How to create a VPN server on a Raspberry Pi with OpenVPN
The security of public Internet accesses often leaves much to be desired. To be able to connect away from home without taking risks , a virtual private network or VPN (Virtual Private Network or virtual private network) can be a good solution. If you also configure a personal VPN server, you will have access to the home local network from the Internet ..
To create a VPN, you only need a computer to act as a server, and for this, the Raspberry Pi represents a viable and economical alternative. OpenVPN is the software that allows you to turn your small computer into a VPN server.
Index
- Why create a VPN server: general functions
- Advantages of creating a VPN server with OpenVPN on a Raspberry Pi
- What do you need to install a VPN server on a Raspberry Pi?
- Set the IP address
- Mount a VPN server on a Raspberry Pi with OpenVPN: step by step manual
- Raspberry Pi Preparation
- OpenVPN installation and easy-rsa file creation
- Creating the certificates and keys for OpenVPN
- Generating the configuration file for the OpenVPN server
- Creating a script to access the Internet with a client
- Closing the clients configuration
- Why is it worth having a VPN server on a Raspberry Pi?
Why create a VPN server: general functions
Installed in a local network (LAN) to be able to access it from the outside, a VPN constitutes a virtual communication network in which the requests and responses between the VPN server and the VPN clients (devices connected to the server) are transferred over the Internet. This allows you to connect to the LAN from any Internet access and access data on it , communicate with devices by remote control (a printer or a fax) or use the Internet connection of the local network (home). Since the connection to the VPN server is encrypted, browsing is much more secure than from uncontrolled access (such as public wireless networks)..
In order to create this secure connection to a VPN server, a VPN server with a permanent Internet connection must be installed on a computer on the local network. This computer would then act as the host of the virtual network. With client software, the devices (laptop, smartphone, tablet) are connected to the server and an encrypted connection (VPN tunnel) allows one of these clients or terminals to access the VPN server from an external network to the personal LAN.
This VPN tunnel leads from the client to the VPN server, spanning the global Internet connection, making it a much more secure connection than any common Internet connection . It would be very difficult for hackers, for example, to access the tunnel to spy on data traffic. This makes VPNs the ideal solution in those cases in which sensitive data, for example banking, has to be worked on in open networks..
Advantages of creating a VPN server with OpenVPN on a Raspberry Pi
It is especially the low cost of a Raspberry Pi and its accessories that makes this minicomputer such an attractive candidate for a VPN server. The energy consumption involved in its permanent operation in the computer is also relatively low. All this makes this combination a favorite, even though some Raspberry Pi alternatives are already available in the meantime.
For its part, OpenVPN is the ideal architect for a VPN server for various reasons, but above all because it is a very widespread free software for VPN servers that supports a large number of operating systems (Windows, OS X, Android, iOS, Linux, etc.), convinces with its high stability and is very easy to install.
What do you need to install a VPN server on a Raspberry Pi?
To follow the steps in the tutorial that follows, you need the following components:
- Raspberry Pi (model 2 or higher)
- MicroSD memory card with Raspbien-Jessie operating system installed.
- Stable Internet connection (preferably by cable) and power supply (Micro USB cable).
You must also decide whether you want to install the VPN server directly on the Raspberry Pi (to which a monitor, mouse and keyboard are connected) or through an SSH client, a software that uses a Secure Shell protocol to connect remotely with another computer. Remote server maintenance with SSH is in most cases the most recommended variant, since this will make it easier to access the VPN server from a different computer.
If you finally opt for this second option, you can resort to various very popular alternatives to access and operate a Raspberry Pi remotely, such as PuTTY, WinSCP (for Windows) or OpenSSH (for Unix operating systems). To connect the software with the minicomputer, enter the IPv4 address of the Raspberry Pi in the client (that device from which you want to access the Raspberry Pi) and they connect to each other. Typing the address 192.168.0.1 in the browser opens the router menu of your Raspberry Pi, where the IP address is obtained.
Set the IP address
When using an SSH client it is recommended to assign a static private IP address to the Raspberry Pi on the local network. Otherwise, every time the minicomputer was accessed via SSH, a new temporary dynamic address would have to be found and connected to the client. However, even more important is to link the Raspberry Pi with a permanent IP address to be able to use OpenVPN, since the VPN server must always be available and under the same address on the local network so that it can be accessed continuously , as well as it must be permanently available on the Internet . However, an Internet connection only has a dynamic public IP address that changes after 24 hours, thus making it difficult for the server to be fully available under the same IP address. If your Internet connection does not have a public static IP address, you can resort to setting up a dynamic DNS (DDNS). In this other article you can see how to assign a static IP address to your Raspberry Pi and how a DDNS can be configured. If you want your Raspberry Pi to be always online as a server, it is important not to forget its due update and security.
