How to Turn A Raspberry Pi Into a VPN
Do you want to know how to turn a Raspberry Pi into a VPN? There are plenty of reasons that you’d want to access your home network remotely, and the best way to do that is with a VPN server. Some routers actually let you set up a VPN server directly within the router, but in a lot of cases, you’re going to need to set one up yourself.
A Raspberry Pi is a great way to accomplish this. They don’t require a lot of energy to run, and they have enough power to run a VPN server. You can set one up next to your router and basically forget about it.
When you have access to your home network remotely, you can get to your files from anywhere. You can run your home computers remotely. You can even use your home’s VPN connection from the road. A setup like this lets your phone, tablet, or laptop act just like it was at home from anywhere.
How to Turn A Raspberry Pi Into a VPN
Set Up The Pi
Before you can start setting up the VPN, you’re going to need to set up your Raspberry Pi. It’s best to set up the Pi with a case and decent size memory card, 16GB should be more than enough. If possible, connect your Pi to your router with an Ethernet cable. It’ll minimize any network delays.
The best operating system to use on your Pi is Raspbian. It’s the default choice put out by the Raspberry Pi foundation, and it’s based on Debian, one of the most secure and stable Linux versions available.
Go to the Rasbian download page, and grab the latest version. You can use the “Lite” version here, because you don’t actually need a graphical desktop.
While that’s downloading, get the latest version of Etcher for your operating system. After the download completes, extract the Raspbian image. Then, open Etcher. Select the Raspbian image from where you extracted it. Select your SD card(Insert it first). Finally, write the image to the card.
Leave the SD card in your computer when it’s done. Open up a file manager and browse to the card. You should see a couple of different partitions. Look for the “boot” partition. It’s the one with a “kernel.img” file in it. Create an empty text file on the “boot” partition, and call it “ssh” with no file extension.
You can finally connect up your Pi. Make sure that you plug it in last. You’re not going to need a screen, keyboard, or mouse. You’re going to remotely access the Raspberry Pi over your network.
Give the Pi a few minutes to set itself up. Then, open a web browser and navigate to your router’s management screen. Find the Raspberry Pi and note its IP address.
Whether you’re on Windows, Linux, or Mac, open up OpenSSH. Connect to the Raspberry Pi with SSH.
$ ssh [email protected]
Obviously, use the actual IP address of the Pi. The username is always pi, and the password is raspberry.
Set Up OpenVPN
OpenVPN isn’t exactly simple to set up as a server. The good news is, you only need to do it once. So, before you dig in, make sure that Raspbian is completely up to date.
$ sudo apt update $ sudo apt upgrade
After the update finishes, you can install OpenVPN and the certificate utility that you need.
$ sudo apt install openvpn easy-rsa
In order to authenticate your devices when they try to connect to the server, you need to set up a certificate authority to create sigining keys. These keys will ensure that only your devices will be able to connect to your home network.
First, create a directory for your certificates. Move into that directory.
$ sudo make-cadir /etc/openvpn/certs $ cd /etc/openvpn/certs
Look around for OpenSSL configuration files. Then, link the latest one with openssl.cnf.
$ ls | grep -i openssl $ sudo ln -s openssl-1.0.0.cnf openssl.cnf
In that same “certs” folder is a file called “vars.” Open that file up with your text editor. Nano is the default, but feel free to install Vim, if you’re more comfortable with it.
Find the KEY_SIZE variable first. It’s set to 2048 by default. Change it to 4096.
The main block that you need to deal with establishes information about your certificate authority. It helps if this info is accurate, but anything that you can remember is fine.
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="[email protected]" export KEY_OU="MyOrganizationalUnit" export KEY_NAME="HomeVPN"
When you have everything, save and exit.
That Easy-RSA package that you installed before contains a lot of scripts that help to set up everything that you need. You just need to run them. Start by adding the “vars” file as a source. That’ll load all of the variables that you just set.
$ sudo source ./vars
Next, clean up the keys. You don’t have any, so don’t worry about the message telling you that your keys will be deleted.
$ sudo ./clean-install
Finally, build your certificate authority. You already set the defaults, so you can just accept the defaults that it presents. Remember to set a strong password and answer “yes” to the last two questions, following the password.
$ sudo ./build-ca
Make Some Keys
You went through all that trouble to set up a certificate authority so you can sign keys. Now, it’s time to make some. Start by building the key for your server.
$ sudo ./build-key-server server
Next, build the Diffie-Hellman PEM. It’s what OpenVPN uses to secure your client connections to the server.
$ sudo openssl dhparam 4096 > /etc/openvpn/dh4096.pem
The last key that you need from now is called an HMAC key. OpenVPN uses this key to sign each individual packet of information exchanged between the client and the server. It helps to prevent certain kinds of attacks on the connection.
$ sudo openvpn --genkey --secret /etc/openvpn/certs/keys/ta.key
You have the keys. The next piece in setting up OpenVPN is the server configuration itself. Thankfully, there isn’t all that much that you need to do here. Debian provides a base configuration that you can use to get started. So, begin by getting that configuration file.
