{"id":532,"date":"2019-03-17T12:41:33","date_gmt":"2019-03-17T11:41:33","guid":{"rendered":"https:\/\/notiz.comanet.xyz\/?p=532"},"modified":"2019-03-17T12:50:43","modified_gmt":"2019-03-17T11:50:43","slug":"raspberry-pi-vpn-server-openvpn","status":"publish","type":"post","link":"https:\/\/notiz.comanet.xyz\/?p=532","title":{"rendered":"raspberry Pi VPN Server (OPENVPN)"},"content":{"rendered":"<header class=\"masthead masthead-inline\" role=\"banner\">\n<div class=\"x-navbar-wrap\">\n<div class=\"x-navbar\">\n<div class=\"x-navbar-inner\">\n<h2 class=\"x-container max width\">HOW TO INSTALL YOUR OWN VPN SERVER ON RASPBERRY PI? (OPENVPN)<\/h2>\n<\/div>\n<\/div>\n<\/div>\n<\/header>\n<div class=\"x-container max width main\">\n<div class=\"offset cf\">\n<div class=\"x-main left\" role=\"main\">\n<article id=\"post-1157\" class=\"post-1157 post type-post status-publish format-standard has-post-thumbnail hentry category-how-to-tutorials\">\n<div class=\"entry-wrap\">\n<div class=\"entry-content content\">\n<p>Nowadays we have more and more multimedia devices at home<br \/>\nIn my case I have: file shares, Raspberry Pi devices for specific\u00a0projects, home automation and computers<br \/>\nDid you already ask yourself how to access them while not at home?<br \/>\nIt\u2019s possible if you set up a VPN server, even on a Raspberry Pi<span id=\"ezoic-pub-ad-placeholder-106\" class=\"ezoic-adpicker-ad\"><\/span><\/p>\n<p>How to install your own VPN server on Raspberry Pi?<br \/>\n<strong>You need to install a free service on your Raspberry Pi: OpenVPN<\/strong><br \/>\n<strong>This will allow you to use home\u00a0resources from anywhere via an app on your client<\/strong><br \/>\n<strong>The app is available on any operating system, even on your smartphone<\/strong><\/p>\n<p>I\u2019ll explain what a VPN is, how it works and how to install it on a Raspberry Pi step-by-step<br \/>\nIf you\u2019re familiar with VPN topics, use the table of contents below to move directly 
to the step you are interested in<\/p>\n<div id=\"ez-toc-container\" class=\"counter-hierarchy counter-decimal ez-toc-grey\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\">Table of Contents<\/p>\n<p>&nbsp;<\/p>\n<\/div>\n<nav><\/nav>\n<\/div>\n<h2><span id=\"Whats_a_VPN\" class=\"ez-toc-section\">What\u2019s a VPN?<\/span><\/h2>\n<p>Before going further, let\u2019s start with a few reminders about VPN<\/p>\n<h3><span id=\"Introduction\" class=\"ez-toc-section\">Introduction<\/span><\/h3>\n<p>VPN stands for Virtual Private Network<br \/>\nAnd that\u2019s exactly what it is. When connected to a VPN, it\u2019s as if you were on a private network between you and the VPN server<\/p>\n<p>The main goal of a VPN is to encapsulate your data in a secure tunnel between you and the VPN server<span id=\"ezoic-pub-ad-placeholder-107\" class=\"ezoic-adpicker-ad\"><\/span><\/p>\n<p>Let\u2019s take an example<br \/>\nIf you share a web server at home with port forwarding (public_ip:80 =&gt; local_ip:80), data could be accessible to hackers, as data flows in clear on the network (man in the middle attacks are possible)<br \/>\nIf you use a VPN server on your Raspberry Pi, data flows in the secure tunnel, so nobody can decrypt them<\/p>\n<p>The goal of this tutorial is to create a secure tunnel between you (from anywhere in the world) and your local network at home<span id=\"ezoic-pub-ad-placeholder-108\" class=\"ezoic-adpicker-ad\"><\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-535 size-full\" src=\"https:\/\/notiz.comanet.xyz\/wp-content\/uploads\/2019\/03\/vpn-network.jpg\" alt=\"\" width=\"886\" height=\"261\" \/><\/p>\n<h3><span id=\"How_it_works\" class=\"ez-toc-section\">How it works<\/span><\/h3>\n<p>I won\u2019t bother you with details concerning data encryption technology<br \/>\nBut here is what you need to know:<\/p>\n<ul>\n<li>We need to install a new software on the client computer to encrypt 
