How to turn your Raspberry Pi into a Home VPN Server using PiVPN

Share on Facebook29Share on Google+0Tweet about this on TwitterShare on Reddit31Share on StumbleUpon1Pin on Pinterest18

With all the news about privacy concerns and security threats on the internet recently more people are starting to use a VPN on their home networks and phones. A VPN or a Virtual Private Network allows you to send and receive data across shared or public networks as if their devices were directly connected to the private network. For example if you are connected to the public WiFi network at the mall, everyone can see your data, if you use a VPN all your data is encrypted through a private tunnel and it looks like you are connected directly to your home network. VPN’s are very popular in the business world and most likely you may be using one for work and not even know why. The main reason is security and access of your local files.

You can use your Raspberry Pi as a VPN server for free or you can use a VPN service which will limit the amount of data you can use monthly as well a paying a monthly fee. With your Raspberry Pi VPN server you will be able to connect to public WiFi networks and have all your data encrypted which will prevent you from man-in-the-middle attacks as well as any one else snooping WiFi data on the network. When you are connected to your own VPN server you will be able to access all of your home files. If you have movies or music you will be able to access them with ease.

Objective

To improve our network security by turning our Raspberry Pi into a Home VPN Server using PiVPN

Material

You will need the following:

Instructions

Installation of PiVPN (The software we will be using as our VPN server) is a breeze. You simply have to run just one command to install PiVPN. I will assume you already have the Raspbian OS up and running. You only need the lite version if you will be running headless, that’s how I am installing it since I will have PiVPN running along side PiHole, my network wide ad blocker.

Run the following command in a terminal window or use SSH to install PiVPN:

Just a quick side-note, running a command like this is dangerous. Basically what the command being run is doing is going to http://install.pivpn.io and parsing the data then running it in the command line. If you run a similar command from an untrusted source you can do some damage and it is very dangerous to do so. You can type https://install.pivpn.io in your browser to see the exact commands being run.

After you run the command above you should get the window below after a few minutes, hit enter to continue:

 

You will get a windows asking you to select which network interface you would like to use. I use my Ethernet connection in this example which is labeled eth0. I suggest using an ethernet connection since it will work a lot faster.

 

Once you select your network interface it will ask you if you would like to setup the interface to have a static IP Address. I highly suggest to setup the IP Address to have a static IP Address. This will ensure that your internal IP Address doesn’t change if you restart your Raspberry Pi. 

 

The next step will ask you to pick a user that will have the PiVPN configuration settings. If you created other users you can select them here. The user you pick is not really important. You can see in my image below I have 2 users. One is the original ‘pi’ user and the other is the ‘pihole’ user from my adblocker.

 

The next step is another crucial step. Since we will be opening a port on our router to redirect to our Raspberry Pi we can be vulnerable to attacks since we are exposing our device to the internet. What this step will do is enable unattended upgrade of security patches. Basically your Raspberry Pi will check daily for new security updates and update itself. You should periodically reboot for some updates to apply. I would also suggest strong passwords on your users.

 

After you enable security updates you will get the following screen setting up PiVPN.

 

Simply pick UDP in this screen. There is no need for TCP.

 

The next step we will pick our port for our VPN connections. The default port is 1194. As you can see I chose port 11948. You can leave the default VPN port of 1194 or change it to something else. My suggestion is changing it to enhance security. Changing your port won’t turn your server into Fort Knox but it will not show up in default port scans of your IP Address assuming the attacker is scanning default ports only.

 

The next step is to set the size of your encryption key. I suggest the 2048 bit encryption only because its secure enough. I wouldn’t suggest dropping to 1024 bit encryption unless you are running a old Raspberry Pi. Since I am installing this on a Raspberry Pi 3 then 2048 bit encryption will be sufficient enough and will run with no issues. I have never tried the 4096 bit encryption, the only difference will be that it will take a longer time to create the encryption key and will be more secure if trying to crack it.

 

You will get the following screen when your key is being generated. It will take a few minutes to generate. It took my Raspberry Pi 3 around 3 minutes to generate a 2048 bit encryption key.

