To be clear, my goal was to have a Pi VPN server at home that I could connect to as a client while on public wifi networks. Importantly, all of the client's network traffic would be routed through the encrypted VPN connection. The main reason I wanted to post this howto is to make it easier for others who might be facing difficulty trying to do the same thing. I've tried to provide both the rationale behind why something is being done throughout and the relevant citation for those interested in reading more. I've assumed that the starting point is a new version of Raspbian with a strong password and ssh enabled. Also, it is assumed that all commands are entered as root.
- Update and Upgrade:
Enter the following into a terminal:

    sudo -s # rest of the instructions assume you've already done this
    sudo apt-get update
    sudo apt-get upgrade
- Install OpenVPN, make a few changes:
Install OpenVPN with

    sudo apt-get install openvpn

Once installed, copy the easy-rsa directory to /etc/openvpn, because

"it's best to copy this directory to another location such as /etc/openvpn, before any edits, so that future OpenVPN package upgrades won't overwrite your modifications" (from OpenVPN's HOWTO).

That can be done with:

    cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Then:

    nano /etc/openvpn/easy-rsa/vars

Find the export EASY_RSA= line and change it to

    export EASY_RSA="/etc/openvpn/easy-rsa"

(use plain straight quotes; curly quotes pasted from a web page will break the scripts that source this file). If you want, you can also change export KEY_SIZE=1024 to

    export KEY_SIZE=2048

You do want this: 1024-bit RSA keys are no longer considered adequate, and the only cost is that generating the keys and the DH parameters takes longer on the Pi.
- Generate certificate and key:
In the terminal, enter:

    cd /etc/openvpn/easy-rsa
    . ./vars
    ./clean-all
    ./build-ca

After ./build-ca you only need to enter something (for example, "VPNserver") for "Common Name". For everything else you can just press Enter. You'll also have to enter 'y' a couple of times at the end. Note that ./clean-all wipes the keys directory, so don't run it again later unless you mean to start over from a fresh CA.

Now generate a certificate and private server key:

    ./build-key-server server

You can press Enter for everything again, but enter "server" as the common name.

Now create a client:

    ./build-key-pass client1

Press Enter for everything except enter "client1" as the common name and something for the PEM passphrase (you'll be asked for it each time you connect).

Now generate the Diffie-Hellman parameters (this takes a while on a Pi, especially with KEY_SIZE=2048):

    ./build-dh

Then generate a static preshared HMAC key as shown below. We do this "because a server would immediately drop any packet lacking the authentication code computed from the preshared OpenVPN HMAC Key. Furthermore, only clients with the preshared OpenVPN HMAC Key would be able to exchange certificates. Therefore, any attempts at buffer overflow through malicious packet injection or MitM using fake certificates would be defeated as the attacker would be unable to compute a valid authentication code without the OpenVPN HMAC Key." (from Jodoin, "SOHO Remote Access VPN. Easy as Pie, Raspberry Pi ...")

    openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
- Copy files and make a few system changes:
Once that is all complete, ssh into the client from the Pi and securely transfer the files required by the client:

    scp /etc/openvpn/easy-rsa/keys/client1.key user@123.456.789.101:/home/user/
    scp /etc/openvpn/easy-rsa/keys/client1.crt user@123.456.789.101:/home/user/
    scp /etc/openvpn/easy-rsa/keys/ca.crt user@123.456.789.101:/home/user/
    scp /etc/openvpn/easy-rsa/keys/ta.key user@123.456.789.101:/home/user/

(Replace 123.456.789.101 with the client's address. Only these four files leave the Pi; ca.key and server.key stay on the server.)

Now copy the text from here and save it as /etc/openvpn/server.conf on the Pi server. Remember to look at the file and change values where appropriate before moving on. Specifically, make sure you enter the Pi's LAN address in the correct spot (see comments) and make sure the dh key size is correct (the file is dh2048.pem if you set KEY_SIZE=2048 above, dh1024.pem otherwise).

Now go here and copy/paste the text into a file called client.conf on the client. Remember again to go through this file and make the appropriate changes (see comments). Make sure to copy/paste the entire contents of /etc/openvpn/easy-rsa/keys/ta.key from the server into the <tls-auth> ... </tls-auth> block, and check that the client config sets key-direction 1 (the server side uses direction 0); a wrapped or truncated paste of the key makes the client fail the handshake without an obvious error.
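A quick sanity check for the pasted key, added here as an example (it is not from the original post and not an OpenVPN tool): it verifies that a ta.key has the layout "openvpn --genkey --secret" produces, that is, '#' comment lines, a BEGIN marker, exactly 16 lines of 32 lowercase hex digits (2048 bits) and an END marker. The marker strings and line counts are assumptions about that format; the sample key it writes is constructed for demonstration and must never be used as a real key.

```shell
#!/bin/sh
# Added example (not from the original post): check that a ta.key is a
# complete 2048-bit OpenVPN static key before pasting it into <tls-auth>.
# Assumed layout (from "openvpn --genkey --secret"): '#' comment lines,
# a BEGIN marker, 16 lines of 32 hex digits, an END marker.
set -u

BEGIN_MARK='-----BEGIN OpenVPN Static key V1-----'
END_MARK='-----END OpenVPN Static key V1-----'

# Print only the key lines of FILE: drop '#' comments and the two markers.
ta_key_body() {
    grep -v '^#' "$1" | grep -vx -e "$BEGIN_MARK" -e "$END_MARK"
}

# Return 0 if FILE is a well-formed static key, 1 (with a reason) otherwise.
check_ta_key() {
    f="$1"
    grep -qx -e "$BEGIN_MARK" "$f" || { echo "$f: missing BEGIN marker" >&2; return 1; }
    grep -qx -e "$END_MARK" "$f" || { echo "$f: missing END marker" >&2; return 1; }
    n=$(ta_key_body "$f" | grep -c .)
    [ "$n" -eq 16 ] || { echo "$f: expected 16 key lines, found $n" >&2; return 1; }
    # Any line that is not exactly 32 lowercase hex digits means a wrapped,
    # truncated or edited paste.
    if ta_key_body "$f" | grep -Evq '^[0-9a-f]{32}$'; then
        echo "$f: a key line is not 32 lowercase hex digits (wrapped paste?)" >&2
        return 1
    fi
    return 0
}

# write_sample_key FILE: a constructed, obviously fake key with the right
# layout, for demonstration only. Never use it as a real ta.key.
write_sample_key() {
    {
        echo '#'
        echo '# 2048 bit OpenVPN static key'
        echo '#'
        echo "$BEGIN_MARK"
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%032x\n' "$i"      # 32 hex digits = 128 bits per line
            i=$((i + 1))
        done
        echo "$END_MARK"
    } > "$1"
}

# Usage: sh check-ta-key.sh /etc/openvpn/easy-rsa/keys/ta.key
if [ -n "${1:-}" ]; then
    check_ta_key "$1" && echo "$1: OK"
fi
```

Run it against the server's ta.key and again against the block you pasted into client.conf (save the pasted lines to a file first); both must pass before you bother debugging anything else.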
Now, back on the server:

    nano /etc/sysctl.conf

find and uncomment this line:

    #net.ipv4.ip_forward=1

then,

    sysctl -p

Now, reboot the Pi.

Then enter:

    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
    service openvpn restart

The commands above assume the Pi is connected through an ethernet cable. If the Pi is connected wirelessly, the interface is probably wlan0, not eth0, so change that if necessary in the above commands. 10.8.0.0/24 is the VPN subnet from server.conf and 192.168.0.0/24 is the Pi's LAN; adjust both if yours differ. Note that these commands only add ACCEPT rules and leave the default policies alone, so they open up the VPN without tightening anything else, and that they will have to be entered each time the Pi reboots unless you save them (for example with iptables-save, restored at boot by the iptables-persistent package). If you get an error like this:

    "iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded."

then see the section below on how to fix it (I had to do this).
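The rules above as a script, added here as an example rather than taken from the post: it takes the WAN interface, VPN subnet and port as arguments (so the eth0/wlan0 edit is a parameter instead of a search-and-replace), checks each rule with -C before appending it so running it twice does not duplicate rules, rejects a mistyped subnet before iptables fails half-way through, and saves the result to /etc/iptables/rules.v4 for iptables-persistent to reload at boot. DRY_RUN=1 prints the commands instead of running them; the path, the argument layout and the helper names are this example's own assumptions, and the redundant conntrack NEW forward rule from the post is folded into one rule that does the same thing.

```shell
#!/bin/sh
# Added example (not part of the original post): installs the post's
# iptables rules for the routed OpenVPN server idempotently and persists
# them. Assumptions not in the post: subnet/port/interface are arguments,
# and persistence goes through iptables-persistent's /etc/iptables/rules.v4.
set -u
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Interface that carries the default route (eth0 on cable, wlan0 on wifi).
wan_iface() {
    ip -o route show default | awk '{ print $5; exit }'
}

# Reject a malformed CIDR before iptables fails half-way through the rule set.
is_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# add_rule TABLE CHAIN RULE...: append RULE to CHAIN unless an identical rule
# is already present (-C), so the script is safe to run repeatedly.
add_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t $table -A $chain $*"
    else
        iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
            iptables -t "$table" -A "$chain" "$@"
    fi
}

# vpn_rules WAN_IFACE VPN_SUBNET PORT: the post's rule set, parameterised.
# Only ACCEPT and MASQUERADE rules are added; default policies are untouched.
vpn_rules() {
    wan="$1"; vpn="$2"; port="$3"
    is_cidr "$vpn" || { echo "bad VPN subnet: $vpn" >&2; return 1; }

    # Let OpenVPN handshakes in on the WAN side and allow tunnel traffic locally.
    add_rule filter INPUT -i "$wan" -p udp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    add_rule filter INPUT -i tun+ -j ACCEPT
    add_rule filter OUTPUT -o tun+ -j ACCEPT

    # Forward client traffic out of the WAN interface and let replies back in.
    add_rule filter FORWARD -i tun+ -o "$wan" -s "$vpn" -j ACCEPT
    add_rule filter FORWARD -i "$wan" -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Hide VPN clients behind the Pi's own address (the post's MASQUERADE rule).
    add_rule nat POSTROUTING -s "$vpn" -o "$wan" -j MASQUERADE
}

# Usage (as root): sh vpn-firewall.sh apply [wan_iface]
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    vpn_rules "${2:-$(wan_iface)}" 10.8.0.0/24 1194 || exit 1
    mkdir -p /etc/iptables
    iptables-save > /etc/iptables/rules.v4   # reloaded at boot by iptables-persistent
fi
```

Run "DRY_RUN=1 sh vpn-firewall.sh apply" first to see exactly which rules would be added, then "sh vpn-firewall.sh apply" as root; because every rule goes through -C, re-running after a config change only appends what is missing.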
Make sure that port forwarding is set up on your router - port 1194 UDP should be forwarded to the Pi's LAN address.

- Connect client and verify that traffic is being routed through VPN:
Then go to your client machine and connect:

    sudo openvpn /home/user/client.conf

If it was successful, you should see a message saying

    Initialization Sequence Completed

On your client make sure your web traffic is being routed through the VPN by doing

    traceroute www.google.com

The first hop should be

    1 10.8.0.1 (10.8.0.1)

Using this setup, I verified with Wireshark that all web traffic was being routed through the VPN server (except DNS). DNS queries keep going to whatever resolver the public network handed the client unless server.conf pushes a resolver to the client (push "dhcp-option DNS <address>") and the client actually applies it, so check that separately if it matters to you.
- That's it! With this basic setup you can do your own customization/security hardening.
Fix for the iptables 'nat' table error mentioned above: the kernel is missing the NAT module, so update the kernel and firmware with rpi-update and reboot (note that rpi-update installs the latest firmware/kernel, not the stable package version):

    sudo apt-get install rpi-update
    sudo SKIP_BACKUP=1 rpi-update