data<\/li>\n<li>On this client, we also have keys coming from the server to encrypt data in a way that only the VPN server can understand<\/li>\n<li>In the client configuration, we\u2019ll tell the software to connect to the VPN server public IP address<\/li>\n<li>When the encrypted data arrives to the VPN server, the server software will decrypt it and know what to do with it<\/li>\n<li>Same thing for packets coming from the home network to the VPN client<\/li>\n<\/ul>\n<div class=\"code-block code-block-1\"><\/div>\n<p>So we don\u2019t need a lot of things, just to install software on each side of your secure tunnel<\/p>\n<h3><span id=\"OpenVPN\" class=\"ez-toc-section\">OpenVPN<\/span><\/h3>\n<p>OpenVPN is the free software we\u2019ll use to do this<br \/>\nIt provides client and server parts, for all operating systems<\/p>\n<p>More precisely, we need to install:<\/p>\n<ul>\n<li>OpenVPN server, on our Raspberry Pi at home<\/li>\n<li>OpenVPN client, on our laptop computer or smartphone, to access home resources from anywhere<\/li>\n<\/ul>\n<h2><span id=\"How_to_install_OpenVPN_on_Raspberry_Pi\" class=\"ez-toc-section\">How to install OpenVPN on Raspberry Pi<\/span><\/h2>\n<p>You now understand how it works and what we need to do<br \/>\nLet\u2019s go to the technical part!<\/p>\n<h3><span id=\"Raspberry_Pi_side\" class=\"ez-toc-section\">Raspberry Pi side<\/span><\/h3>\n<h4><span id=\"Prerequisites\" class=\"ez-toc-section\">Prerequisites<\/span><\/h4>\n<p>Here is what you need to start this guide:<\/p>\n<ul>\n<li>A Raspberry Pi (tested on Zero, so any model should work)<\/li>\n<li>Raspbian installed (Follow\u00a0<a href=\"https:\/\/raspberrytips.com\/install-raspbian-raspberry-pi\/\" target=\"_blank\" rel=\"noopener noreferrer\">this tutorial to install Raspbian<\/a>\u00a0if not already done)<\/li>\n<li>Administrator access to your Internet router or firewall (for port forwarding)<\/li>\n<li>A static public IP address if possible or a dynamic host\u00a0(I 
don\u2019t have a static IP, so I\u2019m using\u00a0<a href=\"https:\/\/www.noip.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">No-IP<\/a>)<\/li>\n<\/ul>\n<h4><span id=\"OpenVPN_installation\" class=\"ez-toc-section\">OpenVPN installation<\/span><\/h4>\n<p>Let\u2019s move to the OpenVPN installation procedure:<\/p>\n<ul>\n<li>I recommend switching to the root user because you\u2019ll\u00a0type a lot of commands in this procedure that need root privileges\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">sudo su<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Start by updating your system\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">apt update<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">apt upgrade<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Install the OpenVPN package\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">apt install openvpn<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Extract the sample configuration file to the OpenVPN folder\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">gunzip -c \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz &gt; \/etc\/openvpn\/server.conf<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Edit this file\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">nano \/etc\/openvpn\/server.conf<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Make these 
changes\n<ul>\n<li>Comment out this line\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">push <\/span><span class=\"st0\">\"redirect-gateway def1 bypass-dhcp\"<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Comment out this one (we don\u2019t need TLS authentication for the first try)\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">;tls-auth ta.key <\/span><span class=\"nu0\">0<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Edit the DNS server to fit your needs\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">push <\/span><span class=\"st0\">\"dhcp-option DNS 8.8.8.8\"<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<p>In my case, I\u2019m using the Google DNS Server (8.8.8.8) but set what you want<br \/>\nLeave the default option if you don\u2019t know what it is<br \/>\nYou can also set a second DNS server in the line above<\/li>\n<li>Comment out the user and group options\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">user nobody<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">group nogroup<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<li>Save and exit (CTRL+O, CTRL+X)<\/li>\n<\/ul>\n<p>We\u2019ll come back to this configuration file later, for the moment it\u2019s fine<\/p>\n<h4><span id=\"Allow_IP_Forwarding\" class=\"ez-toc-section\">Allow IP Forwarding<\/span><\/h4>\n<p>By default, Linux doesn\u2019t allow IP forwarding<br \/>\nAs our Raspberry Pi will be the router between VPN clients and the local network, we have to enable 
