Set up Raspberry Pi as a VPN server (OpenVPN tutorial)

The security of public internet access often leaves something to be desired. If you want to move around safely on the internet using your own VPN (“Virtual Private Network”) is a great way to do just that. By creating a personal VPN server, you also have access to the local home network via any internet connection.

To set up your own virtual, private network, you need a computer system that can function as its server. For this, Raspberry Pi is a cost-effective option. You can make your own VPN server on Raspberry Pi using the free VPN server software OpenVPN, which is available to download online.

A VPN set up in a local area network (LAN) enables you to access the network from outside. It’s a virtual communication network, where the queries and responses between the VPN server and the VPN clients (devices linked to the server) are usually transported over the internet.

With a self-established VPN, it’s possible to access your own local network from any internet source. You can use it to access data located in the LAN and address individual devices from a distance (e.g. printers or fax machines), as well as use the local network’s internet connection. With an encrypted connection to your VPN server, you can move around the network more securely than if you were relying on risky, open internet connections (such as public WLANs).

For a secure connection to a VPN server like this to be possible, you have to set up a VPN server on a computer system on your local network that’s permanently connected to the internet. The computer functions as a host for the virtual private network. You can connect devices (such as laptops, smartphones, or tablets) to the server over client software. Now, if you access your VPN with a client using an internet connection outside of your personal LAN it will be done via an encrypted connection (called a VPN tunnel).

The VPN tunnel starts at your client and ends at your VPN server – it extends over the entire internet connection. As a result, the tunnel is much safer than average public internet connections. This makes it accordingly difficult for hackers to infiltrate the tunnel and record the data traffic. With a personal VPN connection, you can also work with much more sensitive data (like, for example, online banking accounts) over public WLANs.

The minimal cost for Raspberry Pi is what makes it so attractive as a VPN server. The purchase price of the small computer is comparatively low. You will also need very few accessories to get things running. Additionally, it requires relatively little power for long-term operation as a server. All this adds up to the fact that this course of action offers a good price-to-performance ratio (although different alternatives to Raspberry Pi now do exist).

OpenVPN is very suitable for use as your VPN for several reasons: It’s a free, widely distributed VPN server software supported by a large number of operating systems (Windows, OS X, Android, iOS, Linux, and others). The program also boasts a comparatively simple set-up and a high level of stability.

For the tutorial given below, you will need the following:

• Raspberry Pi (recommended: Model 2 or higher)
• A micro-SD memory card with the Raspbian-Jessie operating system installed on it
• A continuously available internet connection (preferably via network cable) and power supply (via micro-USB cable) for Raspberry Pi

You must decide whether you want to set up the VPN server directly on Raspberry Pi (with a connected monitor, mouse, and keyboard) or through an SSH client. Remote maintenance of the server by means of SSH is the recommended choice in most cases since this is the easiest way to access the VPN server from another computer at a later date.

For this purpose, there are various widely-used software options such as PuTTY, WinSCP (for Windows), or OpenSSH (for Unix operating systems) through which you can control and operate Raspberry Pi. To connect the SSH to Raspberry Pi, you specify its IPv4 address in the client (the computer with which you want to access Raspberry Pi) and link them with each other. The IP address of your Raspberry Pi can be shown, for example, via the router menu of your browser. Normally, you can access the router menu by calling the address “192.168.1.1” (or myrouter.local for Linksys Smart Wi-Fi router users) in your browser.

To use an SSH client, it’s advisable to allocate a static, private IP address in the local network to Raspberry Pi – otherwise, you’ll have to reselect your current dynamic address and reconnect the client to the mini-computer every time that you want to access it via the SSH. Linking a constant private IP address with Raspberry Pi is more important for the use of OpenVPN: The VPN server needs to always be accessible on the local network at the same address if you want to have continual access. You should keep the VPN server constantly accessible at the same address over the internet as well. However, internet connections usually only have a dynamic public IP address, which changes at least after 24 hours and prevents the server from permanently being accessed at the same IP address. If you can’t regulate your internet connection at a static, public IP address, then you can make do by setting up a dynamic DNS (DDNS) instead.

You can read how to allocate a static IP address to your Raspberry Pi, and which options there are for the setup of a DDNS in another of our articles. If you want to make your Raspberry Pi permanently available online as a server, you should regularly update it and make security checks.

Now you can begin to set up OpenVPN. For this, open the terminal (the input console) of your Raspberry Pi.

Before you begin installing OpenVPN, it’s recommended that you check for and install updates for the existing packages on Raspberry Pi. To do this, enter the following commands into the console:

If you haven’t changed the default password for your Raspberry Pi yet (Username: “Pi”; Password: “Raspberry”), you should do that now: Otherwise, anyone can access the system – either locally or over the network via SSH. With the command below you can call up the configuration of the mini-computer, where you can create a secure password.

First, use the following command to install the OpenVPN software as well as OpenSSL which is used to encrypt the internet connection.

After installing OpenVPN, copy the pre-written script “easy-rsa” into the OpenVPN configuration index. This is where you’ll create the various certificates and keys. The following command only functions on Raspbian Jessie (in the earlier operation system Wheezy, the scripts are under “/usr/share/doc/openvpn/examples/easy-rsa/2.0”).

Next, open the file „/etc/openvpn/easy-rsa/vars“ in the console by running the following command:

Now you have to adjust this file. You change the settings by replacing the complete line “export EASY_RSA="`pwd`"” with the following:

The key length can also be adjusted in the file. This allows you to determine the security level of the encryption. Raspberry Pi has enough computing power to handle a 2048-bit key length without problems. But with Model 2, this encryption already results in a noticeable decrease in performance, so you should only use a 1024-bit encryption – depending, of course, on whether the speed or the level of encryption of the connection is more important. A 4096-bit encryption only makes sense to use in certain cases. You change the key length by adjusting the bit number in the “export KEY_SIZE=2048” line.

