Lazy command list to install openvpn server on raspberry pi

# Based upon these blogs 
http://wingloon.com/2012/05/25/how-to-install-setup-openvpn-on-debian-6-0-squeeze-with-certificate-authentication/

http://www.serverubuntu.it/openvpn-bridge-configuration

# Using SD card with "2012-08-08-wheezy-armel"
# Remember you gotta do port forwarding, not covered in this post
# Let's get started, starting with an updated installation
sudo apt-get update

# Now install openvpn
sudo apt-get install openvpn -y
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/

# You can put whatever you like in the vars file, it does not need to be accurate data,
# just don't leave anything blank.
# It will work even if you leave everything as it is, including the fields that say "changeme"
nano /etc/openvpn/easy-rsa/vars

# Now build certs and keys for server and client
# TIP: answer yes to Sign the certificate? [y/n]:y
# TIP: 1 out of 1 certificate requests certified, commit? [y/n]y
# leave everything else default, just keep pressing return

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key clientpi

cd /etc/openvpn/easy-rsa/keys
sudo cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
sudo mkdir $HOME/openvpn-client-files
sudo cp ca.crt clientpi.crt clientpi.key $HOME/openvpn-client-files
sudo mv $HOME/openvpn-client-files/ca.crt $HOME/openvpn-client-files/capi.crt
sudo chmod +r $HOME/openvpn-client-files/clientpi.key
sudo openvpn --genkey --secret /etc/openvpn/tapi.key
sudo cp /etc/openvpn/tapi.key $HOME/openvpn-client-files
sudo chmod +r $HOME/openvpn-client-files/tapi.key

# Now we create the OpenVPN client configuration on the Raspberry PI
# You could create this file on the Windows client PC if you want, which might be better:
# remember that files created in Linux and transferred to Windows will be missing CRLF line endings,
# so if you want to edit it later on Windows it will appear as one long line.
# We just do it on the Raspberry PI to group the 5 client files together

cd $HOME/openvpn-client-files/
sudo chown -R $USER $HOME/openvpn-client-files/
sudo nano $HOME/openvpn-client-files/raspberry.ovpn

client
dev tun
proto tcp
remote change_this_to_your_server_IP_address 34567
resolv-retry infinite
nobind
persist-key
persist-tun
ca capi.crt
cert clientpi.crt
key clientpi.key
tls-auth tapi.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3

# Nano editor TIP: CTRL+o writeout, in other words save the file
# CTRL+x exit

# Now, copy the 5 client files in the $HOME/openvpn-client-files directory to the client PC
# TIP: for a Windows 7 client using WinSCP, due to write permissions
# I had to copy the whole directory to C:\openvpn-client-files
# then, in Windows, copy the files
#
# clientpi.key
# capi.crt
# clientpi.crt
# tapi.key
# raspberry.ovpn
#
# to C:\Program Files (x86)\OpenVPN\config
# windows 32bit will have a different OpenVPN directory
# C:\Program Files\OpenVPN\config

# Back on the Raspberry PI, now we create the file for the server config
# Below is my OpenVPN server configuration, saved as /etc/openvpn/server.conf
sudo nano /etc/openvpn/server.conf

port 34567
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth tapi.key 0
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
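# Added example (not from the original post): a small Python checker that parses trimmed,
# constructed copies of the client .ovpn and server.conf above and reports the settings
# OpenVPN needs to agree on (proto, dev, cipher, comp-lzo, tls-auth key direction 0/1,
# remote port vs server port). It also flags the unchanged
# "change_this_to_your_server_IP_address" placeholder in the client file.

```python
# Constructed copies of the two configs above (push/status/user lines omitted)
SERVER_CONF = """\
port 34567
proto tcp
dev tun
tls-auth tapi.key 0
cipher AES-256-CBC
comp-lzo
"""
CLIENT_OVPN = """\
client
dev tun
proto tcp
remote change_this_to_your_server_IP_address 34567
tls-auth tapi.key 1
cipher AES-256-CBC
comp-lzo
"""

def parse(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def check_pair(server_text, client_text):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    for key in ("proto", "dev", "cipher"):
        if s.get(key) != c.get(key):
            problems.append(f"{key} differs: server {s.get(key)} vs client {c.get(key)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo is set on only one side")
    # tls-auth takes a direction flag: 0 on the server and 1 on the client
    if s.get("tls-auth", [])[1:] != ["0"] or c.get("tls-auth", [])[1:] != ["1"]:
        problems.append("tls-auth key direction must be 0 on server and 1 on client")
    # the port on the client's remote line must be the port the server listens on
    server_port = s.get("port", ["1194"])[0]          # 1194 is OpenVPN's default
    remote = c.get("remote", [])
    client_port = remote[1] if len(remote) > 1 else "1194"
    if client_port != server_port:
        problems.append(f"client connects to port {client_port}, server listens on {server_port}")
    if not remote or remote[0].startswith("change_this"):
        problems.append("remote still holds the placeholder server address")
    return problems
```

Run check_pair(SERVER_CONF, CLIENT_OVPN) after editing the remote line; an empty list means the two files match.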

# uncomment this line to enable IP forwarding, so client traffic can be routed out through the Pi
sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

# Make file for firewall setting
sudo nano /usr/local/bin/firewall.sh

#!/bin/bash
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE

# Make firewall script file executable
sudo chmod +x /usr/local/bin/firewall.sh

# run firewall
sudo /usr/local/bin/firewall.sh

# check firewall
sudo iptables --list

# add a new text line /usr/local/bin/firewall.sh into the file /etc/rc.local
# before 'exit 0' to ensure the iptables rules are created on every reboot or power up.
sudo nano /etc/rc.local

/usr/local/bin/firewall.sh

# reboot the pi
sudo reboot

# When finished, for security reasons, make the directory $HOME/openvpn-client-files/
# readable only by its owner (it was chowned to $USER above; root can still read it)
sudo chmod 600 $HOME/openvpn-client-files/
# Later, if you want to copy client files again
sudo chmod +rx $HOME/openvpn-client-files/

# Connect the VPN client from a remote location.
# It does not work when client and server are connected
# to the same router and you try the external IP address.
# If you want to do a local test at home,
# connect to the local IP address of the server, e.g. 192.168.1.4.
# When you go to your remote location, connect to the no-ip address or the external static IP

# check the VPN is working by checking that your IP address
# changes after you connect: http://ipchicken.com/


# Extra: If you want to put the certs and keys inline, within the client script
# see http://pastebin.com/TAu3T7JX#
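# Added example (not from the original post): a Python function that folds the 4 cert/key
# files into the client .ovpn as <ca>/<cert>/<key>/<tls-auth> blocks, the inline form the
# pastebin link refers to (the same job the merge.sh mentioned in the comments below does).
# The PEM contents here are constructed placeholders; on a real setup read the files
# from $HOME/openvpn-client-files instead.

```python
# Constructed stand-ins for the real PEM files (placeholders, not real keys)
FILES = {
    "capi.crt": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "clientpi.crt": "-----BEGIN CERTIFICATE-----\nCLIENT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "clientpi.key": "-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "tapi.key": "-----BEGIN OpenVPN Static key V1-----\nTA-PLACEHOLDER\n-----END OpenVPN Static key V1-----\n",
}
# Trimmed copy of the raspberry.ovpn above
CLIENT_OVPN = """\
client
dev tun
proto tcp
remote change_this_to_your_server_IP_address 34567
ca capi.crt
cert clientpi.crt
key clientpi.key
tls-auth tapi.key 1
cipher AES-256-CBC
verb 3
"""

INLINE = {"ca", "cert", "key", "tls-auth"}  # directives OpenVPN accepts as inline blocks

def inline_config(ovpn_text, files):
    """Return ovpn_text with each file-referencing directive turned into a
    <tag>...</tag> block; the tls-auth direction becomes a key-direction line."""
    out, blocks = [], []
    for line in ovpn_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in INLINE:
            out.append(line)            # every other directive is kept as-is
            continue
        name, fname = parts[0], parts[1]
        pem = files[fname].strip()
        if not pem.startswith("-----BEGIN"):
            raise ValueError(f"{fname} does not look like a PEM file")
        if name == "tls-auth" and len(parts) > 2:
            out.append(f"key-direction {parts[2]}")  # the 1 from "tls-auth tapi.key 1"
        blocks.append(f"<{name}>\n{pem}\n</{name}>")
    return "\n".join(out + blocks) + "\n"
```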


5 thoughts on "Lazy command list to install openvpn server on raspberry pi"

  1. Hello

    Without VPN I have connected RDP from Win 7 to RASPI (Wheezy) without problem over 192.168.1.xx.

    Now I have implemented the OPENVPN connection with your nice tutorial and it is connected on IP 10.8.0.6 successfully. When I connect RDP from Win 7 to RASPI over 10.8.0.6 with the active VPN , then I don’t get it connected.

    What might be wrong?
    Kind Regards
    RPI_Beginner

  2. Hi,

    Thanks for this tut/command list.
    I am able to connect to the vpn but I am no longer able to connect through the internet (should be via the vpn tunnel right?). Is this client or server related?

  3. Thanks for this. I have tried about three times to do this using different tutorials but this is the only one I have found which works first time. It might be worth adding instructions as to how to connect to the VPN using ipad/iphone for those of us wanting to receive our home content whilst abroad. I couldn’t get the native VPN setting on my iPhone to work as it a) wouldn’t accept certificates and b) asked for a “secret” which this system doesn’t generate. However if you use the OpenVPN app you can import the certificates via iTunes and this worked a treat with auto configuration.

    My other problem, as a Mac user, is that the folder containing the certificates appeared in the AFP share for my home directory as a Unix executable file rather than a folder and consequently I couldn’t get to the 5 files inside. The workaround was to copy each of the files individually using the Raspberry command line to a USB drive mounted on the Raspberry and shared on my Mac using AFP. For some reason when I tried to copy them to my Raspberry home directory they were invisible on my Mac.

    Might also be worth mentioning that as well as needing port forwarding, if your ISP gives you a dynamic external IP address you’ll need to use something like DNSDynamic and a dynamic update client such as ddclient. I’m sure that’s obvious to all you old hands out there but to a newbie like me it needs pointing out!

    Again many thanks and I look forward to being able to get my favourite BBC iPlayer when abroad now.

    • thanks for the kind comments,
      In a later post https://tryapi.wordpress.com/2014/02/26/howto-openvpn-server-using-easy-rsa3-to-create-keys-and-certs/

      I merge the keys and certs into the client script,
      so it's only 1 file, to make it easier to handle.
      Would this help you?
      For phone, I use android myself, and ssh tunnel to the raspberry PI
      I know, I know.. should go apple…

      # Now merge certs and keys into client script, so we only have one file to handle
      cd $HOME/clientside/
      wget http://pastebin.com/raw.php?i=QNdKuPdf -O merge.sh
      sudo chmod +x merge.sh
      sudo ./merge.sh
      sudo chown $USER $HOME/clientside/raspberrypi.ovpn

      #====================================================
      # merge.sh works as long as the names of the certs, keys and client ovpn script are as follows
      #
      # ca="ca.crt"
      # cert="client1.crt"
      # key="client1.key"
      # tlsauth="ta.key"
      # ovpndest="raspberrypi.ovpn"

      • Thanks. I think this could be useful if I change phones but as it all seems to be working perfectly using the OpenVPN apps, now successfully installed on both my iPad and iPhone (bit of an Apple tart here) I think I’ll quit whilst I’m winning!