it<\/p>\n<ul>\n<li>Paste this command to enable it immediately\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">echo <\/span><span class=\"nu0\">1<\/span><span class=\"\"> &gt; \/proc\/sys\/net\/ipv4\/ip_forward<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Then open this file to enable it on boot\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">nano \/etc\/sysctl.conf<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Comment out this line\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">net.ipv4.ip_forward=<\/span><span class=\"nu0\">1<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Save and exit (CTRL+O, CTRL+X)<\/li>\n<\/ul>\n<p>Your Raspberry Pi can now act as a router<span id=\"ezoic-pub-ad-placeholder-109\" class=\"ezoic-adpicker-ad\"><\/span><\/p>\n<h4><span id=\"Easy-RSA_configuration\" class=\"ez-toc-section\">Easy-RSA configuration<\/span><\/h4>\n<p>The next step is to generate all the keys on the server side to secure the connection<br \/>\nEasy-RSA will help us for this part<\/p>\n<ul>\n<li>Copy Easy-RSA files to the OpenVPN configuration folder\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">cp -r \/usr\/share\/easy-rsa\/ \/etc\/openvpn<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Create a new sub-folder for the keys\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">mkdir 
\/etc\/openvpn\/easy-rsa\/keys<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Edit the vars file to set your preferences\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">nano \/etc\/openvpn\/easy-rsa\/vars<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<ul>\n<li>\n<pre>Change the KEY_CONFIG option to use this syntax instead\r\n\r\n<\/pre>\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\"><span class=\"\">export KEY_CONFIG=$EASY_RSA\/openssl-<\/span><span class=\"nu0\">1.0<\/span><span class=\"nu0\">.0<\/span><span class=\"\">.cnf<\/span><\/li>\n<\/ul>\n<pre>I had issues with this line, this one works with my 1.1.0j OpenSSL version\r\nIf you have another version, check in the easy-vars\/ folder if you have a file closer from your version, and edit this line<\/pre>\n<\/li>\n<li>Fill the other KEY options with your own information, for example:\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">export KEY_COUNTRY=<\/span><span class=\"st0\">\"US\"<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">export KEY_PROVINCE=<\/span><span class=\"st0\">\"CA\"<\/span><\/pre>\n<\/li>\n<li class=\" odd\">\n<pre><span class=\"\">export KEY_CITY=<\/span><span class=\"st0\">\"Los Angeles\"<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">export KEY_ORG=<\/span><span class=\"st0\">\"Raspberry Tips\"<\/span><\/pre>\n<\/li>\n<li class=\" odd\">\n<pre><span class=\"\">export KEY_EMAIL=<\/span><span class=\"st0\">\"email@domain.com\"<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">export KEY_OU=<\/span><span class=\"st0\">\"Raspberry Tips\"<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Then set the KEY_NAME like this\n<div class=\"EnlighterJSWrapper 
godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">export KEY_NAME=<\/span><span class=\"st0\">\"server\"<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<p>This is just for the key file name<\/li>\n<\/ul>\n<\/li>\n<li>Save and exit (CTRL+O, CTRL+X)<\/li>\n<\/ul>\n<p>Once the vars file is properly set, we can start with keys generation<\/p>\n<h4><span id=\"Generate_the_keys\" class=\"ez-toc-section\">Generate the keys<\/span><\/h4>\n<p>Now we use dhparam to generate the Diffie-Hellman file<\/p>\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\"><span class=\"\">openssl dhparam -out \/etc\/openvpn\/dh2048.pem <\/span><span class=\"nu0\">2048<\/span><\/li>\n<\/ul>\n<\/div>\n<p>This may take a long time (One hour on Pi Zero!)<br \/>\nThen we move to the last steps with the server keys generation<\/p>\n<ul>\n<li>Check you\u2019re still in the easy-rsa folder (and using root)\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">cd \/etc\/openvpn\/easy-rsa<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Run the initialization step\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">. 
