Tutorial

Create a VPN with the Raspberry Pi

Create a
VPN with the
Raspberry Pi

The Raspberry Pi is cheap enough to

leave on a network youd like to connect
to remotely, so lets learn how to set it
up to do just that

Resources
A Raspberry Pi with all necessary
peripherals :
www.raspberrypi.org

An SD card containing the

latest Arch Linux image for the
Raspberry Pi:
www.raspberrypi.org/downloads

A second computer to be used as

a VPN client well assume youre using a
popular Linux distribution that uses
Network Manager, like Debian

52 www.linuxuser.co.uk

One possible scenario for wanting a cheap

server that you can leave somewhere is if
you have recently moved away from home
and would like to be able to easily access all
of the devices on the network at home, in a
secure manner. This will enable you to send
files directly to computers, diagnose problems
and other useful things. Youll also be leaving a
powered USB hub connected to the Pi, so that
you can tell someone to plug in their flash drive,
hard drive etc and put files on it for them. This
way, they can simply come and collect it later
whenever the transfer has finished.
Well be using Arch Linux as the operating
system for our VPN server, since it is lightweight
and has only the minimum packages required
for a working system. If its been a while
since youve used Arch Linux, the distro has
recently moved to a new service management
framework called systemd, so itll be good to get
up to speed on that also.
Our VPN server will be made up of the
following software components:

Advisor

Liam Fraser is the creator

of the RaspberryPi Tutorials
YouTube series and volunteers as
a Linux server administrator for
the Raspberry Pi Foundation

Base Arch Linux system

OpenVPN the software we will use to create a
secure VPN
Netcfg used to easily manage the multiple
network adapters well need
Bridge-utils used to bridge the VPN and
Ethernet adaptors
SSH will provide secure remote access to the
Raspberry Pi and the files on it
A dynamic DNS daemon (No-IP) software
that runs in the background and points a domain
name to your routers IP address, meaning that
you can access your Raspberry Pi from anywhere
using an easy-to-remember web address.
This tutorial assumes that you have flashed
the latest Arch Linux ARM image to an SD card.
If you havent, the instructions for flashing an
image can be found at www.linuxuser.co.uk/
tutorials/how-to-set-up-raspberry-pi/. Youll
only need to go up to the step where you write
the image to the SD card. Youll have to adapt
the instructions slightly for using the Arch Linux
image rather than the Debian one.

Create a VPN with the Raspberry Pi

Configure the Pi as a VPN server that you can access from anywhere

TUTORIal

01

logging into arch linux

02

Run a full system update

Connect the necessary cables to the

Pi and wait for the Arch Linux login prompt.
The login is root, and the password is also
root. Well change the root password from the
default later on.

Arch Linux runs on a rolling release

schedule, meaning that there are no version
numbers and software is continually updated.
The package manager in Arch Linux is called
pacman. Use the command pacman -Syu to
start a full system update. If for some reason
the update fails, try running pacman -Syu
again. Sadly, the Arch Linux ARM servers tend
to be quite busy. There may be a lot of packages
to update so it may take a while, especially
because the Pi runs from an SD card.

03

Install the required packages

Use the command

pacman -S noip netcfg bridge-utils

openvpn
to install the required packages mentioned at
the start of the article. Answer y to any prompts
you may encounter.

04

a word about subnets

One thing to note here is that because

were setting up a client-to-site bridge, well be
connecting the client to the servers network.
This means that the subnet that the server is
on needs to be different from the client subnet.
For example, the subnet at your advisors
home is 192.168.1.0/24, and the subnet here
is 172.17.173.0/24. If the subnet here was
192.168.1.0/24, then there would be a routing
conflict because the machine wont know if
youre referring to a local address or one on the
VPN. Its a good idea to have a non-standard
subnet for this reason. In our case, the client
subnet is non-standard so it doesnt matter
what the server subnet is for now. However,
were still going to change the server subnet at
some point because you may end up needing to
connect from a network such as public Wi-Fi,
which may use a standard subnet. If you need to
change your server subnet, we suggest picking a
/24 subnet (subnet mask 255.255.255.0) in one
of the private address ranges:
10.0.0.0 10.255.255.255
172.16.0.0 172.31.255.255
192.168.0.0 192.168.255.255
You should be able to easily change your
network configuration on your wireless routers
settings page.

