I don’t want to write yet another article on how to set up a VPN: there are thousands of them on the Internet, each for different tastes and specific needs.
Today I just want to talk about a few simple things that cause a lot of misunderstandings and tons of questions (even from geeks).
VPN client can be installed on almost any access point
Even with a very old access point you can usually get an upgrade or install the package you need. For example, for my old Zyxel Keenetic Ultra, I was able to find an unofficial update that contained a lot of useful things, including the OpenVPN client.
For your access point there may also be firmware available for free download. If you set up all your access points for working with a VPN from the start, life as a whole becomes much easier.
A VPN allows you to route traffic selectively
You only need to know the addresses of the subnets you want to reach through the VPN. You add or update the list of these networks on your VPN server; the client receives it and starts sending only the specified traffic through the VPN. The rest of the traffic goes directly, without the VPN. Important: there are many guides and instructions which, if followed, route 100% of your traffic through the VPN. This is often slow and expensive, and you hardly ever need it all the time.
Mobile devices
For some reason, many people believe that a VPN on a mobile device works on an “all or nothing” basis. That is not so: even on an iPhone you can send only the necessary traffic through the VPN.
Tor
I would also like to add that, for reasons unknown to me, most people forget about Tor, which also helps with similar tasks and currently works stably and quickly.
My example
As a simple home solution, I would recommend Google Compute Engine, where I have an OpenVPN server running at the lowest cost. Of course, you can choose any other hosting provider and VPN server.
The clients for this server are on my access point (the native client), on the laptop, and on the phone. (On Android, the standard client for some reason refused to read the config, but the client by Arne Schwabe installed and started fine.) It works just fine, no complaints at all.
I am much more confident in the security and durability of a personal server than in any free or even paid service. Here I am able to control everything, including possible malware intrusion attempts. I believe it will always be up and running without downtime, and there is no reason to believe otherwise (well, except that huge ranges of Google addresses get blocked, but changing the server’s IP address is pretty easy).
Below I am providing my client setup as an example (of course, without the keys). The server and the client were set up within a few hours in the evening, even though this was my first experience deploying OpenVPN.
Configuring the client
Certificates and keys can be embedded directly in the configuration file, so a single file can be handed to the access point or the phone:
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
# The directive is "persist-tun" with a hyphen; "persist tun" is rejected by OpenVPN.
persist-tun
verb 3
# Consider adding "remote-cert-tls server" so the client only accepts a certificate
# issued for a server, not another client's certificate from the same CA.
# Inline blocks: the text between the tags is the PEM content. Closing tags must be
# written without a space (</ca>, not </ ca>), otherwise the block is not recognised.
<ca>
PUT YOUR CA CERTIFICATE HERE
</ca>
<cert>
PUT YOUR CLIENT CERTIFICATE HERE
</cert>
<key>
PUT YOUR CLIENT PRIVATE KEY HERE
</key>
# tls-auth uses a static shared key, not a certificate. The client uses
# key-direction 1 while the server uses key-direction 0.
key-direction 1
<tls-auth>
PUT YOUR STATIC TLS-AUTH KEY HERE
</tls-auth>
I am using almost default server settings. The one thing I added is a couple of push directives, so that only the necessary traffic goes through the VPN. Note that the quotes must be plain ASCII double quotes, not typographic ones, or OpenVPN will not parse the line:
push "route x.x.x.x 255.255.255.255"
push "route x.x.x.0 255.255.255.0"
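As an added example (not code from the original post), the Python helper below generates the push directives shown above from a list of subnets in CIDR notation, which is how the selective routing described earlier is actually expressed on the server. It also performs a check a practitioner wants before restarting the server: none of the pushed routes may cover the VPN server's own public address, because plain route pushes (unlike redirect-gateway) add no bypass route for the server, and such a route would send the tunnel's own packets back into the tunnel. The subnet list and the server address are constructed placeholder values (documentation ranges), and the helper goes slightly beyond the post by also handling IPv6 prefixes with route-ipv6.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample input: the subnets that should be reached through the tunnel.
# These are documentation ranges, not addresses from the original post.
TUNNELED_SUBNETS = ["10.20.0.0/16", "192.0.2.10/32", "198.51.100.0/24"]

# Hypothetical public address of the OpenVPN server (placeholder value).
VPN_SERVER_IP = "203.0.113.5"


def cidr_to_push_route(cidr: str) -> str:
    """Turn one CIDR prefix into the server-side push directive OpenVPN expects.

    IPv4 routes are pushed as 'route <network> <netmask>'; IPv6 routes keep
    CIDR notation and use 'route-ipv6'. strict=True rejects prefixes with host
    bits set (e.g. 10.20.0.5/16), so a typo does not silently become a /16 route.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        return f'push "route {net.network_address} {net.netmask}"'
    return f'push "route-ipv6 {net.with_prefixlen}"'


def routes_covering_server(cidrs: Iterable[str], server_ip: str) -> List[str]:
    """Return the prefixes that contain the VPN server's own address.

    Such a route would send the encrypted tunnel packets into the tunnel itself,
    because plain 'route' pushes add no bypass host route for the server.
    """
    srv = ipaddress.ip_address(server_ip)
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so IPv6 prefixes are never reported for an IPv4 server address.
    return [c for c in cidrs if srv in ipaddress.ip_network(c, strict=True)]


def build_push_block(cidrs: Iterable[str], server_ip: str) -> str:
    """Build the push lines for server.conf, refusing a self-routing configuration."""
    cidrs = list(cidrs)
    bad = routes_covering_server(cidrs, server_ip)
    if bad:
        raise ValueError(
            f"routes {bad} contain the VPN server {server_ip}; "
            "traffic to the server itself would be routed into the tunnel")
    return "\n".join(cidr_to_push_route(c) for c in cidrs)


if __name__ == "__main__":
    # Prints the lines to paste into the server configuration.
    print(build_push_block(TUNNELED_SUBNETS, VPN_SERVER_IP))
```

The generated lines are pasted into the server configuration, where OpenVPN hands them to each client at connection time; the client then installs only those routes and leaves its default route untouched.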
That’s it. All the best!