Server – Recipe of Pi

OpenVPN was the first project I achieved on my Raspberry Pi. It is, actually, the reason why I bought my Pi. This is also the first tutorial on server application.

First, we need to enter root user and install OpenVPN server:

sudo su
apt-get install openvpn

The reason for using root user instead of sudo is, there are some command we can’t use sudo, e.g. sudo cd /etc would not work.

Then we need to copy EasyRSA sample file to /etc/openvpn:

cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/easy-rsa

And edit setting parameter of EasyRSA:

cd /etc/openvpn/easy-rsa
nano vars

There are a few lines we need to change:

export EASY_RSA=”~~`pwd`~~ /etc/openvpn/easy-rsa”
export KEY_SIZE=~~1024~~ 2048
export CA_EXPIRE=~~3650~~ 730
export KEY_EXPIRE=~~3650~~ 365

The first line is to specify where the keys are stored. Then the length of the key, 2048 bits are a lot safer than initial 1024 bits. The third and fourth lines are the expiration date from issue, initial it’s 3650 days (10 years) but shorter is safer. These two lines can be changed to your preferences.

The next few lines need to be changed to your own information:

export KEY_COUNTRY
export KEY_PROVINCE
export KEY_CITY
export KEY_ORG
export KEY_EMAIL
export KEY_OU (can be blank)

Save and exit nano.

Then we need to configure OpenVPN config file. Download the files below and copy them to /etc/openvpn:

Server Config
Client Config

We need to edit config files to tell OpenVPN some settings and where all the keys are:

nano server.conf client.conf

For server.conf, replace the <Server Name> to your own server name. This can be whatever you like but we need it next step.

For client.conf, replace the <Server Address> to your static IP address or domain name.

If you like to know all the lines are about, visit https://openvpn.net/index.php/open-source/documentation/howto.html#server. If you decide to change the protocol or port number, remember to update both config files.

Save and exit nano.

Next we need to generate some keys. Here are two scripts I use for one click generate.

OpenVPN Server Key
OpenVPN Client Key

Download the two files and copy them to /etc/openvpn/easy-rsa, then change the owner and permission:

chown root:root build-server build-client
chmod 755 build-server build client

Then we can run it and generate the keys in one click:

./build-server <Server Name>
./build-client <Client Name> <Password>

Note we need one client key per client. The same key can be used on multiple devices. Challenge Password must be blank.

Then we need to copy the client file to your client device and connect. The config file ends with ovpn. This can be done via scp, ftp or email. Or, I made a website for downloading config files.

OpenVPN client for can be downloaded at:

Then open the ovpn file on the client and enter your passphase to connect.

Now you should be able to connect to the VPN but you cannot do anything on the internet, because we need to forward VPN connection to ethernet.

We need to enable forwarding in the system first:

nano /etc/sysctl.conf

Find this line and uncomment it (remove the hash at the beginning):

net.ipv4.ip_forward=1

Save, exit and refresh the settings:

sysctl -p /etc/sysctl.conf

Next, we need to specify the forward rules:

nano /etc/openvpn-firewall.sh

Add this line in, replace the interface (eth0 for cable and wlan0 for wifi) and IP address:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o <interface> -j SNAT --to-source <pi's IP address>

Then set to load this config on network card:

nano /etc/network/interfaces

And add this line to the appropriate interface with indent (add a tab or 4 spaces before the line):

pre-up /etc/firewall-network.sh

Restart network card (or reboot pi) and openvpn should now work:

sudo ifdown <interface>
sudo ifup <interface>

That’s done! Now you may try to connect from internet (eg. mobile data) before go out and access your home network from anywhere!

Category: Server

OpenVPN – Securely Access Home Network from Anywhere