Set up Raspberry Pi as a VPN server: OpenVPN tutorial

The security of public internet access often leaves something to be desired. If you want to move around safely on the internet, using your own VPN (“Virtual Private Network”) is a great way to do just that. By creating a personal VPN server, you also have access to the local home network via any internet connection.

To set up your own virtual, private network, you need a computer system that can function as its server. For this, Raspberry Pi is a cost-effective option. You can make your own VPN server on Raspberry Pi using the free VPN server software OpenVPN, which is available to download online.

Setting up your own VPN server: Functions overview

A VPN set up in a local area network (LAN) enables you to access the network from outside. It’s a virtual communication network, where the queries and responses between the VPN server and the VPN clients (devices linked to the server) are usually transported over the internet.

With a self-established VPN, it’s possible to access your own local network from any internet source. You can use it to access data located in the LAN and address individual devices from a distance (e.g. printers or fax machines), as well as use the local network’s internet connection. With an encrypted connection to your VPN server, you can move around the network more securely than if you were relying on risky, open internet connections (such as public WLANs).

For a secure connection to a VPN server like this to be possible, you have to set up a VPN server on a computer system on your local network that’s permanently connected to the internet. The computer functions as a host for the virtual private network. You can connect devices (such as laptops, smartphones, or tablets) to the server over client software. Now, if you access your VPN with a client using an internet connection outside of your personal LAN it will be done via an encrypted connection (called a VPN tunnel).

The VPN tunnel starts at your client and ends at your VPN server – it extends over the entire internet connection. As a result, the tunnel is much safer than average public internet connections. This makes it accordingly difficult for hackers to infiltrate the tunnel and record the data traffic. With a personal VPN connection, you can also work with much more sensitive data (like, for example, online banking accounts) over public WLANs.

Creating a VPN server on Raspberry Pi and OpenVPN: The benefits

The minimal cost for Raspberry Pi is what makes it so attractive as a VPN server. The purchase price of the small computer is comparatively low. You will also need very few accessories to get things running. Additionally, it requires relatively little power for long-term operation as a server. All this adds up to the fact that this course of action offers a good price-to-performance ratio (although different alternatives to Raspberry Pi now do exist).

OpenVPN is very suitable for use as your VPN for several reasons: It’s a free, widely distributed VPN server software supported by a large number of operating systems (Windows, OS X, Android, iOS, Linux, and others). The programme also boasts a comparatively simple set-up and a high level of stability.

What’s required to set up a VPN server on Raspberry Pi?

For the tutorial given below, you will need the following:

  • Raspberry Pi (recommended: Model 2 or higher)
  • A micro-SD memory card with the Raspbian-Jessie operating system installed on it
  • A continuously available internet connection (preferably via network cable) and power supply (via micro-USB cable) for Raspberry Pi

You must decide whether you want to set up the VPN server directly on Raspberry Pi (with a connected monitor, mouse, and keyboard) or through an SSH client. Remote maintenance of the server by means of SSH is the recommended choice in most cases since this is the easiest way to access the VPN server from another computer at a later date.

For this purpose, there are various widely-used software options such as PuTTY, WinSCP (for Windows), or OpenSSH (for Unix operating systems) through which you can control and operate Raspberry Pi. To connect the SSH to Raspberry Pi, you specify its IPv4 address in the client (the computer with which you want to access Raspberry Pi) and link them with each other. The IP address of your Raspberry Pi can be shown, for example, via the router menu of your browser. Normally, you can access the router menu by calling the address “192.168.1.1” (or myrouter.local for Linksys Smart Wi-Fi router users) in your browser.

Customising IP addresses

To use an SSH client, it’s advisable to allocate a static, private IP address in the local network to Raspberry Pi – otherwise, you’ll have to reselect your current dynamic address and reconnect the client to the mini-computer every time that you want to access it via the SSH. Linking a constant private IP address with Raspberry Pi is more important for the use of OpenVPN: The VPN server needs to always be accessible on the local network at the same address if you want to have continual access. You should keep the VPN server constantly accessible at the same address over the internet as well. However, internet connections usually only have a dynamic public IP address, which changes at least after 24 hours and prevents the server from permanently being accessed at the same IP address. If you can’t regulate your internet connection at a static, public IP address, then you can make do by setting up a dynamic DNS (DDNS) instead.

You can read how to allocate a static IP address to your Raspberry Pi, and which options there are for the setup of a DDNS in another of our articles. If you want to make your Raspberry Pi permanently available online as a server, you should regularly update it and make security checks.

Install your own VPN server on Raspberry Pi with OpenVPN

Now you can begin to set up OpenVPN. For this, open the terminal (the input console) of your Raspberry Pi.

Preparation of Raspberry Pi

Before you begin installing OpenVPN, it’s recommended that you check for and install updates for the existing packages on Raspberry Pi. To do this, enter the following commands into the console:

sudo apt-get update

sudo apt-get upgrade

If you haven’t changed the default password for your Raspberry Pi yet (Username: “Pi”; Password: “Raspberry”), you should do that now: Otherwise, anyone can access the system – either locally or over the network via SSH. With the command below you can call up the configuration of the mini-computer, where you can create a secure password.

sudo raspi-config

Install OpenVPN and set up easy-rsa files

First, use the following command to install the OpenVPN software as well as OpenSSL which is used to encrypt the internet connection.

sudo apt-get install openvpn openssl

After installing OpenVPN, copy the pre-written “easy-rsa” scripts into the OpenVPN configuration directory. This is where you’ll create the various certificates and keys. The following command only functions on Raspbian Jessie (in the earlier operating system Wheezy, the scripts are under “/usr/share/doc/openvpn/examples/easy-rsa/2.0”).

sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa

Next, open the file “/etc/openvpn/easy-rsa/vars” in the console by running the following command:

sudo nano /etc/openvpn/easy-rsa/vars

Now you have to adjust this file. You change the settings by replacing the complete line “export EASY_RSA="`pwd`"” with the following:

export EASY_RSA="/etc/openvpn/easy-rsa"

The key length can also be adjusted in the file. This allows you to determine the security level of the encryption. Raspberry Pi has enough computing power to handle a 2048-bit key length without problems. But with Model 2, this encryption already results in a noticeable decrease in performance, so you should only use a 1024-bit encryption – depending, of course, on whether the speed or the level of encryption of the connection is more important. A 4096-bit encryption only makes sense to use in certain cases. You change the key length by adjusting the bit number in the “export KEY_SIZE=2048” line.

Now go back to the “easy-rsa” directory, switch to the root user, and then integrate the previously made settings into the environment variables by executing the “vars” script using the “source” command. Then make the OpenSSL configuration file accessible via a symbolic link under the name “openssl.cnf”.

cd /etc/openvpn/easy-rsa
sudo su
source vars
ln -s openssl-1.0.0.cnf openssl.cnf

Set up certificates and keys for OpenVPN

First, reset the keys and then create the first key files for OpenVPN.

./clean-all
./build-ca OpenVPN

You are asked to enter the two-letter “CountryName” of your country (UK for the United Kingdom, IE for Ireland). The subsequent queries are no longer relevant, and you can simply confirm them with the Enter key.

You then generate the key files for the server:

./build-key-server server

Enter the two-letter country code again, and then leave the other fields blank. Finally, confirm the request to generate the certificate twice with “Y”.

The following directions will tell you how to set up one or more VPN clients. You’ll create a certificate and a key for every device that you want to access the VPN server from. The process is similar to the set-up of certificates and keys for a server (enter the country code and confirm twice). You can assign each device a specific name (in our commands below, clients for a “laptop”, “smartphone”, and “tablet” are created).

./build-key laptop
./build-key smartphone
./build-key tablet
…

If you want to provide the clients with a password, you’ll use the following commands instead of the ones listed above:

./build-key-pass laptop
./build-key-pass smartphone
./build-key-pass tablet
…

Generating the certificates and keys is finished with the command for the Diffie-Hellman key exchange:

./build-dh

This may take some time. Once the process is complete, log off as the root user:

exit

Generate configuration files for the OpenVPN server

Call up the OpenVPN configuration files:

sudo nano /etc/openvpn/openvpn.conf

Now you can fill the empty file with various directives that we’ll illustrate for you in the following examples. First, activate the routing through an IP tunnel with “dev tun” and select UDP as the transport protocol with “proto udp” (if you want to use TCP, select “proto tcp”). In the following line, determine that the OpenVPN server is accessible on port 1194 – although you can change this if you want.

dev tun
proto udp
port 1194

Next, specify the SSL/TLS root certificate (ca), the server’s digital certificate (cert), and its digital key (key) that you created in the “easy-rsa” directory, along with the Diffie-Hellman parameters (dh). Make sure that the name of the dh file contains the correct bit length (1024, 2048, etc.).

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

Now you can specify that Raspberry Pi is used as the VPN server. To do this, you need to name the IP address as well as the netmask to be assigned to the VPN.

server 10.8.0.0 255.255.255.0

With the “redirect-gateway def1 bypass-dhcp” command, you can now route all IP traffic through the IP tunnel. If you have higher security requirements, you can experiment with the settings – but if this causes difficulties or the surfing becomes too slow, it’s advisable to switch this configuration off again. You should always use the other instructions listed below to name the public DNS servers that your VPN server will work with. In the following command, a server from 1&1 IONOS is listed with “217.237.150.188”, as well as a server from Google listed with “8.8.8.8”. You can change this if you want by specifying the IPv4 addresses of other DNS servers. Using “log-append /var/log/openvpn” make sure that the log information is written to the “/var/log/openvpn” file.

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 217.237.150.188"
push "dhcp-option DNS 8.8.8.8"
log-append /var/log/openvpn

With “persist-key”, key files are not read again on a restart, and with “persist-tun” the TUN and TAP network drivers are not restarted. The rights of the OpenVPN daemon after a programme start are reduced by “user nobody” and “group nogroup”. With “status /var/log/openvpn-status.log” you can create a status file that shows you the current connections. It’s advisable to adjust the level of detail of the log information with the “verb” directive. If you choose “0”, you won’t receive any output other than actual error messages. A value between 1 and 4 is suitable for normal use, while higher values are best for troubleshooting. Finally, use the “client-to-client” directive to specify that VPN clients can see not only the server but also the other VPN clients, and with “comp-lzo” activate the LZO compression (you also need to enable it in the config file of the client).

persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
client-to-client
comp-lzo

Save the changes with “Ctrl + O” and close the editor with “Ctrl + X”.
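The directives above can be checked mechanically once the file is saved. The following audit script is an added example, not part of the original tutorial; the function names, the 2048-bit minimum and the owner-only permission check on the private key are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the tutorial: audit an OpenVPN server config
# against the settings described above. The 2048-bit minimum and the
# owner-only key permission check are assumptions of this example.

# Print the first argument of directive $2 in config file $1.
directive() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

# audit_conf <openvpn.conf> <KEY_SIZE from easy-rsa vars>
# Prints one line per finding and returns the number of findings.
audit_conf() {
    conf=$1; bits=$2; findings=0
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # The daemon should drop its privileges after start-up.
    [ "$(directive "$conf" user)" = "nobody" ] || flag "no 'user nobody' line"
    [ "$(directive "$conf" group)" = "nogroup" ] || flag "no 'group nogroup' line"

    # build-dh names its output after KEY_SIZE, so the dh path must match it.
    dh=$(directive "$conf" dh)
    case "$dh" in
        */dh"$bits".pem) ;;
        *) flag "dh file '$dh' does not match KEY_SIZE=$bits" ;;
    esac
    [ "$bits" -ge 2048 ] || flag "KEY_SIZE=$bits is below 2048 bits"

    # Every referenced file has to exist and be readable.
    for d in ca cert key dh; do
        f=$(directive "$conf" "$d")
        [ -n "$f" ] && [ -r "$f" ] || flag "$d file '$f' missing or unreadable"
    done

    # The server's private key must not be readable by group or others.
    key=$(directive "$conf" key)
    if [ -f "$key" ]; then
        mode=$(stat -c %a "$key")          # GNU stat, as shipped with Raspbian
        case "$mode" in
            ?00) ;;
            *) flag "private key $key has mode $mode, expected 600" ;;
        esac
    fi
    return "$findings"
}

# Run directly: sudo sh audit.sh /etc/openvpn/openvpn.conf 2048
if [ $# -eq 2 ]; then audit_conf "$1" "$2"; fi
```

Run it as root so that the key file is readable; an exit status of 0 means no findings.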

Create a script for internet access with a client

To access your local area network through your VPN tunnel, you need to create a redirect. To do this, you’ll first create the “/etc/init.d/rpivpn” file:

sudo nano /etc/init.d/rpivpn

By copying the following comments to the file, you create a header for a Linux init script:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          rpivpn
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: VPN initialization script
### END INIT INFO

Next, activate “ip_forward” by writing a “1” into the file:

echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s

Now create a forwarding for VPN packets by using the packet filter “iptables”:

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

You need commands that allow your VPN clients to access the LAN as well as the internet. You can set these with the following lines:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Save and close the file again using “Ctrl + O” and “Ctrl + X”.

For the redirection to work, you need to assign the appropriate permissions to the script and then install it as an init script.

sudo chmod +x /etc/init.d/rpivpn
sudo update-rc.d rpivpn defaults

Now run the script and restart the OpenVPN server.

sudo /etc/init.d/rpivpn
sudo /etc/init.d/openvpn restart
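Because the script above appends its rules with “-A” on every run and flushes the whole NAT POSTROUTING chain, running it a second time duplicates rules and removes NAT rules set by other software. The following variant is an added example, not part of the original tutorial: it goes below the init header shown above, and the function names and the IPT and FWD override variables are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the tutorial: the forwarding rules above as a
# start/stop script that can be run repeatedly without duplicating rules.
IPT=${IPT:-iptables}                          # overridable, e.g. for a dry run
FWD=${FWD:-/proc/sys/net/ipv4/ip_forward}
VPN_NET=10.8.0.0/24                           # matches "server 10.8.0.0 255.255.255.0"
LAN_IF=eth0

# ensure <table> <chain> <rule...>: append only if "iptables -C" finds no copy.
ensure() {
    t=$1; shift
    $IPT -t "$t" -C "$@" 2>/dev/null || $IPT -t "$t" -A "$@"
}

# remove <table> <chain> <rule...>: delete the rule if it is present.
remove() {
    t=$1; shift
    if $IPT -t "$t" -C "$@" 2>/dev/null; then $IPT -t "$t" -D "$@"; fi
}

# Apply $1 (ensure or remove) to the four rules from the tutorial.
rules() {
    $1 filter INPUT   -i tun+ -j ACCEPT
    $1 filter FORWARD -i tun+ -j ACCEPT
    $1 filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $1 nat POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

start() { echo 1 > "$FWD"; rules ensure; }
# Only this script's rules are deleted; other NAT rules are left alone,
# unlike "iptables -t nat -F POSTROUTING", which flushes the whole chain.
stop()  { rules remove; }

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
esac
```

This variant does nothing without an argument, so run it by hand as “sudo /etc/init.d/rpivpn start”; at boot and shutdown the init system passes “start” and “stop” itself.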

Finish setting up the clients

In the last step, bundle the certificate and key for each client into a single package. Give yourself root permissions again, change to the “/etc/openvpn/easy-rsa/keys/” directory, and create the client configuration file. The following commands create the file for the “laptop” client. The set-up for each client functions in the same way – you just need to adjust the name of the device accordingly.

sudo su
cd /etc/openvpn/easy-rsa/keys
nano laptop.ovpn

In the “.ovpn” client file, insert the following:

dev tun
client
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert laptop.crt
key laptop.key
comp-lzo
verb 3

The file content above still needs to be adjusted. In the fourth line, replace “x.x.x.x” with the IP address of your DDNS provider (if you use a static public IP address, you can just enter it there), followed by the port through which the VPN server should be accessible. In the third and fourth last lines, enter the name of your client (here: “laptop”). After you have made the changes, save them with “Ctrl + O” and close the editor with “Ctrl + X”.

Finally, assemble the entire configuration file along with your certificates and keys into a zip file. If you don’t have a zip package installed on Raspberry Pi yet, you can do this with the following command:

apt-get install zip

To create the zip file, use the following commands, once again making sure that you’ve entered the correct client names each time.

zip /home/pi/raspberry_laptop.zip ca.crt laptop.crt laptop.key laptop.ovpn

Now you have to adjust the permissions of the files and exit the set-up with “exit”.

chown pi:pi /home/pi/raspberry_laptop.zip
exit

Transfer the finished zip file now from your Raspberry Pi to the client (for example, via an SCP or SFTP programme) and then set up the client on the device. You can now use this device to access the local network connected to the client and its internet connection from any other internet connection.
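As an alternative to the zip file, OpenVPN also accepts the certificates and the key inline in the “.ovpn” file, which leaves a single file to transfer and protect. The following script is an added example, not part of the original tutorial; the function name make_profile and its arguments are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the tutorial: build one self-contained client
# profile using OpenVPN's inline <ca>, <cert> and <key> blocks.
# make_profile <client> <remote host or IP> <keys dir> <output .ovpn>
make_profile() {
    name=$1; remote=$2; keys=$3; out=$4

    # Refuse to write a half-finished profile if any input is missing.
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$keys/$f" ] || { echo "missing: $keys/$f" >&2; return 1; }
    done

    # Print only the PEM block; easy-rsa .crt files begin with a text dump.
    pem() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

    rm -f "$out"
    (
        umask 077          # the profile holds the private key: owner-only
        {
            # Same directives as the client file in the tutorial.
            printf '%s\n' 'dev tun' 'client' 'proto udp' "remote $remote 1194" \
                'resolv-retry infinite' 'nobind' 'persist-key' 'persist-tun' \
                'comp-lzo' 'verb 3'
            echo '<ca>';   pem "$keys/ca.crt";    echo '</ca>'
            echo '<cert>'; pem "$keys/$name.crt"; echo '</cert>'
            echo '<key>';  pem "$keys/$name.key"; echo '</key>'
        } > "$out"
    )
}

# Example call, run as root:
#   make_profile laptop x.x.x.x /etc/openvpn/easy-rsa/keys /home/pi/laptop.ovpn
```

The resulting file is created with mode 600 and belongs to root, so change its owner with “chown” as above before copying it off the Raspberry Pi.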

Setting up your own VPN server on Raspberry Pi is worth it

A personal VPN is far less expensive than many may think: Thanks to the low power requirements of Raspberry Pi and the low cost of the individual server components (Raspberry Pi, micro SD card, etc.) there are no major operating costs to worry about.

A Raspberry Pi VPN server is also capable of a lot. With your own hosted VPN server on Raspberry Pi, you can access your local computer network from any internet connection. The VPN connection is encrypted and enables you to move around much more securely on the internet, both in open and/or untrusted WLAN networks, as well as through the data line of your mobile provider. A mobile internet connection could hardly offer more protection.

