Setting up OpenVPN on a Raspberry Pi
You just bought your Raspberry Pi and don’t know what to do with it.
Let’s set up a VPN so you can access your home network of questionable and bootleg media from anywhere.
This assumes a few things.
You have a Pi with an operating system installed on it and you know how to use its command line. If you don’t, here.
You have a static IP address or know how to use Dynamic DNS. Free Dynamic host names here.
You know how to do port forwarding on your Router/Firewall. If not, here.
Basically, you’re going to be pointing your VPN client at an IP address or hostname that exists on your Firewall, that is going to Port Forward the connection down to your Pi.
Installing PiVPN is a quick way to do it, but you want to learn stuff so continue on.
Jump on your command line.
You may want to use ufw if you don’t already have a firewall running on the Pi. UFW is simple.
$ sudo ufw allow OpenSSH; sudo ufw enable
A few more commands to get started.
$ sudo apt-get update; sudo apt-get install openvpn easy-rsa; make-cadir ~/openvpn-ca
Confirm when prompted.
$ cd ~/openvpn-ca
We can peek into this new folder.
build-ca build-inter build-key-pass build-key-server build-req-pass inherit-inter openssl-0.9.6.cnf openssl-1.0.0.cnf revoke-full vars
build-dh build-key build-key-pkcs12 build-req clean-all list-crl openssl-0.9.8.cnf pkitool sign-req whichopensslcnf
We’re going to change the vars file. Fire up your editor of choice.
Replace all the text with the text from here.
Crack off a few more commands.
~/openvpn-ca$ source vars; ./clean-all; ./build-ca; ./build-key-server server
Hit enter a few times for the default values, and no password required. Enter yes to any questions.
Build the Diffie-Hellman parameters with the build-dh script from the listing above, which will take its sweet time.
Generate a TLS-auth key (ta.key) for some built-in extra security; background here.
~/openvpn-ca$ sudo openvpn --genkey --secret keys/ta.key
Building some keys for your client.
~/openvpn-ca$ source vars; ./build-key client1; cd ~/openvpn-ca/keys
Hit enter a few times, no password needed.
Let’s shunt some files around. The server only needs ca.crt, server.crt, server.key, ta.key and dh2048.pem; ca.key is the CA’s signing key and doesn’t have to leave the keys directory.
~/openvpn-ca/keys$ sudo cp ~/openvpn-ca/keys/ca.crt ~/openvpn-ca/keys/ca.key ~/openvpn-ca/keys/server.crt ~/openvpn-ca/keys/server.key ~/openvpn-ca/keys/ta.key ~/openvpn-ca/keys/dh2048.pem /etc/openvpn
Create a new file.
~/openvpn-ca/keys$ sudo touch /etc/openvpn/server.conf
Pop it open in your editor and fill it with the text from here.
The important things to note from this file are the port, in this case 443, and the proto, in this case tcp. That is the port and protocol your client will need to use and the traffic your Router/Firewall will need to port forward.
Now edit the /etc/sysctl.conf file to enable routing. Uncomment the below line.
net.ipv4.ip_forward = 1
Activate the changes.
~/openvpn-ca/keys$ sudo sysctl -p
There’s another file we want to edit, /etc/ufw/before.rules.
Replace all the text with the text from here. It enables NAT for the VPN traffic and declares the interface in use (eth0 in the output below). If you type ifconfig in your command line and it looks similar to the output below, you should be fine.
eth0 Link encap:Ethernet HWaddr 6e:a5:6c:c3:a1:51
inet addr:220.127.116.11 Bcast:18.104.22.168 Mask:255.255.224.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6966 errors:0 dropped:0 overruns:0 frame:0
TX packets:5697 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:13795028 (13.7 MB) TX bytes:956055 (956.0 KB)
Another ufw file to edit, /etc/default/ufw.
Replace the text with the text from here.
Now we can enable ufw and start the OpenVPN server.
~/openvpn-ca/keys$ sudo ufw allow 443/tcp; sudo ufw disable; sudo ufw enable; sudo systemctl start openvpn@server
Let’s check on that server.
~/openvpn-ca/keys$ sudo systemctl status openvpn@server
If it looks good, enable it so it starts at boot.
~/openvpn-ca/keys$ sudo systemctl enable openvpn@server
Let’s set up some client stuff.
~/openvpn-ca/keys$ mkdir -p ~/client-configs/files; chmod 700 ~/client-configs/files
Now create the base client config.
~/openvpn-ca/keys$ vi ~/client-configs/base.conf
Overwrite the file with the text from here.
Change the hostname or IP address of your Firewall/Router, port, and proto to match what you’ve decided to use.
If you need any further guidance in setting up your client configs, here.
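Each client needs base.conf plus its own cert and key, ca.crt and ta.key. The script below is an added example, not from the original post, that bundles them into one self-contained .ovpn under ~/client-configs/files; it assumes the ~/openvpn-ca/keys layout used above and that the server side uses tls-auth direction 0.

```shell
#!/bin/sh
# Added example: bundle base.conf and a client's keys into one .ovpn profile.
# Assumes the ~/openvpn-ca/keys and ~/client-configs layout from the post.
set -eu

# make_ovpn CLIENT KEY_DIR BASE_CONF OUT_DIR
# Writes OUT_DIR/CLIENT.ovpn and prints its path; fails if any input is missing.
make_ovpn() {
    client=$1; key_dir=$2; base_conf=$3; out_dir=$4
    out="$out_dir/$client.ovpn"
    # Refuse to continue rather than emit a profile with an empty block.
    for f in "$base_conf" "$key_dir/ca.crt" "$key_dir/$client.crt" \
             "$key_dir/$client.key" "$key_dir/ta.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    mkdir -p "$out_dir"
    (
        umask 077   # the private key is inside, so keep the file owner-only
        {
            # Drop file-based directives so the inline blocks are authoritative.
            grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base_conf" || true
            printf '<ca>\n';       cat "$key_dir/ca.crt";       printf '</ca>\n'
            printf '<cert>\n';     cat "$key_dir/$client.crt";  printf '</cert>\n'
            printf '<key>\n';      cat "$key_dir/$client.key";  printf '</key>\n'
            printf '<tls-auth>\n'; cat "$key_dir/ta.key";       printf '</tls-auth>\n'
            printf 'key-direction 1\n'   # client side of tls-auth; server uses 0
        } > "$out"
    )
    echo "$out"
}
```

Run it as `make_ovpn client1 ~/openvpn-ca/keys ~/client-configs/base.conf ~/client-configs/files` and copy the resulting client1.ovpn to the client.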
That should be it.