Install a personal VPN server with OpenVPN.
Last update: 2021.04.10
Having a personal Virtual Private Network (VPN) server can be useful. When traveling, I connect to my VPN server at home to encrypt my traffic when browsing from hotel and other public networks, or to watch live TV streams that require an IP address from my country. Setting up a VPN server is quite easy. For this project, I am using OpenVPN.
First, update the system
sudo apt-get update && sudo apt-get upgrade -y
Install OpenVPN and OpenSSL
sudo apt-get install openvpn openssl
Then disable the OpenVPN service for now (it will be restarted at the end, once it is configured)
sudo update-rc.d openvpn disable
Copy the easy-rsa scripts into the OpenVPN configuration directory
sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
Open the following config file for editing
sudo nano /etc/openvpn/easy-rsa/vars
Find
export EASY_RSA="`pwd`"
And replace with
export EASY_RSA="/etc/openvpn/easy-rsa"
Set the key size to 2048. That is good enough for a Raspberry Pi 3 or 4 (1024 for less security or 4096 for more security)
export KEY_SIZE=2048
Change directory
cd /etc/openvpn/easy-rsa
Type the three commands below
sudo su
source vars
ln -s openssl-1.0.0.cnf openssl.cnf
If you see an error message saying that some files are not found, copy the OpenSSL configuration file that ships with your version of easy-rsa to openssl.cnf (both commands below write the same destination file, so use the one whose source file exists on your system)
sudo cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
sudo cp /etc/openvpn/easy-rsa/openssl-easyrsa.cnf /etc/openvpn/easy-rsa/openssl.cnf
Now, we can create keys
Note: If you intend to connect from multiple devices, such as a tablet, a mobile phone and a laptop, it is advised to create a different key for each device.
./clean-all
./build-ca OpenVPN
You will be asked to enter some information. Enter the two letters identifying your country (US=USA; FR=France; DE=Germany; etc.). The other fields are optional: you can fill them in or leave them blank and press the return key.
Now, create a key for the server
./build-key-server server
Then, create a key for the client. Give it a name of your choice
./build-key-pass name_of_your_choice
You will be asked to set a password
Finally, type the command below to generate the Diffie-Hellman parameters file
./build-dh
Then
exit
Now, create a configuration file for the server
sudo nano /etc/openvpn/openvpn.conf
With the following (1194 is the default port)
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
# DNS servers provided by OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
log-append /var/log/openvpn
persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
client-to-client
comp-lzo
ifconfig-pool-persist /etc/openvpn/ipp.txt
Change directory with sudo su
sudo su
cd /etc/openvpn/easy-rsa/keys
And create a configuration file for the client
nano name_of_your_choice.ovpn
With the following. Make sure you have correctly adjusted remote, cert and key according to your settings.
Note: After "remote", use an IP address or a domain name as needed.
dev tun
client
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert name_of_your_choice.crt
key name_of_your_choice.key
comp-lzo
verb 3
Now you can zip the files you will need to install on your client. Install zip first if you don’t have it already installed
apt-get install zip
Then
zip /home/USER/name_of_your_choice.zip ca.crt name_of_your_choice.crt name_of_your_choice.key name_of_your_choice.ovpn
Change ownership (again, adjust as needed)
chown USER:USER /home/USER/name_of_your_choice.zip
Finally
exit
Almost done. To access your local network from the VPN, the server needs to forward and NAT the clients' traffic. Create a file with
sudo nano /etc/init.d/rpivpn
Add the following
#! /bin/sh
### BEGIN INIT INFO
# Provides: rpivpn
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: VPN initialization script
### END INIT INFO
# Enable IPv4 forwarding (init scripts already run as root)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Accept packets arriving from the tunnel and allow them to be forwarded
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
# Let replies to forwarded connections come back through
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Clear previous NAT rules, then masquerade the VPN subnet behind eth0
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Then
sudo chmod +x /etc/init.d/rpivpn
sudo update-rc.d rpivpn defaults
Now execute and restart
sudo /etc/init.d/rpivpn
sudo /etc/init.d/openvpn restart
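As an added check (example code, not part of the original post), here is a small Python script that parses the server configuration above the way OpenVPN reads it, confirms that the server subnet matches the MASQUERADE rule in the rpivpn script, and flags a few settings worth reconsidering. The embedded config and the NAT_SOURCE value are constructed copies of what this post uses.

```python
import ipaddress
import shlex

# Constructed copy of the server config from this post (only the lines the checks use).
SERVER_CONF = """\
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
# DNS servers provided by OpenDNS
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
user nobody
group nogroup
comp-lzo
"""
# Source network of the MASQUERADE rule in the rpivpn script above.
NAT_SOURCE = "10.8.0.0/24"

def parse_openvpn(text):
    """Return (directive, args) pairs; lines starting with '#' or ';' are comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)  # keeps the quoted push "..." argument together
            entries.append((parts[0], parts[1:]))
    return entries

def check_server_conf(text, nat_source):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_openvpn(text)
    present = {directive for directive, _ in conf}
    findings = []
    for directive, args in conf:
        # The 'server' network must be the one the NAT rule masquerades, otherwise
        # client packets leave eth0 with a source address nothing routes back to.
        if directive == "server" and len(args) >= 2:
            vpn_net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            if vpn_net != ipaddress.ip_network(nat_source):
                findings.append(f"NAT source {nat_source} does not match VPN subnet {vpn_net}")
    if not {"user", "group"} <= present:
        findings.append("no user/group: the daemon keeps root privileges after start-up")
    if "comp-lzo" in present:
        findings.append("comp-lzo: OpenVPN deprecates compression, drop it")
    if not present & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control-channel packets are not HMAC-authenticated")
    return findings
```

Run it against your real /etc/openvpn/openvpn.conf and the subnet in your own rpivpn script; the two findings it reports on this post's config are the ones to think about before exposing the server to the Internet.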
That’s it. Now install the files you have generated earlier to your client (laptop, tablet or mobile phone) and try to connect to your VPN server.
Note: If you have a firewall such as UFW, make sure you allow port 1194/udp.
One last thing: I don't need my VPN server running all the time, so I have created three little scripts that I can run anytime from my device to start or stop the server. The third one gives me the status.
Start script
#!/bin/sh
sudo service openvpn start
Stop script
#!/bin/sh
sudo service openvpn stop
Status script
#!/bin/sh
ifconfig tun0
service openvpn status
Voilà!