How to create a VPN server with Linode

Discover how to create your custom VPN server using Linode and Meshnet.

Introduction

In this guide, you will learn how to create a custom VPN server on Linode using Meshnet. One of the benefits of hosting your own VPN is having more control over your IP address, which can be advantageous in managing privacy and enhancing network security. This can be particularly useful if you need to access content that may be restricted by geographical location.

Linode, a well-known cloud hosting provider, lets you build a reliable VPN server featuring scalable resources, a variety of global data center locations, and the ability to migrate servers between data centers. With Meshnet, the process of setting up a VPN server on Linode is made accessible for users with different levels of technical expertise. Meshnet's routing capability allows you to bypass the complexity associated with traditional VPN configurations.

The guide will walk you through the steps of deploying a Linode instance, securing SSH access with key-based authentication, installing the NordVPN app, and routing traffic through the server using Meshnet.

Note

While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a strict no-logs policy, which is crucial for ensuring your online activities remain confidential.

Prerequisites

Before you begin, make sure you have a Linode account with billing activated. As a new customer, you are eligible to receive free credits.

If you do not have a Linode account yet, you can sign up for one by visiting the Linode signup page.

Deploy a Linode instance

First, you need to create a new Linode instance, also called a Linode, that will serve as the host for your personalized VPN server.

Note

While this tutorial focuses on configuring an Ubuntu-based instance, the steps below are applicable to other Linux distributions available on Linode, including CentOS, Debian, Fedora, and more.

To configure and launch a Linode instance:

  1. Log in to the Linode Cloud Manager, and then select Create and choose Linode from the dropdown menu.

  2. Select a distribution for your instance. It is recommended to use the latest version of Ubuntu, which is currently Ubuntu 22.04 LTS.

  3. Under Region, choose a data center location for your Linode instance.

  4. Choose a plan that aligns with your requirements for RAM, CPU, and storage. For example, you can select a shared CPU plan, such as Nanode 1GB, which is a popular choice for personal use.

  5. Under Linode label, provide a label that indicates the purpose of your instance. For example:

  6. Set a root password for your Linode instance. You can also add an SSH key at this stage or later. For instructions on generating and configuring an SSH key pair, refer to the Secure SSH access with key-based authentication section further in this guide.

  7. To initiate the deployment process, click the Create Linode button located at the bottom.

Once started, the creation process redirects you to the instance's information page, where you can track the deployment status and find the IP addresses of your instance.

Connect to your instance

Now that you have your Linode instance ready, you can access it from your local machine using an SSH client.

  1. On the instance information page, under the Access section, copy the SSH access command along with the public IPv4 address assigned to the instance.

  2. Paste the command into your local computer’s terminal and press Enter.

  3. When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type yes in response to the prompt, as shown:

You should now be successfully connected to your Linode instance.

Secure SSH access with key-based authentication

By default, when you connect to your Linode instance, authentication is done via a password. For enhanced security, you can switch to key-pair authentication instead. Follow the steps below to create a key pair and configure your instance to accept only key-based SSH logins.

Generate an SSH key pair

  1. On your local machine, open the terminal.

  2. Run the following command:

    ssh-keygen

  3. When prompted for the file name, you can either:

    • Press Enter to use the default names — id_rsa and id_rsa.pub — and save them in the default directory.

    • Type a custom path and file name to save the private and public keys with the specified name and location, as follows:

      </path/key-filename>

      Example

  4. When creating the key pair, you can choose to encrypt the private key with a passphrase to add security. If you prefer not to use a passphrase, leave the field blank and press Enter.

Note

If you are using a Windows machine, specify the custom path using the Windows format, such as C:\path\key_filename.

Set permissions for the private key

After creating the SSH key pair, set the appropriate permissions for the private key to ensure that only you can access it. The steps below use the Windows file properties dialog.

  1. Right-click the private key.

  2. Select Properties, choose the Security tab, and click Advanced.

  3. Click Disable inheritance > Convert inherited permissions into explicit permission on this object.

  4. Back in the Advanced security settings window, remove access for all users except your own account by selecting a permission entry and clicking Remove.

Add the public key to the instance

To add your public SSH key to the Linode instance, follow these steps:

  1. On your local computer, open the terminal (PowerShell on Windows).

  2. Display the contents of the public SSH key file by entering the cat command followed by the path to the file.

    cat </path/public-key-filename>

    Example

    cat /Users/MeshnetUser/.ssh/linode_key.pub

  3. The contents of your SSH key will be displayed in the terminal. Select and copy the output, which starts with ssh-rsa and ends with <your_username>@<hostname>.

  4. Connect to your Linode instance via SSH, as described in the Connect to your instance section:

    ssh root@<linode-ip-address>

  5. Create the ~/.ssh directory and authorized_keys file, and set appropriate permissions, as follows:

    mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys 
    chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

  6. Open the authorized_keys file with a text editor, such as nano, by entering this command:

    nano ~/.ssh/authorized_keys

  7. Paste the contents of your public key on a new line and press Ctrl + X, followed by Y, and then press Enter to save the changes.

Tip

You can automate the public SSH key upload process as described in the How to access remote systems over Meshnet using SSH article. This method is useful for managing multiple instances or frequent key uploads.

Connect to the instance using the SSH keys

To further secure your server, you can disable password authentication and rely solely on SSH key-pair authentication. However, before doing so, make sure that you can access your instance through SSH key-pair authentication.

  1. Exit the current SSH session on your Linode instance by typing exit and pressing Enter.

  2. To establish an SSH connection using key-based authentication, enter the following command:

    ssh -i </path/private-key-file> root@<linode-ip-address>

    Replace </path/private-key-file> with the path to your private SSH key file and <linode-ip-address> with the IP address of your Linode instance. Example

If you set a passphrase for your private key, you'll be prompted to enter it when connecting. Once you enter the correct passphrase, you should be logged in to your Linode.

Disable password authentication

Once you've verified that you can access your instance using SSH key-pair authentication, you may want to consider disabling password authentication.

  1. Open the SSH configuration file in a text editor, such as nano, by entering:

    sudo nano /etc/ssh/sshd_config

  2. Locate the line that begins with PasswordAuthentication and change the value to no, so that the line reads PasswordAuthentication no.

  3. To save and close the file, press Ctrl + X, followed by Y, and then press Enter.

  4. Restart the SSH service to apply the changes by entering:

    sudo systemctl restart sshd

If you're able to log in to the instance successfully without entering a password, it confirms that your public key has been added and your private key is working as expected.
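The following check is an added example, not part of the original guide or of Linode's or NordVPN's tooling: it confirms that the edit to sshd_config actually took effect, because a file under /etc/ssh/sshd_config.d can set PasswordAuthentication before the main file does. The function names check_effective and first_setter are hypothetical, the Include line is assumed to sit at the top of sshd_config (as on Ubuntu 22.04), and the check goes slightly beyond the guide by also looking at KbdInteractiveAuthentication and PubkeyAuthentication.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that sshd really
# refuses passwords after the edit. Function names are hypothetical.

# check_effective: read `sshd -T` output ("keyword value", lowercase keywords,
# OpenSSH 8.7+ naming assumed) on stdin.
# Returns 0 only when key-based login is the sole method left.
check_effective() {
    awk '
        $1 == "passwordauthentication"       { pw  = $2 }
        $1 == "kbdinteractiveauthentication" { kbd = $2 }
        $1 == "pubkeyauthentication"         { pk  = $2 }
        END {
            bad = 0
            if (pw  != "no")  { print "FAIL passwordauthentication=" pw;        bad = 1 }
            if (kbd != "no")  { print "FAIL kbdinteractiveauthentication=" kbd; bad = 1 }
            if (pk  != "yes") { print "FAIL pubkeyauthentication=" pk;          bad = 1 }
            if (!bad) print "OK key-only"
            exit bad
        }'
}

# first_setter KEYWORD FILE...: print the first file, in the order given, that
# sets KEYWORD outside a comment. sshd keeps the first value it reads, so with
# the Include line at the top of sshd_config (assumed here) a drop-in in
# sshd_config.d wins over the main file.
first_setter() {
    kw=$1; shift
    for f in "$@"; do
        if grep -Eiq "^[[:space:]]*${kw}[[:space:]=]" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# On the instance, before closing your current session:
#   sudo sshd -t                      # syntax check; fix errors before restarting
#   sudo sshd -T | check_effective    # effective values after all includes
#   first_setter PasswordAuthentication /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
```

Keep the existing SSH session open until a login from a second terminal succeeds with the key, so a mistake in the configuration does not lock you out.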

Install NordVPN on the instance

To set up NordVPN on your instance, follow these steps:

  1. Download and install the NordVPN Linux client by entering this command in the instance terminal:

    sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)

  2. Log in to your NordVPN account.

Log in to NordVPN

You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:

  • By running the nordvpn login command with the --token flag

  • By running the nordvpn login command with the --callback flag

Instructions for both methods are outlined below.

Log in using a token

  1. On any device, log in to your Nord Account dashboard and select the Meshnet (by NordVPN) card.

  2. Under Manual setup, select Set up NordVPN manually.

  3. Enter the verification code sent to your email address.

  4. Under Access token, click Generate new token.

  5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select Generate token.

  6. Select Copy and close.

  7. On your VM, enter the nordvpn login --token command along with the copied token:

    nordvpn login --token <your_token>

    Example

    nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b

You should now see a welcome message.

Log in using a URL

  1. Run the following command:

    nordvpn login

  2. Open the provided link on any device in your browser.

  3. Complete the login procedure.

  4. Right-click the Continue button and select Copy link address.

  5. Run the following command, replacing <URL> with the previously copied link address:

    nordvpn login --callback "<URL>"

    Example

    nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"

You should now see a welcome message.

Tip

To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.

Note

If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, reboot your instance and log back in.

Enable Meshnet

On your instance, enable Meshnet by typing this command:

nordvpn set meshnet on

To view the Nord name and Meshnet IP address of your instance, enter the following command:

nordvpn meshnet peer list

Additionally, you will see all the devices connected to your network. Depending on the Meshnet permissions granted to each device, they will have access to this server via Meshnet.

Grant the traffic routing permission

To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:

nordvpn meshnet peer routing allow <device>

Example

nordvpn meshnet peer routing allow secret.raccoon-everest.nord

For more information, see the Traffic routing permissions page.

Route traffic through your server

To begin using your instance as a VPN server, you need to route traffic from a client device through the instance. Follow these steps:

  1. On your client device, open NordVPN and log in to your account.

  2. Start routing traffic through the linked host device you set up.

    For detailed guidance on enabling traffic routing, refer to Routing traffic in Meshnet.

Your device's IP address should now match the public IP address of your instance. This way, your real IP address is not exposed to the websites you visit, which detect the location of your VPN server instead of your actual device.
