How to run an OpenVPN server on a Raspberry Pi

Published on Saturday, May 4, 2019

Connect easily to your home network over a secure OpenVPN connection.

Prerequisite

  • Raspberry Pi with Raspbian OS installed (In this guide I'm using a Raspberry Pi 3)

Assumptions

I'm assuming you've already installed Raspbian OS on your Raspberry Pi. If you haven't, you can find instructions on how to do this at raspberrypi.org.

Note: Username and password

For Raspbian the default username is pi and the default password is raspberry.

Enabling SSH access

You can enable SSH access to your Raspberry Pi (if installed with Raspbian OS) with the following steps:

  1. Run sudo raspi-config
  2. Go to "Interfacing options"
  3. Select P2 SSH
  4. Select to enable the SSH server if not already enabled

Recommendations

Make sure to change your pi user password with the sudo raspi-config command before or directly after walking through this guide, as you are exposing the Raspberry Pi to the internet when you open a port for the OpenVPN server. Use a strong password that you can remember.

Install your Raspberry Pi

Running and managing a PiVPN server (OpenVPN) is a simple and easy experience. Installing and setting up is just a matter of running the install script and following the instructions.

To install PiVPN, run the following command. It downloads the script located at install.pivpn.io and runs it; to see what will be run, go to install.pivpn.io.

curl -L https://install.pivpn.io | bash

This will run you through a setup guide.

First are two confirmation windows where you only have to accept the information being displayed.

Welcome screen displaying information

Second information screen

Next up is setting up the local IP configuration for your PiVPN server. Here you can select to set the current IP address as a static address for the Pi.

There are a few different routes you can take here. I've chosen the easiest one: setting a static IP (managed by the Pi itself) and setting my router to reserve this IP for the Pi based on the Pi's network address (MAC).

Confirmation of IP settings for the VPN server

Confirm that static IP may raise conflicts on the network

Next you'll select which user on the Pi the created OVPN profiles will be saved to. In my case I only have the original pi user visible in the list, as I've not created another user since installing the Pi.

Here you can just select the pi user, or quit the setup guide and create a custom user to use as profile storage.

Information about ovpn profile storage

Select a user to store profiles in

The next step is selecting whether to turn on unattended updates. As your Pi will be exposed to the internet I strongly suggest, as does the setup guide, turning on unattended updates, as otherwise you will probably forget to update your Pi.

As a precaution I've also set up a cron job that automatically reboots my Pi every month at midnight to ensure that all updates are installed and active.

Information about unattended updates

Next up is selecting the UDP or TCP protocol for connections to the VPN. This choice determines which protocol you need to set up port forwarding for in your router.

A very short description of the main difference:

  • TCP - More reliable, usually slower speeds
  • UDP - Less reliable, usually faster speeds

For a more detailed explanation of which protocol you should use you can head over to a short article by BestVPN.

I went ahead and selected UDP.

Selection of UDP/TCP protocol

Next is selecting which port to open for the VPN connection. I suggest selecting a port other than the standard one, as standard ports are easier for a third party to find and are easily detected with a targeted port scan. Changing the port makes the service a little harder to notice in a port scan, but it will still show up in a wide-range port scan.

I went ahead and selected a non-standard port for my VPN connection. I also suggest checking the Wikipedia list of TCP and UDP port numbers to make sure you are not selecting a reserved port. Anything above 10000 is mostly safe to select, but I'd usually go above 30000 when selecting a port at random.
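One way to pick such a port on the Pi itself, as an added example that is not part of the original guide: it draws a random port above 30000 and rejects any that has a registered name in /etc/services or is already in use for UDP. The function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): choose a random high port
# for the VPN listener and skip anything with a registered service name.

# Succeeds if PORT appears as PORT/udp or PORT/tcp in a services file.
port_is_registered() {
    _port="$1"
    _svc="${2:-/etc/services}"
    grep -Eq "[[:space:]]${_port}/(udp|tcp)([[:space:]]|#|\$)" "$_svc" 2>/dev/null
}

# Succeeds if something on this host already listens on UDP PORT.
# Treated as free when the ss tool is not installed.
port_in_use() {
    command -v ss >/dev/null 2>&1 || return 1
    ss -lun 2>/dev/null | grep -Eq ":$1[[:space:]]"
}

# Prints a port in 30000-65535 (the range the guide suggests for random
# picks) that is neither registered nor in use; fails after 100 tries.
pick_vpn_port() {
    services_file="${1:-/etc/services}"
    tries=0
    while [ "$tries" -lt 100 ]; do
        # Two bytes from the kernel RNG give a number in 0..65535.
        n=$(od -An -N2 -tu2 /dev/urandom | tr -dc '0-9')
        candidate=$((30000 + n % 35536))
        if ! port_is_registered "$candidate" "$services_file" &&
           ! port_in_use "$candidate"; then
            echo "$candidate"
            return 0
        fi
        tries=$((tries + 1))
    done
    return 1
}
```

Source the file and run pick_vpn_port, then enter the printed number in the port selection window and forward the same port in your router.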

Port selection for VPN connection

Confirm the selected port

Confirmation of port

If you are using the desktop OpenVPN client and/or the OpenVPN client for Android/iOS you can go ahead and select "Yes" here to enable the new 2.4 features.

Otherwise choose "No".

Enabling OpenVPN 2.4 features

Selecting the security level depends on your level of paranoia. I'd go for the recommended one, but if you feel you need to bump it higher you can do so. A higher bit count means slower but stronger encryption.

Selection of encryption level

For the next step I'd suggest going with "DNS Entry" if you do not have a static IP facing the internet. I would recommend using a free dynamic DNS service such as DuckDNS, as it's easy to set up and manage.

If you have a static IP or no way of setting up a dynamic DNS service you can go with the IP choice.

Selecting IP or DNS as connection endpoint

If you did as I did and selected "DNS Entry", you'll enter the domain name that you want the end user, probably yourself, to connect to.

Enter domain name for connection window

Confirm your settings and make sure that they are correct.

Confirmation of DNS settings

Here you may select a DNS provider for your clients. I went ahead and selected "Custom" and entered "1.1.1.1, 1.0.0.1" as DNS endpoints, which are privacy-first DNS endpoints.

If you are just looking for a quick setup and you like the Google DNS service, you can go ahead with the default option or select one of the other pre-defined ones in the list.

Selection of DNS

A short information window about how to add your first user.

Information about how to create the first user with the pivpn add command

Select to reboot your Pi before adding your first user.

Selection to reboot or not

Confirmation window after selecting "Yes" to reboot.

Reboot confirmation window

Second confirmation window

Now we'll be adding your first user! Run the previously mentioned pivpn add command and enter the name of your new user (this will be your username). Then enter and confirm a strong password for your new user.

The connection configuration for your new user, which also contains all certificates, will be generated and put into the /home/pi/ovpns folder (if you've selected to store the configurations in the pi user folder).

Inputs for generating the new user

Screen displaying the information of the newly generated user
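Because the generated profile carries the user's key material, it is worth checking before it is copied off the Pi. The following is an added example, not part of the original guide; it assumes the key is embedded in the .ovpn file as an inline PEM block, and audit_ovpn is a name made up for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): check a generated client
# profile before it leaves the Pi. Assumes the private key is embedded
# inline as a PEM block, since the profile contains all certificates.

# Prints one line per finding; succeeds only when there are none.
audit_ovpn() {
    profile="$1"
    findings=0
    [ -f "$profile" ] || { echo "missing: $profile"; return 2; }

    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ld -- "$profile" | cut -c5-10)" != "------" ]; then
        echo "perms: accessible to users other than the owner"
        findings=$((findings + 1))
    fi

    # PKCS#8 "PRIVATE KEY" is never encrypted; the older RSA/EC PEM form
    # is encrypted only when it carries a Proc-Type: 4,ENCRYPTED header.
    if grep -q -e '-----BEGIN PRIVATE KEY-----' "$profile"; then
        echo "key: private key has no passphrase"
        findings=$((findings + 1))
    elif grep -Eq -e '-----BEGIN (RSA|EC) PRIVATE KEY-----' "$profile" &&
         ! grep -q -e 'Proc-Type: 4,ENCRYPTED' "$profile"; then
        echo "key: private key has no passphrase"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage on the Pi: audit_ovpn /home/pi/ovpns/<name>.ovpn
```

A "perms" finding can be cleared with chmod 600 on the file; a "key" finding means anyone who obtains the file can connect without knowing the password.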

Download generated certificate

I use FileZilla to make an SFTP (file transfer over SSH) connection to download the file from the ovpns folder. Below are example settings for connecting to your Pi through SFTP.

Protocol: SFTP
Host: <ip of your Pi>
User: pi
Password: <your pi password>

Install OpenVPN Client

Head over to OpenVPN.net to download and install your client. If you need the client on your phone, you can download it from the app store for Android or iOS.

Copy the certificate for desktop

You should copy your certificate to the %userprofile%\openvpn\config path (usually something like c:\users\myusername\openvpn\config).
