How to turn your Raspberry Pi into a Home VPN Server using PiVPN

Share on Facebook43Share on Google+3Tweet about this on TwitterShare on Reddit34Share on StumbleUpon1Pin on Pinterest29

With all the news about privacy concerns and security threats on the internet recently more people are starting to use a VPN on their home networks and phones. A VPN or a Virtual Private Network allows you to send and receive data across shared or public networks as if their devices were directly connected to the private network. For example if you are connected to the public WiFi network at the mall, everyone can see your data, if you use a VPN all your data is encrypted through a private tunnel and it looks like you are connected directly to your home network. VPN’s are very popular in the business world and most likely you may be using one for work and not even know why. The main reason is security and access of your local files.

You can use your Raspberry Pi as a VPN server for free or you can use a VPN service which will limit the amount of data you can use monthly as well a paying a monthly fee. With your Raspberry Pi VPN server you will be able to connect to public WiFi networks and have all your data encrypted which will prevent you from man-in-the-middle attacks as well as any one else snooping WiFi data on the network. When you are connected to your own VPN server you will be able to access all of your home files. If you have movies or music you will be able to access them with ease.

Objective

To improve our network security by turning our Raspberry Pi into a Home VPN Server using PiVPN

Material

You will need the following:

Instructions

Installation of PiVPN (The software we will be using as our VPN server) is a breeze. You simply have to run just one command to install PiVPN. I will assume you already have the Raspbian OS up and running. You only need the lite version if you will be running headless, that’s how I am installing it since I will have PiVPN running along side PiHole, my network wide ad blocker.

Run the following command in a terminal window or use SSH to install PiVPN:

Just a quick side-note, running a command like this is dangerous. Basically what the command being run is doing is going to http://install.pivpn.io and parsing the data then running it in the command line. If you run a similar command from an untrusted source you can do some damage and it is very dangerous to do so. You can type https://install.pivpn.io in your browser to see the exact commands being run.

After you run the command above you should get the window below after a few minutes, hit enter to continue:

 

You will get a windows asking you to select which network interface you would like to use. I use my Ethernet connection in this example which is labeled eth0. I suggest using an ethernet connection since it will work a lot faster.

 

Once you select your network interface it will ask you if you would like to setup the interface to have a static IP Address. I highly suggest to setup the IP Address to have a static IP Address. This will ensure that your internal IP Address doesn’t change if you restart your Raspberry Pi. 

 

The next step will ask you to pick a user that will have the PiVPN configuration settings. If you created other users you can select them here. The user you pick is not really important. You can see in my image below I have 2 users. One is the original ‘pi’ user and the other is the ‘pihole’ user from my adblocker.

 

The next step is another crucial step. Since we will be opening a port on our router to redirect to our Raspberry Pi we can be vulnerable to attacks since we are exposing our device to the internet. What this step will do is enable unattended upgrade of security patches. Basically your Raspberry Pi will check daily for new security updates and update itself. You should periodically reboot for some updates to apply. I would also suggest strong passwords on your users.

 

After you enable security updates you will get the following screen setting up PiVPN.

 

Simply pick UDP in this screen. There is no need for TCP.

 

The next step we will pick our port for our VPN connections. The default port is 1194. As you can see I chose port 11948. You can leave the default VPN port of 1194 or change it to something else. My suggestion is changing it to enhance security. Changing your port won’t turn your server into Fort Knox but it will not show up in default port scans of your IP Address assuming the attacker is scanning default ports only.

 

The next step is to set the size of your encryption key. I suggest the 2048 bit encryption only because its secure enough. I wouldn’t suggest dropping to 1024 bit encryption unless you are running a old Raspberry Pi. Since I am installing this on a Raspberry Pi 3 then 2048 bit encryption will be sufficient enough and will run with no issues. I have never tried the 4096 bit encryption, the only difference will be that it will take a longer time to create the encryption key and will be more secure if trying to crack it.

 

You will get the following screen when your key is being generated. It will take a few minutes to generate. It took my Raspberry Pi 3 around 3 minutes to generate a 2048 bit encryption key.

 

The next step will be to set up your DNS entry. I blanked out my IP Address since I did not want to expose it. If you have a static IP Address from your internet provider then I would use this IP Address. If you have an IP Address that changes randomly then you can use the DNS Entry screen. You will need to sign up for a DNS website like No-IP that will track your IP Address. You will get a name like xxxx.noip.com which you will put in the DNS Entry screen.

