How to create a VPN server with Hetzner

Learn how to configure a personal VPN server with Hetzner and Meshnet.

Introduction

Having a personal VPN server can prove to be beneficial in many scenarios: having a static IP address, accessing geo-restricted information online, or simply learning the basics of networking. In addition, you can use a single VPN server between several individuals to have IP-restricted access to certain resources, for example, important documents.
Hetzner is a large data center operator that offers a wide range of reliable and affordable cloud services, such as cloud servers, dedicated servers, and cloud storage. When used in conjunction with Meshnet and its traffic routing feature, Hetzner’s servers can be turned into VPN servers in just a few minutes.
This article goes over the process of deploying a virtual machine (VM) in the cloud using Hetzner and configuring it as a VPN server with the use of Meshnet.
Note
While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a strict no-logs policy, which is crucial for ensuring your online activities remain confidential.

Prerequisites

Before you start, make sure that you have an active Hetzner account. During registration, you are required to provide your billing details.

Generate an SSH key (optional)

When creating your VPN server, you will need to choose an SSH authentication method. It is recommended to use SSH key authentication for a more secure connection between your devices. If you intend to use SSH keys, proceed with the instructions below to generate an SSH key pair on your device:
  1. Open PowerShell (on Windows) or Terminal (on macOS and Linux).
  2. Execute the following command, where </path/key-name> is the desired path and filename for the SSH key pair:
     ssh-keygen -f </path/key-name>
     Example
     ssh-keygen -f C:\Users\secretmeerkat/.ssh/hetzner-vpn
     This command generates two files: the private key at </path/key-name> and the public key at </path/key-name>.pub.
  3. Display the contents of the public SSH key file by entering the cat command followed by the path to the .pub file, as shown:
     cat </path/key-name>.pub
     Example
     cat C:\Users\secretmeerkat/.ssh/hetzner-vpn.pub
  4. Select and copy the command line output to your clipboard. The copied content will be required when configuring SSH access to the VM. Copy only the public key; the private key file stays on your device.
Your SSH key pair is now created and ready for use.
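The key-handling steps above, as an added example that is not part of the original article: a guard that prints a key file for pasting only if it is a public key, falling back to the .pub file that ssh-keygen writes next to the private key. The function names and the sample path in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article).
# Guards the "copy your public key" step: a private key is never printed.

# Return 0 if the first line of the file looks like an OpenSSH public key.
is_public_key() {
    local file=$1 first=
    [ -r "$file" ] || return 2
    # Read the first line; tolerate a missing trailing newline.
    IFS= read -r first < "$file" || [ -n "$first" ] || return 1
    case $first in
        -----BEGIN*) return 1 ;;                      # private key block
        ssh-*\ *|ecdsa-sha2-*\ *|sk-*\ *) return 0 ;; # "<type> <base64> [comment]"
        *) return 1 ;;
    esac
}

# Print the public half of a key pair for pasting into the cloud console.
# Accepts either the .pub path or the private key path; in the second case
# the private file is left unread on screen and <path>.pub is printed.
print_public_key() {
    local file=$1
    if is_public_key "$file"; then
        cat "$file"
    elif is_public_key "$file.pub"; then
        echo "not printing $file (not a public key); using $file.pub" >&2
        cat "$file.pub"
    else
        echo "no public key found at $file or $file.pub" >&2
        return 1
    fi
}

# Usage (hypothetical path):
#   print_public_key ~/.ssh/hetzner-vpn
```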

Create a VM instance on Hetzner

With the prerequisites taken care of, you can start working on creating your VPN server on Hetzner.

Create a new project

Hetzner allows you to group servers and other related resources into projects. With projects, you can share the resources with your peers and assign different roles for all users involved. For convenient management, it is recommended to create a new project for your VPN server by taking these steps:
  1. On your Hetzner Cloud console, select New project.
  2. Enter a custom name for your project.
  3. Click Add project.
A new panel for your project should appear on your Hetzner dashboard.

Import your SSH key (optional)

If you want to use SSH key authentication to connect to your cloud VM, you can import the SSH key to the Hetzner project.
  1. On your Hetzner Cloud console, click your newly created project.
  2. From the menu on the left, select Security.
  3. On the SSH keys page, click Add SSH key.
  4. In the new dialog, in the SSH key field, paste the content of your public SSH key file.
  5. In the Name field, enter a custom name for this specific SSH key or leave the automatically generated one.
  6. Select Add SSH key.
You should now see an entry for your key on the SSH keys page.

Configure the VM

With the project created, you can proceed to configure your cloud VPN server.
  1. On your Hetzner Cloud console, under your new project, select Create server.
  2. On the Create a server page, select your preferred location, operating system (OS) image, such as Ubuntu 22.04, and server type for your VPN server.
  3. In the Networking section, make sure that Public IPv4 is selected. Optionally, you can choose to enable Private networks and configure the network to allow multiple cloud servers to interact with one another.
  4. If you choose to use SSH key authentication, under SSH keys, select your imported SSH key.
  5. Under Name, enter a custom name for your VPN server.
  6. Double-check all of your settings and click Create & buy now.
Within a few minutes, your cloud server should be deployed and active.

Access your VM instance

Once the cloud server is created, you can connect to it over SSH. Depending on the SSH authentication method you chose, the ways to connect to the VM are slightly different.
SSH key authentication
  1. Locate the public IP address of your VM. It can be found in the Servers section of your Hetzner Cloud project.
  2. Open PowerShell (on Windows) or Terminal (on macOS and Linux).
  3. Run the ssh -i </path/to/private/key> root@<server> command, where:
     • </path/to/private/key> is the location of your private SSH key file.
     • <server> is the external IP address of your cloud VM.
     Example
     ssh -i C:\Users\secretmeerkat/.ssh/hetzner-vpn [email protected]
  4. When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type yes in response to the prompt.
You should now be successfully connected to your cloud VM instance.
SSH password authentication
  1. Locate the public IP address of your VM. It can be found in the Servers section of your Hetzner Cloud project.
  2. Open PowerShell (on Windows) or Terminal (on macOS and Linux).
  3. Run the ssh root@<server> command, replacing <server> with the VM’s public IP address.
  4. When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type yes in response to the prompt.
  5. Enter the password you received from Hetzner via email.
You should now be successfully connected to your cloud VM instance.

Install NordVPN on the VM

To set up NordVPN on your cloud VM, follow these steps:
  1. Download and execute the NordVPN installation script by running this command:
     sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)
  2. Log in to your NordVPN account.
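A more cautious variant of the install step, as an added example that is not NordVPN's own procedure: the script is saved to a file so it can be read before it runs as root, and it is executed only while its SHA-256 still matches the value recorded at review time. The pinned hash is one you record yourself after reading the script, not a vendor-published value; the function names and staging path are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or from NordVPN).
INSTALLER_URL="https://downloads.nordcdn.com/apps/linux/install.sh"  # URL from the article

# Download to a file instead of streaming the script straight into sh.
fetch_installer() {            # $1 = destination file
    wget -qO "$1" "$INSTALLER_URL" && [ -s "$1" ]
}

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run the staged script only if it is byte-for-byte the copy that was reviewed.
run_if_reviewed() {            # $1 = file, $2 = hash recorded after review
    local actual
    actual=$(file_sha256 "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "hash mismatch: got $actual, reviewed $2; read the script again" >&2
        return 1
    fi
    sh "$1"
}

# Usage on the VM (staging path is hypothetical):
#   fetch_installer /root/nordvpn-install.sh
#   less /root/nordvpn-install.sh              # read what will run as root
#   file_sha256 /root/nordvpn-install.sh       # record this value
#   run_if_reviewed /root/nordvpn-install.sh <recorded-hash>
```

Recording the hash once also lets you reuse the same reviewed copy on further servers; a mismatch later means the published script changed and needs another read.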

Log in to NordVPN

You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:
  • By running the nordvpn login command with the --token flag
  • By running the nordvpn login command with the --callback flag
Instructions for both methods are outlined below.
Log in using a token
  1. On any device, log in to your Nord Account dashboard and, under NordVPN Meshnet free, select View details.
  2. Scroll down until you see Manual setup, and select Set up NordVPN manually.
  3. Enter the verification code sent to your email address.
  4. Under Access token, select Generate new token.
  5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select Generate token.
  6. Select Copy and close.
  7. On your VM, enter the nordvpn login --token command along with the copied token:
     nordvpn login --token <your_token>
     Example
     nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b
You should now see a welcome message.
Log in using a URL
  1. Run the following command:
     nordvpn login
  2. Open the provided link on any device in your browser.
  3. Complete the login procedure.
  4. Right-click the Continue button and select Copy link address.
  5. Run the following command, replacing <URL> with the previously copied link address:
     nordvpn login --callback "<URL>"
     Example
     nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"
You should now see a welcome message.
Tip
To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.
Note
If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, reboot your instance and log back in.

Enable Meshnet

On your instance, enable Meshnet by typing this command:
nordvpn set meshnet on
To view the Nord name and Meshnet IP address of your instance, enter the following command:
nordvpn meshnet peer list
You will also see all of your Meshnet peer devices with their corresponding permissions.

Start using your VPN server

To start using your new cloud VM as a VPN server, you need to start routing internet traffic from a client device through the VM.
  1. On your client device, open NordVPN and log in to your account.
  2. Start routing traffic through the linked host device.
For specific instructions, see the Routing traffic in Meshnet article.
Your IP address should now be the same as the virtual machine’s. This way, your real public IP address is protected, and the websites you visit will see the location of your VPN server instead of your actual device.
© 2023 Nord Security. All Rights Reserved.