DownloadBlog
Search
⌃K
Links

How to create a VPN server with Linode

Discover how to create your custom VPN server using Linode and Meshnet.

Introduction

In this guide, you will learn how to create a custom VPN server on Linode using Meshnet. One of the benefits of hosting your own VPN is having more control over your IP address, which can be advantageous in managing privacy and enhancing network security. This can be particularly useful if you need to access content that may be restricted by geographical location.
Linode, a well-known cloud hosting provider, lets you build a reliable VPN server featuring scalable resources, a variety of global data center locations, and the ability to migrate servers between data centers. With Meshnet, the process of setting up a VPN server on Linode is made accessible for users with different levels of technical expertise. Meshnet's routing capability allows you to bypass the complexity associated with traditional VPN configurations.
The guide will walk you through the steps of deploying a Linode instance, securing SSH access with key-based authentication, installing the NordVPN app, and routing traffic through the server using Meshnet.
Note
While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a strict no-logs policy, which is crucial for ensuring your online activities remain confidential.

Prerequisites

Before you begin, make sure you have a Linode account with billing activated. As a new customer, you are eligible to receive free credits.
If you do not have a Linode account yet, you can sign up for one by visiting the Linode signup page.

Deploy a Linode instance

First, you need to create a new Linode instance, also called a Linode, that will serve as the host for your personalized VPN server.
Note
While this tutorial focuses on configuring an Ubuntu-based instance, the steps below are applicable to other Linux distributions available on Linode, including CentOS, Debian, Fedora, and more.
To configure and launch a Linode instance:
  1. 1.
    Log in to the Linode Cloud Manager, and then select Create and choose Linode from the dropdown menu.
    Creating a new Linode from the Linode Cloud Manager.
  2. 2.
    Select a distribution for your instance. It is recommended to use the latest version of Ubuntu, which is currently Ubuntu 22.04 LTS.
    Ubuntu 22.04 LTS selected as the distribution.
  3. 3.
    Under Region, choose a data center location for your Linode instance.
    Selecting the region of the VM.
  4. 4.
    Choose a plan that aligns with your requirements for RAM, CPU, and storage. For example, you can select a shared CPU plan, such as Nanode 1GB, which is a popular choice for personal use.
    Selecting the Nanode 1GB shared CPU plan.
  5. 5.
    Under Linode label, provide a label that indicates the purpose of your instance. For example:
    Adding custom labels and tags to the VM instance.
  6. 6.
    Set a root password for your Linode instance. You can also add an SSH key at this stage or later. For instructions on generating and configuring an SSH key pair, refer to the Secure SSH access with key-based authentication section further in this guide.
  7. 7.
    To initiate the deployment process, click the Create Linode button located at the bottom.
Once started, the creation process redirects you to the instance's information page, where you can track the deployment status and find the IP addresses of your instance.

Connect to your instance

Now that you have your Linode instance ready, you can access it from your local machine using an SSH client.
  1. 1.
    On the instance information page, under the Access section, copy the SSH access command along with the public IPv4 address assigned to the instance.
    Copying the SSH access details from Linode.
  2. 2.
    Paste the command into your local computer’s terminal and press Enter.
  3. 3.
    When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type yes in response to the prompt, as shown:
    Confirming VM's authenticity while establishing an SSH connection.
You should now be successfully connected to your Linode instance.

Secure SSH access with key-based authentication

By default, when you connect to your Linode instance, authentication is done via a password. For enhanced security, you can switch to key-pair authentication instead. Follow the steps below to create a key pair and configure your instance to accept only key-based SSH logins.

Generate an SSH key pair

  1. 1.
    On your local machine, open the terminal.
  2. 2.
    Run the following command:
    ssh-keygen
  3. 3.
    When prompted for the file name, you can either:
    • Press Enter to use the default names — id_rsa and id_rsa.pub — and save them in the default directory.
    • Type a custom path and file name to save the private and public keys with the specified name and location, as follows:
      </path/key-filename>
      Example
      Generating a new SSH key pair in a specified location.
  4. 4.
    When creating the key pair, you can choose to encrypt the private key with a passphrase to add security. If you prefer not to use a passphrase, leave the field blank and press Enter.
Note
If you are using a Windows machine, specify the custom path using the Windows format, such as C:\path\key_filename.

Set permissions for the private key

After creating the SSH key pair, set the appropriate permissions for the private key to ensure that only you can access it.
Windows
macOS and Linux
  1. 1.
    Right-click the private key.
  2. 2.
    Select Properties, choose the Security tab, and click Advanced.
  3. 3.
    Click Disable inheritance > Convert inherited permissions into explicit permission on this object.
  4. 4.
    Back in the Advanced security settings window, remove access for all users except your own account by selecting a permission entry and clicking Remove.
    Changing permissions for the SSH private key.
Enter the chmod 400 command followed by the path to the generated private key:
chmod 400 </path/private-key-filename>
Example
Running the 'chmod 400' command in the terminal.

