Tuesday, November 22, 2016

OpenVPN on a Raspberry Pi

Sorry that I've been publishing very few posts lately, but this year I've been quite busy planning my wedding, so I have had almost no time for anything else...

Anyway, in the last few days I set up a simple VPN server on one of my Raspberry Pis (a model 2 B). I built this small project for the honeymoon. Let me explain why before looking at the procedure.

Think about connecting to the internet with your smartphone (it's the same for a tablet or a laptop). When you are at home, the smartphone connects to your LAN over wi-fi, and then reaches the web through the router/modem and your provider's connection.

If you are away from your LAN, you can connect using the mobile phone network and your subscription, or use a free wi-fi hotspot.

With the subscription you are in almost the same situation as at home, but using a wi-fi hotspot is quite a different thing.

On a wi-fi hotspot you are actually connecting to a LAN managed by someone else, where any kind of user can be connected at the same time as you. This means that a hacker could easily find your device and analyze your internet traffic, even discovering your passwords... Not a good thing!

The solution is a VPN. With this kind of software you create a protected, encrypted connection to the VPN server, so the data passing through this channel cannot be read by others. You are still accessing the web through an unprotected LAN, but the data is protected and thus quite safe. The unencrypted data starts flowing from the VPN server, and if this is located in your house it's as if you were connecting from home!

An RPi is a good solution for a VPN server unless you need a high data rate. Remember that even a model 3 has 100Mb Ethernet and that the processing power is limited. This is a project for those who wish to use WhatsApp, Facebook or email, not for online gaming or HD streaming, nor for those who need many connections at the same time, like a company.

For a few people on a trip, like me and my future wife, it's instead a perfect device: we do not need to connect often, we do not have many devices, and on a trip there is very little time to spend on the web.

Let's see how to make our VPN server on the Raspberry Pi.

After some unsuccessful attempts at installing OpenVPN manually on an RPi, I searched the web for help and finally found a simple script that does all the hard work: PiVPN.
Using this script, installing and configuring OpenVPN on an RPi is incredibly easy.

Just a couple of notes... The best OS choice is Debian Jessie lite, but you can of course also use the script with the full Jessie version.
Even though you could use this RPi for other tasks as well, this is inadvisable, as it could reduce the processing power dedicated to the VPN or even create unwanted security issues.

Furthermore, you could connect the RPi to the LAN using wi-fi, but this would slow down the connections, so it would not be a good solution.

Finally, you must configure your router to forward the UDP port used by OpenVPN to the RPi (the default port is 1194, but it can be changed when the script asks).

For these reasons I started with a new Jessie lite image. After the usual update/upgrade (not really needed, as the script can do this for you) I started the script as stated on the website:

curl -L https://install.pivpn.io | bash

After the download, the script starts automatically.

You will be presented with several different screens; some are for information and some for configuration.

When there is an info screen, you can just continue by pressing ENTER. Still, please read everything carefully to save yourself trouble!
The first thing is to select the interface: eth0 is the wired network and wlan0 is the wi-fi. Then you should set a static address. You can specify it on the screen and the script will make the changes to the system for you.

Next you will be asked for the user that will manage the OpenVPN server. You can just use the default pi user, but remember to change the password before using this server.

After the user selection you will be asked whether to download and install the latest security upgrades. Even if this is not mandatory, it's advisable to say yes.

Now comes some downloading and installation: upgrades (if you said yes in the previous step), dependencies and of course OpenVPN.
This step may take a while, depending on the number of upgrades available.

If no errors are found, the script proceeds with the OpenVPN configuration. It starts by asking for the port to be used. The default is 1194, but you can change it if you wish. This is the port that needs to be forwarded by your router.

In the next step you have to specify the encryption level. The default (2048) is the best choice for an RPi.

Before generating the server key, you can change the information fields of the key. You can select what to change on the screen (the spacebar selects/deselects items, and after hitting Enter you can change them). As said, this is purely informational data and you can use the defaults if you wish.

The key generation will take some time (several minutes), so be prepared to wait for this task to end.

After the key is ready, the script will ask whether you wish to use the actual public IP of the RPi or a DNS name. This choice depends on your LAN of course. As I have a static address for my internet connection, I chose the DNS name and put my public IP on the next screen. This step is important to be able to reach your VPN server from other devices.

Finally you need to specify the DNS provider. I used Google, but there are other choices. You can also set custom servers if you need to.

The last step of the server configuration is a reboot. Now your Raspberry Pi is ready to be used as a VPN server.

To be able to connect with your smartphone or other devices, you need to create the client certificates by typing:

pivpn add

You will be asked for a client name and for a password. This is a critical step, as the password is used to log in to the server. If you choose a trivial one, it could be discovered by other people, so it's better to choose a really strong password.

The script will then create a file with the .ovpn extension in the ovpns folder on the RPi. You will need to send this file to your smartphone.
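
Since the .ovpn file is what gets copied or e-mailed to the phone, the following added example (not part of the original post or of PiVPN) checks a profile before it leaves the RPi: that the embedded private key is password-protected, that the file is not readable by other users, and which address, port and protocol the client will use. It assumes the profile carries the client key inline in a <key> block and that the password given to pivpn add encrypts that key; the sample profiles and the host name vpn.example.net are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit an OpenVPN client profile before it leaves the RPi.
# Assumption: the profile carries the client key inline in a <key> block.

# Print "encrypted", "unencrypted" or "missing" for the inline private key.
key_state() {
    awk '
        /^<key>/   { inkey = 1; next }
        /^<\/key>/ { inkey = 0 }
        inkey && /^-----BEGIN/ { seen = 1; if ($0 ~ /ENCRYPTED/) enc = 1 }
        inkey && /^Proc-Type:.*ENCRYPTED/ { enc = 1 }   # legacy PEM header
        END { print (enc ? "encrypted" : (seen ? "unencrypted" : "missing")) }
    ' "$1"
}

# Print "host port proto" from the last remote line (OpenVPN defaults filled in).
endpoint() {
    awk '
        $1 == "proto"  { proto = $2 }
        $1 == "remote" { host = $2; port = $3; if ($4 != "") proto = $4 }
        END { print host, (port ? port : 1194), (proto ? proto : "udp") }
    ' "$1"
}

# Succeed only if group and others have no permissions on the file.
owner_only() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Report every problem found; return non-zero if any check failed.
audit_profile() {
    rc=0; state=$(key_state "$1")
    [ "$state" = "encrypted" ] || { echo "FAIL: private key is $state"; rc=1; }
    owner_only "$1" || { echo "FAIL: readable by group or others"; rc=1; }
    echo "INFO: connects to $(endpoint "$1")"
    return $rc
}

# Constructed sample profiles: placeholder key bodies, hypothetical host name.
sample_dir=$(mktemp -d)
write_sample() {   # $1 = path, $2 = PEM label for the key block
    printf '%s\n' client 'dev tun' 'proto udp' 'remote vpn.example.net 1194' \
        '<key>' "-----BEGIN $2-----" '(constructed placeholder)' \
        "-----END $2-----" '</key>' > "$1"
}
write_sample "$sample_dir/good.ovpn" "ENCRYPTED PRIVATE KEY"
write_sample "$sample_dir/bad.ovpn" "PRIVATE KEY"
chmod 600 "$sample_dir/good.ovpn"; chmod 644 "$sample_dir/bad.ovpn"
audit_profile "$sample_dir/good.ovpn"
audit_profile "$sample_dir/bad.ovpn" || true
```

To check a real profile, call audit_profile with the path of the .ovpn file that pivpn add created; the port it reports should match the one forwarded on the router.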

To use the client certificate you need to install the OpenVPN Connect app on the device. Then the procedure differs depending on your system.

If you are using an Android device, copy the .ovpn file to a folder on the phone, then import it in the OpenVPN app.

With iOS devices you can just send the .ovpn file by email, then open the email on your device and open the attached file with the OpenVPN app.

Below you can see my iPhone connected to the OpenVPN server that I created. During the trip we connected with two smartphones and two tablets (both iOS and Android) without any issue.