Mount a VPN server on a Raspberry Pi with OpenVPN: step by step manual
After this introduction and the review of the requirements and basic concepts, we can now go to practice with the installation of OpenVPN.
Raspberry Pi Preparation
Before installing OpenVPN, the first step is to open your Raspberry Pi terminal to check if there are any pending updates for the packages already installed. This is done with the following commands:
sudo apt-get update sudo apt-get upgrade
If you have not done it before, now is the time to change the standard password of the minicomputer (username:? PI ?, password:? Raspberry?) To avoid any unauthorized access to the system, both locally and via SSH from the net.
With this command we open the configuration of the minicomputer where you can create a secure password.
OpenVPN installation and easy-rsa file creation
To install OpenVPN and Open SSL, software that encrypts the Internet connection, enter this command:
sudo apt-get install openvpn openssl
Once OpenVPN is installed, we copy the predefined easy-rsa scripts into the OpenVPN configuration directory? Is this where the certificates and keys are stored? With a command that only works with Raspbien Jessie (in the previous Wheezy OS the files are in /usr/share/doc/openvpn/examples/easy-rsa/2.0):
sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
Now open the / etc / openvpn / easy-rsa / vars file in the console using this command in order to configure it:
sudo nano /etc/openvpn/easy-rsa/vars
To change the settings, replace the export EASY_RSA = "` pwd` "line with
export EASY_RSA="/etc/openvpn/easy-rsa"
In this file you can also modify the length of the key. With this you can determine the level of security of the encryption. A Raspberry Pi 3 enjoys sufficient performance to be able to effortlessly process a 2048-bit key length. In model 2, on the other hand, this encryption causes serious performance losses, so in this case only a 1024-bit encryption could be used (depending on what your priority is: the speed or the encryption of the connection). A 4096-bit encryption, on the other hand, is only useful in a few cases. To change the length of the key, set the number of bits in the export KEY_SIZE = 2048 line .
Now we go back to the easy-rsa configuration file, where you need to have superuser rights to integrate the settings made in the environment variables. For this we execute the vars script with the source command . Finally, make the generated configuration file accessible with a symbolic link under the name openssl.cnf :
cd /etc/openvpn/easy-rsa sudo su source vars ln -s openssl-1.0.0.cnf openssl.cnf
Creating the certificates and keys for OpenVPN
Before creating new keys for OpenVPN, make sure that there are no old ones (examples, etc.). This is done with this command:
./clean-all ./build-ca OpenVPN
Here you are asked to enter various data to identify the server's certificate to clients (such as the two-letter country code ), but you can confirm the default information due to its low importance in operation by pressing the Enter key. Finally, it generates the certificate for the server (which the CA will sign to give it reliability):
./build-key-server server
Enter the national code again and ignore the other fields. To conclude, confirm the creation of a certificate by entering? And? (yes) twice.
Once the CA and the server certificate have been created, the VPN clients must be installed . For this you have to create a certificate and a key for each of the devices with which you want to access the VPN server. The process is similar to the one you have followed to create a certificate and a key for the server (enter the country code and confirm twice). You can give each device a specific name. In the following example, three clients have been created:? Laptop ?,? Smartphone? and? tablet ?:
./build-key laptop ./build-key smartphone ./build-key tablet ?
Now, to protect each of them with a password , instead of the previous commands the following would be used:
./build-key-pass laptop ./build-key-pass smartphone ./build-key-pass tablet ?
The creation of certificates and keys concludes with the command to create the DH key (Diffie-Hellman) that the server will use for the exchange of keys:
Once this process is finished, which could take a few minutes, you log out as a user with root permission with:
Generating the configuration file for the OpenVPN server
Keys have been created for the server and clients to recognize each other, confirmed by the CA. Now we go into the configuration of the VPN server.
Open the OpenVPN configuration file :
sudo nano /etc/openvpn/openvpn.conf
This empty file has to be completed with some commands shown below:
dev tun proto udp port 1194
In the next step an SSL / TLS ( ca ) root certificate , a digital certificate ( cert ) and a digital key ( key ) are created in the easy-rsa directory . Don't forget to enter the correct bit encryption (1024, 2048, etc.).
ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key dh /etc/openvpn/easy-rsa/keys/dh2048.pem
Now specify that the Raspberry Pi is used as a VPN server. For this, it names its IP address, as well as the network mask to be assigned to the VPN:
server 10.8.0.0 255.255.255.0
The redirect-gateway def1 bypass-dhcp command tells clients that all traffic is redirected through the VPN tunnel. You can try this setting if security is very important to you, but if difficulties arise or navigation slows down, cancel it. The instructions listed below, on the other hand, must be used in any case, since with them you name the public DNS servers with which the VPN server will work. The following lines use a server from IONOS (217.237.150.188) and one from Google (8.8.8.8) as an example, although it can be substituted for another DNS server indicating the IPv4 address. With log-append / var / log / openvpn you arrange that the server events will be written to the file / var / log / openvpn.
push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 217.237.150.188" push "dhcp-option DNS 8.8.8.8" log-append /var/log/openvpn
Once the server is configured, we can proceed to the configuration of the VPN clients. For this we create a configuration file in which the following information must be entered:
persist-key persist-tun user nobody group nogroup status /var/log/openvpn-status.log verb 3 client-to-client comp-lzo
Finally, with the client-to-client command we determine that the VPN clients not only recognize the server, but also other VPN clients and with comp-lzo the LZO compression is enabled (which must also be indicated in the configuration file of the client).
We save the changes with Ctrl + 0 and close the editor with Ctrl + X.
Creating a script to access the Internet with a client
To access the Internet connection of your local network through the VPN tunnel we are going to create a redirect. For this, the file /etc/init.d/rpivpn is created :
Sudo nano /etc/init.d/rpivpn
Copying the following comments into the file creates a header for a Linux-Init file:
#! /bin/sh ### BEGIN INIT INFO # Provides: rpivpn # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: VPN initialization script ### END INIT INFO
Next we activate the redirection ip_forward writing in the file a 1 in this way:
echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s
Once this is done, we create a redirect for VPN packets with the iptables packet filter :
iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT
Now we only have to create the necessary commands that allow VPN clients to access the LAN and the Internet. This is achieved with the following lines:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -t nat -F POSTROUTING iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
We save and close the file again.
But for the redirection to be effective, you have to assign the corresponding rights to the script and install it as an Init file:
sudo chmod +x /etc/init.d/rpivpn sudo update-rc.d rpivpn defaults
We run the script and restart the OpenVPN server:
sudo /etc/init.d/rpivpn sudo /etc/init.d/openvpn restart
Closing the clients configuration
In the last step we gather the certificates and keys of each client in their own package . For this we need superuser rights again. Once assigned, we open the / etc / openvpn / easy-rsa / keys / folder and place the clients' configuration file in it. With the following command we open the laptop client file . All clients are configured in the same way, the only thing that needs to be changed is the device name:
sudo su cd /etc/openvpn/easy-rsa/keys nano laptop.ovpn
In the client's .ovpn file this is added:
dev tun client proto udp remote x.x.x.x 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert laptop.crt key laptop.key comp-lzo verb 3
However, this content must be adjusted. In the fourth line, we replace xxxx with the IP address of the DDNS provider , although you can also include a static public IP address here if you have one; it is followed by the port on which the VPN server is to be available.
In the third and fourth at the end we write the name of the client (here? Laptop?). Made the changes, we save and close with the known commands.
Finally, it compresses the configuration file, along with its certificates and keys, into a zip file. In case you have not yet installed a compression package on your Raspberry Pi , you can do it with the following command:
To create the compressed file we use the following command (taking care to always use the correct client name ):
zip /home/pi/raspberry_laptop.zip ca.crt laptop.crt laptop.key laptop.ovpn
Now we only have to configure the rights of the files and we end with exit :
chown pi:pi /home/pi/raspberry_laptop.zip exit
This compressed file is transferred from the Raspberry Pi to the client with an SCP or SFTP program and the client is configured on the device. This would now be ready to access the local network connected to the client and its Internet connection from any external access point.
Why is it worth having a VPN server on a Raspberry Pi?
Creating your own VPN is not as prohibitive as is often thought, since the low power consumption of the Raspberry Pi keeps costs considerably at bay, as well as the price of the server components (Raspberry Pi, micro SD card, etc.) is also very affordable. To this must be added the many advantages of installing a VPN server on the 21st century minicomputer: this server allows you to access your local network from anywhere on the planet with an encrypted connection that allows you to safely navigate the network even on WiFi connections of questionable quality or using mobile phone data. Little more security could offer a mobile Internet connection.
