Connect easily to your home network over a secure OpenVPN connection.
- Raspberry Pi with Raspbian OS installed (In this guide I'm using a Raspberry Pi 3)
I'm assuming you've already installed Raspbian OS on your Raspberry pi, if you haven't you can find the instructions on how to do this at raspberrypi.org.
Note: Username and password
For Raspbian the default username is
pi and the default password is
Enabling SSH access
You can enable ssh access to your raspberry pi (if installed with Raspbian OS) with the following steps:
- Go to "Interfacing options"
- Select P2 SSH
- Select to enable the SSH server if not already enabled
Make sure to change your
pi user password with the
sudo raspi-config command before or directly after walking through this guide as you are exposing the Raspberry Pi to the internet when opening up a port for the OpenVPN server. And use a strong password that you can remember.
Install your Raspberry pi
To run and manage a PiVPN server (OpenVPN) is a really simple and easy experience. Installing and setting up is just running the install script and following the instructions.
To install PiVPN run the following command (The command will download the script located at install.pivpn.io and run it, to check out what command is run go to install.pivpn.io).
curl -L https://install.pivpn.io | bash
This will run you through a setup guide.
First is two confirmation windows where you'll only have to accept the information being displayed.
Next up is setting up the local IP configuration for your PiVPN server. Here you can select to set the current IP address as a static address for the Pi.
Thera are a few different roads you may choose to go here, I've chosen to go with the easiest one by setting a static IP (managed by the Pi itself) and set my router to reserve this IP for the Pi given the Pi's network address (MAC).
Next you'll select which user on the Pi that the created OVPN profiles will be saves to. In my case I only have the original
pi visible in the list as I've not created another user since installing the Pi.
Here you can go on and just select the
pi user or quit the setup guide and create a custom user to use as profile storage.
The next step is where you'll be selecting whether to turn on unattended updates or not. As your Pi will be exposed to the internet I strongly suggest, as does the setup gide, to turn on unattended updates as otherwise you will probably forget to update your Pi.
As a precaution I've also setup a cronjob that automatically reboots my Pi every month at midnight to ensure that all updates are installed and active.
Next up is selecting UDP or TCP protocol for when you connect to the VPN. This step affects which type of port forwarding you should be opening up for in your router.
A super short description about the main difference is:
- TCP - More reliable, usually slower speeds
- UDP - Less reliable, usually faster speeds
For a more detailed explanation of which protocol you should use you can head over to a short article by BestVPN.
I went ahead and selected UDP.
Next is selecting which port you want to open up for the VPN connection. I suggest selecting a different port than the standard port as standard ports are easier to find for a third-party and can easily be detected with a targeted port scan. Changing the port makes it a little bit harder to be noticed in a port scan but will still show up on a wide-range port scan.
I went ahead and selected a non-standard port for my VPN connection. I also suggest checking out the Wikipedia list of TCP and UDP port numbers to check that you are not selecting a reserved port. Usually anything above 10000 is mostly safe to select from but I'd usually go above 30000 if selecting a port at random.
Confirm the selected port
If you are using the desktop OpenVPN client and/or the OpenVPN client for Android/iOS you can go ahead and select "Yes" here to enable the new 2.4 features.
Otherwise choose "No"
Selecting the security level depends on your paranoid level. I'd go for the recommended one but if you feel you need to bump it higher you can do so. Higher bit-count means slower but stronger encryption.
For the next step I'd suggest going with "DNS Entry" if you do not have a static IP facing the internet. I would recommend using a free dynamic DNS service such as DuckDNS as it's easy to setup and manage.
If you have a static IP or no way of setting up a dynamic DNS service you can go with the IP choice.
If you did as I did and selected the "DNS Entry" as your choice you'll enter the domain name that you want the end user, probably yourself, to connect to.
Confirm your settings and make sure that they are correct.
Here you may select a DNS provider for your clients. I went ahead and selected "Custom" and entered "126.96.36.199, 188.8.131.52" as DNS endpoints which is a privacy-first DNS endpoint.
If you are just looking for a quick way of setting up and you like the Google DNS service you can just go ahead with the default option or select one of the other pre-defined ones in the list.
A short information window about how to add your first user.
Select to reboot your Pi before adding your first user.
Confirmation window after selecting "Yes" to reboot.
Now we'll be adding your first user! Run the previously mentioned
pivpn add command, enter the name of your new user (this will be your username). And then enter and confirm a strong password for your new user.
The connection configuration for your new user, which also contains all certificates, will be generated and put into the
/home/pi/ovpns folder (if you've selected to store the configurations in the pi user folder).
Download generated certificate
I use FileZilla to make an ssh over FTP connection to download the file from the
ovpn folder. Below is example settings for connecting to your Pi through SFTP.
Protocol: SFTP Host: <ip of your Pi> User: pi Password: <your pi password>
Install OpenVPN Client
Head over to OpenVPN.net to download and install your client. If you need to install the client on the phone you can download it either from the App store for either Android or iOS.
Copy the certificate for desktop
You should copy your certificate to the
%userprofile%\openvpn\config path (usually something like c:\users\myusername\openvpn\config).