stetim94
Posts: 4
Joined: Tue Oct 21, 2014 7:23 am

Re: How to set up a Raspberry Pi VPN server

Sun Dec 21, 2014 4:57 pm

@joakimb Thank you so much, now it works. I was struggling so much. Great solution.
@PeterBij I don't know if the VPN automatically boots, but maybe you can find that in the startup processes? You can reboot your Pi to see if it works, but I believe I came across a note somewhere that the iptables changes are not permanent. I will run some tests and let you know. The Pi should automatically switch back on after power is restored.

@PeterBij, I manually rebooted the Pi, and as I suspected: the iptables changes are permanent (OpenVPN did boot). So either make those changes somehow permanent (must be possible) or use ssh to log in after power is back online and run the iptables changes which need to be made.

Question: I can now connect from a Linux computer; is it possible to connect from an iPad/Windows computer/other mobile devices?

buchnich
Posts: 4
Joined: Tue Jan 06, 2015 12:32 am

Re: How to set up a Raspberry Pi VPN server

Tue Jan 06, 2015 12:35 am

I get this error

```
root@raspberrypi:/etc/openvpn/easy-rsa# scp /etc/openvpn/easy-rsa/keys/client1.key user@123.456.789.101:/home/user/
ssh: Could not resolve hostname 123.456.789.101: Name or service not known
lost connection
root@raspberrypi:/etc/openvpn/easy-rsa# scp /etc/openvpn/easy-rsa/keys/client1.crt user@123.456.789.101:/home/user/
ssh: Could not resolve hostname 123.456.789.101: Name or service not known
lost connection
root@raspberrypi:/etc/openvpn/easy-rsa# scp /etc/openvpn/easy-rsa/keys/ca.crt user@123.456.789.101:/home/user/
ssh: Could not resolve hostname 123.456.789.101: Name or service not known
lost connection
root@raspberrypi:/etc/openvpn/easy-rsa# scp /etc/openvpn/easy-rsa/keys/ta.key user@123.456.789.101:/home/user/
ssh: Could not resolve hostname 123.456.789.101: Name or service not known
lost connection
root@raspberrypi:/etc/openvpn/easy-rsa# scp /etc/openvpn/easy-rsa/keys/client1.key user@123.456.789.101:/home/user/
ssh: Could not resolve hostname 123.456.789.101: Name or service not known
lost connection
```
after trying to do step 4. Can you help?

iinnovations
Posts: 621
Joined: Thu Jun 06, 2013 5:17 pm

Re: How to set up a Raspberry Pi VPN server

Tue Jan 06, 2015 3:40 am

Do you see anything wrong with a host name of 123.456.789.101?
CuPID Controls :: Open Source browser-based sensor and device control
interfaceinnovations.org/cupidcontrols.html
cupidcontrols.com

Xenomorph
Posts: 4
Joined: Mon Jan 05, 2015 9:22 pm

Re: How to set up a Raspberry Pi VPN server

Tue Jan 06, 2015 4:50 am

What's the OpenVPN performance on something like the Raspberry Pi?

I run an OpenVPN server on an old Pentium D system (2.8 GHz, dual-core). Just one connection @ 30-80 Mbps can easily bring one of the cores to 100%.

I am using AES-256, though. I'd probably drop it to AES-128 or Blowfish on the Pi.

DougieLawson
Posts: 32728
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: How to set up a Raspberry Pi VPN server

Tue Jan 06, 2015 8:20 am

iinnovations wrote: Do you see anything wrong with a host name of 123.456.789.101?
If there's a DNS or /etc/hosts entry for it there's absolutely nothing wrong with that (somewhat odd) string of digits as a domain name. It's definitely not valid as a dotted decimal IPv4 address.
Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

2012-18: 1B*5, 2B*2, B+, A+, Z, ZW, 3Bs*3, 3B+

Any DMs sent on Twitter will be answered next month.

stetim94
Posts: 4
Joined: Tue Oct 21, 2014 7:23 am

Re: How to set up a Raspberry Pi VPN server

Wed Jan 07, 2015 1:35 pm

@buchnich

What are you using? Is 123.456.789.101 your router's IP address or your Raspberry's IP address?
If it is the router's IP, did you enable port forwarding?
If it is the Raspberry Pi's IP, are you in the same network?
Did you set up an ssh connection? Connect to the correct port? No blocking firewall?

DougieLawson
Posts: 32728
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: How to set up a Raspberry Pi VPN server

Wed Jan 07, 2015 2:01 pm

It isn't an IP address at all.

The octets in ANY IPv4 address can only be 0 to 255. Values over 255 are NOT valid.

typerighter
Posts: 3
Joined: Wed Jan 07, 2015 9:11 pm

Re: How to set up a Raspberry Pi VPN server

Thu Jan 08, 2015 7:50 pm

For those who are having the TLS error: please note that the server config file is missing a reference to the ta key. I fixed the problem by adding this line in the server config file after the line "keepalive 10 120":

```
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
```
After you make the change, make sure to restart openvpn via

```
service openvpn restart
```

tommertom
Posts: 13
Joined: Mon Sep 15, 2014 1:12 pm

Re: How to set up a Raspberry Pi VPN server

Tue Jan 27, 2015 9:25 pm

Hi

The tutorial and subsequent messages have been quite useful for me to set up my OpenVPN server on the Pi. For my own use and also to share with the community I automated the setup of the server (incl. firewall config) as well as the fully automated ovpn file generation (for mobile devices) in bash scripts. With the OpenVPN app on iPhone it is now really a piece of cake to go private.

Compared to rmurr's tutorial I took a different approach in the iptables and assured these settings remain after reboot (taken from other tutorial).

To be found in this forum and published on SourceForge:
http://www.raspberrypi.org/forums/viewt ... 98#p679198

I only have an issue including the ta.key in the ovpn file to make sure the mobile device uses that for enhanced security (HMAC). To be continued (already Googling a lot).

Regards

Tom
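
An added example, not part of the post above or of tommertom's scripts: one way to put ta.key into a single-file client profile is OpenVPN's inline `<tls-auth>` section together with `key-direction 1`, the client-side counterpart of the server's `tls-auth ... 0`. The function names, argument order and the remote host passed in are assumptions; `cipher` and `comp-lzo` mirror the server config posted in this thread.

```bash
#!/usr/bin/env bash
# Build a unified .ovpn profile with CA, client cert/key and the tls-auth
# HMAC key embedded inline. Function names and arguments are assumptions.

# emit_block TAG FILE: wrap the contents of FILE in <TAG> ... </TAG>.
emit_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_ovpn KEYDIR CLIENT REMOTE_HOST [PORT]: write the profile to stdout.
# The output contains the client private key, so redirect it under a tight
# umask, e.g. (umask 077; make_ovpn KEYDIR client1 HOST > client1.ovpn)
make_ovpn() {
    local keydir="$1" client="$2" remote="$3" port="${4:-1194}" f
    for f in ca.crt "$client.crt" "$client.key" ta.key; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-128-CBC
comp-lzo
verb 3
# Server side is "tls-auth ta.key 0", so the client side is direction 1.
key-direction 1
EOF
    emit_block ca "$keydir/ca.crt"
    # Keep only the PEM body: the .crt may start with a human-readable dump.
    printf '<cert>\n'
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        "$keydir/$client.crt"
    printf '</cert>\n'
    emit_block key "$keydir/$client.key"
    emit_block tls-auth "$keydir/ta.key"
}
```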

Piroman
Posts: 6
Joined: Sat Feb 07, 2015 11:04 pm

Re: How to set up a Raspberry Pi VPN server

Sat Feb 07, 2015 11:08 pm

@rmurr
Does iptables stay saved after reboot?

natodemon
Posts: 2
Joined: Wed Feb 18, 2015 11:19 pm

Re: How to set up a Raspberry Pi VPN server

Wed Feb 18, 2015 11:32 pm

@rmurr Thank you so much for this guide, I'd have been lost and not have known where to start without it!
The setup worked almost exactly as you explained here with another Linux server as client and the same with an Android device; my only issue was with Apple devices. Due to something in the latest OpenVPN Connect app the self-signed certificates were being rejected. Thankfully after many hours of frustration I found the answer in an app review; adding the line "basicConstraints:CA:TRUE" in the client .ovpn file solves the issue.

@Piroman No, the iptables rules are not permanent; they are lost upon reboot. However, you can use a program called iptables-persistent to restore them each reboot.

pxt32846
Posts: 1
Joined: Sun Feb 22, 2015 3:04 am

Re: How to set up a Raspberry Pi VPN server

Sun Feb 22, 2015 3:17 am

First off - great tutorial. It's been a while since I've configured the community builds of OpenVPN rather than the OpenVPN Access Server (which is a lot easier... too bad they don't have an AS package for the ARMv7 architecture) so your tutorial sped things up a lot for me.

I just wanted to leave one additional tip here for others that may find this - I don't like having to enter the iptables commands each time I reboot the device so I found an easy solution to this problem.

Step 1 - Enter the iptables commands from the tutorial.
Step 2 - Run the following command to install the iptables-persistent package which will allow you to save rules to load on system startup to a file.

```
sudo apt-get install iptables-persistent
```
During installation of the package, you will be prompted to save your existing IPv4 rules to the rules file. Select Yes to save your existing rules and the rules you've already entered will be saved to the file automatically and will be loaded on boot from now on. Makes life a lot easier if you'd like everything to happen automatically should you need to reboot or lose power.

I found this solution from the following page if you'd like more information: https://www.thomas-krenn.com/en/wiki/Sa ... ermanently

Again, thanks for writing the tutorial!

ponyhearts
Posts: 5
Joined: Sun Mar 15, 2015 10:15 am

Re: How to set up a Raspberry Pi VPN server

Sun Mar 15, 2015 11:10 am

Does OpenVPN in general exhibit a lot of disk usage? i.e. consume read and write cycles?

I was wondering if it is recommended to use the USB version of Raspbian to install OpenVPN or if all the routing would occur within the RAM.

Thanks.

DougieLawson
Posts: 32728
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: How to set up a Raspberry Pi VPN server

Sun Mar 15, 2015 12:10 pm

ponyhearts wrote: Does OpenVPN in general exhibit a lot of disk usage? i.e. consume read and write cycles?
No. It's memory resident, the only open file is the log (if you configure it) but it does drive a lot of network I/O.

mojopie
Posts: 3
Joined: Fri May 22, 2015 2:05 am

Re: How to set up a Raspberry Pi VPN server

Fri May 22, 2015 2:11 am

Hello,

I'm a complete noob with Linux and setting up VPN outside of the Windows environment, but I've made it to the step where I configure the IP settings. Will somebody please be kind enough to explain, for each IP/subnet address below, which IP I'm supposed to input and where I would get that from? Thanks a bunch.

```
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh2048.pem # If you kept 1024, change it to dh1024.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route -PI-LAN-IP 255.255.255.0" # Enter PI LAN PI   <--- for this, will it end up looking like 'push "route 192.168.1.1 255..."
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 10.8.0.1"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
```

DougieLawson
Posts: 32728
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: How to set up a Raspberry Pi VPN server

Fri May 22, 2015 8:17 am

Make it simpler

```
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3
```
And on the client

```
client
dev tun
proto udp
remote dyndns.example.co.uk 1194 # can use a dotted decimal address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert example_user.client.crt
key example_user.client.key
ns-cert-type server
comp-lzo
verb 3
```

mojopie
Posts: 3
Joined: Fri May 22, 2015 2:05 am

Re: How to set up a Raspberry Pi VPN server

Fri Jun 05, 2015 6:49 am

Thank you sir, I'll give it a try.
Just to be sure, where you have 10.8.0.0, this would be the local IP address of my server, right? i.e. 192.168.1.100

Also, for the client it is actually my Android phone (OnePlus). Do you have any idea where I'm supposed to put the keys and files on my phone? Thanks.

thanks.

DougieLawson
Posts: 32728
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: How to set up a Raspberry Pi VPN server

Fri Jun 05, 2015 3:29 pm

No.
The 10.8.0.0/24 subnet is used for the remote clients. OpenVPN fixes up the routing tables on both local and remote systems.

macaan
Posts: 9
Joined: Tue Jun 02, 2015 9:04 am

Re: How to set up a Raspberry Pi VPN server

Wed Jun 10, 2015 9:05 am

Great work and tutorial!

I used the tutorial together with another http://readwrite.com/2014/04/10/raspber ... b-browsing and successfully established the vpn connection.

I have the routing enabled (by using the IPTABLES IN THIS TUTORIAL); however, my PC gets the IP 10.8.0.6, which is strange because as per the server.conf file that I configured it should be 10.8.0.1.

local 192.168.1.X (MI IP ADDRESS)
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/ABC.crt
key /etc/openvpn/easy-rsa/keys/ABC.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.0"
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 80.227.x.x" (MY DNS)
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
dev tun
Nonetheless the VPN is working fine and I can access the internet and other things from an outside network.
I just want to know if this is normal or if I made some mistake.

Also I would like to know: if I have to remove a client from the VPN, what is the best way to do that? (I am deploying this at my workplace and maybe some work colleague will leave in future and I will have to cancel their access.)

mojopie
Posts: 3
Joined: Fri May 22, 2015 2:05 am

Re: How to set up a Raspberry Pi VPN server

Tue Jun 16, 2015 2:13 am

I have another very noob question.

I think I've set up everything on the server side, but by the end of the guide I kind of feel that this is meant for VPN from Linux to Linux. Is it possible to VPN from my Windows machine? Is it possible to VPN from my Android phone (OnePlus)?

DougieLawson
Posts: 32728
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: How to set up a Raspberry Pi VPN server

Tue Jun 16, 2015 8:21 am


drgeoff
Posts: 8094
Joined: Wed Jan 25, 2012 6:39 pm

Re: How to set up a Raspberry Pi VPN server

Tue Jun 16, 2015 1:55 pm

Android devices often have a L2TP/IPSec VPN client already built-in.

macaan
Posts: 9
Joined: Tue Jun 02, 2015 9:04 am

Re: How to set up a Raspberry Pi VPN server

Sat Jun 20, 2015 1:34 pm

I have a routing problem: while connecting from an outside network I can only use the network sharing and no internet :S

Can someone guide me on how to fix my iptables and also whether I need to make any changes as per my network?

The rules I am using are from the above post:
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
What changes do I need to make since my network is 192.168.1.x

I used the other post and installed iptables persistent.

apt-get install iptables-persistent

and then manually added below in /etc/iptables/rules.v4

# Generated by iptables-save v1.4.14 on Sat Jun 20 13:36:33 2015
*filter
:INPUT ACCEPT [8225:11167366]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3545:288766]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 192.168.1.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 192.168.1.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -d 192.168.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
# Completed on Sat Jun 20 13:36:34 2015
# Generated by iptables-save v1.4.14 on Sat Jun 20 13:36:34 2015
*nat
: PREROUTING ACCEPT [36:2765]
:INPUT ACCEPT [18:1636]
:OUTPUT ACCEPT [24:1594]
: POSTROUTING ACCEPT [24:1594]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.115
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.115
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j VPNSIRTI
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j VPNSIRTI
COMMIT
# Completed on Sat Jun 20 13:36:34 2015

Thank you
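
An added example, not part of the post above: a check for two things visible in that rules.v4, rules that appear more than once in a table and a jump to a target (VPNSIRTI) that is neither a chain declared in the file nor in the script's list of known targets. The function names and the target list are assumptions; the sample input is constructed and abridged from the post.

```bash
#!/usr/bin/env bash
# Lint an iptables-save style rules file for repeated rules and for
# -j/-g targets that are not declared chains or known targets.

# Constructed sample, abridged from the rules.v4 quoted in the thread.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.115
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j VPNSIRTI
COMMIT
EOF
}

# check_rules [FILE]: read FILE or stdin, print one finding per line,
# exit status 1 if anything was found.
check_rules() {
    awk '
    BEGIN {
        # Non-exhaustive list of built-in and common extension targets (assumption).
        n = split("ACCEPT DROP RETURN QUEUE REJECT LOG MASQUERADE SNAT DNAT REDIRECT", t, " ")
        for (i = 1; i <= n; i++) known[t[i]] = 1
    }
    /^\*/ { table = substr($1, 2); next }            # table header, e.g. *nat
    /^:/  { chain[table, substr($1, 2)] = 1; next }  # chain declaration
    /^-A / {
        if (seen[table, $0]++) { print "duplicate " table ": " $0; bad++ }
        for (i = 1; i < NF; i++)
            if (($i == "-j" || $i == "-g") && !known[$(i+1)] &&
                !((table, $(i+1)) in chain)) {
                print "unknown-target " table ": " $(i+1); bad++
            }
    }
    END { exit (bad > 0) }
    ' "$@"
}
```

Run it as `check_rules /etc/iptables/rules.v4` before reloading the saved rules; `sample_rules | check_rules` shows the two findings for the sample.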

matteos1
Posts: 23
Joined: Wed Feb 25, 2015 6:39 pm

Re: How to set up a Raspberry Pi VPN server

Thu Jul 09, 2015 9:44 am

Hi, a little question.
Every time that I reboot my Raspberry I must type sudo service openvpn restart to make OpenVPN start.
Does someone know a solution to start it automatically on boot?

DougieLawson
Posts: 32728
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: How to set up a Raspberry Pi VPN server

Thu Jul 09, 2015 10:24 am

What's in /etc/default/openvpn

Mine has

```
# This is the configuration file for /etc/init.d/openvpn

#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
# The VPN name refers to the VPN configutation file name.
# i.e. "home" would be /etc/openvpn/home.conf
#
#AUTOSTART="all"
AUTOSTART="my.openvpn.server"
#AUTOSTART="none"
#AUTOSTART="home office"
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
#
# If you need openvpn running after sendsigs, i.e.
# to let umountnfs work over the vpn, set OMIT_SENDSIGS
# to 1 and include umountnfs as Required-Stop: in openvpn's
# init.d script (remember to run insserv after that)
#
OMIT_SENDSIGS=0
```
