This weekend, I heard a friend say that he wants to turn his Raspberry Pi into a VPN server. Since I still had an old Raspberry Pi lying around, I decided to install the latest version of Raspbian on it (the April 2018 release), install OpenVPN, record how I did it, and show my friend how he can easily do the same on his Raspberry Pi. All the commands I use in the video are listed on this page below.
I chose to enable the root account first, so I don't have to type my sudo password with every command. To enable the root account, open a console, type 'sudo su', then 'passwd root', and enter a new password for the root account. Once that is done, you can start following the instructions below.
Start by updating the kernel with the command rpi-update. When that's done, first reboot the Pi, and then comment out all the IPv6 lines in your hosts file. See example.
nano /etc/hosts
Find and uncomment net.ipv4.ip_forward=1 in the file /etc/sysctl.d/99-sysctl.conf
nano /etc/sysctl.d/99-sysctl.conf
net.ipv4.ip_forward=1
Add these next lines at the end of the file if you want to disable IPv6 completely.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
Save the file and enter
sysctl -p
apt install openvpn easy-rsa
adduser --system --shell /usr/sbin/nologin --no-create-home openvpn
groupadd openvpn
usermod -a -G openvpn openvpn
grep openvpn /etc/group
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Open the server.conf file and edit a handful of options so they look like the examples below.
nano /etc/openvpn/server.conf
ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key # This file should be kept secret
dh /etc/openvpn/certs/keys/dh2048.pem
push "route 10.9.8.0 255.255.255.0"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
tls-auth /etc/openvpn/certs/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
user openvpn
group openvpn
The options below can be added at the very end of the config file.
# Auth Digest
auth SHA512
# Limit Ciphers
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
make-cadir /etc/openvpn/certs
cd /etc/openvpn/certs
ln -s openssl-1.0.0.cnf openssl.cnf
Edit the vars file and change all the values you see between the quotation marks (" ").
nano vars
export KEY_SIZE=2048
# export KEY_SIZE=4096
export KEY_COUNTRY="Country"
export KEY_PROVINCE="Province"
export KEY_CITY="City"
export KEY_ORG="Org"
export KEY_EMAIL="E-mail address"
export KEY_OU="Hostname"
export KEY_NAME="UniqueName"
source ./vars
./clean-all
./build-ca
./build-key-server server
openssl dhparam 2048 > /etc/openvpn/certs/keys/dh2048.pem
openvpn --genkey --secret /etc/openvpn/certs/keys/ta.key
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
systemctl start openvpn
systemctl start openvpn@server
systemctl enable openvpn
systemctl enable openvpn@server
systemctl status openvpn*.service
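The server.conf edits above are easy to get wrong when pasting from a web page: curly quotes in the push lines, a forgotten user/group drop, or a key file left world-readable. As an added example that is not part of the original post, here is a small POSIX shell audit that checks a server.conf for the directives set in this walkthrough and for the private key's permissions. It runs against two constructed sample configs in a temporary directory rather than a real installation; the file paths, sample contents and function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN server.conf for
# the directives the walkthrough edits (privilege drop, tls-auth, digest,
# cipher, DH params) and for two copy/paste mistakes, so the edit can be
# verified before the service is started. Assumes POSIX sh, awk, grep, ls, mktemp.

# Print the first argument of a directive, or nothing if it is absent.
conf_get() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 if the file has no group/other permission bits (e.g. mode 600).
owner_only() { # $1 = path
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Audit one config. Prints a line per finding; exit status = number of findings.
check_openvpn_conf() {  # $1 = path to server.conf
    conf="$1"; n=0
    finding() { echo "FAIL: $1"; n=$((n + 1)); }

    [ "$(conf_get "$conf" user)"  = openvpn ] || finding "user should be 'openvpn'"
    [ "$(conf_get "$conf" group)" = openvpn ] || finding "group should be 'openvpn'"
    [ -n "$(conf_get "$conf" dh)" ]           || finding "dh params file not set"
    [ -n "$(conf_get "$conf" tls-auth)" ] || [ -n "$(conf_get "$conf" tls-crypt)" ] \
        || finding "no tls-auth/tls-crypt key: control channel not protected"

    case "$(conf_get "$conf" auth)" in
        SHA256|SHA384|SHA512) ;;
        *) finding "auth digest should be SHA256 or stronger (post uses SHA512)" ;;
    esac
    case "$(conf_get "$conf" cipher)" in
        AES-256-CBC|AES-256-GCM|AES-128-GCM) ;;
        *) finding "cipher should be AES-256-CBC (post) or an AES-GCM mode" ;;
    esac

    # Word-processor quotes break 'push' lines; OpenVPN wants plain ASCII ".
    if grep -F -q -e '“' -e '”' "$conf"; then
        finding "curly quotes found; replace them with straight double quotes"
    fi

    # If the private key exists, it must not be readable by group or world.
    key="$(conf_get "$conf" key)"
    if [ -n "$key" ] && [ -e "$key" ]; then
        owner_only "$key" || finding "$key is readable by others; chmod 600 it"
    fi
    return "$n"
}

# --- Demo on constructed files (placeholder key, not a real one) ------------
demo_dir="$(mktemp -d)"
printf 'constructed placeholder, not a real key\n' > "$demo_dir/server.key"
chmod 600 "$demo_dir/server.key"

# Hardened config mirroring the walkthrough's edits.
cat > "$demo_dir/good.conf" <<EOF
port 1194
proto udp
dev tun
ca $demo_dir/ca.crt
cert $demo_dir/server.crt
key $demo_dir/server.key # This file should be kept secret
dh $demo_dir/dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 10.9.8.0 255.255.255.0"
push "dhcp-option DNS 1.1.1.1"
tls-auth $demo_dir/ta.key 0
cipher AES-256-CBC
user openvpn
group openvpn
auth SHA512
EOF

# Same idea pasted badly: curly quotes, no privilege drop, no tls-auth, weak digest.
cat > "$demo_dir/bad.conf" <<EOF
port 1194
dev tun
key $demo_dir/server.key
dh $demo_dir/dh2048.pem
push “route 10.9.8.0 255.255.255.0”
cipher AES-256-CBC
auth SHA1
EOF

good_findings() { check_openvpn_conf "$demo_dir/good.conf"; }
bad_findings()  { check_openvpn_conf "$demo_dir/bad.conf"; }

for f in good bad; do
    echo "== $f.conf"
    rc=0; check_openvpn_conf "$demo_dir/$f.conf" || rc=$?
    echo "findings: $rc"
done
```

On the Pi itself, run check_openvpn_conf /etc/openvpn/server.conf as root before the systemctl start step; a non-zero exit status is the number of findings, and the messages say which directive to fix.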
Now your OpenVPN server is running. The next step is to create the config files for your OpenVPN client app. More on how to do that in my next post, so make sure you visit again soon.