Build a Private Home VPN with OpenFactory

March 15, 2026

Commercial VPN providers promise privacy, but you're still trusting a third party with all your traffic. They can log it, sell metadata, or get compelled to hand it over. The only VPN you can truly trust is one you run yourself.

The problem is that setting up a VPN server from scratch is a pain. Install StrongSwan, configure IPsec, set up certificates, enable IP forwarding, write firewall rules, configure DNS — it's a weekend project that most people abandon halfway through. OpenFactory turns it into a five-minute build.

Why Run Your Own VPN

  • No third-party trust — your traffic never touches someone else's servers. No logging policies to read, no “no-log” claims to hope are real.
  • ISP privacy — your ISP sees encrypted traffic to your VPN server, nothing more. No DNS leaks, no browsing history for sale.
  • Secure public WiFi — coffee shop, airport, hotel — all your traffic is encrypted back to your home server.
  • Access your home network — reach your NAS, home automation, security cameras, or development machines from anywhere.
  • Ad blocking for all devices — route DNS through dnsmasq with blocklists and every device on your VPN gets ad-free browsing — no per-device setup.

What You Get with OpenFactory

OpenFactory has a ready-made Personal VPN Router scenario that builds a complete VPN server as a bootable ISO. It's based on Ubuntu 24.04 and comes with everything configured:

  • StrongSwan IPsec with IKEv2 — the industry-standard VPN protocol. IKEv2 is natively supported on iOS, Android, macOS, and Windows — no third-party VPN app needed.
  • dnsmasq for DNS and ad-blocking — local DNS resolver that can double as a network-wide ad blocker. Add blocklists and every connected device benefits.
  • IP forwarding and NAT — full-tunnel routing configured out of the box. All client traffic routes through the server.
  • fail2ban — automatic brute-force protection for SSH and VPN services.
  • Monitoring — system health and resource monitoring pre-configured.
  • Network diagnostic tools — tcpdump, mtr, iperf3, ethtool — everything you need to troubleshoot connectivity.
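
For the dnsmasq ad-blocking item above, this added example (not OpenFactory's own code) converts a hosts-format blocklist into dnsmasq rules while treating the list as untrusted input. The function names, the allowlist argument and the sample list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not OpenFactory code. Converts a hosts-format blocklist
# (stdin) into dnsmasq rules (stdout). "local=/name/" makes dnsmasq answer
# NXDOMAIN for name and every subdomain instead of forwarding upstream.
# $1: space-separated names that must keep resolving (e.g. the VPN hostname).
hosts_to_dnsmasq() {
    LC_ALL=C awk -v allow="${1:-}" '
    BEGIN { n = split(tolower(allow), keep, " ") }
    {
        sub(/\r$/, ""); sub(/[ \t]*#.*/, "")   # CRLF endings, comments
        if (NF != 2) next                        # only "<sink-ip> <name>"
        if ($1 != "0.0.0.0" && $1 != "127.0.0.1") next
        name = tolower($2)
        # The list is untrusted input written into resolver config: accept
        # strict hostname syntax only, so "/" or "=" can never smuggle in a
        # directive such as server=/.../<ip>.
        if (length(name) > 253) next
        if (name !~ /^([a-z0-9_]([a-z0-9_-]*[a-z0-9_])?\.)+[a-z][a-z0-9-]*[a-z0-9]$/) next
        # A rule also covers subdomains, so skip it when an allowlisted
        # name equals it or sits underneath it.
        for (i = 1; i <= n; i++)
            if (keep[i] == name || substr(keep[i], length(keep[i]) - length(name)) == "." name) next
        if (!seen[name]++) print "local=/" name "/"
    }'
}

# Constructed sample input (documentation domains and addresses only).
sample_blocklist() {
    printf '%s\n' '# constructed sample list' '127.0.0.1 localhost' \
        '0.0.0.0 ads.example.com' '0.0.0.0 ADS.example.com  # duplicate' \
        '0.0.0.0 x.example/198.51.100.7' 'server=/bank.example/198.51.100.7' \
        '0.0.0.0 example.net'
    printf '0.0.0.0 tracker.example.org\r\n'
}

# Demo: vpn.example.net (hypothetical VPN hostname) must stay resolvable,
# so the rule for its parent example.net is dropped.
sample_blocklist | hosts_to_dnsmasq "vpn.example.net"
```

Write the output to a file in a directory dnsmasq reads (the Ubuntu package uses `/etc/dnsmasq.d/`; whether the OpenFactory image keeps that default is an assumption) and run `dnsmasq --test` before restarting the service.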

How to Build It

The whole process takes about five minutes of your time (plus build time):

  1. Go to console.openfactory.tech and pick the Personal VPN Router scenario, or describe what you want in plain language.
  2. Customize if needed — change the admin username, add extra packages, adjust security settings.
  3. Build and download the ISO.
  4. Flash it to a mini PC, an old laptop, a Raspberry Pi, or deploy it on a VPS — anywhere you want your VPN endpoint.

No command line. No manual StrongSwan configuration. No wrestling with iptables rules. You get a complete, tested, bootable system.

Connecting Your Devices

IKEv2 is the protocol of choice here because every major OS supports it natively. No third-party VPN client needed.

  • iOS / iPadOS — Settings → VPN → Add VPN Configuration → IKEv2. Enter your server address, authentication details, done.
  • Android — Settings → Network → VPN → Add VPN (IKEv2/IPSec). Native support since Android 11, or use the strongSwan app on older versions.
  • macOS — System Settings → VPN → Add VPN Configuration → IKEv2. Built-in, no extra software.
  • Windows — Settings → Network → VPN → Add a VPN connection. Select IKEv2 as the type. Built into Windows 10 and 11.
  • Linux — NetworkManager has native IKEv2 support via the strongswan plugin, or configure manually with swanctl.

Where to Run It

The ISO works anywhere you can boot Linux:

  • Mini PC at home — an Intel NUC or similar mini PC makes an ideal always-on VPN server. Low power, silent, small.
  • Old laptop or desktop — that machine collecting dust in the closet is more than powerful enough. A VPN server needs almost no CPU or RAM.
  • Cloud VPS — deploy the ISO to a $5/month VPS (Hetzner, DigitalOcean, Vultr) for a VPN exit in a different country. You still control the server — not a VPN company.
  • Virtual machine — test it locally in VirtualBox or QEMU before deploying to hardware.
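
On a VPS, or at home behind a port-forward, the only sockets that need to answer on the public address are IKEv2 (UDP 500 and 4500) and SSH if you administer the box remotely; the resolver should answer VPN clients only. The following added example (not part of OpenFactory) audits `ss -H -tuln` output against that expectation; the SSH port, the function names and the sample sockets are assumptions.

```shell
#!/bin/sh
# Added example, not OpenFactory code.
# audit_listeners "ALLOWED" [PUBLIC_IP]
#   stdin:   output of `ss -H -tuln`
#   ALLOWED: space-separated proto/port pairs that may face the internet
#   Prints one line per unexpected internet-facing socket, returns 1 if any.
audit_listeners() {
    LC_ALL=C awk -v allowed="${1:-}" -v pub="${2:-}" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 5 && ($1 == "tcp" || $1 == "udp") {
        addr = $5; port = $5
        sub(/:[^:]*$/, "", addr)        # strip ":port"
        sub(/^.*:/, "", port)           # keep what follows the last colon
        sub(/%.*$/, "", addr)           # drop "%iface" scope suffix
        gsub(/\[|\]/, "", addr)         # [::] -> ::
        wild = (addr == "0.0.0.0" || addr == "::" || addr == "*")
        if (!wild && addr != pub) next  # loopback or internal-only bind
        key = $1 "/" port
        if (key in ok) next
        print "EXPOSED " key " on " addr; bad = 1
    }
    END { exit bad + 0 }'
}

# Constructed sample of `ss -H -tuln` output (documentation addresses).
sample_ss() {
    printf '%s\n' \
        'udp UNCONN 0 0 0.0.0.0:500 0.0.0.0:*' \
        'udp UNCONN 0 0 0.0.0.0:4500 0.0.0.0:*' \
        'udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*' \
        'tcp LISTEN 0 32 10.10.10.1:53 0.0.0.0:*' \
        'tcp LISTEN 0 128 203.0.113.10:22 0.0.0.0:*' \
        'tcp LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*' \
        'tcp LISTEN 0 511 [::]:8080 [::]:*'
}

# Demo on the sample; on a real server use: ss -H -tuln | audit_listeners ...
sample_ss | audit_listeners "udp/500 udp/4500 tcp/22" "203.0.113.10" \
    || echo "review the sockets listed above"
```

In the sample, the wildcard-bound resolver on UDP 53 and the service on port 8080 are reported, while the resolver bound to the internal address 10.10.10.1 is not.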

Why Not WireGuard?

WireGuard is excellent and we may add it as an option in the future. But IKEv2/IPsec has one major advantage for a home VPN: native OS support. Every phone, tablet, laptop, and desktop can connect without installing a third-party app. That matters when you want your family members to use the VPN without troubleshooting app installs on every device.

StrongSwan is also battle-tested, widely audited, and handles roaming (switching between WiFi and cellular) gracefully with IKEv2's MOBIKE extension.

Take Back Your Privacy

A VPN you run yourself is the only VPN you can trust completely. No logging policies to read, no jurisdiction shopping, no hoping that “no-log” actually means no logs. Your server, your rules.

OpenFactory makes it as easy as picking a scenario and flashing a USB stick. The hard part — StrongSwan config, certificate management, firewall rules, DNS setup — is already done.