Projects

Self hosted VPN

The problem

One of the first and most utilitarian projects for my homelab was my VPN. The problem was simple: my cellular provider was throttling any traffic to video streaming platforms such as YouTube, Netflix, and Disney+. I could see internet speeds hovering over 10 Mbps to speed test sites or other services, but as soon as I started using a video streaming platform, I would get about 2-3 Mbps. My cellular provider was inspecting my traffic and flagging video streaming IPs for throttling. With a VPN connection, however, the traffic is encrypted, and the service provider only sees the IP address of the endpoint at the other end of the VPN tunnel.

 

Choosing the best solution

I knew that I could set up a VPN endpoint on any typical computer in my home. But it would be better if I had a dedicated device that was available 24/7 for this service, instead of just setting up a laptop on the days that I might think I need it. What I needed was a server.

 

Unfortunately, enterprise-level server equipment can be expensive, use a lot of power, and produce a lot of heat. That's why I decided to get a Raspberry Pi. I could run a lightweight distro on this device, it would sip minimal power, and it could be tucked away somewhere without being loud or in the way. Additionally, the large community support behind Raspbian OS (now called Raspberry Pi OS) meant that I had a lot of reference material and could easily troubleshoot.

 

Initial configuration

There are numerous tutorials for the initial setup of the Raspberry Pi, such as my own tutorial here. But it is important to set it up for headless (no keyboard, mouse, or display) use. This way, I could permanently set it up near my networking equipment and simply configure it over SSH. It is also important to assign the Raspberry Pi a static IP. This can be done through the Pi's network settings, on your DHCP server (most likely your all-in-one router unit), or on both.

 

Phoning home

The biggest challenge in maintaining a stable VPN that can operate 24/7 is knowing which IP to phone home to. If I were to deploy this server in the cloud, or in an enterprise environment, I could rely on a dedicated public IP address. Most ISPs, by contrast, will cycle your home through multiple public IP addresses over time. So we need a method of always knowing our home IP address.

 

The technology that should come to mind is DNS records. If I reserved a domain name and updated public DNS records whenever my IP address changed, I could reliably phone home. Thankfully, there are Dynamic DNS services such as Duck DNS or Dynu DNS. By reporting my IP address repeatedly using a cron job on the Pi, the DNS server will always have my home's latest IP address. Then I can point my VPN client, such as my phone, to the domain, which will be resolved to the IP address.
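The cron-driven update described above, as an added example that is not part of the original write-up: a POSIX shell script for Duck DNS that reads the account token from a private file, keeps it out of the process list, and checks the service's plain-text OK/KO reply. The subdomain example-home, the token path and the install path in the crontab comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Domain and paths are placeholders.
DDNS_DOMAIN="${DDNS_DOMAIN:-example-home}"        # constructed Duck DNS subdomain
TOKEN_FILE="${TOKEN_FILE:-$HOME/.duckdns/token}"  # assumed location of the secret

# True only if the token file exists and grants nothing to group or other.
token_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Duck DNS update URL; with no ip= parameter the service uses the source address.
build_url() {
    printf 'https://www.duckdns.org/update?domains=%s&token=%s' "$1" "$2"
}

# Feed the URL to curl on stdin (-K -) so the token never shows up in `ps` output.
ddns_fetch() {
    printf 'url = "%s"\n' "$1" | curl -fsS --max-time 10 -K -
}

# Returns 0 on "OK", 1 on "KO" or a network error, 2 on an unsafe token file.
run_update() {
    if ! token_file_is_private "$TOKEN_FILE"; then
        echo "ddns: $TOKEN_FILE missing or readable by others (chmod 600)" >&2
        return 2
    fi
    token=$(tr -d '[:space:]' < "$TOKEN_FILE")
    reply=$(ddns_fetch "$(build_url "$DDNS_DOMAIN" "$token")") || reply="network-error"
    if [ "$reply" = "OK" ]; then
        return 0
    fi
    echo "ddns: update for $DDNS_DOMAIN failed ($reply)" >&2
    return 1
}

# Crontab entry (assumed install path): */5 * * * * /usr/local/bin/ddns-update.sh --run
if [ "${1:-}" = "--run" ]; then
    run_update
fi
```

Failures go to stderr without the token, so cron's mail or log shows when the record has stopped updating and the VPN client may be resolving a stale address.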

 

Enabling the service

Now I was ready to install the VPN service on the server. PiVPN facilitates this process on the Raspberry Pi. I was prompted to choose between the tried and tested OpenVPN or the newer and faster WireGuard. I tested both, and WireGuard was both faster and more reliable, so it was an easy choice for me. Furthermore, I wanted to retain as much of my bandwidth as possible for video streaming.

 

After following the prompts, it is time to install and configure the client software on the client device. Once it is set up, it is time to test it. I was able to see it work both when connected to my wireless network and on cellular. I was also able to sniff the packets using Wireshark and see the handshake process as well as the encapsulation and encryption of normal traffic.

 

Considerations

It is important to note that anyone trying this will be limited by the home network's speeds. Most people with copper networking such as cable or DSL will have much slower upload speeds, which will in turn be the bottleneck for the client's download speeds.

 

Also, this VPN connection is not a silver bullet for privacy. Although my mobile provider will not be able to inspect my mobile traffic and know the destination IP addresses, there are still things to consider. Most importantly, my home ISP will still be able to see those destination IPs. After your VPN tunnel delivers the packets to your home, they are still sent to your ISP, which needs to know what IP address to route them to.

 

Other benefits

Aside from being able to bypass my provider's throttling, there are many great benefits to using a VPN to my home: