Build Your Own Free VPN with Oracle Cloud


  • A working debit/credit card. (You will not be charged, but it is a requirement nonetheless).
  • Free time.
  • A desire to learn.
  • Probably patience.

What is a VPN and why do you need one?


Creating an account on Oracle Cloud Infrastructure

Creating a Virtual Cloud Network (VCN)

  • Our instance must be launched into a VCN and subnet. A subnet is a subdivision of the VCN.
  • We use the navigation pane to navigate to Networking as shown above. Click on Virtual Cloud Networks
  • Our VCN will require network connectivity since we will be accessing it over the internet via the VM’s public IP. Click on Start VCN Wizard.
  • Select Create VCN with Internet Connectivity and then click Start VCN Wizard
  • We select the option for a VCN with internet connectivity.
  • The VCN should be configured as follows (feel free to do it differently, of course).
  • VCN Name for your cloud network. Avoid using confidential information as this will be incorporated into all related resources that will be automatically created.
  • Compartment defaults to the current compartment
  • VCN CIDR Block enter a valid (Classless Inter Domain Routing) CIDR block for the VCN.
  • For the purpose of this tutorial, you don’t need to understand any networking but, if you are curious, you can check this out [add link to a relatively short networking tutorial].
  • Enter
  • Public Subnet CIDR Block enter a valid CIDR block that is within range e.g.
  • Private Subnet CIDR Block: enter a valid CIDR block that is within range e.g. (must be different from the public subnet).
  • Accept all other defaults.
  • Click Next
  • Review all the resources. The wizard will create multiple resources and set up security list rules and route tables to enable basic network access for the VCN.
  • Click Create to create the components.
  • After creation, click View Virtual Cloud Network to view your network.
  • Your VCN will have the followeing resources and characteristics
  • Disclaimer

Launching a Linux instance

  • With our VCN set up, we can now create a Linux instance.
  • Navigate to Compute in the navigation pane, then select Instances
  • You can think of your instance as a computer running in the cloud. Unlike your personal computer, however, it runs on a server in a data center sharing hardware with many other instances that are isolated from each other.
  • Click Create instance
  • Name your instance, once again avoiding confidential information.
  • Customize your image and shape.
  • For this tutorial, we will use an ARM-based shape, VM.Standard.A1.Flex, running Ubuntu 22.04.
  • You’re free to choose a different distribution, but some commands in this tutorial might not work in that case.
  • The next step is to configure the networking to allow the instance to connect to the internet and other requried resources.
  • For the primary network, select Select existing VCN
  • Select the VCN from the dropdown menu
  • For the subnet, select Select existing subnet again
  • Select the Public Subnet from the dropdown menu
  • Select Assign a public IPv4 address to create an IP address for the instance. This is required to access the instance. If you have any problem here make sure that you have selected the public subnet that was created with your VCN.
  • In the Add SSH keys section, generate an SSH pair or upload your own public key.
  • Generate a key pair for me (Recommended): Use this option if you are using running Linux, Mac, or Windows 10/11, otherwise you may need to generate a key using PuTTY. Make sure that you have SSH installed on your device. Once the keys are generated, download them and keep them safe because anyone who has access to the private key can connect to your instance.
  • Upload public key files If you generate SSH keys with PuTTY or any similar client, you can upload the keys here.
  • Paste public keys paste the public key portion of your key pair in the box
  • Leave all options cleared in the Boot volume section.
  • Click Create.
  • Provisioning may take a few minutes before the state updates to running.
  • Once completed, you can click the instance name to see its details.
  • Make a note of the public IP address as we’ll need this later.

