How to set up a Raspberry Pi VPN server

[rmurr]

After a lot of frustration, I've finally set up a working TLS VPN server with the Raspberry Pi. Initially I had set up a Static Key server which worked nicely, but I decided that a TLS server would be better because of the disadvantages associated with the former. There are a lot of tutorials out there on how to do this, but I didn't find one complete solution that worked for me in any once place; in the end, the solution I found came from a few different sources. Among them, [url=hhttp://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing]this[/url] from readwrite, a great paper by Eric Jodoin, and the OpenVPN website's HOWTO.

To be clear, my goal was to have a Pi VPN server at home that I could connect to as a client while on public wifi networks. Importantly, all of the client's network traffic would be routed through the encrypted VPN connection. The main reason I wanted to post this howto is to make it easier for others who might be facing difficulty trying to do the same thing. I've tried to provide both the rationale behind why something is being done throughout and the relevant citation for those interested in reading more. I've assumed that the starting point is a new version of Raspbian with a strong password and ssh enabled. Also, it is assumed that all commands are entered as root.

1. Update and Upgrade:
   
   Enter the following into a terminal:

   Code: Select all

   sudo -s  #  **rest of the instructions assume you've already done this
   sudo apt-get update
   sudo apt-get upgrade

2. Install OpenVPN, make a few changes:
   Install OpenVPN with

   Code: Select all

    sudo apt-get install openvpn 

   Once installed, move the easy-rsa directory to /etc/openvpn, because,

   it's best to copy this directory to another location such as /etc/openvpn, before any edits, so that future OpenVPN package upgrades won't overwrite your modifications (from OpenVPN's HOWTO).

   
   That can be done with:

   Code: Select all

   cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

   Then:

   Code: Select all

   nano /etc/openvpn/easy-rsa/vars
   

   Find the export EASY_RSA= line and change it to

   Code: Select all

   export EASY_RSA=”/etc/openvpn/easy-rsa” 

   If you want, you can also change export KEY_SIZE=1024 to

   Code: Select all

   export KEY_SIZE=2048

3. Generate certificate and key:
   In the terminal, enter:

   Code: Select all

   cd /etc/openvpn/easy-rsa
   . ./vars
   ./clean-all
   ./build-ca
   

   After ./build-ca you only need to enter something (for example, "VPNserver") for "Common Name". For everything else you can just press Enter. You'll also have to enter 'y' a couple of times at the end.
   Now generate a certificate and private server key:

   Code: Select all

   ./build-key-server server
   

   You can press Enter for everything again, but enter "server" as the common name.
   Now create a client:

   Code: Select all

   ./build-key-pass client1
   

   Press Enter for everything except enter "client1" as the common name and something for the PEM passphrase (you'll be asked that when you log in).
   Now,

   Code: Select all

   ./build-dh
   

   Then generate a static preshared HMAC Key as shown below. We do this

   "because a server would immediately drop any packet lacking the authentication code computed from the preshared OpenVPN HMAC Key.
   Furthermore, only clients with the preshared OpenVPN HMAC Key would be able to exchange certificates.
   Therefore, any attempts at buffer overflow through malicious packet injection or MitM using fake certificates would be defeated as the attacker would be unable to compute a valid authentication code without the OpenVPN HMAC Key." from Jodoin "SOHO Remote Access VPN. Easy as Pie, Raspberry Pi ..."

   Code: Select all

   openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
   

4. Copy files and make a few system changes:
   Once that is all complete, ssh into the client from the Pi and securely transfer the files required by the client:

   Code: Select all

   scp /etc/openvpn/easy-rsa/keys/client1.key user@123.456.789.101:/home/user/
   scp /etc/openvpn/easy-rsa/keys/client1.crt user@123.456.789.101:/home/user/
   scp /etc/openvpn/easy-rsa/keys/ca.crt user@123.456.789.101:/home/user/
   scp /etc/openvpn/easy-rsa/keys/ta.key user@123.456.789.101:/home/user/
   

   Now copy the text from here and save it as /etc/openvpn/server.conf on the Pi server. Remember to look at the file and change values where appropriate before moving on. Specifically, make sure you enter the Pi's LAN address in the correct spot (see comments) and make sure the dh key size is correct.
   Now go here and copy/past the text into a file called client.conf on the client. Remember again to go through this file and make the appropriate changes (see comments). Make sure to copy/paste the entire contents of /etc/openvpn/easy-rsa/keys/ta.key from the server into the <tls-auth> ... </tls-auth> block.
   Now, back on the server:

