Ensure you have a static public IP address
We have created locks and keys for devices to use to connect to your VPN, but before we hand those keys out we need to tell them where to find the front door. That is your public IP address. It is not a secret in any real sense (every website you visit sees it, and the VPN's security rests on the certificates and the tls-auth key, not on hiding the address), but there is no reason to advertise it either, so keep it, and the profile files that contain it, off public forums.
You can find out your public IP by asking Google: just type "what's my IP address?" into the search box. Your router's status page will show the same address.
If this address changes each time you reconnect (most home ISPs hand out dynamic addresses), you do not have a static IP address, so you will need a dynamic DNS (DDNS) service to give you a hostname that always points at your current address; that hostname then goes in place of the IP address in the client profile.
There is a free service at https://www.changeip.com. Then, on your Raspberry Pi, you need to run a small program called ddclient that pushes your current address to the DDNS provider whenever it changes.
At the command prompt type:
sudo apt-get install ddclient
This will launch a wizard for configuring ddclient. Don't worry too much about what you enter here, as we will be editing the config file directly straight away.
To edit the ddclient configuration with the correct settings, type:
sudo nano /etc/ddclient.conf
Every service has a slightly different configuration. If you are using changeip.com, this blog post will tell you how to edit your settings: https://blogdotmegajasondotcom.wordpress.com/2011/03/14/use-ddclient-with-changeip-com/ The file holds your changeip.com password, so make sure it stays readable by root only (sudo ls -l /etc/ddclient.conf should show -rw-------).
CTRL and X then Y and ENTER to save.
Finally, to set this program running type:
sudo ddclient
N.B. Depending on what you answered in the wizard, the package may already run ddclient as a background service that starts at boot (check with sudo service ddclient status, and see run_daemon in /etc/default/ddclient). If it is not running as a service, sudo ddclient sends a single update and you will have to run it again after every reboot or address change, which defeats the purpose, so enable the daemon.
Create profile scripts for the devices you want to connect
We have created keys for clients (computers and devices) to use to connect to your VPN, but we have not told the clients where to find the server, how to connect, or which key to use.
If you created several different client keys, one for each of the devices you want to grant access, it would be a lot of trouble to write a configuration file for each client from scratch.
Luckily Eric Jodoin of the SANS institute has written a script to generate them automatically.
First type:
sudo nano /etc/openvpn/easy-rsa/keys/Default.txt
Fill in the blank text file with the following (this is the template every client profile starts from; lines beginning with # are comments):
client
dev tun
proto udp
# Replace the placeholder with your public IP address, or with the DDNS
# hostname you registered at changeip.com if your address changes
remote [YOUR PUBLIC IP ADDRESS] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
# Only accept a certificate that was issued as a server certificate, so a
# stolen client certificate cannot impersonate the server. ns-cert-type server
# was the older spelling of this check; it is deprecated and was removed in
# OpenVPN 2.5. Certificates made with easy-rsa's build-key-server carry the
# extensions both forms look for.
remote-cert-tls server
# The tls-auth key is embedded below; the server uses direction 0, clients 1
key-direction 1
# Must match the cipher line in the server config
cipher AES-128-CBC
# Must match the server. Compressing VPN traffic has known weaknesses
# (VORACLE); if you control both ends, drop comp-lzo from server and client.
comp-lzo
verb 1
mute 20
CTRL and X then Y and ENTER to save.
Next, create the script that builds the profile files. The keys directory is readable only by root, so type:
sudo nano /etc/openvpn/easy-rsa/keys/MakeOVPN.sh
In this file add the script Jodoin wrote (type it with straight quotes; the curly quotes a web page substitutes will break it):
#!/bin/bash
# MakeOVPN.sh: build an OpenVPN client profile (.ovpn) with the CA cert,
# client cert, client key and tls-auth key embedded inline.
# Run it from /etc/openvpn/easy-rsa/keys as root; it uses relative paths.

# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
CA="ca.crt"
TA="ta.key"

#Ask for a Client name
echo "Please enter an existing Client Name:"
read -r NAME

# Refuse empty names and anything containing a path separator
case "$NAME" in
  ''|*/*) echo "[ERROR]: Invalid client name"; exit 1 ;;
esac

#1st Verify that client's Public Key Exists
if [ ! -f "$NAME$CRT" ]; then
  echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
  exit 1
fi
echo "Client's cert found: $NAME$CRT"

#Then, verify that there is a private key for that client
# (the .3des.key is the passphrase-protected copy made earlier)
if [ ! -f "$NAME$KEY" ]; then
  echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
  exit 1
fi
echo "Client's Private Key found: $NAME$KEY"

#Confirm the CA public key exists
if [ ! -f "$CA" ]; then
  echo "[ERROR]: CA Public Key not found: $CA"
  exit 1
fi
echo "CA public Key found: $CA"

#Confirm the tls-auth ta key file exists
if [ ! -f "$TA" ]; then
  echo "[ERROR]: tls-auth Key not found: $TA"
  exit 1
fi
echo "tls-auth Private Key found: $TA"

#Confirm the template exists
if [ ! -f "$DEFAULT" ]; then
  echo "[ERROR]: Template not found: $DEFAULT"
  exit 1
fi

#Ready to make a new .ovpn file - Start by populating with the default file
cat "$DEFAULT" > "$NAME$FILEEXT"
# The profile contains a private key: make it owner-readable only right away
chmod 600 "$NAME$FILEEXT"

#Now, append the CA Public Cert
echo "<ca>" >> "$NAME$FILEEXT"
cat "$CA" >> "$NAME$FILEEXT"
echo "</ca>" >> "$NAME$FILEEXT"

#Next append the client Public Cert (only the PEM block, not the text dump
# easy-rsa writes in front of it)
echo "<cert>" >> "$NAME$FILEEXT"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$NAME$CRT" >> "$NAME$FILEEXT"
echo "</cert>" >> "$NAME$FILEEXT"

#Then, append the client Private Key
echo "<key>" >> "$NAME$FILEEXT"
cat "$NAME$KEY" >> "$NAME$FILEEXT"
echo "</key>" >> "$NAME$FILEEXT"

#Finally, append the TA Private Key
echo "<tls-auth>" >> "$NAME$FILEEXT"
cat "$TA" >> "$NAME$FILEEXT"
echo "</tls-auth>" >> "$NAME$FILEEXT"

echo "Done! $NAME$FILEEXT Successfully Created."
#Script written by Eric Jodoin
CTRL and X then Y and ENTER to save.
N.B. I was not able to copy and paste the entire script accurately in one go, but taking it one section at a time worked with no problem.
Next you need to make the script executable. Type:
cd /etc/openvpn/easy-rsa/keys/
(If you get "permission denied", the keys directory is root-only: run sudo -i first, then drop the sudo from the commands that follow.) Then set the script's permissions so that only its owner, root, can read and run it:
sudo chmod 700 MakeOVPN.sh
Note that chmod does not give the script root privileges; it needs to run as root because only root can read the keys, which is why the next command uses sudo. Execute the script with:
sudo ./MakeOVPN.sh
As it runs, it asks for the name of one of the clients you generated keys for earlier (in my case KateAndroid). Type that when prompted and you should see the line:
Done! KateAndroid.ovpn Successfully Created.
Repeat this step for each additional client you created keys for.
Export your client keys for use on the connecting devices
You now need to copy those profiles onto the devices that will use them. If you are using PuTTY on a Windows machine you can use a software package called WinSCP to do this. For Mac, try Fugu, or just scp from the Terminal.
The keys directory is readable by root only, and it should stay that way: do not chmod 777 anything under /etc/openvpn, because that hands every private key on the Pi to any user or process on it. Instead make a copy of each profile that the pi user owns, in the pi home directory, and copy that off. At the command prompt type:
sudo install -m 600 -o pi -g pi /etc/openvpn/easy-rsa/keys/[ClientName].ovpn /home/pi/[ClientName].ovpn
You can now launch the software you are using to copy files off your Raspberry Pi, navigate to /home/pi and copy the files labelled "KateAndroid.ovpn" etc.
You can also open the command prompt on the machine in your network you would like to copy the files to and type:
scp pi@[ip-address-of-your-pi]:[ClientName].ovpn [ClientName].ovpn
Once a profile is safely on its device, delete the copy from the Pi's home directory (rm /home/pi/[ClientName].ovpn). Each .ovpn contains that client's private key, so treat the file like a password.
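An added example, not from the original tutorial or from Jodoin's script, that covers the two steps above in one place: it sanity-checks a generated profile (the four inline blocks, a real remote line rather than the template placeholder, key-direction 1 alongside the embedded tls-auth key, the deprecated ns-cert-type directive, and a private key that is not passphrase-protected, which OpenSSL marks with a "Proc-Type: 4,ENCRYPTED" header when it is), and then copies the file into a staging directory with mode 0600, which is the permission-safe replacement for opening up /etc/openvpn. The function names, the staging directory and the paths in the usage line are assumptions of mine.

```shell
#!/bin/sh
# check_and_stage_ovpn.sh: added example, not part of the original tutorial
# or of Jodoin's MakeOVPN.sh.
#   check_ovpn FILE        sanity-check an inline .ovpn before handing it out
#   stage_ovpn FILE DIR    copy it into DIR with mode 0600 for scp/WinSCP
# The tags, directives and the "Proc-Type: 4,ENCRYPTED" header it looks for
# are what MakeOVPN.sh and a 3DES-encrypted PEM key produce.

check_ovpn() {
    f=$1
    problems=0
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }

    # Every inline block must be opened and closed
    for tag in ca cert key tls-auth; do
        if ! grep -q "^<$tag>" "$f" || ! grep -q "^</$tag>" "$f"; then
            echo "$f: missing <$tag> ... </$tag> block" >&2
            problems=$((problems + 1))
        fi
    done

    # The remote line must exist and must not be the template placeholder
    if ! grep -q '^remote [A-Za-z0-9]' "$f"; then
        echo "$f: remote line missing or still the [YOUR PUBLIC IP ADDRESS] placeholder" >&2
        problems=$((problems + 1))
    fi

    # An inline <tls-auth> block does nothing without key-direction 1
    if grep -q '^<tls-auth>' "$f" && ! grep -q '^key-direction 1' "$f"; then
        echo "$f: <tls-auth> present but key-direction 1 missing" >&2
        problems=$((problems + 1))
    fi

    # Warnings only: deprecated directive, unencrypted private key
    if grep -q '^ns-cert-type' "$f"; then
        echo "$f: warning: ns-cert-type is deprecated, use remote-cert-tls server" >&2
    fi
    if grep -q '^<key>' "$f" && ! grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "$f: warning: embedded private key is not passphrase-protected" >&2
    fi

    [ "$problems" -eq 0 ]
}

stage_ovpn() {
    src=$1
    dest=$2
    check_ovpn "$src" || return 1
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    # install(1) creates the copy with its final mode in one step, so the
    # profile is never world-readable, not even for an instant
    install -m 0600 "$src" "$dest/$(basename "$src")" || return 1
    # When run under sudo, hand the copy to the invoking user so scp can read it
    if [ -n "$SUDO_USER" ]; then
        chown "$SUDO_USER" "$dest" "$dest/$(basename "$src")"
    fi
    echo "$dest/$(basename "$src")"
}

# Usage: sudo ./check_and_stage_ovpn.sh /etc/openvpn/easy-rsa/keys/KateAndroid.ovpn /home/pi/ovpn-out
if [ $# -ge 2 ]; then
    stage_ovpn "$1" "$2"
fi
```

stage_ovpn refuses to copy a profile that fails the checks, so a half-built file never leaves the keys directory, and it prints the staged path so you can paste it straight into an scp command. Delete the staged copy once the phone has imported it.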
Install the OpenVPN Connect app on your device
You are now ready to download and install the OpenVPN Connect app on your Android phone or iPhone; it is a free download from the app stores. You will need to import the profile you just made as the final piece of the VPN connection puzzle.
When the app asks for a private key passphrase, enter the one you chose when the 3des.key for that client was created: the <key> section of the profile is that encrypted key, and the app decrypts it on the phone.
For iOS
Use iTunes (File Sharing, with the phone connected by USB) to add the .ovpn file to the OpenVPN Connect app. When you launch the app on your phone you will now get the option of installing that profile and making the connection.
For Android
Connect your Android device to your computer with a USB cable, navigate to the Downloads folder on your handset and copy the .ovpn file there.
When you launch the app on your handset you can now tap the menu in the top right corner, select Import > Import profile from SD card, navigate to the Downloads folder and import the file, then make the connection. Once the profile is imported, delete the .ovpn from Downloads: the app keeps its own copy, and the file holds the private key.
One more thing
After all this is done, if your phone still can't connect to the OpenVPN server you will probably need to set up port forwarding on your router: forward UDP port 1194 from the internet to the Raspberry Pi's address on your LAN. Give the Pi a fixed address or a DHCP reservation first, or the rule will break when its address changes. Forward only that one port, and only UDP; nothing else on the Pi needs to be reachable from outside. You'll need to follow the instructions from your ISP or router manufacturer to access the router and complete this step.
If this worked for you, please share in the comment section, and if you have issues, please don't hesitate to drop your comments below.
----------
It works. Nice tutorial.
I have set up the VPN on a Raspberry Pi 3 by following this article, but I am unable to connect to the VPN server.
Internet is connected to the Raspberry via wlan,
so wherever eth0 is mentioned I have replaced it with wlan0.
Contacting xxx.xx.xxx.xx:xxxx via UDP
EVENT:WAIT
Connecting to[dynamidns name]:xxxx (xxx.xx.xxx.xx)via UDPv4
Server poll timeout, trying next remote entry…
EVENT:CONNECTION TIMEOUT
EVENT:DISCONNECTED
When I get to sudo route-n I get command not found.