This recipe describes how to cook up a Raspberry Pi as a VPN server to provide secure access to your network via a public internet connection.
The ingredients are:
- Raspberry Pi
- 8GB SD card with Raspian Lite
- Internet connection
- Local network connection with static IP (not DHCP)
- Access to your modem/router
Preparing the Pi
From a fresh install of Raspian Jessie Lite (April 2017 version):
Boot RaPi and log into the console with username "pi" and password "raspberry".
The following instructins assume a working internet connection.
Prepare the RaPi with the following commands:
sudo touch /boot/ssh
sudo adduser yourname
sudo adduser yourname sudo
sudo deluser pi
sudo mv /etc/sudoers.d/010_pi-nopasswd /etc/sudoers.d/010_yourname-nopassword
sudo nano /etc/sudoers.d/010_yourname-nopassword
You now in the file nano editor: change the user name pi to yourname. Ctrl-O to save and then Ctrl-X to exit the editor.
sudo apt-get update
sudo apt-get dist-upgrade
Your Pi will now perform a reboot. Log in via the console or via your local network using ssh.
Your RaPi is now up-to-date with the latest software.
You can find many different tutorials of varying complexity levels on the web but I found the simplest way to install OpenVPN on your Pi is by using PiVPN. To start the installation use the following command:
curl -L https://install.pivpn.io | bash
Follow the prompts and accept most of the default values.
Based on the STO principle I would recommend changing the default port number (1194) to a number between 10000 and 50000 - write it down!
Installation doesn't take very long but generating the security certificate can take some long time.
You will have the option of using a static public ip or DNS - using a free dns provider will work if your public Ip address is dynamic or if your ISP decides to change you static IP address.
Reboot at the end of install process and log back in to generate the client configuration:
Very important: Pick a very secure password! If someone gets hold of your client computer or the ovpn file the only thing left between a hacker and your network.
Transfer the ovpn file to your client computer:
scp ./client.ovpn email@example.com:~
The above secure file transfer example will work on Apple OS X or Linux clients and will place the ovpn in user's home directory.
Next we need to add a few rules with these commands:
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/iptables/rules.v4
The netmask 10.8.0.0/24 refers to the VPN tunnel address range. Check to see it matches the address in /etc/openvpn/server.conf "ifconfig" line.
This concludes the installation of OpenVPN.
OpenVPN V2.4 and above
From V2.4 checking of security certificate expiry has changed. To check openvpn version:
An expired certificate will produce the following error in /var/log/openvpn.log:
VERIFY ERROR: depth=0, error=CRL has expired C=……
To check the security certificate expire date:
openssl crl -in /etc/openvpn/crl.pem -text
To generate a new certificate and replace the old one:
mv pki/crl.pem /etc/openvpn
Default certificate expiry days is only 180 days
To get a longer expiry add to /etc/openvpn/easy-rsa/vars:
set_var EASYRSA_CRL_DAYS 18250
Before releasing your server into the wild install a certificate with an appropriate expiry date.
This part of the configuration is very specific to your hardware.
You need to know the [static] IP address of your RaPi and find the port forwarding setup in your router configuration. The port number used here should be the same as what you have chosen in the OpenVPN setup. Enable forwarding of UDP traffic from this port to the same port number on your RaPi IP address.
Activate the new configuration and your OpenVPN server is ready rock and roll.
For Apple OS X install tunnelblick.
After installation drag the ovpn file into the tunnleblick window and press "connect", after you enter the password you should see the connection established.