# How to create a VPN server with Hetzner ## Introduction Having a personal VPN server can prove to be beneficial in many scenarios: having a [static IP address](https://nordvpn.com/blog/what-is-static-ip/), accessing geo-restricted information online, or simply learning the basics of networking. In addition, you can use a single VPN server between several individuals to have IP-restricted access to certain resources, for example, important documents. [Hetzner](https://www.hetzner.com/) is a large data center operator that offers a wide range of reliable and affordable cloud services, such as cloud servers, dedicated servers, and cloud storage. When used in conjunction with Meshnet and its [traffic routing feature](https://meshnet.nordvpn.com/features/routing-traffic-in-meshnet), Hetzner’s servers can be turned into VPN servers in just a few minutes. This article goes over the process of deploying a virtual machine (VM) in the cloud using Hetzner and configuring it as a VPN server with the use of [Meshnet](https://nordvpn.com/meshnet/). {% hint style="info" %} **Note** While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a [strict no-logs policy](https://nordvpn.com/features/strict-no-logs-policy/), which is crucial for ensuring your online activities remain confidential. {% endhint %} ## Prerequisites Before you start, make sure that you have an active [Hetzner account](https://accounts.hetzner.com/signUp). During registration, you are required to provide your billing details. ### Generate an SSH key (optional) When creating your VPN server, you will need to choose an [SSH authentication method](https://nordvpn.com/cybersecurity/glossary/secure-shell/). It is recommended to use SSH key authentication for a more secure connection between your devices. If you intend to use SSH keys, proceed with the instructions below to generate an SSH key pair on your device: 1. Open **PowerShell** (on Windows) or **Terminal** (on macOS and Linux). 2. Execute the following command, where `` is the desired path and the filename for the SSH key pair:

ssh-keygen -f </path/key-name>

\ **Example**

ssh-keygen -f C:\Users\secretmeerkat/.ssh/hetzner-vpn

\ This command generates private and public SSH keys at the specified directory. 3. Display the contents of the public SSH key file by entering the `cat` command followed by the path to the file, as shown:

cat </path/key-name>

\ **Example**

cat C:\Users\secretmeerkat/.ssh/hetzner-vpn

4. Select and copy the command line output to your clipboard. The copied content will be required when configuring SSH access to the VM.

Content of the SSH public key visible in the terminal window.

Your SSH key pair is now created and ready for use. ## Create a VM instance on Hetzner With the prerequisites taken care of, you can start working on creating your VPN server on Hetzner. ### Create a new project Hetzner allows you to group servers and other related resources into [projects](https://docs.hetzner.com/cloud/general/faq/#what-are-projects-and-how-can-i-use-them). With projects, you can share the resources with your peers and assign different roles for all users involved. For convenient management, it is recommended to create a new project for your VPN server by taking these steps: 1. On your [Hetzner Cloud console](https://console.hetzner.cloud/projects), select **New project**. 2. Enter a custom name for your project. 3. Click **Add project**.

Adding a new project called 'VPN servers' in Hetzner.

A new panel for your project should appear on your Hetzner dashboard. ### Import your SSH key (optional) If you want to use SSH key authentication to connect to your cloud VM, you can import the SSH key to the Hetzner project. 1. On your Hetzner Cloud console, click your newly created project. 2. From the menu on the left, select **Security**. 3. On the **SSH keys** page, click **Add SSH key**. 4. In the new dialog, in the **SSH key** field, paste the content of your public SSH key file. 5. In the **Name** field, enter a custom name for this specific SSH key or leave the automatically generated one. 6. Select **Add SSH key**.\ \ ![Adding the generated SSH key to the Hetzner project.](https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FvG6B1s53jYsFx9Wv2rqs%2Fhetzner_ssh_key_add.png?alt=media\&token=082eaef0-a3d0-44a7-99c0-8cd6ee36d865) You should now see an entry for your key on the SSH keys page.

### Configure the VM With the project created, you can proceed to configure your cloud VPN server. 1. On your Hetzner Cloud console, under your new project, select **Create server**.

Clicking 'Create server' on the Hetzner Cloud console.

2. On the **Create a server** page, select your preferred location, operating system (OS) image, such as Ubuntu 22.04, and server type for your VPN server. 3. In the **Networking** section, make sure that **Public IPv4** is selected. Optionally, you can choose to enable **Private networks** and configure the network to allow multiple cloud servers to interact with one another. 4. If you choose to use SSH key authentication, under **SSH keys**, select your imported SSH key.

5. Under **Name**, enter a custom name for your VPN server. 6. Double-check all of your settings and click **Create & buy now**. Within a few minutes, your cloud server should be deployed and active.

## Access your VM instance Once the cloud server is created, you can connect to it over SSH. Depending on the SSH authentication method you chose, the ways to connect to the VM are slightly different. {% tabs %} {% tab title="SSH key authentication" %} 1. Locate the public IP address of your VM. It can be found in the **Servers** section of your Hetzner Cloud project.

