Running your own OpenVPN service, and why you would want to...
It is dangerous! See Dangers of Open WiFi.
There is a solution. Shucks, there are two solutions!
Wondering how a VPN keeps your data private? See: How Does a VPN Work?
If you're not clear on Certificate Authorities, Keys, and Certificates, read this.
Your server will not have a list of authorized users, yet only authorized users can use your server! How is this possible? It is sort of like the State Department, your passport, and the INS.
OpenVPN uses a lot of keys and certificates.
Before you can run your VPN, you're going to need to create keys and certificates.
For install instructions, see Basic Raspberry Pi Setup - Installing Raspbian
You don't have to use a Raspberry Pi and Raspbian. If you happen to have a Linux server at home, any Debian-based distribution will be similar. Other distributions will have differences in the commands to install packages and/or file locations, but the concepts will be the same.
Of course, if you're setting up OpenVPN on a consumer-grade router which bundles it, your router already has its OS.
If you're using a Pi, the next step is to set up an OpenVPN server on your Pi. You can use PiVPN but that means you're trusting the folks at pivpn.io. I don't know them. They're probably wonderful people who never make a mistake. OpenVPN is pretty thoroughly vetted, but PiVPN somewhat less so. I'm going to set up OpenVPN on my own.
You've got the server configured and you have key files for the clients. You still need configuration files for the clients. These files must line up with the server configuration. For example, if you told the server to use TCP instead of UDP, you have to tell the client the same. Likewise for which encryption algorithm to use, etc.
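A mismatch like the one described above can be caught before a client ever tries to connect. This is an added example, not from the original page: it compares a server config with a client .ovpn file on transport, port, device type, cipher and digest. The sample configs, the hostname vpn.example.net and the helper names are constructed for illustration.

```python
# Constructed samples: the client says "proto udp" while the server listens on TCP.
SERVER_CONF = """\
port 443
proto tcp
dev tun
cipher AES-256-GCM
auth SHA256
"""
CLIENT_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 443
cipher AES-256-GCM
auth SHA256
"""

def parse(text):
    """Map each directive to its arguments, skipping '#' and ';' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            key, *args = line.split()
            conf.setdefault(key, args)  # first occurrence wins
    return conf

def first(conf, key, default=None):
    args = conf.get(key)
    return args[0] if args else default

def endpoint(conf):
    """Effective (proto, port): 'remote host [port] [proto]' overrides proto/port."""
    remote = conf.get("remote", [])
    port = remote[1] if len(remote) > 1 else first(conf, "port", "1194")
    proto = remote[2] if len(remote) > 2 else first(conf, "proto", "udp")
    return proto[:3], port  # tcp-server, tcp-client, udp4 ... -> tcp / udp

def mismatches(server_text, client_text):
    """Return [(setting, server_value, client_value)] for settings that differ."""
    srv, cli = parse(server_text), parse(client_text)
    pairs = dict(zip(("proto", "port"), zip(endpoint(srv), endpoint(cli))))
    for key in ("dev", "cipher", "auth"):
        n = 3 if key == "dev" else None  # tun0 / tun1 -> tun
        pairs[key] = (first(srv, key, "")[:n], first(cli, key, "")[:n])
    return [(k, s, c) for k, (s, c) in pairs.items() if s != c]

for setting, s, c in mismatches(SERVER_CONF, CLIENT_OVPN):
    print(f"MISMATCH {setting}: server={s} client={c}")
```

An empty result means the two files agree on every setting checked; it does not validate keys, certificates or anything else in the files.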
Once you've done that, download and install your OpenVPN client.
You can't connect to a VPN on your Pi if your firewall blocks access. Your Pi came with a built-in firewall. We need to open the necessary ports on your Pi.
You probably have a telco-provided router. If you're with AT&T, it is called a "Residential Gateway." If you get your Internet from a cable company, it is called a "Cable Modem." Regardless of what it is called, it is a router (among other things). You'll need to configure it so that when a computer outside your LAN tries to get into your LAN, the router forwards traffic to your Pi. The way you do this is probably to point your browser to your router's IP address. You may have to call your ISP and ask them how. I can tell you that on a 2Wire residential gateway, you do this by browsing to http://192.168.1.254 and looking under 'Firewall'.
However you do it, configure your telco router to forward incoming traffic on port 443 to port 443 on your Pi.
Sooner or later, someone is going to lose a laptop or a cell phone and you'll need to revoke his/her certificate so that the thief can't use your VPN. When you put a .ovpn file on a client, be certain that client has a good password (e.g. a good screen-lock PIN on your cell phone or a strong Windows password on your Windows PC, with a short timeout on the lock-when-idle).
I'd like to have a UDP instance too. As I've mentioned, in theory, running a VPN over UDP should work better than running it over TCP. When you have TCP layered over TCP, if you run into network latency, you can have both layers retransmitting, and the upper layer can exacerbate the latency of the lower layer with the extra traffic.
You may decide that you'd like your cell phone or computer to automatically connect to your VPN. Conceptually, this is easy -- if I'm connected to WiFi and I'm not on my home network, start my VPN. I had this set up for my phone and my MacBook but I never really got it as smooth as I wanted. If you're interested in pursuing this:
There's another use-case for VPN, besides tunneling on an unsafe WiFi. When you're out of town, whether you're in a hotel or visiting Grandma, you might like to fetch a file from your home LAN. Wouldn't it be nice to connect to your home LAN?
In our walk-through above, we set up your VPN server so that everyone on your VPN has access to your home LAN. But maybe you don't trust your kid to keep his phone safe. Remember: If he loses that cell phone, he loses one of the keys to your VPN and if someone nefarious finds the key, he can connect to your VPN.