This post is a short tutorial on how to install and configure a small VPN setup with the Raspberry Pi working as the VPN server within your local network.
Imagine a setup like the one shown below, where you want to connect to your Raspberry Pi (or any other host within your local network) from your notebook or mobile phone via an open WiFi access point.
Since your ISP probably won't grant you a static IP address you first need to sign up to a dynamic DNS service provider and configure your router appropriately. Check the previous post on how to do so for the FritzBox 7240.
In my setup, "Raspbian Wheezy" is installed as the operating system on the Pi, so it is easy to get the software packages needed for the OpenVPN server:
sudo apt-get install openvpn
This package needs to be installed on both the server and the client system.
Server configuration
First of all we need to generate all the keys and certificates on the server. A convenient way to do this is the easy-rsa key-management package, which is based on openssl and is already part of the OpenVPN installation.
So locate your easy-rsa folder and copy it to your openvpn location:
(For this and most of the following steps you need root access.)
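cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
# The build scripts are called with ./ so run them from the easy-rsa folder
cd /etc/openvpn/easy-rsa
# Load the easy-rsa settings first: vars sets its own KEY_* defaults,
# so the certificate fields are exported afterwards to take effect
source /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanDiego"
export KEY_ORG="OpenVPN"
export KEY_EMAIL="myemail@mydomain.com"
./clean-all                 # start with an empty keys folder
./build-ca                  # certificate authority (ca.crt, ca.key)
./build-key-server server   # server certificate and key
./build-key client1         # certificate and key for the first client
./build-dh                  # Diffie-Hellman parameters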
Now it's time for the server configuration file. In /etc/openvpn a basic config file named server.conf should already exist. If not, you can extract it from /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz. Most of the basic settings are already fine, but it's crucial that you set the path for the keys and certificates:
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
key ./easy-rsa/keys/server.key
dh ./easy-rsa/keys/dh1024.pem
In order to access the full local network (not only the hosts connected to the VPN), you have to insert the following line into the appropriate section of the same file:
push "route 192.168.178.0 255.255.255.0"
Furthermore, you have to activate IP forwarding by inserting the following line into /etc/sysctl.conf:
net.ipv4.ip_forward=1
This is all for the server side. To start the OpenVPN server daemon just run the initialization script:
/etc/init.d/openvpn start   # or 'restart' when it was already running
Router configuration (FritzBox)
Since the Raspberry Pi is probably not the default gateway of your local network, you have to create a static route. To do so, open the FritzBox configuration pages in your browser and navigate to the local network section. Create a static route with the information given below:
IP address 10.8.0.0
Subnet mask 255.255.255.0
Gateway 192.168.178.2
Also make sure that the FritzBox always assigns the same IP address to your Raspberry Pi. The last thing you have to do is to open port 1149 and forward it to 192.168.178.2 (the IP address of the Pi).
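The server and router settings above only work if they agree with each other, so here is a small audit script as an added example (it is not part of the original post). It reads the port, ca, cert, key, dh and push "route ..." lines from server.conf, checks IP forwarding in sysctl.conf and compares the server port with the port forwarded on the router. The function names and the rule that relative paths are resolved against the directory of server.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. All paths are arguments.

# conf_value FILE DIRECTIVE: first argument of the first active
# (not '#' or ';' commented) DIRECTIVE line in an OpenVPN config file.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# forwarding_enabled FILE: net.ipv4.ip_forward=1 on an uncommented line.
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# pushes_route FILE NETWORK: the config pushes a route for NETWORK.
pushes_route() {
    awk -v n="$2" '$1 == "push" && $2 == "\"route" && $3 == n { f = 1 }
                   END { exit !f }' "$1"
}

# key_is_private FILE: regular file without any group/other permissions.
key_is_private() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in -???------*) return 0 ;; esac
    return 1
}

# check DESCRIPTION COMMAND...: run COMMAND, print the result, count failures.
check() {
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# audit CONF SYSCTL FORWARDED_PORT LAN: returns the number of failed checks.
# Assumption: relative paths in CONF are relative to CONF's directory.
audit() {
    fails=0
    port=$(conf_value "$1" port)
    port=${port:-1194}   # OpenVPN's default when no port directive is set
    check "router forwards the server port $port (forwarded: $3)" test "$port" = "$3"
    check "IP forwarding enabled in $2" forwarding_enabled "$2"
    check "route to $4 is pushed to clients" pushes_route "$1" "$4"
    for d in ca cert key dh; do
        f=$(conf_value "$1" "$d")
        case "$f" in /*) ;; *) f="$(dirname "$1")/$f" ;; esac
        check "$d file exists: $f" test -f "$f"
        if [ "$d" = key ]; then check "server key has no group/other permissions" key_is_private "$f"; fi
    done
    return "$fails"
}
```

With the values from this post, the call on the Pi would be: audit /etc/openvpn/server.conf /etc/sysctl.conf 1149 192.168.178.0 (run as root so the key file can be inspected).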
Client configuration
Because there are several clients and operating systems out there, I will not go into detail here. Basically, every client needs the key and certificate files created before:
client1.crt
client1.key
ca.crt
If Ubuntu is your operating system, you can use the OpenVPN plugin for NetworkManager available in the repositories. Have a look at http://wiki.ubuntuusers.de/OpenVPN for further instructions.
Have fun connecting to your home network in a secure manner!

 
Can I use this with another router instead of the FritzBox? Another question: is the Raspberry Pi the default gateway instead of the router?