Welcome to this turorial on how to install VPN Server and client software on a Raspberry Pi.
First follow step 1-3 on my tutorial LAMP with Raspberry Pi.
Login in as root so you don't have to use sudo.
Free, unencrypted wireless is everywhere, but you shouldn't be checking your bank account on it unless you don’t mind somebody else snooping. The solution? A virtual private network, or VPN.
A VPN extends your own private network into public places, so even if you’re using a public Wi-Fi connection, your Internet browsing stays encrypted and secure.
There are plenty of ways to set up a VPN, both with free and paid services, but each solution has its own pros and cons, determined by the way the VPN provider operates and charges and the kinds of VPN options it provides.
Either you config a static address on your Pi by editing
with (for example)(change text below with your actual values):
iface eth0 inet static
Or setup your router to always assign the same IP-address to your Pi.
You'll need to forward port 1194 (UDP traffic) to your Raspberry Pi’s internal IP address, but the way you do this will vary depending on your router, so check with your router manufacturer’s information. If you want to use another port or TCP, that’s fine, but just be sure to change 1194 in the tutorial to the correct number for you, and anywhere it says "UDP" to "TCP."
We need the open source software. Type:
sudo apt-get install openvpn
You don’t want anyone who finds your VPN server address to be able to connect. So next, we’re going to make a key for the server address. It’s just like keeping the door to your house locked.
OpenVPN comes with Easy_RSA, a light and easy package for using the RSA encryption method. Developed in 1977, RSA was one of the first usable cryptosystems that is still used today. The encryption key is public, while the decryption key is secret.
With Easy_RSA, you run an algorithm that comes with the software to generate a new unique key.
cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Now, find and change EASY_RSA variable to:
Type Control+X to save your changes and exit the nano editor.
It’s time to build the CA Certificate and Root CA certificate.
In cryptography, a certificate authority (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key.
This will remove any previous keys, if there are any. If you have keys you don’t want to remove in this folder (like you’re doing this tutorial a second time), skip this command.
Now you can name the server (change below to a name of your choice).
Press enter or whatever you want, but pay attention to these three fields:
Common Name MUST be the server name you picked. It should default to this.
A challenge password? MUST be left blank.
Sign the certificate? [y/n] Obviously, you must type “y.”
1 out of 1 certificate requests certified, commit? [y/n] Obviously, type “y.”
That’s the server side setup.
Now it’s time to build keys for each user, or "client". It’s possible to be lazy and create just one client key for all of them, but in that case, only one device would be able to access the VPN at a time.
I found it simplest to make the usernames Client1, Client2, Client3… or the names of your employees.
And after that, more prompts!
Enter PEM pass phrase Make it a password you will remember! It asks you to input this twice, so there’s no danger of ruining it.
A challenge password? MUST be left blank.
Sign the certificate? [y/n] Signing certifies it for 10 more years.
openssl rsa -in Client1.key -des3 -out Client1.3des.key
Use the same passphrase as before. And then two more times, as shown.
Now that we’ve created a server certificate and (at least one) client certificate, type the following:
Now let’s generate the Diffie-Hellman key exchange. This is the central code that makes your VPN server tick, an exchange that lets two entities with no prior knowledge of one another share secret keys over a public server.
This could take a while, longer if you’re on 2048-bit encryption. There’s no way really to predict how long it will take because it is using random numbers and looking for some specific relationships. In fact, while I was making this tutorial, it only took 5 minutes with 1024-bit encryption.
Generate the static HMAC key with the following line:
openvpn --genkey --secret keys/ta.key
We have to actually create a .conf (configuration) file in the nano editor.
Fill it in with this:
local 192.168.0.200 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
#ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
#push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
#push "route 10.8.0.0 255.255.255.0"
# your local subnet
#push "route 192.168.0.200 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 126.96.36.199
push "dhcp-option DNS 192.168.0.1" # This should already match your router address and not need to be changed.
push "dhcp-option DNS 188.8.131.52" # Googles DNS
# Override the Client default gateway by using 0.0.0.0/1 and
# 184.108.40.206/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
status /var/log/openvpn-status.log 20
I commented in all caps where you absolutely need to change numbers and titles to your own IP address/names. Hit Control+X to save your changes.
Let’s edit another configuration file.
Near the top it says, “Uncomment the next line to enable packet forwarding for IPv4.”
To uncomment the line, remove the # immediately in front of it.
Hit Control+X to save your changes. Apply these changes by typing the following command:
We just made a functioning server that can access the Internet. But we can’t use it yet because Raspbian has a built-in firewall that will block incoming connections.
Additionally, Raspbian’s firewall configuration resets by default when you reboot the Pi. We want to make sure it remembers the OpenVPN connection is always permitted, so what we’re going to do is create a simple script which runs on boot:
This is currently a blank shell executable file. Fill it with this:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.200
Don’t forget to change the IP address 192.168.0.200 to your Pi’s IP address!
Let’s break this down: 10.8.0.0 is the default address for Raspberry Pi for clients that are connected to the VPN. "eth0" stands for ethernet port. Switch this to "wlan0" if you’re on a wireless connection, which is not recommended. Hit Control+X to save your changes.
