VPN on a Raspberry Pi

About

Having a VPN server accessible to you is truly amazing because whenever you browse the web, the traffic cannot be sniffed and analyzed by anyone on the remote network you are working from. All that network traffic is routed out to your home network, and this is all possible because of a VPN service. This article will go over the process for creating a VPN service on the Raspberry Pi. This will prove to be a simple and cost-effective approach for implementing a VPN solution.

Another reason to implement a VPN solution in your home/office is to access those resources remotely. Have a file share you would like to access remotely? How about being able to remotely control a desktop? You can do all of this from anywhere with a VPN solution enabled.

Dynamic DNS

If you have a dynamic IP address from your ISP, you should absolutely use dynamic DNS to connect to your VPN.

If you would like to take advantage of Dynamic DNS for your VPN, I would recommend you set this up prior to installing the VPN service.

Remote Ad Blocking

One of the coolest features about my VPN setup is that I have an ad blocking DNS service that provides network level ad blocking at my house. That means that anyone connected to my network has ad blocking enabled on their device without any configuration needed! You can implement this by default within your VPN service so that whenever you remotely connect, you’ll have ad blocking enabled on the go!

If you would like to take advantage of remote ad blocking service for your VPN, I would recommend you set this up prior to installing the VPN service.

Configuring the Raspberry Pi

Version of Pi OS: Raspbian GNU/Linux 9 (stretch)

Run this command on the Raspberry Pi:
curl -L https://install.pivpn.io | bash

After running the command above and waiting for a few minutes, you will see the following window. Hit enter to continue:

Click ‘OK’. We definitely want to set a static IP on this Raspberry Pi.

The next window will prompt you to select the network interface you would like to use. In the following example, I use my Ethernet interface over my wireless interface. Why, you ask? Wired Ethernet connections are always faster and more reliable than any wireless interface. Wired is preferred, especially if we want our VPN to be fast and always readily available.

Once you select the network interface, it will prompt you to enter in your static IP information. We definitely want the Raspberry Pi to have a static IP address so that the IP doesn’t ever change. This is especially important for the firewall rules we create to allow the VPN service to reach the outside WAN interface (public IP).

The next screen will prompt you to pick a user that will have the PiVPN configuration settings. Go ahead and select the default root user ‘pi’. The other user named ‘pihole’ you see on the example image below is an ad-blocker account for an awesome service called Pi-Hole that allows you to implement network-wide ad blocking at the DNS level. Check out my article here for how to set it up on a Raspberry Pi.

The next steps are extremely critical since they have to do with upgrading a network level service (VPN service) which is going to be visible over the net (prone to attacks and hacking). You need to make sure that unattended security updates are allowed. You should keep in mind that the Raspberry Pi will not reboot after updates automatically, so you will need to manually reboot the Pi device from time to time.

After you enable security updates you will get a command line screen indicating that the VPN service is being installed.

On the next screen, pick UDP. TCP shouldn’t be used for a VPN service.

The next screen will prompt you to select a port. I recommend you change the default port of 1194 to enhance security. If an attacker is scanning for default VPN ports from all major VPN services, your port won’t show up as open.

The next step is to set the size of the encryption key; 2048-bit encryption is perfect.

You will see a command-line encryption process occur; this may take around 3-5 minutes.

The next step requires you to set up your DNS entry. I removed my IP address from the image since I didn’t want to expose it. If you have a static IP from your ISP then you can use that, but if you have a dynamic IP assignment (many standard consumer internet packages have dynamic assignment) then you want to set up dynamic DNS from an online provider. This service basically runs on your local network and constantly sends IP update requests to an online DNS service. Instead of needing to know your IP to log in to your VPN, you can use a domain name (e.g., myvpn.ddns.net).

Learn how to set up dynamic DNS on the Raspberry Pi here

Next you’ll select a DNS provider. If you don’t know much about DNS providers you can just select Google. I set my DNS provider to my Pi-Hole ad blocking server (I had the VPN and ad blocking service running on the same Raspberry Pi so I just used my Pi IP address).

Your VPN service is officially installed on the Pi. We aren’t done yet; we still need to create a VPN account. You will get a couple of screens: one telling you how to add an ovpn profile and another presenting a recommendation to reboot the Raspberry Pi. Go ahead and reboot and then run an upgrade command before rebooting once more:
sudo apt-get upgrade
sudo reboot
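
To confirm that the installer choices above (UDP, a non-default port, a DNS server for clients) actually landed in the server configuration, here is an added example that is not part of the original article or of PiVPN. It assumes the config sits at /etc/openvpn/server.conf on the Pi; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server config against the installer choices.

# audit_ovpn_server CONF
# Prints one finding per line; returns 0 only if no WARN was raised.
audit_ovpn_server() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }

    # OpenVPN falls back to udp/1194 when a directive is absent.
    proto=$(awk '$1 == "proto" { print $2; exit }' "$conf")
    port=$(awk '$1 == "port" { print $2; exit }' "$conf")
    proto=${proto:-udp}
    port=${port:-1194}
    # DNS servers pushed to clients, e.g. push "dhcp-option DNS 192.168.1.2"
    dns=$(sed -n 's/^[[:space:]]*push "dhcp-option DNS \([^"]*\)".*/\1/p' "$conf" | tr '\n' ' ')

    case $proto in
        udp*) echo "OK   proto $proto" ;;
        *)    echo "WARN proto $proto (installer choice was UDP)"; rc=1 ;;
    esac
    if [ "$port" = 1194 ]; then
        echo "WARN port 1194 is still the OpenVPN default"; rc=1
    else
        echo "OK   port $port"
    fi
    if [ -n "$dns" ]; then
        echo "OK   clients are pushed DNS: $dns"
    else
        echo "WARN no DNS pushed; clients keep their own resolver"; rc=1
    fi
    return $rc
}

# Constructed sample standing in for the real file on the Pi.
write_sample_conf() {
    cat > "$1" <<'EOF'
dev tun
proto udp
port 11948
push "dhcp-option DNS 192.168.1.2"
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_ovpn_server "$sample" || true
rm -f "$sample"
```

On the Pi itself, call audit_ovpn_server with the real config path (reading it may require sudo).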

Creating a VPN Profile

After the second reboot, proceed with the following command to create an OpenVPN client file.
pivpn add

You will be prompted to enter a pass phrase when creating the .ovpn file. Use a strong and secure password; I recommend creating a long password with high entropy.

OpenVPN Client Connectivity

You basically want to find a client to install on remote devices that would allow you to use the .ovpn file we created in the previous steps.
Windows & Linux: https://openvpn.net/index.php/open-source/downloads.html
iOS: https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8
Android: https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en_US

Extracting .ovpn File from Raspberry Pi

Use a client like FileZilla and connect to the Raspberry Pi via SFTP.

You could also extract the file via an SCP file transfer, but this only works if you’re connecting from a Linux machine.

Sync OVPN Profile Across Devices

You can easily transfer files from device to device using a cloud file host with syncing capabilities such as Google Drive and OneDrive.

You could also email the .ovpn file to yourself and open/save the file on each device.
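
The profile carries the client's private key, so once it sits in a cloud folder or a mailbox the pass phrase is the only thing protecting it. The following added example (not from the original article or from PiVPN) checks a profile before it leaves the Pi. It assumes the key is embedded inline in a <key> block; the function names and the sample profile, including its placeholder key body, are constructed.

```shell
#!/bin/sh
# Added example: check a client profile before copying it off the Pi.

# check_ovpn_profile FILE
# Prints one finding per line; returns 0 only if no WARN was raised.
check_ovpn_profile() {
    f=$1
    rc=0
    [ -r "$f" ] || { echo "ERROR cannot read $f"; return 2; }

    # Pull out the inline <key>...</key> block, if there is one.
    key=$(sed -n '/^<key>/,/^<\/key>/p' "$f")
    if [ -z "$key" ]; then
        echo "INFO no inline <key>; the key lives in a separate file"
    elif printf '%s\n' "$key" |
         grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED'; then
        echo "OK   private key is passphrase-encrypted"
    else
        echo "WARN private key is stored in the clear"; rc=1
    fi

    # Group/other permission bits are characters 5-10 of the ls -l mode.
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" = "------" ]; then
        echo "OK   file is accessible by its owner only"
    else
        echo "WARN file mode allows group/other access ($bits)"; rc=1
    fi
    return $rc
}

# Constructed sample profile; $2 is the PEM label to put on the key.
write_sample_profile() {
    cat > "$1" <<EOF
client
dev tun
proto udp
remote myvpn.ddns.net 11948
<key>
-----BEGIN $2-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END $2-----
</key>
EOF
}

demo=$(mktemp)
write_sample_profile "$demo" "ENCRYPTED PRIVATE KEY"
chmod 600 "$demo"
check_ovpn_profile "$demo" || true
rm -f "$demo"
```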

Port Forwarding on the Router

You now need to port forward the IP and port of the Raspberry Pi/VPN service port out of the router WAN interface (e.g., 192.168.1.2:11948). If you do not know how to do this, try researching port forwarding on Google.

Conclusion

The Raspberry Pi VPN isn’t too hard to set up and will offer you a cost-effective approach to privacy and online security. When you are accessing sensitive information from another network, you can simply connect to the VPN and have encryption of any data sent over the network since the traffic tunnels back out to your own home network.

Make sure you read up on network security for the Raspberry Pi; it will help you to implement basic security settings on the Raspberry Pi that will prevent hackers from accessing your device and network. This is important because your Raspberry Pi VPN service is exposed over the internet now. It is imperative to reboot occasionally to allow the OpenVPN updates to process.
