OpenVPN: Raspberry Pi
If you are on a public network, for example at university or the airport, your traffic can be recorded and decrypted. To prevent this, you can send your traffic through a secured VPN tunnel. The tunnel carries your traffic in encrypted form to a server, which then processes your requests.
In the following tutorial you will learn how to run OpenVPN Server on your Raspberry Pi:
Raspbian or a similar distribution.
To be able to install the latest program versions, we should update our package sources:
sudo apt-get update
Now we install OpenVPN and OpenSSL.
sudo apt-get install openvpn openssl
We switch to the directory /etc/openvpn and copy into it a directory we will need later.
cd /etc/openvpn
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Now we open the file easy-rsa/vars with nano and apply some changes.
sudo nano easy-rsa/vars
Replace the line
export EASY_RSA="`pwd`"
with
export EASY_RSA="/etc/openvpn/easy-rsa"
We change into the directory, switch to the root user and run some configuration steps.
cd easy-rsa
sudo su
source vars
./clean-all
./pkitool --initca
ln -s openssl-1.0.0.cnf openssl.cnf
Now we are able to generate the components for the encryption of OpenVPN. After the first input you will be asked for the abbreviation of your country (US = USA, DE = Germany, AT = Austria, CH = Switzerland). All other inputs can simply be confirmed.
./build-ca OpenVPN
./build-key-server server
./build-key client1
# generates keys/dh1024.pem, which openvpn.conf references
./build-dh
exit
The calculation of the last components can take a few minutes.
We have to switch the directory again and create the file openvpn.conf with the following content:
cd ..
sudo touch openvpn.conf
sudo nano openvpn.conf

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 18.104.22.168"
push "dhcp-option DNS 22.214.171.124"
log-append /var/log/openvpn
comp-lzo
You can change the DNS-servers to any DNS you like.
Now set up internet forwarding for the VPN clients. If you are not using an Ethernet cable (e.g. you are on Wi-Fi), you will have to replace "eth0" with the name of your network device.
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
One of the final steps will be to delete the "#" before net.ipv4.ip_forward=1 in sysctl.conf.
cd ..
sudo nano sysctl.conf
Some of the above settings have to be added to the crontab to persist across reboots. Insert the following line at the end of the crontab file (replace "eth0" if you did so above):
crontab -e
@reboot sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
Switch to the root user again and change to the directory /etc/openvpn/easy-rsa/keys, in which we will create the file raspberrypi.ovpn and fill it with the configuration that follows the commands. RASPBERRY-PI-IP should be replaced by the IP address of your Pi or, if you are using a DynDNS service, by the given domain.
sudo su
cd /etc/openvpn/easy-rsa/keys
nano raspberrypi.ovpn

dev tun
client
proto udp
remote RASPBERRY-PI-IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Now create an archive with all the files the client needs, place it in /home/pi and give the user pi ownership of the file.
# ca.key, the private key of the CA, stays on the server and is not packed for the client
tar czf openvpn-keys.tgz ca.crt client1.crt client1.csr client1.key raspberrypi.ovpn
mv openvpn-keys.tgz /home/pi
chown pi:pi /home/pi/openvpn-keys.tgz
exit
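The following check is an added example, not part of the original tutorial: it compares an archive like openvpn-keys.tgz with the ca, cert and key lines of the profile inside it and reports referenced files that are missing as well as any private key other than the client's own. The function names audit_bundle and make_sample and the sample archive bundle.tgz are made up for this example.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client bundle against the profile inside it.

# audit_bundle ARCHIVE PROFILE
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on read errors.
# Assumes member names without whitespace, as in the tutorial's file list.
audit_bundle() {
    archive=$1; profile=$2; rc=0
    members=$(tar -tzf "$archive") || return 2
    conf=$(tar -xzOf "$archive" "$profile") || return 2
    # Files the profile loads through its ca/cert/key directives.
    refs=$(printf '%s\n' "$conf" | awk '$1 ~ /^(ca|cert|key)$/ { print $2 }')
    own_key=$(printf '%s\n' "$conf" | awk '$1 == "key" { print $2 }')
    for f in $refs; do
        printf '%s\n' "$members" | grep -qxF -- "$f" || { echo "MISSING $f"; rc=1; }
    done
    # The only private key a client needs is its own.
    for f in $members; do
        case $f in
            *.key) [ "$f" = "$own_key" ] || { echo "EXTRA_PRIVATE_KEY $f"; rc=1; } ;;
        esac
    done
    return "$rc"
}

# make_sample DIR FILE...: constructed test bundle of empty placeholder files
# plus a profile holding only the ca/cert/key lines of raspberrypi.ovpn.
make_sample() {
    dir=$1; shift
    ( cd "$dir" &&
      printf 'ca ca.crt\ncert client1.crt\nkey client1.key\n' > raspberrypi.ovpn &&
      touch "$@" &&
      tar -czf bundle.tgz raspberrypi.ovpn "$@" )
}

# Constructed sample: a bundle that also contains the CA's private key.
tmp=$(mktemp -d)
make_sample "$tmp" ca.crt ca.key client1.crt client1.csr client1.key
audit_bundle "$tmp/bundle.tgz" raspberrypi.ovpn || echo "bundle needs fixing"
rm -rf "$tmp"
```

Run it against the real archive with audit_bundle /home/pi/openvpn-keys.tgz raspberrypi.ovpn before handing the file to a client.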
Restart the server.
sudo /etc/init.d/openvpn start
An OpenVPN client for Windows is: http://openvpn.se/
for Mac: https://code.google.com/p/tunnelblick/
Linux users simply install the package openvpn.