 

The next step will be to set up your DNS entry. I blanked out my IP Address since I did not want to expose it. If you have a static IP Address from your internet provider then I would use this IP Address. If you have an IP Address that changes randomly then you can use the DNS Entry screen. You will need to sign up for a DNS website like No-IP that will track your IP Address. You will get a name like xxxx.noip.com which you will put in the DNS Entry screen.

 

Next, you’ll be asked to select the DNS provider you’d like to use for your VPN. This can be important if the reason you’re looking to have a VPN is for privacy. The DNS provider converts URL’s into IP Addresses and lets your computer know where to go on the internet. Many DNS providers log this information and can build a data-set about you. If you don’t know which DNS provider to choose simply use Google’s DNS provider.

 

That’s it! You will get the following screens telling you to run the ‘pivpn add’ command as well as rebooting to make sure all the configuration files are applied. Go ahead and reboot.

After the reboot go ahead and run the following command to upgrade and install all our packages. After doing that reboot one more time to make sure everything is applied:

Create your OpenVPN Client File

Once you have rebooted your Raspberry Pi again, run the ‘pivpn add’ command to create a .ovpn file which we will need to transfer to our clients. This file contains a generated key that is used for logging in to our server. You can use this file for every device or you can generate new .ovpn files with the ‘pivpn add’ command.

When creating the .ovpn file, you will be asked for a pass phrase. This pass phrase will need to be entered each time you use your VPN client to connect to your Raspberry Pi VPN server. I suggest you use a strong and long pass phrase since the client .ovpn encrpytion file and the pass phrase are your only weaknesses for someone hacking your Raspberry Pi VPN Server. Keep your configuration/encryption file safe.

OpenVPN Clients

There are many OpenVPN clients to choose from. I use the official OpenVPN software for my Windows computer and my Android phone. I don’t own a Mac or an IPhone so I can not recoomend anything on that end.

The OpenVPN client for Android can be found here. You can download the official client for Windows from the OpenVPN website here.

Options for Transferring your .OVPN file to your OpenVPN Client

You will need to transfer the .ovpn file your created in the previous step to your client. The client is device which you will be using to connect to your Raspberry Pi VPN server. Your computer or phone can both be clients.

If your client will be a PC or Mac computer then the easiest way to transfer your .ovpn file will be over FTP. You can download a FTP client like FileZilla to connect to your VPN server and transfer the .ovpn file. Once you transfer it you will need to import this file into your VPN client.

if your client is a phone like and Android or an IPhone you have two options. You can either email the .ovpn file or you can transfer it using an SD card. If you email the file remember to delete from your email since you want to keep this file a secret. If this file gets compromised then the only thing that’s stopping your Raspberry Pi VPN server from getting hacked is your pass phrase, that is why you need a strong pass phrase as well.

Port Forwarding on your Router

The final step you will want to do is to forward your Raspberry Pi’s VPN port on your router. The default port you need to forward will be 1194 unless you changed this port in the PiVPN setup. Google “port forwarding” and your router name to find out how to do this for your own router.

Conclusion

With PiVPN setting up OpenVPN on the Raspberry Pi couldn’t have been easier. Having your own VPN server on the Raspberry Pi will definitely improve your privacy and online security when you are away from home. Setting up your own VPN server only takes a few minutes and the step by step guide created by PiVPN is great.

The one thing I can not stress enough is locking down your Raspberry Pi because you will be exposing your Pi to the wider internet with the port forwarding. This may increase the attacks to your network and I recommend reading some basic security steps you can do to improve the security on your Raspberry Pi and your network.

Share on Facebook29Share on Google+0Tweet about this on TwitterShare on Reddit31Share on StumbleUpon1Pin on Pinterest18

18 Comments

  • Kaladin

    January 22, 2017

    Great write-up, thanks! I will link to from the pivpn site.
    Note, I notice you are installing with pi-hole. If you want vpn to use pi-hole DNS so you have ad blocking over vpn as well then this should be the only adjustment needed after pointing vpn to the pihole IP.
    https://github.com/pivpn/pivpn/wiki/FAQ#installing-with-pi-hole

    Reply
    • dayz

      January 22, 2017

      Great, I will update the guide with that information. Appreciate you linking to the guide.

