OpenVPN on Raspbian (Raspberry Pi)

This weekend I heard a friend say that he wants to turn his Raspberry Pi into a VPN server. Since I still had an old Raspberry Pi lying around I decided to install the latest version of Raspbian on it (the April 2018 release, based on Debian Stretch), install OpenVPN, record how I did it, and show my friend how he can easily do the same on his Raspberry Pi. All the commands I use in the video are listed below.

I chose to enable the root account first, so I don't have to type my sudo password with every command. To enable it, open a console and type 'sudo su', then 'passwd root', and enter a new password for the root account. Once that is done you can start following the instructions below. (Note that 'sudo -i' gives you a root shell for the whole session without setting a root password at all; if you do set one, leave the SSH server's default of PermitRootLogin prohibit-password in place so that password can't be used to log in remotely.)

Start by updating the kernel with the command rpi-update. Be aware that rpi-update installs the latest bleeding-edge firmware and kernel rather than the tested packaged version; 'apt update && apt full-upgrade' is the conservative alternative. When that's done, reboot the Pi. Next, comment out all of the IPv6 lines in your hosts file by putting a # in front of them; on a stock Raspbian install these are the ::1, ff02::1 and ff02::2 entries.

nano /etc/hosts

Find and uncomment net.ipv4.ip_forward=1 in the file /etc/sysctl.d/99-sysctl.conf (on Raspbian this is a symlink to /etc/sysctl.conf, so editing either one is the same thing). This is what allows the Pi to forward packets between the tunnel and the network behind it.

nano /etc/sysctl.d/99-sysctl.conf

net.ipv4.ip_forward=1

Add these lines at the end of the same file if you want to disable IPv6 on the Pi completely. This only affects the Pi itself: whether a client's IPv6 traffic leaks outside the tunnel is decided by the client's own configuration, not by the server.

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

Save the file and load the new settings with the command below (sysctl -p reads /etc/sysctl.conf, which is where the symlink points; sysctl --system would load every file under /etc/sysctl.d as well). Afterwards 'sysctl net.ipv4.ip_forward' should report 1.

sysctl -p
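Added example, not part of the original post: the /etc/hosts and sysctl edits from the steps above as one idempotent script, so it can be re-run without doubling up lines. Every function takes the file to edit as an argument, which lets you rehearse on scratch copies first; the default paths, the 'apply' argument and the script name vpn-sysctl.sh are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: the /etc/hosts and sysctl edits
# as an idempotent script. Every function takes the file to edit as an
# argument so it can be tested on a scratch copy before touching /etc.

# Comment out each /etc/hosts entry whose address field contains ':' (IPv6).
# Lines that are already comments are left alone, so re-running is safe.
comment_ipv6_hosts() {
    tmp=$(mktemp)
    awk '$1 !~ /^#/ && $1 ~ /:/ { print "#" $0; next } { print }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"      # cat keeps the original owner and mode
    rm -f "$tmp"
}

# Make "key = value" the single active setting for key in a sysctl file:
# the first matching line (commented or not) is rewritten, any later
# duplicates are commented out, and the line is appended if it was absent.
set_sysctl() {
    tmp=$(mktemp)
    awk -v key="$2" -v value="$3" '
        BEGIN { re = "^[# \t]*" key "[ \t]*="; seen = 0 }
        $0 ~ re {
            if (!seen) { print key " = " value; seen = 1 }
            else if ($0 !~ /^#/) { print "#" $0 }
            else { print }
            next
        }
        { print }
        END { if (!seen) print key " = " value }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Apply all edits from the post. Paths default to the real files; pass
# scratch paths to rehearse.
apply_all() {
    hosts=${1:-/etc/hosts}
    sysctl_conf=${2:-/etc/sysctl.d/99-sysctl.conf}
    comment_ipv6_hosts "$hosts"
    set_sysctl "$sysctl_conf" net.ipv4.ip_forward 1
    for dev in all default lo eth0; do
        set_sysctl "$sysctl_conf" "net.ipv6.conf.$dev.disable_ipv6" 1
    done
}

# Usage as root:  sh vpn-sysctl.sh apply   (edits the real files, then loads them)
if [ "${1:-}" = "apply" ]; then
    apply_all && sysctl --system
fi
```

Because the sysctl lines are what actually switch IPv6 off, the hosts edit is cosmetic; the script keeps it only to match the post's steps.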

apt install openvpn easy-rsa

Create an unprivileged user and group for the daemon to drop to once it has opened its tun device (these are referenced by the user/group lines in server.conf further down). The same can be done in one step with 'adduser --system --group --shell /usr/sbin/nologin --no-create-home openvpn'; the grep at the end just confirms the group exists.

adduser --system --shell /usr/sbin/nologin --no-create-home openvpn
groupadd openvpn
usermod -a -G openvpn openvpn
grep openvpn /etc/group

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Open the server.conf file and edit a handful of options so they look like the examples below.

nano /etc/openvpn/server.conf

ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key # This file should be kept secret

dh /etc/openvpn/certs/keys/dh2048.pem

push "route 10.9.8.0 255.255.255.0"   # a network behind the Pi that clients should reach; use your own LAN's address

push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"

tls-auth /etc/openvpn/certs/keys/ta.key 0 # This file is secret

cipher AES-256-CBC

user openvpn
group openvpn

The options below can be added at the very end of the config file. Two related notes for the OpenVPN 2.4 that Raspbian Stretch ships: tls-crypt can replace tls-auth (it encrypts the control channel as well as authenticating it, and takes the same ta.key without the 0/1 direction argument), and cipher AES-256-GCM is preferable to AES-256-CBC once all clients are 2.4 or newer.

# Auth Digest
auth SHA512

# Limit Ciphers
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Only the first two suites in that list use AES-GCM; the CBC and Camellia suites are there for older clients, so if every client runs a current OpenVPN you can cut the list down to the two GCM suites. This list only governs the TLS control channel; the data channel uses the cipher and auth directives above.
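Added example, not from the original post or the OpenVPN project: a small shell lint that reads a server.conf and reports the directives discussed above that are missing or could be stronger on the OpenVPN 2.4 in Raspbian Stretch. The rule set (user/group present, auth present, tls-auth or tls-crypt present, cipher an AES-GCM one, tls-cipher without CBC/Camellia suites) and the script name lint-ovpn.sh are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for the security-relevant
# directives in an OpenVPN 2.4 server.conf. It prints one line per finding and
# nothing for a clean file. "Weak" means "there is a better choice on 2.4",
# not "broken".

# Succeed if FILE has an active (uncommented) DIRECTIVE.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print the first argument of the first active DIRECTIVE in FILE (empty if none).
directive_value() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" | head -n 1 | awk '{ print $2 }'
}

lint_server_conf() {
    conf=$1
    # Privilege drop: the post adds user/group openvpn; the sample config
    # ships with them commented out.
    for d in user group; do
        has_directive "$conf" "$d" || echo "missing '$d': daemon keeps running as root"
    done
    # HMAC digest for the data channel; OpenVPN's default is SHA1.
    has_directive "$conf" auth || echo "missing 'auth': data-channel HMAC defaults to SHA1"
    # Control-channel packet authentication (tls-auth) or authentication plus
    # encryption (tls-crypt, 2.4+). Without either, anyone can talk to the TLS
    # stack before presenting a certificate.
    if ! has_directive "$conf" tls-crypt && ! has_directive "$conf" tls-auth; then
        echo "no tls-auth/tls-crypt: control channel is not HMAC protected"
    fi
    # Data-channel cipher: AES-GCM is authenticated encryption; the 2.4
    # default when 'cipher' is absent is BF-CBC.
    cipher=$(directive_value "$conf" cipher)
    case "${cipher:-BF-CBC}" in
        *GCM*) ;;
        *) echo "cipher '${cipher:-BF-CBC (default)}': prefer AES-256-GCM" ;;
    esac
    # TLS suites for the control channel: drop the CBC and Camellia entries.
    case "$(directive_value "$conf" tls-cipher)" in
        *CBC*|*CAMELLIA*) echo "tls-cipher: list contains CBC/Camellia suites; keep only the GCM ones" ;;
    esac
}

# Usage: sh lint-ovpn.sh /etc/openvpn/server.conf
if [ $# -eq 1 ]; then
    lint_server_conf "$1"
fi
```

Run against the configuration built in this post it reports two findings (the CBC data cipher and the CBC/Camellia control-channel suites); against the untouched sample config it also flags the missing user, group, auth and tls-auth lines.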

Now build the PKI. These are the easy-rsa 2.x scripts as packaged in Raspbian Stretch (easy-rsa 3 has a completely different command set); make-cadir copies them and their config files into a working directory. The symlink is needed because the scripts only know how to pick a config file for OpenSSL 0.9.x and 1.0.x, while Stretch ships OpenSSL 1.1, so without it they would look for an openssl.cnf that does not exist.

make-cadir /etc/openvpn/certs
cd /etc/openvpn/certs
ln -s openssl-1.0.0.cnf openssl.cnf

Edit the vars file and change all the values between the quotation marks. KEY_SIZE 2048 is fine; 4096 makes the key and Diffie-Hellman generation steps much slower on a Pi.

nano vars

export KEY_SIZE=2048
# export KEY_SIZE=4096
export KEY_COUNTRY="Country"
export KEY_PROVINCE="Province"
export KEY_CITY="City"
export KEY_ORG="Org"
export KEY_EMAIL="E-mail address"
export KEY_OU="Hostname"

export KEY_NAME="UniqueName"

Load the variables, wipe the keys directory (clean-all deletes everything in it, so only run it once, on a fresh directory), and build the CA and the server certificate. Both build scripts prompt for the fields set in vars; build-key-server ends with two y/n prompts, to sign and then commit the certificate, which both need a 'y'.

source ./vars
./clean-all
./build-ca
./build-key-server server

Generate the Diffie-Hellman parameters (this takes several minutes on a Pi) and the tls-auth key, set up NAT and forwarding between the tunnel and eth0, and start the service. The MASQUERADE rule rewrites client traffic to the Pi's own address so LAN hosts and the internet can answer it without a route back to the VPN subnet. The iptables rules below are not persistent: they are gone after a reboot unless you save them, for example by installing iptables-persistent, which restores /etc/iptables/rules.v4 at boot ('iptables-save > /etc/iptables/rules.v4' writes the current rules there). The first FORWARD rule uses the old -m state match; '-m conntrack --ctstate' is the current spelling and does the same thing.

openssl dhparam 2048 > /etc/openvpn/certs/keys/dh2048.pem
openvpn --genkey --secret /etc/openvpn/certs/keys/ta.key
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
systemctl start openvpn
systemctl start openvpn@server
systemctl enable openvpn
systemctl enable openvpn@server
systemctl status openvpn*.service

openvpn@server is the unit that runs /etc/openvpn/server.conf, so that is the one that has to be enabled; openvpn.service is a wrapper that starts whatever /etc/default/openvpn lists under AUTOSTART (all configs by default), so enabling both is harmless. The status output should show openvpn@server as active (running) with the log line 'Initialization Sequence Completed'; if not, 'journalctl -u openvpn@server' shows why.
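Added example, not part of the original post: the NAT and forwarding rules above rewritten as an iptables-restore ruleset that can be saved for reboot, with a default-deny FORWARD chain and masquerading limited to the VPN subnet instead of everything leaving eth0. The WAN interface, VPN subnet (10.8.0.0/24 is the default 'server' line in the sample server.conf) and port are parameters; the 'apply' argument and the script name vpn-firewall.sh are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: the post's NAT/forwarding rules
# as an iptables-restore ruleset, tightened and made persistent. The tunnel
# interface is tun0 as in the post; WAN interface, VPN subnet and port are
# parameters.

# Print a complete iptables-restore ruleset for: WAN VPN_SUBNET [PORT].
render_rules() {
    wan=$1 vpn_net=$2 port=${3:-1194}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only VPN clients, not everything that leaves $wan
-A POSTROUTING -s $vpn_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep the VPN reachable even if INPUT is later switched to DROP
-A INPUT -i $wan -p udp --dport $port -j ACCEPT
# Default-deny forwarding; only tunnel<->WAN traffic for the VPN subnet passes
-A FORWARD -i $wan -o tun0 -d $vpn_net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o $wan -s $vpn_net -j ACCEPT
COMMIT
EOF
}

# Syntax-check the ruleset, load it, and save it where the iptables-persistent
# package restores it from at boot (/etc/iptables/rules.v4).
apply_rules() {
    rules=$(mktemp)
    render_rules "$@" > "$rules"
    iptables-restore --test < "$rules" \
        && iptables-restore < "$rules" \
        && mkdir -p /etc/iptables \
        && cp "$rules" /etc/iptables/rules.v4
    status=$?
    rm -f "$rules"
    return $status
}

# Usage as root:  sh vpn-firewall.sh apply eth0 10.8.0.0/24 [1194]
# Then once:      apt install iptables-persistent   # loads rules.v4 at boot
if [ "${1:-}" = "apply" ]; then
    shift
    apply_rules "$@"
fi
```

Because iptables-restore replaces the listed tables wholesale, rerunning the script never duplicates rules the way repeating the '-A' commands does; check the live result with 'iptables -L FORWARD -v -n' and 'iptables -t nat -L POSTROUTING -v -n'.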

Now your OpenVPN server is running. The next step is to create the config files for your OpenVPN client app. More on how to do that in my next post, so make sure you visit again soon.