How to create a VPN server with Linode
Discover how to create your custom VPN server using Linode and Meshnet.
Introduction
In this guide, you will learn how to create a custom VPN server on Linode using Meshnet. One of the benefits of hosting your own VPN is having more control over your IP address, which can be advantageous in managing privacy and enhancing network security. This can be particularly useful if you need to access content that may be restricted by geographical location.
Linode, a well-known cloud hosting provider, lets you build a reliable VPN server featuring scalable resources, a variety of global data center locations, and the ability to migrate servers between data centers. With Meshnet, the process of setting up a VPN server on Linode is made accessible for users with different levels of technical expertise. Meshnet's routing capability allows you to bypass the complexity associated with traditional VPN configurations.
The guide will walk you through the steps of deploying a Linode instance, securing SSH access with key-based authentication, installing the NordVPN app, and routing traffic through the server using Meshnet.
Note
While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a strict no-logs policy, which is crucial for ensuring your online activities remain confidential.
Prerequisites
Before you begin, make sure you have a Linode account with billing activated. As a new customer, you are eligible to receive free credits.
If you do not have a Linode account yet, you can sign up for one by visiting the Linode signup page.
Deploy a Linode instance
First, you need to create a new Linode instance, also called a Linode, that will serve as the host for your personalized VPN server.
Note
While this tutorial focuses on configuring an Ubuntu-based instance, the steps below are applicable to other Linux distributions available on Linode, including CentOS, Debian, Fedora, and more.
To configure and launch a Linode instance:
Log in to the Linode Cloud Manager, and then select Create and choose Linode from the dropdown menu.
Select a distribution for your instance. It is recommended to use the latest version of Ubuntu, which is currently Ubuntu 22.04 LTS.
Under Region, choose a data center location for your Linode instance.
Choose a plan that aligns with your requirements for RAM, CPU, and storage. For example, you can select a shared CPU plan, such as Nanode 1GB, which is a popular choice for personal use.
Under Linode label, provide a label that indicates the purpose of your instance. For example:
Set a root password for your Linode instance. You can also add an SSH key at this stage or later. For instructions on generating and configuring an SSH key pair, refer to the Secure SSH access with key-based authentication section further in this guide.
To initiate the deployment process, click the Create Linode button located at the bottom.
Once started, the creation process redirects you to the instance's information page, where you can track the deployment status and find the IP addresses of your instance.
Connect to your instance
Now that you have your Linode instance ready, you can access it from your local machine using an SSH client.
On the instance information page, under the Access section, copy the SSH access command along with the public IPv4 address assigned to the instance.
Paste the command into your local computer’s terminal and press Enter.
When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type yes in response to the prompt, as shown:
You should now be successfully connected to your Linode instance.
Secure SSH access with key-based authentication
By default, when you connect to your Linode instance, authentication is done via a password. For enhanced security, you can switch to key-pair authentication instead. Follow the steps below to create a key pair and configure your instance to accept only key-based SSH logins.
Generate an SSH key pair
On your local machine, open the terminal.
Run the following command:
When prompted for the file name, you can either:
Press Enter to use the default names — id_rsa and id_rsa.pub — and save them in the default directory.
Type a custom path and file name to save the private and public keys with the specified name and location, as follows:
Example
When creating the key pair, you can choose to encrypt the private key with a passphrase to add security. If you prefer not to use a passphrase, leave the field blank and press Enter.
Note
If you are using a Windows machine, specify the custom path using the Windows format, such as C:\path\key_filename.
Set permissions for the private key
After creating the SSH key pair, set the appropriate permissions for the private key to ensure that only you can access it.
Right-click the private key.
Select Properties, choose the Security tab, and click Advanced.
Click Disable inheritance > Convert inherited permissions into explicit permission on this object.
Back in the Advanced security settings window, remove access for all users except your own account by selecting a permission entry and clicking Remove.
Add the public key to the instance
To add your public SSH key to the Linode instance, follow these steps:
On your local computer, open the terminal (PowerShell on Windows).
Display the contents of the public SSH key file by entering the cat command followed by the path to the file.
Example
The contents of your SSH key will be displayed in the terminal. Select and copy the output, which starts with ssh-rsa and ends with <your_username>@<hostname>.
Create the ~/.ssh directory and authorized_keys file, and set appropriate permissions, as follows:
Open the authorized_keys file with a text editor, such as nano, by entering this command:
Paste the contents of your public key on a new line and press Ctrl + X, followed by Y, and then press Enter to save the changes.
Tip
You can automate the public SSH key upload process as described in the How to access remote systems over Meshnet using SSH article. This method is useful for managing multiple instances or frequent key uploads.
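The directory, file and permission steps above, written as one repeatable function to run on the instance. This is an added example, not part of the original guide, and install_pubkey is a hypothetical helper name. It rejects a pasted private key, appends the key only once, and sets 700 on ~/.ssh and 600 on authorized_keys, which satisfies sshd's StrictModes check.

```shell
#!/bin/sh
# Added example (not from the original guide): install a public key line
# into authorized_keys with owner-only permissions.

# install_pubkey <public-key-line> [home-dir]
# Returns 0 if the key is present afterwards, 1 if the input is rejected.
install_pubkey() {
    key=$1
    home=${2:-$HOME}

    # A private key or any multi-line paste must never reach the server.
    case $key in
    *PRIVATE\ KEY*|*'
'*)
        echo "refusing: private key or multi-line input" >&2
        return 1 ;;
    esac

    # Accept only "<key-type> <base64> [comment]".
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' \
        || { echo "refusing: not a public key line" >&2; return 1; }

    # Owner-only access to the directory and the file.
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"

    # Append only if this exact line is not already present (idempotent).
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
}
```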
Connect to the instance using the SSH keys
To further secure your server, you can disable password authentication and rely solely on SSH key-pair authentication. However, before doing so, make sure that you can access your instance through SSH key-pair authentication.
Exit the current SSH session on your Linode instance by typing exit and pressing Enter.
To establish an SSH connection using key-based authentication, enter the following command:
Replace </path/private-key-file> with the path to your private SSH key file and <linode-ip-address> with the IP address of your Linode instance.
Example
If you set a passphrase for your private key, you'll be prompted to enter it when connecting. Once you enter the correct passphrase, you should be logged in to your Linode.
Disable password authentication
Once you've verified that you can access your instance using SSH key-pair authentication, you may want to consider disabling password authentication.
Open the SSH configuration file in a text editor, such as nano, by entering:
Locate the line that begins with PasswordAuthentication and change the value to no, as shown:
To save and close the file, press Ctrl + X, followed by Y, and then press Enter.
Restart the SSH service to apply the changes by entering:
If you're able to log in to the instance successfully without entering a password, it confirms that your public key has been added and your private key is working as expected.
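An added check, not part of the original guide, for whether the PasswordAuthentication edit above actually takes effect. sshd keeps the first value it reads for a keyword, and the stock Ubuntu 22.04 sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file that sets PasswordAuthentication yes would win over the line you changed. The function names are hypothetical, and only one level of Include is followed.

```shell
#!/bin/sh
# Added example (not from the original guide): report which file decides
# PasswordAuthentication, following sshd's first-value-wins rule.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# first_setting <file>: print the first global PasswordAuthentication value
# in <file>; fail if there is none before a Match block.
first_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { exit !found }' "$1"
}

# effective_password_auth <sshd_config>: print "<value> <deciding file>".
# Relative Include patterns are resolved against the config's directory
# (sshd resolves them against /etc/ssh).
effective_password_auth() {
    main=$1
    dir=$(dirname "$main")
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f      # split into words, no globbing
        [ $# -ge 2 ] || continue          # blank or valueless line
        case $(lower "$1") in
        include)
            shift
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$dir/$pat ;; esac
                for f in $pat; do         # glob expands in sorted order
                    [ -f "$f" ] || continue
                    if v=$(first_setting "$f"); then
                        echo "$v $f"; return 0
                    fi
                done
            done ;;
        passwordauthentication)
            echo "$(lower "$2") $main"; return 0 ;;
        match)
            break ;;                      # conditional blocks are not evaluated
        esac
    done < "$main"
    echo "yes built-in-default"           # OpenSSH default when the keyword is unset
}
```

On the instance, call it as effective_password_auth /etc/ssh/sshd_config; running sudo sshd -T and looking for the passwordauthentication line shows the value the daemon itself resolves.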
Install NordVPN on the instance
To set up NordVPN on your instance, follow these steps:
Download and install the NordVPN Linux client by entering this command in the instance terminal:
Log in to your NordVPN account.
Log in to NordVPN
You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:
By running the nordvpn login command with the --token flag
By running the nordvpn login command with the --callback flag
Instructions for both methods are outlined below.
Tip
To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.
Note
If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, reboot your instance and log back in.
Enable Meshnet
On your instance, enable Meshnet by typing this command:
To view the Nord name and Meshnet IP address of your instance, enter the following command.
Additionally, you will see all the devices connected to your network. Depending on the Meshnet permissions granted to each device, they will have access to this server via Meshnet.
Grant the traffic routing permission
To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:
Example
For more information, see the Traffic routing permissions page.
Route traffic through your server
To begin using your instance as a VPN server, you need to route traffic from a client device through the instance. Follow these steps:
On your client device, open NordVPN and log in to your account.
Start routing traffic through the linked host device you set up.
For detailed guidance on enabling traffic routing, refer to Routing traffic in Meshnet.
Your device's IP address should now match the public IP address of your instance. This way, your real IP address remains secure, and the websites you visit will detect the location of your VPN server instead of your actual device.