.\/vars<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<p>The first dot is normal, never seen that, but it works\u00a0\ud83d\ude42<\/li>\n<li>Clean the folder (don\u2019t pay attention to the warning you got before)\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">.\/clean-all<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Build CA\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">.\/build-ca<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>If it works, fine, you\u2019re lucky<br \/>\nIn my test, I got errors about files missing in the keys sub-folder<br \/>\nCopying them from the examples directory fixed this issue<\/p>\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">cp \/usr\/share\/doc\/openvpn\/examples\/sample-keys\/sample-ca\/index.txt keys\/<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">cp \/usr\/share\/doc\/openvpn\/examples\/sample-keys\/sample-ca\/index.txt.attr keys\/<\/span><\/pre>\n<\/li>\n<li class=\" odd\">\n<pre><span class=\"\">cp \/usr\/share\/doc\/openvpn\/examples\/sample-keys\/sample-ca\/serial keys\/<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<p>Then redo the previous command and it should be fine<\/li>\n<li>Finally, generate the server keys with:\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">.\/build-key-server server<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<p>Leave all fields at their default values, and leave the password and company name empty<br \/>\nAnswer yes to both questions<\/li>\n<\/ul>\n<p>That\u2019s it, the work is almost done<br \/>\nWe just\u00a0need to move 
the keys to the OpenVPN configuration folder and start the service<\/p>\n<ul>\n<li>Copy the keys under the configuration folder\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">cp \/etc\/openvpn\/easy-rsa\/keys\/ca.crt \/etc\/openvpn<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">cp \/etc\/openvpn\/easy-rsa\/keys\/server.crt \/etc\/openvpn<\/span><\/pre>\n<\/li>\n<li class=\" odd\">\n<pre><span class=\"\">cp \/etc\/openvpn\/easy-rsa\/keys\/server.key \/etc\/openvpn<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Start (or restart) the service\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">service openvpn start<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Check if everything seems ok\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">service openvpn status<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<\/ul>\n<p>Wow, good work<br \/>\nYou finish the server part, we now need to create the client configuration<\/p>\n<h3><span id=\"Client\" class=\"ez-toc-section\">Client<\/span><\/h3>\n<p>The remote client also needs keys to secure the connection with the server<br \/>\nWe\u2019ll create them now<span id=\"ezoic-pub-ad-placeholder-110\" class=\"ezoic-adpicker-ad\"><\/span><\/p>\n<ul>\n<li>It\u2019s like what we did for the server, run this command to start:\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">cd \/etc\/openvpn\/easy-rsa\/<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">.\/build-key 
client1<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<p>Keep all the default values (hit enter for each question)<br \/>\nAnd answer yes for the two last questions<\/li>\n<li>Then copy the sample configuration file\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/client.conf \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Edit this file to set your network preferences\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">nano \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Find this line\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">remote your_server_ip <\/span><span class=\"nu0\">1194<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Edit with your static public IP address, or your dynamic host name<br \/>\nFor example:<\/p>\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">remote myhost.ddns.net <\/span><span class=\"nu0\">1194<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Comment out user and group\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">user nobody<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">group nogroup<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Save and exit<\/li>\n<\/ul>\n<div class=\"code-block code-block-1\"><\/div>\n<p>The client configuration is almost 