05

Investigate your network

We highly recommend assigning a

static IP to your server Raspberry Pi rather than
being handed one by your router because youll
always know where to find it on the network,
which will be useful for accessing it remotely.
Youll also need a static IP if you want to access
the Raspberry Pi from the internet. Well need
to find out a couple of things about your current
network setup before setting a static IP. You can
use the commands ifconfig eth0 and ip route
show to do this.

06

Set up a static IP address

Now that we have found out things

about your network, such as your current IP
address, the network mask and so on, we can
set up a static IP address. Were going to use
the Arch Linux netcfg framework to manage
our network connections as well need three
different connections eventually: Ethernet,
which is automatically handled by the bridge
adaptor; a VPN tap adaptor; and a bridge
adaptor to combine the two.
Change directory to the /etc/network.d
directory and open a new file called bridge in
nano (or the text editor of your choice):

cd /etc/network.d
nano bridge
Then fill in the bridge configuration to look
as follows and save the changes (swapping our
network values for your own):

INTERFACE=br0
CONNECTION=bridge
DESCRIPTION=VPN Bridge connection
BRIDGE_INTERFACES=eth0
IP=static
ADDR=192.168.1.215
NETMASK=24
GATEWAY=192.168.1.254
DNS=(192.168.1.254)
Once done, save the file using Ctrl+O followed
by Enter, then exit nano using Crl+X. Well add
the VPN adaptor to the bridge later on.
We now need to configure what profiles
netcfg should load by editing /etc/conf.d/netcfg

and configuring the networks array as follows:

NETWORKS=(bridge)
Save the changes, exit nano and then run
the following commands to disable DHCP and
enable the Ethernet interface and the bridge
with a static IP permanently:

systemctl disable dhcpcd@eth0.

service
systemctl enable netcfg.service
You can now restart the Pi for the changes to
take effect.

07

log in with SSH

08

Change the root password

09

Set up the public key

infrastructure variables

Once the Pi has booted back up, open a

terminal on your Linux computer and type ssh
root@[IP of your pi]. Answer yes, to say that you
want to connect, and type in the root password,
which will still be root. You are now logged in
over SSH.

Since we will probably be exposing an

SSH login to the internet, it would be a very good
idea to change the password to something much
more secure. Type passwd, then follow the onscreen instructions to change your password.
Your SSH session will stay logged in, but youll
need to use the new password next time you log
in. You may also want to change the contents of
/etc/hostname to set the hostname to a selfidentifying name, such as vpnserver rather
than the default alarmpi. The change wont take
place until after a restart.

Were going to be using a certificate

infrastructure to authenticate OpenVPN. This
is where a certificate and private key (which

53 www.linuxuser.co.uk

Tutorial

Create a VPN with the Raspberry Pi

must be kept a secret) is generated for each

client, and signed by the certificate authority.
Only clients with signed certificates are allowed
to connect. The key and certificate are used
to encrypt the data sent between the client
and the server. This secure approach means
that additional username and password
authentication on the client is not necessary.
There are a bunch of scripts which make setting
this up easy. Start by copying the scripts to
/etc/openvpn with:

cp -r /usr/share/openvpn/easy-rsa/ /etc/
openvpn
and then change to that directory.
Were going to be making a template to base
our certificates on. Edit the vars file with nano
and change the following lines at the bottom of
the file from something like:

export
export
export
export
export
export
export
export
export

KEY_COUNTRY=US
KEY_PROVINCE=CA
KEY_CITY=SanFrancisco
KEY_ORG=Fort-Funston
[email protected]
[email protected]
KEY_CN=changeme
KEY_NAME=changeme
KEY_OU=changeme

to

export
export
export
export
export
export
export
export

KEY_COUNTRY=UK
KEY_PROVINCE=
KEY_CITY=Ormskirk
KEY_ORG=Home
[email protected]
KEY_CN=liamvpn-ca
KEY_NAME=liamvpn-ca
KEY_OU=None

Once you have saved the changes, export the

variables with:

source ./vars
and then clean any previous configuration with:

./clean-all

10

Create the certificates

Start by generating the certificate

authority certificate, with which we will sign
everything else (press Enter to leave fields set as
they are):

./build-ca
Following that, we want to generate a server
certificate with:

We now need to generate the DiffieHellman

parameters, needed to allow two users to
exchange a secret key over an insecure medium
using the DiffieHellman key exchange protocol
(this may take a couple of minutes):

last two values are the start and end ranges of IP

addresses allocatable to connecting clients.
Finally, uncomment the lines:

./build-dh

to give OpenVPN the least privileges possible

and then save the changes to the file.

