Raspberry Pi OpenVPN Project
I’ve been wanting to set up a virtual private network (VPN) on my Raspberry Pi (Pi) for a while, and I finally took the time (be prepared to set aside an afternoon) to do it last weekend. For those who are unaware, the Pi is a small, credit card-sized computer that is roughly as powerful as a smartphone. You can learn more about them here. The particular model I used for this project is the Raspberry Pi Zero, which is not much larger than a USB flash drive. The Raspberry Pi Zero plus a power supply, case, micro USB hub, a microSD card and wireless dongle will set you back less than fifty dollars. Not bad for such a useful device.
So now you know what the Pi is, but what about OpenVPN? OpenVPN is open source software that encrypts your Internet traffic (i.e., makes it look like gibberish) between the device you are using (e.g., PC, phone, laptop) and the device that is running the OpenVPN server (e.g., a Pi). That’s nice Chris, but why do I care? If you have ever been at a coffee shop or the airport and have connected to a Wi-Fi network that didn’t require a password, you may care. Without encryption, it is trivial for an eavesdropper to see everything you are doing over the Internet (unless the website you are visiting or the app you are using has its own encryption enabled). Note that Internet traffic that does NOT have its own encryption will only be encrypted until it reaches the OpenVPN server. At that point your information goes out over the Internet, just as it would if you were surfing from the network where the VPN server resides. Any information being returned to you will travel to the VPN server first, be encrypted and then forwarded back to you, thereby thwarting the eavesdropper!
First Steps
Note that I do not plan on writing an entire tutorial for setting up OpenVPN, as there is already quite a good one on readwrite here. Part two of the tutorial can be found here. What follows are notes from my installation that provide a couple of updates that will leave you with a better setup experience.
- Get a Pi running with Raspbian. You can learn more about how to set up Raspbian via NOOBS at the Pi Foundation’s website.
- Change the default password and username for your Pi. Remember, this thing will be receiving data from the Internet; let’s not make things easier for an attacker by using the password and username that are the default for every Pi in existence. You can read about how to create a new user via the command line interface (CLI) here.
- Assign your Raspberry Pi a static Internet Protocol (IP) address. Learn how to do that here.
- Make sure you can connect to your Pi from another machine via Secure Shell (SSH). It is installed by default, and the syntax is as follows:
ssh <username>@<ip address>
You will then be asked for the password of the user you are logging in as (e.g., if you used pi@192.168.x.xxx to connect via SSH, type in the password for the pi user account). This default method is okay, but SSH with authentication keys is more secure and convenient, once it is set up. You can learn how to set up authentication keys from this Freedom Penguin article.
- Make sure that you meet all of the Pre-Project requirements noted in the readwrite tutorial.
Setting Up the Certificate Authority directory
If you are running an older version of Raspbian, i.e., if you set up your Raspberry Pi prior to September 29, 2015, ignore this section. The readwrite tutorial will work just fine. For those of you who have the newer version of Raspbian, called Jessie, read on.
So you just finished performing all of the first steps, and you run the first command to create your certificate authority:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Wait, what do you mean the directory can’t be found??!? Do not panic. The structures of OpenVPN and EasyRSA have changed since this tutorial was written. You can achieve the same effect as this command by running the following:
make-cadir /etc/openvpn/easy-rsa/
Got it? Great, time to get back to the readwrite tutorial and move on!
Dynamic Domain Name Service (DDNS)
Is the Internet protocol (IP) address assigned by your Internet service provider static or dynamic? If it is static, you can skip this section. If you are unsure, the answer is most likely dynamic, and you have another side project to complete: setting up DDNS. DDNS allows you to point your devices to a website name that does not change, and it automatically keeps track of your new IP address when it changes. If you skip this step, you will have to type in your new IP address to every device that connects to the VPN every time the address changes. This is something you may not be able to do when you are on the road and are wanting to actually use OpenVPN!
I used No-IP for this project, as I had heard about it from a couple of other sources. So far, so good. readwrite recommends a different service in their article, and you may want to do your own research as well.
Installing Client Software
So you’ve completed both parts of the tutorial, as well as the side projects. Now you have to install the client software on your devices and transfer the appropriate .ovpn file to each device. The readwrite tutorial covers installation on a Mac, so I thought I would go into more detail on the other platforms.
Android/iOS
For Android and iOS devices, you can install OpenVPN Connect from the Play/App Store. This app has a feature that will allow you to easily import a profile from an .ovpn file. Once you have imported the profile, connecting to your OpenVPN server is simply a matter of typing in the correct password and tapping the large “Connect” button.
Linux
You can download OpenVPN from your software center or package manager of choice. You can set up a VPN connection in your network manager, if you would like. You can also connect by running the following command from the command line:
openvpn --config client.ovpn
Windows
On Windows, you can download the OpenVPN software from OpenVPN.net’s download page. After installing the software, you will need to copy the device’s .ovpn file into the config folder of the program (e.g., C:\Program Files\OpenVPN\config). You can now start the program (right-click and run as administrator), which creates a new icon down near your clock. Right-clicking that icon reveals options which include Connect. Click it and then enter your password into the prompt to connect.
Creating Additional Keys
If you decide that you need to make more keys, or like me, you forgot to make one for a device you already have, the process is relatively painless. Log back into your Pi via SSH, and then run the following commands (remember that you need to run these as root using sudo):
cd /etc/openvpn/easy-rsa
. ./vars
./build-key-pass <clientname>   # replace <clientname> with whatever name you wish
cd keys
openssl rsa -in <clientname>.key -des3 -out <clientname>.3des.key   # same <clientname> as above
./MakeOVPN.sh
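Before copying a freshly generated profile to a device, it is worth confirming that the key inside it really is passphrase-protected and that the file is not readable by other accounts on the Pi. The check below is an added example, not part of the original post or the readwrite tutorial; it assumes the profile embeds the private key inline between <key> and </key> lines, and the function names are hypothetical.

```shell
# Added example. Assumption: the profile carries its private key inline
# between a <key> line and a </key> line.

# Print the PEM text between the <key> and </key> lines.
inline_key() {
    sed -n '/^<key>/,/^<\/key>/p' "$1" | sed '1d;$d'
}

# 0 = key is passphrase-protected, 1 = key is in the clear, 2 = no inline key.
key_is_encrypted() {
    key=$(inline_key "$1")
    [ -n "$key" ] || return 2
    # Traditional PEM marks encryption with a Proc-Type header;
    # PKCS#8 output uses the ENCRYPTED PRIVATE KEY label instead.
    printf '%s\n' "$key" | grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY'
}

# 0 if group or others can read the file.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Print one line per check; return 0 only if every check passes.
audit_ovpn() {
    fail=0 rc=0
    key_is_encrypted "$1" || rc=$?
    case $rc in
        0) echo "OK   private key is passphrase-protected" ;;
        1) echo "FAIL private key is stored in the clear"; fail=1 ;;
        *) echo "FAIL no inline <key> block found"; fail=1 ;;
    esac
    if readable_by_others "$1"; then
        echo "FAIL file is readable by group or others"; fail=1
    else
        echo "OK   file is private to its owner"
    fi
    return $fail
}

# Write a constructed sample profile ($2 = enc or plain); placeholder key body.
make_sample() {
    {
        printf 'client\n<key>\n-----BEGIN RSA PRIVATE KEY-----\n'
        [ "$2" != enc ] || printf 'Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n'
        printf 'PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n</key>\n'
    } > "$1"
}
```

Source the file on the Pi and run audit_ovpn against each .ovpn file before transferring it; make_sample only exists to produce test input.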
You should be ready to go! If the process is still confusing or something does not work, please feel free to leave your questions in the comments below.