Introduction
Sitting in a cafe, sipping delicious coffee, and thinking of enjoying the free Wi-Fi service of the cafe but the concern is safety. Have you ever felt this situation? Yes, of course accessing an unknown public wifi could be a risk to our online security. A Virtual Private Network (VPN) can help protect your data in such situations. VPNs encrypt your internet traffic, creating a secure tunnel between your device and the internet. This encryption makes it virtually impossible for hackers to steal your information.
There are so many paid, and non-paid VPN services available but weβre not gonna talk about those here. Instead, in this article, you will learn how to create a simple VPN server using Python. Weβll use the βsocketβ and βsslβ libraries to establish a secure connection between a client and a server.
Itβs important to note that this is for educational purposes only, and these homemade VPNs may not offer the same level of security and features as commercial VPN services.
Recommended: Create a Simple Proxy Server Using Python
Requirements and Installations
Before you begin, make sure Python is installed on your system. You can download it from www.python.org. Next, Install the pyOpenSSL library for SSL/TTLS connections using the following command:
pip install pyopenssl
Set Up the Environment
Create a separate folder named βVPN_Serverββ and navigate to this directory.
Itβs mandatory to generate SSL certificates to run the VPN server and client programs securely. So, open your terminal or command prompt and do the following step-by-step:
Generate a private key
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:4096
Create a certificate signing request (CSR)
Create a file named βserver.csr.cnfβ with the following content:
[req] distinguished_name = req_distinguished_name req_extensions = req_ext prompt = no [req_distinguished_name] C = US ST = California L = San Francisco O = Example Company OU = IT CN = 127.0.0.1 [req_ext] subjectAltName = @alt_names [alt_names] IP.1 = 127.0.0.1
Then run the command:
openssl req -new -key server.key -out server.csr -config server.csr.cnf
Generate the self-signed certificate
Create a file named βserver.crt.cnfβ with the following content:
[req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US ST = California L = San Francisco O = Example Company OU = IT CN = 127.0.0.1 [v3_req] subjectAltName = @alt_names [alt_names] IP.1 = 127.0.0.1
Then run the command:
openssl x509 -req -in server.csr -signkey server.key -out server.crt -days 365 -extfile server.crt.cnf -extensions v3_req
The Program
We will create the VPN server and client programs separately.
vpn_server.py
import socket
import ssl
def start_vpn_server(host, port):
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile="server.crt", keyfile="server.key")
bindsocket = socket.socket()
bindsocket.bind((host, port))
bindsocket.listen(5)
print(f"VPN server listening on {host}:{port}")
while True:
newsocket, fromaddr = bindsocket.accept()
print(f"Connection from {fromaddr}")
conn = context.wrap_socket(newsocket, server_side=True)
try:
data = conn.recv(1024)
print(f"Received: {data}")
if data:
conn.sendall(b'Hello, VPN Client!')
