Setup Your Own Always-Free Private VPN In Oracle Cloud

In this post, I’ll show you how to run your very own Free Private VPN (forever!) in the Oracle Cloud using OpenVPN. We’re going to use the pre-built OpenVPN image from the Oracle Cloud Marketplace, and much of the info in this post is also contained in the guide, but this post has enough information in it to get your VPN launched, so let’s get started.

First, you’re going to log in so head over and sign up if you have not done so yet.

Important! Wait, don’t go yet! When signing up for a free tier account, you’ll need to select a “home region” which will be the only region that you can create your free VM in. Keep in mind that your VPN will make your local connection appear as it originates from the same IP as the VPN, so choose your home region very carefully as it can not be changed later!

Table of Contents

Launch Instance
Login To Admin UI of Free Private VPN
Create A User
Connecting To The VPN
Testing The VPN
Summary

Launch Instance

Free Private VPN — *As stated above, we’ll need to first launch an instance using the OpenVPN Image on the OCI Marketplace. Head over there and click ‘Get App’ to get started.*

*Select your home region and Sign In to your Oracle Cloud account.*

*Choose the version, a compartment that you’d like the VM to reside in, accept the terms and conditions and then click ‘Launch Instance’.*

*Make sure your home region is selected and then name the VPN, choose a compartment and an Availability Domain.*

*In the “Specialty and Legacy” category, choose the “always free eligible” micro shape:*

*Under networking, choose a VCN and public subnet. If you want to use a Reserved IP, see the guide, otherwise select ‘Assign a public IPV4 address’.*

*Configure SSH so you’ll be able to connect to the machine later on.*

*Accept the rest of the defaults and click ‘Create’. The VM will initially be in a ‘Provisioning’ state:*

*After a minute or two, the VM will enter a “Running” state. At that point, grab the public IP address so that we can remote in and finish configuring the OpenVPN install.*

Now head over to your friendly local terminal and SSH in with the username `openvpnas`:

ssh openvpnas@[Your Public IP] -i ~/.ssh/id_oci_demo

Note: You’ll want to point a domain name at your IP address to make life easier later on. Just add the appropriate record according to your DNS hosting provider’s normal process.

As soon as you SSH in for the first time, the OpenVPN init script will prompt you to complete the install. Much more detailed information regarding this script can be found in the guide. The prompts, as of mid-December 2020, will first ask you to read and accept the EULA. Next, answer “yes” to the question that asks if this will be the primary node:

Once you provide a few initial configuration settings,
OpenVPN Access Server can be configured by accessing
its Admin Web UI using your Web browser.

Will this be the primary Access Server node?
(enter 'no' to configure as a backup or standby node)
> Press ENTER for default [yes]: yes

Choose ‘all interfaces’:

Please specify the network interface and IP address to be
used by the Admin Web UI:
(1) all interfaces: 0.0.0.0
(2) ens3: 10.0.0.46
Please enter the option number from the list above (1-2).
> Press Enter for default [1]: 1

Accept the default port for the Admin Web UI:

Please specify the port number for the Admin Web UI.
> Press ENTER for default [943]:

Accept the default port for the Daemon:

Please specify the TCP port number for the OpenVPN Daemon
> Press ENTER for default [443]:

Accept the default (yes) for “Should client traffic be routed by default through the VPN?”:

Should client traffic be routed by default through the VPN?
> Press ENTER for default [yes]:

Accept the default for “Use local authentication” – this will mean that you have to create/manage VPN users via the Admin UI.

Use local authentication via internal DB?
> Press ENTER for default [yes]:

Accept the default for “Should private subnets be accessible…”:

Should private subnets be accessible to clients by default? Press ENTER for default [yes]:

Accept the default Admin UI username (or specify your own name):

Do you wish to login to the Admin UI as "openvpn"?
> Press ENTER for default [yes]:

Leave the activation key blank (unless you have a key). OpenVPN is free for 2 users without a key:

> Please specify your Activation key (or leave blank to specify later):

The script will now produce output similar to the following:

Initial Configuration Complete!

You can now continue configuring OpenVPN Access Server by
directing your Web browser to this URL:
https://10.0.0.46:943/admin
Login as "openvpn" with the same password used to authenticate
to this UNIX host.
During normal operation, OpenVPN AS can be accessed via these URLs:
Admin  UI: https://10.0.0.46:943/admin
Client UI: https://10.0.0.46:943/
See the Release Notes for this release at:
   https://openvpn.net/vpn-server-resources/release-notes/

Next, set a Linux password for the `openvpn` user:

$ sudo passwd openvpn

The default timezone is set to US (Pacific – Los Angeles). If you would like to change this, run the following command (you will be asked what timezone you would like to set).

$ sudo dpkg-reconfigure tzdata

The next step is to login to the Admin UI, but before we can do that we need to make sure that the security list for the VCN has ingress rules for a few ports. Back in the Oracle Cloud console, on the instance details page, click on the subnet that you associated with your instance.

*On the subnet details page, click on the security list.*

*Add an Ingress Rule for TCP ports 943 and 443.*

*Add another Ingress Rule, this one for UDP port 1194 (used for the VPN tunnel):*

*Now you can login to the Admin UI via `https://[your public IP or your domain name]/admin`. The admin UI uses a self-signed cert, so accept the cert to continue:*

*Login with the username specified in the init script and the password you created.*

Note: If you do not update this setting, NONE of your clients will be able to connect to your VPN server since by default it is set to a non-routable (private) IP address!

At this point, the internal IP address has been configured as the server name.

*We’ll need to update this to be our public IP (or even better – domain name). To change, click on Configuration (#1) and Network Settings (#2).*

*After saving, update the running server:*

*Verify that internet traffic will be routed through the VPN:*

That will take care of the basic VPN configuration, but should you want to read more, please refer to the additional security recommendations.

Create A User

*Click on ‘User Management’ and then ‘User Permissions’.*

Connecting To The VPN

Download the proper OpenVPN Connect Client for your OS:

*Upon first launch, you’ll need to configure the client.*

Testing The VPN

Visit this page (or something similar) both before and after connecting to your Free Private VPN. You’ll notice that your IP address and location will assume the VPN’s information and location after connecting to the VPN.

Summary

In this post, we launched our own Free Private VPN server and connected to it from our local machine. There are certainly other servers that can be used for VPN, so feel free to adapt this process as necessary. You may have to launch your own VM though instead of using a preconfigured VM image as we’ve done here.