How to turn your Raspberry Pi into a Home VPN Server using PiVPN
With all the news about privacy concerns and security threats on the internet recently more people are starting to use a VPN on their home networks and phones. A VPN or a Virtual Private Network allows you to send and receive data across shared or public networks as if their devices were directly connected to the private network. For example if you are connected to the public WiFi network at the mall, everyone can see your data, if you use a VPN all your data is encrypted through a private tunnel and it looks like you are connected directly to your home network. VPN’s are very popular in the business world and most likely you may be using one for work and not even know why. The main reason is security and access of your local files.
You can use your Raspberry Pi as a VPN server for free or you can use a VPN service which will limit the amount of data you can use monthly as well a paying a monthly fee. With your Raspberry Pi VPN server you will be able to connect to public WiFi networks and have all your data encrypted which will prevent you from man-in-the-middle attacks as well as any one else snooping WiFi data on the network. When you are connected to your own VPN server you will be able to access all of your home files. If you have movies or music you will be able to access them with ease.
To improve our network security by turning our Raspberry Pi into a Home VPN Server using PiVPN
You will need the following:
Installation of PiVPN (The software we will be using as our VPN server) is a breeze. You simply have to run just one command to install PiVPN. I will assume you already have the Raspbian OS up and running. You only need the lite version if you will be running headless, that’s how I am installing it since I will have PiVPN running along side PiHole, my network wide ad blocker.
Run the following command in a terminal window or use SSH to install PiVPN:
curl -L https://install.pivpn.io | bash
Just a quick side-note, running a command like this is dangerous. Basically what the command being run is doing is going to http://install.pivpn.io and parsing the data then running it in the command line. If you run a similar command from an untrusted source you can do some damage and it is very dangerous to do so. You can type https://install.pivpn.io in your browser to see the exact commands being run.
After you run the command above you should get the window below after a few minutes, hit enter to continue:
You will get a windows asking you to select which network interface you would like to use. I use my Ethernet connection in this example which is labeled eth0. I suggest using an ethernet connection since it will work a lot faster.
Once you select your network interface it will ask you if you would like to setup the interface to have a static IP Address. I highly suggest to setup the IP Address to have a static IP Address. This will ensure that your internal IP Address doesn’t change if you restart your Raspberry Pi.
The next step will ask you to pick a user that will have the PiVPN configuration settings. If you created other users you can select them here. The user you pick is not really important. You can see in my image below I have 2 users. One is the original ‘pi’ user and the other is the ‘pihole’ user from my adblocker.
The next step is another crucial step. Since we will be opening a port on our router to redirect to our Raspberry Pi we can be vulnerable to attacks since we are exposing our device to the internet. What this step will do is enable unattended upgrade of security patches. Basically your Raspberry Pi will check daily for new security updates and update itself. You should periodically reboot for some updates to apply. I would also suggest strong passwords on your users.
The next step we will pick our port for our VPN connections. The default port is 1194. As you can see I chose port 11948. You can leave the default VPN port of 1194 or change it to something else. My suggestion is changing it to enhance security. Changing your port won’t turn your server into Fort Knox but it will not show up in default port scans of your IP Address assuming the attacker is scanning default ports only.
The next step is to set the size of your encryption key. I suggest the 2048 bit encryption only because its secure enough. I wouldn’t suggest dropping to 1024 bit encryption unless you are running a old Raspberry Pi. Since I am installing this on a Raspberry Pi 3 then 2048 bit encryption will be sufficient enough and will run with no issues. I have never tried the 4096 bit encryption, the only difference will be that it will take a longer time to create the encryption key and will be more secure if trying to crack it.
The next step will be to set up your DNS entry. I blanked out my IP Address since I did not want to expose it. If you have a static IP Address from your internet provider then I would use this IP Address. If you have an IP Address that changes randomly then you can use the DNS Entry screen. You will need to sign up for a DNS website like No-IP that will track your IP Address. You will get a name like xxxx.noip.com which you will put in the DNS Entry screen.
Next, you’ll be asked to select the DNS provider you’d like to use for your VPN. This can be important if the reason you’re looking to have a VPN is for privacy. The DNS provider converts URL’s into IP Addresses and lets your computer know where to go on the internet. Many DNS providers log this information and can build a data-set about you. If you don’t know which DNS provider to choose simply use Google’s DNS provider.
After the reboot go ahead and run the following command to upgrade and install all our packages. After doing that reboot one more time to make sure everything is applied:
sudo apt-get upgrade
Create your OpenVPN Client File
Once you have rebooted your Raspberry Pi again, run the ‘pivpn add’ command to create a .ovpn file which we will need to transfer to our clients. This file contains a generated key that is used for logging in to our server. You can use this file for every device or you can generate new .ovpn files with the ‘pivpn add’ command.
When creating the .ovpn file, you will be asked for a pass phrase. This pass phrase will need to be entered each time you use your VPN client to connect to your Raspberry Pi VPN server. I suggest you use a strong and long pass phrase since the client .ovpn encrpytion file and the pass phrase are your only weaknesses for someone hacking your Raspberry Pi VPN Server. Keep your configuration/encryption file safe.
There are many OpenVPN clients to choose from. I use the official OpenVPN software for my Windows computer and my Android phone. I don’t own a Mac or an IPhone so I can not recoomend anything on that end.
Options for Transferring your .OVPN file to your OpenVPN Client
You will need to transfer the .ovpn file your created in the previous step to your client. The client is device which you will be using to connect to your Raspberry Pi VPN server. Your computer or phone can both be clients.
If your client will be a PC or Mac computer then the easiest way to transfer your .ovpn file will be over FTP. You can download a FTP client like FileZilla to connect to your VPN server and transfer the .ovpn file. Once you transfer it you will need to import this file into your VPN client.
if your client is a phone like and Android or an IPhone you have two options. You can either email the .ovpn file or you can transfer it using an SD card. If you email the file remember to delete from your email since you want to keep this file a secret. If this file gets compromised then the only thing that’s stopping your Raspberry Pi VPN server from getting hacked is your pass phrase, that is why you need a strong pass phrase as well.
Port Forwarding on your Router
The final step you will want to do is to forward your Raspberry Pi’s VPN port on your router. The default port you need to forward will be 1194 unless you changed this port in the PiVPN setup. Google “port forwarding” and your router name to find out how to do this for your own router.
With PiVPN setting up OpenVPN on the Raspberry Pi couldn’t have been easier. Having your own VPN server on the Raspberry Pi will definitely improve your privacy and online security when you are away from home. Setting up your own VPN server only takes a few minutes and the step by step guide created by PiVPN is great.
The one thing I can not stress enough is locking down your Raspberry Pi because you will be exposing your Pi to the wider internet with the port forwarding. This may increase the attacks to your network and I recommend reading some basic security steps you can do to improve the security on your Raspberry Pi and your network.