My Journey Into Creating a VPN with Raspberry Pi, Part 2: SSH & Static IPs

Welcome to Part 2 of 1000,000,000 in my journey into making a VPN with my Raspberry Pi. Didn’t read Part 1? Forgot about Part 1? Here’s Part 1.

Last post, I explained why I would even try and attempt this and also listed the basic hardware you would need to begin. This week, I will try to explain how to enable Secure Shell and also set a static IP address and why you need to do that.

Again, disclaimer: I have almost no understanding of what I am doing. My knowledge comes from a mixture of Wikipedia, old, outdated tutorials and self conscious decisions based on rumors via message boards. All very good sources. I am very confident.

A lot of the time I feel like I’m aimlessly cd-ing into folders on my computer that don’t actually exist, using sudo commands and replacing text in my root directory files (probably breaking something important).

I might finish this and be like, “So…what was I doing again?”

This is a computer, right?

Getting Your Pi’s IP Address:

What’s an IP address? It’s the identifier, like a name-tag or SSN for your computer or other devices you use to make requests on the Internet. IP stands for “Internet Protocol”, IP uses a set of rules to send and receive messages at the Internet address level. It has a location, the general area of where you’re making those requests from.

*Side note, one of my favorite stories ever is about how the arbitrary and rather large area many IP addresses are connected to can ruin someone’s life.*

What’s SSH? It’s a secure shell! It’s a cryptographic network protocol that allows you to transfer info between your REAL, more EXPENSIVE computer and your Pi. Via Wikipedia, SSH provides: “a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server.”

You need to set this up because a lot of projects, like creating a VPN, need you to be able to access the Pi’s command line from your normal computer without actually physically connecting them or getting a keyboard/monitor for your Pi.

SSH comes with most Raspberry Pi’s via the operating system called Raspbian. To use it you need to find out what your Pi’s IP address is so you can access it from your other computer. To find that info out, boot your Pi up and in the command line type:

sudo ifconfig

These three paragraphs will appear (photo from Adafruit)

If your Pi is connected to the internet via wifi, your Pi’s IP address will be in the “wlan0” paragraph the last one in this image. On the second line you will see inet addr: 192.168.1.10 .

If your Pi is connected via Ethernet, like mine is, it will be in the first paragraph in the “ethO” section. Just like with wifi, it the address will be after inet addr:

The address I am using as an example may or may not be the exact address of your Pi. That’s okay! Whatever the number is after inet addr is, that’s the IP for your Pi.

Now that you have the IP address, if you’re using a Mac like I am, it comes with built-in SSH. Launch your terminal and type:

ssh pi@192.168.1.10

the numbers after the “@” sign will be the IP of your Pi, which again, may or may not be the same as the example one I’m using.

Once you do this, you will be asked for a password. The default password for a raspberry pi is ALWAYS “raspberry”. Pretty good password, right? Maybe you already changed the password (that’s pretty cool, you must be a pro. Why are you reading this blog?). If you did, that’s the password you should enter, duh.

Back to the Pi’s command line, type this:

sudo apt-get install xrdp

Xrdp is a daemon. I had no idea what that was, but thanks to Wikipedia, I now know that it’s: “a computer program that runs as a background process, rather than being under the direct control of an interactive user.” In our case, it’s a computer program that’s going to run in the background that will support Microsoft Remote Desktop Client. Thanks, Xrdp! Once Xrdp is installed on your Pi, you’ll be able to access your Pi via your Mac or PC.

xrdp just looks scary, i swear he’s super nice and helpful

You should have a program on your computer called Remote Desktop Client. It’s hidden for some reason and doesn’t exist in the Applications folder so you have to search your computer for it. I did this but it turns out I actually didn’t have this app which I took as a bad omen but don’t fear, you can download it in the App store. Thanks, Apple!

The app will ask for an IP address. Input the IP address of your Pi from earlier. Once you’ve done that, an Xrdp window will pop up and ask for your username and password.

  • username: pi 
    password: raspberry

If this worked, you’ll know because you will be greeted by the beautiful Raspberry Pi desktop in a window on your computer screen.

standard raspberry pi desktop

Step one is complete! It was a long step, but it was a necessary step. Yay!

