
Published on 19/03/18 by Tomás Abril


Host a VPN on Raspberry Pi

A Virtual Private Network is a very useful tool to secure internet traffic when using a public or untrusted Wi-Fi network. Remember that the administrator of the network you are connected to can read everything you send over HTTP, and possibly even HTTPS if you accept a security warning.

Software and hardware used:

It turns out that configuring a VPN is not that simple if you do it by hand. The WireGuard VPN seems to be a good solution that's not too hard to configure, but it's not yet in the current Debian stable. So I decided to go for the traditional OpenVPN. The problem is that if you read the wiki page for it, you will see that it's a long process to get it working. Thankfully, someone created a script that does everything that's needed; the downside is that it works only for Raspbian, Debian and a few versions of Ubuntu. But a Raspberry Pi is the perfect low-power, quiet, not too expensive solution to keep running 24/7.

Preparation

The Raspberry has to be with:

These are some pages that may help you with these steps: Installing Raspbian, Configuring SSH securely.

For the VPN to work we will open it to the internet, so it is very important that everything is always kept up to date. Before doing anything, update the system:

$ sudo apt update
$ sudo apt full-upgrade
$ sudo systemctl reboot

Now enable UnattendedUpgrades, a Debian package that automatically installs essential security updates. Even with this enabled, update your system periodically to make sure you are secure; a compromised VPN server can be very dangerous, as the attacker has access to your complete internal network.

$ sudo apt-get install unattended-upgrades apt-listchanges

In the file /etc/apt/apt.conf.d/20auto-upgrades make sure the following lines are present:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Install the openvpn package.

$ sudo apt-get install openvpn

Now we are ready to get started. :)

Installing PiVPN

The installation should be very simple and guide you step by step with a terminal user interface.

To get started, run the command below:

$ curl -L https://install.pivpn.io | bash

After it finishes downloading, the program will configure your IP.

Choose the user to run the server

If you haven't set up unattended upgrades before, it will ask you to do so now. If you already have, you can skip this step.

Choose the protocol for your VPN. UDP is the default and works faster and better; only use TCP if you are sure UDP will be blocked.

Choose a port to run your server. Keeping the default is fine, but if you want to better hide your server the port can be changed. List of TCP and UDP port numbers.

Choose the encryption key size. 1024 is too small; do not choose this option. 4096 is slower and uses more CPU; a 2048-bit key is enough.

Enable elliptic curve support; only disable this option if you will use old client software.

If your ISP gives you a static IP address you can use it now; for home networks you will probably need a dynamic DNS provider. A good one with a free plan is freedns.afraid.org.

Choose the DNS provider for your connection; you can use the one provided by your ISP or another one from the list provided.

We are done! But not quite.

Configuring the firewall

PiVPN automatically detects and configures ufw (the firewall). Let's check the active rules.

$ sudo ufw status verbose

Now we have to change the port forwarding rules (Port Mapping Configuration) in the router. Each model has a different user interface, so I won't show these steps here.

This website is a good resource if you don't know how to configure your router.

Create client configuration

$ pivpn add

This command will create the configuration file for the client. It will ask for a name and a password.

The configuration file is stored in ~/ovpns/

Copy the file to the client and you should be able to connect.
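
To see which profiles in ~/ovpns/ were created with nopass (and so carry an unencrypted private key) and which are readable by other local users, a script like the following can be run on the server. It is an added example, not part of PiVPN or of the original post; it assumes each profile embeds the PEM private key inline between <key> and </key>, and the function names are hypothetical.

```shell
# Audit client profiles created by `pivpn add` (added example).
# Assumption: each .ovpn embeds the PEM private key between <key> and </key>.

# Print "encrypted", "plaintext" or "no-key" for one profile.
key_state() {
    awk '
        /^<key>/   { inkey = 1; next }
        /^<\/key>/ { inkey = 0 }
        !inkey     { next }
        /BEGIN ENCRYPTED PRIVATE KEY/ { enc = 1 }   # PKCS#8 with passphrase
        /^Proc-Type: 4,ENCRYPTED/     { enc = 1 }   # legacy PEM with passphrase
        /BEGIN .*PRIVATE KEY/         { seen = 1 }
        END {
            if (!seen)    print "no-key"
            else if (enc) print "encrypted"
            else          print "plaintext"
        }' "$1"
}

# Print "exposed" if group or others can read the file, else "private".
perm_state() {
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo exposed
    else
        echo private
    fi
}

# One line per profile: name, key state, permission state.
audit_ovpns() {
    dir="${1:-$HOME/ovpns}"   # default is the directory named on this page
    for f in "$dir"/*.ovpn; do
        [ -e "$f" ] || continue
        printf '%s\t%s\t%s\n' "${f##*/}" "$(key_state "$f")" "$(perm_state "$f")"
    done
}

# Constructed sample profiles; the key bodies are placeholders, not real keys.
demo_dir=$(mktemp -d)
printf '%s\n' client 'dev tun' '<key>' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
    'CONSTRUCTED' '-----END ENCRYPTED PRIVATE KEY-----' '</key>' > "$demo_dir/laptop.ovpn"
printf '%s\n' client 'dev tun' '<key>' '-----BEGIN PRIVATE KEY-----' \
    'CONSTRUCTED' '-----END PRIVATE KEY-----' '</key>' > "$demo_dir/phone.ovpn"
chmod 600 "$demo_dir/laptop.ovpn"
chmod 644 "$demo_dir/phone.ovpn"
audit_ovpns "$demo_dir"
```

A profile reported as plaintext or exposed can be revoked with pivpn revoke and created again with a password.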

Client Software

To connect from a Linux machine, import the .ovpn file in the NetworkManager VPN interface.

To connect from Android, use the official OpenVPN client, OpenVPN Connect, to import the file.

The pivpn command

::: Control all PiVPN specific functions!
:::
::: Usage: pivpn command [option]
:::
::: Options:
:::  -a, add [nopass]     Create a client ovpn profile, optional nopass
:::  -c, clients          List any connected clients to the server
:::  -d, debug            Start a debugging session if having trouble
:::  -l, list             List all valid and revoked certificates
:::  -r, revoke           Revoke a client ovpn profile
:::  -h, help             Show this help dialog
:::  -u, uninstall        Uninstall PiVPN from your system!