Hello comrades, I recently started to self-host my own VPN. I thought of using a regular VPN provider, but I don’t trust the cheap ones and the good ones are too costly for my needs. So I started to rent a cheap one-core VPS (DMCA-ignored, of course) for 2,5 €/month. Before that I tried some seedboxes from some cheap providers, but the amount of control you have there was absolutely terrible. If they have SSH access, you have no sudo permissions.

One of those providers I tried just deploys Docker containers and then, using some fancy marketing, they make a good amount of cash from something that one can do oneself with a little bit of technical knowledge. And when something doesn’t work: good luck, my friend.

So that’s why I chose a VPS, where you have maximum control. Setting it all up, including security measures and a custom OS, is very fun. My distro of choice is Devuan. I’m running a Debian-based distro myself, and having no systemd not only boosts the startup time but also saves some system resources, which is especially important on a server with 1 GB RAM.

Installing Devuan was quite an adventure. Navigating their website to find the right download is like cruising a wild jungle. After choosing a mirror to download from, one has to check the name of the latest release. After that I selected “installer-iso”. In there I grabbed the netinstall. From there the real adventure began. Among the “standard stuff” I had to specify the DNS and netmask, nothing wild. I didn’t install a desktop environment, of course, just the ssh-server components.

I then followed Wolfgang’s guide to set up SSH. Managing a computer without a desktop environment is something I had never done before, and while on a desktop PC this can be a horrifying experience, it’s really fun to operate a remote system via the command line. For enhanced security I activated and configured ufw. Many distros come preinstalled with gufw, so setting up ufw wasn’t a big deal.

Without systemd many WireGuard install scripts don’t work, so I installed WireGuard via docker-compose with the help of Christian Lempa’s wonderful guide. Amazing guy. I had to enter the DNS servers manually so that the actual DNS addresses of the server are used.

I tried to route IPv6 traffic through the VPN by entering the IPv6 address in brackets into the docker-compose.yaml and adding ::/0 to the AllowedIPs, but none of it worked. So I had to deactivate IPv6 on my system and in the network manager. This stopped all IPv6 leaks.

As a killswitch I found this easy method. I tested it and it works. No IP leaks anymore.

To prevent DNS leaks I found these commands: sudo iptables -A OUTPUT -p udp --dport 53 -j DROP and sudo iptables -A OUTPUT -p tcp --dport 53 -j DROP. I tried the ufw equivalent, sudo ufw deny out 53/udp and sudo ufw deny out 53/tcp, but it blocks internet access. I made the iptables rules persistent with iptables-save, since iptables-persistent conflicts with gufw and ufw.

With this setup I started my torrent client and saw that I’m barely seeding. That’s not cool. I tried to set up port forwarding with a lot of iptables and routing-table rules like this one, but when checking the port it’s always closed.

So what now? My goal is to torrent over I2P. I see a lot of potential in I2P. It is basically what people envisioned the internet to be in the 90s. Since the internet is a military technology, freedom was never implicated, so even with a lot of obfuscation and circumvention there is always some trouble when using the clearnet. My intention with the VPN is to port over clearnet torrents to I2P. Thus the reliance on VPNs can be decreased.

  • skankhunt42@lemmy.ca · ↑ 28 · 2 days ago

    I want to call out one thing in case you didn’t know.

    The idea of a public VPN is to hide your traffic with other users who also use the VPN. If you’re renting a VPS you don’t get all the “benefits” of a public VPN. All you’re doing is adding an extra hop to the internet; you’re not mixing your traffic with others using the same IP. It’s all you… In fact, you’re probably making it easier to isolate the things you do online, because at home you could say a guest you had over must have downloaded it. If it’s the VPS, it’s all you.

    • ejizar@thelemmy.club (OP) · ↑ 3 · 1 day ago

      I have already considered this. Generally I prefer a dedicated IP over a shared IP, especially since I’m considering the use of private trackers. There are some use cases, though, like high-OpSec operations or a higher privacy need, where a shared IP is beneficial, but for me this is not needed.

        • ejizar@thelemmy.club (OP) · ↑ 1 · 3 hours ago

          That’s because I live in a country with strict anti-piracy laws. Torrenting pirated stuff here without a VPN would be a death sentence. In fact the whole piracy scene of my country revolves around stream hosting and one-click hosters. Understandable if you consider the fact that anyone can see what you torrent, sometimes even including your whole download history.

  • Mordikan@kbin.earth · ↑ 13 · 2 days ago

    As mentioned in the comments, the VPN isn’t really viable here. That being said, your DNS iptables statements don’t work for two reasons:

    1. TCP 53 isn’t going to be used unless something like EDNS or zone transfers occurs, which is like never.
    2. The first statement blocks any traffic on the output chain (leaving your network) that is destined to a remote UDP port 53. This kills your access to any off-device DNS server.

    You would have to have an ACCEPT statement to allow the DNS traffic through the VPN. Something like: iptables -A OUTPUT -o tun0 -p udp --dport 53 -j ACCEPT

    • ejizar@thelemmy.club (OP) · ↑ 2 · 1 day ago

      Why do you think that a VPN isn’t viable?

      I don’t understand it: why don’t these commands block internet access when they block DNS traffic like the ufw command does?

      • Mordikan@kbin.earth · ↑ 5 · 1 day ago

        The problem here is that it sounds like you think torrenting traffic is using the self-hosted VPN, but that wouldn’t be true. Here is how it sounds like it is currently working: Torrent Client -> VPN interface -> Default interface -> Torrent Users. You could probably confirm that with mtr/traceroutes and bmon.

        The reason your internet goes down when you run your iptables statements is because you’re preventing DNS resolution, which uses UDP 53, from leaving the device. Even if you are running your own DNS server on that VPS, unless you have trackers statically mapped, DNS recursion has to be allowed for your VPS to determine host IPs.

        • ejizar@thelemmy.club (OP) · ↑ 1 · 3 hours ago

          Nope, I checked the traffic with mtr and it connects directly to the internal IP address of the server. Also, I’ve bound the torrent client to the network interface of the VPN to ensure the traffic goes through the VPN.

          I understand. The problem with the rules above, though, is that they would block my regular network interface even after the VPN goes down. That’s why I created some postup and postdown rules for the WireGuard config:

          PostUp = iptables -I OUTPUT -o %i -p udp --dport 53 -j ACCEPT && iptables -A OUTPUT ! -o %i -p udp --dport 53 -j DROP
          PreDown = iptables -D OUTPUT -o %i -p udp --dport 53 -j ACCEPT && iptables -D OUTPUT ! -o %i -p udp --dport 53 -j DROP

          This only activates the rules while the VPN interface is on.
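The rule-ordering point that runs through the OP’s two DROP commands, Mordikan’s suggested ACCEPT on the tunnel interface, and the PostUp/PreDown pair in the comment above, as an added example that is not part of anyone’s comment: a small Python model of the filter table’s OUTPUT chain with iptables’ first-match semantics. The interface names wg0 and eth0 and the sample packets are constructed assumptions, and the model only understands -p, --dport, -o and ! -o; it is meant to show why each rule set behaves as the thread describes, not to replace iptables.

```python
# Added example, not from the thread: model an iptables OUTPUT chain to show
# (1) why "DROP udp/tcp 53 on any interface" kills all DNS, (2) why an ACCEPT
# appended with -A behind that DROP is never reached, and (3) why the PostUp
# pair (-I ACCEPT on the tunnel, -A DROP for "! -o tunnel") only lets DNS out
# through the tunnel. Interface names wg0/eth0 are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    out_iface: str   # interface the packet would leave on
    proto: str       # "udp" or "tcp"
    dport: int       # destination port


@dataclass
class Rule:
    target: str                       # "ACCEPT" or "DROP"
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport
    out_iface: Optional[str] = None   # -o
    negate_iface: bool = False        # True models "! -o"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.out_iface is not None:
            same_iface = pkt.out_iface == self.out_iface
            # plain -o needs a match, "! -o" needs a mismatch
            if same_iface == self.negate_iface:
                return False
        return True


class OutputChain:
    """Rules are checked top to bottom; the first match decides; otherwise the policy applies."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.policy = "ACCEPT"

    def append(self, rule: Rule) -> None:   # iptables -A OUTPUT ...
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I OUTPUT ... (position 1)
        self.rules.insert(0, rule)

    def delete(self, rule: Rule) -> None:   # iptables -D OUTPUT ... (first identical rule)
        self.rules.remove(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# Constructed sample packets: DNS via the tunnel, DNS via the uplink, HTTPS via the uplink.
DNS_VIA_TUNNEL = Packet("wg0", "udp", 53)
DNS_VIA_UPLINK = Packet("eth0", "udp", 53)
HTTPS_VIA_UPLINK = Packet("eth0", "tcp", 443)


def verdicts(chain: OutputChain) -> dict:
    return {
        "dns_tunnel": chain.verdict(DNS_VIA_TUNNEL),
        "dns_uplink": chain.verdict(DNS_VIA_UPLINK),
        "https_uplink": chain.verdict(HTTPS_VIA_UPLINK),
    }


def op_drop_rules() -> OutputChain:
    """The two rules from the post: DROP every outbound UDP/TCP 53 on any interface."""
    chain = OutputChain()
    chain.append(Rule("DROP", proto="udp", dport=53))
    chain.append(Rule("DROP", proto="tcp", dport=53))
    return chain


def accept_appended_behind_drop() -> OutputChain:
    """A tunnel ACCEPT added with -A lands after the DROP, so it never sees a packet."""
    chain = op_drop_rules()
    chain.append(Rule("ACCEPT", proto="udp", dport=53, out_iface="wg0"))
    return chain


def post_up(chain: OutputChain, iface: str) -> None:
    """The PostUp line: -I the tunnel ACCEPT at the top, -A the '! -o' DROP at the end."""
    chain.insert(Rule("ACCEPT", proto="udp", dport=53, out_iface=iface))
    chain.append(Rule("DROP", proto="udp", dport=53, out_iface=iface, negate_iface=True))


def pre_down(chain: OutputChain, iface: str) -> None:
    """The PreDown line: -D both rules so the uplink can resolve again without the tunnel."""
    chain.delete(Rule("ACCEPT", proto="udp", dport=53, out_iface=iface))
    chain.delete(Rule("DROP", proto="udp", dport=53, out_iface=iface, negate_iface=True))


if __name__ == "__main__":
    print("OP's DROP rules:      ", verdicts(op_drop_rules()))
    print("ACCEPT appended (-A): ", verdicts(accept_appended_behind_drop()))
    chain = OutputChain()
    post_up(chain, "wg0")
    print("PostUp active:        ", verdicts(chain))
    pre_down(chain, "wg0")
    print("after PreDown:        ", verdicts(chain))
```

Running it prints the verdicts for each rule set. The middle case is the practical check: an ACCEPT added with -A behind an existing DROP on port 53 is never consulted, which is why the PostUp line uses -I. With the PostUp pair active, only DNS leaving on the tunnel interface is accepted, HTTPS on the uplink is untouched, and PreDown removes both rules so name resolution on the uplink works again once the tunnel is down.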

          • Mordikan@kbin.earth · ↑ 1 · 40 minutes ago

            So, all traffic leaving the device is going out the VPN? If you curl ipinfo.io, does that show an IP address present in ip addr?

      • PolarKraken@lemmy.dbzer0.com · ↑ 2 · 17 hours ago

        How long have you spent with this? I ask because it’s frankly an impressive amount of detail and understanding you’re displaying, given your statement that you’d never administered an OS without a desktop environment. Kudos!

        • ejizar@thelemmy.club (OP) · ↑ 1 · 2 hours ago

          Thanks. It took approximately one or two weeks to set it up and configure it step by step. I know using a distro without systemd is not the easiest thing for a beginner, but I’ve already been running MX Linux for a while after having used plain Debian, so I felt pretty confident. Also there are really good guides out there, as I mentioned before. The most difficult part was to configure the VPN so that there are no leaks and stuff like that. For that I needed to do a lot of tests and some research. One thing that would be really cool is to do application-based split tunneling or even workspace-based split tunneling. But first I will need to find a solution to open the port of my torrent client to outside traffic to torrent properly. I think I have a solution to this.