How To Set up OpenVPN on a Raspberry PI 3
#1
This how-to will take you through the steps necessary to build an OpenVPN server on a Raspberry PI 3.  I wrote these as I built the server today.

Need to fill out the hyperlinks, posting quickly to maybe assist IVB. 

Caveats:
  • I'm not an OpenVPN expert
  • I'm not a Linux expert, my Linux skills are pretty rusty
  1. Parts purchased  (I'll update later with links to what I purchased)
    1. Pi 3
    2. PI 3 case
    3. PI 3 Power Supply
    4. Micro SD card
    5. Remember to purchase an analog video adapter if you don't have an easily accessible HDMI connection to work with
  2. Additional hardware required for initial setup
    1. USB Keyboard
    2. HDMI cable (if you don't have the video adapter)
    3. Monitor
    4. Ethernet cable
  3. Software required
    1. Download Raspbian Jessie Lite
    2. Download iso image utility Etcher from Etcher.io 
    3. Download MobaXterm from here http://mobaxterm.mobatek.net/
      1. I choose the portable version for download
    4. OpenVPN for target clients
    5. Android - I use the paid version OpenVPN Client from colucci-web.it as it doesn't require root and is actively kept current
  4. Important Note - Linux is case-sensitive for everything, don't forget this!!!

  1. Steps to build
    1. Assemble the PI
    2. Install the image utility on a Windows PC that has a microSD or SD (microSD carrier) card slot available
    3. Install MobaXterm
    4. Using Etcher, load the microSD card with the ISO
    5. Insert the microSD card in the PI (make sure power is off)
    6. Boot
    7. Assign IP address - I prefer to assign from DHCP instead of assigning a static address
      1. Go to your router and identify the PI and the PI's MAC address
      2. Assign a static address based on MAC address
      3. Note the IP address you assigned
    8. log in for the first time
      1. user: pi
      2. password: raspberry
    9. Reboot the PI (to get the new "static" IP address assigned)
      1. sudo shutdown -r now  (reboot now)
    10. log in again and change the pi password
      1. from the $ prompt type passwd, you will be prompted for the old password and then will be asked for your new password
      2. Note the new password in your password vault
        1. I store the IP address, user ID and password in my password vault software for future reference
    11. Enable SSH for remote access
      1. from the $ prompt type sudo raspi-config
      2. select Interfacing options
      3. then select ssh, press Enter and select Enable or disable ssh server
      4. exit the utility
    12. Test SSH connection from windows PC
      1. Launch MobaXterm
      2. configure a session
        1. Select Session Icon (upper Left)
        2. Select SSH Icon (upper Left)
        3. Under Basic SSH settings
          1. Remote host: enter your PI's IP address
          2. Select checkbox for Specify username and enter pi
          3. Select the Bookmark settings tab
            1. The IP address you assigned should be in Session name field add OpenVPN - PI (personal preference on my part for ease of use)
              1. should look like 192.168.1.100 OpenVPN - PI
          4. click OK
      3. Double click on your newly created session, it should connect to your pi and prompt you for a password
        1. You will have the option to have MobaXterm remember your password.  It's stored in the MobaXterm config file and is portable.
    13. With SSH running you no longer need to have the PI connected to a monitor and keyboard.
      1. If you want to put your PI in its permanent home and go headless then shut the PI down
        1. from $ type sudo shutdown now
        2. relocate the PI to its new home and power back up
    14. Restart your SSH session in MobaXterm
    15. Update OS and packages to the latest
      1. from the $ type sudo apt-get update
      2. Once 1 is done, from the $ type sudo apt-get dist-upgrade

  1. Using SAMBA set up a directory to share with your windows machines to use to copy your OpenVPN certificates
    1. Note - For security reasons I choose to make the connection from my Windows machines instead of the other way around. Limits access. I also choose to require a user ID and password for access. Call me paranoid
    2. from $ type sudo apt-get install samba samba-common-bin
    3. sudo bash (puts us in root mode)
    4. from # prompt type vi /etc/samba/smb.conf  (I use vi, you can use nano too)
    5. find the following parameters and ensure they are set properly
      1. workgroup = WORKGROUP  (make sure this matches your network work group)
      2. wins support = yes
      3. save and exit
    6. at the # type exit (takes out of root mode so that share is created with the user pi permissions)
    7. at the $ type mkdir ~/share (or whatever you want to call it)
    8. at the $ type sudo bash (back to root)
    9. at the # type vi /etc/samba/smb.conf (we're going to create a share called PiShare)
    10. Scroll to the bottom of the file and add the following share definition:
        [PiShare]
        comment=Raspberry Pi Share
        path=/home/pi/share
        browseable=Yes
        writeable=Yes
        only guest=no
        create mask=0777
        directory mask=0777
        public=no
    11. Save and exit
    12. Let's set up a user ID and password for the Samba share
      1. at the # type smbpasswd -a <username> where <username> is the name you want to use for access
      2. you will then be prompted to enter a password and then confirm said password
      3. so for the user pi it would be
        1. smbpasswd -a pi
    13. reboot
      1. at the # type sudo shutdown -r now
    14. Let's test our Samba share
      1. from your Windows PC in a DOS window type net use x: \\192.168.1.100\PiShare
      2. you will be prompted for the user ID and password you set above
      3. If all went well during the Samba install it will connect and you can type dir X: and it should show you an empty directory.  At a later step this is where all of the OpenVPN certificates will be copied for retrieval.
  2. restart your MobaXterm session

  1. Install & configure OpenVPN on the Raspberry PI
    1. at the $ type curl -L https://install.pivpn.io | bash
    2. It will start asking you questions, respond appropriately - I am not an expert on OpenVPN so I mostly choose defaults with exceptions noted below.
    3. For IP address go ahead and tell it to make the address static.  The reservation in the router won't hurt
    4. When you reach the Default OpenVPN Port I strongly encourage you to pick some other random port to make it harder for the bad guys to know that you're running a VPN server. Make note of the port # you choose; you will need it later to set up port forwarding on your router.
    5. I kept the default 2048-bit encryption
      1. It will spend some time generating the initial keys (~20 minutes)
      2. file will be stored here:  /etc/openvpn/easy-rsa/pki/dh.pem
    6. While you wait open a notepad or some other text editor on your PC and make a list of all of the clients that you want to generate VPN certificates for.  You are strongly encouraged to generate a unique key for each client.  This allows you the ability to revoke a certificate if the device is lost
    7. Once it's done, you will be prompted whether the clients will use a Public IP or DNS Name to connect to the server, choose DNS entry unless your broadband connection has a statically defined IP address.  
    8. type in the dynamic DNS name in "public dns name"
    9. Choose Google for your upstream DNS provider
    10. The install will finish and you will be prompted to reboot, go ahead and do so
  2. While the PI is rebooting set up port forwarding in your router using the port # you noted above



  1. Now we will create client certificates (for help type pivpn help, install log is in /etc/pivpn)
    1. at the $ type pivpn add nopass  (we're not going to password protect the certificates, your choice)
    2. type the name of your client, for this document, I used test
    3. The following will be generated (and will be located in /home/pi/ovpns):
      1. Client's cert found: test.crt
      2. Client's Private Key found: test.key
      3. CA public Key found: ca.crt
      4. tls-auth Private Key found: ta.key
      5. packaged up all neat and tidy in a file called test.ovpn 
    4. Before we go any further let's validate the test.ovpn file
      1. For this I'm going to test on my android phone
      2. copy the test.ovpn file from where it was generated to the share directory
        1. from the $ type cp ovpns/test.ovpn share
        2. to confirm, from the $ type ls share, you should see: test.ovpn
      3. from windows copy from the PiShare to someplace where you can get to the .ovpn file from your device, I put it in my Download directory on my phone
      4. copy the .ovpn file to your Android device (I'm partial to Solid Explorer)
      5. Turn off your phone's WiFi to force the connection through the cellular network (not absolutely necessary as it should work on the local network as well)
      6. start OpenVPN client and import a new configuration
      7. Toggle the connection, you should connect 
      8. Once you confirm that everything is working proceed to generate the rest of your device certificates
    5. repeat for each device certificate until done
  2. Don't forget to port forward if you have not already done so!
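Before a freshly generated profile is dropped on the Samba share for the Windows PC to pick up, a practitioner would want two checks that the post does not spell out: that the .ovpn actually carries everything the client needs (inline CA, cert, key and the tls-auth key, plus a remote line pointing at the port that was forwarded on the router), and that the copy sitting on the share is readable only by its owner, since every account holding the Samba password can read that directory. The script below is an added example, not part of the post above and not part of PiVPN; it assumes a PiVPN-style inline .ovpn, a hypothetical non-default port 51194 and a share directory like ~/share. The sample profile it builds is constructed, with placeholder PEM bodies instead of real key material, so it runs offline.

```bash
#!/bin/sh
# Added example (not from the original post or from PiVPN): sanity-check a
# client profile before it goes onto the Samba share, then stage it with
# permissions that only the staging user can read.
# Assumptions: the profile is an inline .ovpn as PiVPN writes it, the VPN
# listens on the hypothetical non-default port 51194, and the share
# directory is ~/share as in the post.

# Build a constructed sample profile so the script runs offline. The PEM
# bodies are placeholders, not real certificates or keys.
make_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 51194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
constructed-placeholder
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
constructed-placeholder
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
constructed-placeholder
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Print the port from the first "remote <host> <port>" line, or nothing.
profile_remote_port() {
    awk '$1 == "remote" { print $3; exit }' "$1"
}

# Return 0 when the profile has everything a client needs and its remote
# port matches the port forwarded on the router ($2); otherwise print
# each problem found and return 1.
check_ovpn_profile() {
    profile=$1
    expected_port=$2
    ok=0
    grep -q '^client$' "$profile" || { echo "missing: client"; ok=1; }
    grep -q '^remote-cert-tls server$' "$profile" \
        || { echo "missing: remote-cert-tls server"; ok=1; }
    for tag in ca cert key; do
        grep -q "^<$tag>$" "$profile" && grep -q "^</$tag>$" "$profile" \
            || { echo "missing: inline <$tag> block"; ok=1; }
    done
    if ! grep -q '^<tls-auth>$' "$profile" && ! grep -q '^<tls-crypt>$' "$profile"; then
        echo "missing: tls-auth or tls-crypt key"; ok=1
    fi
    port=$(profile_remote_port "$profile")
    [ "$port" = "$expected_port" ] \
        || { echo "remote port is '$port', expected $expected_port"; ok=1; }
    return $ok
}

# Copy the profile into the share so only its owner can read it, and
# print the resulting permission string (expected "-rw-------").
stage_for_share() {
    src=$1
    sharedir=$2
    dst="$sharedir/$(basename "$src")"
    mkdir -p "$sharedir"
    (umask 077 && cp "$src" "$dst") || return 1
    chmod 600 "$dst"
    ls -l "$dst" | cut -c1-10
}

# Demo run against the constructed profile (hypothetical temp paths).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_profile "$tmp/test.ovpn"
    check_ovpn_profile "$tmp/test.ovpn" 51194 \
        && stage_for_share "$tmp/test.ovpn" "$tmp/share"
    rm -rf "$tmp"
fi
```

Run it as sh check_profile.sh demo to see it pass on the constructed profile; on a real PI you would point check_ovpn_profile at /home/pi/ovpns/<name>.ovpn and the port you chose during the PiVPN install. The port comparison catches the common slip of forwarding one port on the router while the profile tells clients another, and the 0600 copy plus deleting the file from the share once Windows has pulled it keeps the client's private key from lingering on a directory that anyone with the Samba password can browse.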
#2
Thx dude, just read it, will attempt tomorrow morning on my unused Pi3. (Googling shows several folks advise against having Synology do double-duty as VPN server and NAS. No idea if they're right, but since I have that Pi3 sitting here from when I thought I'd land a local client I may as well put it to good use.)
------------------------------------
Devices I can't stand and wish I could replace: SmartThings, Hue, Concerto, VRUSB
My vlogs: https://www.youtube.com/c/IVBsHomeAutomation
#3
EDIT: I'm a putz, figured out what I was doing wrong. Suggestion:

Between
7. Once it's done, you will be prompted whether the clients will use a Public IP or DNS Name to connect to the server, choose DNS entry unless your broadband connection has a statically defined IP address.
8. Choose Google for your upstream DNS provider

add in 7.5
"type in the dynamic DNS name in "public dns name"

Also, remind folks to port forward the openVPN port in their router at the end.
#4
IVB, updated text above with your suggestions.

Dean, is there any way to force the forum software not to concatenate consecutive messages from the same person? I'm hosed now on adding more content; I can't add any more to the post above, even though each block is a separate post, because I reached a message size limit. Very very irritating and just plain dumb!
#5
WooHoo, just tried an internal ip address on the phone and it worked! (stopped last night after getting a connection).

Thanks man!
#6
I dropped the adjacent post concatenation time to 1 minute. That will prevent quick followups from taking up unneeded resources, but will allow longer posts to be separated, since presumably it would take longer than a minute to type any reasonably sized post.
Dean Roddey
Software Geek Extraordinaire
#7
Thanks Dean!