Just last week I was setting up IP cameras at home and connecting the irrigation controller to the network, and I was opening my network up to the internet WAY too much. (I was port forwarding all kinds of ports.) To reduce that exposure I decided to set up a VPN tunnel that I could easily connect to and that would give me access to my local network. In a nutshell, instead of opening numerous ports on my router for every device I wanted remote access to, I opened up 1 single port for the VPN and used OpenVPN software on my phone to connect back. Once connected, it behaves as if I were at home and connected locally.

This post will go through the basics of setting up a simple VPN server on a cheap Raspberry Pi. This example uses the older RPi 2, which is more than sufficient for accessing a few IP cameras and other devices remotely.

The Hardware you will need to gather

  • RPi 2 or 3.
  • Ethernet cable
  • HDMI Cable
  • Keyboard/Mouse
  • 8Gb SD Card

PREREQUISITE SETUP – Because we need to get ourselves ready!

The first step is to prepare the SD card for the Pi. A 4 or 8Gb SD card will be suitable for the PiVPN installation.

You will first need to download the latest Raspbian Lite image (we do not require the GUI for PiVPN) and a copy of Etcher. Etcher will allow you to install and prepare your SD card. It is super easy to use.

Select Image > Select SD card (make sure you select the correct drive) > Click Flash.

  1. Select your copy of Raspbian Lite
  2. Select the correct drive you want to install the image on. Be sure it is the correct drive, as the drive will be formatted first and all data on it lost.
  3. Select Flash. You may get a Windows prompt to elevate permissions to administrator.
  4. Assuming no errors were found, you can now take the SD card and insert it into the Pi.

How to setup SSH for remote access from our PC

We have chosen to run the Lite version of Raspbian because we do not require the additional overheads of the GUI. The VPN server will sit hidden away and we will connect to it via SSH if we need to. The problem is that SSH is not enabled by default, so we need the HDMI cable, a monitor and a keyboard to change this first.

Insert the SD card we just made into the Pi and connect the HDMI cable to your monitor. We now need to power up the Pi. You should see the Pi initialize and on first run it may reboot once. The first thing you will have to do is log into the Pi. The default login is:

  • Username: pi
  • Password: raspberry

Viewing the Pi via the HDMI cable and using the connected keyboard and mouse is a PITA. This is why we are setting up SSH, so we can go back to our computer and do all the configuration from the comfort of our home PC.

At this stage we need to enable SSH. To do this type:

sudo raspi-config

  1. Select “P2 SSH”
  2. Select “YES” to enable SSH
  3. You will get a confirmation saying SSH is enabled. From this point, all our configuration will be done via PuTTY. PuTTY is an SSH/Telnet client that allows us to connect to the Pi via the SSH protocol. This is common for accessing Linux machines. You can get PuTTY here: http://www.putty.org/

How to find the IP address of our Pi so that we can SSH to it

You should still be logged into the Pi. Go back to the command line and type:

ifconfig

We need this IP address so that we can log into the Pi via SSH. Look for eth0 and browse across until you see ‘inet’. This is the IP address we require. In this case the Pi IP address is: 192.168.1.154 – Write this down or remember it.

Open PuTTY and SSH into the Pi

Enter the IP address of the Pi from the ‘ifconfig’ command, then click OPEN. You may be asked to accept some authentication keys. You only need to do this once. You will now be greeted with a login screen similar to the previous one.

Login as per usual.

Username: pi

Password: raspberry

If you find that some of your keyboard strokes are not the same as mine, you may need to go back into raspi-config and change the localization settings or keyboard options. It also cannot hurt to extend the size of the file system. This will allow the Raspbian build to utilize the full size of the SD card.

PiVPN INSTALL – Now that we are setup, it’s time to install and setup!

Now to installing PiVPN. If you are looking at installing PiVPN, then you have probably already been to the website. I just want to mention that installing software like this could be dangerous if it is not from a trusted source. Basically we are telling the Pi to run a heap of commands that are located on the internet. Be sure to check the source first to ensure it is reputable.

The command we are going to run is:

curl -L https://install.pivpn.io | bash
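
An added example, not part of the original post or the PiVPN project: instead of piping the download straight into bash, save the installer, read it, record its SHA-256, and run only the copy you reviewed. The function names and the /tmp path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: fetch, review, then run, instead of "curl ... | bash".
# Function names and file paths are hypothetical, not part of PiVPN.

# Print the hex SHA-256 digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Download URL to OUTFILE. HTTPS only, including across redirects,
# and fail on HTTP errors instead of saving an error page.
fetch_installer() {
    case "$1" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 2 ;;
    esac
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         -o "$2" "$1"
}

# Run FILE with bash only if its digest equals the one recorded after review.
run_if_reviewed() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1" >&2
        echo "  reviewed: $2" >&2
        echo "  on disk:  $actual" >&2
        return 1
    fi
    bash "$1"
}

# Typical session on the Pi:
#   fetch_installer https://install.pivpn.io /tmp/pivpn-install.sh
#   less /tmp/pivpn-install.sh          # read what it is going to do
#   sha256_of /tmp/pivpn-install.sh     # note the digest of what you read
#   run_if_reviewed /tmp/pivpn-install.sh <digest you noted>
```

The digest check ties the copy that runs to the copy you read, so a file that changed between review and execution is refused.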

If you have not run an ‘apt-get’ update today, the first thing that the software will do is run this for you. This ensures all packages are up to date before installing. After the install process you will see the following configuration screens:

  1. This will install OpenVPN
  2. At this stage you should be thinking about making the address the Pi was given static, or logging into your router and “binding” the DHCP address it was given to the MAC address of the Pi. This will allow the Pi to hold the lease so that its address never changes.
  3. This will change the address. Remember that when it commits the change, your SSH session will drop and you will have to re-establish the session on the new IP address. For now I am going to leave it as 192.168.1.154, as I have bound that IP to the MAC of the Pi on my router.
  4. This screen indicates that you could get IP conflicts if you don’t either bind your IP to the MAC or exclude that IP from DHCP.
  5. This screen is asking you to choose a user to hold your ovpn configs.
  6. If you had other users set up then you would be able to select them here. It is generally good practice to change the users away from the default username and password. For now we will stick with the default.
  7. Because this is our only open facing port, we really should keep all software up to date, including security patches. Why not do this automatically? The exception is if you have some configs that you don’t want messed with, as automatic patches can have a tendency to mess with the compatibility of software at times.
  8. As per the last screen. Do it! Or make sure you keep on top of it manually.
  9. UDP will suffice unless you have any additional configs that require TCP.
  10. If you don’t want anyone sniffing your VPN out on the default port, feel free to change this default port. However, be sure to port forward the new one on your router so that the VPN can be accessed from outside your network. Also remember this port for any config changes that may need to be made.
  11. A second confirmation.
  12. Choose the encryption type for your server. 2048-bit encryption will suffice in most instances.
  13. This screen is indicating the types of keys that will now be generated.
  14. Because the Pi has very little processing power it can take 30-45 minutes for it to create the 2048-bit certificate/key. Go get a coffee! If you had chosen 4096 encryption then you would get the option to download some assistance files from the internet. Otherwise generating a 4096-bit key on a Pi would take a VERY long time.
  15. This screen allows you to set your WAN IP address or set a DDNS account. These can be changed after the fact via the config files; however, because we have a static address at home, I can leave it as the WAN IP. (I have blanked out some of the IP on purpose.)
  16. Here we can set the DNS for our VPN. If you are unsure, just set it to the Google DNS address. (8.8.8.8 Primary, 8.8.4.4 Alternate)
  18. Everyone loves a good reboot! No time like the present.
  19. Just in case you were not sure from the previous screen. Remember that your SSH session will drop during the reboot. Simply re-connect to the same IP address after a few minutes.

At this stage it can’t hurt to upgrade the Raspbian image. Run this command:

sudo apt-get upgrade

This is one of those administration tasks that should be done regularly to keep the Pi image in good working order, unless you are against keeping software up to date or you are running something specific that you cannot afford to have affected by updates.

CREATE A USER – This is how we add clients/ Users to OpenVPN

We now need to configure the server to accept connections from the client devices or computers. To do this we set up a client OpenVPN configuration file (an .ovpn file, to be exact). This client file is loaded onto the device that wants to connect to the VPN tunnel. It stores the config and encryption keys to access the VPN.

  1. If you run the command:

pivpn help

You will be greeted with the list of commands that we can now run on the Pi to configure the clients and do other administration tasks.

  2. Run the command:

pivpn add

This will start the process of creating a client configuration file. You will need to set a password at this point. Ensure you do not forget it, as you will be required to enter it in the client VPN software when we try to connect.

  3. That is it for creating the .ovpn client config file. It can now be found, as indicated, at: /home/pi/ovpns

MOVING THE CLIENT CONFIG – we need to move this config file to our device

In this example we are going to move the configuration file to a Windows PC that we want to be able to access the VPN and the local network. We must now use some additional software to grab the config we just created. In this case we decided to use FileZilla, as the Pi image already has SFTP enabled by default.
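
Because the client file stores the keys for the VPN, it is worth checking it before it leaves the Pi. The following is an added example, not from the original post or the PiVPN project: it reports the server the profile points at, whether the inline private key is passphrase-protected (a PEM block marked ENCRYPTED), and whether the file is readable only by its owner. The function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a client .ovpn profile before copying it off the Pi.
# Function names and the sample profile are constructed, not PiVPN output.

# Print "host port proto" (OpenVPN defaults: port 1194, proto udp).
ovpn_remote() {
    awk '$1 == "remote" { h = $2; p = $3 }
         $1 == "proto"  { pr = $2 }
         END { print h, (p ? p : "1194"), (pr ? pr : "udp") }' "$1"
}

# Print encrypted | plaintext | none for the inline <key> block.
ovpn_key_state() {
    awk '/^<key>/   { inkey = 1; next }
         /^<\/key>/ { inkey = 0 }
         inkey && /BEGIN ENCRYPTED PRIVATE KEY/ { s = "encrypted" }
         inkey && /Proc-Type: 4,ENCRYPTED/      { s = "encrypted" }
         inkey && /BEGIN (RSA |EC )?PRIVATE KEY/ && s == "" { s = "plaintext" }
         END { print (s == "" ? "none" : s) }' "$1"
}

# True when group and other have no permissions on the file.
ovpn_mode_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Summarise the profile; return 1 if something should be fixed first.
audit_ovpn() {
    rc=0
    state=$(ovpn_key_state "$1")
    echo "$1: remote=$(ovpn_remote "$1") key=$state"
    if [ "$state" != "encrypted" ]; then
        echo "  WARN: private key state is '$state' (want encrypted)" >&2
        rc=1
    fi
    if ! ovpn_mode_private "$1"; then
        echo "  WARN: readable by group/other; run: chmod 600 $1" >&2
        rc=1
    fi
    return "$rc"
}

# Write a constructed sample profile with placeholder key material.
# usage: write_sample_ovpn FILE "ENCRYPTED PRIVATE KEY"
write_sample_ovpn() {
    cat > "$1" <<EOF
client
dev tun
proto udp
remote vpn.example.net 1194
<key>
-----BEGIN $2-----
constructed-placeholder-not-a-real-key
-----END $2-----
</key>
EOF
}

# On the Pi:  audit_ovpn /home/pi/ovpns/client1.ovpn
```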

  1. Open Filezilla FTP client. The configuration details that you need to enter in the top for “Quickconnect” are:

Host: 192.168.1.154 (you can prefix it with sftp://, but FileZilla will do this automatically when we select port 22 later)

Username: pi

Password: raspberry

Port: 22 (SFTP default port)

  2. When you hit “Quickconnect” you should see a successful directory listing in the right-hand navigation pane. Navigate your way to the ovpns folder (located in the home directory, if for some reason it did not default to that), then identify the client1.ovpn config file that was created earlier. Download this file to your desktop by clicking on it and dragging it to the left pane. Make sure the area you are dragging it to is your local computer.

CLIENT CONFIG – We need to setup our client now using that file!

We now have a copy of the OpenVPN config file transferred to our client computer. We will need to go ahead and install the OpenVPN client software located here: https://openvpn.net/index.php/open-source/downloads.html

Step through the standard hoops for installing a Windows application.

  1. After the OpenVPN software has been installed, the client1.ovpn config file needs to be copied to the OpenVPN config folder located here: C:\Program Files\OpenVPN\config (for Windows)
  2. Run the OpenVPN software. Most likely it will open to your taskbar.
  3. Right-click the icon in the taskbar and select “Connect”

Enter the password that we set when we added the client to the Pi VPN server.

  4. Once connected you should see the OpenVPN client taskbar icon turn green and the status screen should look like the above.

The VPN server should have setup your routing tables now so that you can access anything inside your local network automatically.

Give it a shot, shoot a ping through to your local router.

What you may also notice is that the VPN tunnel has been assigned a 10.0.8.# address. The VPN server runs its own network for the tunnel with its own DHCP. When another client connects they are allocated another address on this same range. The server looks after the bridging of this network to your own local network.