This weekend I heard a friend say that he wants to turn his Raspberry Pi into a VPN server. Since I still had an old Raspberry Pi laying around I decided to install the latest version of Raspbian on it (April 2018 release) and also install OpenVPN on it, record how I did this, and show my friend how he can easily do the same on his Raspberry Pi. I listed all the commands I use in the video on this page here below.
I chose to enable the root account first, so I don’t have to type my sudo password with every command. To enable the root account open a console and type ‘sudo su’, and then ‘passwd root’, and enter a new password for the root account. Once that is done you can start following the instructions below.
Start with updating the kernel by entering the command
rpi-update. When that’s done first reboot the Pi and then we can start commenting out all of the IPv6 lines in your hosts file. See example.
Find and uncomment net.ipv4.ip_forward=1 in the file /etc/sysctl.d/99-sysctl.conf
Add these next lines at the end of the file if you want to disable IPv6 completely.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
Save the file and enter
apt install openvpn easy-rsa
adduser --system --shell /usr/sbin/nologin --no-create-home openvpn
usermod -a -G openvpn openvpn
grep openvpn /etc/group
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Open the server.conf file and edit a handful of options so they look like the examples below.
key /etc/openvpn/certs/keys/server.key # This file should be kept secret
push “route 10.9.8.0 255.255.255.0”
push “dhcp-option DNS 22.214.171.124”
push “dhcp-option DNS 126.96.36.199”
tls-auth /etc/openvpn/certs/keys/ta.key 0 # This file is secret
The options below can be added at the very end of the config file.
# Auth Digest
# Limit Ciphers
ln -s openssl-1.0.0.cnf openssl.cnf
Edit the vars file and change all the variables that you see between the ” ” sings.
# export KEY_SIZE=4096
export KEY_EMAIL=”E-mail address”
openssl dhparam 2048 > /etc/openvpn/certs/keys/dh2048.pem
openvpn --genkey --secret /etc/openvpn/certs/keys/ta.key
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
systemctl start openvpn
systemctl start openvpn@server
systemctl enable openvpn
systemctl enable openvpn@server
systemctl status openvpn*.service
Now your OpenVPN server is running. Next step is to create the config files for your OpenVPN client app. More on how to do that in my next post so make sure you visit again soon.