 

Next, you’ll be asked to select the DNS provider you’d like to use for your VPN. This can be important if the reason you’re looking to have a VPN is for privacy. The DNS provider converts URL’s into IP Addresses and lets your computer know where to go on the internet. Many DNS providers log this information and can build a data-set about you. If you don’t know which DNS provider to choose simply use Google’s DNS provider.

 

That’s it! You will get the following screens telling you to run the ‘pivpn add’ command as well as rebooting to make sure all the configuration files are applied. Go ahead and reboot.

After the reboot go ahead and run the following command to upgrade and install all our packages. After doing that reboot one more time to make sure everything is applied:

Create your OpenVPN Client File

Once you have rebooted your Raspberry Pi again, run the ‘pivpn add’ command to create a .ovpn file which we will need to transfer to our clients. This file contains a generated key that is used for logging in to our server. You can use this file for every device or you can generate new .ovpn files with the ‘pivpn add’ command.

When creating the .ovpn file, you will be asked for a pass phrase. This pass phrase will need to be entered each time you use your VPN client to connect to your Raspberry Pi VPN server. I suggest you use a strong and long pass phrase since the client .ovpn encrpytion file and the pass phrase are your only weaknesses for someone hacking your Raspberry Pi VPN Server. Keep your configuration/encryption file safe.

OpenVPN Clients

There are many OpenVPN clients to choose from. I use the official OpenVPN software for my Windows computer and my Android phone. I don’t own a Mac or an IPhone so I can not recoomend anything on that end.

The OpenVPN client for Android can be found here. You can download the official client for Windows from the OpenVPN website here.

Options for Transferring your .OVPN file to your OpenVPN Client

You will need to transfer the .ovpn file your created in the previous step to your client. The client is device which you will be using to connect to your Raspberry Pi VPN server. Your computer or phone can both be clients.

If your client will be a PC or Mac computer then the easiest way to transfer your .ovpn file will be over FTP. You can download a FTP client like FileZilla to connect to your VPN server and transfer the .ovpn file. Once you transfer it you will need to import this file into your VPN client.

if your client is a phone like and Android or an IPhone you have two options. You can either email the .ovpn file or you can transfer it using an SD card. If you email the file remember to delete from your email since you want to keep this file a secret. If this file gets compromised then the only thing that’s stopping your Raspberry Pi VPN server from getting hacked is your pass phrase, that is why you need a strong pass phrase as well.

Port Forwarding on your Router

The final step you will want to do is to forward your Raspberry Pi’s VPN port on your router. The default port you need to forward will be 1194 unless you changed this port in the PiVPN setup. Google “port forwarding” and your router name to find out how to do this for your own router.

Conclusion

With PiVPN setting up OpenVPN on the Raspberry Pi couldn’t have been easier. Having your own VPN server on the Raspberry Pi will definitely improve your privacy and online security when you are away from home. Setting up your own VPN server only takes a few minutes and the step by step guide created by PiVPN is great.

The one thing I can not stress enough is locking down your Raspberry Pi because you will be exposing your Pi to the wider internet with the port forwarding. This may increase the attacks to your network and I recommend reading some basic security steps you can do to improve the security on your Raspberry Pi and your network.

Share on Facebook43Share on Google+3Tweet about this on TwitterShare on Reddit34Share on StumbleUpon1Pin on Pinterest29

32 Comments

  • Kaladin

    January 22, 2017

    Great write-up, thanks! I will link to from the pivpn site.
    Note, I notice you are installing with pi-hole. If you want vpn to use pi-hole DNS so you have ad blocking over vpn as well then this should be the only adjustment needed after pointing vpn to the pihole IP.
    https://github.com/pivpn/pivpn/wiki/FAQ#installing-with-pi-hole

    Reply
    • dayz

      January 22, 2017

      Great, I will update the guide with that information. Appreciate you linking to the guide.

      Reply
  • Jbo

    January 29, 2017

    Thanks alot for this understandable guide – appreciate it.

    Reply
  • Geekish

    February 11, 2017

    I can’t seem to get the thing working. My nerd mojo is failing me…

    Reply
    • dayz

      February 11, 2017

      are you getting any errors? What is not exactly working for you?