I had problem with my iptables because of old firmware on the RPi. Run to update:
chmod 700 /etc/firewall-openvpn-rules.sh
chown root /etc/firewall-openvpn-rules.sh
We’ve created the script that punches an OpenVPN-shaped hole in the firewall. Now we just need to inject it into the interfaces setup code so it runs on boot.
Find the line that goes: “iface eth0 inet dhcp”. We want to add a line below it and at an indent. So this is what the two lines, existing and new, will look like when you’re done:
iface eth0 inet dhcp
Hit Control+X to save your changes (as you should be doing whenever you use nano).
Finally reboot your Pi.
Congratulations! That's the server!
The script will access our default settings to generate files for each client. The first thing we need to do, then, is create a blank text file in which those default settings can be read.
Fill in the blank text file with the following:
remote <YOUR_PUBLIC_IP_ADDRESS_HERE> 1194
Now, if you don’t have a static public IP address, you need to use a dynamic domain name system (DDNS) service to give yourself a domain name to put in place of the IP address. I recommend using the free service DTDNS, which lets you pick a name of your choice. Then on your Pi, you need to run DDclient to update your DDNS registry automatically. I wrote a full tutorial for how to do this here.
As always, press Control+X to save and exit the nano editor.
Next, we need to create the actual script file.
Here’s the script. Copy and paste it into your blank shell file:
# Default Variable Declarations
#Ask for a Client name
echo "Please enter an existing Client Name:"
#1st Verify that client’s Public Key Exists
if [ ! -f $NAME$CRT ]; then
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
echo "Client’s cert found: $NAME$CR"
#Then, verify that there is a private key for that client
if [ ! -f $NAME$KEY ]; then
echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
echo "Client’s Private Key found: $NAME$KEY"
#Confirm the CA public key exists
if [ ! -f $CA ]; then
echo "[ERROR]: CA Public Key not found: $CA"
echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists
if [ ! -f $TA ]; then
echo "[ERROR]: tls-auth Key not found: $TA"
echo "tls-auth Private Key found: $TA"
#Ready to make a new .opvn file - Start by populating with the default file
cat $DEFAULT > $NAME$FILEEXT
#Now, append the CA Public Cert
echo "<ca>" >> $NAME$FILEEXT
cat $CA >> $NAME$FILEEXT
echo "</ca>" >> $NAME$FILEEXT
#Next append the client Public Cert
echo "<cert>" >> $NAME$FILEEXT
cat $NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $NAME$FILEEXT
echo "</cert>" >> $NAME$FILEEXT
#Then, append the client Private Key
echo "<key>" >> $NAME$FILEEXT
cat $NAME$KEY >> $NAME$FILEEXT
echo "</key>" >> $NAME$FILEEXT
#Finally, append the TA Private Key
echo "<tls-auth>" >> $NAME$FILEEXT
cat $TA >> $NAME$FILEEXT
echo "</tls-auth>" >> $NAME$FILEEXT
echo "Done! $NAME$FILEEXT Successfully Created."
#Script written by Eric Jodoin
You still need to give this script permission to run.
And then give it root privileges.
chmod 700 MakeOVPN.sh
Finally, execute the script with:
As the script runs, it'll ask you to input the names of the existing clients for whom you generated CA keys earlier. Example: “Client1”. Be sure to name only clients that already exist.
If all goes well, you should see this line appear:
Done! Client1.ovpn Successfully Created.
Repeat this step for each existing client.
The last thing to do is connect to your Raspberry Pi so you can download files from it. You need to use a SCP (Secure Copy Protocol) client in order to do this. For Windows, I recommend WinSCP. For Mac,use Fugu.
Note: if you cannot get permission to connect to your SCP client, you’ll need to grant yourself read/write access to the folder. Back on the Raspberry Pi, write:
chmod 777 -R /etc/openvpn
Be sure to undo this when you’re done copying files, so others can’t do it! Put the permission back to 600 when you’re done, so only the Pi user can read/write files:
chmod 600 -R /etc/openvpn
Put it into your client and you’re done.
Okay, the hard part is over. From here, we need to input the scripts we generated earlier into a Graphical User Interface. For your PC, Android, or iOS mobile device, you can download OpenVPN Connect. There isn't one for your Mac computer, but the free Tunnelblick is a good choice.
Download the version of Tunnelblick that works for your version of OS X. I'm using Mavericks, so I downloaded the beta. The fact that it popped up in a bunch of languages looked funny to me, but that's the legitimate download.
Then, it'll ask if you already have a file you want to use. I did—my Client5.ovpn file.
It will then ask if your configuration file is in .ovpn format or .tblk. If you select .ovpn, it'll walk you through changing the file type to Tunnelblick's native type. I did this by transferring Client5.ovpn into a folder Tunnelblick provided, and then changing the name of the folder to Client5.tblk.
Now you're all set to connect. Click the Tunnelblick icon on the top right of your screen and select Client5.
It will ask you for a pass phrase. This is the same pass phrase we generated last tutorial, back when we were generating keys for each client.
If you get the password right, it'll look like this!
Try out your new connection at coffee shop, the local library, anywhere there's unencrypted Wi-Fi. You may still be using the public connection, but over VPN, your data is anything but out in the open.