The final step is to generate a certificate for

each client that you would like to connect to the
VPN. In this case, our client is a laptop.

./build-key liam-laptop
Simply do what you did during the buildkey-server script and then youll have all the
certificates you need.

11

Configure the OpenVPN server

Were going to base our configuration

file on the example server configuration file
using the command cp /usr/share/openvpn/
examples/server.conf /etc/openvpn/server.conf.
Open /etc/openvpn/server.conf in nano.
Start by changing:

;dev tap
dev tun
to:

dev tap0
;dev tun
because we are using a network tap adaptor
which allows us to bridge the networks, rather
than create a tunnel.
Replace the certificates here with the ones
you created:

ca ca.crt
cert server.crt
key server.key # This file should be
kept secret
dh dh1024.pem

12

Configure the tap interface

Open the file /etc/network.d/tap in nano,

add the following lines, and then save the file:

INTERFACE=tap0
CONNECTION=tuntap
MODE=tap
USER=nobody
GROUP=nobody
We then need to add the tap0 interface to
our bridge, so edit /etc/network.d/bridge and
change the bridge interfaces line to look like:

BRIDGE_INTERFACES=eth0 tap0
Finally, change the networks line in /etc/
conf.d/netcfg to:

NETWORKS=(tap bridge)
Notice that the tap network needs to be
started first, so that it can be added to the
bridge successfully.

13

Enabling OpenVPN

14

Set up dynamic DNS

Now that we have configured OpenVPN,

we want to enable it permanently. Use the
command systemctl enable openvpn@server
and then reboot the Pi to make sure that
everything starts successfully from a clean boot.
Our VPN is now configured, so were going to set
up dynamic DNS and port forwarding so that we
can access it from the internet.

In our case, the configuration looked like:

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/liamvpn.
crt
key /etc/openvpn/easy-rsa/keys/liamvpn.
key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
Comment out the line:

server 10.8.0.0 255.255.255.0

by placing a semicolon in front of it because
we want an Ethernet bridge rather than a
regular server. To enable the Ethernet bridge,
uncomment the line:

./build-key-server [server hostname]

server-bridge 10.8.0.4 255.255.255.0

10.8.0.50 10.8.0.100

Press Enter when asked for any information,

dont fill in a password or company name and
accept the request to sign the certificate.

Then change the values to match your servers

network configuration. The first is the servers
IP address; the second is the subnet mask. The

54 www.linuxuser.co.uk

;user nobody
;group nobody

Head over to www.no-ip.com/personal/

and sign up for the No-IP Free option. Once
you have done that, dont bother downloading
No-IPs client because weve already installed
it. Go to your email inbox and follow the
activation link that was just sent to you by NoIP. You can now sign into your account. Once
you have logged in, select the Add a host
option. Choose a hostname and a domain to
be part of from the drop-down list. Leave the
host type as DNS Host and then click the

Create a VPN with the Raspberry Pi

Congure the Pi as a VPN server that you can access from anywhere

TUTORIAL

Create Host button. For example, we used

the hostname liam-ludtest with the domain
no-ip.org, so we would access that using
liam-ludtest.no-ip.org.

15

Configure No-IP
Run the command

noip2 -C -Y
to be taken through interactive conguration
of the No-IP client. We left the update interval
to the default 30 minutes, meaning the client
will check every 30 minutes for an IP address
change. Once done, start the daemon with:

/etc/rc.d/noip start
After a minute or two, your IP address will be
accessible via your No-IP hostname. However,
its likely that trying it from inside your house
will simply take you to your routers homepage.