   Code: Select all

   nano /etc/sysctl.conf
   

   find and uncomment this line:

   Code: Select all

   #net.ipv4.ip_forward=1
   

   then,

   Code: Select all

   sysctl -p
   

   Now, reboot the Pi.
   Then enter:

   Code: Select all

   iptables -A INPUT -i tun+ -j ACCEPT
   iptables -A OUTPUT -o tun+ -j ACCEPT
   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
   iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
   iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
   iptables -A FORWARD -i tun+ -j ACCEPT
   iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
   service openvpn restart
   

   If the Pi is connected wirelessly, the interface is probably wlan0, not eth0, so change that if necessary in the above commands. Note that these commands will have to be entered each time the Pi reboots. The commands above assume the Pi is connected through an ethernet cable. If you get an error like this:

   Code: Select all

   "iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.":
   

   then see the section below on how to fix it (I had to do this).
   Make sure that port forwarding is set up on your router - port 1194 UPD should be forwarded to the Pi's LAN address.
5. Connect client and verify that traffic is being routed through VPN:
   Then go to your client machine and connect:

   Code: Select all

   sudo openvpn /home/user/client.conf
   

   If it was successful, you should see a message saying

   Code: Select all

   Initialization Sequence Completed
   

   On your client make sure your web traffic is being routed through the VPN by doing

   Code: Select all

   traceroute www.google.com
   

   The first step should be

   Code: Select all

   1  10.8.0.1 (10.8.0.1)
   

   Using this setup, I verified with Wireshark that all web traffic was being routed through the VPN server (except DNS).
6. That's it! With this basic set up you can do your own customization/security hardening

If you see that iptables error:

Code: Select all

sudo apt-get install rpi-update
sudo SKIP_BACKUP=1 rpi-update

fixed the problem for me.

[chris48083]

Hey rmurr --

When I do './clean-all' I get -

Code: Select all

Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration

Thoughts? I did the '. ./vars' first? I also tried 'source ./vars/' to no avail...

-CW

[rmurr]

Did you do

Code: Select all

 
sudo -s

first?

[chris48083]

Ah ha - right. That whole bit....

Sorry for the silly 'I already answered your question' question..

[gkreidl]

The Heartbleed bug has been fixed in Raspbian. You should fix that in your tutorial (and simplify it).

[rpdom]

The Heartbleed bug has been fixed in Raspbian. You should fix that in your tutorial (and simplify it).

Yes, there is no need to use packages from jessie.

The "e" version currently in Wheezy has had the patches applied to fix the bug. Just look for the "+deb7uXX" (where XX is 10 or later) on the end of the package version.

Code: Select all

pi@raspberrypi:~$ apt-cache policy openssl | grep Installed
  Installed: 1.0.1e-2+rvt+deb7u10

[rmurr]

Thanks - fixed.

[rpdom]

[link redacted] check out this link.hope its usefull!!!

Please stop spamming this link around the forums. It has nothing to do with the subject of this post.

[RiverRat]

Thanks, rmurr, for putting this together.

I'm working my way through things and I think I'm done with the server side of things, but when I use the CanYouSeeMe.org open port check tool, I get a closed port. I think that the server needs to be running and actively accepting connections on that port for it to give me an "open" result, so I want to make sure I have things set up correctly. The main place I can see a potential for a mistake is when editing server.conf, I plug my public IP in in place of -PI-LAN-IP, correct? Not the local LAN IP. That should give me something like:

Code: Select all

push "route xxx.xxx.xxx.xxx 255.255.255.0" 

Unless that leading hyphen needs to be there...

I've rebooted and done the iptables, but still no luck.

If working, port forwarding should get me from point A to point B. I have a feeling that my ISP is playing shenanigans with blocking ports, but I'm not sure.

[rmurr]

Riverrat,

The line in server.conf should look like this:

Code: Select all

 push "route 192.168.1.8 255.255.255.0" 

in this case, 192.168.1.8 would be the PI VPN server's LAN address.

Also, I tested my port 1194 on that tool while the server was running and I got a port closed due to time out message as well. This might be due to the server dropping any packet not containing the authentication code derived from the HMAC key.

