Pi VPN


Overview

In order to harden the security of my home server and home network, I decided to set up a VPN server so that I could reduce the number of points of entry to both. By having my own VPN server, I don’t have to leave my services exposed to the open internet, and can instead have them facing internally, using the VPN to gain access to my home network when I’m in an external location. I decided to use a spare Raspberry Pi I had since it has a very low power consumption and the lower processing power won’t be an issue since it only needs to serve one function.

Hardware and Software

I used a Raspberry Pi 3, a 64GB SD card, a phone charger and an ethernet cable for this project. I already had all of these items lying around, so there were no costs to setting things up. I plugged the Pi directly into my router as this will give the fastest, most secure, and most reliable connection.

For the operating system, I used an implementation of Arch Linux for the ARM processor architecture. I chose this as I am very familiar with Arch Linux, and installing it for this type of system would be a new experience.

For the VPN tunnel I used WireGuard, an open-source application which allows for VPN connections with state-of-the-art encryption while keeping resource usage low. It also has a mobile app which only needs a QR code to get set up.

Security

Since there isn’t a lot running on the machine, there wasn’t much need for extensive additional security measures. I set up a firewall to only allow connections to the VPN tunnel’s port from external sources, and to only accept SSH connections from the internal network. This leaves two points of entry, both of which require some sort of password or key to access.
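
The firewall policy described above, written out as an nftables ruleset. This is an added example, not the configuration actually used on this Pi; the choice of nftables, the interface names eth0 and wg0, the LAN subnet 192.168.1.0/24 and the UDP port 51820 (WireGuard's default) are all assumptions.

```nftables
#!/usr/bin/nft -f
# Added example: default-deny host firewall for a WireGuard-only Pi.
# Assumed values (adjust to the real network): eth0, wg0, 192.168.1.0/24, UDP 51820.
flush ruleset

define LAN_IF  = "eth0"
define LAN_NET = 192.168.1.0/24
define WG_IF   = "wg0"
define WG_PORT = 51820

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections the Pi itself opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 so path MTU discovery and IPv6 neighbour discovery keep working.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Entry point 1: the WireGuard tunnel port, reachable from any source.
        udp dport $WG_PORT accept

        # Entry point 2: SSH, only when the packet arrives on the LAN interface
        # with a LAN source address. VPN clients (arriving on wg0) are not matched.
        iifname $LAN_IF ip saddr $LAN_NET tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Let authenticated VPN peers reach the home network, plus return traffic.
        ct state established,related accept
        iifname $WG_IF oifname $LAN_IF accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Running `nft -c -f` on the file checks the syntax without applying it, and `nft list ruleset` shows what is loaded afterwards.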

Challenges faced

Setting up the operating system was not as difficult as it could have been thanks to my experience with UNIX-like systems. I made an error somewhere along the way, likely related to something not pointing to the correct directory, but on the second attempt, I got through the process like a breeze.

The only real setback I faced was the difficulty of setting up the client for the VPN tunnel on my laptop. I had to spend a while looking through errors in log files before I could see what information my configuration file was missing. In future, I would look for a more streamlined approach, such as seeing if I can find a way to use information from a QR code to set up the connection, as is done on the mobile app.

Conclusion

I would rate this as a highly successful project. While small scale in nature, this effort has greatly increased the security of my home server and network by reducing the number of points of entry to each, along with eliminating the need to have any URLs pointing at my home network.

My goal of increasing security has been met, and now I have the added benefit of using this VPN tunnel to encrypt my internet connections any time I’m on a public network. This eliminates the possibility of my data being exposed via packet sniffing, or any bad actor meaningfully making a man-in-the-middle attack on my connections.

The only thing I would consider adding to this system in the near future would be a backup DNS server, to maintain that service should my main server go offline for any reason.