      Reply
  • Geekish

    February 11, 2017

    I imported the .opvn file.
    My name shows up on the client certificate, but the CA certificate says:
    121 months leftCN=ChangeMe

    Reply
  • Paul Wächter

    February 12, 2017

    Nice tutorial…thanks for this post!!!!
    But i need a another config. The install script take a another dns. Like Google or OpenDNS and so on. But i want to take my internal dns server. I can only reach internal machines only with there ip-address. But i want to reach my internal machines with her NETBIOS name.
    How can i change them? Have you any idea?

    Reply
  • Geekish

    February 12, 2017

    It’s hard to be an old nerd-wanna be.
    6:53 PM TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

    Reply
  • Makis

    February 23, 2017

    i have installed pivpn on raspberry pi3, few days ago and all it’s OK. But since yesterday i can connect to the vpn server from client , but i haven’t internet , and i can’t see my local network!
    Do you have any idea?

    Thanks

    Reply
    • dayz

      February 24, 2017

      Verify that you are still connecting using the same Port that you used when you setup the VPN. Also make sure your router settings have not changed and you have setup your port forwarding correctly.

      Reply
  • Calanish

    February 27, 2017

    Great script! Thanks 🙂

    Any chance of adding v6 ? Specifically thinking of using it here: https://www.mythic-beasts.com/order/rpi which is a RPI v6 only hosting service. They are also the people who host Raspberrypi.org.

    Reply
    • dayz

      February 27, 2017

      Thanks. Checkout the main PiVPN website at pivpn.io for IP6 support.

      I don’t see why it wouldn’t work now with IP6 as the Raspberry Pi is capable of communicating over IP6.

      Reply
  • Serg

    March 3, 2017

    Thanks for the tutorial! One question, can I install the No-IP Dynamic Update Client on the same Raspberry Pi?

    Reply
    • dayz

      March 3, 2017

      You should be able too I don’t see why not. Give it a try and let me know since I don’t have personal experience with No-IP

      Reply
  • Peter

    March 3, 2017

    Is there any way of having an OpenVPN client and server running on a Raspberry Pi at the same time?
    I really want to have my personal VPN running at my house while at the same time make the Raspberry pi act as a VPN gateway (connected to a private vpn provider)

    Thanks

    Reply
    • dayz

      March 3, 2017

      You can most likely do something like this if you connect to another VPN with your router that way your whole network is connected to another VPN but I dont see why you would need to do something like this outside of your network.

      Connecting to the Raspberry Pi VPN should connect you to your home network, if you are outside the house and have another VPN network that you usually connect to why not just connect to that VPN directly?

      Reply
      • Peter

        March 5, 2017

        Connecting my network to another VPN with my router is not what I’m after as I could also do that with two Rpis, one acting as an openvpn client and the other as an openvpn server and Im trying to achieve this with only one RPI. I’d like to have my personal vpn running at my house so I have access to my security cameras and other internal devices when I’m away from home without having them directly exposed to the internet and right now Im using the Rpi as a vpn gateway (with a paid vpn service provider) so when Im at home I can watch US Netflix programing as well as many other US restricted services. Thanks
        Thanks

        Reply
  • Joe

    March 4, 2017

    Thank you for this! I tried using a Linux Mint machine to host OpenVPN and couldn’t get the thing to work. I could connect to the VPN just fine but couldn’t connect to websites or other internet resources.
    I used your method here on a Raspberry Pi 3 and it works perfect! Nice work. I will sharing this method with my students in my Tech Support Classes at the college I teach at.

    Reply
  • Horace

    April 1, 2017

    My open vpn connect app times out connecting. I’ve forwarded the port through my router but it seems my Pi is refusing connections.

    Open port test tool shows:
    Problem! I could not see your service on xxx.xxx.xxx.xxx on port (1194).
    Reason: Connection refused.

    I’m guessing a firewall setting is incorrect here. Any hints appreciated!

    Reply
    • dayz

      April 1, 2017

      Did you happen to use another port during setup?

      Reply
      • Horace

        April 2, 2017

        Hi Dayz

        No I went with 1194 during setup and have gone back to check this. I’m wondering if there’s another firewall or service running but I don’t know how to check.

        Reply
  • Kevin

    April 2, 2017

    Hello. I have followed the steps exactly and yet none of my machines can connect to the VPN. On Android i get an error. Openvpn core: PolarSSL: Error parsing config private key: PK- bad input parameters to function. Am I missing something?