[jjbrock7]

For some reason I do not have permission to do anything the /etc folder.. therefore cannot put the .opvn file opr any easy-rsa stuff either.. please help, thanks

[gkreidl]

For some reason I do not have permission to do anything the /etc folder.. therefore cannot put the .opvn file opr any easy-rsa stuff either.. please help, thanks

did you use sudo?

[jjbrock7]

did you use sudo?[/quote]


Yes I used sudo

[joeyboon]

I think I have the same problem.

Iv'e been trying to do this: http://readwrite.com/2014/04/10/raspber ... b-browsing VPN tutorial for my Raspberry Pi. I've only gotten as far as the install command (all preceding steps where successful). After installation with the command

Code: Select all

sudo apt-get install openvp

(which seems to be working fine)it asks me if i want to give up some space on the SD-card for OpenVPN (of course). Also works fine, but then everything goes horribly wrong

The next step is copying a default config file to the correct folder with the command

Code: Select all

cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

But it returns an error cp: target/etc/openvpn/easy-rsa' is not a directory`. On closer inspection with Fugu the designated folder"/etc/openvpn/easy-rsa" indeed is not there. In fact the openvpn folder is empty except for one file called "update-resolve-conf". I'm fairly new to linux in general and don't know what to do. Hope you guys can help me out.

If you need any further info to be of assistance just ask! Thanks in advance!

[mikecay]

Hi,
I thought this was going to be the missing link to my problems but that does not seem to be the case. I also followed many of the links you quote at the top of your post but in all cases I am able to connect to my VPN server but I am not able to access any of my internal servers, which are on the same subnet as my VPN server. When I saw the routing table entries you had, which others do not have, I thought that was it, but I still cannot access any of my internal machines. I am trying to access my internal network via my cell phone that is running FEAT VPN (http://www.featvpn.com). I have to run FEAT VPN on my cell because I am running an older version of Andoid and the OpenVPN client is not compatible with it. Does anyone know if in fact the above configuration works with a cell over 3G? Give that I can access my VPN server and validate it in the logs, I figure this must be a routing problem but I cannot figure it out for the life of me.

Thank you,

Mike

[AndrewJB]

Going to be following this guide in next few days, I tried to follow the readwrite one but it didn't seem to work.

[john564]

What version of openvpn are you using

Check with

Code: Select all

sudo openvpn --version

I understand we should be using 2.3.4

[Rubicobra]

I had Openvpn up and running for months, however it stopped working recently. I checked and I'm using version 2.2.1 How would I go about updating to the latest version?

Thanks

[asher95]

when i do this step:
cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
it wont copy anything over as it cant find the directory, also when i do these steps it says permission denied
./clean-all
./build-ca

p.s. i manually created this file path using filezilla and copied everything over but no luck.

[pitosporum]

Wear all day with this tutorial, I find very interesting .
What I have almost finished but I've stuck and can not find the solution to this.
Running from the client:

root@VirtualBoxdebian:/home/jmperez# sudo openvpn client.conf
Wed Nov 26 18:17:26 2014 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Wed Nov 26 18:17:26 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
Wed Nov 26 18:17:43 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Nov 26 18:17:43 2014 WARNING: file '/home/jmperez/client1.key' is group or others accessible
Wed Nov 26 18:17:43 2014 Control Channel Authentication: tls-auth using INLINE static key file
Wed Nov 26 18:17:43 2014 LZO compression initialized
Wed Nov 26 18:17:44 2014 RESOLVE: Cannot resolve host address: <192.168.1.42>: [HOST_NOT_FOUND] The specified host is unknown.
Wed Nov 26 18:17:44 2014 RESOLVE: Cannot resolve host address: <192.168.1.42>: [HOST_NOT_FOUND] The specified host is unknown.
Wed Nov 26 18:17:49 2014 RESOLVE: Cannot resolve host address: <192.168.1.42>: [HOST_NOT_FOUND] The specified host is unknown.
Wed Nov 26 18:17:54 2014 RESOLVE: Cannot resolve host address: <192.168.1.42>: [HOST_NOT_FOUND] The specified host is unknown.

The ping command from client to the direction of raspberry ( 192.168.1.42 ) responds perfectly .
I need help!!

