This is an accompanying guide for our recent video (currently on Floatplane) where we setup a DIY VPN server using Pritunl.
Note: Image links will be coloured like this: https://google.ca (I still need to finish this, was posting at the end of the day and ran out of time D:)
A credit card or PayPal account to rent a server with
That's it - unless you intend to install Pritunl locally in which case you will need a system or VM to install CentOS onto
Stage 1 - VPS Install, Firewall, and Setup (before the video tutorial section):
Before you can do any installing, you must deploy a VPS from your chosen provider. For the purposes of this tutorial we will be using Vultr.com (LMG affiliate link), specifically their $3.50/month 1 core, 512MB of memory, 500GB of bandwidth plan (note: this plan is only available at their New York/New Jersey data center).
Create an account at Vultr or your chosen VPS provider.
Deploy a VPS at your desired tier and location, choosing Centos 7 as your operating system (it appears Pritunl does not yet support CentOS 8, although this may change). This is one of the lightest-weight mainstream operating systems that Pritunl is compatible with right out of the box.
Wait a few minutes for the VPS to deploy and start up - you should get an email once it is ready.
Once the VPS is running and ready, you'll need to get an SSH client so we can SSH into the VPS to setup the Pritunl VPN server.
Download, install and then launch the SSH client of your choice. We will be using PuTTY because it's simple, but any SSH client will do: https://lmg.gg/8KVmQ (https://i.imgur.com/POLV3i4.png)
Copy the IP address assigned to your VPS into PuTTY, and click "Open" (https://i.imgur.com/PKYfvD2.png). You can find this in your VPS provider's control panel (https://i.imgur.com/z4To3uM.png).
You may be prompted about a "PuTTY Security Alert" with a message about the host key not being cached, this is normal, click Yes (https://i.imgur.com/RRMqhMI.png).
After it prompts you with "login as:" enter 'root'
Then for password, copy and paste (paste in PuTTY by right clicking with your mouse) in the password supplied in your VPS provider's control panel (https://i.imgur.com/JwQxXHZ.png). You should now be logged in over SSH.
Update the server and setup automatic security updates
Quickly update the server by running 'yum update -y' (https://i.imgur.com/f7uWUge.png)
**OPTIONAL BUT RECOMMENDED**: Setup automatic security updates on your VPS: https://www.howtoforge.com/tutorial/how-to-setup-automatic-security-updates-on-centos-7/
Now that you're SSH'd into the server, while technically optional, we highly recommend setting up some basic security including: changing your root password, setting up a sudo user and blocking root from SSH login, and setting up a firewall.
At a bare minimum, you should change the supplied root password. This was provided to you in plain text through your provider's web panel and should be considered insecure until it is changed:
Enter 'passwd' in PuTTY and hit enter. Input and then confirm your desired new password (https://i.imgur.com/unLgve8.png).
Setup a firewall either in OS, or via the control panel of your VPS provider. We will be using the one supplied by Vultr.
On the Vultr.com website, under Products>Firewall click the "Add Firewall Group" button (https://i.imgur.com/plIIpKJ.png) and set the description to something related to VPN so you remember what it is for (ie. "VPN Firewall")
Create a firewall rule to allow SSH connections to the VPS (https://i.imgur.com/oxtHuHw.png).
Source: My IP (or you can set this to Anywhere, but this will allow anyone to attempt to login to your server)
Create a firewall rule for the VPN server IP (https://i.imgur.com/R67XT7E.png).
Port: 1337 (or whatever you decide to use as your VPN port)
Source: Anywhere (or you can define a specific IP range if you want to limit access to your VPN to only that range)
Create a firewall rule to allow HTTPS connections to the VPN web panel (https://i.imgur.com/WyRmpSC.png).
Source: Anywhere (or you can define a specific IP range if you want to limit access to your VPN web panel to only that range)
Create a firewall rule to allow HTTP connections to the VPN web panel for LetsEncrypt SSL, if you want to specify a custom domain (https://i.imgur.com/SXuJuXH.png).