Fig 1 NAT port mapping

16

NAT port forwarding

It is likely that there are multiple devices

behind your router that all use the same external
IP address. This is because of the shortage of
IPv4 addresses, and also because it is more
secure to segregate the internet from your
internal home network. NAT (network address
translation) forwards a port from the routers
external IP address to a computer on the LAN
(local area network). In this case, well want to
forward any trafc for TCP port 22 that comes
to your routers external IP address to the IP
address of your Raspberry Pi. TCP port 22 is
the port used for SSH. SSH will provide remote
access to your Raspberry Pi, and also access
to any les on it via SCP (Secure Copy Protocol).
Youll also want to forward UDP port 1194, as
thats what OpenVPN uses.
The conguration of port forwarding really
depends on the router that you are using, so
you may have to look it up. The chances are

that it will be hidden away in the Advanced

section of your wireless router. You should be
able to access your router by typing your No-IP
hostname into your web browser. If not, it should
be at the address of your default gateway that
we used earlier on.
On our router, we had to go to Advanced>NAT>
Port Mapping, and add a mapping (Fig 1). We
then had to add a second mapping for OpenVPN,
using port 1194 specifying UDP rather than TCP
as the protocol.

17

Install an OpenVPN client

Well use a virtual machine running

Ubuntu 12.04 as our example VPN client. There
are simply too many possible combinations to
show them all. There are a couple of options that
must be used on every client, however:
Use a TAP device
Use LZO data compression
Do not use the default gateway on the
remote network (on Ubuntu, this is called
Use this connection only for resources on its
network). This basically means dont tunnel
my internet through this VPN. If this option is
disabled, then the clients internet connection
wouldnt work because we havent congured
our VPN to deal with internet.
Ubuntu uses Network Manager to congure
its networks, so the instructions we give
here should be almost identical to any other
distribution that uses the same thing. Ubuntu
doesnt come with the OpenVPN plug-in for
Network Manager by default, so well need to
start by installing it. From a terminal, run:

sudo apt-get update

sudo apt-get install network-manageropenvpn-gnome

18

Note that we use chmod to add read

permissions because the les need to be
readable by all users. We need to do this because
the Network Manager GUI doesnt run as root.

19

Create the VPN connection

20

Advanced settings

21

Route settings

22

Test your connection

Note that youll probably want to be on a

different subnet to your server otherwise its likely
youll run into connectivity issues on the client
because of the aforementioned routing problem.
We worked around this problem while at home
by using a virtual machine thats connected with
NAT. As far as the virtual machine is concerned,
its on the 10.0.2.0/24 subnet.
Click on the Network icon in the top menu
bar and click on the Edit connections option.
You will then be shown a window that has
multiple tabs at the top. Go to the VPN tab and
click add. Select OpenVPN as the connection
type and then click on Create. Now ll in the
appropriate information.
We need to set the advanced settings
that we mentioned before:
Use a TAP device
Use LZO data compression
The nal thing we need to set is
the option to Use this connection only for
resources on its network. To do this, go to the
IPv4 Settings tab and click the Routes button.
Tick the box for the aforementioned option
and then click Okay. Once you have done this,
you can Save your connection and close the
Network Connections window.

Copy the required certicates

to the client

We need three les from the Raspberry Pi to be

able to connect successfully:
The certicate authority certicate
The client certicate
The client key
Well be using SCP to copy the les into the
/etc/openvpn/keys directory:

cd /etc/openvpn
sudo mkdir keys
cd keys
sudo scp root@[Pis IP address]:/etc/
openvpn/easy-rsa/keys/ca.crt .
sudo scp root@[Pis IP address]:/etc/
openvpn/easy-rsa/keys/[client].crt .
sudo scp root@[Pis IP address]:/etc/
openvpn/easy-rsa/keys/[client].key .
sudo chmod +r *

Click on the Network icon in the menu,

hover over the VPN Connections option and
then click on the VPN that you just created. You
should see a success message and a padlock
as part of the Network icon. Open up a terminal
and run ifcong to check that the tap device has
been corrected with an appropriate IP address,
and that you can ping a device behind the VPN.

55 www.linuxuser.co.uk