How to create a VPN server with Hetzner
Learn how to configure a personal VPN server with Hetzner and Meshnet.
© 2024 Nord Security. All Rights Reserved.
Having a personal VPN server can be beneficial in many scenarios: having a static IP address, accessing geo-restricted information online, or simply learning the basics of networking. In addition, you can share a single VPN server among several individuals to have IP-restricted access to certain resources, for example, important documents.
Hetzner is a large data center operator that offers a wide range of reliable and affordable cloud services, such as cloud servers, dedicated servers, and cloud storage. When used in conjunction with Meshnet and its traffic routing feature, Hetzner’s servers can be turned into VPN servers in just a few minutes.
This article goes over the process of deploying a virtual machine (VM) in the cloud using Hetzner and configuring it as a VPN server with the use of Meshnet.
Note
While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a strict no-logs policy, which is crucial for ensuring your online activities remain confidential.
Before you start, make sure that you have an active Hetzner account. During registration, you are required to provide your billing details.
When creating your VPN server, you will need to choose an SSH authentication method. It is recommended to use SSH key authentication for a more secure connection between your devices. If you intend to use SSH keys, proceed with the instructions below to generate an SSH key pair on your device:
Open PowerShell (on Windows) or Terminal (on macOS and Linux).
Execute the following command, where </path/key-name> is the desired path and the filename for the SSH key pair:
Example
This command generates private and public SSH keys at the specified path.
Display the contents of the public SSH key file by entering the cat command followed by the path to the file, as shown:
Example
Select and copy the command line output to your clipboard. The copied content will be required when configuring SSH access to the VM.
Your SSH key pair is now created and ready for use.
With the prerequisites taken care of, you can start working on creating your VPN server on Hetzner.
Hetzner allows you to group servers and other related resources into projects. With projects, you can share the resources with your peers and assign different roles for all users involved. For convenient management, it is recommended to create a new project for your VPN server by taking these steps:
On your Hetzner Cloud console, select New project.
Enter a custom name for your project.
Click Add project.
A new panel for your project should appear on your Hetzner dashboard.
If you want to use SSH key authentication to connect to your cloud VM, you can import the SSH key to the Hetzner project.
On your Hetzner Cloud console, click your newly created project.
From the menu on the left, select Security.
On the SSH keys page, click Add SSH key.
In the new dialog, in the SSH key field, paste the content of your public SSH key file.
In the Name field, enter a custom name for this specific SSH key or leave the automatically generated one.
You should now see an entry for your key on the SSH keys page.
With the project created, you can proceed to configure your cloud VPN server.
On your Hetzner Cloud console, under your new project, select Create server.
On the Create a server page, select your preferred location, operating system (OS) image, such as Ubuntu 22.04, and server type for your VPN server.
In the Networking section, make sure that Public IPv4 is selected. Optionally, you can choose to enable Private networks and configure the network to allow multiple cloud servers to interact with one another.
If you choose to use SSH key authentication, under SSH keys, select your imported SSH key.
Under Name, enter a custom name for your VPN server.
Double-check all of your settings and click Create & buy now.
Within a few minutes, your cloud server should be deployed and active.
Once the cloud server is created, you can connect to it over SSH. Depending on the SSH authentication method you chose, the ways to connect to the VM are slightly different.
Locate the public IP address of your VM. It can be found in the Servers section of your Hetzner Cloud project.
Open PowerShell (on Windows) or Terminal (on macOS and Linux).
Run the ssh -i </path/to/private/key> root@<server> command, where:
</path/to/private/key> is the location of your private SSH key file.
<server> is the external IP address of your cloud VM.
Example
When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type yes in response to the prompt.
You should now be successfully connected to your cloud VM instance.
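The fingerprint shown in that first-connection prompt can be checked before answering yes. The script below is an added example, not part of the original article: it assumes you have copied the server's host public key line (on Ubuntu, the contents of /etc/ssh/ssh_host_ed25519_key.pub) over a channel you trust, such as the provider's web console. The function names, the key line and the address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): verify the host key before typing "yes".
# Assumption: the key line below was read over a trusted channel; function names are
# hypothetical. The sample blob is a constructed placeholder (base64 of "abc"), not a real key.
TRUSTED_KEY_LINE='ssh-ed25519 YWJj constructed-sample'
SHOWN_FP='SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0'   # as printed in the ssh prompt
SERVER_IP='203.0.113.10'                                        # documentation address

# SHA-256 over the decoded key blob (second field of the key line), as hex.
pubkey_sha256_hex() {
    printf '%s\n' "$1" | awk '{print $2}' | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Turn the client's "SHA256:<base64>" string into hex. OpenSSH prints the
# digest without "=" padding, so restore it before decoding.
shown_fp_to_hex() {
    b64=${1#SHA256:}
    case $(( ${#b64} % 4 )) in
        2) b64="${b64}==" ;;
        3) b64="${b64}=" ;;
    esac
    printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeeds only if the prompt's fingerprint is a 32-byte digest that matches the trusted key.
verify_host_fp() {
    shown=$(shown_fp_to_hex "$2")
    [ "${#shown}" -eq 64 ] && [ "$(pubkey_sha256_hex "$1")" = "$shown" ]
}

# known_hosts entry that pins the trusted key to the server address, so the
# client compares keys itself instead of asking.
known_hosts_line() {
    printf '%s %s\n' "$1" "$(printf '%s\n' "$2" | awk '{print $1, $2}')"
}

if verify_host_fp "$TRUSTED_KEY_LINE" "$SHOWN_FP"; then
    echo "fingerprint matches; pin with:"
    known_hosts_line "$SERVER_IP" "$TRUSTED_KEY_LINE"
else
    echo "fingerprint MISMATCH: do not answer yes" >&2
fi
```

Appending the printed line to your known_hosts file lets the SSH client reject a different host key on its own at the next connection.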
To set up NordVPN on your cloud VM, follow these steps:
Download and execute the NordVPN installation script by running this command:
Log in to your NordVPN account.
You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:
By running the nordvpn login command with the --token flag
By running the nordvpn login command with the --callback flag
Instructions for both methods are outlined below.
Tip
To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.
Note
If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, reboot your instance and log back in.
On your instance, enable Meshnet by typing this command:
To view the Nord name and Meshnet IP address of your instance, enter the following command.
You will also see all of your Meshnet peer devices with their corresponding permissions.
To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:
Example
For more information, see the Traffic routing permissions page.
To start using your new cloud VM as a VPN server, you need to start routing internet traffic from a client device through the VM.
On your client device, open NordVPN and log in to your account.
Start routing traffic through the linked host device. Example
For specific instructions, see the Routing traffic in Meshnet article.
Your IP address should now be the same as the virtual machine’s. This way, your real public IP address is protected, and the websites you visit will see the location of your VPN server instead of your actual device.
Select Add SSH key.
Enter the password you received from Hetzner via email.