
How to set up your own VPN using Raspberry Pi

Build keys for each user

Your server is now set up and you need to build keys for all the devices you want to be able to connect.

You can cut corners here and just build one key to use on all devices. By default only one device can connect using each key at a time, so if you want simultaneous connections you will need a different key for each one (the server configuration later in this article includes duplicate-cn, which lifts that limit, but separate keys also let you revoke one lost device without cutting off the others).

To assign a user a key type:

./build-key-pass [UserName]

… substituting [UserName] with a name of your choice – for example, to make a key for connecting my Android phone to the VPN I chose the name KateAndroid.

You will get some more prompts now:

Enter PEM pass phrase

… choose a password you will remember! It asks you to input this twice to eliminate errors.

A challenge password? MUST be left blank.

Sign the certificate? [y/n]

Hit “y”

Next type:

cd keys

then (using my example username, which you should change for your own):

openssl rsa -in KateAndroid.key -des3 -out KateAndroid.3des.key

This last line re-encrypts the private key with Triple DES, so the key file is useless to anyone who copies it without also knowing the pass phrase.

You will be asked to enter pass phrase for KateAndroid.key – this is the phrase you entered in the previous step.

You will then be asked to enter and repeat a new PEM pass phrase for the des3 key. I used the same pass phrase for both so you only have one to remember. You will need the 3des.key pass phrase at the end of this process when you import your files to your devices.

Repeat these steps for all the usernames you want to build a key for.

You have now created your “client certificates”. Type:

cd ..
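Before a key file is copied to a phone or laptop it is worth confirming that it really is pass-phrase protected, since a key stored in the clear lets anyone who copies the file connect as that user. The script below is an added example, not part of the original article: it inspects the PEM headers of each user's .key and .3des.key (the keys directory path and the user names in the usage line are assumptions, substitute your own).

```shell
#!/bin/sh
# Added example, not part of the original article: before copying a user's
# private key to a phone or laptop, confirm that it really is pass-phrase
# protected. A traditional PEM key encrypted by `openssl rsa -des3` carries
# "Proc-Type: 4,ENCRYPTED" and "DEK-Info: DES-EDE3-CBC,<iv>" headers; a
# PKCS#8 key (what newer OpenSSL versions write) starts with
# "-----BEGIN ENCRYPTED PRIVATE KEY-----". A key with neither is stored in
# the clear, and anyone who copies that file can connect as that user.
# Usage (paths and user names are examples, substitute your own):
#   check_client_keys /etc/openvpn/easy-rsa/keys KateAndroid KateLaptop

# Returns 0 if the PEM file exists and is encrypted, 1 otherwise.
key_is_encrypted() {
    [ -r "$1" ] || return 1
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ||
        grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Checks both the original .key and the .3des.key for every user named on
# the command line; prints one line per file and returns 1 if any key is
# missing or unencrypted.
check_client_keys() {
    dir=$1
    shift
    bad=0
    for user in "$@"; do
        for f in "$dir/$user.key" "$dir/$user.3des.key"; do
            if key_is_encrypted "$f"; then
                echo "protected   $f"
            else
                echo "UNPROTECTED $f"
                bad=$((bad + 1))
            fi
        done
    done
    [ "$bad" -eq 0 ]
}
```

Run it from the easy-rsa directory after building the keys; a non-zero exit status means at least one key should not leave the Raspberry Pi until it has been encrypted.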

Generate the Diffie-Hellman key exchange.

These are the parameters that let two parties with no prior knowledge of one another agree on a shared secret key over a public network. Type:

./build-dh

The screen will slowly fill with dots as the key is built from random numbers. It will take at least an hour if you upped your encryption to 2048-bit. If you left it at 1024-bit it could take as little as five minutes.

Denial of Service (DoS) attack protection

OpenVPN protects against this kind of attack with a static pre-shared hash-based message authentication code (HMAC) key, used by the tls-auth option. Every packet on the control channel must carry a valid HMAC made with this key; packets that do not are dropped before the server attempts any TLS handshake or certificate check, so an attacker who does not hold the key cannot make the server do that work. To generate the static HMAC key type:

openvpn --genkey --secret keys/ta.key

N.B. If you copy and paste this line it may well fail: web pages often turn the double “-” before genkey and secret into a single dash character, so type the two hyphens in by hand.

Configuring your server

Now you have created all the locks and keys you need to tell your Raspberry Pi where to put the doors and who gets the keys – essentially instructing OpenVPN which keys to use, where you are going to be connecting from, and which IP address and port to use.

To do this you must create a server configuration file. At command prompt type:

nano /etc/openvpn/server.conf

This opens an empty file.

Fill it with this text, taking care to change the details where indicated with a comment in # CAPS LOCK. (Placing a “#” in front of text in the file tells OpenVPN it is a comment and to ignore it when reading the configuration.) Where the text says YOUR SERVER NAME, I mean the server name you gave to the ‘build-key-server’ command earlier on.

local 192.168.0.10 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS (THE PI'S OWN ADDRESS, NOT ONE ENDING IN .0)
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/XX.crt # SWAP XX WITH YOUR SERVER NAME
key /etc/openvpn/easy-rsa/keys/XX.key # SWAP XX WITH YOUR SERVER NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # IF YOU CHANGED YOUR ENCRYPTION TO 2048, CHANGE THAT HERE
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.0.0 255.255.255.0" # SWAP WITH YOUR OWN LAN'S NETWORK ADDRESS (YOUR RASPBERRY PI IP ADDRESS WITH THE LAST NUMBER SET TO 0)
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.0.1" # THIS SHOULD ALREADY MATCH YOUR OWN ROUTER ADDRESS AND SHOULD NOT NEED TO BE CHANGED
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

Hit CTRL and X then Y and ENTER to save.

There is one last edit to make, this time to the system configuration, to make sure your Raspberry Pi knows you want it to forward Internet traffic through your new network.

Type:

nano /etc/sysctl.conf

Near the top it says, “Uncomment the next line to enable packet forwarding for IPv4.”

You want to remove the “#” from the start of the next line so that the kernel (which does the actual forwarding, not OpenVPN itself) will pass packets between the VPN interface and your network.

The line should then read:

net.ipv4.ip_forward=1

Hit CTRL and X, then Y and ENTER to save.

Finally you need to action the change you just made in the sysctl.conf file. To do this type:

sysctl -p

You have now made a functioning server that can access the internet.
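Most failures at this stage come from the configuration file rather than from OpenVPN itself: quotes copied from a web page as “ ” instead of ", a `local` address that is the network address rather than the Pi's own, a dh file whose name does not match the key size that was built, or forwarding that was never switched on. The script below is an added example, not the article's own, that checks for exactly those mistakes before you start the service; the function names and the optional file argument of forwarding_enabled are my own (it exists only so the check can be exercised against a constructed file).

```shell
#!/bin/sh
# Added example (not from the original article): a sanity check for
# server.conf and the forwarding setting, to run before starting OpenVPN.
# Usage on the Pi:
#   check_server_conf /etc/openvpn/server.conf && forwarding_enabled
# Prints one line per problem and returns 1 if any were found, 0 otherwise.

check_server_conf() {
    conf=$1
    problems=0

    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 1
    fi

    # 1. Typographic quotes: OpenVPN only understands ASCII double quotes,
    #    so a pushed option wrapped in “ ” is parsed as garbage.
    if grep -q -F -e '“' -e '”' "$conf"; then
        echo "typographic quotes found; replace “ and ” with \""
        problems=$((problems + 1))
    fi

    # 2. `local` must be an address the Pi actually has, not the network
    #    address (x.y.z.0) of its LAN, or the socket bind will fail.
    local_addr=$(awk '$1 == "local" { print $2; exit }' "$conf")
    case "$local_addr" in
        *.0) echo "local $local_addr looks like a network address, not the Pi's IP"
             problems=$((problems + 1)) ;;
    esac

    # 3. Every file the config points at must exist and be readable. This
    #    also catches dh1024.pem vs dh2048.pem mismatches after changing
    #    the key size, since the missing file is reported by name.
    for key in ca cert key dh tls-auth; do
        path=$(awk -v k="$key" '$1 == k { print $2; exit }' "$conf")
        if [ -n "$path" ] && [ ! -r "$path" ]; then
            echo "$key file $path is missing or unreadable"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Returns 0 if IPv4 forwarding is switched on. The optional path argument
# is only there so the check can be tested against a constructed file; on
# the Pi call it with no argument after running `sysctl -p`.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
```

The file-existence check is deliberately run as root, before OpenVPN drops to the nobody user, because that is also when OpenVPN reads the certificate and key files; persist-key keeps them in memory across restarts so they do not need to be readable by nobody.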

Pass through the firewall

Raspbian's packet filter, iptables, is also what performs network address translation, and we need a rule for it: traffic from VPN clients carries source addresses in the 10.8.0.0/24 range, which your router knows nothing about, so the Raspberry Pi must rewrite those addresses to its own before forwarding the packets out, otherwise replies never find their way back.

To create a file that will run each time you start up your Raspberry Pi issuing this permission type:

nano /etc/firewall-openvpn-rules.sh

Inside this new file type:

#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.10
# SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# IF YOUR PI IS ON WI-FI, USE wlan0 INSTEAD OF eth0

CTRL and X then Y and ENTER to save.

Newly created files are not executable by default, so we will need to change the permissions and ownership of this file you just created. To do this type:

chmod 700 /etc/firewall-openvpn-rules.sh

then:

chown root /etc/firewall-openvpn-rules.sh

This script lets VPN traffic out through the Pi's network connection, and we now need to hook it into the network interfaces configuration so it runs on boot. Type:

nano /etc/network/interfaces

Find the line that says “iface eth0 inet static” (if your Pi is on Wi-Fi it will say wlan0 instead). We want to add a line below the address, netmask and gateway lines that follow it. This line needs to be indented, so hit TAB first:

pre-up /etc/firewall-openvpn-rules.sh

CTRL and X then Y and ENTER to save.
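Two things catch people out with the firewall script above: the interface is hard-coded (a Pi on Wi-Fi needs wlan0, not eth0) and pre-up runs the script every time the interface comes up, so a plain iptables -A appends another copy of the same rule on every boot or reconnect. The script below is an added example, not the article's own, that works out the uplink interface and address itself, checks whether the rule is already there before adding it, and falls back to MASQUERADE when no fixed address is known (useful if the Pi's address comes from DHCP). It assumes iproute2 and iptables are installed and that the VPN subnet is the 10.8.0.0/24 used in server.conf; the function names are my own.

```shell
#!/bin/sh
# Added example, not the article's own script: a version of
# /etc/firewall-openvpn-rules.sh that detects the uplink interface and
# address, and that does not add a duplicate rule every time pre-up runs.
# Assumptions: iproute2 (`ip`) and iptables are installed; the VPN subnet
# is the 10.8.0.0/24 from server.conf.

VPN_NET=10.8.0.0/24

# Interface that carries the default route, e.g. eth0 or wlan0.
uplink_iface() {
    ip -4 route show default |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# First IPv4 address configured on the given interface, without the /prefix.
iface_addr() {
    ip -4 -o addr show dev "$1" | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
}

# Build the POSTROUTING rule as a string. With an address, SNAT is used as
# in the article; with an empty address, MASQUERADE is used instead, which
# keeps working if the Pi gets a different DHCP lease after a reboot.
nat_rule() {
    iface=$1
    net=$2
    addr=$3
    if [ -n "$addr" ]; then
        echo "-s $net -o $iface -j SNAT --to-source $addr"
    else
        echo "-s $net -o $iface -j MASQUERADE"
    fi
}

# Add the rule only if it is not already present: -C checks for an exact
# match and fails if absent, -A then appends it once.
apply_nat_rule() {
    rule=$1
    # $rule is intentionally unquoted so it splits into iptables arguments.
    if ! iptables -t nat -C POSTROUTING $rule 2>/dev/null; then
        iptables -t nat -A POSTROUTING $rule
    fi
}

# Only touch iptables when run as the installed script, so the helper
# functions can be sourced and tested without root or a live interface.
if [ "${0##*/}" = "firewall-openvpn-rules.sh" ]; then
    IFACE=$(uplink_iface)
    ADDR=$(iface_addr "$IFACE")
    apply_nat_rule "$(nat_rule "$IFACE" "$VPN_NET" "$ADDR")"
fi
```

Install it in place of the original file with the same chmod 700 and chown root steps; running it twice by hand and then listing the table with iptables -t nat -L POSTROUTING -n shows a single rule rather than two.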

Finally, reboot your Raspberry Pi by typing:

reboot

N.B. Each time you reboot your Raspberry Pi you will need to relaunch PuTTY to connect to it.

Comments
  1. I have set up the VPN on Raspberry Pi 3 by following this article but I am unable to connect to the VPN server.
    Internet is connected to the Raspberry via wlan,
    so wherever eth0 is mentioned I have replaced it with wlan0.

    Contacting xxx.xx.xxx.xx:xxxx via UDP
    EVENT:WAIT
    Connecting to[dynamidns name]:xxxx (xxx.xx.xxx.xx)via UDPv4
    Server pol timeout,trying next remote entry…
    EVENT:CONNECTION TIMEOUT
    EVENT:DISCONNECTED