ready<\/p>\n<h4><span id=\"Create_a_unified_configuration_file\" class=\"ez-toc-section\">Create a unified configuration file<\/span><\/h4>\n<p>You can directly use all the generated files (client.ovpn with\u00a0ca.crt, client.crt, client.key)<br \/>\nBut I prefer to have only one file with all the keys inside, it\u2019s easier to import it on the client (especially for smartphones)<\/p>\n<p>To do this, follow this procedure:<\/p>\n<ul>\n<li>Open the configuration file again<\/li>\n<li>Comment out these lines\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">;ca ca.crt<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">;cert client.crt<\/span><\/pre>\n<\/li>\n<li class=\" odd\">\n<pre><span class=\"\">;key client.key<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">;ta ta.key<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<li>Save and exit<\/li>\n<li>Then run these commands to integrate the key inside\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">echo <\/span><span class=\"st0\">'&lt;ca&gt;'<\/span><span class=\"\"> &gt;&gt; \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">cat \/etc\/openvpn\/ca.crt &gt;&gt; \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<li class=\" odd\">\n<pre><span class=\"\">echo <\/span><span class=\"st0\">'&lt;\/ca&gt;'<\/span><span class=\"\"> &gt;&gt; \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">echo <\/span><span class=\"st0\">'&lt;cert&gt;'<\/span><span class=\"\"> &gt;&gt; \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<li class=\" odd\">\n<pre><span class=\"\">cat 
\/etc\/openvpn\/easy-rsa\/keys\/client1.crt &gt;&gt; \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">echo <\/span><span class=\"st0\">'&lt;\/cert&gt;'<\/span><span class=\"\"> &gt;&gt; \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<li class=\" odd\">\n<pre><span class=\"\">echo <\/span><span class=\"st0\">'&lt;key&gt;'<\/span><span class=\"\"> &gt;&gt; \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<li class=\" even\">\n<pre><span class=\"\">cat \/etc\/openvpn\/easy-rsa\/keys\/client1.key &gt;&gt; \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<li class=\" odd\">\n<pre><span class=\"\">echo <\/span><span class=\"st0\">'&lt;\/key&gt;'<\/span><span class=\"\"> &gt;&gt; \/etc\/openvpn\/easy-rsa\/keys\/client.ovpn<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<\/ul>\n<p>And it\u2019s ready<br \/>\nI\u2019ll show you in the next section how to use this configuration file on any device<\/p>\n<h4><span id=\"Port_forwarding\" class=\"ez-toc-section\">Port forwarding<\/span><\/h4>\n<p>As you may have seen in the server.conf, the OpenVPN server is listening on port 1194<br \/>\nTo access it from another location, you need to enable port forwarding in your Internet router configuration<br \/>\nThat is to say, redirect &lt;your_public_ip&gt;:1194 to &lt;your_raspberry_ip&gt;:1194<\/p>\n<p>I can\u2019t help you more about this, it all depends on your router software<br \/>\nYou\u2019ll often find a NAT configuration page in the advanced options<br \/>\nAsk your Internet provider support if you don\u2019t know how to do this<\/p>\n<h3><span id=\"Client_installation\" class=\"ez-toc-section\">Client installation<\/span><\/h3>\n<p>OpenVPN is available for all devices with any operating system, even smartphones<br \/>\nDon\u2019t forget, you need to be out of the local network to test the connection<br \/>\nUse a mobile connection while 