Making Your Pi’s IP Static:

Ok, so remember the IP address of your Pi you found really easily in step one? That IP address might be the IP address now, in this exact moment, this one time but it may not be that exact IP forever. Your router does not necessarily have to keep assigning the same IP address to your Pi every time you boot it up. Since your Pi is going to become a VPN, which is a server that other devices need to connect to, it needs to have the same IP address every time. If it doesn’t, the devices attempting to connect won’t know where to find the VPN. Get ready to type some stuff in your terminal!

ffhsdf00 pwd cd mkdir touch git clone -r sdiojfsdhjfdjkf

In the terminal of your Pi, which you can now access via your Desktop, type:

sudo ifconfig

These three paragraphs look familiar. Weird! No, not weird. You did this earlier when you found your Pi’s IP address. It’s like you totally know your way around the terminal now. Cool, now get a pen and some paper or copy the following addresses into a note on your computer. These addresses will all be listed in the “eth0” paragraph (the first paragraph):

  • inet addr (Pi’s current IP Address): 192.168.1.10
  • Bcast (The Broadcast IP Range): 192.168.1.255
  • Mask (Subnet Mask Address): 255.255.255.0

Once you’ve copied those numbers down you need some more info so type into the terminal:

netstat -nr

You’ll need the Gateway & Destination addresses:

  • Gateway: 192.168.1.254
  • Destination: 192.168.1.0

Next go to your router’s configuration.

…Umm okay, sure? How do I do that? I had no idea so I googled it and found this. If you’re too lazy to click the link, then just type this into the terminal:

ipconfig getpacket en0

It will list out some good info, including:

server_identifier, this is your DHCP server’s IP address. All of the addresses listed are addresses that are in use, this means that you cannot use them because they are reserved already. They got there first, it’s only fair.

The tutorial I was originally following was like: “okay great, once you’ve seen these addresses pick one out for your Pi and assign it. Next step…”

…As if I am supposed to all of a sudden know how to pick an IP address and assign it to my Pi? I’m looking at a tutorial for a reason! I thought that was the end of it for me…until I remembered a little thing called Google.

I have a Netgear router and hopefully you do too so you can just follow my tutorial. If not, google “how do I reserve an IP address on my _____ router?”

If you have a Netgear router, click this link: this link. It lists out all the steps better than I ever could so follow those steps. Once you’ve done all that, reboot your Pi by typing into the terminal:

sudo reboot

Then in the terminal type:

ifconfig

Once you do this, your new static settings should appear. Yay!


Forwarding Ports to the Pi:

The next step was the step I had the most difficulty with which was forwarding ports to the Pi. I had no idea, at this point, what a port was. The tutorial I was following explained it well:

“Ports are virtual pathways where information travels on the Internet. You sometimes need to forward a port in order to make a computer, like the Raspberry Pi, accessible to the Internet even if it’s behind a router. It’s kind of like dialing an extension on a phone network.”

There are over 65,000 ports, many are defaults for specific things like FTP (file transfer protocol). So like…which one do I know to use? I had no idea. I did a lot of searching. I got really frustrated. I had no idea what a port was at this point and my brain was already fried.

I ended up figuring out I needed to login to my internet service provider account. I use Optimum & again have a NETGEAR router. Once I was logged in, I went to my Router Settings. From there, these are the steps I took, I forget why exactly I took them but it’s what I did and I think it worked so try it out yourself:

Click on Internet drop down and then click “Router”
Advanced Settings
Port Management 
Port Forwarding → “Add Port Forwarding Rule”

Service Name: openvpn
Protocol: UDP
Port: 1194
Check “Same as Incoming Port”

(I wasn’t sure about this part, whether or not I should make it the same or add a different one. I couldn’t find any info online so I asked my friend Jason who is good at this stuff. He said: “you want to match the port in & out to make it secure, if you allow incoming ports to be routed to 1194 no matter their destination, you open your network to vulnerabilities”. Ooooh okay, thanks Jason!)

From dropdown menu, Select a Host: raspberrypi
Locate Device By: IP Address

Port 1194 is the default for setting up a VPN server, openvpn is a service name I somehow found and was told to use. I can’t really explain anything beyond that.

More from Jason: “Essentially port forwarding allows you to access the internet from your intranet (private network based on TCP/IP protocols, belonging to a private organization…in this case, the organization of YOU) but also your intranet from the internet.”

Okay, so now your Pi should be all set up and ready to turn into your own personal VPN. Next blog, we will begin the actual VPN set up! :)