I feel the need to start this post with something impactful about industrial-scale data capture and the weaponsiation of software exploits; this would be covering a well-trodden path, and it’s unnecessary. You need a personal VPN to help secure your privacy your personal data.
I’ve run my own VPN on Digital Ocean (DO) for a few years now. This isn’t ideal; I’d rather run this on hardware which I racked myself, but it’s cheap, and DO have datacentres in privacy-friendly European jurisdictions.
Previously, I have been using the excellent
streisand scripts to maintain this service.
streisand is a very comprehensive, mature package, and I recommend it for people who live in really hostile environments as it provides a lot of connectivity options to bypass VPN blocking and suchlike. However, there is quite a bit of churn in
streisand (probably for good reason; that project faces evolving threats), and each of the last three times I’ve run the install scripts, it’s recommended different defaults, and different VPN clients. This isn’t optimal; I want to install my VPN, and forget about it for a few years at a time, and most importantly I want effortless connectivity from my devices which run OSX and iOS.
This has led me to a much slimmer, more focused solution:
IKEv2-setup. The project self-describes as:
A Bash script that takes Ubuntu Server 18.04 LTS … from clean install to production-ready IKEv2 VPN with strongSwan.
IKEv2-setup supplies a
.mobileconfig profile for OSX and iOS, with on-demand connectivity; this means that I can be reasonably sure that all my internet traffic will be routed via the VPN.
First, setup a new Ubuntu 18.04 server using the hosting provider of your choice. You also need to setup a DNS record to point to this server (for example
vpn.example.com). I’ll assume you can login and get a
root shell. Make sure that everything is up-to-date:
$ apt-get update && apt-get upgrade
IKEv2-setup script from Github:
$ cd /root/ $ curl https://raw.githubusercontent.com/jawj/IKEv2-setup/master/setup.sh > setup.sh
Now, read carefully the contents of
setup.sh and understand what each step does. If there are any steps which you don’t understand, ask someone with a little more Linux knowledge to review. Installing untrusted software from the internet is dangerous; you need to understand what is about to happen to your server.
Once you are ready to continue, run the script:
$ /bin/bash setup.sh
You’ll be asked for your DNS name, and a VPN username and password, and an SSH username and password (for the passwords, I recommend generating two long different password with
pwgen --numerals 32). After these questions, the script will proceed to run; save the output if you’re particularly interested in the changes which were made.
Once the process is complete, further configuration instructions will be located in
/home/<username>/vpn-instructions.txt. For OSX and iOS configuration, download the
/home/<username>/vpn-ios-or-mac.mobileconfig file. From OSX, you can just double-click the file in Finder, and the profile will be installed. Optionally you may want to visit
Network.prefpane and configure the VPN icon in your statusbar. You can then AirDrop this same file to your iOS device and configure the same username and password there.
It’s probably sensible to leave logging enabled on your server for a few days to debug any connectivity problems, however once the service is stable, you can disable any logging as follows:
rm /var/log/syslog && ln -s /dev/null /var/log/syslog rm /var/log/auth.log && ln -s /dev/null /var/log/auth.log