[joakimb]

Hi. I have followed the tutorial, had a failed connecting and after that remade the entire tutorial. I still get the same error. when trying to connect to the vpn I get this log on the client:

Code: Select all

2014-12-10 13:39:41 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2014-12-10 13:39:41 Control Channel Authentication: tls-auth using INLINE static key file
2014-12-10 13:39:41 UDPv4 link local: [undef]
2014-12-10 13:39:41 UDPv4 link remote: [AF_INET]<my raspi IP>
2014-12-10 13:39:41 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<my raspi IP>
2014-12-10 13:39:43 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<my raspi IP>
2014-12-10 13:39:47 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<my raspi IP>
2014-12-10 13:39:55 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<my raspi IP>
2014-12-10 13:40:11 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<my raspi IP>
2014-12-10 13:40:41 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2014-12-10 13:40:41 TLS Error: TLS handshake failed

And this log on the server:

Code: Select all

Wed Dec 10 13:38:27 2014 OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec  1 2014
Wed Dec 10 13:38:27 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 10 13:38:27 2014 TUN/TAP device tun0 opened
Wed Dec 10 13:38:27 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Dec 10 13:38:27 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Wed Dec 10 13:38:27 2014 GID set to nogroup
Wed Dec 10 13:38:27 2014 UID set to nobody
Wed Dec 10 13:38:27 2014 UDPv4 link local (bound): [undef]
Wed Dec 10 13:38:27 2014 UDPv4 link remote: [undef]
Wed Dec 10 13:38:27 2014 Initialization Sequence Completed
Wed Dec 10 13:39:41 2014 130.235.136.24:62045 Re-using SSL/TLS context
Wed Dec 10 13:39:41 2014 130.235.136.24:62045 LZO compression initialized
Wed Dec 10 13:39:41 2014 130.235.136.24:62045 TLS Error: reading acknowledgement record from packet
Wed Dec 10 13:39:43 2014 130.235.136.24:62045 TLS Error: reading acknowledgement record from packet
Wed Dec 10 13:39:47 2014 130.235.136.24:62045 TLS Error: reading acknowledgement record from packet
Wed Dec 10 13:39:55 2014 130.235.136.24:62045 TLS Error: reading acknowledgement record from packet
Wed Dec 10 13:40:11 2014 130.235.136.24:62045 TLS Error: reading acknowledgement record from packet
Wed Dec 10 13:40:41 2014 130.235.136.24:54681 Re-using SSL/TLS context
Wed Dec 10 13:40:41 2014 130.235.136.24:54681 LZO compression initialized
Wed Dec 10 13:40:41 2014 130.235.136.24:54681 TLS Error: reading acknowledgement record from packet
Wed Dec 10 13:40:41 2014 130.235.136.24:62045 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 10 13:40:41 2014 130.235.136.24:62045 TLS Error: TLS handshake failed
Wed Dec 10 13:40:43 2014 130.235.136.24:54681 TLS Error: reading acknowledgement record from packet
Wed Dec 10 13:40:47 2014 130.235.136.24:54681 TLS Error: reading acknowledgement record from packet
Wed Dec 10 13:40:55 2014 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 10 13:41:11 2014 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Dec 10 13:41:41 2014 130.235.136.24:54681 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 10 13:41:41 2014 130.235.136.24:54681 TLS Error: TLS handshake failed

Can someone tell me what I am doing wrong?

[stetim94]

@joakimb which version of openvpn are you using?

Code: Select all

openvpn --version

i am having the exact same problem, maybe we can figure it out together?

this error you have:
2014-12-10 13:39:41 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<my raspi IP>

i have there the IP adress of my router (http://www.whatismyip.com) instead of <my raspi IP> because i had the impression that the 4th line of client.conf should have your routers public ip adress not your pi's.

Where is the openvpn.conf (the file with the error messages) on the raspberry pi? i can't find it

[coder36]

I've created a scripted install of an OpenVPN server. For added security, I've enabled 2 factor authentication using google authenticator:

http://coder36.blogspot.co.uk/2014/12/r ... oogle.html

The scripted install uses ansible (which is big in the devops world) to automate the install and configuration. If you look through the corresponding github project https://github.com/coder36/raspi-ansible, you can see the openvpn config files. There is also a working set of x509 certificates and private keys which you can use as a reference.

[PeterBij]

Maybe off-topic, but I have a question:
after installation and working device, how will the raspbery + VPN server react after an unexpected power-down situation?

does the Rasp auto-reboot and startup the VPN server automatically?
Or if not, what should I do to make that happen.
Is very useful of course when your on holidays, and you have had a general power failure in the neighbourhood.

[joakimb]

@stetim94

the logs are at /var/log/openvpn.log. I managed to solve the problem this way: http://superuser.com/questions/850865/t ... -on-debian