    Reply
  • szabonandi

    April 4, 2017

    I folllowed your guide during the installation, but when I start up the daemon, it fails:

    pi@raspberrypi /var/log $ sudo service openvpn status
    [FAIL] VPN ‘server’ is not running … failed!
    pi@raspberrypi /var/log $

    The log file contains this line:

    pi@raspberrypi /var/log $ cat daemon.log | grep ovpn-server
    Apr 3 23:58:46 raspberrypi ovpn-server[29870]: Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/server.conf:28: tls-version-min (2.2.1)
    Apr 3 23:58:46 raspberrypi ovpn-server[29870]: Use –help for more information.

    I commented out the “tls-version-min 1.2” line in the “/etc/openvpn/server.conf” file. Then the daemon startup succeeded:

    pi@raspberrypi /var/log $ sudo service openvpn start
    [ ok ] Starting virtual private network daemon: server.

    According the logfile the startup seems ok:

    pi@raspberrypi /var/log $ sudo cat openvpn.log
    Tue Apr 4 07:44:39 2017 OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
    Tue Apr 4 07:44:39 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
    Tue Apr 4 07:44:39 2017 NOTE: OpenVPN 2.1 requires ‘–script-security 2’ or higher to call user-defined scripts or executables
    Tue Apr 4 07:44:39 2017 Control Channel Authentication: using ‘/etc/openvpn/easy-rsa/pki/ta.key’ as a OpenVPN static key file
    Tue Apr 4 07:44:39 2017 TUN/TAP device tun0 opened
    Tue Apr 4 07:44:39 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Tue Apr 4 07:44:39 2017 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
    Tue Apr 4 07:44:39 2017 GID set to nogroup
    Tue Apr 4 07:44:39 2017 UID set to nobody
    Tue Apr 4 07:44:39 2017 UDPv4 link local (bound): [undef]
    Tue Apr 4 07:44:39 2017 UDPv4 link remote: [undef]
    Tue Apr 4 07:44:39 2017 Initialization Sequence Completed

    But the connection from the client fails:

    Tue Apr 04 07:57:23 2017 OpenSSL: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
    Tue Apr 04 07:57:23 2017 TLS_ERROR: BIO read tls_read_plaintext error
    Tue Apr 04 07:57:23 2017 TLS Error: TLS object -> incoming plaintext read error
    Tue Apr 04 07:57:23 2017 TLS Error: TLS handshake failed
    Tue Apr 04 07:57:23 2017 SIGUSR1[soft,tls-error] received, process restarting

    What is wrong?

    Reply
    • szabonandi

      April 4, 2017

      I found the solution:

      The client config file also have a “tls-version-min 1.2” line.
      By commenting this: everything works fine.
      The connection is established.

      Reply
  • Patrick

    April 4, 2017

    Thanks for your tutorial, it is very well documented !!
    I’ve installed PiVpn without any problem on my RPI3.
    After that, I’ve inserted an entry ‘Port forwarding’ of my router, redirecting the port to my RPI3 IP with the port I’ve defined on the installation (11948).
    Then, I’ve installed OpenVpn on my Laptop (with windows 7). I’ve started it as administrator and get a configuration file (ovpn file) generated by ‘pivpn add’.
    I’ve started the connection to my vpn server (on my RPI3) without errors.
    In order to see if the whole installation is correct, I’ve opened the web page https://www.hostip.fr/ to see if my IP is hidden.
    From home, location of my RPI3, I can see my physical IP instead of the hidden IP.
    From outside, I can see the IP of my home and not the hidden IP.
    I don’t understand…

    Find below the log of the OpenVpn connection (I’ve hidden my IP with for confidentiality) :

    Tue Apr 04 06:01:31 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
    Tue Apr 04 06:01:31 2017 Windows version 6.1 (Windows 7) 64bit
    Tue Apr 04 06:01:31 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
    Enter Management Password:
    Tue Apr 04 06:01:32 2017 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
    Tue Apr 04 06:01:32 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]:11948
    Tue Apr 04 06:01:32 2017 UDP link local: (not bound)
    Tue Apr 04 06:01:32 2017 UDP link remote: [AF_INET]:11948
    Tue Apr 04 06:01:32 2017 [server] Peer Connection Initiated with [AF_INET]:11948
    Tue Apr 04 06:01:33 2017 open_tun
    Tue Apr 04 06:01:33 2017 TAP-WIN32 device [Connexion au réseau local] opened: \\.\Global\{9D233730-585B-4921-A991-3E8D0D49B3DE}.tap
    Tue Apr 04 06:01:33 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
    Tue Apr 04 06:01:33 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {9D233730-585B-4921-A991-3E8D0D49B3DE} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
    Tue Apr 04 06:01:33 2017 Successful ARP Flush on interface [25] {9D233730-585B-4921-A991-3E8D0D49B3DE}
    Tue Apr 04 06:01:33 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Tue Apr 04 06:01:38 2017 Initialization Sequence Completed

    Do you have an idea ?
    Thanks in advance for your answers.