Then, you must attach the Firewall Group to the VPS for it to take affect.
On the Vultr.com website, under Products>Instances>Cloud Instance (the VPS you rented for this)>Settings>Firewall select the Firewall Group we created earlier, with the description you assigned yourself (https://i.imgur.com/FUc91Xw.png).
Click "Update Firewall Group" to apply the changes (https://i.imgur.com/9eHNUio.png).
Setup a sudo user by creating a new user, setting the users password, and then adding the user to the sudo user group. This new user with only have access to commands that affect it's own user directory (not the rest of the system or other users), unless they prefix commands with 'sudo' (essentially running the command as root), which has password verification. For this to be at all beneficial we must also restrict root from logging in via SSH.
Run 'useradd <USERNAME>', replacing '<USERNAME>' with your desired user name (https://i.imgur.com/ziPXvm9.png).
Run 'passwd <USERNAME>' replacing '<USERNAME>' with the username of the user you just created (https://i.imgur.com/76nomeh.png).
Run 'usermod -aG wheel <USERNAME>' replacing '<USERNAME>' with the username of the user you just created (https://i.imgur.com/60lrNyY.png).
Run 'nano /etc/ssh/sshd_config' and change the "PermitRootLogin yes" line to "PermitRootLogin no". This will prevent root login over SSH (https://i.imgur.com/aJzoFvh.png).
Use 'Ctrl+X', the 'Y' key, and then the 'Enter' key to close the nano text editor and save changes.
Run 'systemctl restart sshd' to apply the above change (https://i.imgur.com/cOkWVJX.png).
Close PuTTY, so you can re-login with your sudo user.
Re-Login to SSH on PuTTY with your newly created sudo user by following steps 2.2 to 2.5, replacing "root" with whatever username you chose for your sudo user.
If you're using your VPS provider's firewall like we did in this tutorial, you will need to disable the CentOS firewall as it will block the VPN's web panel from being accessed. If you plan on using the OS based firewall, we are assuming you know how to configure that yourself.
Run 'sudo systemctl disable firewalld' (https://i.imgur.com/6GLlgME.png).
Run 'sudo systemctl stop firewalld' (https://i.imgur.com/5TOJyZp.png).
Run 'sudo systemctl status firewalld'. This should show the status as "inactive (dead)" (https://i.imgur.com/kTGqsw7.png).
Use 'Ctrl+C' to exit this view.
Bam, your OS is now secured, auto security updating, and ready to go for Pritunl.
Stage 2 - Installing & Trying out Pritunl (this is where the tutorial portion of the video starts)
Now that our OS is setup, and you're SSH'd in, it's time to install Pritunl. I'm expecting that these commands could change in the future, so please refer to the official Pritunl documentation here: https://docs.pritunl.com/docs/installation
Copy over each piece from the CentOS 7 portion of their install docs to your SSH client individually as shown here: https://drive.google.com/a/linusmediagroup.com/uc?id=14i5tFSPXfOd7B_sKnYgKPmNLiWEiGJOp
With Pritunl installed you should be able to access your Pritunl VPN web interface at https://<SERVERIP>/ replacing "<SERVERIP>" with the IP of your VPS, and can now configure the VPN server.
Run 'sudo pritunl setup-key' in the PuTTY SSH client. Copy (double left click in PuTTY) the key it supplies into the Pritunl web interface (https://i.imgur.com/8Oqoykd.png).
Run 'sudo pritunl default-password' in the PuTTY SSH client. Copy (double left click in PuTTY) the username and password it supplies into the Pritunl web interface (https://i.imgur.com/Q6qePiM.png).
You should now be logged in and placed at the "Initial Setup" screen. Choose a username, password, and optionally a custom domain for your server (https://i.imgur.com/ckz8qzO.png).
Navigate to the "Users" page and click "Add Organization" to create an Organization, this is essentially a group for users (https://i.imgur.com/qF1kM6W.png).
On the same page click "Add User" to create a User(s), while being sure to specify a secure pin (https://i.imgur.com/zbCyJzX.png).