Connecting to your instance

  • We can check if we have been successful by connecting to the instance.
  • Open a shell in the directory where your private key is stored.
  • On Windows, you can navigate to the folder in Explorer and then simply type CMD in the address bar and press enter.
  • Check first if you have OpenSSH installed using ssh -V
  • In Powershell, type the following commands to restrict the permissions on your key file:
  • icacls.exe your_key_name.key /reset
  • icacls.exe your_key_name.key /grant:r "$($env:username):(r)"
  • icacls.exe your_key_name.key /inheritance:r
  • If you still get the error shown below, then make sure that your file is stored in a restricted folder like C:\Users\<Username>\*.
  • If you’re using a UNIX-style system (Linux or MacOS), you can run the following command to ensure that only you can read the private key file chmod 400 <private_key_file> . Replace <private_key_file> with the name of your key file which should look something like ssh-key-[date].key.
  • Type the command ssh -i <private_key_file> <username>@<public-ip-address> to connect to your instance.
  • <private_key_file>: the full path to the private key file. If you are in the same folder, you just need the file name as shown above.
  • <username>: the default username for the instance. For ubuntu, it should be *ubuntu.
  • <public-ip-address>: this is the external IP of the VM instance that we saved earlier.
  • For the first connection, you will need to provide confirmation for the key exchange.
  • Once you have successfully connected to your instance, login as root using sudo su.
  • Make sure that everything is up to date by running the sudo update and then sudo upgrade commands.

Allowing UDP traffic

  • Before we can configure our VPN, we must first modify the ingress firewall rules to allow our Wireguard traffic.
  • Go to Networking in the navigation pane.
  • Click on the VCN in which your instance is running.
  • If you are using the root compartment, you should have 2 subnets: Private Subnet-<your-vcn-name-here> and Public Subnet-<your-vcn-name-here>
  • Click on the public subnet.
  • Choose Default Security list for <your-vcn-name-here>
  • Click on Add Ingress Rules
  • Configure your ingress rules as shown below.
  • By leaving Source CIDR as, we allow traffic from any IP.
  • Destination Port Range is set to 51820 as specified in the Wireguard documentation.
  • The IP Protocol is set to UDP because of the advantages it offers such as greater speed.
  • The description tells us what this ingress rule is for in case we need to remove it in the future.

Installing the VPN

  • We install the VPN using PiVPN, which is a set of shell scripts developed to easily turn your Raspberry Pi into a VPN server.
  • It works well with our instance because it is also using an ARM processor.
  • Return to your shell window and check that you are still connected to your instance.
  • Use curl -L | bash to retrieve the installer from the server.
  • This should load the PiVPN Automated Installer as shown above.
  • Press enter to confirm your selection.
  • The next screen tells us that we need a static IP address. This is because our VPN creates a tunnel between your device and the VM instance, which we need to connect to via its public IP. If our IP was dynamic then we would need to always reconfigure our VPN to have the right address. Fortunately, Oracle gives our instance a static public IP which means we don’t need to worry about setting up dynamic DNS.
  • Press enter on subsequent screens until you see this screen.
  • Use the arrow keys to move the cursor down to ubuntu, use space bar to make the selection, then enter to confirm and continue.
  • Press Enter to maintain the default port 51820. Select Yes to confirm.
  • Select CloudFlare as your DNS provider.
  • Select our static IP address.
  • Press Enter to generate keys.
  • Press Enter to confirm unattended upgrades. This is important to ensure that our system is always kept up to date and not vulnerable to attacks.
  • Once we see this screen, then the installation is complete.
  • At this point it is recommended to reboot the system. Select Yes then Ok to confirm reboot.
  • After a few seconds, you can run the ssh command again to reconnect to your instance.

Adding a user

  • We can use PiVPN to manually grant access to users on our VPN.
  • We can use the pivpn add command to add a new user configuration. You'll be prompted to give the user a name.
  • Then, we use the command pivpn -qr to generate a QR code for the user to connect.
  • This will generate a QR code that you can scan with any of your devices. Ideally, you generate a unique QR code for each one of your devices.
  • If you have not already downlaoded the wireguard client, do so.
  • You can use this website to verify that your VPN is working.


  • If you have made it this far and your VPN is working, then well done. If not, try again. I hope you have learned something. Happy surfing!



A Fullstack Engineer seeking truth, wisdom, and, above all, enlightenment where technology and philosophy intersect. | Fiction lover 🌐:

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tawanda Eddie Jr.

A Fullstack Engineer seeking truth, wisdom, and, above all, enlightenment where technology and philosophy intersect. | Fiction lover 🌐: