How to use a Raspberry PI to encrypt network traffic when traveling
As a gift I was given a Raspberry Pi a few weeks back. So far I’ve set it up to do everything from being a VPN server while traveling, to a CalDAV and CardDAV server for calendar and contacts, and even, using a PicoBorg and the Twilio API, to automate feeding my cat while I’m away. For my first article I wanted to dive into how to use your Raspberry Pi to encrypt your network traffic while traveling or using public Wi-Fi.
When traveling you will probably find yourself using a lot of public Wi-Fi hotspots. The problem with these hotspots is that anyone on the same network (or whoever runs it) can snoop, rather easily, on any webpage you load or request.
HTTPS will keep your banking details from being blasted out into the open, but even in 2016 not every website is served over HTTPS yet, and the names of the hosts you connect to are visible regardless.
Also, depending on where you are going, you may find certain services (Instagram, Facebook, etc.) blocked behind the country’s firewall.
That’s where a VPN comes in. With a VPN server at home we tunnel all of our traffic, encrypted, back to our home internet connection, so whoever runs the hotspot sees only that we are talking to our home IP, not which websites we browse or what we send. (Your home ISP and the sites themselves still see the traffic as before; this protects you from the hotspot, not from everyone.) Paid VPN services exist, but for about 45 USD you can buy a Raspberry Pi kit and set up your own VPN server.
- Raspberry PI
- Micro SD card (8 GB recommended)
- Cat 5e ethernet cable
If you want a decent setup I recommend this kit; it includes everything you need. I would caution against using the Wi-Fi adapter, however, as it won’t be as reliable as a wired connection for a server that has to stay reachable while you are away.
Setup SSH (and optionally VNC)
Setting up SSH is a good first step since you will want to run your PI headless.
Open a terminal and run
Look for advanced options and then ssh.
From there hit Enable SSH server.
On your computer run (sorry Windows users, you will need to find an SSH client)
ssh <ip_address> -l pi
If you haven’t changed the password, the default is raspberry. Change it now, before anything else: this Pi is about to become reachable from the internet, and a VPN endpoint with the stock credentials is worse than no VPN at all.
Optionally also run
sudo apt-get install tightvncserver
Then using something like VNC Viewer you can remotely connect and work with your PI.
Tip: to use ssh or VNC you need the IP address of your Pi. Run “sudo ifconfig” to find it: with a wired connection it is listed under eth0 (wireless is wlan0), next to “inet addr”.
Now that we have ssh up and running we need to install OpenVPN.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install openvpn
The first two commands bring the packages on your Raspberry Pi up to date. Don’t skip them: a VPN server that sits on the open internet should not be running packages with known, already-patched vulnerabilities.
Now we need to get a super user session, the reason for doing this is the next couple of commands won’t work if we don’t have the right permission.
From there open /etc/openvpn/server.conf using your favorite editor for this guide I will work with nano.
and copy and paste the contents of the gist into it. Remember to update it to use your PI’s ip address.
Below I broke down some of the lines to explain what they do
We are using dh2048.pem rather than dh1024.pem. 1024-bit Diffie-Hellman groups are considered within reach of well-resourced attackers, and 2048 bits is the minimum you should accept today. The cost is that generating the parameters takes noticeably longer on a Pi (see below); don’t drop to 1024 to save time.
push "redirect-gateway def1 bypass-dhcp"
This tells every client that connects to route all of its traffic through the server, not just traffic for the VPN subnet.
Next let’s set which DNS server clients should use. I prefer OpenDNS, and it is the one the OpenVPN sample config suggests. Pushing a resolver keeps domain name lookups inside the tunnel instead of leaking them to the hotspot’s resolver; note that clients have to honor the pushed option (phones and Windows do, while some Linux clients need an up/down script to apply it).
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
You can of course change the addresses to any DNS server you want, such as Google’s (8.8.8.8 and 8.8.4.4).
Now the last change and a very important one.
By default OpenVPN runs as root, which is not ideal. Why? If a vulnerability is found in OpenVPN, an attacker can use the application’s root privileges to do as they please with your device. nobody is an unprivileged user that is commonly used for running services; once the daemon has opened its sockets and read its keys it drops to that user, so a compromise of the process gives the attacker far less. Now save and write out the changes you have made.
Next we need to create a few keys and certificates. The certificates are what authenticate the server to the clients and each client to the server, so knowing the IP address of our device is not enough to connect, and the TLS session they establish is what actually encrypts the traffic.
Copy over the RSA scripts
cp -r /usr/share/easy-rsa/ /etc/openvpn
Then make a directory to hold them
Now lets modify those scripts a bit by opening it up
Look for the following keys and change them to what suits you.
export KEY_CITY="San Francisco"
export KEY_ORG="Speed Force"
export KEY_OU="The Rising Tide"
Now we need to generate the Diffie-Hellman parameters; with 2048 bits this can take a while on a Pi (15 to 45 minutes).
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
So what is this doing? Diffie-Hellman lets the server and a client agree on a shared secret over an untrusted network without ever sending that secret. The parameters generated here (a large prime and a generator) are public and are not a key themselves; they only define the group the exchange runs in, which is why they can be generated once and reused for every connection.
Now lets switch back to the easy-rsa directory and build our Certificate Authority
Now simply press enter while being asked a series of questions; if you need to change something while going through the prompts, just update it inline.
Generate a Certificate and Key for the Server
Press enter through all the prompts. When asked for a challenge password hit enter as well. When asked to sign and commit the cert say Y to both.
Everything should finish with
Write out database with 1 new entries
Data Base Updated
Now lets run the OpenVPN service
service openvpn start
service openvpn status
Everything should be up and running!
Create keys for the client
Now that the server has all the keys and certs it needs, we need to create certs for our devices. Each device should have its own cert: out of the box OpenVPN refuses a second simultaneous connection using the same cert, and a per-device cert lets you revoke just the one belonging to a lost phone without re-issuing everything.
Since I’m making the first cert for my iPhone I will run
openssl rsa -in iphone.key -des3 -out iphone.3des.key
but feel free to change iphone to whatever device you are creating this cert for. Do the same as before: hit enter at each prompt and Y to both questions at the end.
When asked for a passphrase, come up with a decent password and remember it: it protects the private key inside the profile if the phone or the .ovpn file is ever copied. (The -des3 cipher is a legacy choice; openssl also accepts -aes256 here if your client’s profile importer handles AES-encrypted keys.)
Do the following steps for each client you have.
Enable DoS attack protection
Now let’s enable the built-in protection OpenVPN offers through tls-auth. It generates a shared static key, and every control-channel packet must carry a valid HMAC made with it; packets without one are dropped before any TLS processing happens. That blunts port scans, denial-of-service floods and attempts to poke at the TLS stack with unauthenticated input.
openvpn --genkey --secret keys/ta.key
Setup the Raspberry to forward traffic
Now we need the Pi to forward traffic from the VPN clients out to the internet.
Find the comment that says
Uncomment the next line to enable packet forwarding for IPv4.
and remove the # from the line below it, then reload the kernel settings to have the change applied.
Now we need a NAT rule so that packets from the VPN subnet (10.8.0.0/24) leave the Pi with the Pi’s own LAN address as their source; without it the replies would never find their way back into the tunnel.
and change it to
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.XX.X
Change the XX.X to the ip address for your PI
Now update the permissions of the firewall file so we can run it
chmod 700 /etc/firewall-openvpn-rules.sh
chown root /etc/firewall-openvpn-rules.sh
Now we have a file we can run to open the connection we need. Now we just need to update our config so it runs at boot
iface eth0 inet manual
Please note that the new line must be indented (one tab) under the iface stanza,
which should look like
Now lets reboot our PI.
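The forwarding and NAT steps above are easy to get subtly wrong by hand, so here is an added helper (mine, not the author’s gist) that renders the body of firewall-openvpn-rules.sh and checks that sysctl.conf really enables forwarding. The VPN subnet, uplink interface and the Pi’s address are parameters; offering MASQUERADE instead of SNAT is my suggestion for a Pi whose LAN address comes from DHCP and could change, which would silently break a hard-coded --to-source.

```shell
#!/bin/bash
# Added helper, not part of the original guide. Assumptions: the VPN subnet
# (10.8.0.0/24 in the guide) and uplink interface (eth0) are passed as
# arguments; MASQUERADE is offered as an alternative to SNAT for a Pi whose
# LAN address is assigned by DHCP and may change.

# Return 0 when the sysctl.conf body in $1 enables IPv4 forwarding on an
# uncommented line (a leading '#' leaves the kernel default of 0 in place).
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Print the POSTROUTING rule for the VPN subnet.
#   $1 VPN subnet in CIDR form, $2 uplink interface,
#   $3 the Pi's LAN address for SNAT, or empty to use MASQUERADE instead.
nat_rule() {
    local subnet=$1 iface=$2 src=$3
    case $subnet in
        */[0-9]|*/[0-9][0-9]) ;;
        *) echo "nat_rule: subnet must be CIDR (e.g. 10.8.0.0/24), got '$subnet'" >&2; return 1 ;;
    esac
    if [ -n "$src" ]; then
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$subnet" "$iface" "$src"
    else
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$iface"
    fi
}

# Emit a complete /etc/firewall-openvpn-rules.sh body; same arguments as nat_rule.
render_rules_script() {
    printf '#!/bin/sh\n'
    nat_rule "$@"
}

# Stand-alone usage: ./forwarding.sh 10.8.0.0/24 eth0 [192.168.1.50]
# (omit the address to get a MASQUERADE rule). Redirect the output into
# /etc/firewall-openvpn-rules.sh and apply the chmod/chown from the guide.
if [ $# -ge 2 ]; then
    render_rules_script "$@"
fi
```

MASQUERADE looks up the outgoing interface’s current address for every packet, so it costs a little more than SNAT but keeps working after the Pi’s DHCP lease changes; if you give the Pi a static LAN address, SNAT as in the guide is fine.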
Install the cert on your device
So to recap so far we’ve done quite a lot. We’ve setup our server, installed the OpenVPN software and created our certs.
Now we need to install our client certs to the device and get it up and running.
Making a new cert for each client will be a lot of work so we can use a script to help us with that.
First lets create a file and copy/paste the contents of the gist into it
Make sure to change that public IP to your own public IP address. This file is prepended to the top of the .ovpn profile we will build later.
If you don’t have a static ip address I suggest running a DDNS service instead to update based on ip address changes.
Now we need to run a script to generate the certs.
Create another file and fill it with the contents of this gist
chmod 700 makeOVPN.sh
This will also make the script runnable, now run
and give it the name of the client you created before (for me in this case its iphone)
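The makeOVPN.sh gist is not reproduced here, so below is an added check (my own script, not the author’s) that inspects the generated profile before it goes anywhere near a phone, and stages a single copy with owner-only permissions for scp rather than opening up the whole keys directory. The profile layout it expects (inline <ca>, <cert>, <key> and <tls-auth> blocks, a remote line and key-direction 1) is a common makeOVPN output and is an assumption; the sample profile is constructed with placeholder PEM bodies, not real keys.

```shell
#!/bin/bash
# Added example, not the guide's makeOVPN.sh. Assumed profile layout: inline
# <ca>/<cert>/<key>/<tls-auth> blocks, a 'remote <host> <port>' line and
# 'key-direction 1'. The sample profile below is constructed; the PEM bodies
# are placeholders, not real key material.

# Return 0 if the profile at $1 has everything a client needs; findings go to stderr.
check_ovpn_profile() {
    local f=$1 missing=0 tag
    for tag in ca cert key tls-auth; do
        if ! grep -q "^<$tag>" "$f" || ! grep -q "^</$tag>" "$f"; then
            echo "missing inline <$tag> block" >&2; missing=1
        fi
    done
    grep -Eq '^remote[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+' "$f" \
        || { echo "no 'remote <host> <port>' line" >&2; missing=1; }
    grep -q '^key-direction 1' "$f" \
        || { echo "no 'key-direction 1' (required on the client with tls-auth)" >&2; missing=1; }
    # The embedded key must be the passphrase-protected one, never plaintext PEM.
    if grep -q '^-----BEGIN PRIVATE KEY-----' "$f" ||
       { grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$f" && ! grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; }; then
        echo "client key is not passphrase-protected" >&2; missing=1
    fi
    return $missing
}

# Copy profile $1 into directory $2 with mode 0600 once it passes the check.
# On the Pi, run this with sudo and point $2 at the pi user's home, then scp
# that one file off and delete it; the keys directory itself stays untouched.
stage_profile() {
    local src=$1 dir=$2
    check_ovpn_profile "$src" || return 1
    install -m 600 "$src" "$dir/$(basename "$src")"
}

# Write a constructed sample profile to $1; pass "plaintext" as $2 to embed an
# unencrypted key and watch the check fire.
make_sample_profile() {
    local out=$1 key_kind=${2:-encrypted}
    {
        printf 'client\ndev tun\nproto udp\nremote vpn.example.net 1194\nkey-direction 1\n'
        printf '<ca>\n-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n</ca>\n'
        printf '<cert>\n-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n</cert>\n'
        printf '<key>\n-----BEGIN RSA PRIVATE KEY-----\n'
        if [ "$key_kind" = encrypted ]; then
            printf 'Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n'
        fi
        printf 'MIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n</key>\n'
        printf '<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n0123...placeholder...\n-----END OpenVPN Static key V1-----\n</tls-auth>\n'
    } > "$out"
}

# Stand-alone usage on the Pi: sudo ./stage.sh /etc/openvpn/easy-rsa/keys/iphone.ovpn /home/pi
if [ $# -ge 2 ]; then
    stage_profile "$1" "$2" && echo "staged $(basename "$1") in $2 with mode 0600"
fi
```

The plaintext-key check matters because a profile that embeds an unencrypted key is a complete credential: anyone who gets the file can connect as that device without knowing any passphrase.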
Copy files off Raspberry PI
Now we need to copy the files off the Raspberry PI to some other device.
First let’s change the permissions of the directory so the pi user can read the file. Be aware that this makes every private key in the directory readable (and writable) by every local account on the Pi, so only do it on a Pi nobody else has an account on, and revert it straight away as shown below. A safer option is to copy just the one .ovpn into the pi user’s home directory with sudo and fetch it from there.
chmod 777 -R /etc/openvpn/easy-rsa/keys/
Then exit ssh and copy the file over to our Downloads folder
scp pi@<ip address of pi>:/etc/openvpn/easy-rsa/keys/iphone.ovpn ~/Downloads
Then ssh back in and undo the permission changes we made
chmod 600 -R /etc/openvpn/easy-rsa/keys/
Now install the .ovpn profile on the phone (via iTunes file sharing into the OpenVPN app on iOS), connect, and you should be good to go: a VPN icon appears in the status bar. Since the profile embeds the client’s private key, treat the file like a password and delete stray copies (Downloads, email, cloud sync) once it has been imported.