How feasible is it to roll your own VPN endpoint in the cloud?

I have successfully set up a very basic VPN to my home server with ESXi, pfSense and an OpenVPN endpoint. The next question in my mind is how hard is this to do in the cloud w/ AWS or Linode or whatever. And what about bandwidth costs? If I watch 10TB of YouTube a month through the VPN, what will that do to my cloud data bill?

Keep in mind I have exactly zero experience with cloud platforms. (So it’s about darned time I did, right?)

Not sure if I understand what a VPN endpoint is, but Ryan did a Linode WireGuard VPN guide a while back. At the very least it would explain how to roll it in your own cloud.

3 Likes

An endpoint is where the VPN and encryption ‘ends’, and traffic is exposed to the Internet (or the remote network as the case may be.) That looks great, but I wonder what Linode’s data caps (or rates) are set to.

1 Like

Went to Linode’s “Cloud Calculator” and a server instance with 1 CPU, 1GB RAM, 25GB storage and 1TB/mo bandwidth was $5/month. If I’m not reading that wrong, that’s hard to beat unless I can find it for free elsewhere.

I looked at Linode a little while ago for the same reason. Renting the necessary Linode server and using WireGuard ended up being cheaper than a static IP from my ISP.

I think I remember that 1TB of data over your plans limit was $10 a pop, so you might consider that when you’re picking a plan with your expected usage.

1 Like

Well, if you did it at home you can do it online. It’s just, do you want AWS to have the data dump at the other end?

The more appropriate thing to ask would be ‘what services are safe for this’

Linode VPSs are quite limited in bandwidth so if you’re going to be downloading a lot I’d look elsewhere. OVH has an awful management interface in my opinion but their networking is great and they provide a 100/100 unlimited traffic VPS for $3.50, or 250/250 for $6. I am pushing ~10TB per month through mine.

I would strongly recommend going with WireGuard instead of OpenVPN.
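For anyone following the WireGuard recommendation, here is what the cloud endpoint and the client side look like for a full-tunnel setup (all traffic exits through the VPS). This is an added example, not from this thread or from Ryan’s guide. The interface name eth0, the 10.66.0.0/24 tunnel subnet, port 51820, the DNS choice and every key are placeholders or assumptions; generate real keys with `wg genkey | tee srv.key | wg pubkey > srv.pub` and the preshared key with `wg genpsk`.

```ini
# --- /etc/wireguard/wg0.conf on the cloud VPS (bring up with: wg-quick up wg0) ---
# Added example; eth0, 10.66.0.0/24, port 51820 and all keys are assumptions/placeholders.
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# Forwarding + NAT are what turn the VPS into an exit node. Note the billing
# consequence discussed in this thread: every byte the client sends arrives as
# ingress and leaves again as egress, and every reply does the same, so provider
# egress roughly equals the client's total download + upload, not half of it.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# One [Peer] block per device; each device gets its own keypair and tunnel address.
PublicKey = <CLIENT_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
# On the server side AllowedIPs is also the source filter: packets from this peer
# are dropped unless they come from 10.66.0.2.
AllowedIPs = 10.66.0.2/32

# --- wg0.conf on the laptop / phone ---
[Interface]
Address = 10.66.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
# Assumption: a public resolver reached through the tunnel. Without a DNS line,
# wg-quick leaves the coffee-shop resolver in place and name lookups bypass the VPN.
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
# 0.0.0.0/0 sends all IPv4 through the VPS; listing ::/0 as well keeps IPv6 from
# quietly leaving through the local network instead of the tunnel.
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT mapping alive from behind hotel/coffee-shop routers.
PersistentKeepalive = 25
```

The only inbound ports the VPS firewall (and the provider’s security group, where it has one) needs open are UDP 51820 and whatever you use for SSH; everything else the endpoint does is outbound on the client’s behalf. Check the forwarding actually goes through the tunnel with `wg show` on both ends and `curl ifconfig.me` on the client, which should return the VPS address.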

1TB/Mo might (or might not) be total traffic.
If you set the instance as an endpoint, it is ingesting, then forwarding all the traffic.
You might only end up with half.

Worth double checking.

But 10TB/Mo sounds stupid high, unless the family all stream 4K?

Oh, I guess downloading

[edit] @Derkades’ suggestion of unlimited for 3.50/6 looks much better.
Don’t worry about the DC burning down, you can spin up a new instance elsewhere.

Funnily enough, my VPS was actually in SBG so I had to restore from backup early last year. Weird experience to wake up with monitoring warning emails, google the OVH status page and instead find news stories of the building being literally on fire…

1 Like

I’m not saying such things help remind us to keep backups current….

I will be downloading, but not the Library of Congress or Steam’s whole library. I think 1TB (maybe even 500GB) will probably be enough; I’ll have to check my router’s logs to make sure.

EDIT: Checked the logs…my entire network usage for last month was 1.4TB. Hmm…well 2TB was $15/mo I think. Still OVH may be the best option.

1 Like

I have my VyOS router at home route specific traffic over WireGuard to a VPS also running VyOS. There are certainly cheaper options than $5/month out there, but you start dealing with shared CPU time so they’re not quite as responsive. I don’t think they have any available right now, but BuyVM is one example.

One thing to keep in mind is your requirements / goal for a vpn.

If you are looking for anonymity, plausible deniability, etc., rolling your own defeats the point. Also, if you may potentially transfer any data that breaks the terms of service of the cloud provider, keep that in mind.

If you are looking for a secure tunnel to a known endpoint because you don’t trust the local network and/or upstream provider, this may be worth pursuing.

Questions:

  • do you need anonymity, plausible deniability, etc
  • would any of your traffic break the TOS
  • do you have any need / desire to manipulate your geography? (helps with some streaming and other activities e.g. BBC)

If you answer yes to any of the above a 3rd party may be a better bet.

Also, keep in mind you are responsible for all the security of your endpoint (OS / VPN daemons / ciphers, etc.). If your goal is to learn about cloud and hosting a VPN, by all means go for it… just know that you will likely get your connection to work before you’ve closed all the vulnerabilities.

I host a VPN to get into my private network, but when I need to secure my traffic originating from my network I use a 3rd party service.

As for cost, I’ve had good luck with https://airvpn.org/, and after a year of good service now buy it in three year blocks (2.75 €/m). I’ve had success with bypassing geo-fencing and have hit 400-500 Mbit occasionally with 200-250 being common.

Food for thought.

1 Like

Excellent points. So my goals are to protect my browsing from my nosy ISP, not necessarily the world. And to also provide protection from snoops when surfing open WiFi at coffee shops, restaurants, etc. Every once in a while I will do something that I’d prefer stronger anonymity (not security) for. I’m not trying to start a revolution, I’m just trying to prevent private info from becoming public, details that would not be materially harmful if they did come to light. I figure on such occasions I’d simply use Tor on top of the VPN to hop from the endpoint to a Tor node, and then wherever it needs to go.

Is there a flaw in this plan? Remember, I don’t need the kind of security that some journalists, activists or Edward Snowden need.

1 Like

For Linode, inbound traffic is free, so 1TB of outbound traffic for the smallest plan. Depending on the overages, the next highest plan is $10, so it will still probably be cheaper and faster than a static IP at home.

I run WireGuard on my Linode, but it’s just for protection when I’m on work or public wifi.

1 Like

Oracle Cloud (I know, I know, the dastardly evil chaps) has a free tier, and it really is free as in beer, that includes:
https://docs.oracle.com/en-us/iaas/Content/FreeTier/freetier_topic-Always_Free_Resources.htm

  • 4 OCPUs and 24 GB of memory on Ampere ARM shapes (that can be one VM with all resources, or 4 VMs with 1 CPU and 6GB each …)
  • 1 VM.Standard.E2.1.Micro (AMD based, 1 vCPU, 1GB)
  • 6 Public IPs
  • 10TB Egress (ingress is free)

    [opc@vmftl0004 ~]$ curl -s https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py | python -
    Retrieving speedtest.net configuration...
    Testing from Oracle Cloud (130.61.222.49)...
    Retrieving speedtest.net server list...
    Selecting best server based on ping...
    Hosted by inexio (Saarlouis) [161.07 km]: 6.6 ms
    Testing download speed................................................................................
    Download: 1054.22 Mbit/s
    Testing upload speed......................................................................................................
    Upload: 1385.52 Mbit/s

  • 200GB of block volumes
  • 20GB of object storage
  • an Oracle NoSQL Database with up to 133 million reads per month, 133 million writes per month, and 3 tables with 25 GB storage per table
  • two Autonomous Databases (Oracle database backed) - 1 CPU - 20 sessions - 20GB storage
  • one 10Mbps Load balancer

Plenty of free resources for a WireGuard server or two, and a small Minecraft server to go with it …
If you are into databases, the free tier runs on Exadata infrastructure, so performance is incredibly good for a free service …

The ARM VMs are screaming fast, btw 🙂

2 Likes

Thanks! That is good to know

There are only two flies in the ointment here: Oracle will have access to all my traffic, and I’m not sure I trust Larry Ellison to not start billing for the free goodies. Neither is the end of the world, but dealing with Oracle makes me a little uneasy. That said, I do appreciate VirtualBox, but that is one virtue in a sea of vice 😉

I thought, and correct me if I am wrong, that none of the VPS providers (Linode, DO, Google, Amazon & Oracle) claim to not keep logs; all of them have records of your traffic, none of them promise anonymity?

I might still trust a company like that with my history, rather than my direct ISP, but it is not anonymous…

Still, does make a secure connection, to a set end point.
And separates traffic from your home, so reduces risk/exposure to some bad actors (script kiddies and angry internet people, like Minecraft DDoSers).

I cannot speak for the future, and I surely will not bet on Mr Ellison not trying to make some good old money from a service that originally was promised to be free forever …
In the meantime, my 2 cents: I have met some of the guys that created part of the infrastructure for OCI, and I have been in the early development phase cycle as a partner … they are not the usual Oracle corporate lapdogs … but they still get their checks from Big Larry … so YMMV.
In the meantime, my main uses for the things I have deployed there are a VPN into my home LAN and Minecraft servers for the kids, so nothing that can’t be shut down in a pinch and/or nothing that cannot survive a migration to a more (at least officially) politically correct provider with the additional expense when the time comes …

1 Like