$ sudo gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Use you’re text editor again to open up /etc/openvpn/server.conf. The first things you need to find are the ca, cert, and key files. You need to set them to match the actual locations of the files that you created, which are all in /etc/openvpn/certs/keys.
ca /etc/openvpn/certs/keys/ca.crt cert /etc/openvpn/certs/keys/server.crt key /etc/openvpn/certs/keys/server.key # This file should be kept secret
Find the dh setting, and change it to match the Diffie-Hellman .pem that you created.
Set the path for your HMAC key too.
tls-auth /etc/openvpn/certs/keys/ta.key 0
Find the cipher and make sure it matches the example below.
The next couple of options are there, but they’re commented out with a ;. Remove the semicolons in front of each option to enable them.
push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 220.127.116.11" push "dhcp-option DNS 18.104.22.168"
Look for the user and group options. Uncomment them, and change the user to “openvpn.”
user openvpn group nogroup
Finally, these last two lines aren’t in the default configuration. You’ll need to add them at the end of the file.
Set the authentication digest to specify stronger encryption for user authentication.
# Authentication Digest auth SHA512
Then, limit the cipers that OpenVPN can use to only stronger ones. This helps limit possible attacks on weak ciphers.
# Limit Ciphers tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
That’s all for configuration. Save the file and exit.
Start The Server
Before you can start up the server, you need to make that openvpn user that you specified.
$ sudo adduser --system --shell /usr/sbin/nologin --no-create-home openvpn
It’s a special user just for running OpenVPN, and it won’t do anything else.
Now, start up the server.
$ sudo systemctl start openvpn $ sudo systemctl start [email protected]
Check that they’re both running
$ sudo systemctl status openvpn*.service
If everything looks good, enable them at startup.
$ sudo systemctl enable openvpn $ sudo systemctl enable [email protected]
You server is now set up and running. Next, you need to set up your client configuration. This is the configuration that you’ll use to connect your devices to your server. Return to the certs folder and prepare to build the client key(s). You can choose to build separate keys for each client or one key for all clients. For home use, one key should be fine.
$ cd /etc/openvpn/certs $ sudo source ./vars $ sudo ./build-key client
The process is almost identical to the server one, so follow the same procedure.
The configuration for clients is very similar to the one for the server. Again, you have a pre-made template to base your configuration on. You only need to modify it to match the server.
Change into the client directory. Then, unpack the sample configuration.
$ cd /etc/openvpn/client $ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client/client.ovpn
Open up the client.ovpn file with your text editor. Then, find the remote option. Assuming you’re not already using a VPN, Google search “What is my IP.” Take the address that it displays, and set the remote IP address to it. Leave the port number.
remote 22.214.171.124 1194 #That IP ironically is a VPN
Change the certs to reflect the ones you created, just like you did with the server.
ca ca.crt cert client.crt key client.key
Find the user options, and uncomment them. It’s fine to run the clients as nobody.
user nobody group nogroup
Uncomment the tls-auth option for HMAC.
tls-auth ta.key 1
Next, look for the cipher option and make sure that it matches the server.
Then, just add the authentication digest and cipher restrictions at the bottom of the file.
# Authentication Digest auth SHA512 # Cipher Restrictions tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
When everything looks right, save the file and exit. Use tar to pack up the configuration and the certs, so you can send them over to the client.
$ sudo tar cJf /etc/openvpn/clients/client.tar.xz -C /etc/openvpn/certs/keys ca.crt client.crt client.key ta.key -C /etc/openvpn/clients/client.ovpn
Transfer that package to the client however you choose. SFTP, FTP, and a USB drive are all great options.
In order for any of this to work, you need to configure your router to forward incoming VPN traffic to the Pi. If you’re already using a VPN, you need to make sure that you aren’t connecting on the same port. If you are, change the port on your client and server configurations.
Connect to your router’s web interface by typing in its IP address on your browser.
Every router is different. Even still, they all have should have some form of this functionality. Find it on your router.
The setup is basically the same on every router. Enter the start and end ports. They should be the same as each other and the one that you set in your configurations. Then, for the IP address, set that to your Raspberry Pi’s IP. Save your changes.
Connect To The Client
Every client is different, so there isn’t a universal solution. If you’re on Windows, you’ll need the Windows OpenVPN client.
On Android, you can open up your tarball, and transfer the keys onto your phone. Then, install the OpenVPN app. Open up the app, and plug in the information from your configuration file. Then select your keys.
On Linux, you need to install OpenVPN a lot like you did for the server.
$ sudo apt install openvpn
Then, change into /etc/openvpn, and unpack the tarball that you sent over.
$ cd /etc/openvpn $ sudo tar xJf /path/to/client.tar.xz
Rename the client file.
$ sudo mv client.ovpn client.conf
Do not start the client yet. It will fail. You need to enable port forwarding on your router first.
Final Thoughts on How to Turn a Raspberry Pi Into a VPN
After knowing how to turn a Raspberry Pi into a VPN, you should now have a working setup. Your client will connect directly through your router to the Pi. From there, you can share and connect over your virtual network, as long as all devices are connected to the VPN. There’s no limit, so you can always connect all of your computers to the Pi VPN.