I had an extra Raspberry Pi B+ lying around and wanted something to do. I had been researching security projects like creating a honeypot when I came across PiVPN, which is built using OpenVPN and creates an encrypted tunnel to your network. Alternatively, you can set it up on an Amazon web server or a VPS to have an offsite VPN. I set one up to use my home network so I could access SMB shares and the internet.

Here is a link to the project: http://www.pivpn.io/

The process is really simple! All you have to do is set up Raspbian on a Raspberry Pi and run this command:

curl -L https://install.pivpn.io | bash

From there an installer runs and you just make your way through the prompts. I did reference a couple of guides through the process to help me understand the options. Links to those walkthroughs are below.

https://www.sitepoint.com/setting-up-a-home-vpn-using-your-raspberry-pi/
https://blog.vigilcode.com/2016/04/pivpn-easiest-quickest-setup-of-openvpn/

Note: Generating an encryption key really does take a while. For me it took 1 hour+ to complete. I was worried it had locked up for a bit after around 45 minutes.

A couple of things worth mentioning: Do not forget to open UDP port 1194 (by default) on your router. Also, if you are interested in accessing network resources such as SMB on a Windows computer you will need to open the ports on Windows Firewall to make that possible. I had to use the below article to figure out how to open Windows firewall to other subnets:

https://forums.openvpn.net/viewtopic.php?t=21887

Once the installation process is complete it is time to create client keys. This is done easily by typing:

pivpn add

You are once again led through a quick form where you type in the name of the client and the password. This creates an .ovpn file that can be transferred to the client to allow access to the VPN. I used FTP to transfer the file to my computers.

The last step, which wasn’t as clear to me from the articles, was how to allow a client to connect. The best way to do it that I have found is to go to https://openvpn.net/index.php/open-source/downloads.html and check out their clients. It is working pretty well on my Windows 10 laptop. There is also an Android app here: https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en which is also working great on my Android devices.

I have been testing this project for the last day now and really like it. I haven’t run into any issues so far. I really like this project and it really has made running your VPN much less difficult than it ever was. The process was a breeze and I am happy with the results.

Update 1/4/17: I uploaded this on Reddit and got a response from a user that I thought would be useful for some. hammertonail says “One thing I would note, OpenVPN is very sensitive to local time. So be sure to set your localization settings correctly before you start the install!” Thanks for the tip!

31 thoughts on “PiVPN – Create your own VPN for your home network”

  1. I believe the port forwarding should be 1194 instead of 1149. I’m still in the process of installing pivpn, so correct me if I’m wrong.

  2. After spending about 5 hours trying to get OpenVPN working from another step-by-step-by-step-by-step guide, and having little success, I stumbled upon this one and it worked perfectly within 10 minutes.

    Great for a beginner, thanks!!

  3. Could you go over the steps needed to access local resources using piVPN? Specifically other servers on the same subnet as the RP.

    1. Hi Mike,
      Sure I can do a brief rundown on that. The main thing you have to keep in mind is that the VPN will put you on a different subnet (10.8.0.0 by default). You should be able to access other RPI’s or linux boxes pretty much automatically, unless you have a firewall blocking the connection. For example, I can easily access my other Pi’s by typing ssh pi@192.x.x.x. I can also pretty easily access Plex Server and watch videos through Chrome. All you have to do for that is open a web browser after you are already connected to the VPN and type http://192.x.x.x:32400/web. From mobile you can just use the app and it should be able to detect the server locally.

      However, getting access to SMB (or Samba shares on a Windows machine) can be more difficult due to Windows firewall. You have to allow the connection on the Windows side from that subnet. To be honest, I still run into issues dealing with this all of the time. It was easier for me to set up an FTP server (using FileZilla) and access my data that way. You still have to allow the connection through the firewall but it seems to be a more reliable method. I hope this helps. It really all depends on the service you are trying to access. Let me know if there is something specific you are trying to access and I might be able to help you more.

      1. Ok I found a better solution but it means bridging instead of tunneling.
        I started here and made some changes to the script and the conf files.
        http://www.emaculation.com/doku.php/bridged_openvpn_server_setup

        Now we’ll configure the OpenVPN server. First, you must obtain some information about your network’s private IP address numbering.

        On an OS X host, open System Preferences and go to Network. On the left, select the active interface (Ethernet), click “Advanced…” and select the “TCP/IP” tab. Look for the values for Subnet Mask (netmask) and Router. On a Windows host, this information can be obtained by running the command “ipconfig” (without quotes) in the Windows command prompt, cmd.exe. “Default Gateway” is the router’s address. You will also need to know your broadcast address, which is simply the first three octets of your subnet plus 255. Finally, decide on a free IP address on your network, which will be assigned to the Linux VM.

        This guide will use the following example private IP address numbering (adjust this to your numbering):

        IP address for RP: 192.168.1.3
        Netmask: 255.255.255.0
        Broadcast address: 192.168.1.255
        Router’s IP address: 192.168.1.1

        We’ll use the text editor “nano” to create a script called “openvpn-bridge” that performs the Ethernet bridging. Enter

        nano /etc/openvpn/openvpn-bridge

        Copy and paste the following script into that (empty) file.

        #!/bin/sh

        # Define Bridge Interface
        br="br0"

        # Define list of TAP interfaces to be bridged,
        # for example tap="tap0 tap1 tap2".
        tap="tap0"

        # Define physical ethernet interface to be bridged
        # with TAP interface(s) above.
        eth="eth0"
        eth_ip="192.168.1.3"
        eth_netmask="255.255.255.0"
        eth_broadcast="192.168.1.255"
        eth_gateway="192.168.1.1"

        case "$1" in
        start)
            # Create the persistent TAP device(s)
            for t in $tap; do
                openvpn --mktun --dev $t
            done

            # Create the bridge and attach the physical interface
            brctl addbr $br
            brctl addif $br $eth

            for t in $tap; do
                brctl addif $br $t
            done

            for t in $tap; do
                ifconfig $t 0.0.0.0 promisc up
            done

            sleep 10

            ifconfig $eth 0.0.0.0 promisc up

            sleep 5

            # Move the host's IP address onto the bridge
            ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

            sleep 2

            route add default gw $eth_gateway
            ;;
        stop)
            ifconfig $br down
            brctl delbr $br

            for t in $tap; do
                openvpn --rmtun --dev $t
            done

            # Restore the IP address on the physical interface
            ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast

            route add default gw $eth_gateway
            ;;
        *)
            echo "Usage: openvpn-bridge {start|stop}"
            exit 1
            ;;
        esac
        exit 0

        I made the script executable by entering

        chmod 744 /etc/openvpn/openvpn-bridge

        then I edited the server configuration file.

        port 1194
        proto udp
        dev tap0
        ca /etc/openvpn/easy-rsa/pki/ca.crt
        cert /etc/openvpn/easy-rsa/pki/issued/server.crt
        key /etc/openvpn/easy-rsa/pki/private/server.key
        dh /etc/openvpn/easy-rsa/pki/dh2048.pem
        duplicate-cn
        remote-cert-tls client
        server-bridge 192.168.1.3 255.255.255.0 192.168.1.51 192.168.1.61
        push "redirect-gateway def1"
        push "dhcp-option DNS 8.8.8.8"
        client-to-client
        keepalive 10 120
        tls-version-min 1.2
        tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
        cipher AES-256-CBC
        auth SHA256
        user nobody
        group nogroup
        comp-lzo
        persist-key
        persist-tun
        status /var/log/openvpn-status.log
        log-append /var/log/openvpn.log
        verb 3

        Then I edited the openvpn service

        nano /lib/systemd/system/openvpn@.service
        Copy these two lines:

        ExecStartPre=/etc/openvpn/openvpn-bridge start
        ExecStopPost=/etc/openvpn/openvpn-bridge stop

        Paste the two lines at the bottom of the [Service] section so that its last three lines look like

        WorkingDirectory=/etc/openvpn
        ExecStartPre=/etc/openvpn/openvpn-bridge start
        ExecStopPost=/etc/openvpn/openvpn-bridge stop

        I confirmed that /etc/sysctl.conf had net.ipv4.ip_forward = 1

        and then rebooted

        I edited the OVPN file I created following your tutorial so that dev was set to tap

        dev tap

        and tested everything
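As an added example, not part of the comment above or of PiVPN itself: a shell check that flags directives in an OpenVPN server config that deserve a second look, run here against a constructed subset of the bridged config. The function names and the REVIEW output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag OpenVPN server directives that deserve a second look.

# True if directive $2 is active (not commented out) in config file $1.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

review() { echo "REVIEW $1"; }

# Print one REVIEW line per finding for the server config at $1.
audit_ovpn_conf() {
    # Present in the bridged config above; each trades safety for convenience.
    has_directive "$1" duplicate-cn &&
        review "duplicate-cn: several sessions may share one client certificate"
    has_directive "$1" comp-lzo &&
        review "comp-lzo: compression before encryption enables VORACLE-style leaks"
    has_directive "$1" client-to-client &&
        review "client-to-client: relayed inside OpenVPN, host firewall never sees it"
    has_directive "$1" server-bridge &&
        review "server-bridge: clients sit on the LAN at layer 2, same subnet as hosts"
    # Hardening directives that should be present.
    has_directive "$1" tls-auth || has_directive "$1" tls-crypt ||
        review "tls-auth/tls-crypt missing: no HMAC filter in front of the TLS handshake"
    has_directive "$1" tls-version-min ||
        review "tls-version-min missing: old TLS versions may be negotiated"
    has_directive "$1" user ||
        review "user missing: daemon keeps root privileges after startup"
    return 0
}

# Constructed sample: a subset of the directives from the comment above.
write_sample_conf() {
    cat > "$1" <<'EOF'
dev tap0
duplicate-cn
server-bridge 192.168.1.3 255.255.255.0 192.168.1.51 192.168.1.61
client-to-client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
user nobody
comp-lzo
EOF
}

sample=$(mktemp) && write_sample_conf "$sample"
audit_ovpn_conf "$sample"
rm -f "$sample"
```

On the sample it reports four items (duplicate-cn, comp-lzo, client-to-client, server-bridge); point it at /etc/openvpn/server.conf to check a live install.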

        1. This is awesome! Thanks for providing the guide. If I understand correctly this should put the client machine on the same subnet as the rest of the local network? I have not had a chance to try it out yet but will do so when I get a chance.

          1. Glad I could help; your tutorial got me most of the way there. You are correct. In my case I have my internal DHCP server set to hand out addresses between 100 and 150 and the VPN hands out addresses between 51 and 61.

  4. Hello, I did the procedure to install the vpn, but at the end of my Rasp does not connect to the internet, making it unable to connect other client devices to the vpn, what can I do?

    1. Hmm…I’m not sure why you wouldn’t be able to connect after setup. Are you wired or wireless? Also during setup did you choose the right adapter, i.e. ETH0 or WLAN0? I have not run into that problem myself. You may want to re-run the setup and see if that fixes the issue.

  5. I have signed up for a VPN service and I’d like to enable that on a Raspberry Pi using OpenVPN and my username/pass for that service and bind to one of their VPN servers. What is the right way to do it using the RPi so all my devices are behind a VPN?

  6. Hi, I just set this up yesterday and it’s awesome. But a question about the key generation. I selected 2048 bit for initial setup and the key took seconds on a Raspberry Pi model B, not close to an hour as said by a few people. I added a new user after initial setup and it must default to 2048 bit but again it took seconds. Just wondering if it was done properly or something’s not right. Thoughts?

    1. That does sound a little strange. I have mine setup on a B+ and the initial setup took about an hour for me, mainly due to the time it took for the key generation. I also selected 2048 bit. The user key only took seconds for me as well but the initial setup took much longer. I would probably try to run the setup again and see if the same thing happens.

  7. Hi Chase,

    Thanks for the great article. Is it possible to have OpenVPN routing both UDP and TCP traffic over port 1194? I don’t want to have to settle for one or the other.

    1. I am not positive if there is a way to do it through both. I know that you can choose one or the other during the install process but I can’t remember off the top of my head if you can choose both TCP and UDP. Might be able to modify the config file though to make that happen.

  8. I’m new to the RPi and trying to set up VPN. I went through the tutorial, and created the client keys. After the install, does OpenVPN automatically run on the RPi whenever it’s powered up? Or do I have to start it myself. It does show up with the static IP I set it to. Is there a control panel for OpenVPN on the RPi? I don’t see one.

    1. Hi Jim,

      After install OpenVPN should just run automatically. There is no config panel as far as I know to control this. Everything else is done from the client end. I recommend grabbing a client like the OpenVPN app for Android. You can use SCP or FTP to send the client file (OVPN file) to the client. Then all you have to do is load the file in the client app and you can connect to wherever the PiVPN is located.

      1. Thank you for the reply Chase.
        Does SCP or FTP have to be used, or can I simply copy to a USB stick and transfer to the Android phone?
        I installed Open VPN to my Android phone but am unable to connect.

        Also, should I see some sort of OpenVPN reference in the RPi Task Manager?

        1. You should be able to copy it to USB. I don’t see any reason that you couldn’t. When you copy over the ovpn file to your phone, then open OpenVPN app and push import, import from SD and select the file. It should work after that.

  9. Hi. It is a really nice tutorial and it helped me a lot. I would like to add a couple more raspberrys into the equation and have a multi site VPN. My Home(192.168.0.1/24), My Office(192.168.1.1/24), My Brother’s Office(192.168.2.1/24). We all need to have a VPN and every single PC needs the ability to see all the other sites PCs. In every site we have identical network structure with a DSL connection, a TP link router, and a Raspberry that does the OPENVPN.
    Any ideas on how to implement that, please?

  10. Hi,

    I have a question (new with this). I bought a Raspberry Pi 3 to use Pi-hole. Works great by the way. Question is, can I use it together with PiVPN? Installation is not the problem, but getting it to work (making a connection) is the problem with the VPN network and my iPhone. How do I install the VPN file on my iPhone? My router is a TimeCapsule. Hope to hear.

    1. You can absolutely do that. All you need to do is go to the server.conf file. It should be under /etc/OpenVPN. Edit it with nano and tell DNS to point to 127.0.0.1. That should point it back to PiHole. I have mine pointing to a separate RPI and it works great for me. Also for your iPhone go to the App Store and download OpenVPN client. Follow the prompts to import a new profile. I hope this helps!

  11. Hello!
    If I have a web server running on my Raspberry, will the installation of PiVPN respect my configurations? Or does it require a fresh install?

    1. As far as I understand it, the Pi should respect the configurations. I don’t think that it will modify or do anything to your web server config files. I would however suggest that you backup whatever files you modify on the web server prior to installing PiVPN. I can’t think of any conflicting files though.
