Setting up OpenVPN on a Raspberry Pi

You just bought your Raspberry Pi and don’t know what to do with it.


Let’s set up a VPN so you can access your home network of questionable and bootleg media from anywhere.

This assumes a few things.

You have a Pi with an operating system installed on it and you know how to use its command line. If you don’t, here.

You have a static IP address or know how to use Dynamic DNS. Free Dynamic host names here.

You know how to do port forwarding on your Router/Firewall. If not, here.

Basically, you’re going to be pointing your VPN client at an IP address or hostname that exists on your Firewall, that is going to Port Forward the connection down to your Pi.

Installing PiVPN is a quick way to do it, but you want to learn stuff so continue on.

Jump on your command line.

You may want to use ufw if you don’t already have a firewall running on the Pi. UFW is simple.

$ sudo ufw allow OpenSSH; sudo ufw enable

A few more commands to get started.

$ sudo apt-get update; sudo apt-get install openvpn easy-rsa; make-cadir ~/openvpn-ca

Confirm when prompted.

$ cd ~/openvpn-ca

We can peek into this new folder.

~/openvpn-ca$ ls
build-ca  build-inter  build-key-pass    build-key-server  build-req-pass  inherit-inter  openssl-0.9.6.cnf  openssl-1.0.0.cnf  revoke-full  vars
build-dh  build-key    build-key-pkcs12  build-req         clean-all       list-crl       openssl-0.9.8.cnf  pkitool            sign-req     whichopensslcnf

We’re going to change the vars file. Fire up your editor of choice.

Replace all the text with the text from here.

Crack off a few more commands.

~/openvpn-ca$ source vars; ./clean-all; ./build-ca; ./build-key-server server

Hit enter a few times for the default values, and no password required. Enter yes to any questions.

Build a Diffie-Hellman key, which will take its sweet time.

~/openvpn-ca$ ./build-dh

Get some built-in extra security here.

~/openvpn-ca$ sudo openvpn --genkey --secret keys/ta.key

Building some keys for your client.

~/openvpn-ca$ source vars; ./build-key client1; cd ~/openvpn-ca/keys

Hit enter a few times, no password needed.

Let’s shunt some files around.

~/openvpn-ca/keys$ sudo cp ~/openvpn-ca/keys/ca.crt ~/openvpn-ca/keys/ca.key ~/openvpn-ca/keys/server.crt ~/openvpn-ca/keys/server.key ~/openvpn-ca/keys/ta.key ~/openvpn-ca/keys/dh2048.pem /etc/openvpn

Create a new file.

~/openvpn-ca/keys$ sudo touch /etc/openvpn/server.conf

Pop it open in your editor and fill it with the text from here.

The important things to note from this file are the port, in this case 443, and the proto, in this case tcp (the same 443/tcp that gets allowed through ufw further down). Those are the port and protocol your client will need to use and the traffic your Router/Firewall will need to port forward.

Now edit the /etc/sysctl.conf file to enable routing. Uncomment the line below.

net.ipv4.ip_forward=1

Activate the changes.

~/openvpn-ca/keys$ sudo sysctl -p
net.ipv4.ip_forward = 1

There’s another file we want to edit, /etc/ufw/before.rules.

Replace all the text with the text from here. It enables NATting, and declares the interface in use. If you type ifconfig in your command line and it looks similar to the output below, you should be fine.

eth0      Link encap:Ethernet  HWaddr 6e:a5:6c:c3:a1:51
inet addr:  Bcast:  Mask:
RX packets:6966 errors:0 dropped:0 overruns:0 frame:0
TX packets:5697 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13795028 (13.7 MB)  TX bytes:956055 (956.0 KB)

Another ufw file to edit, /etc/default/ufw.

Replace the text with the text from here.

Now we can enable ufw and start the OpenVPN server.

~/openvpn-ca/keys$ sudo ufw allow 443/tcp; sudo ufw disable; sudo ufw enable; sudo systemctl start openvpn@server

Let’s check on that server.

~/openvpn-ca/keys$ sudo systemctl status openvpn@server

If it looks good, make it start at boot.

~/openvpn-ca/keys$ sudo systemctl enable openvpn@server

Let’s set up some client stuff.

~/openvpn-ca/keys$ mkdir -p ~/client-configs/files; chmod 700 ~/client-configs/files

Make some changes to those files.

~/openvpn-ca/keys$ vi ~/client-configs/base.conf

Overwrite the file with the text from here.

Change the hostname or IP address of your Firewall/Router, port, and proto to match what you’ve decided to use.
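The port and proto in server.conf, the client's remote/proto lines, and the ufw rule all have to agree, and a client that still carries the 1194/udp defaults will just sit there connecting. This added script (mine, not part of the original post) parses both files the way OpenVPN reads them, with # and ; comments stripped, and reports mismatches; the two configs embedded below are constructed samples, and vpn.example.invalid is a placeholder hostname.

```python
import re

# Constructed samples (not the page's files): a trimmed server.conf and a
# client base.conf whose port and proto were left at the defaults.
SERVER_CONF = """\
port 443
proto tcp
key server.key  # This file should be kept secret
tls-auth ta.key 0
;push "redirect-gateway def1 bypass-dhcp"
"""
CLIENT_CONF = """\
client
proto udp
remote vpn.example.invalid 1194
key-direction 1
"""

def parse_conf(text):
    """Map each OpenVPN option to its argument list, dropping # and ; comments."""
    opts = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)[#;].*$", "", raw).strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def check_consistency(server_text, client_text):
    """Return human-readable mismatches between server.conf and a client conf."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    s_port, s_proto = s.get("port", ["1194"])[0], s.get("proto", ["udp"])[0]
    remote = c.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else "1194"
    c_proto = c.get("proto", ["udp"])[0]
    problems = []
    if c_port != s_port:
        problems.append(f"client remote port {c_port} != server port {s_port}")
    # proto may carry a 4/6 suffix (tcp4, udp6); compare the transport only.
    if c_proto.rstrip("46") != s_proto.rstrip("46"):
        problems.append(f"client proto {c_proto} != server proto {s_proto}")
    # tls-auth is directional: server side 0 requires key-direction 1 on the client.
    if s.get("tls-auth", [None, None])[1:2] == ["0"] and c.get("key-direction", [None])[0] != "1":
        problems.append("server tls-auth direction 0 needs 'key-direction 1' in the client")
    return problems

def ufw_rule(server_text):
    """Derive the ufw allow argument the page uses, e.g. '443/tcp'."""
    s = parse_conf(server_text)
    return f"{s.get('port', ['1194'])[0]}/{s.get('proto', ['udp'])[0].rstrip('46')}"
```

On the Pi, feed it the real files with open('/etc/openvpn/server.conf').read() and the base.conf under ~/client-configs; an empty list from check_consistency means the client, server and firewall rule line up.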

If you need any further guidance in setting up your client configs, here.

That should be it.