Hello comrades! In light of the fucked up state of the UK govt I’m looking at some VPN options to further harden my homelab.
Right now, I have zero VPN coverage for my seedbox/jellyfin server which of course means a major security hole, even if my ISP hasn’t shit over me for it yet.
I had a few questions about selfhosting a VPN versus a third party service.
- How does a self hosted VPN actually do anything? I was under the impression that VPNs had to be off-site to give the benefits of, say, location spoofing.
- Do I need to pay any subscriptions to other services for a self hosted VPN? At least in order to access features such as location spoofing.
- We use Cloudflare WARP at work to access internal services. Will a LAN-VPN Fuck this up even if I explicitly avoid spoofing my location to ensure my IT guy doesn’t shit a brick?
thanks cumrades!
My ISP doesn’t block commercial VPN usage but assuming the block is of known IP addresses of commercial VPNs, what I would do is:
- rent a VPS offshore
- OpenWRT router with wireguard through the VPS
- Wireguard on devices through a commercial VPN
So this would route your traffic home -> personal VPS -> commercial VPN
forgoing the block, whilst still meaning that websites see your IP address as being from the commercial VPN, avoiding de-anonymising you since your VPS IP address will only be used by you
The reason for the OpenWRT router is because generally you can’t have multiple wireguard connections on the same device. I’ve found that wireguard on the router then wireguard on device connected to the router allows me to route my traffic in that way, easily.
Now if your government tries detecting and blocking wireguard connections you’re probably more cooked, however in that case I imagine the kickback from businesses that need to use wireguard would be enough for your government to reconsider? The UK probably doesn’t want a reputation for being a bad place to set up a business.
Truly anonymous networking looks like this:
- Home -> Tor -> VPN/Proxy -> Tor -> VPN/Proxy -> Tor -> Web
If they start restricting VPN technologies, look into the tlsfragment/V2Ray/shadowsocks proxy software out there for the first hop.
Any VPN/Proxy is paid for with Monero via Tor. The network traffic is encrypted to one of the proxy servers with symmetric keys, installed by writing terabytes of data to them via SSH and then uploading a script which pulls the key from some random bytes throughout those terabytes. NSA isn’t logging every byte out of terabytes, just start/end & intermittent packets.
I’ve never found a link to it again but I use something known to me as ts (tombstone, I think?) and it is a virtual driver which I add on the self-hosted proxies/VPNs that effectively forces everything to the pagefile, which is encrypted on a ramdisk volume. They have to be unlocked via KVM though.
How does a self hosted VPN actually do anything? I was under the impression that VPNs had to be off-site to give the benefits of, say, location spoofing.
It wouldn’t do anything for the concerns you have. You want to avoid trouble for torrenting and avoid government internet censorship.
If you’re at work, where the government censors your internet access, it wouldn’t help you to route your connection through your home, where the government censors your internet access.
If you’re at home, worried a rights holder will join a swarm and clock the ip you’re downloading from, routing your traffic through a self hosted vpn on a vps you pay for which conforms to kyc laws isn’t going to prevent them from clocking an ip that goes to you on paper. Vps operators are not going to stand on business for you either just from my experience.
A self hosted vpn would allow you to dial into your home network and watch tv off your jellyfin when you’re at work though. Or ssh into your computers from the other side of the country.
Do I need to pay any subscriptions to other services for a self hosted VPN? At least in order to access features such as location spoofing.
Location spoofing comes from having your actual connection actually routed through an actual server in the actual location you’re spoofing from. When I want to stream Thomas the tank engine in the original localization and I set my mullvad connection to gb-glw-wg-002 my computers uplink to the internet actually goes through mullvads second WireGuard server in Glasgow, Great Britain before it asks for dns, etc. so when I pull up Thomas, the Netflix or whatever says “oi! ‘Es go’ a loicense f’ this ‘ere bad English!” And gives me the option of watching the banned in the us episodes where the gang has to avoid a diddler train that lurks in a tunnel.
If you were to self host, you’d need to maintain vpses in every place you wanna be from.
We use Cloudflare WARP at work to access internal services. Will a LAN-VPN Fuck this up even if I explicitly avoid spoofing my location to ensure my IT guy doesnt shit a brick?
Yes you will stand out.
It’s also expensive to rent unmetered vpses. Do your own research but you need to be below $5 a month to beat mullvad in price and below $3 to beat air.
And then you have to spend your time actually doing the setup and administration of the vpn on the vps.
And you’re not even laundering your traffic with everyone else coming out of there either, so there’s that.
The solution to your problem is a vpn service or two.
You want port forwarding on your vpn for torrenting and you want at least a decently paranoiac coded service for privacy.
People who pay for one vpn service to solve the problem you have use proton. It’s about eight bucks a month and you get port forwarding and it’s kinda okay for paranoia and privacy.
People who pay for two vpn services to solve the problem you have use mullvad for privacy and air or something for torrenting. It comes out to about eight bucks a month.
https://github.com/Nyr/wireguard-install
Cheap vps: https://vps.today/
Melbicom is pretty good. There are cheaper options too for Europe, since it’s an internet transit hub.
I like router level VPN for client instead of setting it on each device. Pfsense, routeros all good options.
I have a homelab that I could host the VPN on and route traffic through there? Unless the principle is different to how, say, PiHole works?
Does a VPS have its own issues since it would be tied to my banking info should I use it to bypass a government censor? Or are we suggesting:
LAN -> VPS -> VPN -> WAN
Yes ideally I want all network users on that VPN. How would a cheap VPS handle data streaming? I have 500mbps down so I imagine a VPS could be a massive bottleneck unless I pay £££
EDIT: ah looks like there are generally affordable VPS (£8/mo) that offer a good speed.
Melbicom has gigabit servers I think. If it’s close enough you could get full speed.
Europe in general you can find cheap gigabit vps. It’s Asia where transit is v expensive.
Does a VPS have its own issues since it would be tied to my banking info should I use it to bypass a government censor?
VPS can see ip addresses and encrypted data. Banking sites log your IP so yes they can tag your IP to your identity. Not a problem with shared airvpn and all.
With pihole you can have a different server connected to your router ie your home lab
But for whole network routing through VPN, the router itself must be doing it. Not the home lab.
Gotcha. I’ll make some notes on my options. Thank you!
For now it looks like the goal is:
Client (LAN) -> VPN (Router) -> VPS -> VPN -> WAN
Client(s) -> Your Router (hosting Wireguard VPN client) -> Encrypted Wireguard Tunnel Over Internet -> VPS (Wireguard Server) -> Internet.
With pihole you mentioned before
Your DNS Queries (only DNS on UDP port 53) -> Pihole on homelab (blocks/caches and forwards to encrypted DNS, either port 443 or 853) -> Router -> DNS Server listening on the same 443/853 (e.g. 1.1.1.1), whichever you set in the settings of Pihole
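The home-router-to-VPS leg that the VPS/OpenWRT post above and the Client -> Router -> VPS chain here both describe, as an added example that is not from any poster in this thread: a small shell script that writes the two WireGuard configs, one for the VPS (server) and one for the router (client). The VPS address 203.0.113.10, the tunnel subnets, the LAN range, the uplink name eth0 and the REPLACE_WITH_... key strings are placeholders; real keys come from `wg genkey` / `wg pubkey`. The script also carries a pre-flight check for the failure mode where a client config routes only 0.0.0.0/0 and silently leaves IPv6 on the ISP path.

```shell
#!/bin/sh
# Added example (not from the thread): write the WireGuard configs for the
# "home router -> VPS" leg.  Every address, name and key below is a placeholder.

VPS_PUBLIC_IP="203.0.113.10"    # placeholder (TEST-NET-3); your VPS's public address
WG_PORT="51820"
UPLINK_IF="eth0"                # placeholder: the VPS's internet-facing interface
# Constructed tunnel subnets: one IPv4, one ULA IPv6 so v6 is tunnelled too.
# (The VPS can only masquerade the ULA range to the internet if it has IPv6 itself;
#  without that, v6 is blackholed inside the tunnel, which still beats leaking it.)
SERVER_PRIVATE_KEY="REPLACE_WITH_wg_genkey_OUTPUT"
SERVER_PUBLIC_KEY="REPLACE_WITH_wg_pubkey_OUTPUT"
ROUTER_PRIVATE_KEY="REPLACE_WITH_wg_genkey_OUTPUT"
ROUTER_PUBLIC_KEY="REPLACE_WITH_wg_pubkey_OUTPUT"

# Server side: /etc/wireguard/wg0.conf on the VPS.
write_server_conf() {
  cat > "$1" <<EOF
[Interface]
Address = 10.66.66.1/24, fd66:66::1/64
ListenPort = $WG_PORT
PrivateKey = $SERVER_PRIVATE_KEY
PostUp = sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
# One "inet" table covers IPv4 and IPv6, so v6 is not forgotten in the NAT.
PostUp = nft add table inet wgnat; nft add chain inet wgnat postrouting '{ type nat hook postrouting priority 100; }'; nft add rule inet wgnat postrouting oifname "$UPLINK_IF" masquerade
PostDown = nft delete table inet wgnat

[Peer]
# The home router.  AllowedIPs is what the VPS routes back into the tunnel:
# the router's own tunnel addresses (the LAN stays hidden behind the router's NAT).
PublicKey = $ROUTER_PUBLIC_KEY
AllowedIPs = 10.66.66.2/32, fd66:66::2/128
EOF
}

# Client side: the wg0 interface on the OpenWRT router.
write_router_conf() {
  cat > "$1" <<EOF
[Interface]
Address = 10.66.66.2/24, fd66:66::2/64
PrivateKey = $ROUTER_PRIVATE_KEY

[Peer]
PublicKey = $SERVER_PUBLIC_KEY
# Endpoint given as an IP, so no DNS lookup has to cross the ISP uplink.
Endpoint = $VPS_PUBLIC_IP:$WG_PORT
# Both default routes: without ::/0, IPv6 keeps using the ISP uplink.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Pre-flight check for a client config: returns 0 only when AllowedIPs covers
# both address families, i.e. no IPv6 destination is left on the ISP path.
allowed_ips_cover_both_families() {
  grep -E '^AllowedIPs' "$1" | grep -q '0\.0\.0\.0/0' &&
  grep -E '^AllowedIPs' "$1" | grep -q '::/0'
}

OUT="${1:-$(mktemp -d)}"
write_server_conf "$OUT/vps-wg0.conf"
write_router_conf "$OUT/router-wg0.conf"
if allowed_ips_cover_both_families "$OUT/router-wg0.conf"; then
  echo "configs written to $OUT; router config tunnels IPv4 and IPv6"
else
  echo "router config would leak IPv6" >&2
  exit 1
fi
```

Run it with an output directory as the first argument (or let it create one under mktemp), then drop the two files in place and swap in real keys. The check function is the part worth keeping around: run it against any client config you edit later, since "AllowedIPs = 0.0.0.0/0" on its own is the classic way a tunnelled setup ends up leaking every IPv6 flow straight to the ISP.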
You could use tailscale and sign up for a mullvad exit node in a foreign country for $5 a month.
Or if your seedbox/jellyfin server is outside the country you can set up tailscale on it and use it as an exit node and route everything through that.
Cloudflare WARP and a VPN might have issues working together.
- VPNs are simply a way to securely access one network from another. Commercial VPN providers are allowing you to use their networks as if they were your own.
Self hosting isn’t really for location spoofing, it can only allow you to spoof the location where the VPN server is installed. They are used most commonly to access your home network while you are away without exposing your home network to all the threats of open internet ports.
- You could run your own VPN on a paid VPS hosting provider and spoof that location. Some folks do that for various reasons. It can give you more privacy than a commercial vpn, but you should assume that three letter agencies could harvest that data, although it would need to be more of a targeted attack rather than the wide scale harvesting that likely happens on commercial VPN providers. You’d also only be able to spoof the one location where your vps server is.
Edit: I think I may have misunderstood the question. What are you wanting to use the VPN for? To access your jellyfin from a remote location, or prevent your ISP from seeing you torrent? Or is it for location spoofing for web browsing and preventing data tracking?
If the former, use wireguard or Tailscale, or cloudflare service (can’t remember the name). If the latter you can use a commercial VPN only for your torrent software.
My main goals are as follows:
- Provide wider network privacy.
- Obscure Torrents traffic from my ISP/Government should their enforcement against this increase.
- Obscure traffic and bypass censorship of sites and services targeted by the so-called “Online safety act”. Whether that’s porn, wikipedia, or social media censored for Antizionism, I don’t care. I only mention location spoofing as that’s a mechanism of bypassing said censorship.
- Allow access to my home server remotely via my existing hosted domain in Cloudflare, which allows me to set family members up with client applications easily.
These goals won’t work well on the same setup. A commercial VPN provider will make you (more) anonymous to third parties like copyright snitches by mixing your traffic with other customers emerging from the same endpoint. A self hosted VPN can be useful for accessing your home network from outside, accessing the Internet from the location of your VPS, or hosting services from behind your ISP’s firewall, but does nothing for anonymity. The IP of the endpoint is leased exclusively to you.
A VPN itself is just a means of tunneling traffic from one location (e.g. your home) to another (e.g. some office or data center). You would want two separate VPNs to cover these use cases. A commercial (not self-hosted) one for piracy, and a self-hosted one on a VPS for the homelab to bypass the ISP firewall (and potentially non-pirate web browsing emerging from one specific location outside UK).
Be careful with the routing! Funny and unexpected things can happen when you activate or deactivate network interfaces. The traffic WILL be sent over the wrong interface (i.e. unencrypted torrents to your home ISP, bank transactions to the “anonymous” torrent VPN) unless there is a firewall preventing it, and IPv6 traffic will not be blocked by rules explicitly written for IPv4 address ranges. :)
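A concrete version of the “firewall preventing it” from the warning above, as an added example and not the poster’s own configuration: an nftables ruleset for the home router that lets LAN traffic leave only through wg0 and lets the router itself touch the ISP uplink only for the WireGuard handshake, DHCPv4 lease renewal and IPv6 neighbour discovery. The interface names br-lan/eth1/wg0, the VPS address 203.0.113.10 and the port are assumptions. The table is in the inet family, so the same rules apply to IPv4 and IPv6 at once, which is exactly the gap the IPv6 remark points at.

```shell
#!/bin/sh
# Added example (not from the thread): a router-side kill switch for the
# LAN -> wg0 -> VPS setup.  Interface names and addresses are placeholders.

LAN_IF="br-lan"                 # OpenWRT's default LAN bridge
WAN_IF="eth1"                   # placeholder: the ISP-facing interface
VPN_IF="wg0"
VPS_ENDPOINT_V4="203.0.113.10"  # placeholder (TEST-NET-3): the VPS's address
WG_PORT="51820"

# Emit the ruleset.  "inet" tables see IPv4 and IPv6 packets alike, so a
# global-IPv6 prefix handed out by the ISP cannot slip past IPv4-only rules.
killswitch_ruleset() {
  cat <<EOF
table inet killswitch {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # LAN hosts never go straight out the ISP uplink: new or existing flows, v4 or v6
    iifname "$LAN_IF" oifname "$WAN_IF" counter drop
    # replies coming back through the tunnel
    ct state established,related accept
    # new flows from the LAN may leave only through the tunnel
    iifname "$LAN_IF" oifname "$VPN_IF" accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oifname { "lo", "$LAN_IF", "$VPN_IF" } accept
    # the only new flow the router may open on the uplink is the handshake to the VPS
    # (Endpoint is an IP in the wg config, so no DNS has to cross the uplink)
    oifname "$WAN_IF" ip daddr $VPS_ENDPOINT_V4 udp dport $WG_PORT accept
    # keep the uplink itself alive: DHCPv4 renewals and IPv6 neighbour/router discovery
    oifname "$WAN_IF" udp sport 68 udp dport 67 accept
    oifname "$WAN_IF" icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
    oifname "$WAN_IF" counter drop
  }
}
EOF
}

# Audit helper: a ruleset covers both families only if it is in the "inet"
# family, or has both an "ip" and an "ip6" table.  A lone "ip" table is the
# mistake the warning describes.
ruleset_covers_both_families() {
  grep -q '^table inet ' "$1" || { grep -q '^table ip ' "$1" && grep -q '^table ip6 ' "$1"; }
}

OUT="${1:-$(mktemp -d)/killswitch.nft}"
killswitch_ruleset > "$OUT"
# Dry-run parse when nft is present and we have the privileges for it.
if command -v nft >/dev/null 2>&1 && nft -c -f "$OUT" 2>/dev/null; then
  echo "ruleset parses; apply with: nft -f $OUT"
else
  echo "ruleset written to $OUT (not dry-run checked: nft missing or needs root)"
fi
```

Load it with `nft -f` after the tunnel is up. On OpenWRT the same policy is normally expressed through fw4 zones (LAN forwards only to the wg zone), but this table can also sit alongside fw4’s own tables as an extra guard, because a drop verdict in any base chain is final. The `counter drop` lines are there for detection: `nft list table inet killswitch` shows how many packets tried to leave the wrong way, which is the quickest way to catch a leak after an interface flap or a reboot.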
- I have one just to access my LAN from afar or for privacy from work/public WiFi. But it won’t help circumvent any national blocks/websites blocking your country. It just makes it so that you’re basically connected to your home WiFi from anywhere, but that means any issues you have using your home Internet remain.
You would have to pay for a VPN, or rent a server somewhere else to circumvent issues with your home Internet.
A VPN on someone else’s box will mainly just cost you money and tie the traffic to yourself at a different location. If you’re looking to hide questionable downloads, I’d recommend Usenet over torrents. A VPN isn’t really necessary then, and is usually discouraged with software like the arr’s. I am all for the use of a VPN service, such as Mullvad, to increase privacy, but I don’t think you’ll have a good time self-hosting through it.
A self-hosted VPN would mean that you rent a server, install a VPN server software on the server, and then route your traffic through that server. The benefit of having self hosted VPN is that you would have more bandwidth. Typically, VPN companies will allocate 30-40 users to a single VPN server, so you get a fraction of the bandwidth. Also, your server will have a dedicated IP address, which could be good or bad depending on your needs.
If your goal is to bypass the UK govt firewall, a self-hosted VPN is fine. Renting a server requires that you provide ID, most times. If you commit any severe crimes (hacking, etc), the server company could be subpoenaed for your information. You probably shouldn’t use a self hosted VPN with public torrents. I’ve heard that people commonly use self-hosted VPNs with private torrents, without problem.