Now go back to the “easy-rsa” configuration index, give root permissions, and then integrate the previously made settings into the environment variables by executing the “vars” script using the “source” command. You can make the resulting configuration file accessible via a symbolic link under the name “openssl.cnf”.

First, reset the keys and then create the first key files for OpenVPN.

You are asked to enter the two-letter “Country Name” of your country (US for the United States, CA for Canada). The subsequent queries are no longer relevant, and you can simply confirm them with the Enter key.

You then generate the key files for the server:

Enter the two-letter country code again, and then leave the other fields blank. Finally, confirm the request to generate the certificate twice with “Y”.

The following directions will tell you how to set up one or more VPN clients. You’ll create a certificate and a key for every device that you want to access the VPN server from. The process is similar to the set-up of certificates and keys for a server (enter the country code and confirm twice). You can assign each device a specific name (in our commands below, clients for a “laptop”, “smartphone”, and “tablet” are created).

If you want to provide the clients with a password, you’ll use the following commands instead of the ones listed above:

Generating the certificates and keys is finished with the command for the Diffie-Hellman key exchange:

This may take some time. Once the process is complete, log off as the root user:

Call up the OpenVPN configuration files:

Now you can fill the empty files with various commands that we’ll illustrate for you in the following examples. First, activate the routing through an IP tunnel with “dev tun” and select EDP as the transport protocol with “proto udp” (if you want to use TCP, select “proto tcp”). In the following lines, determine that the OpenVPN server is accessible on port 1194 – although you can change this if you want.

Next, create a SSL/TLS root certificate (ca), a digital certificate (cert) and a digital key (key) in the “easy-rsa” index. You should also make sure that you enter the correct bit encryption (1024, 2048, etc).

Now you can specify that Raspberry Pi is used as the VPN server. To do this, you need to name the IP address as well as the netmask to be assigned to the VPN.

With the “redirect-gateway def1 bypass-dhcp” command, you can now route all IP traffic through the IP tunnel. If you have higher security requirements, you can experiment with the settings – but if this causes difficulties or the surfing becomes too slow, it’s advisable to switch this configuration off again. You should always use the other instructions listed below to name the public DNS servers that your VPN server will work with. In the following command, a server from IONOS is listed with “217.237.150.188”, as well as a server from Google listed with “8.8.8.8”. You can change this if you want by specifying the IPv4 addresses of other DNS servers. Using “log-append /var/log/openvpn” make sure that the log information is written to the “/var/log/openvpn” file.

Via “persist-key," key files are not read again, and the TUN and TAP network drivers are not restarted with “persist-tun”. The rights of the OpenVPN daemon after a program start are reduced by “user nobody” and “group nogroup”. With “status /var/log/openvpn-status.log” you can create a statue file that shows you the current connection. It’s advisable to reconcile the details of the log information with the “verb” command. If you choose “0," you won’t receive any issue reports other than actual error messages. A value between 1 and 4 is suitable for normal use, while higher values are best for troubleshooting. Finally, use the “client-to-client” command to specify that VPN clients not only recognize the server but also other VPN clients as well, and with “comp-lzo” activate the LZO compression (you also need to release it in the config-file of the client).

Save the changes with “Ctrl + O” and close the editor with “Ctrl + X”.

To access your local area network through your VPN tunnel, you need to create a redirect. To do this, you’ll first create the “/etc/init.d/rpivpn” file:

By copying the following comments to the file, you create a header for a Linux init script:

Next, activate “ip_forward” by writing a “1” into the file:

Now create a forwarding for VPN packets by using the packet filter “iptables”:

You need commands that allow your VPN clients to access the LAN as well as the internet. You can set these with the following lines:

Save and close the file again using “Ctrl + O” and “Ctrl + X”.

For the redirection to work, you need to assign the appropriate permissions to the script and then install it as an init script.

Now implement the script and restart the OpenVPN server.

In the last step, bundle the certificate and key for each client into a single packet. Give yourself root permissions again, open the “/etc/openvpn/easy-rsa/keys/” file, and create the client configuration file. Using the following commands, access the “laptop” file. The set-up for each client functions in the same way – you just need to adjust the name of the device accordingly.

In the “.ovpn” client file, insert the following:

The file content above still needs to be adjusted. In the fourth line, replace “xxxx” with the IP address of your DDNS provider (if you use a static public IP address, you can just enter it there), followed by the port through which the VPN server should be accessible. In the third and fourth last lines, enter the name of your client (here: “laptop”). After you have made the changes, save them with “Ctrl + O” and close the editor with “Ctrl + X”.

Finally, assemble the entire configuration file along with your certificates and keys into a zip file. If you don’t have a zip package installed on Raspberry Pi yet, you can do this with the following command:

To create the zip file, use the following commands, once again making sure that you’ve entered the correct client names each time.

Now you have to adjust the permissions of the files and exit the set-up with “exit”.

Transfer the finished zip file now from your Raspberry Pi to the client (for example, via an SCP or SFTP program) and then set up the client on the device. You can now use this device to access the local network connected to the client and its internet connection from any other internet connection.

A personal VPN is far less expensive than many may think: Thanks to the low power requirements of Raspberry Pi and the low cost of the individual server components (Raspberry Pi, micro SD card, etc.) there are no major operating costs to worry about.

A Raspberry Pi VPN server is also capable of a lot. With your own hosted VPN server on Raspberry Pi, you can access your local computer network from any internet connection. The VPN connection is encrypted and enables you to move around much more securely on the internet, both in open and/or untrusted WLAN networks, as well as through the data line of your mobile provider. A mobile internet connection could hardly offer more protection.