I had an extra Raspberry Pi B+ lying around and wanted something to do with it. I had been researching security projects, like building a honeypot, when I came across PiVPN, which is built on OpenVPN and creates an encrypted tunnel into your network. Alternatively, you can set it up on an Amazon web server or a VPS to have an offsite VPN. I set mine up on my home network so I could access SMB shares and the internet through it.
Here is a link to the project: http://www.pivpn.io/
The process is really simple! All you have to do is set up Raspbian on a Raspberry Pi and run this command:
curl -L https://install.pivpn.io | bash
From there an installer runs and you just work your way through the prompts. I referenced a couple of guides during the process to help me understand the options; links to those walkthroughs are below.
https://www.sitepoint.com/setting-up-a-home-vpn-using-your-raspberry-pi/
https://blog.vigilcode.com/2016/04/pivpn-easiest-quickest-setup-of-openvpn/
Note: generating the encryption key really does take a while, over an hour for me. I was worried it had locked up for a bit after around 45 minutes.
A couple of things worth mentioning: do not forget to open UDP port 1194 (the default) on your router. Also, if you want to access network resources such as SMB shares on a Windows computer, you will need to allow the VPN subnet through Windows Firewall. I used the article below to figure out how to open Windows Firewall to other subnets:
https://forums.openvpn.net/viewtopic.php?t=21887
Once the installation is complete it is time to create client keys. This is done easily by typing:
pivpn add
You are once again led through a quick form where you type in the name of the client and a password. This creates an .ovpn file that can be transferred to the client to allow access to the VPN. I used FTP to transfer the file to my computers.
The last step, which wasn’t as clear to me from the articles, was how to allow a client to connect. The best way I have found is to go to https://openvpn.net/index.php/open-source/downloads.html and check out their clients. It is working pretty well on my Windows 10 laptop. There is also an Android app here: https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en, which is also working great on my Android devices.
I have been testing this project for a day now and really like it. I haven’t run into any issues so far. It has made running your own VPN much less difficult than it used to be. The process was a breeze and I am happy with the results.
Update 1/4/17: I posted this on Reddit and got a response from a user that I thought would be useful for some. hammertonail says: “One thing I would note, OpenVPN is very sensitive to local time. So be sure to set your localization settings correctly before you start the install!” Thanks for the tip!
Update 12/20/17: I previously had a Pi-hole on another Raspberry Pi on my network but wanted to install Pi-hole alongside PiVPN. I also believe someone in the comments asked me about this. I was able to get this working using a blog post I found here: https://marcstan.net/blog/2017/06/25/PiVPN-and-Pi-hole/.
I believe the port forwarding should be 1194 instead of 1149. I’m still in the process of installing pivpn, so correct me if I’m wrong.
You are correct. Thanks for the input. I missed that. It is 1194.
My ISP has blocked UDP ports anyway. Can I use TCP? Help
I believe I read something that said that you could bind to TCP port 80 or 8080. I’ll see if I can find the post I previously found and add it here if I do.
You can use 443 on TCP.
Approved this late but you are absolutely correct. 443 might be better for some users compared to the default.
After spending about 5 hours trying to get OpenVPN working from another step-by-step-by-step-by-step guide, and having little success, I stumbled upon this one and it worked perfectly within 10 minutes.
Great for a beginner, thanks!!
Thanks for the reply! Glad it helped you!!
Could you go over the steps needed to access local resources using piVPN? Specifically other servers on the same subnet as the RP.
Hi Mike,
Sure I can do a brief rundown on that. The main thing you have to keep in mind is that the VPN will put you on a different subnet (10.8.0.0 by default). You should be able to access other RPI’s or linux boxes pretty much automatically, unless you have a firewall blocking the connection. For example, I can easily access my other Pi’s by typing ssh pi@192.x.x.x. I can also pretty easily access Plex Server and watch videos through Chrome. All you have to do for that is open a web browser after you are already connected to the VPN and type http://192.x.x.x:32400/web. From mobile you can just use the app and it should be able to detect the server locally.
However, getting access to SMB (or Samba shares on a Windows machine) can be more difficult due to Windows firewall. You have to allow the connection on the Windows side from that subnet. To be honest, I still run into issues dealing with this all of the time. It was easier for me to setup an FTP server (using FileZilla) and access my data that way. You still have to allow the connection through the firewall but seems to be a more reliable method. I hope this helps. It really all depends on the service you are trying to access. Let me know if there is something specific you are trying to access and I might be able to help you more.
I also wrote it out here:
https://github.com/pivpn/pivpn/issues/45
Ok I found a better solution but it means bridging instead of tunneling.
I started here and made some changes to the script and the conf files.
http://www.emaculation.com/doku.php/bridged_openvpn_server_setup
Now we’ll configure the OpenVPN server. First, you must obtain some information about your network’s private IP address numbering.
On an OS X host, open System Preferences and go to Network. On the left, select the active interface (Ethernet), click “Advanced…” and select the “TCP/IP” tab. Look for the values for Subnet Mask (netmask) and Router. On a Windows host, this information can be obtained by running the command “ipconfig” (without quotes) in the Windows command prompt, cmd.exe. “Default Gateway” is the router’s address. You will also need to know your broadcast address, which is simply the first three octets of your subnet plus 255. Finally, decide on a free IP address on your network, which will be assigned to the Linux VM.
This guide will use the following example private IP address numbering (adjust this to your numbering):
IP address for RP: 192.168.1.3
Netmask: 255.255.255.0
Broadcast address: 192.168.1.255
Router’s IP address: 192.168.1.1
We’ll use the text editor “nano” to create a script called “openvpn-bridge” that performs the Ethernet bridging. Enter
nano /etc/openvpn/openvpn-bridge
Copy and paste the following script into that (empty) file.
#!/bin/sh
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.3"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
eth_gateway="192.168.1.1"
case "$1" in
start)
    # Create the TAP devices, then attach them and the physical interface to the bridge
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
    sleep 10
    # Move the LAN address from the physical interface onto the bridge
    ifconfig $eth 0.0.0.0 promisc up
    sleep 5
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    sleep 2
    route add default gw $eth_gateway
    ;;
stop)
    # Tear the bridge down and give the physical interface its address back
    ifconfig $br down
    brctl delbr $br
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    route add default gw $eth_gateway
    ;;
*)
    echo "Usage: openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0
I made the script executable by entering
chmod 744 /etc/openvpn/openvpn-bridge
then I edited the server configuration file.
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
duplicate-cn
remote-cert-tls client
server-bridge 192.168.1.3 255.255.255.0 192.168.1.51 192.168.1.61
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
Then I edited the OpenVPN service:
nano /lib/systemd/system/openvpn@.service
Copy these two lines:
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop
Paste the two lines at the bottom of the [Service] section so that its last three lines look like
WorkingDirectory=/etc/openvpn
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop
I confirmed that /etc/sysctl.conf had net.ipv4.ip_forward = 1
and then rebooted
I edited the OVPN file I created following your tutorial so that dev was set to tap
dev tap
and tested everything
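A checker for the kind of server.conf posted above, added here as an example (it is not PiVPN's or OpenVPN's own code): it parses the directives, flags the settings a reviewer would question (duplicate-cn, comp-lzo, a public DNS push instead of a LAN resolver such as Pi-hole, a missing tls-auth/tls-crypt key, tls-version-min below 1.2) and checks that the server-bridge pool lies inside the LAN and does not collide with the router's DHCP range, which the caller supplies as an assumed input. The config text is a constructed copy of the directives above with the key and certificate paths left out.

```python
import ipaddress

# Constructed sample: the directives from the bridged server.conf posted above
# (key/cert paths omitted; they do not affect any check).
SAMPLE_CONF = """\
port 1194
proto udp
dev tap0
duplicate-cn
remote-cert-tls client
server-bridge 192.168.1.3 255.255.255.0 192.168.1.51 192.168.1.61
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
client-to-client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
"""

def parse_conf(text):
    """Return [(directive, [args])] with comments and blank lines dropped, quotes stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()
            entries.append((parts[0], parts[1:]))
    return entries

def audit_server_conf(text, lan_dhcp_range=None):
    """Return (code, message) findings. lan_dhcp_range is an optional (first, last)
    pair of IPv4 strings for the router's DHCP pool, supplied by the caller (assumed input)."""
    entries = parse_conf(text)
    names = {d for d, _ in entries}
    findings = []
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append(("no-tls-auth", "control channel has no HMAC key (tls-auth/tls-crypt)"))
    tls_min = [a for d, a in entries if d == "tls-version-min"]
    if not tls_min or float(tls_min[0][0]) < 1.2:
        findings.append(("tls-min", "tls-version-min is unset or below 1.2"))
    if ("remote-cert-tls", ["client"]) not in entries:
        findings.append(("remote-cert-tls", "server does not require client-type certificates"))
    if "duplicate-cn" in names:
        findings.append(("duplicate-cn", "one cert can be shared by many devices; revoking it cuts them all off"))
    if "comp-lzo" in names:
        findings.append(("comp-lzo", "tunnel compression on; compression-oracle attacks (VORACLE) apply"))
    for d, a in entries:
        if d == "push" and a[:2] == ["dhcp-option", "DNS"] and not ipaddress.ip_address(a[2]).is_private:
            findings.append(("public-dns", f"clients' DNS pushed to {a[2]}, bypassing a LAN resolver such as Pi-hole"))
        if d == "server-bridge" and len(a) == 4:
            lan = ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
            lo, hi = ipaddress.ip_address(a[2]), ipaddress.ip_address(a[3])
            if lo not in lan or hi not in lan or lo > hi:
                findings.append(("pool-outside-subnet", f"VPN pool {lo}-{hi} is not inside {lan}"))
            elif lan_dhcp_range:
                dlo, dhi = map(ipaddress.ip_address, lan_dhcp_range)
                if lo <= dhi and dlo <= hi:  # the two address ranges intersect
                    findings.append(("pool-overlaps-dhcp", f"VPN pool {lo}-{hi} overlaps DHCP pool {dlo}-{dhi}"))
    return findings

if __name__ == "__main__":
    for code, msg in audit_server_conf(SAMPLE_CONF, ("192.168.1.100", "192.168.1.150")):
        print(f"[{code}] {msg}")
```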
This is awesome! Thanks for providing the guide. If I understand correctly this should put the client machine on the same subnet as the rest of the local network? I have not had a chance to try it out yet but will do so when I get a chance.
Glad I could help; your tutorial got me most of the way there. You are correct. In my case I have my internal DHCP server set to hand out addresses between 100 and 150 and the VPN hands out addresses between 51 and 61.
Hello, I followed the procedure to install the VPN, but at the end my Pi does not connect to the internet, making it unable to connect other client devices to the VPN. What can I do?
Hmm…I’m not sure why you wouldn’t be able to connect after setup. Are you wired or wireless? Also during setup did you choose the right adapter, i.e. ETH0 or WLAN0? I have not run into that problem myself. You may want to re-run the setup and see if that fixes the issue.
I have signed up for a VPN service and I’d like to enable that on the Raspberry Pi using OpenVPN and my username/password for that service and bind to one of their VPN servers. What is the right way to do this using the RPi so all my devices are behind a VPN?
Hi, I just set this up yesterday and it’s awesome. But a question about the key generation: I selected 2048 bit for the initial setup and the key took seconds on a Raspberry Pi Model B, not close to an hour as said by a few people. I added a new user after the initial setup and it must default to 2048 bit, but again it took seconds. Just wondering if it was done properly or something’s not right. Thoughts?
That does sound a little strange. I have mine setup on a B+ and the initial setup took about an hour for me, mainly due to the time it took for the key generation. I also selected 2048 bit. The user key only took seconds for me as well but the initial setup took much longer. I would probably try to run the setup again and see if the same thing happens.
Hi Chase,
Thanks for the great article. Is it possible to have OpenVPN routing both UDP and TCP traffic over port 1194? I don’t want to have to settle for one or the other.
I am not positive if there is a way to do it through both. I know that you can choose one or the other during the install process but I can’t remember off the top of my head if you can choose both TCP and UDP. Might be able to modify the config file though to make that happen.
I’m new to the RPi and trying to set up a VPN. I went through the tutorial and created the client keys. After the install, does OpenVPN automatically run on the RPi whenever it’s powered up, or do I have to start it myself? It does show up with the static IP I set it to. Is there a control panel for OpenVPN on the RPi? I don’t see one.
Hi Jim,
After install OpenVPN should just run automatically. There is no config panel as far as I know to control this. Everything else is done from the client end. I recommend grabbing a client like the OpenVPN app for Android. You can use SCP or FTP to send the client file (OVPN file) to the client. Then all you have to do is load the file in the client app and you can connect to wherever the PiVPN is located.
Thank you for the reply Chase.
Does SCP or FTP have to be used, or can I simply copy to a USB stick and transfer to the Android phone?
I installed OpenVPN on my Android phone but am unable to connect.
Also, should I see some sort of OpenVPN reference in the RPi Task Manager?
You should be able to copy it to USB. I don’t see any reason that you couldn’t. When you copy over the ovpn file to your phone, then open OpenVPN app and push import, import from SD and select the file. It should work after that.
I can’t remember if I ever saw anything referencing OpenVPN but you should have an OpenVPN folder under /etc which should contain the config files for the VPN.
Hi. It is a really nice tutorial and it helped me a lot. I would like to add a couple more Raspberry Pis into the equation and have a multi-site VPN: My Home (192.168.0.1/24), My Office (192.168.1.1/24), My Brother’s Office (192.168.2.1/24). We all need to have a VPN and every single PC needs the ability to see all the other sites’ PCs. In every site we have an identical network structure with a DSL connection, a TP-Link router, and a Raspberry that does the OpenVPN.
Any ideas on how to implement that, please?
Hi Chase, I want to see if “PIVPN” will work as an internal VPN on my Raspberry PI3 when using KODI ?
Hi,
I have a question (new with this). I bought a Raspberry Pi 3 to use Pi-hole. Works great by the way. Question is, can I use it together with PiVPN? Installation is not the problem, but getting it to work and making a connection between the VPN network and my iPhone is. How do I install the VPN file on my iPhone? My router is a TimeCapsule. Hope to hear.
You can absolutely do that. All you need to do is go to the server.conf file. It should be under /etc/OpenVPN. Edit it with nano and tell DNS to point to 127.0.0.1. That should point it back to Pi-hole. I have mine pointing to a separate RPi and it works great for me. Also for your iPhone go to the App Store and download the OpenVPN client. Follow the prompts to import a new profile. I hope this helps!
Hello!
If I have a web server running on my Raspberry, will the installation of PiVPN respect my configuration? Or does it require a fresh install?
As far as I understand it, the Pi should respect the configurations. I don’t think that it will modify or do anything to your web server config files. I would however suggest that you backup whatever files you modify on the web server prior to installing PiVPN. I can’t think of any conflicting files though.
Hello,
What do I have to do so that my VPN clients can connect to the internet?
It’s running perfectly on the internal network, but the VPN clients can’t connect to the internet.
I don’t get it. It works on my mobile phone, my other Raspberry and on Windows 7. But with Windows 10 I can’t connect to the internet, so it’s not a problem with my configs.
Well it’s gotta be an issue with your Windows setup then since the other 3 are working. I mean it sounds like a firewall issue but that’s really me guessing without knowing anything else. I’ll see if I can find some further information on common issues.
I am having problems connecting to the net also. The VPN tunnel is created perfectly and I can even open a VNC desktop to the Raspbian, but when trying to use a browser to the internet, it fails.
I tried this on my iPad, on my Android phone and a Windows Laptop. They all connect, but fail accessing internet.
I am using UDP 443 for VPN. Can this be a problem?
Hmm… that’s a difficult one but I have seen others in the comments mentioning similar issues. Right now I am using the default 1194 port so I would need to test and see if I can reproduce the same issue. My best guess though as of now is either an issue with DNS or a port that is still being blocked. I will try to reproduce this myself when I get a chance and let you know if I find a solution.
Maybe try running PiVPN on the same raspberry pi with PiHole. I was previously having some connection issues of my own but using this tutorial I have it running great now. https://marcstan.net/blog/2017/06/25/PiVPN-and-Pi-hole/. Another option would be to try after switching back to the default port to see if it allows you to access the internet that way.
I have solved my problem!!
I am using UFW and I found out that I needed to change one file:
/etc/ufw/sysctl.conf
I think that the PiVPN scripts only change the default “/etc/sysctl.conf”, right?
I had to remove “#” for this next line in both those “sysctl.conf” files:
net.ipv4.ip_forward = 1
After that, UFW started forwarding communications to internet as expected.
Hope it helps.
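A small checker for the situation described in the comment above, added here as an example (not PiVPN's or ufw's code): it reads the forwarding key out of both sysctl files, treating a line that is commented out with “#” as unset, and reports which of the two still needs the fix. The two file contents are constructed samples; on a real host you would read /etc/sysctl.conf and /etc/ufw/sysctl.conf.

```python
# Constructed samples of the two files the comment above names: an
# /etc/sysctl.conf where the PiVPN installer has enabled forwarding, and an
# /etc/ufw/sysctl.conf where the same key is still commented out.
ETC_SYSCTL = """\
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
"""
UFW_SYSCTL = """\
# Uncomment this to allow this host to route packets between interfaces
#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
"""


def sysctl_value(text, key):
    """Return the last uncommented value assigned to key in sysctl.conf text, or None.

    The dotted form (net.ipv4.ip_forward) and the slash form (net/ipv4/ip_forward)
    are treated as the same key, as sysctl itself does.
    """
    want = key.replace("/", ".")
    value = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, so '#net...' counts as unset
        if "=" not in line:
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k.replace("/", ".") == want:
            value = v  # last assignment wins, as in sysctl
    return value


def forwarding_status(files):
    """Map file name -> True (forwarding on), False (explicitly off) or None (unset)."""
    status = {}
    for name, text in files.items():
        v = sysctl_value(text, "net.ipv4.ip_forward")
        status[name] = None if v is None else v == "1"
    return status


def files_needing_fix(files):
    """Names of the files where forwarding is not enabled; on a ufw host both must say 1."""
    return [name for name, on in forwarding_status(files).items() if not on]


if __name__ == "__main__":
    files = {"/etc/sysctl.conf": ETC_SYSCTL, "/etc/ufw/sysctl.conf": UFW_SYSCTL}
    print(forwarding_status(files))   # {'/etc/sysctl.conf': True, '/etc/ufw/sysctl.conf': None}
    print(files_needing_fix(files))   # ['/etc/ufw/sysctl.conf']
```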
Would the instructions given for Raspbian also work on the Mint distro?
I believe that it should work. Isn’t Mint a Debian distro? If so all the commands should work fine. I also think that it is close enough that it should work anyways. I haven’t tried it though so some modifications may be needed.
Chase, I just now saw your reply to my June 10, 2018 message (47 days ago (I must’ve missed the e-mail about the reply being posted)). I’ve decided to stick with Raspbian Stretch on the Pi 3B+. Right now, I plan to install PiVPN, Pi-Hole, and Plex Media Server on said Pi 3B+. Do you foresee any issues at all (speed-related or otherwise) with this plan? I could buy a separate Pi 3B+ for Plex Media Server in the future, however, thus making that Pi 3B+ a dedicated device just for Plex Media Server and nothing else.
I love the various applications/projects/uses/etc. this little single-board computer (SBC) has!
Mark, I absolutely love these little boards too! Pi-Hole is an excellent project as well as motion eye OS. I even have one connected to an old school USB printer with CUPS basically making it a wireless printer.
One thing I will mention is that even with the 3B+ the Pi struggles on 1080p encoding, or at least that is what I have read on a few forums. If your main goal is to build a decent media center I would suggest building a debian box on a standard desktop/laptop machine and then using your 3B+ for PiVPN and Pi-Hole. You will likely get a lot better performance out of even a 5 year old desktop when compared to the Pi. Hope this helps!
Chase,
Thanks again for the reply; the desktop I’m running Linux Mint 19 Xfce on used to have Windows 10 Home running on it with 2GB RAM. Due to an error on my part, I messed up Win 10 completely, so I thought it was a good time to move to Linux, so I did. I upgraded the RAM from 2GB to 4GB.
But here’s the issue: the computer is a 2007 (yes – 2007!) Dell Dimension E521 with an AMD Sempron 3400+ processor running @ 1.8GHz. On videos, anything in any variety of HD skips severely. I’m currently using the Dell for email/LibreOffice/web browsing, as well as “VNCing” into my RCA 10.1” tablet/laptop hybrid running Windows 10 Home. The Dell has a 20” monitor connected to it, so my extreme nearsightedness prefers seeing output on a 20” screen over a 10.1” any day. My eyesight is so bad that 3 eye doctors have said that the most-advanced procedures (LASIK, etc.) can’t correct it.
Could I put PiVPN & Pi-Hole on the Dell & still use it as I currently am, then only use the Pi 3B+ for Plex Media Server? Most of the videos are from an 8mm Sony video camera & various iPhone models over the past 4 years, the majority of which would be 720p quality. I’m trying to make it to where all computers/tablets/devices/iPhones can access photos/music/videos (via Plex Media Server) on an external USB HDD connected to a USB hub connected to the Pi both within our house (via WiFi) and outside of our house via a VPN connection.
Answer, anybody? Please?
Thanks!
Hi Mark, yes you can absolutely run PiVPN and Pi-Hole on the Linux Mint box. Process should basically be the same. Since Mint is based on Debian it should work almost exactly the same as it would on the Pi. I have not tested this myself but have been able to install both on a Ubuntu box in the past and didn’t have any issues. Installation was exactly the same as it was on the Pi.
Chase, that’s very good to hear; I hope to install PiVPN & Pi-Hole this weekend on the “refitted” Dell, along with Plex Media Server on the Pi 3B+.
How many simultaneous connections can be made when any device (whether while logged into our house WiFi or while away from the house) wants to access Plex “things”? I wouldn’t foresee any more than 2-3 simultaneously, but one never knows for sure.
I’ll post the results of how the PiVPN & Pi-Hole setups go; I’ve used Linux for about a month now, so I’m still learning and using Timeshift frequently to create system snapshots in case something goes awry.
Thanks for a great site & helpful advice.
Hi Chase;
many thanks for the tips.
Everything works perfectly for me.
I’m using an RPi B+ model with Raspbian Jessie Lite installed. I believe generating a 4096-bit key on my RPi would take more than an hour. Is it possible to generate the 4096-bit keys on my Intel i7 PC and later transfer them to my RPi? Can someone please elaborate the steps? Thanks.
Hi, after installing everything I can’t connect to the VPN. It just keeps trying but the connection fails. I have opened the port on the router and can get into the Pi through SSH but can’t connect to the VPN. Tried on my phone and computer. What can I do?
What network are you trying to connect from? It is possible that the network your client is on is blocking the connection. At my school, I have this issue. Have you tried it from a mobile network? Can you pass along the log from the client software that you are using? OpenVPN usually has a log that you can copy.
Great tutorial and easy install. I am able to connect and receive handshakes, but can’t surf the net. Any ideas?
Unfortunately, this tutorial is outdated. Recently been having a lot of issues with PiVPN myself. I know this is a very belated response but I will look into this and see if I can find an answer. I am going to try reinstalling over the weekend and will try to replicate the issue.
I have created the PiVPN tunnel using the tutorial. The WireGuard client is also activated using the newly created profile. Now I wish to access a Windows machine connected to the other end of the Pi from a remote machine. How do I do it? Can you help?