testing<\/p>\n<h4><span id=\"Desktop\" class=\"ez-toc-section\">Desktop<\/span><\/h4>\n<p>On desktop devices, OpenVPN is available for free from the\u00a0<a href=\"https:\/\/openvpn.net\/community-downloads\/\" target=\"_blank\" rel=\"noopener noreferrer\">community section of the official website<\/a><br \/>\nYou\u2019ll find downloads for Linux or Windows<\/p>\n<p>For both operating systems, you need to transfer the client.ovpn file from the Raspberry Pi to the computer (use WinSCP or FileZilla to do this)<\/p>\n<h5><span id=\"For_Windows\" class=\"ez-toc-section\">For Windows<\/span><\/h5>\n<ul>\n<li>Download the file from the OpenVPN website<\/li>\n<li>Install it following the setup wizard<\/li>\n<li>Find the OpenVPN GUI in the start menu and launch it<\/li>\n<li>Right click on the icon in the notification panel<br \/>\n<img class=\"aligncenter size-full wp-image-1172\" alt=\"vpn gui icon\" width=\"165\" height=\"81\" data-lazy-src=\"https:\/\/raspberrytips.com\/wp-content\/uploads\/2019\/01\/vpn-gui.jpg\" \/><\/li>\n<li>Select \u201cImport file\u201d\u00a0and select the client.ovpn file<\/li>\n<\/ul>\n<h5><span id=\"For_Linux\" class=\"ez-toc-section\">For Linux<\/span><\/h5>\n<ul>\n<li>You have two choices for the installation:\n<ul>\n<li>With a Debian-like distribution: use apt to install OpenVPN\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">apt install openvpn<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<p>On a\u00a0Red Hat-like distribution, you can use yum the same way<\/li>\n<li>For other cases, download the sources from the official website, and follow the documentation<\/li>\n<\/ul>\n<\/li>\n<li>Then to connect you also have two choices\n<ul>\n<li>With desktop distributions, look in your network manager if you have a VPN tab to set the configuration<\/li>\n<li>Or use the command line\n<div class=\"EnlighterJSWrapper 
godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">sudo openvpn client.ovpn<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>I don\u2019t have a Mac to give you the procedure on Mac OS<br \/>\nI\u2019ll let you follow\u00a0<a href=\"https:\/\/openvpn.net\/vpn-server-resources\/installation-guide-for-openvpn-connect-client-on-macos\/\" target=\"_blank\" rel=\"noopener noreferrer\">this documentation from OpenVPN<\/a><\/p>\n<h4><span id=\"Android_iOS\" class=\"ez-toc-section\">Android \/ iOS<\/span><\/h4>\n<p>On your smartphone, you can find the \u201cOpenVPN Connect\u201d app in the Android or iOS app store<br \/>\nInstall it,\u00a0then go to \u201cOVPN profile\u201d and import your client configuration file<\/p>\n<p>The easiest way is to send the file to yourself by email and download it from your email client<br \/>\nThen browse your local storage to the Downloads folder, and import the file<\/p>\n<h2><span id=\"Note_about_network_routing\" class=\"ez-toc-section\">Note about network routing<\/span><\/h2>\n<p>Once connected from a remote device, you can access the Raspberry Pi hosting the VPN server<br \/>\nBut you may not be able to access other devices on your local network<\/p>\n<p>Your local network differs from the VPN clients network<br \/>\nIn my case, my local network is 192.168.1.0, and my VPN network is 10.8.0.0 (default)<\/p>\n<p><img class=\"aligncenter size-full wp-image-1168\" alt=\"schema vpn\" width=\"787\" height=\"419\" data-lazy-src=\"https:\/\/raspberrytips.com\/wp-content\/uploads\/2019\/01\/schema.jpg\" \/><\/p>\n<p>A can see the Raspberry Pi, and so can B, but A cannot see B<br \/>\nIn fact, local devices don\u2019t know how to talk to VPN clients<br \/>\nYou need to create a route between them,\u00a0to tell them that 10.8.0.0 is accessible through the Raspberry Pi<\/p>\n<p>If the main router on your local network can\u00a0do this, add a static 