Copying the public IP address of the cloud VM.

2. Open **PowerShell** (on Windows) or **Terminal** (on macOS and Linux). 3. Run the `ssh -i root@` command, where: * `` is the location of your private SSH key file. * `` is the external IP address of your cloud VM.\ \ **Example**

ssh -i C:\Users\secretmeerkat/.ssh/hetzner-vpn root@135.181.201.210

4. When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type `yes` in response to the prompt. You should now be successfully connected to your cloud VM instance. {% endtab %} {% tab title="SSH password authentication" %} 1. Locate the public IP address of your VM. It can be found in the **Servers** section of your Hetzner Cloud project.

2. Open **PowerShell** (on Windows) or **Terminal** (on macOS and Linux). 3. Run the `ssh root@` command, replacing `` with the VM’s public IP address.\ \ **Example**

ssh root@135.181.201.210

4. When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type `yes` in response to the prompt. 5. Enter the password you received from Hetzner via email.\ \ ![SSH password received via email from Hetzner.](https://3559400189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0cTezbT2vN0lurEio8Z5%2Fuploads%2FBgDkRymwbKuSnQgJ0WuS%2Fhetzner_ssh_pass_email.png?alt=media\&token=2e57ff26-05b0-4126-bb7c-7966b57c23cd) You should now be successfully connected to your cloud VM instance. {% endtab %} {% endtabs %} ## Install NordVPN on the VM To set up NordVPN on your cloud VM, follow these steps: 1. Download and execute the NordVPN installation script by running this command:

sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)

2. Log in to your NordVPN account. ### Log in to NordVPN You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways: * By running the `nordvpn login` command with the `--token` flag * By running the `nordvpn login` command with the `--callback` flag Instructions for both methods are outlined below.

1. On any device, log in to your [Nord Account](https://my.ndaccount.com/) dashboard and select the **Meshnet (by NordVPN)** card.

"Meshnet (by NordVPN)" card highlighted.

2. Under **Advanced settings**, select **Get access token**.

Clicking the 'Set up NordVPN manually' button.

3. Enter the verification code sent to your email address. 4. Under **Access token**, click **Generate new token**.

5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select **Generate token**.

6. Select **Copy and close**. 7. On your VM, enter the `nordvpn login --token` command along with the copied token:

nordvpn login --token <your_token>

\ **Example**

nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b

You should now see a welcome message.

1. Run the following command:

nordvpn login

2. Open the provided link on any device in your browser. 3. Complete the login procedure. 4. Right-click the **Continue** button and select **Copy link address**. 5. Run the following command, replacing `` with the previously copied link address:

nordvpn login --callback "<URL>"

\ **Example**

nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"

You should now see a welcome message.

{% hint style="success" %} **Tip** To preserve your token when logging out of the NordVPN app, use the `nordvpn logout --persist-token` command. Otherwise, your token will be revoked. {% endhint %} {% hint style="info" %} **Note** If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter `sudo usermod -aG nordvpn $USER`. Then, reboot your instance and log back in. {% endhint %} ## Enable Meshnet On your instance, [enable Meshnet](https://meshnet.nordvpn.com/getting-started/how-to-start-using-meshnet/using-meshnet-on-linux) by typing this command: {% code overflow="wrap" %} ```bash nordvpn set meshnet on ``` {% endcode %} To view the Nord name and Meshnet IP address of your instance, enter the following command. {% code overflow="wrap" %} ```bash nordvpn meshnet peer list ``` {% endcode %}

Nord name and Meshnet IP address of the VM.

You will also see all of your Meshnet peer devices with their [corresponding permissions](https://meshnet.nordvpn.com/features/explaining-permissions). ### Grant the traffic routing permission To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command: {% code overflow="wrap" %} ```bash nordvpn meshnet peer routing allow ``` {% endcode %} **Example** {% code overflow="wrap" %} ```bash nordvpn meshnet peer routing allow secret.meerkat-everest.nord ``` {% endcode %} For more information, see the [Traffic routing permissions](https://meshnet.nordvpn.com/features/explaining-permissions/traffic-routing-permissions#changing-permissions) page. ## Start using your VPN server To start using your new cloud VM as a VPN server, you need to start routing internet traffic from a client device through the VM. 1. On your client device, open NordVPN and log in to your account. 2. Start routing traffic through the linked host device.\ \ **Example**

Selecting a traffic routing host device under the "Devices" tab.

For specific instructions, see the [Routing traffic in Meshnet](https://meshnet.nordvpn.com/features/routing-traffic-in-meshnet#see-also) article. [Your IP address](https://nordvpn.com/what-is-my-ip/) should now be the same as the virtual machine’s. This way, your real public IP address is protected, and the websites you visit will see the location of your VPN server instead of your actual device.

Checking the new IP address after connecting to the VPN server.