      Reply
  • Jbo

    January 29, 2017

    Thanks alot for this understandable guide – appreciate it.

    Reply
  • Geekish

    February 11, 2017

    I can’t seem to get the thing working. My nerd mojo is failing me…

    Reply
    • dayz

      February 11, 2017

      are you getting any errors? What is not exactly working for you?

      Reply
  • Geekish

    February 11, 2017

    I imported the .opvn file.
    My name shows up on the client certificate, but the CA certificate says:
    121 months leftCN=ChangeMe

    Reply
  • Paul Wächter

    February 12, 2017

    Nice tutorial…thanks for this post!!!!
    But i need a another config. The install script take a another dns. Like Google or OpenDNS and so on. But i want to take my internal dns server. I can only reach internal machines only with there ip-address. But i want to reach my internal machines with her NETBIOS name.
    How can i change them? Have you any idea?

    Reply
  • Geekish

    February 12, 2017

    It’s hard to be an old nerd-wanna be.
    6:53 PM TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

    Reply
  • Makis

    February 23, 2017

    i have installed pivpn on raspberry pi3, few days ago and all it’s OK. But since yesterday i can connect to the vpn server from client , but i haven’t internet , and i can’t see my local network!
    Do you have any idea?

    Thanks

    Reply
    • dayz

      February 24, 2017

      Verify that you are still connecting using the same Port that you used when you setup the VPN. Also make sure your router settings have not changed and you have setup your port forwarding correctly.

      Reply
  • Calanish

    February 27, 2017

    Great script! Thanks 🙂

    Any chance of adding v6 ? Specifically thinking of using it here: https://www.mythic-beasts.com/order/rpi which is a RPI v6 only hosting service. They are also the people who host Raspberrypi.org.

    Reply
    • dayz

      February 27, 2017

      Thanks. Checkout the main PiVPN website at pivpn.io for IP6 support.

      I don’t see why it wouldn’t work now with IP6 as the Raspberry Pi is capable of communicating over IP6.

      Reply
  • Serg

    March 3, 2017

    Thanks for the tutorial! One question, can I install the No-IP Dynamic Update Client on the same Raspberry Pi?

    Reply
    • dayz

      March 3, 2017

      You should be able too I don’t see why not. Give it a try and let me know since I don’t have personal experience with No-IP

      Reply
  • Peter

    March 3, 2017

    Is there any way of having an OpenVPN client and server running on a Raspberry Pi at the same time?
    I really want to have my personal VPN running at my house while at the same time make the Raspberry pi act as a VPN gateway (connected to a private vpn provider)

    Thanks

    Reply
    • dayz

      March 3, 2017

      You can most likely do something like this if you connect to another VPN with your router that way your whole network is connected to another VPN but I dont see why you would need to do something like this outside of your network.

      Connecting to the Raspberry Pi VPN should connect you to your home network, if you are outside the house and have another VPN network that you usually connect to why not just connect to that VPN directly?

      Reply
      • Peter

        March 5, 2017

        Connecting my network to another VPN with my router is not what I’m after as I could also do that with two Rpis, one acting as an openvpn client and the other as an openvpn server and Im trying to achieve this with only one RPI. I’d like to have my personal vpn running at my house so I have access to my security cameras and other internal devices when I’m away from home without having them directly exposed to the internet and right now Im using the Rpi as a vpn gateway (with a paid vpn service provider) so when Im at home I can watch US Netflix programing as well as many other US restricted services. Thanks
        Thanks

        Reply
  • Joe

    March 4, 2017

    Thank you for this! I tried using a Linux Mint machine to host OpenVPN and couldn’t get the thing to work. I could connect to the VPN just fine but couldn’t connect to websites or other internet resources.
    I used your method here on a Raspberry Pi 3 and it works perfect! Nice work. I will sharing this method with my students in my Tech Support Classes at the college I teach at.

    Reply

Leave a Reply