How to turn your Raspberry Pi into a Home VPN Server using PiVPN

With all the recent news about privacy concerns and security threats on the internet, more people are starting to use a VPN on their home networks and phones. A VPN, or Virtual Private Network, allows you to send and receive data across shared or public networks as if your devices were directly connected to the private network. For example, if you are connected to the public WiFi network at the mall, everyone can see your data; if you use a VPN, all your data is encrypted through a private tunnel and it looks like you are connected directly to your home network. VPNs are very popular in the business world, and you may well be using one for work without knowing why. The main reasons are security and access to your local files.

You can use your Raspberry Pi as a VPN server for free, or you can use a VPN service, which will limit the amount of data you can use monthly as well as charge a monthly fee. With your Raspberry Pi VPN server you will be able to connect to public WiFi networks and have all your data encrypted, which will protect you from man-in-the-middle attacks as well as anyone else snooping on WiFi data on the network. When you are connected to your own VPN server you will be able to access all of your home files. If you have movies or music you will be able to access them with ease.


To improve our network security by turning our Raspberry Pi into a Home VPN Server using PiVPN


You will need the following:


Installation of PiVPN (the software we will be using as our VPN server) is a breeze. You simply have to run one command to install PiVPN. I will assume you already have the Raspbian OS up and running. You only need the Lite version if you will be running headless; that’s how I am installing it, since I will have PiVPN running alongside PiHole, my network-wide ad blocker.

Run the following command in a terminal window or use SSH to install PiVPN:

Just a quick side note: running a command like this is dangerous. What the command does is fetch a script from a URL and run it directly in your shell. If you run a similar command from an untrusted source you can do some real damage. You can open that URL in your browser to see the exact commands being run.
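A safer way to handle the warning above is to save the installer to disk, read it, and run only the copy you read. The following is an added example, not part of the original guide or the PiVPN project; `INSTALLER_URL` is a placeholder and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: download-then-review instead of piping a URL into a shell.
# INSTALLER_URL is a placeholder, not the real installer address.
INSTALLER_URL="https://example.invalid/install.sh"

# Print the SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Save the installer to a file. HTTPS only, fail on HTTP errors,
# follow redirects, stay quiet unless something goes wrong.
fetch_installer() {
    local url="$1" dest="$2"
    curl --proto '=https' -fsSL -o "$dest" "$url"
}

# Run the script only if it still matches the digest recorded when it was
# reviewed. Returns 1 (and runs nothing) on a mismatch or a missing file.
run_if_pinned() {
    local script="$1" expected="$2" actual
    [ -f "$script" ] || { echo "missing: $script" >&2; return 1; }
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: digest $actual != pinned $expected" >&2
        return 1
    fi
    bash "$script"
}

# Typical use (needs network, so it is left commented out):
#   fetch_installer "$INSTALLER_URL" ./install.sh
#   less ./install.sh                     # read what it is going to do
#   sha256_of ./install.sh                # record this digest
#   run_if_pinned ./install.sh <digest>   # runs only the copy you read

# Offline demonstration with a constructed stand-in script.
demo() {
    local tmp pinned
    tmp=$(mktemp)
    printf 'echo "installer ran"\n' > "$tmp"
    pinned=$(sha256_of "$tmp")
    run_if_pinned "$tmp" "$pinned"                   # digest matches: runs
    printf 'echo "tampered"\n' >> "$tmp"             # changed after review
    run_if_pinned "$tmp" "$pinned" || echo "blocked as expected"
    rm -f "$tmp"
}
demo
```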

After you run the command above you should get the window below after a few minutes, hit enter to continue:


You will get a window asking you to select which network interface you would like to use. I use my Ethernet connection in this example, which is labeled eth0. I suggest using an Ethernet connection since it will work a lot faster.


Once you select your network interface it will ask you if you would like to set up the interface with a static IP address. I highly suggest doing so. This will ensure that your internal IP address doesn’t change if you restart your Raspberry Pi.


The next step will ask you to pick a user that will have the PiVPN configuration settings. If you created other users you can select them here. The user you pick is not really important. You can see in my image below I have 2 users. One is the original ‘pi’ user and the other is the ‘pihole’ user from my adblocker.


The next step is another crucial step. Since we will be opening a port on our router to redirect to our Raspberry Pi we can be vulnerable to attacks since we are exposing our device to the internet. What this step will do is enable unattended upgrade of security patches. Basically your Raspberry Pi will check daily for new security updates and update itself. You should periodically reboot for some updates to apply. I would also suggest strong passwords on your users.


After you enable security updates you will get the following screen setting up PiVPN.


Simply pick UDP in this screen. There is no need for TCP.


In the next step we will pick the port for our VPN connections. The default port is 1194. As you can see I chose port 11948. You can leave the default VPN port of 1194 or change it to something else. My suggestion is to change it to enhance security. Changing your port won’t turn your server into Fort Knox, but it will keep it from showing up in default port scans of your IP address, assuming the attacker is scanning default ports only.


The next step is to set the size of your encryption key. I suggest 2048-bit encryption because it’s secure enough. I wouldn’t suggest dropping to 1024-bit encryption unless you are running an old Raspberry Pi. Since I am installing this on a Raspberry Pi 3, 2048-bit encryption will be sufficient and will run with no issues. I have never tried 4096-bit encryption; the only difference is that it will take longer to create the encryption key and will be more secure against cracking.


You will get the following screen when your key is being generated. It will take a few minutes to generate. It took my Raspberry Pi 3 around 3 minutes to generate a 2048 bit encryption key.


The next step will be to set up your DNS entry. I blanked out my IP Address since I did not want to expose it. If you have a static IP Address from your internet provider then I would use this IP Address. If you have an IP Address that changes randomly then you can use the DNS Entry screen. You will need to sign up for a DNS website like No-IP that will track your IP Address. You will get a name like which you will put in the DNS Entry screen.


Next, you’ll be asked to select the DNS provider you’d like to use for your VPN. This can be important if the reason you’re looking to have a VPN is privacy. The DNS provider converts URLs into IP addresses and lets your computer know where to go on the internet. Many DNS providers log this information and can build a data set about you. If you don’t know which DNS provider to choose, simply use Google’s DNS provider.


That’s it! You will get the following screens telling you to run the ‘pivpn add’ command as well as rebooting to make sure all the configuration files are applied. Go ahead and reboot.

After the reboot go ahead and run the following command to upgrade and install all our packages. After doing that reboot one more time to make sure everything is applied:

Create your OpenVPN Client File

Once you have rebooted your Raspberry Pi again, run the ‘pivpn add’ command to create a .ovpn file which we will need to transfer to our clients. This file contains a generated key that is used for logging in to our server. You can use this file for every device or you can generate new .ovpn files with the ‘pivpn add’ command.

When creating the .ovpn file, you will be asked for a pass phrase. This pass phrase will need to be entered each time you use your VPN client to connect to your Raspberry Pi VPN server. I suggest you use a strong and long pass phrase, since the client .ovpn encryption file and the pass phrase are your only weak points if someone tries to hack your Raspberry Pi VPN server. Keep your configuration/encryption file safe.
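Before copying a profile to a device, it is worth checking that its key really is pass-phrase protected and that the file is not readable by other users. The following is an added example, not part of the original guide or the PiVPN project; it assumes the profile embeds its key inline between `<key>` and `</key>`, and the function names and sample profile are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a client .ovpn profile before handing it out.
# Assumes the private key is embedded inline in a <key> ... </key> block.

# Print "encrypted", "plaintext" or "missing" for the inline private key.
ovpn_key_state() {
    awk '
        { sub(/\r$/, "") }                                    # tolerate CRLF files
        /^<key>/   { inkey = 1; seen = 1; next }
        /^<\/key>/ { inkey = 0 }
        inkey && /BEGIN ENCRYPTED PRIVATE KEY/ { enc = 1 }    # PKCS#8, encrypted
        inkey && /^Proc-Type: 4,ENCRYPTED/     { enc = 1 }    # legacy PEM, encrypted
        END {
            if (!seen)    print "missing"
            else if (enc) print "encrypted"
            else          print "plaintext"
        }
    ' "$1"
}

# Succeed only if group and others have no access at all (e.g. mode 600).
ovpn_private_perms() {
    local bits
    bits=$(ls -ld -- "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Print "proto host port"; OpenVPN defaults are udp and 1194 when omitted.
ovpn_endpoint() {
    awk '
        { sub(/\r$/, "") }
        $1 == "proto"           { proto = $2 }
        $1 == "remote" && !host { host = $2; port = $3 }
        END {
            if (!proto) proto = "udp"
            if (!port)  port  = "1194"
            print proto, host, port
        }
    ' "$1"
}

# Report findings; return non-zero if anything needs attention.
audit_ovpn() {
    local f="$1" rc=0 state
    state=$(ovpn_key_state "$f")
    echo "endpoint:    $(ovpn_endpoint "$f")"
    echo "private key: $state"
    if [ "$state" != "encrypted" ]; then
        echo "  -> key is not pass-phrase protected; the file alone is enough to connect"
        rc=1
    fi
    if ! ovpn_private_perms "$f"; then
        echo "  -> file is accessible to group/others; chmod 600 it"
        rc=1
    fi
    return $rc
}

# Offline demonstration on a constructed profile (dummy key material).
demo() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/phone.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 11948
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END ENCRYPTED PRIVATE KEY-----
</key>
EOF
    chmod 644 "$dir/phone.ovpn"
    audit_ovpn "$dir/phone.ovpn" || echo "fix the findings above"
    chmod 600 "$dir/phone.ovpn"
    audit_ovpn "$dir/phone.ovpn" && echo "profile looks sane"
    rm -rf "$dir"
}
demo
```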

OpenVPN Clients

There are many OpenVPN clients to choose from. I use the official OpenVPN software for my Windows computer and my Android phone. I don’t own a Mac or an iPhone, so I cannot recommend anything on that end.

The OpenVPN client for Android can be found here. You can download the official client for Windows from the OpenVPN website here.

Options for Transferring your .OVPN file to your OpenVPN Client

You will need to transfer the .ovpn file you created in the previous step to your client. The client is the device which you will be using to connect to your Raspberry Pi VPN server. Your computer or phone can both be clients.

If your client will be a PC or Mac computer, then the easiest way to transfer your .ovpn file will be over FTP. You can download an FTP client like FileZilla to connect to your VPN server and transfer the .ovpn file. Once you transfer it you will need to import this file into your VPN client.

If your client is a phone like an Android or an iPhone, you have two options. You can either email the .ovpn file or you can transfer it using an SD card. If you email the file, remember to delete it from your email, since you want to keep this file a secret. If this file gets compromised, then the only thing stopping your Raspberry Pi VPN server from getting hacked is your pass phrase; that is why you need a strong pass phrase as well.

Port Forwarding on your Router

The final step you will want to do is to forward your Raspberry Pi’s VPN port on your router. The default port you need to forward will be 1194 unless you changed this port in the PiVPN setup. Google “port forwarding” and your router name to find out how to do this for your own router.


With PiVPN, setting up OpenVPN on the Raspberry Pi couldn’t have been easier. Having your own VPN server on the Raspberry Pi will definitely improve your privacy and online security when you are away from home. Setting up your own VPN server only takes a few minutes, and the step-by-step guide created by PiVPN is great.

The one thing I cannot stress enough is locking down your Raspberry Pi, because you will be exposing your Pi to the wider internet with the port forwarding. This may increase attacks on your network, and I recommend reading up on some basic steps you can take to improve the security of your Raspberry Pi and your network.


  • Kaladin

    January 22, 2017

    Great write-up, thanks! I will link to it from the pivpn site.
    Note, I notice you are installing with pi-hole. If you want vpn to use pi-hole DNS so you have ad blocking over vpn as well then this should be the only adjustment needed after pointing vpn to the pihole IP.

    • dayz

      January 22, 2017

      Great, I will update the guide with that information. Appreciate you linking to the guide.

    • Rick

      March 7, 2018

      At the select DNS portion you can also set custom and set to your pihole IP.

  • Jbo

    January 29, 2017

    Thanks a lot for this understandable guide – appreciate it.

  • Geekish

    February 11, 2017

    I can’t seem to get the thing working. My nerd mojo is failing me…

    • dayz

      February 11, 2017

      Are you getting any errors? What exactly is not working for you?

  • Geekish

    February 11, 2017

    I imported the .ovpn file.
    My name shows up on the client certificate, but the CA certificate says:
    121 months leftCN=ChangeMe

  • Paul Wächter

    February 12, 2017

    Nice tutorial…thanks for this post!!!!
    But I need another config. The install script takes another DNS, like Google or OpenDNS and so on. But I want to use my internal DNS server. I can only reach internal machines with their IP address. But I want to reach my internal machines by their NETBIOS names.
    How can I change them? Do you have any idea?

  • Geekish

    February 12, 2017

    It’s hard to be an old nerd-wanna be.
    6:53 PM TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

  • Makis

    February 23, 2017

    I installed pivpn on a Raspberry Pi 3 a few days ago and all was OK. But since yesterday I can connect to the VPN server from the client, but I have no internet and I can’t see my local network!
    Do you have any idea?


    • dayz

      February 24, 2017

      Verify that you are still connecting using the same Port that you used when you setup the VPN. Also make sure your router settings have not changed and you have setup your port forwarding correctly.

    • Felix Tremblay

      September 16, 2017

      Hi, I am currently experiencing the same issue. Do you know what fixed the issue for you?

  • Calanish

    February 27, 2017

    Great script! Thanks 🙂

    Any chance of adding v6 ? Specifically thinking of using it here: which is a RPI v6 only hosting service. They are also the people who host

    • dayz

      February 27, 2017

      Thanks. Check out the main PiVPN website at for IP6 support.

      I don’t see why it wouldn’t work now with IP6 as the Raspberry Pi is capable of communicating over IP6.

  • Serg

    March 3, 2017

    Thanks for the tutorial! One question, can I install the No-IP Dynamic Update Client on the same Raspberry Pi?

    • dayz

      March 3, 2017

      You should be able to, I don’t see why not. Give it a try and let me know, since I don’t have personal experience with No-IP.

  • Peter

    March 3, 2017

    Is there any way of having an OpenVPN client and server running on a Raspberry Pi at the same time?
    I really want to have my personal VPN running at my house while at the same time make the Raspberry pi act as a VPN gateway (connected to a private vpn provider)


    • dayz

      March 3, 2017

      You can most likely do something like this if you connect to another VPN with your router; that way your whole network is connected to another VPN, but I don’t see why you would need to do something like this outside of your network.

      Connecting to the Raspberry Pi VPN should connect you to your home network, if you are outside the house and have another VPN network that you usually connect to why not just connect to that VPN directly?

      • Peter

        March 5, 2017

        Connecting my network to another VPN with my router is not what I’m after, as I could also do that with two RPis, one acting as an OpenVPN client and the other as an OpenVPN server, and I’m trying to achieve this with only one RPi. I’d like to have my personal VPN running at my house so I have access to my security cameras and other internal devices when I’m away from home without having them directly exposed to the internet, and right now I’m using the RPi as a VPN gateway (with a paid VPN service provider) so when I’m at home I can watch US Netflix programming as well as many other US-restricted services. Thanks

  • Joe

    March 4, 2017

    Thank you for this! I tried using a Linux Mint machine to host OpenVPN and couldn’t get the thing to work. I could connect to the VPN just fine but couldn’t connect to websites or other internet resources.
    I used your method here on a Raspberry Pi 3 and it works perfectly! Nice work. I will be sharing this method with my students in my Tech Support classes at the college I teach at.

  • Horace

    April 1, 2017

    My open vpn connect app times out connecting. I’ve forwarded the port through my router but it seems my Pi is refusing connections.

    Open port test tool shows:
    Problem! I could not see your service on on port (1194).
    Reason: Connection refused.

    I’m guessing a firewall setting is incorrect here. Any hints appreciated!

    • dayz

      April 1, 2017

      Did you happen to use another port during setup?

      • Horace

        April 2, 2017

        Hi Dayz

        No I went with 1194 during setup and have gone back to check this. I’m wondering if there’s another firewall or service running but I don’t know how to check.

  • Kevin

    April 2, 2017

    Hello. I have followed the steps exactly and yet none of my machines can connect to the VPN. On Android I get an error. Openvpn core: PolarSSL: Error parsing config private key: PK- bad input parameters to function. Am I missing something?

    • Partha

      October 25, 2017

      Could you find the solution for this? Please let me know. I’m facing the same thing.

  • szabonandi

    April 4, 2017

    I followed your guide during the installation, but when I start up the daemon, it fails:

    pi@raspberrypi /var/log $ sudo service openvpn status
    [FAIL] VPN ‘server’ is not running … failed!
    pi@raspberrypi /var/log $

    The log file contains this line:

    pi@raspberrypi /var/log $ cat daemon.log | grep ovpn-server
    Apr 3 23:58:46 raspberrypi ovpn-server[29870]: Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/server.conf:28: tls-version-min (2.2.1)
    Apr 3 23:58:46 raspberrypi ovpn-server[29870]: Use –help for more information.

    I commented out the “tls-version-min 1.2” line in the “/etc/openvpn/server.conf” file. Then the daemon startup succeeded:

    pi@raspberrypi /var/log $ sudo service openvpn start
    [ ok ] Starting virtual private network daemon: server.

    According to the logfile the startup seems ok:

    pi@raspberrypi /var/log $ sudo cat openvpn.log
    Tue Apr 4 07:44:39 2017 OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
    Tue Apr 4 07:44:39 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
    Tue Apr 4 07:44:39 2017 NOTE: OpenVPN 2.1 requires ‘–script-security 2’ or higher to call user-defined scripts or executables
    Tue Apr 4 07:44:39 2017 Control Channel Authentication: using ‘/etc/openvpn/easy-rsa/pki/ta.key’ as a OpenVPN static key file
    Tue Apr 4 07:44:39 2017 TUN/TAP device tun0 opened
    Tue Apr 4 07:44:39 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Tue Apr 4 07:44:39 2017 /sbin/ifconfig tun0 netmask mtu 1500 broadcast
    Tue Apr 4 07:44:39 2017 GID set to nogroup
    Tue Apr 4 07:44:39 2017 UID set to nobody
    Tue Apr 4 07:44:39 2017 UDPv4 link local (bound): [undef]
    Tue Apr 4 07:44:39 2017 UDPv4 link remote: [undef]
    Tue Apr 4 07:44:39 2017 Initialization Sequence Completed

    But the connection from the client fails:

    Tue Apr 04 07:57:23 2017 OpenSSL: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
    Tue Apr 04 07:57:23 2017 TLS_ERROR: BIO read tls_read_plaintext error
    Tue Apr 04 07:57:23 2017 TLS Error: TLS object -> incoming plaintext read error
    Tue Apr 04 07:57:23 2017 TLS Error: TLS handshake failed
    Tue Apr 04 07:57:23 2017 SIGUSR1[soft,tls-error] received, process restarting

    What is wrong?

    • szabonandi

      April 4, 2017

      I found the solution:

      The client config file also has a “tls-version-min 1.2” line.
      By commenting this out, everything works fine.
      The connection is established.

  • Patrick

    April 4, 2017

    Thanks for your tutorial, it is very well documented !!
    I’ve installed PiVpn without any problem on my RPI3.
    After that, I’ve inserted an entry ‘Port forwarding’ of my router, redirecting the port to my RPI3 IP with the port I’ve defined on the installation (11948).
    Then, I’ve installed OpenVpn on my Laptop (with windows 7). I’ve started it as administrator and get a configuration file (ovpn file) generated by ‘pivpn add’.
    I’ve started the connection to my vpn server (on my RPI3) without errors.
    In order to see if the whole installation is correct, I’ve opened the web page to see if my IP is hidden.
    From home, location of my RPI3, I can see my physical IP instead of the hidden IP.
    From outside, I can see the IP of my home and not the hidden IP.
    I don’t understand…

    Find below the log of the OpenVpn connection (I’ve hidden my IP with for confidentiality) :

    Tue Apr 04 06:01:31 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
    Tue Apr 04 06:01:31 2017 Windows version 6.1 (Windows 7) 64bit
    Tue Apr 04 06:01:31 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
    Enter Management Password:
    Tue Apr 04 06:01:32 2017 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
    Tue Apr 04 06:01:32 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]:11948
    Tue Apr 04 06:01:32 2017 UDP link local: (not bound)
    Tue Apr 04 06:01:32 2017 UDP link remote: [AF_INET]:11948
    Tue Apr 04 06:01:32 2017 [server] Peer Connection Initiated with [AF_INET]:11948
    Tue Apr 04 06:01:33 2017 open_tun
    Tue Apr 04 06:01:33 2017 TAP-WIN32 device [Connexion au réseau local] opened: \\.\Global\{9D233730-585B-4921-A991-3E8D0D49B3DE}.tap
    Tue Apr 04 06:01:33 2017 Set TAP-Windows TUN subnet mode network/local/netmask = [SUCCEEDED]
    Tue Apr 04 06:01:33 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of on interface {9D233730-585B-4921-A991-3E8D0D49B3DE} [DHCP-serv:, lease-time: 31536000]
    Tue Apr 04 06:01:33 2017 Successful ARP Flush on interface [25] {9D233730-585B-4921-A991-3E8D0D49B3DE}
    Tue Apr 04 06:01:33 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Tue Apr 04 06:01:38 2017 Initialization Sequence Completed

    Do you have an idea ?
    Thanks in advance for your answers.

    • dayz

      April 4, 2017

      From home, location of my RPI3, I can see my physical IP instead of the hidden IP.
      From outside, I can see the IP of my home and not the hidden IP.

      This is exactly what I would expect with my guide. Everything is running correctly.

      What you just created is a VPN server using your Raspberry Pi as a server on your network. What this means is that when you are at home on your network everything will look as if you are at home. Now if you leave your house and VPN to your home network you will not have a secured and encrypted connection back to your house. Everything will appear on your phone as if you are at home, even though you are not.

      Now if you want your home network to have a different IP address you would need to connect to a VPN server outside of your house. That is where you would need to pay for a VPN service, or you can even set up a Raspberry Pi VPN server at a friend’s house and connect to his Raspberry Pi over an encrypted connection, and that would hide your location as well.

      • Patrick

        April 4, 2017

        Ok Dayz, I understand…
        I was a little confused because on a forum they said that opening, it was expected to have a different IP from the home IP, something like
        But your explanation is very logical.

        I’ve got another question but as it is not related to a bug I will not be offended if you do not answer…
        I’ve got a printer which is connected through wifi to the home network. I know that is possible to print something on it from outside through a VPN.
        Can you tell me how ?
        I’m pretty sure that it’s easy but I cannot succeed…

      • Jon

        October 25, 2017

        Quote “Now if you leave your house and VPN to your home network you will not have a secured and encrypted connection back to your house.”

        Is this correct? I thought the whole point was that you would have a secured connection.

  • Jack

    April 11, 2017

    Is this supposed to work on a Raspberry Pi 2? I followed all the instructions but keep getting this log when trying to connect:

    Tue Apr 11 18:19:48 2017 OpenVPN 2.4.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 22 2017
    Tue Apr 11 18:19:48 2017 Windows version 6.2 (Windows 8 or greater) 64bit
    Tue Apr 11 18:19:48 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
    Tue Apr 11 18:19:48 2017 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
    Tue Apr 11 18:19:49 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]
    Tue Apr 11 18:19:49 2017 UDP link local: (not bound)
    Tue Apr 11 18:19:49 2017 UDP link remote: [AF_INET]
    Tue Apr 11 18:20:49 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Apr 11 18:20:49 2017 TLS Error: TLS handshake failed
    Tue Apr 11 18:20:49 2017 SIGUSR1[soft,tls-error] received, process restarting
    Tue Apr 11 18:20:54 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]
    Tue Apr 11 18:20:54 2017 UDP link local: (not bound)
    Tue Apr 11 18:20:54 2017 UDP link remote: [AF_INET]
    Tue Apr 11 18:21:54 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Apr 11 18:21:54 2017 TLS Error: TLS handshake failed
    Tue Apr 11 18:21:54 2017 SIGUSR1[soft,tls-error] received, process restarting
    Tue Apr 11 18:21:59 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]
    Tue Apr 11 18:21:59 2017 UDP link local: (not bound)
    Tue Apr 11 18:21:59 2017 UDP link remote: [AF_INET]

    • dayz

      April 11, 2017

      It looks like you are using port 11948, did you make sure to port forward that port on your router to your Raspberry Pi?

      • Jack

        April 12, 2017

        Yes I configured port 11948 to be forwarded to my Pi.

        • Joshoua

          July 1, 2017

          Jack, did you try to connect to your VPN from outside your network? I got the same errors and it finally hit me that VPNs work over the Internet. So if you have a smartphone you can use the mobile internet connection to test if your VPN connection is working by downloading the OpenVPN GUI client and using the profile you made, and/or you can test it by using someone else’s Internet connection, like a friend’s or family member’s, and then connect to your server. From my understanding, VPNs work by tunneling through the Internet, so it probably won’t work if you are trying to connect to your VPN server from inside your own network.

          • proxy

            May 17, 2018

            Actually, you can test from inside your home network.

            Within the *.ovpn file that you generate for a client there is the line “remote ip-address 1194”; it’s near the top of that file.

            Now if you have given your RPi a static IP address, just substitute the RPi’s static IP address for the IP address.

            So “remote 1194″ would become ” remote 1194″ ( that is if your pi’s ip address is

            Personally I just comment the line out with a # and place a new line with the new info below.

            I would then test with Wireshark. But another way I have found is to go to a non-HTTPS site to see if you get a blank or error page. If you do, it’s working.

  • Will

    July 24, 2017

    I got stuck on this step:

    ‘Options for Transferring your .OVPN file to your OpenVPN Client’

    Also what is up with this client….it’s charging $6 a month. What’s the point of having a raspberry pi as the VPN server if I have to pay?

  • John

    July 25, 2017

    Great article, I followed it and it worked (mostly)!

    I successfully installed OpenVPN server on my Raspberry Pi, I then created a user and exported the OVPN file. From my remote/client location, I installed the OVPN on my Mac in Tunnelblick and was able to successfully connect to my home network / OPENVPN server. Success!

    When I used the same OVPN on my GL-AR150 travel router, I get a password error.

    Log Error: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd – can’t ask for ‘Enter Private Key Password:’

    My travelrouter is using a DD-WRT firmware version. Any easy solutions? Perhaps I need to build an OVPN without a password requirement?

    • John

      July 25, 2017

      Answered my own question. Should have googled better.

      If you need to create a client certificate that is not password protected (IE for use on a router), then you can use the ‘pivpn add nopass’ option to generate that.

  • Egon

    August 1, 2017

    This solves my question of how to set up a Pi server, but is there an equally easy solution for a Pi client? I want to connect to my home network with a device incapable of installing OpenVPN and loading keys. Ideally, I’d like to load the client on another Pi that bridges the ethernet and wi-fi to connect my client-side device to the VPN at all times. Is it as simple as installing the Ubuntu based OpenVPN client on a Pi running Raspbian and bridging the ethernet and wi-fi?

  • Gordon

    October 5, 2017

    Can the PiVPN be customized to provide layer-2 connectivity rather than the normal layer-3, I didn’t see this in the install snapshots?

  • Siamak

    October 22, 2017

    Hi All,
    I have used PiVPN to set up my home VPN server; it worked like a charm for a few days and then stopped.

    Looked into the router and it was not showing my Raspberry Pi.
    The router is a Plusnet Hub One. While installing, the IP was there, and when I did the port forwarding it was there too; a few days later it disappeared altogether. The strange thing is that I can use PuTTY to connect to the Pi but not via the VPN connection, so is Plusnet stopping VPN servers?
    I have run out of options except changing provider????!!!

  • Thomas6

    November 18, 2017


    very nice tutorial, still up-to-date, using Raspberry PI and latest Stretch Lite.
    But I’m stuck for hours on generating the key (where you said it should only need 3 minutes),

    Looking at what happened just before on ssh :
    writing new private key to ‘/etc/openvpn/easy-rsa/pki/private/server_Q9FGeb1GhmW7Eujs.key.KiEarj7hze’
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
    Can’t open /etc/openvpn/easy-rsa/pki/index.txt.attr for reading, No such file or directory
    1996330400:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen(‘/etc/openvpn/easy-rsa/pki/index.txt.attr’,’r’)
    1996330400:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
    Check that the request matches the signature”…

    Any idea on how to adapt the script ?

    thanks a lot

    • Thomas6

      November 18, 2017

      and obviously generating a client does something erratic :-/

      pi@raspberrypi:~ $ pivpn add
      cat: /etc/pivpn/INSTALL_USER: No such file or directory
      Enter a Name for the Client: pi2
      Enter the password for the client:
      Enter the password again to verify:
      spawn ./easyrsa build-client-full pi2

      Note: using Easy-RSA configuration from: ./vars
      rand: Use -help for summary.
      Generating a 2048 bit RSA private key
      writing new private key to ‘/etc/openvpn/easy-rsa/pki/private/pi2.key.vR4zLlCwA4′
      Enter PEM pass phrase:
      Verifying – Enter PEM pass phrase:
      Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
      Check that the request matches the signature
      Signature ok
      The Subject’s Distinguished Name is as follows
      commonName :ASN.1 12:’pi2’
      Certificate is to be certified until Nov 16 22:42:57 2027 GMT (3650 days)

      Write out database with 1 new entries
      Data Base Updated
      Client’s cert found: pi2.crt
      Client’s Private Key found: pi2.key
      CA public Key found: ca.crt
      tls-auth Private Key found: ta.key
      cat: Default.txt: No such file or directory
      cp: cannot create regular file ‘/home//ovpns/pi2.ovpn’: No such file or directory
      chown: cannot access ‘/home//ovpns/pi2.ovpn’: No such file or directory

      Done! pi2.ovpn successfully created!

  • Stan

    January 6, 2018

    Many thanks for the guide. Really easy enough!
    I have set up all sorts of VPNs but this one was by very far the easiest.

  • James Horn

    January 14, 2018

    I was wondering if someone might be able to assist. After installing pivpn I was trying to create a client ovpn profile and it appears I might have messed up SSL, in that when I was trying to create the profile I got the error:
    pi@HornDNS:~ $ sudo pivpn -a nopass
    cat: /etc/pivpn/INSTALL_USER: No such file or directory
    Enter a Name for the Client: HornDell
    /opt/pivpn/ line 165: /etc/openvpn/easy-rsa/pki/index.txt: No such file or directory
    spawn ./easyrsa build-client-full HornDell nopass

    Note: using Easy-RSA configuration from: ./vars

    Easy-RSA error:

    Missing expected directory: private (perhaps you need to run init-pki?)
    Run easyrsa without commands for usage and command help.
    [ERROR]: Client Public Key Certificate not found: HornDell.crt

    Any help will be greatly appreciated.

    The debug information:
    pi@HornDNS:~ $ cat /tmp/debug.txt
    ::: :::
    :: PiVPN Debug ::
    ::: :::
    :: Latest Commit ::
    ::: :::
    commit 72b3dc24e7959e61e0233f2fde278bfc6498c114
    Merge: 041d410 4e814fc
    Author: redfast00
    Date: Fri Dec 22 12:51:48 2017 +0100

    Merge pull request #432 from pivpn/cfcolaco-Patch

    Updated Issue Template
    ::: :::
    :: Recursive list of files in ::
    :: /etc/openvpn/easy-rsa/pki ::
    ::: :::
    ::: :::
    :: Output of /etc/pivpn/* ::
    ::: :::
    :: START /etc/pivpn/INSTALL_PORT ::
    :: END /etc/pivpn/INSTALL_PORT ::
    :: START /etc/pivpn/INSTALL_PROTO ::
    :: END /etc/pivpn/INSTALL_PROTO ::
    :: START /etc/pivpn/pivpnINTERFACE ::
    :: END /etc/pivpn/pivpnINTERFACE ::
    ::: :::
    :: /etc/openvpn/easy-rsa/pki/Default.txt ::
    ::: :::
    ::: :::
    :: Debug Output Complete ::
    ::: :::

  • Roberto

    May 26, 2018

    Hi, I’m happy because I have a VPN server, THANKS so much!
    But I have a question… When I’m outside my network and I connect my phone with the VPN client app, the connection is OK, but what is the internet speed? Is it the upload speed from my home router?

    • dayz

      August 27, 2018

      Might be a little slower depending on your network speeds and data speeds

  • John Rose

    July 3, 2018

    Install Ok. Import of ovpn file Ok. Running OpenVPN Connect on Android 7 phone gave “EVENT WAIT”. Similarly, running OpenVPN for Android on that phone gave “Server waiting for reply”.
    /var/log/ufw.log has repeatedly:
    Jul 3 08:54:44 raspberrypi kernel: [51090.304176] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:af:16:2f:b0:7f:b9:14:cb:88:08:00:45:00:00:52:16:cc:40:00:3f:11:bc:63 SRC=i.j.k.l DST=a.b.c.d LEN=82 TOS=0x00 PREC=0x00 TTL=63 ID=5836 DF PROTO=UDP SPT=37379 DPT=11948 LEN=62
    where i.j.k.l is the correct internet IP address and a.b.c.d is the correct NAT address of my Pi.
    I used 11948 udp as port/protocol as per instructions. I don’t understand where SPT’s value of 37379 comes from. Please explain.
    BTW it took over 30 minutes to generate 2048 key on Pi 3.
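Added example (not part of the comment above, and not PiVPN's own code): an awk filter for `/var/log/ufw.log` that counts `[UFW BLOCK]` entries aimed at the VPN listener and how many distinct source ports each client used. `SPT` is the sender's source port, chosen by the client's OS or rewritten by a NAT on the path, so it varies between attempts while `DPT` stays at the server port. The log lines are constructed with documentation-range addresses, and the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: which blocked packets were aimed at the OpenVPN port?

# Constructed sample of /var/log/ufw.log (addresses from documentation ranges).
sample_ufw_log() {
  cat <<'EOF'
Jul  3 08:54:44 raspberrypi kernel: [51090.304176] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=192.168.1.20 LEN=82 TOS=0x00 PREC=0x00 TTL=63 ID=5836 DF PROTO=UDP SPT=37379 DPT=11948 LEN=62
Jul  3 08:54:46 raspberrypi kernel: [51092.310201] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=192.168.1.20 LEN=82 TOS=0x00 PREC=0x00 TTL=63 ID=5837 DF PROTO=UDP SPT=37379 DPT=11948 LEN=62
Jul  3 08:55:02 raspberrypi kernel: [51108.120044] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=192.168.1.20 LEN=82 TOS=0x00 PREC=0x00 TTL=63 ID=5901 DF PROTO=UDP SPT=41002 DPT=11948 LEN=62
Jul  3 08:55:09 raspberrypi kernel: [51115.000310] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.9 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  3 08:55:10 raspberrypi sshd[812]: Accepted publickey for pi from 192.168.1.5 port 50122 ssh2
Jul  3 08:55:31 raspberrypi kernel: [51137.450912] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.23 DST=192.168.1.20 LEN=82 TOS=0x00 PREC=0x00 TTL=58 ID=771 DF PROTO=UDP SPT=50000 DPT=11948 LEN=62
Jul  3 08:56:02 raspberrypi kernel: [51168.009118] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.50 DST=192.168.1.20 LEN=82 TOS=0x00 PREC=0x00 TTL=60 ID=902 DF PROTO=UDP SPT=44444 DPT=1194 LEN=62
EOF
}

# blocked_vpn_hits PORT PROTO   (ufw.log lines on stdin)
# Prints one line per source: "SRC blocked_packets distinct_source_ports".
blocked_vpn_hits() {
  awk -v port="$1" -v proto="$2" '
    /\[UFW BLOCK\]/ {
      split("", f)                      # reset the key=value map for this line
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq > 1) {
          key = substr($i, 1, eq - 1)
          # keep the first occurrence: LEN= appears twice (IP, then UDP)
          if (!(key in f)) f[key] = substr($i, eq + 1)
        }
      }
      if (f["PROTO"] != toupper(proto) || f["DPT"] != port) next
      hits[f["SRC"]]++
      if (!((f["SRC"], f["SPT"]) in seen)) {
        seen[f["SRC"], f["SPT"]] = 1
        ports[f["SRC"]]++
      }
    }
    END { for (s in hits) print s, hits[s], ports[s] }
  ' | sort
}

# Demo on the constructed sample; on a Pi, feed /var/log/ufw.log instead.
sample_ufw_log | blocked_vpn_hits 11948 udp
```

Any output for the port and protocol chosen at install time means UFW has no allow rule for the listener; `sudo ufw allow 11948/udp` adds one for the port used in the comment above.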

  • Evrpidis

    August 3, 2018

    I followed your guide, which worked fine, but I have a little problem.
    I can only connect to the VPN from one device at a time; if I try to connect from another device it disconnects the first device (it doesn’t actually disconnect it but it stops working with the VPN). If I leave only one device it works great.
    I tried to add another user but it always asks for the password, which I am sure I give it correctly.

  • CqC

    August 5, 2018


    Thank you for this very well written, precise documentation and your efforts!

    I am new to VPN and need a couple more clarifications. I have read through the whole thread here; perhaps I missed it…

    First, this thread started a long while ago. My current Rpi3 is running:
    Raspbian GNU/Linux 8 (jessie) (with recent update)
    4.14.59-v7+ #1131 SMP armv7l GNU/Linux NOOBIAN

    1. Will this process still work with my above version?

    2. Not quite clear to me the exact use case of this vpn installation. Is it for
    A. Accessing the local network which the rpi3 is connected to, or the rpi3 itself, from outside networks securely through vpn?
    B. To access the general internet from my Android phone thru public wifi, but securely through vpn? Just like some of the publicly available free vpn servers, but using my own more secure/private vpn server (vs the public vpn server organization logging or snooping on my usage) .

    My desired use case is B. If it can do both A and B, is there an optional way of closing off or disabling case A?

    3. After having installed and tried (say successfully or otherwise) is there a way to fully uninstall all the stuff installed thru this process?

    Any help is highly appreciated!

  • Eulalia

    November 5, 2018


    Just trying to install the PiVPN onto a RPi3 running already Pi-Hole. When installing the PiVPN with

    curl -L | bash

    things are ok until it comes to encryption. Here I have an important difference:

    Choose your desired level of encryption (press space to select):
    This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA.

    │ ( ) 256 Use 256-bit encryption (recommended level) │
    │ ( ) 384 Use 384-bit encryption │
    │ ( ) 521 Use 521-bit encryption (paranoid level) │

    Weird figures, and so incredibly low. Everywhere I read it takes quite some time to get the keys, but it takes only seconds on my RaspberryPi 3 to get the 521-bit keys. Is this really secure or am I missing something?

  • John

    April 23, 2019

    Great post that, following various issues, I got working (router based). Only question: now that I have configured port forwarding and aligned my public IP to an address, I am able to access my router GUI through the open web, without VPN enabled. This makes it open to ANYONE navigating to the address.

    Less a very strong Admin password, is there any way I am able to safeguard this and prevent access completely through the WWW to my router?

  • josh

    August 25, 2019

    Just want to understand one thing. Did you run this on the same Raspberry Pi that you run Pi-Hole on? Not sure that the security of running your internal DNS and possibly DHCP server with VPN open to the internet is safe.

  • James

    September 9, 2019

    I’ve been trying to install openvpn on my ancient Pi for years and have finally succeeded using your script! Thank you.

    The only difficulty I encountered stems from the fact I have a dynamic IP address from my internet service provider and have to use NOIP to create a static one. However your script does not allow you to use the NOIP fixed address in the fixed domain option (doesn’t recognise it as a valid domain) and if you use the various ddns options (I wasn’t sure which to use as NOIP was not an option) the OVPN certificate instructs the client to use the IP address as of the date of installation, which works initially then stops when the IP address changes. I have found a work around which is to edit the OVPN client file to point it to the NOIP fixed address rather than the old IP address but this feels like cheating. Any suggestions for a more elegant solution?

  • Andy

    October 3, 2019

    Is it fast enough to use a single GbE port RPi 3B+ as vpn server at home? I am assuming if I wanna connect from anywhere to Pi VPN at home, the network will tunnel through my Router via LAN to Pi VPN, then from Pi VPN to go back to Router via LAN to go to internet, am I correct?

    • dayz

      December 15, 2019

      Yes, it’s fast enough

  • Christopher Bedford

    December 2, 2019

    Hey – Well done on a good write-up.

    I’d add that at the step “Select the DNS Provider for your VPN Clients” it is important to note that if your VPN clients need to access the LAN that the Pi is on, you *must* select “Custom” and enter your LAN’s DNS server IP (for most home users, this is going to be their DSL or fibre router).

    (Incidentally, why would anyone *not* want to access the local LAN? To my mind, what other reason is there to have a VPN linking into your home LAN? Your client PCs are *already on* the Internet, so what value is there in only providing them with Internet connectivity from the VPN… I just don’t get it.)

    OK, so I have everything working, after spending some time fiddling with my router firewall & NAT (port redirection) settings, and my OpenVPN client PC connects quickly and I’m on line. I can ping the LAN, I can NSLookup (it tells me it is correctly using the LAN DNS server as described in para 1), I can access Internet web sites.

    But I can’t browse the LAN and the whole point of getting connected (in my case) is to be able to access local PCs as file and application servers; when I try that I get “Windows cannot access \\{servername} – Check the spelling of the name, Otherwise, there might be a problem […blah blah blah]”. I then click the [Diagnose] button and after a few seconds of “Detecting problems”, “Troubleshooting couldn’t identify the problem”.

    Since DNS is obviously passing fine over the VPN connection, can it be that other protocols (like NETBIOS) are not? Do I defs not need TCP? Or am I barking up the wrong tree?

  • Robbert

    February 26, 2020

    Great read! Thanks for sharing.
    However I have one comment, I’d stick to the ‘VPN Defaults’, since public spaces often block all ports except for known ones (like HTTP(S), VPN, (S)FTP etc).

  • thewhiteoak

    July 26, 2020

    Hi, thanks for such a great guide. I need some help making my Pi run under just my home network only. My ISP providers use double CG-NAT, so port forwarding is not an option. I need it to work just inside my home network anyway. So please help me set up!

    I edited the line remote and set it to the RPi’s local IP address. OpenVPN on Windows successfully connected to it, but I couldn’t access the internet.

