Raspberry Pi OpenVPN server

My motivation for writing this guide is to demonstrate a method of securing access to IoT devices with minimum effort. Many IoT devices, such as security cameras, have lackluster access controls and rarely receive software updates. It is generally bad practice to expose such insecure devices directly to the Internet, where they are easy prey for botnets and miscreants. This guide will show you how to set up a bulletproof VPN server on a Raspberry Pi, allowing you to securely access your home or business network.


Required hardware

  • Raspberry Pi B/2B/2B+/3
  • SD Card
  • SD card reader
  • another PC or Mac
  • micro USB cable
  • USB power supply
  • ethernet cable

1. Set up Raspberry Pi

  1. Download Raspbian
  2. Download Etcher
  3. Burn the Raspbian image to the SD card using Etcher
  4. Enable SSH on first boot
    • Create an empty file named ssh on the SD card boot volume
  5. Insert the SD card into the Pi
  6. Plug in ethernet and power to the Pi

2. Find your Pi on the network

Mac OS and Linux

  1. Open a terminal
  2. Run nmap to scan your network (adjust the range to match your own subnet): sudo nmap 192.168.1.1-254

Look for the entry whose MAC address vendor is Raspberry Pi Foundation.

Nmap scan report for 10.10.10.147
Host is up (0.0044s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: B8:27:EB:48:25:AD (Raspberry Pi Foundation)

SSH into the Pi using the IP address from above. The default password is raspberry; change it after your first login.

ssh pi@10.10.10.147
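
On a busy network the scan returns many hosts, so it helps to filter the output by MAC vendor. The following is an added example, not part of the original guide: sample_scan and find_pis are hypothetical names, and the second host in the sample is constructed.

```bash
#!/usr/bin/env bash
# Added example: list Raspberry Pi hosts found in nmap's normal output.

sample_scan() {   # first host is the scan result shown above; second is constructed
    cat <<'EOF'
Nmap scan report for 10.10.10.147
Host is up (0.0044s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: B8:27:EB:48:25:AD (Raspberry Pi Foundation)

Nmap scan report for printer.lan (10.10.10.20)
Host is up (0.0100s latency).
PORT    STATE SERVICE
80/tcp  open  http
631/tcp open  ipp
MAC Address: 00:00:5E:00:53:01 (Constructed Vendor)
EOF
}

# Reads nmap output on stdin and prints "IP MAC open-ports" for every host
# whose MAC vendor string starts with "Raspberry Pi".
find_pis() {
    awk '
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); ports = "" }
        /^[0-9]+\/(tcp|udp) +open / {
            split($1, p, "/")
            ports = ports (ports == "" ? "" : ",") p[1]
        }
        /^MAC Address: / && /\(Raspberry Pi/ { print ip, $3, (ports == "" ? "-" : ports) }
    '
}

# Real use: sudo nmap 192.168.1.1-254 | find_pis
sample_scan | find_pis
```

MAC addresses only appear in the scan output when nmap runs with sudo on the same network segment as the Pi.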

Windows users: Nmap is available for Windows here. You can use the graphical interface that is bundled with Nmap instead of the command line for this step.

Windows doesn’t have a built-in SSH client, so you’ll need to grab PuTTY.

More instructions on how to use PuTTY to connect to your Pi here

3. Install PiVPN

Run the following commands in your Pi SSH session.

# update package indexes
sudo apt-get update -y

# upgrade all installed packages
sudo apt-get upgrade -y

# Download the PiVPN installer
curl -L https://install.pivpn.io > pivpn-install.sh

# Make the installer executable
chmod +x pivpn-install.sh

# Run the installer
./pivpn-install.sh

Follow the wizard steps to install OpenVPN on the Pi. The default settings should be fine.

4. Generate client certs

Run the following command to create a client certificate. Substitute myclient with any client name of your choosing.

pivpn add -n myclient nopass

You should see output similar to this.

spawn ./easyrsa build-client-full myclient nopass

Note: using Easy-RSA configuration from: ./vars
rand: Use -help for summary.
Generating a 2048 bit RSA private key
....................................................................+++
.....................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/myclient.key.CEDANWcNP0'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'myclient'
Certificate is to be certified until Jan 26 21:36:33 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Client's cert found: myclient.crt
Client's Private Key found: myclient.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key


========================================================
Done! myclient.ovpn successfully created!
myclient.ovpn was copied to:
  /home/pi/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
========================================================

5. Retrieve your certs

Open a new terminal on your own computer. Use scp to retrieve your OpenVPN config from the Pi, using the Pi’s IP address from step 2. Again, replace myclient with the client name you used in the previous step.

scp pi@10.10.10.147:/home/pi/ovpns/myclient.ovpn myclient.ovpn

Windows users: Download and run PuTTY SCP to perform this task. More info here
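
The profile created in step 4 carries the client's private key, and nopass leaves that key unencrypted, so whoever holds the file can connect. The following is an added example, not part of PiVPN or the original guide, that checks a profile's file mode and key protection; make_sample_profile and audit_ovpn are hypothetical names, the sample profile is constructed, and the script assumes the key is embedded in an inline <key> block.

```bash
#!/usr/bin/env bash
# Added example: audit a client profile (.ovpn) before moving it between devices.

make_sample_profile() {   # hypothetical helper: writes a constructed profile to $1
    cat > "$1" <<'EOF'
client
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END PRIVATE KEY-----
</key>
<tls-auth>
(constructed placeholder)
</tls-auth>
EOF
}

# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_ovpn() {
    local f="$1"
    local rc=0
    local mode key
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")  # GNU, then BSD
    # The profile embeds a private key: group and other should have no access.
    case "$mode" in
        *00) ;;
        *) echo "WEAK_PERMS mode=$mode (want 600)"; rc=1 ;;
    esac
    key=$(sed -n '/^<key>/,/^<\/key>/p' "$f")
    # nopass yields a plain "PRIVATE KEY" block; a passphrase yields an ENCRYPTED one.
    if [ -n "$key" ] && ! printf '%s\n' "$key" |
            grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED'; then
        echo "UNENCRYPTED_KEY"; rc=1
    fi
    # The tls-auth static key (ta.key in the output above) should be present too.
    grep -q -e '^<tls-auth>' -e '^<tls-crypt>' "$f" || { echo "NO_TLS_KEY"; rc=1; }
    return "$rc"
}

demo=$(mktemp) && make_sample_profile "$demo" && chmod 644 "$demo"
audit_ovpn "$demo" || true   # flags WEAK_PERMS and UNENCRYPTED_KEY
rm -f "$demo"
```

Running chmod 600 on the profile clears the first finding. Creating the profile without nopass makes PiVPN prompt for a passphrase, which clears the second.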

6. Forward ports on your router

Before your Raspberry Pi can accept connections from the Internet, ports must be forwarded from your router. Consult your router’s documentation on how to do this. Forward port 1194 UDP and TCP to your Raspberry Pi’s IP address (see step 2 for IP address).

7. Configure your client

OpenVPN runs on all desktop OS platforms as well as Android and iOS. Copy the OpenVPN config file from the previous step to your device. You’ll probably want to set this up on a mobile device to make it easy to test out your VPN.

On Android

  1. Download OpenVPN Connect from Google Play
  2. Copy the OpenVPN client file from your computer to your Android SD card
  3. Launch the OpenVPN Connect app
  4. Import the OpenVPN client file from your SD card using the menu
  5. Disconnect from WiFi and use cellular data
  6. Click Connect in the OpenVPN client app.
  7. When the app says “OpenVPN: connected” at the top, you win.

8. Use your VPN

Once connected to the VPN you can access your local network devices by their LAN IP addresses. For example, if you have an IP camera on your network, connect to it using its 192.168.x.x address rather than your public IP address.

Caveats

Residential ISPs often don’t provide a static IP address, meaning that your external IP will change every few days. This means you won’t be able to connect to your VPN unless you modify the server IP when this happens. A common way of getting around this is to configure Dynamic DNS. Services like No-ip will serve this purpose nicely. Setting up dynamic DNS is beyond the scope of this guide, however.