
Turn A Raspberry Pi Into A VPN To Access Your Network From Anywhere

Posted by nik on April 4, 2018

Why Use A VPN To Access Your Home

There are plenty of reasons that you’d want to access your home network remotely, and the best way to do that is with a VPN server. Some routers actually let you set up a VPN server directly within the router, but in a lot of cases, you’re going to need to set one up yourself.

A Raspberry Pi is a great way to accomplish this. They don’t require a lot of energy to run, and they have enough power to run a VPN server. You can set one up next to your router and basically forget about it.

When you have access to your home network remotely, you can get to your files from anywhere. You can run your home computers remotely. You can even use your home’s VPN connection from the road. A setup like this lets your phone, tablet, or laptop act just like it was at home from anywhere.

Set Up The Pi

Before you can start setting up the VPN, you’re going to need to set up your Raspberry Pi. It’s best to set up the Pi with a case and a decent-size memory card; 16GB is more than enough. If possible, connect your Pi to your router with an Ethernet cable. It’ll minimize network delays and saves you from configuring Wi-Fi on a headless box.

Install Raspbian

The best operating system to use on your Pi is Raspbian. It’s the default choice put out by the Raspberry Pi foundation, and it’s based on Debian, one of the most secure and stable Linux distributions available.

Go to the Raspbian download page, and grab the latest version. You can use the “Lite” version here, because you don’t actually need a graphical desktop.

While that’s downloading, get the latest version of Etcher for your operating system. After the download completes, extract the Raspbian image. Then, open Etcher. Select the Raspbian image from where you extracted it. Select your SD card (insert it first). Finally, write the image to the card.

Leave the SD card in your computer when it’s done. Open up a file manager and browse to the card. You should see a couple of different partitions. Look for the “boot” partition. It’s the one with a “kernel.img” file in it. Create an empty text file on the “boot” partition, and call it “ssh” with no file extension.

You can finally connect up your Pi. Make sure that you plug it in last. You’re not going to need a screen, keyboard, or mouse. You’re going to remotely access the Raspberry Pi over your network.

Give the Pi a few minutes to set itself up. Then, open a web browser and navigate to your router’s management screen. Find the Raspberry Pi and note its IP address.

Whether you’re on Windows, Linux, or Mac, open a terminal and connect to the Raspberry Pi with OpenSSH.

$ ssh pi@<pi-ip-address>

Obviously, use the actual IP address of the Pi in place of the placeholder. On a fresh Raspbian image the username is pi and the password is raspberry. Change that password right away with the passwd command: every Raspberry Pi ships with the same credentials, and this one is about to become a gateway into your home network.

Set Up OpenVPN

OpenVPN isn’t exactly simple to set up as a server. The good news is, you only need to do it once. So, before you dig in, make sure that Raspbian is completely up to date.

$ sudo apt update
$ sudo apt upgrade

After the update finishes, install OpenVPN and the certificate utility that you need. On Raspbian Stretch this pulls in the Easy-RSA 2 scripts (build-ca, build-key-server and friends) that the rest of this guide uses; Easy-RSA 3 has a different workflow.

$ sudo apt install openvpn easy-rsa

Certificate Authority

In order to authenticate your devices when they try to connect to the server, you need to set up a certificate authority (CA) that signs a certificate for the server and for each client. The server only accepts clients whose certificate was signed by your CA, so only your devices will be able to connect to your home network.

First, create a directory for your certificates. Move into that directory.

$ sudo make-cadir /etc/openvpn/certs
$ cd /etc/openvpn/certs

Look around for the OpenSSL configuration files. Then link the newest one to openssl.cnf so the Easy-RSA scripts find it.

$ ls | grep -i openssl
$ sudo ln -s openssl-1.0.0.cnf openssl.cnf

In that same “certs” folder is a file called “vars.” Open that file up with your text editor. Nano is the default, but feel free to install Vim, if you’re more comfortable with it.

Edit the Vars File

Find the KEY_SIZE variable first. It’s set to 2048 by default. Change it to 4096.

export KEY_SIZE=4096

The main block that you need to deal with establishes information about your certificate authority. It helps if this info is accurate, but anything that you can remember is fine.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="HomeVPN"

When you have everything, save and exit.

That Easy-RSA package that you installed before contains a lot of scripts that help to set up everything that you need. You just need to run them. They read the variables from “vars,” so the file has to be sourced in the same shell that runs the scripts. That does not work with sudo in front of it (source is a shell builtin, not a program, and sudo resets the environment anyway), so open a root shell for the rest of the certificate steps and source the file there.

$ sudo -s
# cd /etc/openvpn/certs
# source ./vars

Next, clean up the keys directory. You don’t have any keys yet, so don’t worry about the message telling you that your keys will be deleted.

# ./clean-all

Create Certificate Authority

Finally, build your certificate authority. It prompts for the same fields you put in vars, so you can just press Enter to accept each default. build-ca doesn’t ask for a passphrase or a confirmation; when it returns, the CA certificate and its private key are in /etc/openvpn/certs/keys as ca.crt and ca.key. ca.key is the crown jewel of this setup: anyone holding it can mint certificates that your server will accept, so it stays on the Pi and nowhere else.

# ./build-ca

Make Some Keys

Build The Server Key

You went through all that trouble to set up a certificate authority so you can sign certificates. Now, it’s time to make some. Start with the server’s key and certificate, still in the root shell where you sourced vars. Accept the defaults for the name fields, leave the optional “challenge password” empty (it is not a passphrase for the key, and a non-empty value only complicates things), and answer y to both the “Sign the certificate?” and “commit?” questions at the end.

# ./build-key-server server

Build Diffie-Hellman

Next, build the Diffie-Hellman parameters. OpenVPN uses them for the DHE key exchange that gives every client session fresh keys, so a later compromise of the server’s private key doesn’t expose recorded traffic. Generating 4096-bit parameters is slow on a Pi; expect it to take a long time, and don’t interrupt it. Note the -out option: a shell redirection like “> /etc/openvpn/dh4096.pem” would be performed by your unprivileged shell, not by sudo, and fail with “Permission denied.”

$ sudo openssl dhparam -out /etc/openvpn/dh4096.pem 4096

The last key that you need for now is the tls-auth key, a shared secret for an HMAC. OpenVPN uses it to sign every TLS control-channel packet, so a packet that doesn’t carry a valid HMAC is dropped before the TLS handshake even starts. That hides the server from port scanners and blunts denial-of-service attempts and attacks on the TLS stack, because an attacker without the key can’t get past the first packet.

$ sudo openvpn --genkey --secret /etc/openvpn/certs/keys/ta.key

Server Configuration

You have the keys. The next piece in setting up OpenVPN is the server configuration itself. Thankfully, there isn’t all that much that you need to do here. Debian provides a base configuration that you can use to get started, so begin by unpacking that file into place. As with the DH parameters, the redirection has to run as root, which is why the whole command is handed to a root shell:

$ sudo sh -c 'gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf'

Use your text editor again to open up /etc/openvpn/server.conf. The first things you need to find are the ca, cert, and key lines. Point them at the actual locations of the files that you created, which are all in /etc/openvpn/certs/keys.

OpenVPN Server Config Keys

ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key  # This file should be kept secret

Find the dh setting, and change it to match the Diffie-Hellman .pem that you created. The systemd unit starts OpenVPN with /etc/openvpn as its working directory, so a bare file name works, but the full path is less fragile.

dh /etc/openvpn/dh4096.pem

Set the path for your HMAC key too.

tls-auth /etc/openvpn/certs/keys/ta.key 0

Find the cipher line and make sure it matches the example below. This is the data-channel cipher. On OpenVPN 2.4 (what Raspbian Stretch ships) a 2.4 client and server will quietly negotiate AES-256-GCM instead, which is fine; this line is what older clients fall back to.

cipher AES-256-CBC

The next couple of options are there, but they’re commented out with a ;. Remove the semicolons in front of each option to enable them. The first one tells every client to send all of its traffic through the tunnel; the second pair hands clients DNS servers to use while connected (OpenDNS here; any resolver you trust will do).

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

One caveat the sample config doesn’t spell out: redirecting the gateway only makes the client send its packets to the Pi. For them to go anywhere from there, the Pi has to forward them (net.ipv4.ip_forward=1 in /etc/sysctl.conf) and either NAT them out of its Ethernet interface with an iptables MASQUERADE rule or have your router route the 10.8.0.0/24 VPN subnet back to the Pi. Without one of those, the tunnel will come up but nothing behind it will be reachable.

Look for the user and group options. Uncomment them, and change the user to “openvpn.”

user openvpn
group nogroup

Finally, these last two lines aren’t in the default configuration. You’ll need to add them at the end of the file.

OpenVPN Server Config Auth

Set the authentication digest. This is the HMAC that authenticates every data-channel packet (and the tls-auth packets); the default is SHA1, and SHA512 is a stronger choice.

# Authentication Digest
auth SHA512

Then, limit the cipher suites that OpenVPN may use for the TLS control channel to stronger ones. This keeps a downgrade to a weak suite off the table.

# Limit Ciphers
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

That’s all for configuration. Save the file and exit.

Start The Server

Before you can start up the server, you need to make that openvpn user that you specified.

$ sudo adduser --system --shell /usr/sbin/nologin --no-create-home openvpn

It’s a special user just for running OpenVPN, and it won’t do anything else.

Now, start up the server. The openvpn@ template unit takes the name of a .conf file in /etc/openvpn, so openvpn@server runs /etc/openvpn/server.conf.

$ sudo systemctl start openvpn
$ sudo systemctl start openvpn@server

Check that they’re both running.

$ sudo systemctl status openvpn*.service

If the server unit shows “failed,” read the openvpn@server unit’s log with journalctl; a wrong path in server.conf or a missing openvpn user are the usual causes. If everything looks good, enable them at startup.

$ sudo systemctl enable openvpn
$ sudo systemctl enable openvpn@server

Client Setup

Your server is now set up and running. Next, you need to set up your client configuration. This is the configuration that you’ll use to connect your devices to your server. Return to the certs folder, in a root shell with vars sourced, and build the client key(s). Build a separate key for each device rather than one shared key: OpenVPN refuses a second simultaneous connection with the same certificate name unless you add duplicate-cn to the server config, and with one shared key you can’t revoke a lost phone without cutting off every other device. If you want the key on a laptop protected by a passphrase, Easy-RSA’s build-key-pass script does the same thing but prompts for one.

# cd /etc/openvpn/certs
# source ./vars
# ./build-key client

The process is almost identical to the server one, so follow the same procedure: accept the defaults, leave the challenge password blank, and answer y to sign and commit. Use a descriptive name instead of “client” if you build one per device; the name is offered as the certificate’s Common Name and becomes the file name under keys/.

Client Configuration

The configuration for clients is very similar to the one for the server. Again, you have a pre-made template to base your configuration on. You only need to modify it to match the server.

Change into the client directory. Then, copy the sample configuration there under a new name.

$ cd /etc/openvpn/client
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client/client.ovpn

Open up the client.ovpn file with your text editor. Then, find the remote option. Assuming you’re not already using a VPN, Google search “What is my IP.” Take the address that it displays, and set the remote IP address to it. Leave the port number. Most home connections get a dynamic public address that changes now and then; if yours does, register a dynamic DNS name for it and put that name on the remote line instead of the raw address, or you’ll be locked out the first time it changes.

remote 107.150.28.83 1194 #That IP ironically is a VPN

OpenVPN Client Config Keys

Change the certs to reflect the ones you created, just like you did with the server.

ca ca.crt
cert client.crt
key client.key

Find the user options, and uncomment them. It’s fine to run the clients as nobody.

user nobody
group nogroup

Uncomment the tls-auth option for HMAC.

tls-auth ta.key 1

OpenVPN Client Ciphers

Next, look for the cipher option and make sure that it matches the server.

cipher AES-256-CBC

Then, just add the authentication digest and cipher restrictions at the bottom of the file.

# Authentication Digest
auth SHA512

# Cipher Restrictions
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
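The cipher, auth and tls-cipher lines have to agree between server.conf and client.ovpn, and tls-auth takes direction 0 on the server and 1 on the client. As an added example (not part of the original post), here is a small POSIX shell script that reads both files and reports every mismatch, including a tls-auth line that was never uncommented. The server.conf and .ovpn files that write_samples creates are constructed for the demo, and vpn.example.invalid is a placeholder host.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check a server.conf against
# a client .ovpn for the settings this tutorial says must agree. Works on the
# plain "option value" form used here (not on inline <ca>/<cert> blocks).

# ovpn_opt <option> <file>: print the option's value, ignoring lines that are
# commented out with ';' or '#' and any trailing inline comment.
ovpn_opt() {
    awk -v key="$1" '
        /^[ \t]*[;#]/ { next }
        { sub(/[ \t]+[#;].*$/, "") }
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$2"
}

# check_ovpn_pair <server.conf> <client.ovpn>: returns 0 if consistent,
# 1 after printing every mismatch.
# On the Pi: check_ovpn_pair /etc/openvpn/server.conf /etc/openvpn/client/client.ovpn
check_ovpn_pair() {
    server="$1"; client="$2"; rc=0
    for opt in cipher auth tls-cipher; do
        s=$(ovpn_opt "$opt" "$server")
        c=$(ovpn_opt "$opt" "$client")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH $opt: server='$s' client='$c'"
            rc=1
        fi
    done
    # tls-auth must be present on both sides, direction 0 on the server
    # and 1 on the client; a still-commented ';tls-auth' line reads as absent.
    sdir=$(ovpn_opt tls-auth "$server" | awk '{ print $2 }')
    cdir=$(ovpn_opt tls-auth "$client" | awk '{ print $2 }')
    if [ "$sdir" != "0" ] || [ "$cdir" != "1" ]; then
        echo "MISMATCH tls-auth: server direction='$sdir' client direction='$cdir' (want 0 and 1)"
        rc=1
    fi
    return $rc
}

# Constructed sample configs for a stand-alone run; the host is a placeholder.
write_samples() {
    dir="$1"
    cat > "$dir/server.conf" <<'EOF'
port 1194
proto udp
ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key  # This file should be kept secret
dh /etc/openvpn/dh4096.pem
tls-auth /etc/openvpn/certs/keys/ta.key 0
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
EOF
    # Client edited the way the tutorial describes.
    cat > "$dir/client-ok.ovpn" <<'EOF'
client
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
EOF
    # Client still carrying the sample defaults: tls-auth commented out,
    # auth never added (so it stays at OpenVPN's default), tls-cipher unset.
    cat > "$dir/client-bad.ovpn" <<'EOF'
client
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
;tls-auth ta.key 1
cipher AES-256-CBC
EOF
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
check_ovpn_pair "$SAMPLES/server.conf" "$SAMPLES/client-ok.ovpn" && echo "client-ok.ovpn: consistent with server.conf"
check_ovpn_pair "$SAMPLES/server.conf" "$SAMPLES/client-bad.ovpn" || echo "client-bad.ovpn: fix the lines above before connecting"
```

The parser deliberately treats a commented-out option as absent rather than reading through the semicolon, because that is exactly the mistake the check is meant to catch; run it on the Pi against the real server.conf and client.ovpn before packing the tarball.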

When everything looks right, save the file and exit. Use tar to pack up the configuration and the certs, so you can send them over to the client. Each -C switches the directory the following names are taken from, so the archive picks up the four key files from certs/keys and client.ovpn from the client directory.

$ sudo tar cJf /etc/openvpn/client/client.tar.xz -C /etc/openvpn/certs/keys ca.crt client.crt client.key ta.key -C /etc/openvpn/client client.ovpn

Transfer that package to the client over an encrypted channel or by hand: scp/SFTP from the Pi, or a USB drive. Not plain FTP and not e-mail; the archive contains the client’s private key, which is the only thing standing between a stranger and your network.
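An alternative to the tarball, added here as an example rather than taken from the original post: a single .ovpn with the CA certificate, client certificate, client key and tls-auth key inlined in <ca>, <cert>, <key> and <tls-auth> blocks. The Android and Windows clients import such a file directly, and it makes one-file-per-device bundles easy, which is what you want if you build a separate key for each client. The script assumes the Easy-RSA 2 keys directory layout from this tutorial (ca.crt, <name>.crt, <name>.key, ta.key), strips the text dump Easy-RSA prepends to .crt files so only the PEM is inlined, and turns on remote-cert-tls server, which the sample client config leaves commented out; that option makes the client refuse any certificate that wasn’t issued as a server certificate by build-key-server. The placeholder files written by make_demo_keys are constructed and contain no real key material.

```shell
#!/bin/sh
# Added example, not from the original post: emit one self-contained .ovpn
# per client with the PEM material inlined. Assumes the Easy-RSA 2 layout
# used in this tutorial: <keys>/ca.crt, <keys>/<name>.crt, <keys>/<name>.key,
# <keys>/ta.key. Host name and client name are whatever you pass in.

# Print only the PEM block(s) of a file; Easy-RSA 2 prepends a human-readable
# certificate dump to .crt files and an inline block should hold PEM only.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# emit_inline_ovpn <client-name> <keys-dir> <server-host> [port]
# Writes the finished config to stdout; returns 1 if any input file is missing.
emit_inline_ovpn() {
    name="$1"; keys="$2"; host="$3"; port="${4:-1194}"
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    # Same settings the tutorial puts in client.ovpn, plus remote-cert-tls.
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
verb 3
key-direction 1
EOF
    # An inline <tls-auth> block cannot carry the direction argument, hence
    # key-direction 1 above (the server side uses 0).
    for pair in "ca:ca.crt" "cert:$name.crt" "key:$name.key" "tls-auth:ta.key"; do
        tag=${pair%%:*}; file=${pair#*:}
        echo "<$tag>"
        pem_only "$keys/$file"
        echo "</$tag>"
    done
}

# Constructed placeholder files for a stand-alone run. They are NOT real
# certificates or keys; they only imitate the shape of Easy-RSA 2 output.
make_demo_keys() {
    d="$1"
    printf '%s\n' 'Certificate:' '    Data: (Easy-RSA text dump)' \
        '-----BEGIN CERTIFICATE-----' 'DEMO-CA' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (Easy-RSA text dump)' \
        '-----BEGIN CERTIFICATE-----' 'DEMO-CLIENT' '-----END CERTIFICATE-----' > "$d/phone.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'DEMO-KEY' '-----END PRIVATE KEY-----' > "$d/phone.key"
    printf '%s\n' '# 2048 bit OpenVPN static key' \
        '-----BEGIN OpenVPN Static key V1-----' 'DEMO-TA' '-----END OpenVPN Static key V1-----' > "$d/ta.key"
}

DEMO=$(mktemp -d)
make_demo_keys "$DEMO"
emit_inline_ovpn phone "$DEMO" vpn.example.invalid > "$DEMO/phone.ovpn"
echo "wrote $DEMO/phone.ovpn"
```

On the Pi this runs as root, because the .key files under keys/ are readable only by root; the resulting .ovpn is as sensitive as the key it embeds, so move it the same way as the tarball (scp/SFTP or a USB drive) and delete it from the Pi afterwards.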

Port Forwarding

In order for any of this to work, you need to configure your router to forward incoming VPN traffic to the Pi. The sample config listens on UDP port 1194, so that’s the port and protocol to forward. If you’re already using a VPN, you need to make sure that you aren’t connecting on the same port. If you are, change the port on your client and server configurations.

Connect to your router’s web interface by typing in its IP address on your browser.

Every router is different. Even so, they all should have some form of this functionality. Find it on your router.

The setup is basically the same on every router. Enter the start and end ports. They should be the same as each other and the one that you set in your configurations. Then, for the IP address, set that to your Raspberry Pi’s IP. Save your changes.

Connect The Client

Every client is different, so there isn’t a universal solution. If you’re on Windows, you’ll need the Windows OpenVPN client.

On Android, you can open up your tarball, and transfer the keys onto your phone. Then, install the OpenVPN app. Open up the app, and plug in the information from your configuration file. Then select your keys.

On Linux, you need to install OpenVPN a lot like you did for the server.

$ sudo apt install openvpn

Then, change into /etc/openvpn, and unpack the tarball that you sent over.

$ cd /etc/openvpn
$ sudo tar xJf /path/to/client.tar.xz

Rename the client file.

$ sudo mv client.ovpn client.conf

If port forwarding isn’t configured on your router yet, do not start the client; it will fail. Once it is, start the openvpn@client unit with systemctl, exactly as you started openvpn@server on the Pi (the unit name follows the .conf file name).

Closing Thoughts

You should now have a working setup. Your client will connect through your router to the Pi, and from there it can reach your home network and, with the redirect-gateway push, the Internet, as long as the Pi forwards the traffic. The sample server config hands clients addresses from 10.8.0.0/24, so there is room for far more devices than a home will ever need; give each its own key and connect all of them to the Pi VPN.

One thought on “Turn A Raspberry Pi Into A VPN To Access Your Network From Anywhere”

Steve Wozniak ? says:
openvpn@server.service fails. Where should I look?

— The result is failed.
May 22 11:43:58 rpi systemd[1]: openvpn@server.service: Unit entered failed stat
May 22 11:43:58 rpi systemd[1]: openvpn@server.service: Failed with result ‘exit
May 22 11:43:58 rpi sudo[4547]: pam_unix(sudo:session): session closed for user

