How to create a VPN server with Linode
Discover how to create your custom VPN server using Linode and Meshnet.
In this guide, you will learn how to create a custom VPN server on Linode using Meshnet. One of the benefits of hosting your own VPN is having more control over your IP address, which can be advantageous in managing privacy and enhancing network security. This can be particularly useful if you need to access content that may be restricted by geographical location.
Linode, a well-known cloud hosting provider, lets you build a reliable VPN server featuring scalable resources, a variety of global data center locations, and the ability to migrate servers between data centers. With Meshnet, the process of setting up a VPN server on Linode is made accessible for users with different levels of technical expertise. Meshnet's routing capability allows you to bypass the complexity associated with traditional VPN configurations.
The guide will walk you through the steps of deploying a Linode instance, securing SSH access with key-based authentication, installing the NordVPN app, and routing traffic through the server using Meshnet.
While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a strict no-logs policy, which is crucial for ensuring your online activities remain confidential.
Before you begin, make sure you have a Linode account with billing activated. As a new customer, you are eligible to receive free credits.
If you do not have a Linode account yet, you can sign up for one by visiting the Linode signup page.
First, you need to create a new Linode instance, also called a Linode, that will serve as the host for your personalized VPN server.
While this tutorial focuses on configuring an Ubuntu-based instance, the steps below are applicable to other Linux distributions available on Linode, including CentOS, Debian, Fedora, and more.
To configure and launch a Linode instance:
- 1. Log in to the Linode Cloud Manager, and then select Create and choose Linode from the dropdown menu.
- 2. Select a distribution for your instance. It is recommended to use the latest version of Ubuntu, which is currently Ubuntu 22.04 LTS.
- 3. Under Region, choose a data center location for your Linode instance.
- 4. Choose a plan that aligns with your requirements for RAM, CPU, and storage. For example, you can select a shared CPU plan, such as Nanode 1GB, which is a popular choice for personal use.
- 5. Under Linode label, provide a label that indicates the purpose of your instance. For example:
- 6. Set a root password for your Linode instance. You can also add an SSH key at this stage or later. For instructions on generating and configuring an SSH key pair, refer to the Secure SSH access with key-based authentication section further in this guide.
- 7. To initiate the deployment process, click the Create Linode button located at the bottom.
Once started, the creation process redirects you to the instance's information page, where you can track the deployment status and find the IP addresses of your instance.
Now that you have your Linode instance ready, you can access it from your local machine using an SSH client.
- 1. On the instance information page, under the Access section, copy the SSH access command along with the public IPv4 address assigned to the instance.
- 2. Paste the command into your local computer’s terminal and press Enter.
- 3. When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type yes in response to the prompt, as shown:
You should now be successfully connected to your Linode instance.
By default, when you connect to your Linode instance, authentication is done via a password. For enhanced security, you can switch to key-pair authentication instead. Follow the steps below to create a key pair and configure your instance to accept only key-based SSH logins.
- 1. On your local machine, open the terminal.
- 2. Run the following command:
  ssh-keygen
- 3. When prompted for the file name, you can either:
  - Press Enter to use the default names — id_rsa.pub — and save them in the default directory.
  - Type a custom path and file name to save the private and public keys with the specified name and location, as follows:
    </path/key-filename>
- 4. When creating the key pair, you can choose to encrypt the private key with a passphrase to add security. If you prefer not to use a passphrase, leave the field blank and press Enter.
If you are using a Windows machine, specify the custom path using the Windows format, such as
After creating the SSH key pair, set the appropriate permissions for the private key to ensure that only you can access it.
Windows
- 1. Right-click the private key.
- 2. Select Properties, choose the Security tab, and click Advanced.
- 3. Click Disable inheritance > Convert inherited permissions into explicit permission on this object.
- 4. Back in the Advanced security settings window, remove access for all users except your own account by selecting a permission entry and clicking Remove.
macOS and Linux
Run the chmod 400 command followed by the path to the generated private key:
chmod 400 </path/private-key-filename>
To add your public SSH key to the Linode instance, follow these steps:
- 1. On your local computer, open the terminal (PowerShell on Windows).
- 2. Display the contents of the public SSH key file by entering the cat command followed by the path to the file.
  cat </path/public-key-filename>
  Example
  cat /Users/MeshnetUser/.ssh/linode_key.pub
- 3. The contents of your SSH key will be displayed in the terminal. Select and copy the output, which starts with ssh-rsa and ends with
- 4. Connect to your Linode instance via SSH, as described in the Connect to your instance section:
- 5. Create the authorized_keys file, and set appropriate permissions, as follows:
  mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys
  chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
- 6. Open the authorized_keys file with a text editor, such as nano, by entering this command:
  nano ~/.ssh/authorized_keys
- 7. Paste the contents of your public key on a new line and press Ctrl + X, followed by Y, and then press Enter to save the changes.
You can automate the public SSH key upload process as described in the How to access remote systems over Meshnet using SSH article. This method is useful for managing multiple instances or frequent key uploads.
To further secure your server, you can disable password authentication and rely solely on SSH key-pair authentication. However, before doing so, make sure that you can access your instance through SSH key-pair authentication.
- 1. Exit the current SSH session on your Linode instance by typing exit and pressing Enter.
- 2. To establish an SSH connection using key-based authentication, enter the following command:
  Replace </path/private-key-file> with the path to your private SSH key file and <linode-ip-address> with the IP address of your Linode instance.
If you set a passphrase for your private key, you'll be prompted to enter it when connecting. Once you enter the correct passphrase, you should be logged in to your Linode.
Once you've verified that you can access your instance using SSH key-pair authentication, you may want to consider disabling password authentication.
- 1. Open the SSH configuration file in a text editor, such as nano, by entering:
  sudo nano /etc/ssh/sshd_config
- 2. Locate the line that begins with PasswordAuthentication and change the value to no, as shown:
- 3. To save and close the file, press Ctrl + X, followed by Y, and then press Enter.
- 4. Restart the SSH service to apply the changes by entering:
  sudo systemctl restart sshd
If you're able to log in to the instance successfully without entering a password, it confirms that your public key has been added and your private key is working as expected.
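The edit above only takes effect if no earlier line sets the same keyword: sshd uses the first value it obtains, and on Ubuntu 22.04 the stock sshd_config starts with an Include line for /etc/ssh/sshd_config.d/*.conf, which is read before the rest of the file. The following check is an added example, not part of the original guide; the function names, the ROOT argument, and the 50-example.conf drop-in are hypothetical and the demo files are constructed.

```bash
#!/usr/bin/env bash
# Added example. Prints the value sshd would use for a global KEYWORD by
# reading FILE top to bottom and following Include lines in order: sshd keeps
# the first value it obtains, so an included drop-in can beat a later edit.
# ROOT is a hypothetical prefix so a copy of /etc can be audited offline.
# Simplifications: one pattern per Include line, "Keyword value" syntax only.
effective_sshd_option() {
  local want file root key val pattern inc
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  file=$2 root=${3:-}
  [ -r "$file" ] || return 1
  while read -r key val || [ -n "$key" ]; do
    case $key in ''|'#'*) continue ;; esac
    key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    case $key in
      match) return 1 ;;   # conditional section starts: global part is over
      include)
        pattern=$val
        case $pattern in /*) ;; *) pattern=/etc/ssh/$pattern ;; esac
        for inc in $root$pattern; do   # unquoted on purpose: expand the glob
          [ -f "$inc" ] || continue
          effective_sshd_option "$want" "$inc" "$root" && return 0
        done ;;
      "$want") printf '%s\n' "${val%%[[:space:]#]*}"; return 0 ;;
    esac
  done < "$file"
  return 1
}

# Constructed demo tree (not taken from a real server): the main file says
# "no", but a drop-in pulled in by the Include on line 1 says "yes".
demo_effective_value() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/etc/ssh/sshd_config.d"
  printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
    '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    > "$root/etc/ssh/sshd_config"
  printf '%s\n' 'PasswordAuthentication yes' \
    > "$root/etc/ssh/sshd_config.d/50-example.conf"
  effective_sshd_option PasswordAuthentication "$root/etc/ssh/sshd_config" "$root"
  rm -rf "$root"
}

demo_effective_value
```

On the instance itself, sudo sshd -T | grep -i passwordauthentication prints the value the server resolves from its real configuration, which should read no after the restart.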
To set up NordVPN on your instance, follow these steps:
- 1. Download and install the NordVPN Linux client by entering this command in the instance terminal:
  sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)
- 2. Log in to your NordVPN account.
You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:
- By running the nordvpn login command with the
- By running the nordvpn login command with the
Instructions for both methods are outlined below.
Log in using a token
- 1. On any device, log in to your Nord Account dashboard and, under NordVPN Meshnet free, select View details.
- 2. Scroll down until you see Manual setup, and select Set up NordVPN manually.
- 3. Enter the verification code sent to your email address.
- 4. Under Access token, select Generate new token.
- 5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select Generate token.
- 6. Select Copy and close.
- 7. On your VM, enter the nordvpn login --token command along with the copied token:
  nordvpn login --token <your_token>
  Example
  nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b
You should now see a welcome message.
To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.
Log in using a URL
- 1. Run the following command:
  nordvpn login
- 2. Open the provided link on any device in your browser.
- 3. Complete the login procedure.
- 4. Right-click the Continue button and select Copy link address.
- 5. Run the following command, replacing <URL> with the previously copied link address:
  nordvpn login --callback "<URL>"
  Example
  nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"
You should now see a welcome message.
If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, exit and log back in to your instance.
nordvpn set meshnet on
To view the Nord name and Meshnet IP address of your instance, enter the following command.
nordvpn meshnet peer list
Additionally, you will see all the devices connected to your network. Depending on the Meshnet permissions granted to each device, they will have access to this server via Meshnet.
To begin using your instance as a VPN server, you need to route traffic from a client device through the instance. Follow these steps:
- 1. On your client device, open NordVPN and log in to your account.
- 2. Start routing traffic through the linked host device you set up. For detailed guidance on enabling traffic routing, refer to Routing traffic in Meshnet.
Your device's IP address should now match the public IP address of your instance. This way, your real IP address remains secure, and the websites you visit will detect the location of your VPN server instead of your actual device.