AlexNogard: IT HowTo


Install OpenVPN on Raspberry PI (Debian Wheezy)


Some time ago I bought a Raspberry Pi, and I had the idea of setting up a VPN on it so I could surf safely in public places :). So I tried OpenVPN, which is an open-source tool. It is based on the OpenSSL library, the private key is shared among peers, it offers a good level of security, and the client is available on multiple platforms. Here's how to install OpenVPN on a Raspberry Pi (Debian Wheezy).

OpenVPN Installation

We will install OpenVPN version 2.3.0 from source (the only version available through apt-get on Debian Wheezy is 2.2.1).
Download and unpack OpenVPN:

# wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.0.tar.gz
# tar xvzf openvpn-2.3.0.tar.gz
# cd openvpn-2.3.0

Install the build dependencies:

# apt-get install libpam0g-dev git
# apt-get install liblzo2-dev

Build and install OpenVPN:

# ./configure
# make
# make install

We download easy-rsa, which is not included in the OpenVPN 2.3 sources:

# cd /root
# git clone https://github.com/OpenVPN/easy-rsa

Create the OpenVPN folder:

# mkdir /etc/openvpn

We copy the files required for key generation, renaming the folder to easy-rsa as we go:

# cp -r /root/easy-rsa/easy-rsa/2.0 /etc/openvpn/easy-rsa
# cd /etc/openvpn/

OpenVPN Configuration

We edit the vars file, which saves time during key generation:

# cd easy-rsa
# vi vars

// Use your parameters :
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="FR"
export KEY_PROVINCE="NPDC"
export KEY_CITY="Lille"
export KEY_ORG="Alexnogard"
export KEY_EMAIL="alexnogard@alexnogard.com"

We clean out any old keys and generate a new key set:

# source ./vars
# ./clean-all
# ./build-dh    # 15-20 mins waiting time
# ./pkitool --initca
# ./pkitool --server myvpn    # creates keys/myvpn.crt and keys/myvpn.key
# openvpn --genkey --secret keys/ta.key
# cp keys/ca.crt keys/ta.key keys/myvpn.crt keys/myvpn.key keys/dh1024.pem /etc/openvpn/

We return to /etc/openvpn and create our configuration file:

# cd /etc/openvpn
# mkdir /etc/openvpn/jail
# mkdir /etc/openvpn/clientconf
# vi myvpn.conf

// we add :

mode server
proto tcp
port 443
dev tun

ca ca.crt
cert myvpn.crt
key myvpn.key
dh dh1024.pem
tls-auth ta.key 0
cipher AES-256-CBC

server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120

user nobody
group nogroup
chroot /etc/openvpn/jail
persist-key
persist-tun
comp-lzo
verb 3
mute 20
status openvpn-status.log
log-append /var/log/openvpn.log
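
An added check, not part of the original post: the function below audits a config file for the hardening directives used in myvpn.conf (privilege drop, chroot, tls-auth, cipher) and reads the DH size from the easy-rsa file name. It also accepts a client profile, where it expects remote-cert-tls; that requirement, the 2048-bit floor and the names has_directive and audit_conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN config
# for the hardening directives this guide's files rely on.

# has_directive FILE NAME: true if NAME starts an uncommented line.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_conf ROLE FILE, ROLE being "server" or "client".
# Prints one finding per line and nothing when every check passes.
audit_conf() {
    role=$1 conf=$2
    # Both ends need the shared HMAC key and an explicit cipher.
    required="tls-auth cipher"
    case $role in
        # The daemon binds port 443 as root, so it must drop
        # privileges and confine itself once it is running.
        server) required="$required user group chroot dh" ;;
        # Assumption of this example: a client should also pin the
        # peer certificate type with remote-cert-tls.
        client) required="$required remote-cert-tls" ;;
    esac
    for d in $required; do
        has_directive "$conf" "$d" || echo "MISSING $d"
    done
    # easy-rsa names the DH file dh<bits>.pem; the 2048-bit floor is
    # this example's threshold.
    bits=$(sed -n 's/^[[:space:]]*dh[[:space:]].*dh\([0-9]\{1,\}\)\.pem.*/\1/p' "$conf")
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WEAK dh $bits"
    fi
    return 0
}

# Constructed sample: the security-relevant lines of myvpn.conf.
sample=$(mktemp)
printf '%s\n' 'proto tcp' 'port 443' 'dh dh1024.pem' 'tls-auth ta.key 0' \
    'cipher AES-256-CBC' 'user nobody' 'group nogroup' \
    'chroot /etc/openvpn/jail' > "$sample"
audit_conf server "$sample"    # prints: WEAK dh 1024
```

Run it as `audit_conf server /etc/openvpn/myvpn.conf` on the Pi; an empty result means every check passed.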

To check that the configuration file and our keys are valid, we run the following command:

# openvpn myvpn.conf

The result should look like this:

[Screenshot: openvpn conf]

Once this is done, we need to enable IP forwarding and create an iptables rule:

# sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# sh -c "iptables-save > /etc/iptables.rules"

We now set ip_forward in the file /etc/sysctl.conf so that it persists across reboots:

# vi /etc/sysctl.conf

// uncomment the following line :

net.ipv4.ip_forward = 1

Then /etc/network/interfaces :

# vi /etc/network/interfaces

// Add the following line after "iface eth0 inet dhcp" :

pre-up iptables-restore < /etc/iptables.rules

We reload sysctl and the network interface:

# sysctl -p
# /etc/init.d/networking reload

OpenVPN version 2.3.0 is now installed on your Raspberry Pi. To use it, we must now create users and their certificates.

Client creation :

Each client needs a certificate to work with OpenVPN.
On one side we have the client-side key, on the other side the server certificate. We will create a certificate for our Android phone ;):

# cd /etc/openvpn/easy-rsa
# source vars
# ./build-key androalexnogard

We export our three files created with the help of the build-key command:

# mkdir /etc/openvpn/clientconf/androalexnogard
# cp /etc/openvpn/ca.crt /etc/openvpn/ta.key /etc/openvpn/easy-rsa/keys/androalexnogard.key /etc/openvpn/easy-rsa/keys/androalexnogard.crt /etc/openvpn/clientconf/androalexnogard/

Then create a configuration file that will be loaded by the OpenVPN client. Name it with the extension *.conf for clients on Linux / Mac, or *.ovpn for Windows / Android.

# vim /etc/openvpn/clientconf/androalexnogard/myconf.ovpn

// add following lines :

client
dev tun
proto tcp-client
# your public IP here
remote 0.0.0.0 443
resolv-retry infinite
cipher AES-256-CBC

ca ca.crt
cert androalexnogard.crt
key androalexnogard.key
tls-auth ta.key 1
nobind
persist-key
persist-tun
comp-lzo
verb 3

All that remains is to fetch these configuration files and import them into your OpenVPN client!
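
Moving four separate files plus myconf.ovpn to a phone is error-prone, so here is an added example (not from the original post) that merges them into a single profile using OpenVPN's inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks. The function names, the output file name and the 203.0.113.10 address are assumptions of this example; the directives are the ones from myconf.ovpn above.

```shell
#!/bin/sh
# Added example: build one self-contained client profile from the
# directives of myconf.ovpn and the four files copied to clientconf/.

# emit_block TAG FILE: wrap FILE in an OpenVPN inline <TAG> element.
emit_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_inline_profile DIR CLIENT HOST PORT OUT
# DIR must hold ca.crt, ta.key, CLIENT.crt and CLIENT.key.
make_inline_profile() {
    dir=$1 client=$2 host=$3 port=$4 out=$5
    for f in ca.crt ta.key "$client.crt" "$client.key"; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # The profile embeds the private key: create it owner-only.
    (
        umask 077
        rm -f "$out"
        {
            printf '%s\n' client 'dev tun' 'proto tcp-client' \
                "remote $host $port" 'resolv-retry infinite' \
                'cipher AES-256-CBC' nobind persist-key persist-tun \
                comp-lzo 'verb 3'
            # Inline tls-auth takes no direction argument, so the "1"
            # from "tls-auth ta.key 1" moves to key-direction.
            echo 'key-direction 1'
            emit_block ca "$dir/ca.crt"
            emit_block cert "$dir/$client.crt"
            emit_block key "$dir/$client.key"
            emit_block tls-auth "$dir/ta.key"
        } > "$out"
    )
}

# Constructed demo input: placeholder file contents, not real keys.
demo=$(mktemp -d)
for f in ca.crt ta.key androalexnogard.crt androalexnogard.key; do
    echo "PLACEHOLDER $f" > "$demo/$f"
done
# 203.0.113.10 is a documentation address standing in for your public IP.
make_inline_profile "$demo" androalexnogard 203.0.113.10 443 "$demo/android.ovpn"
```

On the Pi, point DIR at /etc/openvpn/clientconf/androalexnogard and transfer the resulting file over a channel you trust, since it contains the client's private key.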

4 Responses to Install OpenVPN on Raspberry PI (Debian Wheezy)

  1. Jan says:

    Hi Alexandre,

    thank you for your instructions. I tried to create the OVPN on my raspberry but it failed and I am not sure about some of your steps. Maybe you can help me out here:

    1. When creating the server keys, you do following steps:

    # ./pkitool --initca
    # ./pkitool --server server
    # openvpn --genkey --secret keys/ta.key
    # cp keys/ca.crt keys/ta.key keys/myvpn.crt keys/myvpn.key keys/dh1024.pem /etc/openvpn/

    Where do I get the myvpn.crt and myvpn.key from? Are those already client-certificates?

    2. How do I start the ovpn? As far as I understand, we are using tcp over port 443 – but when I execute a netstat -an – there are no connections on that port.

    3. When I would like to add more client certificates – do I have to add them to myvpn.conf? Would this be like:

    mode server
    proto tcp
    port 443
    dev tun

    ca ca.crt
    cert client1.crt
    key client1.key
    cert client2.crt
    key client2.key
    dh dh1024.pem
    tls-auth ta.key 0
    cipher AES-256-CBC

    server 10.8.0.0 255.255.255.0

  2. Matt says:

    Alex,

    Thanks for the great guide.

    I've followed each of these steps and the server is up and running but when I connect through a client I cannot access the internet. LAN access is no problem but not the internet.

    Any ideas?

    Thanks in advance!
    Mawtt

  3. Hi,

    Thank you for the tip on EasyRSA git repository, it has been helpful.

    To add my little stone, I've written an OpenVPN installation guide (in French only at this time):

    https://howto.biapy.com/

    This howto introduces a tool named "openvpn-tools" that automates OpenVPN administration tasks (instance creation, clients addition and removal, bind setup, gateway setup, etc…). It also creates client configuration exports for various OS (Windows, Unix, Mac OS X, iOS).

    Thank you for your post. I hope my work helps you.

  4. Anders says:

    Thanks for a great guide!
    In order to install the OpenVPN client on Xbian 2015/06/20 I had to perform these additional steps

    apt-get install build-essential
    apt-get install libssl-dev

    ./configure --enable-password-save <-- this extra option allows the client to store credentials in a file which is needed for automatic connection.