route<br \/>\nIf not, you need to add this route on every device in your local network<\/p>\n<p><strong>On Linux\/Mac:<\/strong><\/p>\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">route add -net <\/span><span class=\"nu0\">10.8<\/span><span class=\"nu0\">.0<\/span><span class=\"nu0\">.0<\/span><span class=\"\"> netmask <\/span><span class=\"nu0\">255.255<\/span><span class=\"nu0\">.255<\/span><span class=\"nu0\">.0<\/span><span class=\"\"> gw <\/span><span class=\"nu0\">192.168<\/span><span class=\"nu0\">.1<\/span><span class=\"nu0\">.18<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<p>Change the values to match your server.conf settings<\/p>\n<p><strong>On Windows:<\/strong><\/p>\n<p>&nbsp;<\/p>\n<div class=\"EnlighterJSWrapper godzillaEnlighterJSWrapper\">\n<ul class=\"hoverEnabled godzillaEnlighterJS EnlighterJS\">\n<li class=\" odd\">\n<pre><span class=\"\">route -p ADD <\/span><span class=\"nu0\">10.8<\/span><span class=\"nu0\">.0<\/span><span class=\"nu0\">.0<\/span><span class=\"\"> MASK <\/span><span class=\"nu0\">255.255<\/span><span class=\"nu0\">.255<\/span><span class=\"nu0\">.0<\/span> <span class=\"nu0\">192.168<\/span><span class=\"nu0\">.1<\/span><span class=\"nu0\">.18<\/span><\/pre>\n<\/li>\n<\/ul>\n<\/div>\n<p>This solution is fine if you only have computers or servers to access through the VPN connection<br \/>\nBut for other devices I didn\u2019t look for a solution (if you know how to do this in another way, please leave a comment)<\/p>\n<h2><span id=\"Related_questions\" class=\"ez-toc-section\">Related questions<\/span><\/h2>\n<div class=\"code-block code-block-1\"><\/div>\n<p><strong>Is it possible to use it in the other way, to secure the outgoing traffic?<\/strong>\u00a0Not really. There is a way to use your Raspberry Pi as an anonymizer gateway using Tor or any VPN offer in the market. 
But it has nothing to do with what we did. It\u2019s another project where the Raspberry Pi will be the client, not the server<\/p>\n<p><strong>Is it possible to have multiple clients?<\/strong>\u00a0Yes absolutely. You just\u00a0need new configuration file and keys for each client. Repeat the client configuration steps above to generate multiple ovpn files.<\/p>\n<h2><span id=\"Conclusion\" class=\"ez-toc-section\">Conclusion<\/span><\/h2>\n<p>Congratulations if you made everything work as expected<br \/>\nIt was not an obvious tutorial, but it\u2019s a good achievement in your Raspberry Pi learning\u00a0\ud83d\ude42<\/p>\n<p>Ask questions if you get issues somewhere, I\u2019ll try to help you<\/p>\n<\/div>\n<\/div>\n<\/article>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>HOW TO INSTALL YOUR OWN VPN SERVER ON RASPBERRY PI? (OPENVPN) Nowadays we have more and more multimedia devices at home In my case I have: file shares, Raspberry Pi devices for specific\u00a0projects, home automation and computers Did you already ask yourself how to access them while not at home? 
It\u2019s possible if you set&#8230;<\/p>\n","protected":false},"author":1,"featured_media":538,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-532","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to-s"],"_links":{"self":[{"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=\/wp\/v2\/posts\/532","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=532"}],"version-history":[{"count":5,"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=\/wp\/v2\/posts\/532\/revisions"}],"predecessor-version":[{"id":539,"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=\/wp\/v2\/posts\/532\/revisions\/539"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=\/wp\/v2\/media\/538"}],"wp:attachment":[{"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/notiz.comanet.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}