OpenVPN on Raspberry Pi
So summer is coming and I am planning to be away as much as possible.
But I need a door in to my server at home for some work. When I'm off I will only have a 3G/4G connection, so it's much nicer to work against my server at home on a stable 100 line.
So to make this possible I installed an OpenVPN server on my Pi sitting in my closet.
THIS CONFIG SENDS ALL TRAFFIC THROUGH THE VPN, so beware 🙂
Installing OpenVPN
apt-get install openvpn openssl
Setting up the keys used for the VPN
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
cd easy-rsa/
Open the file vars and enter your settings at the bottom
export KEY_COUNTRY="SE"
export KEY_PROVINCE="ST"
export KEY_CITY="Stockholm"
export KEY_ORG="Elino"
export KEY_EMAIL="matte@elino.se"
export KEY_EMAIL=matte@elino.se
export KEY_CN=elino.no-ip.org
export KEY_NAME=mepi
export KEY_OU=mepi
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
Make a new symlink to the config file
ln -s openssl-1.0.0.cnf openssl.cnf
OK, ready to make some certs. First load the vars and clean all certs (only clean the first time, because it deletes all certs).
source vars
./clean-all
./build-ca openvpn
./build-key-server server
./build-dh
openvpn --genkey --secret ta.key
Installing the certs
cd keys
cp server.crt server.key ca.crt ../ta.key dh1024.pem /etc/openvpn/
Set up the OpenVPN config
Create the file /etc/openvpn/server.conf and paste the following into it
dev tun
proto udp
port 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
user nobody
tls-auth ta.key 0
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
# Set the DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
Restart the VPN server
/etc/init.d/openvpn restart
Look in the log file (/var/log/openvpn) to see that the server started, and run ifconfig to make sure you have a tun device.
Now we must enable traffic forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to [IP address of the rpi]
Make sure this command is run again if you restart your Pi.
Making some clients for the server
First let's make some certs to use.
cd /etc/openvpn/easy-rsa/
source vars
./build-key mahe
Copy the certs needed
mkdir /etc/openvpn/clients
mkdir /etc/openvpn/clients/mahe
cd keys
cp mahe.crt mahe.key ca.crt ../ta.key /etc/openvpn/clients/mahe/
Make a client config file named /etc/openvpn/clients/mahe/client.conf (if used on Windows, call the file client.ovpn)
dev tun
client
proto udp
remote YOUR.RASPBERRYPI.IPADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert mahe.crt
key mahe.key
tls-auth ta.key 1
comp-lzo
verb 3
Now you can copy the mahe folder to your laptop and, to connect, run the command below from the mahe folder. If you make new certs and call them user, you must adapt this how-to and the config to use the correct certs.
sudo openvpn --config client.conf
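Copying the mahe folder means moving the private key mahe.key together with three other files. As an added example (not part of the original post), the script below merges that folder into a single owner-only profile using OpenVPN's inline file blocks and key-direction; the function name make_inline_profile and the NAME.ovpn output name are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post: merge a client folder
# (client.conf, ca.crt, NAME.crt, NAME.key, ta.key) into one NAME.ovpn.
# make_inline_profile and the NAME.ovpn output name are assumptions.

make_inline_profile() {
    dir=$1
    name=$2
    out="$dir/$name.ovpn"

    # Refuse to build a partial profile.
    [ -s "$dir/client.conf" ] || { echo "missing: $dir/client.conf" >&2; return 1; }
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        grep -q -e '-----BEGIN' "$dir/$f" 2>/dev/null ||
            { echo "missing or has no BEGIN block: $dir/$f" >&2; return 1; }
    done

    (
        umask 077        # the profile embeds the private key: owner-only (0600)
        rm -f "$out"     # never reuse an older file with looser permissions
        {
            # Keep every directive except the four that name external files.
            grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$dir/client.conf"
            # "tls-auth ta.key 1" becomes key-direction 1 plus an inline block.
            echo "key-direction 1"
            for pair in "ca:ca.crt" "cert:$name.crt" "key:$name.key" "tls-auth:ta.key"; do
                tag=${pair%%:*}
                file=${pair#*:}
                echo "<$tag>"
                # Copy only the armored block, dropping easy-rsa's text dump.
                sed -n '/-----BEGIN/,/-----END/p' "$dir/$file"
                echo "</$tag>"
            done
        } > "$out"
    ) || return 1
    echo "$out"
}

# Stand-alone use: script.sh /etc/openvpn/clients/mahe mahe
if [ "$#" -eq 2 ]; then
    make_inline_profile "$1" "$2"
fi
```

Run against /etc/openvpn/clients/mahe with the name mahe, it writes mahe.ovpn into that folder; that one file is then all the laptop needs for openvpn --config.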
Make sure you have UDP port 1194 open in your firewall to your Raspberry Pi.
When you see this line in the openvpn client you are connected.
Initialization Sequence Completed
And now you are routing all your traffic through the Raspberry Pi.
Go to http://ip-lookup.net/ and see what public IP you are using.