Add the public key to the instance

To add your public SSH key to the Linode instance, follow these steps:
  1. 1.
    On your local computer, open the terminal (PowerShell on Windows).
  2. 2.
    Display the contents of the public SSH key file by entering the cat command followed by the path to the file.
    cat </path/public-key-filename>
    Example
    cat /Users/MeshnetUser/.ssh/linode_key.pub
  3. 3.
    The contents of your SSH key will be displayed in the terminal. Select and copy the output, which starts with ssh-rsa and ends with <your_username>@<hostname>.
  4. 4.
    Connect to your Linode instance via SSH, as described in the Connect to your instance section:
    ssh [email protected]<linode-ip-address>
  5. 5.
    Create the ~/.ssh directory and authorized_keys file, and set appropriate permissions, as follows:
    mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys
    chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
  6. 6.
    Open the authorized_keys file with a text editor, such as nano, by entering this command:
    nano ~/.ssh/authorized_keys
  7. 7.
    Paste the contents of your public key on a new line and press Ctrl + X, followed by Y, and then press Enter to save the changes.
Tip
You can automate the public SSH key upload process as described in the How to access remote systems over Meshnet using SSH article. This method is useful for managing multiple instances or frequent key uploads.

Connect to the instance using the SSH keys

To further secure your server, you can disable password authentication and rely solely on SSH key-pair authentication. However, before doing so, make sure that you can access your instance through SSH key-pair authentication.
  1. 1.
    Exit the current SSH session on your Linode instance by typing exit and pressing Enter.
  2. 2.
    To establish an SSH connection using key-based authentication, enter the following command:
    ssh -i </path/private-key-file> [email protected]<linode-ip-address>
    Replace </path/private-key-file> with the path to your private SSH key file and <linode-ip-address> with the IP address of your Linode instance. Example
    Accessing the Linode VM over SSH using the generated SSH keys for authentication.
If you set a passphrase for your private key, you'll be prompted to enter it when connecting. Once you enter the correct passphrase, you should be logged in to your Linode.

Disable password authentication

Once you've verified that you can access your instance using SSH key-pair authentication, you may want to consider disabling password authentication.
  1. 1.
    Open the SSH configuration file in a text editor, such as nano, by entering:
    sudo nano /etc/ssh/sshd_config
  2. 2.
    Locate the line that begins with PasswordAuthentication and change the value to no, as shown:
    Disabling SSH password authentication on the Linode VM.
  3. 3.
    To save and close the file, press Ctrl + X, followed by Y, and then press Enter.
  4. 4.
    Restart the SSH service to apply the changes by entering:
    sudo systemctl restart sshd
If you're able to log in to the instance successfully without entering a password, it confirms that your public key has been added and your private key is working as expected.

Install NordVPN on the instance

To set up NordVPN on your instance, follow these steps:
  1. 1.
    Download and install the NordVPN Linux client by entering this command in the instance terminal:
    sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)
  2. 2.
    Log in to your NordVPN account.

Log in to NordVPN

You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:
  • By running the nordvpn login command with the --token flag
  • By running the nordvpn login command with the --callback flag
Instructions for both methods are outlined below.
Log in using a token
Log in using a URL
  1. 1.
    On any device, log in to your Nord Account dashboard and, under NordVPN Meshnet free, select View details.
    Clicking the 'View details' button under NordVPN Meshnet free.
  2. 2.
    Scroll down until you see Manual setup, and select Set up NordVPN manually.
    Clicking the 'Set up NordVPN manually' button.
  3. 3.
    Enter the verification code sent to your email address.
  4. 4.
    Under Access token, select Generate new token.
    Clicking 'Generate new token'
  5. 5.
    In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select Generate token.
    Selecting the token expiration date.
  6. 6.
    Select Copy and close.
  7. 7.
    On your VM, enter the nordvpn login --token command along with the copied token:
    nordvpn login --token <your_token>
    Example
    nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b
You should now see a welcome message.
Tip
To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.
  1. 1.
    Run the following command:
    nordvpn login
  2. 2.
    Open the provided link on any device in your browser.
  3. 3.
    Complete the login procedure.
  4. 4.
    Right-click the Continue button and select Copy link address.
  5. 5.
    Run the following command, replacing <URL> with the previously copied link address:
    nordvpn login --callback "<URL>"
    Example
    nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"
You should now see a welcome message.
Note
If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, exit and log back in to your instance.

Enable Meshnet

On your instance, enable Meshnet by typing this command:
nordvpn set meshnet on
To view the Nord name and Meshnet IP address of your instance, enter the following command.
nordvpn meshnet peer list
Additionally, you will see all the devices connected to your network. Depending on the Meshnet permissions granted to each device, they will have access to this server via Meshnet.

Route traffic through your server

To begin using your instance as a VPN server, you need to route traffic from a client device through the instance. Follow these steps:
  1. 1.
    On your client device, open NordVPN and log in to your account.
  2. 2.
    Start routing traffic through the linked host device you set up.
    Starting routing traffic through the Linode VM.
    For detailed guidance on enabling traffic routing, refer to Routing traffic in Meshnet.
Your device's IP address should now match the public IP address of your instance. This way, your real IP address remains secure, and the websites you visit will detect the location of your VPN server instead of your actual device.
Checking the new IP address after connecting to the VPN server.
Previous
How to create a VPN server with Google Cloud
Next
How to create a VPN server with Hetzner
Last modified 2d ago
© 2023 Nord Security. All Rights Reserved.