A very good question, and if you’ve found this blog, chances are you already know the answer. But I’m going to try to answer it anyway. Of course, before explaining why you would want a VPN, we should explain what a VPN is in the first place. Wikipedia has a fairly simple definition (emphasis added):

A virtual private network also known as a VPN is a private network that extends across a public network or internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

So to make things simpler, let’s define a fictitious but plausible environment that should be familiar to most people. This is by no means an endorsement of any technology or provider; it is solely for demonstration purposes.

At your house, you have Comcast high-speed internet. You own your cable modem, and it is plugged into your Linksys WRT54G router.

You have wireless printers inside of your home network.

You subscribe to Comcast’s Xfinity X1 television package. This includes the X1 cable box. You can also use iOS apps, Android apps, and computers to access your cable and DVR content. For example, from your notebook you can log in to Comcast and watch live TV from any computer in your house.

You have a Netflix subscription.

You own an iPhone, and your spouse has an Android phone. You are using a T-Mobile “family” plan. That plan allows you to use both of your phones as wireless hotspots.

You also own a notebook computer and an iPad mini.

Your office provides Wi-Fi access, which you use for both your work notebook and your mobile devices.

Periodically you travel, both domestically and internationally, and access the internet from hotels, Starbucks, etc.

IP addresses determine your location

When your cable modem is connected to the internet, it is assigned a public IP address by Comcast. You can find this address using one of many services, such as IP Location, which will display not only your WAN IP but also the approximate physical location of your cable modem. If you’ve ever wondered how some websites target you with ads for products in your area, this is how they do it: they look the IP address up in a geolocation database to estimate where you are. The estimate is usually good to the city or region, not the street, but it is good enough for the services described below.

Content providers often limit your access to their services based upon your physical location.

Let’s take Netflix as an example. The movies and shows you are allowed to watch depend on your location. If you are in the US, you can access certain programs, and if you are in the UK, you will have access to a different set of programming. Some of this content overlaps, but not all of it. If you travel from your home in Philadelphia to London, suddenly you may no longer be able to watch Trailer Park Boys. That’s a bummer.

The Xfinity X1 service is even more restrictive than Netflix: for a large portion of the available content, you must be on the same network as your X1 cable box.

Other services, such as MLB.TV, also check your IP address to make sure you aren’t trying to skirt blackout rules.

Some networks block access to specific content entirely.

If you are at work on the company network, it should come as no shock that they don’t want you watching Netflix when you should be working, so they configure the network to block access to Netflix’s servers. They will probably also block other content, such as pornography and any site they deem inappropriate.

Enter the VPN

With a properly configured VPN (and sufficient bandwidth) you can connect any of your devices to your home network through a VPN “tunnel”: you can reach any device on that network (such as your printer), and any service you use will see your home WAN IP instead of the address you are actually connecting from. For example, let’s say you use an IP locator site to determine that your WAN IP at home is 167.127.163.203 (Northbrook, IL). You then take a business trip to Germany and connect to the hotel’s Wi-Fi network, and now the IP locator site reports that your IP address is 195.93.72.18.

So if you try to access Netflix from the hotel, you won’t have the same programming options you would have at home. If you try to connect to your X1 service, it will tell you that you are “out of home” and won’t let you access most of your content.

But if you connect to the VPN server inside your home network, the site will report your IP address as 167.127.163.203 (exactly what you would see at home), because the tunnel routes all of your traffic out through your home connection. Now that you are connected, you should be able to access US-based Netflix content as well as your X1 content.

Before setting up your VPN

In the next section I will describe how to install and configure your VPN server and connect your clients (notebooks, mobile devices, etc.) to it. There are many VPN technologies, but I will be showing OpenVPN, an open-source (and free) VPN solution.

In this example I will be using Windows, but you can use Linux or OS X as well. You will need a computer to host the OpenVPN server. It doesn’t have to be powerful; you just need a machine with an Ethernet port that can stay switched on. If you have a router that supports custom firmware such as TomatoUSB or DD-WRT, those even have an OpenVPN server built in!

Warning: While you can use a small-form-factor machine like a Raspberry Pi, on the older models (through the Pi 3) the Ethernet port hangs off the USB bus and the CPU is slow at encryption, so throughput will be low and the box will be unsuitable for streaming services like Netflix or X1.

First things first. Make sure you have a domain name that resolves to your WAN IP address

Before you get started with setting up OpenVPN make sure that you have a domain name that resolves to your WAN IP address.

There are several free services, such as Afraid.org (FreeDNS), that will let you create a subdomain like zeus.afraid.org, along with tools that update that entry to point at your WAN address. Most routers have this functionality built in, and there are desktop programs that you can run on the same machine as your OpenVPN server that do the same. If you want your own domain, such as yourname.com, you can buy one for as little as $12/year. Google Domains had a nice service that also provided DNS (it has since closed, but many registrars and DDNS providers use the same update format). It generates a “tokenized” URL that, when fetched, updates your domain name automagically. I use a token like the one below in my TomatoUSB firmware to update my domain any time my WAN IP address changes. The abcdefg:hijklmnop part is a generated username and password for this one record, not your account password, but treat it as a secret all the same: anyone who has it can repoint your hostname, so keep it out of scripts you share and make sure the update goes over HTTPS so it isn’t sent in the clear.

https://abcdefg:hijklmnop@domains.google.com/nic/update?hostname=yourname.com
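The updater below is an added example, not code from the original post; it shows what the router firmware does with that URL, but with the credentials sent in an Authorization header instead of embedded in the URL, and with a record of the last IP pushed so the provider is only contacted when the address actually changes. It assumes a dyndns2-style endpoint of the kind the Google Domains URL above used (GET /nic/update?hostname=...&myip=... with Basic auth and a one-line reply such as "good 203.0.113.7" or "nochg 203.0.113.7"); the endpoint, hostname and credential values are placeholders.

```python
"""Dynamic DNS updater for a dyndns2-style /nic/update endpoint.

Added example; it is not code from the original post. It assumes the endpoint speaks
the dyndns2 protocol (the format the Google Domains URL above used): a GET to
/nic/update?hostname=...&myip=... with HTTP Basic authentication and a one-line
plain-text reply such as "good 203.0.113.7" or "nochg 203.0.113.7". Credentials are
sent in an Authorization header, never embedded in the URL. The endpoint, hostname
and credential values below are placeholders.
"""
import base64
import os
import urllib.parse
import urllib.request

# Reply words defined by dyndns2; only these two mean the record now holds our IP.
SUCCESS = {"good", "nochg"}


def build_update_request(endpoint, hostname, ip, username, password):
    """Return a urllib Request with the credentials in a Basic auth header."""
    query = urllib.parse.urlencode({"hostname": hostname, "myip": ip})
    req = urllib.request.Request(f"{endpoint}?{query}")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("User-Agent", "home-ddns-example/1.0")
    return req


def parse_reply(body):
    """Split a dyndns2 reply into (status_word, ip_or_None)."""
    parts = body.strip().split()
    if not parts:
        raise ValueError("empty reply from DDNS endpoint")
    return parts[0], (parts[1] if len(parts) > 1 else None)


def send_https(req):
    """Real transport: refuse plain HTTP (the token would travel in the clear)."""
    if not req.full_url.startswith("https://"):
        raise ValueError("refusing to send DDNS credentials over plain HTTP")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


def update_if_changed(state, hostname, current_ip, endpoint, username, password,
                      send=send_https):
    """Push the record only when the WAN IP differs from what we last pushed.

    `state` is a dict the caller persists between runs (e.g. as JSON). Repeating
    identical updates is treated as abuse by most providers, so we skip them.
    Returns the provider's status word, or "unchanged" when no request was sent.
    """
    if state.get(hostname) == current_ip:
        return "unchanged"
    req = build_update_request(endpoint, hostname, current_ip, username, password)
    status, reported_ip = parse_reply(send(req))
    if status not in SUCCESS:
        raise RuntimeError(f"DDNS update for {hostname} failed: {status}")
    state[hostname] = reported_ip or current_ip
    return status


if __name__ == "__main__":
    # Offline dry run using a constructed transport that answers like a provider would.
    def fake_send(req):
        qs = urllib.parse.parse_qs(urllib.parse.urlparse(req.full_url).query)
        return f"good {qs['myip'][0]}\n"

    user = os.environ.get("DDNS_USER", "abcdefg")        # placeholder credentials
    password = os.environ.get("DDNS_PASS", "hijklmnop")
    endpoint = "https://ddns.example.net/nic/update"      # placeholder endpoint
    state = {}
    # First call sends an update, second is a no-op; swap fake_send for send_https in real use.
    print(update_if_changed(state, "yourname.com", "203.0.113.7", endpoint, user, password, send=fake_send))
    print(update_if_changed(state, "yourname.com", "203.0.113.7", endpoint, user, password, send=fake_send))
```

In real use you would read the current WAN IP from the router (or an IP echo service), load `state` from a small JSON file, call `update_if_changed` with the default `send_https`, and save `state` afterwards; the credentials come from the environment, so they never end up in a URL that gets written to a shell history or a router log.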

Setting up your OpenVPN server

Ok, I’m not trying to reinvent the wheel. Use this guide to get started with installing OpenVPN and creating your certificates. I modified the settings for both server and client to accept multiple connections per client, to route all client traffic through the tunnel, and to push the router’s DNS server to clients so that name lookups happen as if the device were inside the home network. The guide puts the certificates and keys in separate files, but that makes it harder to copy a client to a different machine, and harder still on mobile devices, so I find that putting all of the certificate and key material in a single file is the simplest way to get a certificate installed on a mobile device.

A note about client certificates:

You can generate as many client certificates as you want, and you can revoke one by generating a certificate revocation list (CRL) with the same tooling that made the certificates and pointing the server at it with a crl-verify line in server.ovpn; the server then rejects that certificate at connect time. I find it a lot simpler to create just one client certificate and allow it multiple logins (that is what the duplicate-cn line in the server config does). The trade-off is that all of your devices share one identity, so if one of them is lost or stolen you cannot revoke it alone. If I ever need to “revoke” that certificate, I rebuild both the server.ovpn and client.ovpn files with a freshly generated client certificate and redistribute client.ovpn to every device.

Open the server.ovpn file and change the contents to the following. Note: make sure that you replace 192.168.1.1 with the IP address of your router, and that the paths to the crt, key, and pem files are correct. Notice the double backslashes (\\), which are used to escape the single backslash used in a Windows path.

port 1194
proto tcp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
# 1024-bit DH parameters are weak; if the guide lets you choose, generate 2048-bit and point here
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
client-to-client
duplicate-cn
ifconfig-pool-persist ipp.txt
status openvpn-status.log
keepalive 10 120
# AES in place of Blowfish (BF-CBC): a 64-bit block cipher is no longer safe for bulk traffic.
# The client.ovpn below sets the same cipher; both sides must agree.
cipher AES-256-CBC
# Compressing encrypted traffic has known weaknesses; drop this line unless you need the bandwidth
comp-lzo
max-clients 10
persist-key
persist-tun
log openvpn.log
verb 3

Now create a new text file called client.ovpn and paste the following. Make sure you replace yourdomain.com with whatever domain (or subdomain, e.g. vpn.yourdomain.com) you created.

Then open each of the files named in the commented lines (e.g. C:\Program Files\OpenVPN\config\ca.crt) in Notepad, copy the ENTIRE contents, and replace each placeholder block of:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

with the contents of that file (the same goes for the private key block, whose header reads BEGIN PRIVATE KEY or BEGIN RSA PRIVATE KEY depending on the tool that generated it). Make sure you paste the signed certificate (.crt), whose header reads BEGIN CERTIFICATE, and not the certificate request (.csr), whose header reads BEGIN CERTIFICATE REQUEST; a request is not a certificate and OpenVPN will not accept it. You should end up with something like this (with many more lines of base64 text):

<ca>
-----BEGIN CERTIFICATE-----
MIIEoTCCAokCADBdMQswCQYDVQQGEwJVUzEQMA4GA1UEAxMHZm9vLmNvbTESMBAG
...
-----END CERTIFICATE-----
</ca>

client
dev tun
proto tcp
remote yourdomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
# must match the cipher line in server.ovpn
cipher AES-256-CBC
comp-lzo
verb 3
#ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
#cert "C:\\Program Files\\OpenVPN\\config\\my-client.crt"
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
#key "C:\\Program Files\\OpenVPN\\config\\my-client.key"
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

Save this client.ovpn file. If you are using OpenVPN on a client computer, put a copy of this file in C:\Program Files\OpenVPN\config. Remember that this file now contains the client’s private key: anyone who gets a copy can join your home network as you, so treat it like a password and delete any copies you leave in cloud storage or e-mail once they have been imported.
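The copy-and-paste step above is easy to get wrong (a stray blank line, the .csr instead of the .crt, a key pasted under the wrong tag). The script below is an added example, not the post’s own code or an OpenVPN project tool: it reads the three PEM files, checks that each one holds exactly one block of the right kind, and writes the single-file client.ovpn with the <ca>, <cert> and <key> sections filled in. The file names, the output path and the default cipher (which must match whatever your server.ovpn uses) are assumptions.

```python
"""Build a single-file client.ovpn with the CA cert, client cert and client key inlined.

Added example, not from the original post or the OpenVPN project. It automates the
copy-and-paste step above: each PEM file is checked (exactly one block, matching
BEGIN/END labels, a certificate rather than a certificate request, a private key rather
than a certificate) and then dropped between OpenVPN's <ca>, <cert> and <key> tags.
File names, the output path and the default cipher are assumptions.
"""
import os
import re
import stat

# One PEM block: header label, base64 body, footer label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END ([A-Z ]+)-----", re.S)

# Labels acceptable for each slot in the profile.
ACCEPTED = {
    "ca": {"CERTIFICATE"},
    "cert": {"CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}


def extract_pem(text, slot):
    """Return the single PEM block in `text`, verified to be the right kind for `slot`."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"{slot}: expected exactly one PEM block, found {len(blocks)}")
    begin, body, end = blocks[0]
    if begin != end:
        raise ValueError(f"{slot}: BEGIN {begin} does not match END {end}")
    if begin not in ACCEPTED[slot]:
        # Catches the classic mistake of pasting the .csr (CERTIFICATE REQUEST) instead of the .crt
        raise ValueError(f"{slot}: got a {begin} block, expected one of {sorted(ACCEPTED[slot])}")
    if not re.fullmatch(r"[A-Za-z0-9+/=\r\n]+", body):
        raise ValueError(f"{slot}: PEM body contains non-base64 characters")
    return f"-----BEGIN {begin}-----\n{body.strip()}\n-----END {end}-----"


def build_client_ovpn(remote, ca_pem, cert_pem, key_pem, port=1194, proto="tcp",
                      cipher="AES-256-CBC"):
    """Render the profile text. The directive lines mirror the client.ovpn shown above."""
    directives = [
        "client",
        "dev tun",
        f"proto {proto}",
        f"remote {remote} {port}",
        "resolv-retry infinite",
        "nobind",
        "persist-key",
        "persist-tun",
        "remote-cert-tls server",   # refuse a peer whose certificate is not a server certificate
        f"cipher {cipher}",         # must match the cipher line in server.ovpn
        "verb 3",
    ]
    inline = []
    for slot, pem in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)):
        inline.append(f"<{slot}>\n{extract_pem(pem, slot)}\n</{slot}>")
    return "\n".join(directives + inline) + "\n"


def write_profile(path, text):
    """Write the profile readable only by its owner: it contains the private key."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    with os.fdopen(os.open(path, flags, stat.S_IRUSR | stat.S_IWUSR), "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    import sys
    # Usage: python build_ovpn.py vpn.yourdomain.com ca.crt my-client.crt my-client.key client.ovpn
    remote, ca_f, cert_f, key_f, out = sys.argv[1:6]
    profile = build_client_ovpn(remote, open(ca_f).read(), open(cert_f).read(), open(key_f).read())
    write_profile(out, profile)
    print(f"wrote {out}")
```

The owner-only permission bits in write_profile are honoured on Linux and OS X; on Windows they are largely ignored, so keep the output inside your own profile directory there.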

Follow the guide to start your OpenVPN server (it should use the server.ovpn file and the associated keys and certificates you created). On later versions of Windows you may have to run it as an Administrator. You can also install it as a service so that OpenVPN starts automatically whenever Windows starts. For clients outside your home to reach it, your router must forward TCP port 1194 to the server machine’s LAN address, and the Windows firewall on that machine must allow inbound connections on that port.
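Before you expose the server to the internet it is worth a quick check of the config for the settings a reviewer would flag. The audit below is an added example, not code from the post or from the OpenVPN project: it parses the directive lines of a server.ovpn or client.ovpn (skipping comments and the inline <ca>, <cert> and <key> blocks) and reports weak ciphers, short DH parameters, compression, the shared-identity duplicate-cn setting, a missing tls-auth/tls-crypt key, a client profile without remote-cert-tls, and a server without crl-verify. The sample in main() is constructed from the weak settings a stock guide of that era produces (Blowfish, 1024-bit DH, comp-lzo, duplicate-cn); the DH check is a heuristic on the file name.

```python
"""Pre-flight audit of an OpenVPN config for weak or risky settings.

Added example; not code from the original post or from the OpenVPN project. It reads
the directive lines of a server.ovpn or client.ovpn (skipping comments and inline
<ca>...</ca> style blocks) and reports what a reviewer would flag before the server
is exposed to the internet. The sample in main() is constructed from the weak
settings a stock guide of that era produces (Blowfish, 1024-bit DH, LZO compression,
duplicate-cn). The DH strength check is a heuristic on the file name.
"""
import re

# 64-bit block ciphers (Blowfish, DES, CAST5): birthday-bound attacks on long-lived tunnels.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "NONE"}


def parse_directives(text):
    """Return [(directive, [args])] for real directive lines, skipping inline PEM blocks."""
    out, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if re.fullmatch(r"<[a-z-]+>", line):      # <ca>, <cert>, <key>, <tls-auth> ...
            in_block = True
            continue
        if re.fullmatch(r"</[a-z-]+>", line):
            in_block = False
            continue
        if in_block:
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def audit(text):
    """Return a list of (severity, message); an empty list means nothing was flagged."""
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    findings = []
    for name, args in directives:
        arg = " ".join(args)
        if name == "cipher" and arg.upper() in WEAK_CIPHERS:
            findings.append(("high", f"cipher {arg}: 64-bit block cipher or no encryption; use AES-256-GCM or AES-256-CBC"))
        if name == "dh":
            m = re.search(r"dh(\d+)", arg)
            if m and int(m.group(1)) < 2048:
                findings.append(("medium", f"dh {arg}: parameters under 2048 bits; regenerate with 2048 or more"))
        if name in ("comp-lzo", "compress") and arg != "no":
            findings.append(("medium", f"{name}: compressing encrypted traffic enables compression-oracle attacks; remove it"))
        if name == "duplicate-cn":
            findings.append(("low", "duplicate-cn: all devices share one identity, so a lost device cannot be revoked on its own"))
        if name == "auth" and arg.upper() in ("MD5", "SHA1", "NONE"):
            findings.append(("medium", f"auth {arg}: use SHA256 or stronger for the packet HMAC"))
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & names):
        findings.append(("medium", "no tls-auth/tls-crypt: anyone on the internet can start a TLS handshake with the server; add an HMAC key"))
    if "client" in names and "remote-cert-tls" not in names:
        findings.append(("high", "client profile lacks remote-cert-tls server: another client's certificate could impersonate the server"))
    if "server" in names and "crl-verify" not in names:
        findings.append(("low", "no crl-verify: a revoked client certificate would still be accepted"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the weak settings discussed above, in server.ovpn form.
    SAMPLE = r"""
port 1194
proto tcp
dev tun
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher BF-CBC
comp-lzo
verb 3
"""
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```

Run it against both server.ovpn and client.ovpn; the tls-auth finding in particular is worth acting on, since without a pre-shared HMAC key every port scanner on the internet gets to exercise your server’s TLS stack.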

On your client machine, where you have already installed OpenVPN, copy the client.ovpn file to C:\Program Files\OpenVPN\config. Start OpenVPN (once again as Administrator) and you should be able to connect.

On mobile devices, install the OpenVPN Connect app. You need to import the client.ovpn file into the app, and after that you should be able to connect to your VPN. On iOS I use Dropbox: open the file and use the “Open with” function to send it to OpenVPN, then import the profile and you’re ready to go.

I hope this helps get you started so you can take your paid services with you, no matter where you go.