
Build a Private Home VPN with OpenFactory

January 18, 2026


You're away from home and you need to reach your NAS, pull up a camera feed, SSH into a development box, or print to the printer in your office. The naive answer is to forward ports on your router and expose those services to the open internet. The right answer is a VPN you run yourself: a single encrypted door into your LAN that makes every device behave as if you were sitting on the couch. This post is about that remote-access use case. If you instead want a private exit for your outbound browsing — the thing a commercial VPN sells — see our companion piece on owning your VPN.

The problem is that setting up a VPN server from scratch is a pain. Install StrongSwan, configure IPsec, set up certificates, enable IP forwarding, write firewall rules, configure DNS — it's a weekend project that most people abandon halfway through. OpenFactory turns it into a five-minute build.

[Figure: Remote access into your home LAN over a VPN tunnel. A roaming phone on hotel or cellular WiFi opens an encrypted tunnel (UDP 500/4500) to the home gateway (VPN + DNS + NAT, 10.10.0.1), which fronts the LAN: NAS / files 10.10.0.20, security camera 10.10.0.31, dev machine 10.10.0.42.]
One authenticated tunnel terminates at your gateway; from there you reach every device on the LAN by its private address — no per-service port forwarding.

Why Run Your Own VPN

A self-hosted remote-access VPN gives you one encrypted door into your home network, so your NAS, cameras, home automation, and dev machines are reachable from anywhere — without exposing a single port to the public internet. As a bonus you also get encrypted public-WiFi sessions and network-wide ad blocking.

Running your own remote-access endpoint is no longer an exotic homelab move; it is the mainstream pattern. In the 2026 IDC Enterprise VPN survey, WireGuard had become the primary remote-access VPN for the majority of large enterprises, up sharply from roughly a third in 2023 — the same protocols and tunnel model that secure a global workforce work just as well for a household of five. The difference with a self-hosted box is simply who holds the keys: you do.

  • Reach your home network — your NAS, home automation, security cameras, or development machines, all addressable by their private IPs from a hotel room or a train. This is the whole point of a remote-access VPN.
  • No exposed ports — instead of forwarding SSH, RDP, and a camera UI to the internet (and onto every scanner's target list), you expose exactly one authenticated VPN endpoint. Everything else stays invisible behind it.
  • Secure public WiFi — coffee shop, airport, hotel — the traffic you choose to route is encrypted back to your home server before it ever touches the local network.
  • No third-party trust — your tunnel terminates on hardware you own. No logging policies to read, no “no-log” claims to hope are real.
  • Ad blocking for all devices — point DNS at dnsmasq with blocklists and every device on the tunnel gets ad-free browsing — no per-device setup.

What You Get with OpenFactory

OpenFactory's Personal VPN Router scenario builds a complete, bootable ISO with StrongSwan IKEv2, dnsmasq for DNS and ad-blocking, full-tunnel NAT routing, fail2ban brute-force protection, system monitoring, and network diagnostic tools — all pre-configured on Ubuntu 24.04.

OpenFactory has a ready-made Personal VPN Router scenario that builds a complete VPN server as a bootable ISO. It's based on Ubuntu 24.04 and comes with everything configured:

  • StrongSwan IPsec with IKEv2 — the industry-standard VPN protocol. IKEv2 is natively supported on iOS, Android, macOS, and Windows — no third-party VPN app needed.
  • dnsmasq for DNS and ad-blocking — local DNS resolver that can double as a network-wide ad blocker. Add blocklists and every connected device benefits.
  • IP forwarding and NAT — full-tunnel routing configured out of the box. All client traffic routes through the server.
  • fail2ban — automatic brute-force protection for SSH and VPN services.
  • Monitoring — system health and resource monitoring pre-configured.
  • Network diagnostic tools — tcpdump, mtr, iperf3, ethtool — everything you need to troubleshoot connectivity.

How to Build It

Building your private VPN takes about five minutes: pick the Personal VPN Router scenario on console.openfactory.tech, optionally customize settings like admin username or security level, build and download the ISO, then flash it to any hardware or deploy it on a cloud VPS.

  1. Go to console.openfactory.tech and pick the Personal VPN Router scenario, or describe what you want in plain language.
  2. Customize if needed — change the admin username, add extra packages, adjust security settings.
  3. Build and download the ISO.
  4. Flash it to a mini PC, an old laptop, a Raspberry Pi, or deploy it on a VPS — anywhere you want your VPN endpoint.

No command line. No manual StrongSwan configuration. No wrestling with iptables rules. You get a complete, tested, bootable system.

Connecting Your Devices

IKEv2 is natively supported on iOS, Android, macOS, Windows, and Linux, so no third-party VPN client is required. Each platform has a built-in VPN configuration screen where you enter your server address and authentication details to connect in seconds.

  • iOS / iPadOS — Settings → VPN → Add VPN Configuration → IKEv2. Enter your server address, authentication details, done.
  • Android — Settings → Network → VPN → Add VPN (IKEv2/IPSec). Native support since Android 11, or use the strongSwan app on older versions.
  • macOS — System Settings → VPN → Add VPN Configuration → IKEv2. Built-in, no extra software.
  • Windows — Settings → Network → VPN → Add a VPN connection. Select IKEv2 as the type. Built into Windows 10 and 11.
  • Linux — NetworkManager has native IKEv2 support via the strongswan plugin, or configure manually with swanctl.
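For the Linux bullet, here is an added example (not OpenFactory's shipped configuration) of a client-side swanctl.conf rendered by a small shell function, using per-device certificate authentication. The gateway name vpn.example.home, the certificate file names and the 10.10.0.0/24 home LAN are assumptions.

```shell
# Added example: render a Linux client's swanctl.conf for the home gateway.
# Assumed: the gateway certificate names vpn.example.home, this device holds
# laptop.crt (in /etc/swanctl/x509) with its key in /etc/swanctl/private, and
# the CA that signed both lives in /etc/swanctl/x509ca. $1 is "split" (only the
# home LAN 10.10.0.0/24 goes through the tunnel, the default) or "full".
# Install: render_client_conf split > /etc/swanctl/conf.d/home.conf
# then:    swanctl --load-all && swanctl --initiate --child home && swanctl --list-sas
render_client_conf() {
  local ts=10.10.0.0/24
  [ "${1:-split}" = full ] && ts=0.0.0.0/0   # full tunnel: route everything
  cat <<EOF
connections {
  home {
    version = 2
    remote_addrs = vpn.example.home
    vips = 0.0.0.0                  # ask the gateway for a tunnel address (and DNS)
    local {
      auth = pubkey
      certs = laptop.crt            # this device's own certificate
      id = laptop@example.home      # must appear as a SAN in laptop.crt
    }
    remote {
      auth = pubkey
      id = vpn.example.home         # must match a SAN in the gateway certificate
    }
    children {
      home {
        remote_ts = $ts
        esp_proposals = aes256gcm16-x25519
        start_action = start        # bring the tunnel up as soon as the config loads
        dpd_action = restart        # re-establish after a dead-peer timeout (roaming)
      }
    }
  }
}
EOF
}
```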

Where to Run It

The bootable ISO runs anywhere Linux runs: a mini PC like an Intel NUC for an always-on home server, an old laptop or desktop repurposed as a VPN endpoint, a $5/month cloud VPS for a foreign exit node, or a local virtual machine for testing before deployment.

  • Mini PC at home — an Intel NUC or similar mini PC makes an ideal always-on VPN server. Low power, silent, small.
  • Old laptop or desktop — that machine collecting dust in the closet is more than powerful enough. A VPN server needs almost no CPU or RAM.
  • Cloud VPS — deploy the ISO to a $5/month VPS (Hetzner, DigitalOcean, Vultr) for a VPN exit in a different country. You still control the server — not a VPN company.
  • Virtual machine — test it locally in VirtualBox or QEMU before deploying to hardware.

Why Not WireGuard?

IKEv2/IPsec is chosen over WireGuard because every major operating system supports it natively without third-party apps. This is critical for home VPN use where family members need simple connectivity. StrongSwan is also battle-tested, widely audited, and handles WiFi-to-cellular roaming via MOBIKE.

WireGuard is excellent and we may add it as an option in the future. But IKEv2/IPsec has one major advantage for a home VPN: native OS support. Every phone, tablet, laptop, and desktop can connect without installing a third-party app. That matters when you want your family members to use the VPN without troubleshooting app installs on every device.

StrongSwan is also battle-tested, widely audited, and handles roaming (switching between WiFi and cellular) gracefully with IKEv2's MOBIKE extension.

Owning It Means Maintaining It

A remote-access endpoint sits on the public internet by definition, so a few habits matter: keep StrongSwan patched, rotate keys and certificates, lock the firewall to the VPN port only, and confirm there are no DNS leaks. OpenFactory ships these defaults; the list below is what to keep an eye on over time.

Keep the daemon patched

IKEv2 is mature, but it is still software. StrongSwan's CVE-2023-26463 let a client present an untrusted certificate during TLS-based EAP and crash the daemon — a denial of service with possible code execution — in versions 5.9.8 and 5.9.9, fixed in 5.9.10. The lesson is not “avoid StrongSwan”; it is “apply updates.” Because your image is just Ubuntu underneath, unattended-upgrades keeps the VPN daemon current automatically.

Rotate keys, lock the firewall, check for DNS leaks

  • Rotate credentials — issue per-device certificates rather than one shared secret, and revoke a device's cert the day a phone is lost or a family member leaves. Short certificate lifetimes turn a leaked key into a problem that expires on its own.
  • Expose one port — IKEv2 lives on UDP 500 and UDP 4500. Forward only those from your router; everything behind the gateway stays unreachable from the internet. fail2ban handles the brute-force noise.
  • Push DNS through the tunnel — the most common self-hosted leak is a client that keeps using its local resolver. Hand out your dnsmasq address as the tunnel DNS server and verify with a leak test that lookups exit via your gateway, not the hotel WiFi.
  • Decide split vs. full tunnel — for pure home access, route only your LAN subnet (split tunnel) so general browsing stays local and fast. Route everything (full tunnel) only when you also want the privacy-exit behavior described in the companion post.
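The "expose one port", "push DNS through the tunnel" and "split vs. full tunnel" habits as an added example (not the image's own rules): a shell function that renders a gateway nftables ruleset opening only UDP 500/4500 and ESP on the WAN side, with the NAT rule present only in full-tunnel mode, plus a client-side resolver check for the DNS-leak habit. The WAN interface name, subnets and the sample resolver output are assumptions.

```shell
# Added example, not the OpenFactory image's own rules. Assumed addressing: WAN on
# eth0, LAN 10.10.0.0/24, dnsmasq on the gateway at 10.10.0.1, clients 10.10.1.0/24.
set -eu
WAN_IF=eth0; LAN_NET=10.10.0.0/24; VPN_POOL=10.10.1.0/24; TUNNEL_DNS=10.10.0.1
# Print the gateway's nftables ruleset. $1 is "split" (clients reach the LAN only)
# or "full" (client traffic is also masqueraded out of the WAN).
# Apply with: make_nft_ruleset split | sudo nft -f -
make_nft_ruleset() {
  local mode=$1
  cat <<EOF
table inet vpngw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # the only holes on the WAN side: IKE, NAT-T and raw ESP
    iif $WAN_IF udp dport { 500, 4500 } accept
    iif $WAN_IF meta l4proto esp accept
    # SSH and DNS answer only the LAN and tunnel clients, never the WAN
    ip saddr { $LAN_NET, $VPN_POOL } tcp dport 22 accept
    ip saddr { $LAN_NET, $VPN_POOL } udp dport 53 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr $VPN_POOL ip daddr $LAN_NET accept
EOF
  if [ "$mode" = full ]; then      # full tunnel: also route and NAT to the WAN
    echo "    ip saddr $VPN_POOL oif $WAN_IF accept"
    printf '  }\n  chain postrouting {\n    type nat hook postrouting priority 100;\n'
    echo "    ip saddr $VPN_POOL oif $WAN_IF masquerade"
  fi
  printf '  }\n}\n'
}
# Client-side leak check: pass the text of `resolvectl status`; it succeeds only
# when every DNS server listed on any link is the tunnel resolver.
dns_stays_in_tunnel() {
  local tunnel_dns=$1 status=$2 leaks
  leaks=$(printf '%s\n' "$status" | sed -nE 's/.*DNS Servers?: *//p' \
          | tr ' ' '\n' | grep -v '^$' | grep -cvxF "$tunnel_dns" || true)
  [ "$leaks" -eq 0 ]
}
# Constructed sample: the WiFi link still points at the hotel resolver.
LEAKY_STATUS='Link 3 (wlan0)
  Current DNS Server: 192.168.43.1
       DNS Servers: 192.168.43.1
Link 7 (ipsec0)
       DNS Servers: 10.10.0.1'
dns_stays_in_tunnel "$TUNNEL_DNS" "$LEAKY_STATUS" || echo "DNS leak: a resolver other than $TUNNEL_DNS is in use"
```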

Take Back Your Privacy

A self-hosted VPN is the only VPN you can trust completely. There are no logging policies to parse, no jurisdiction concerns, and no reliance on provider promises. OpenFactory makes it as simple as picking a scenario and flashing a USB stick — all the hard configuration is already done.

A VPN you run yourself is the only VPN you can trust completely. No logging policies to read, no jurisdiction shopping, no hoping that “no-log” actually means no logs. Your server, your rules.

OpenFactory makes it as easy as picking a scenario and flashing a USB stick. The hard part — StrongSwan config, certificate management, firewall rules, DNS setup — is already done.

A home VPN is one piece of a self-hosted stack. Pair it with taking back your data from cloud services and browser isolation without the vendor lock-in, and you control the whole path from your device to your data. Want the same thing for a team, with managed fleets and SSO? That's what OpenFactory Enterprise is for — see pricing.