except Exception as e:
print(f"Error: {e}")
finally:
try:
conn.shutdown(socket.SHUT_RDWR)
except OSError as e:
print(f"Error during shutdown: {e}")
conn.close()
if __name__ == "__main__":
start_vpn_server('127.0.0.1', 8443)Explanation
Letβs break down the key parts of the above Python script:
start_vpn_serverfunction: This function takes two arguments: βhostβ (the serverβs IP address) and βportβ (the port number the server listens on).context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH): This line creates an SSL context object. The βssl.Purpose.CLIENT_AUTHβ argument specifies that the server expects client authentication (meaning the client will also present a certificate).context.load_cert_chain(certfile="server.crt", keyfile="server.key"): This line loads the serverβs SSL certificate (βserver.crtβ) and private key (βserver.keyβ) into the context object. These files are crucial for establishing a secure connection.bindsocket = socket.socket(): This line creates a new TCP socket object (βbindsocketβ) using the socket library.bindsocket.bind((host, port)): This line binds the socket to the specified host and port. This tells the operating system to listen for incoming connections on that address and port combination.bindsocket.listen(5): This line sets the socket to listen for incoming connections. The 5 specifies the maximum number of pending connections that can be queued before the server starts refusing new connections.newsocket, fromaddr = bindsocket.accept(): This line waits for a new connection and assigns the new socket object (βnewsocketβ) and the clientβs address (βfromaddrβ) to variables.conn = context.wrap_socket(newsocket, server_side=True): This line wraps the new socket (βnewsocketβ) in an SSL socket (βconnβ) using the previously created SSL context. The βserver_side=Trueβ argument specifies that this is a server-side connection.data = conn.recv(1024): This line receives data (up to 1024 bytes) from the client through the secure SSL connection (conn).conn.sendall(b'Hello, VPN Client!'): If data was received, this line sends a simple message back to the client as a response.conn.shutdown(socket.SHUT_RDWR): This line shuts down both reading and writing on the secure connection.conn.close(): This line closes the secure connection (conn).start_vpn_server('127.0.0.1', 8443): This line calls the βstart_vpn_serverβ function with the serverβs IP address (127.0.0.1) and port number (8443).
vpn_client.py
import socket
import ssl
def vpn_client(host, port):
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
context.load_verify_locations("server.crt")
raw_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
raw_socket.connect((host, port))
conn = context.wrap_socket(raw_socket, server_hostname=host)
try:
conn.send(b"Hello, VPN Server!")
data = conn.recv(1024)
print(f"Received from server: {data}")
finally:
conn.close()
if __name__ == "__main__":
vpn_client('127.0.0.1', 8443)Explanation
Here is the breakdown of the key parts of the above Python script:
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH): This line creates an SSL context object (context). The βssl.Purpose.SERVER_AUTHβ argument specifies that the client expects server authentication (meaning it will verify the serverβs certificate).context.load_verify_locations("server.crt"): This line attempts to load the serverβs SSL certificate (βserver.crtβ) into the context object. This certificate is used to verify the serverβs identity for a secure connection.raw_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM): This line creates a new TCP socket object (βraw_socketβ) using the βsocketβ library. βsocket.AF_INETβ specifies the address family (IPv4 in this case), and βsocket.SOCK_STREAMβ specifies a stream socket for continuous data exchange.raw_socket.connect((host, port)): This line attempts to connect the socket (βraw_socketβ) to the server at the specified host and port.conn = context.wrap_socket(raw_socket, server_hostname=host): This line wraps the raw socket (βraw_socketβ) in an SSL socket (βconnβ) using the previously created SSL context (βcontextβ). The βserver_hostnameβ argument specifies the expected hostname of the server for certificate verification.
How to run the program?
Start the VPN Server
Open a terminal and navigate to the directory containing βvpn_server.pyβ. Now run the server script:
python vpn_server.py
You should see a message indicating that the server is listening on 127.0.0.1:8443.
Run the VPN Client
Open another terminal and navigate to the directory containing βvpn_client.pyβ. Now run the client script:
python vpn_client.py
The client should connect to the server, send a message, and print the response.
Output
When you run the server and client programs, you should see the following outputs:
Server Terminal Output
VPN server listening on 127.0.0.1:8443
Connection from ('127.0.0.1', 12345)
Received: b'Hello, VPN Server!'Client Terminal Output
Received from server: b'Hello, VPN Server!'
Recommended: Create a Python Network Scanner: Find IPs & MACs
Summary
In this tutorial, we built a simple VPN server using Python. We used the βsocketβ and βsslβ libraries to establish a secure connection between a client and a server. But before running the server and client scripts, itβs mandatory to generate SSL certificates to establish the connection securely.
Every step described in this tutorial is important to set up the VPN server and client successfully. So, follow every detail carefully. Remember, this is a great starting point for further exploration into secure communications and network programming with Python.
For any query, reach out to me at contact@pyseek.com.
Happy Coding!