Navigate to the "Servers" page and click "Add Server" to create your VPN server (https://i.imgur.com/00nyfI3.png).
Set "Name" to whatever you'd like to name the VPN server.
Set "Port" to your desired VPN port, this is the one we added a firewall rule for earlier in the tutorial. We are using "1337".
Enable "Allow Multiple Devices"
Disable "Inter-Client Communication" (this disallows VPN users on the same virtual network from seeing each other, you may wish to keep this feature but if you don't know what this means, just disable it).
Click "Add" to save the configuration.
Before you can start the server, you must attach the Organization you created earlier to it, so the server knows which users to allow to connect.
Click "Attach Organization", and it should auto populate both the organization and server you made earlier, as they're the only ones present in the database (https://i.imgur.com/6MPdOhr.png).
Click "Start Server", and bam, your VPN server is now running!
With your VPN server configured, you can now download the Pritunl client on your respective device, and the user profile used to connect to it.
Navigate to the "Users" page again, and click on the down arrow for the user you'd like to connect with (https://i.imgur.com/dldl5KR.png).
Navigate to the https://client.pritunl.com/ website to download the Pritunl client for your respective device, and then install it (https://i.imgur.com/hHtEQiw.png)
Launch the Pritunl client, and then drag the <USERNAME>.tar file into the Pritunl client (you can also use the Import Profile button) (https://i.imgur.com/I9Uge7H.png).
Click the hamburger menu icon on the profile you added and then click "Connect". Enter your pin, and BAM! You're now connected to your very own VPN server.
Note: If the connection doesn't succeed, it's likely you forgot to disable the CentOS file (steps 6.1-6.3.1), or you incorrectly set the port during the Pritunl setup (Stage 2, step 2.6.2), or you incorrectly set the port during the Vultr firewall setup (step 184.108.40.206).
Check https://whatismyipaddress.com/ to see if your IP address did indeed change. It should show your location as wherever your VPS is hosted. Yay.
Note: If you are trying to setup a VPN server to access your network remotely, there are instruction from Pritunl here: https://docs.pritunl.com/docs/accessing-a-private-network
Huh, weird, my R7000 works fine. Granted, I never run factory firmware on it - I have Advanced Tomato and it works well. It is aging though, and eventually will need to be replaced with something else in the near future. Seriously considering going with something from Ubiquiti Networks instead.
If you have any way to actively cool the router that might help. DDWRT made my router run hot as hell. I used a laptop cooler I had laying around and plugged it in to the routers USB port. Found it ran much cooler. The lack of support is why I choose to buy a new router. Because I was not sure when DDWRT was going to update the firmware due to the security issues found in WPA 2 last year or so.
Thank you! I don't know why my response hasn't been posted but I am currently using DDWRT. This actually comes with its own problems too. Slow support aside, my wifi drop randomly if there is 7 or more devices are connected. It also requires to restart every so often in a matter of days. I haven't tried advanced tomato. I will check this out and thank you again for your recommendation on Synology RT2600AC.
PCPartPicker part list / Price breakdown by merchant
CPU: AMD - Ryzen 5 2600 3.4GHz 6-Core Processor ($159.89 @ OutletPC) CPU Cooler: be quiet! - Dark Rock 4 CPU Cooler ($66.99 @ SuperBiiz) Motherboard: MSI - B450 TOMAHAWK ATX AM4 Motherboard ($99.09 @ Newegg) Total: $325.97 Prices include shipping, taxes, and discounts when available Generated by PCPartPicker 2018-10-28 13:02 EDT-0400
This is what you are looking for. Good performance for a good price.
The CPU and motherboard can overclock and you get a good cooler to do so.
Do you plan on overclocking? If not, just get an 8700 with a B360, if you do, get an 8700k with a Z370, you won't get any extra performance for spending more on a Z390 nor in a 9700k. And if you don't plan on playing in a high refresh rate monitor, Ryzen is also a great option, it's only downfall is for 144Hz+ gaming, other than that, pretty great at everything, specially cost.