Git Good @ Tech

Raspberry Pi VPN server.

Security, security, privacy, privacy, IPv6 leaks, big brother, yada yada yada … Let's build a VPN.



The PiVPN project has made setting up a VPN server on a Raspberry Pi quite straightforward.
But first there are some prerequisites. You need to be able to open ports on the connection your VPN server sits behind. A static IP is recommended, as is knowing how to forward ports on your router.
Heads up! Part of the tutorial (key generation) may take up to several hours.

  1. We will run the bash script from the PiVPN project homepage:
    curl -L https://install.pivpn.io | bash

    Remember, it's never safe to run bash scripts from the internet 😉.

  2. Now just follow the instructions on screen.
    The first selection is the network interface.
  3. The next question is whether you wish to set up a static IP. Select Yes.
    If you have read my previous tutorials you actually know how to manually set up static IP on your Raspberry Pi.
  4. Choose user (default: pi)
  5. Unattended Upgrades: Yes
  6. Protocol: UDP
  7. Now you are prompted for the port. This is the port OpenVPN will listen on for connections, and the port you need to forward from your router to your Pi. The default is 1194, but you can choose whatever you wish. Sometimes it is better to choose a different port, because anyone who scans the default OpenVPN port on your network will find the server. So for defence +5 it's recommended to use a different port.
  8. The next selection is encryption strength.
    Select 2048 or, for the paranoid, 4096. IMPORTANT! The key generation step will take a long time: for 2048 it is minutes to 3 hours, and for 4096 up to 24 hours, so choose wisely.
  9. Now you can choose public IP or DNS. I chose public IP despite having a dynamic IP. Because my service provider rarely changes the IP address of my connection, I can choose IP, and if my IP ever changes I can change the PiVPN IP setting in the file /etc/openvpn/easy-rsa/pki/Default.txt. Remember that if you change the IP you have to regenerate the .ovpn files. If you have a service like noip, you can choose DNS Entry and enter your address.
  10. Next, select the DNS provider (default: Google).
  11. OK, and done.
  12. Reboot.
  13. Next we will create the OpenVPN client file. Run:
    pivpn add

    When creating the .ovpn file, you will be asked for a pass phrase. This pass phrase will need to be entered each time you use your VPN client to connect to your Raspberry Pi VPN server. I suggest you use a long, strong pass phrase, since the client .ovpn configuration/encryption file and the pass phrase are the only weak points someone could use to break into your Raspberry Pi VPN server. Keep your configuration/encryption file safe.

  14. The final step is to forward your Raspberry Pi's VPN port on your router. The port to forward is 1194 unless you changed it during the PiVPN setup. Google "port forwarding" and your router name to find out how to do this for your own router.

UPDATE:

In some cases, when the IP and/or subnet of your target network is the same as that of your client network, you may experience connection and speed issues. Example: your home router's internal IP (the router the VPN server is connected to) is 192.168.1.1, and the router at the remote location where you use your VPN client also has the IP 192.168.1.1.
Solutions: Change the remote location's internal IP and, if that is not possible, change your local network's internal IP address. I changed the remote router's IP to 191.168.1.1 and this solved the problem.
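
A way to check for the overlap described in this update, as an added example that is not part of the original post. The function names, the `COMMON_DEFAULTS` list and the sample addresses are assumptions; the replacement subnet is picked from the RFC 1918 private ranges.

```python
import ipaddress

# RFC 1918 private ranges; a replacement LAN should come from one of these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: factory defaults common on consumer routers, avoided when
# suggesting a new subnet because a remote site is likely to use them too.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in
                   ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def to_network(addr_with_mask):
    """'192.168.1.1/24' (host address plus prefix) -> 192.168.1.0/24."""
    return ipaddress.ip_interface(addr_with_mask).network


def find_conflicts(client_side, server_side):
    """Return (client_net, server_net) pairs whose address ranges overlap."""
    return [(c, s) for c in client_side for s in server_side if c.overlaps(s)]


def suggest_subnet(in_use, prefix=24):
    """First private /prefix that overlaps nothing in use or commonly used."""
    taken = list(in_use) + COMMON_DEFAULTS
    for block in reversed(RFC1918):            # try 192.168.0.0/16 first
        for candidate in block.subnets(new_prefix=prefix):
            if not any(candidate.overlaps(t) for t in taken):
                return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values matching the scenario above.
    server_side = [to_network("192.168.1.1/24"),   # home LAN behind the Pi
                   to_network("10.8.0.1/24")]      # assumed OpenVPN tunnel network
    client_side = [to_network("192.168.1.1/24")]   # remote site's LAN
    for c, s in find_conflicts(client_side, server_side):
        print(f"conflict: client {c} overlaps server {s}")
    print("suggested replacement:", suggest_subnet(server_side + client_side))
```
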

2 Comments

  1. John Rose

    Installation went Ok. However, I cannot connect to pivpn. The OpenVPN service (assuming that is the name of the service that PiVPN creates) looks Ok:
    pi@RaspberryPi:~ $ sudo service openvpn status
    ● openvpn.service – OpenVPN service
    Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset:
    Active: active (exited) since Sat 2018-11-17 13:32:16 GMT; 4h 15min ago
    Process: 602 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
    Main PID: 602 (code=exited, status=0/SUCCESS)
    CGroup: /system.slice/openvpn.service

    Nov 17 13:32:16 RaspberryPi systemd[1]: Starting OpenVPN service…
    Nov 17 13:32:16 RaspberryPi systemd[1]: Started OpenVPN service.

    The log shows:
    Nov 17 13:32:14 RaspberryPi ovpn-server[444]: OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
    Nov 17 13:32:14 RaspberryPi ovpn-server[444]: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
    Nov 17 13:32:14 RaspberryPi ovpn-server[495]: Diffie-Hellman initialized with 2048 bit key
    Nov 17 13:32:14 RaspberryPi ovpn-server[495]: Outgoing Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: Incoming Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: TUN/TAP device tun0 opened
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: TUN/TAP TX queue length set to 100
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: /sbin/ip link set dev tun0 up mtu 1500
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: Could not determine IPv4/IPv6 protocol. Using AF_INET
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: Socket Buffers: R=[163840->163840] S=[163840->163840]
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: UDPv4 link local (bound): [AF_INET][undef]:11948
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: UDPv4 link remote: [AF_UNSPEC]
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: GID set to nogroup
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: UID set to nobody
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: MULTI: multi_init called, r=256 v=256
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
    Nov 17 13:32:15 RaspberryPi ovpn-server[495]: Initialization Sequence Completed

    However, when I run the client on an Android device, I get ‘Waiting for Server Reply’ and its log shows ‘TLS Handshake Fails’.

    Any ideas please?

    • BigJay

      Hi

      Had problems with my Linux laptop, and what I had to do was install PiVPN on an older version of Raspbian.

      cat /etc/os-release

      VERSION_ID="8"
      VERSION="8 (jessie)"

      lsb_release -a

      Distributor ID: Raspbian
      Description: Raspbian GNU/Linux 8.0 (jessie)
      Release: 8.0
      Codename: jessie


© 2024 JakeMakes
