If you are on a public network, for example at a university or an airport, your traffic can be recorded and decrypted. To prevent others from doing that, you can send your traffic through a secured VPN tunnel. The VPN tunnel carries your traffic encrypted to a server, which then processes your requests.
You need a Raspberry Pi running Raspbian or a similar distribution.
To be able to install the latest program versions, we first update our package sources:
sudo apt-get update
Now we install OpenVPN and OpenSSL.
sudo apt-get install openvpn openssl
We switch to the OpenVPN directory and copy the easy-rsa example directory into it; we will need it later.
cd /etc/openvpn
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Now we open the file easy-rsa/vars with nano and change the EASY_RSA line so that it points to the fixed path instead of the current working directory.
sudo nano easy-rsa/vars

Replace the line

export EASY_RSA="`pwd`"

with

export EASY_RSA="/etc/openvpn/easy-rsa"
We change into that directory, become root and run the initial setup of the certificate authority.
cd easy-rsa
sudo su
source vars
./clean-all
./pkitool --initca
ln -s openssl-1.0.0.cnf openssl.cnf
Now we can generate the certificates and keys OpenVPN needs for its encryption, plus the Diffie-Hellman parameters (dh1024.pem) that the server configuration below refers to. After the first command you will be asked for the two-letter code of your country (US = USA, DE = Germany, AT = Austria, CH = Switzerland). All other prompts can simply be confirmed with Enter.
./build-ca OpenVPN
./build-key-server server
./build-key client1
./build-dh
The calculation of the last components can take a few minutes.
We switch back to /etc/openvpn and create the file openvpn.conf:
cd ..
sudo touch openvpn.conf
sudo nano openvpn.conf

Put the following content into it:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 126.96.36.199"
push "dhcp-option DNS 188.8.131.52"
log-append /var/log/openvpn
comp-lzo

You can replace the two DNS servers with any resolvers you like.
Next, enable IP forwarding and add a NAT rule so that VPN clients can reach the internet through the Pi (replace eth0 if your network interface has a different name):
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
To keep IP forwarding enabled after a reboot, remove the "#" in front of net.ipv4.ip_forward=1 in /etc/sysctl.conf.
cd ..
sudo nano sysctl.conf
The iptables rule above is not persistent either, so it has to be re-applied at every reboot through a crontab entry. Insert the following line at the end of the crontab file (replace "eth0" if you did so above):
crontab -e
@reboot sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
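Before starting the server it is worth checking the configuration above against a few hardening points. The following is an added example, not part of the original tutorial: a small Python linter that parses OpenVPN's one-directive-per-line format from a constructed copy of the server config together with the source range of the MASQUERADE rule, and reports a DH size below 2048 bits (read from the dh filename, as easy-rsa's build-dh names it), compression, a missing tls-auth key, a missing privilege drop, and a NAT source wider than the VPN subnet.

```python
import ipaddress
import re
import shlex

# Constructed copy of the tutorial's openvpn.conf, cut down to the directives
# the checks below look at (the DNS address is the one given on the page).
SERVER_CONF = """\
dev tun
port 1194
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 126.96.36.199"
comp-lzo
"""
NAT_SOURCE = "10.0.0.0/8"  # the -s argument of the tutorial's MASQUERADE rule

def parse_conf(text):
    """Map each directive to a list of argument lists (push may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = shlex.split(line)  # keeps push "redirect-gateway def1" as one arg
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def lint(conf, nat_source):
    """Return the findings a reviewer would raise for this server config."""
    findings = []
    if "user" not in conf or "group" not in conf:
        findings.append("no privilege drop: add user nobody / group nogroup")
    dh = re.search(r"dh(\d+)\.pem$", conf.get("dh", [[""]])[0][0])
    if dh and int(dh.group(1)) < 2048:
        findings.append(f"{dh.group(1)}-bit DH is weak; set KEY_SIZE=2048 in vars before build-dh and point dh at dh2048.pem")
    if "comp-lzo" in conf:
        findings.append("comp-lzo: compressing tunnelled traffic enables VORACLE-style plaintext recovery, remove it")
    if "tls-auth" not in conf:
        findings.append("no tls-auth key: unauthenticated packets reach the TLS handshake")
    net, mask = conf["server"][0]
    vpn, nat = ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_network(nat_source)
    if vpn != nat and vpn.subnet_of(nat):
        findings.append(f"NAT source {nat} is wider than the VPN subnet {vpn}; tighten it")
    return findings
```

Run against the tutorial's own settings it reports the 1024-bit DH parameters, comp-lzo, the missing tls-auth key and the 10.0.0.0/8 masquerade range; with those four changed it reports nothing.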
Switch to the root user again and change to /etc/openvpn/easy-rsa/keys, where we create the client configuration file raspberrypi.ovpn with the content shown after the commands. Replace RASPBERRY-PI-IP with the public IP address of your Pi or, if you use a DynDNS service, with the domain it gives you.
sudo su
cd /etc/openvpn/easy-rsa/keys
nano raspberrypi.ovpn

Content of raspberrypi.ovpn:

dev tun
client
proto udp
remote RASPBERRY-PI-IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Now we pack the files the client needs into an archive, move it to /home/pi and give the user pi ownership of it. The CA's private key ca.key stays on the server: the client never needs it, and anyone holding it could issue further client certificates for your VPN.
tar czf openvpn-keys.tgz ca.crt client1.crt client1.csr client1.key raspberrypi.ovpn
mv openvpn-keys.tgz /home/pi
chown pi:pi /home/pi/openvpn-keys.tgz
exit
Finally, start the OpenVPN server.
sudo /etc/init.d/openvpn start