    Reply
    • dayz

      April 4, 2017

      From home, location of my RPI3, I can see my physical IP instead of the hidden IP.
      From outside, I can see the IP of my home and not the hidden IP.

      This is exactly what I would expect with my guide. Everything is running correctly.

      What you just created is a VPN Server using your Raspberry as a server on your network. What this means is when you are at home on your network everything will look like as if you are at home. Now if you leave your house and VPN to your home network you will not have a secured and encrypted connection back to your house. Everything will appear on your phone as if you are at home, even thou you are not.

      Now if you if want your home network to have a different IP address you would need to connect to a VPN server outside of your house. That is where you would need to pay for a VPN service or you can even setup a Raspberry Pi VPN server at a friends house and you can connect to his Raspberry Pi over an encrypted connection and that would hide your location as well.

      Reply
      • Patrick

        April 4, 2017

        Ok Dayz, I understand…
        I was a little confused because on a forum they said that opening https://www.hostip.fr/, it was expected to have a different IP from the home IP, something like 10.8.0.2.
        But your explanation is very logic.

        I’ve got another question but as it is not related to a bug I will not be offended if you do not answer…
        I’ve got a printer which is connected through wifi to the home network. I know that is possible to print something on it from outside through a VPN.
        Can you tell me how ?
        I’m pretty sure that it’s easy but I cannot succeed…

        Reply
  • Pingback: They Sell Your Browsing History, Now What? |

  • Jack

    April 11, 2017

    Is this supposed to work on a Raspberry Pi 2? I followed all the instructions but keep getting this log when trying to connect:

    Tue Apr 11 18:19:48 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
    Tue Apr 11 18:19:48 2017 Windows version 6.2 (Windows 8 or greater) 64bit
    Tue Apr 11 18:19:48 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
    Tue Apr 11 18:19:48 2017 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
    Tue Apr 11 18:19:49 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]172.56.30.19:11948
    Tue Apr 11 18:19:49 2017 UDP link local: (not bound)
    Tue Apr 11 18:19:49 2017 UDP link remote: [AF_INET]172.56.30.19:11948
    Tue Apr 11 18:20:49 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Apr 11 18:20:49 2017 TLS Error: TLS handshake failed
    Tue Apr 11 18:20:49 2017 SIGUSR1[soft,tls-error] received, process restarting
    Tue Apr 11 18:20:54 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]47.150.2.56:11948
    Tue Apr 11 18:20:54 2017 UDP link local: (not bound)
    Tue Apr 11 18:20:54 2017 UDP link remote: [AF_INET]47.150.2.56:11948
    Tue Apr 11 18:21:54 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Apr 11 18:21:54 2017 TLS Error: TLS handshake failed
    Tue Apr 11 18:21:54 2017 SIGUSR1[soft,tls-error] received, process restarting
    Tue Apr 11 18:21:59 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]47.150.2.56:11948
    Tue Apr 11 18:21:59 2017 UDP link local: (not bound)
    Tue Apr 11 18:21:59 2017 UDP link remote: [AF_INET]47.150.2.56:11948

    Reply
    • dayz

      April 11, 2017

      It looks like you are using port 11948, did you make sure to port forward that port on your router to your Raspberry Pi?

      Reply
      • Jack

        April 12, 2017

        Yes I configured port 11948 to be forwarded to my Pi.

        Reply
        • Joshoua

          July 1, 2017

          Jack, did you try to connect to your VPN from outside your network? I got the same errors and it finally hit me that VPNs work over the Internet. So If you have a smartphone you can use the mobile internet connection to test if your VPN connection is working by downloading the openvpn GUI client and using the profile you made and/or you can test it by using someone else’s Internet connection like a friend or family member and then connect to your server. From my understanding, VPNs work by tunneling through the Internet so it probably won’t work if you are trying to connect to your VPN server from inside your own network.

          Reply

Leave a Reply