How to create your own personal VPN (and why you should)

December 11, 2016 0 Comments vpn, streisand, linkedin

I've been using VPNs for a long time, here and there. In the past I've used a wide range of VaaS ('VPNs as a service', I literally just made that up) from providers including Private Internet Access, Vypr, Hotspot Shield (courtesy of a Stacksocial lifetime deal) and Zenmate, probably amongst others. My reasons for using VPNs have been varied - privacy (particularly when on public / untrusted connections), performance (avoiding traffic shaping particularly when abroad, but also more generally) and geographic (accessing content intended for other markets, accessing UK content when abroad, speeding up downloads from China by VPN'ing to Hong Kong).

Just lately, something has happened that rekindled my interest in VPNs and it should do the same for you - the Royal Assent and therefore progression into law of the Investigatory Powers Act, formerly known as the 'snoopers charter'. You didn't know it had become law? I can't say I'm surprised. For some bizarre reason the IP Act seems to have been largely ignored by the media, sneaking through in its final guise with barely a whisper. It is not good.

As a starting point, I recommend reading this post at Wired UK. Their intro details aspects of the law such as offensive hacking (equipment interference), bulk hacking and the aspect that I find most frightening, bulk collection of web records.

This means internet history data (Internet Connection Records, in official speak) will have to be stored for 12 months. Communications service providers, which include everything from internet companies and messenger services to postal services, will have to store meta data about the communications made through their services. The who, what, when, and where will have to be stored. This will mean your internet service provider stores that you visited WIRED.co.uk to read this article, on this day, at this time and where from (i.e. a mobile device). This will be done for every website visited for a year.

Does this scare you? If not, it should. That an open democracy such as ours can pass this kind of law still beggars belief. We're not exactly setting an example of how to behave to the world's more oppressive regimes are we!

A common response to concerns such as this is 'well, if you've done nothing wrong, you've nothing to worry about'. Nope, that doesn't wash. So your ISP could be storing a year's worth of your Internet history. Even if you're not doing anything wrong... would you really want that falling into the hands of a hacker? Everywhere you shopped online, where you've accessed your online banking, which sites you likely have accounts at, where you've accessed from using which device and when... the potential for misuse of the data should it fall into the wrong hands (and, believe me, I have no doubt that at some point it will) is enormous. Frighteningly so. I absolutely don't want to let my data be harvested in this way.

So this brings us back to VPNs. If you're not familiar with the concept, what a VPN does is provide a secure, encrypted connection between two points. In the case of a VPN provider such as those mentioned above, the connection is between your device (laptop, phone, router etc.) and the servers of the provider. Your Internet traffic effectively travels back and forth along an encrypted tunnel between you and them, before heading out to the Internet. This means that logging traffic at your ISP isn't going to work any more - as far as they are concerned, you're just visiting [IP address of your VPN provider], which might be located in the UK, but could also be elsewhere in Europe or indeed the world.

As I started looking at the options available for my new VPN requirement, it quickly became clear that a conventional VaaS provider might not be the answer. There are lots of good reasons for doing things this way, but also some drawbacks. Many providers using publicly known pre-shared keys (compromising security), of course you are sharing the infrastructure with others which could affect speed and for a really decent service, it can work out quite expensive. This led me to consider configuring a VPN on one of my hosted servers... which is when I stumbled across what I now think is the best option for me and anyone who can handle a little bit of setup and config... Streisand.

In a nutshell...

Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

It works. It works REALLY well. I know what you're thinking - in order to use Streisand, you're going to have to pay for a dedicated server / VPS. Yes, you are, but this is much cheaper than you think! I have spent the last week or so exploring all the options (so you don't have to)... and there are some great providers, including...

  • Amazon Lightsail - Amazon's new $5 servers can run Ubuntu 16.04 and include 1 core / 512MB RAM / 20GB SSD and 1TB of traffic, however boxes are only available in the US at the moment (Ireland and Frankfurt regions will come online at a later date).
  • Aruba Cloud - An established provider offering servers with the same spec as Lightsail, but for only 1 Euro a month! They have a number of datacentres across Europe, however the setup / config / control panel experience is roughly akin to punching yourself in the face.
  • Digital Ocean - Another VPS provider offering boxes for, you guessed it, $5! Exactly the same specs as Lightsail, data centres across Europe and in the US and, best of all, a slick, easy to use control panel. Very nice indeed.

As you may have guessed... my pick is Digital Ocean for the best overall experience (you get $10 free credit on signup too, which gives you a server free for 2 months!) or Aruba Cloud if you want a super cheap option. I've deployed a bunch of non-VPN servers at Digital Ocean too and I'm very impressed.

![Digital Ocean](https://drops.azureedge.net/drops/files/acc_507795/J1BR?rscd=inline%3B%20filename%3DUpload%25202016-12-11%2520at%252016%253A46%253A14.561Z.png&rsct=image%2Fpng&se=2016-12-11T17%3A17%3A56Z&sig=53cZ0QOE7q%2BiPFiptJxUCFJuX4KRpsSvzw3rg%2BDlWeM%3D&sp=r&sr=b&st=2016-12-11T16%3A17%3A56Z&sv=2013-08-15)

Sign up for your VPS (thinking carefully about where you want it to be sited), run the install process (I did it from Ubuntu for ease), reboot your server and you are set up. You'll have a locally created HTML file together with connection instructions on a secure site on your box. Super neat.

After you've set up, you need to configure your clients. Now, which protocol to use? Again, I've played with them all so I can give you some advice. You can use a traditional protocol such as L2TP with a PSK, which is fine, and supported out of the box on most devices. I also tried Cisco Anyconnect (it works well) and also one I wasn't familiar with previously, called Shadowsocks. Shadowsocks is actually pretty awesome. It connects fastest, seems to have the lightest overhead in my tests, integrates well with Android 7.0 Nougat as an 'always-on VPN' ... I'm very impressed.

![Nougat](https://i.imgur.com/dG2xapN.png)

I'm still working out how the VPN is going to fit into my daily use. Do I keep it connected all the time on my devices? Do I connect from my home router to a VPN? Do I make an exception for streaming video? I will report back over the coming weeks with how I get on, but in the meantime, I'm keen to hear your thoughts too.

Oh, and fire away if you have any questions. :)

One more thing: it's not at all clear yet exactly who is going to be tasked with collecting data and who isn't. As such, if your VPN endpoint is in the UK while it currently appears as though hosting providers won't have an obligation to log, it's definitely not guaranteed at this stage. Hopefully this will become clearer in due course.