Raspberry PI VPN Server with PiVPN


Last Updated on 2nd September 2023 by peppe8o

In this tutorial, I’m going to show you how to setup a VPN server with a cheap Raspberry PI Zero W using PiVPN and send certificates via email. This guide applies also to newer Raspberry PI boards.

Requests for accessing home or mall office services from remote devices increased in last years as open source self hosted platforms evolved. Also needs to securing with VPN connections (for example from man in the middle attacks). Installing your own vpn server in Raspberry PI with PiVPN make your local network accessible from remote devices in short time

Raspberry PI can provide a number of linux services able to easily solve problems to manage your home network with cheap solutions. Using an OS based on Debian, it can run Open Source software and drastically help you with your home ICT needs as well as small office needs.

A common need for increasing networking security and access to your home services from outside is having a VPN (Virtual Private Network) server which grants secure access from an external network to your internal services.

Raspberry PI Zero WH board

A simple solution to implement an OpenVPN server or WireGuard server (the 2 most widely known VPN open source services) is using the convenient PiVPN setup tool.

What is a Virtual Private Network

As described in Wikipedia VPN definition page, “A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across a VPN may therefore benefit from the functionality, security, and management of the private network.

Before Starting

If you are looking for a VPN, you probably want to reach your VPN server from an external, remote device coming from internet.

For this reason, you need to check if your provider is giving you a public IP address and may be useful getting a DNS record. This topic and how to get a dynamic DNS can be found in my How to configure No-IP DUC service in your Raspberry PI tutorial.

You will also need access in your home router to setup port forwarding.

What We Need

As usual, I suggest adding from now to your favourite e-commerce shopping cart all the needed hardware, so that at the end you will be able to evaluate overall costs and decide if to continue with the project or remove them from the shopping cart. So, hardware will be only:

Check hardware prices with following links:

Amazon raspberry pi boards box
Amazon raspberry pi Zero W box
Amazon Micro SD box
Amazon Raspberry PI Power Supply box

Step-by-Step Procedure

Prepare Operating System

Start installing Raspberry PI OS operating system. I suggest to install Raspberry PI OS Lite to have a light (headless) environment. Otherwise, you can also opt for Raspberry PI OS Desktop, then working from its internal terminal.

Make your OS up to date. From ssh terminal connection, use following command:

sudo apt update -y && sudo apt upgrade -y

Install and Configure PiVPN

PiVPN make VPN installation really easy. In this setup procedure, I’ll show you how to install OpenVPN server. WireGuard server will use the same wizard, opting for this solution in next screens.

Many of following steps during wizard execution will use the default values. Be careful in selecting between UDP and TCP protocol: some router models have issues in managing TLS handshaking at VPN client connection with UDP protocol. For this reason, I suggest to use TCP instead.

From the command line, use following to download the installer and start the setup wizard:

sudo curl -L https://install.pivpn.io | bash

It will start the setup process by installing the required packages. After this operation, an interactive terminal session will start as in the following pictures.

First screen requires a simple confirmation to start installer steps. Press ENTER key.

raspberry pi pivpn server setup 01

The second screen warns to use a static IP for your Raspberry PI. When you’ll setup port forwarding in your home router, this rule will drive traffic for the selected port from the outside (internet) to your RPI IP address. So, it is important that Raspberry PI doesn’t change its IP on reboot. This will be granted with a static IP. To be completely sure, you will need to set static IP assignment also in your home network DHCP service (usually on router). However, many routers are enough smart to identify devices and assign them always the same IP. So, in next screen press enter to confirm.

raspberry pi pivpn server setup 02

In this screen you can see my internal IPs: IP address is my Raspberry PI, Gateway is my router. You should find already your ones. Press ENTER to confirm “no” selection (which will set these IP as static):

raspberry pi pivpn server setup 03

In next screen a confirmation is required for IP configuration. I suggest to configure with static ip address so that you will be sure your RPI will be accessible from same address over reboots. Press ENTER to confirm:

raspberry pi pivpn server setup 04

Next screen is still confirming what was said above and suggests you to arrange same MAC address / static IP address also on router side. This to avoid potential IP conflicts, even if routers are already enough smart (from years) to manage these configurations. Press ENTER to confirm:

raspberry pi pivpn server setup 05

This screen warns that a list of users will be provided to select which one will keep VPN configuration files in its home. Press ENTER to continue:

raspberry pi pivpn server setup 06

Only “pi” user will be available in a fresh Raspberry PI OS installation. Select a different user (if available and if you choose it) or press ENTER to confirm using “pi”:

raspberry pi pivpn server setup 07

In next screen, we need to change selection from default Wireguard to OpenVPN. Use arrow keys from keyboard to move up/down and space bar to select your desired option (OpenVPN to follow this tutorial). Ten press ENTER to confirm:

raspberry pi pivpn server setup 08

In next screen we need to change from default, too. Because of mentioned TLS handshake issues with some routers, select YES (with left arrow key) and confirm pressing ENTER:

raspberry pi pivpn server setup 09_1

OpenVPN packages will be downloaded in this phase. At the end, change default selection to use TCP as in following picture and press ENTER:

raspberry pi pivpn server setup 09_2

In next screen you will be asked to select your VPN port. This will be also the port to configure on router as Port Forwarding. You can leave the default 443, you can also set the OpenVPN default 1194 or choose your favourite port number. I will use 1194. Press ENTER after value insertion:

raspberry pi pivpn server setup 10

In next screen, please confirm port selection by pressing ENTER:

raspberry pi pivpn server setup 11

In next screen, you can select your favourite DNS provider. You can use one of the listed or your custom one. I will use Google, but this choice doesn’t change following steps. After selection, please press ENTER to confirm:

raspberry pi pivpn server setup 12

Now, you are asked to set how clients will contact your VPN server. Using IP address will result in the risk that your Internet Provider could change the IP address your router is visible from internet (unless it is public AND static). Using a free dynamic DNS will enable to refer a more friendly domain name updating itself on IP changes. This dynamic DNS comes from No-IP configuration guide referenced at the start of this tutorial. In next screen change the default selection to YES to add a DNS and press ENTER:

raspberry pi pivpn server setup 12.1

In this screen, please select DNS and press ENTER:

raspberry pi pivpn server setup 13

In next screen, use the registered domain and press ENTER to confirm:

raspberry pi pivpn server setup 14

In next screen, confirm DNS name by pressing ENTER:

raspberry pi pivpn server setup 15

We will use a new OpenVPN client, so confirm YES on next screen:

raspberry pi pivpn server setup 15_1

On the next screen, you can select your favourite certificate size. A longer certificate means improved security, but the default one is a good compromise between performance and security level for home services. Confirm by pressing ENTER:

raspberry pi pivpn server setup 15_2

Also, next screen requires one more confirmation to generate keys:

raspberry pi pivpn server setup 16

In this step an error occurred in my installation:

iptables/1.8.2 Failed to initialize nft: Protocol not supported

However, I continued with installation and everything resulted in being working…

Next screen warns that being your Raspberry PI exposed to the internet, it is safer to setup unattended upgrades. I suggest using it. Confirm by pressing ENTER:

raspberry pi pivpn server setup 17

And choose if enable unattended upgrades. It will confirm yes in my installation:

raspberry pi pivpn server setup 18

Required packages will be downloaded and installed now.

Last two screens will suggest how to create your very first client profile (we’ll see it in a few) and require a reboot. Please confirm both pages:

raspberry pi pivpn server setup 19
raspberry pi pivpn server setup 20

At this point, your OpenVPN is installed. Now, let’s move to configure client profiles sending.

Configure Client Profiles Sending

We’ll send profiles by email. For this purpose, I’ll use Mutt, a text-based email client and I’ll show a basic configuration for using it with a Gmail account. Other email services will require configuring IMAP/SMTP settings according to their provider.

Once Raspberry PI reboot is finished, from terminal type following command:

sudo apt install mutt

You will also need a basic configuration. From your user home, you need to create folders to store cache and an empty file for certificates:

mkdir -p .mutt/cache/headers
mkdir .mutt/cache/bodies

The next step is creating a configuration file for Mutt. From terminal, type:

nano .mutt/muttrc

Use the following lines in this file, caring to change email_username, email_password and User Alias with your ones:

# IMAP settings
set imap_user = [email protected]
set imap_pass = email_password
set spoolfile = imaps://imap.gmail.com/INBOX
set folder = imaps://imap.gmail.com/
set record="imaps://imap.gmail.com/[Gmail]/Sent Mail"
set postponed="imaps://imap.gmail.com/[Gmail]/Drafts"
set mbox="imaps://imap.gmail.com/[Gmail]/All Mail"
set header_cache = "~/.mutt/cache/headers"
set message_cachedir = "~/.mutt/cache/bodies"

# SMTP settings
set smtp_url = "smtp://email_username@smtp.gmail.com:587/"
set smtp_pass = $imap_pass
set ssl_force_tls = yes

# Compose and sending settings
set editor = "nano"
set edit_headers = yes
set charset = UTF-8 # value of $LANG; also fallback for send_charset
unset use_domain
set realname = "User Alias"
set from = "[email protected]"
set use_from = yes

Sending a test email with Mutt client will result in the following terminal command (set [email protected] with your recipient address):

echo "Email test message body" | mutt -s "Subject here" [email protected]

Check your email box and you will find the test message just sent.

Create your First Client Profile

This simple task requires the following terminal command:

pivpn add

Answer questions (keep password set in this step) and complete client profile creation:

raspberry pi pivpn add client

New “.ovpn” files will be created in “/home/pi/ovpns/” folder. These files will be sent to clients to be used in OpenVPN client to connect your server.

You can send it by typing from terminal:

echo "Please find Client Certificate attached" | mutt -s "Client Certificate" [email protected] -a "ovpns/test_Client.ovpn"

Final Checks

Please remember to set your router Port Forwarding rules according to Raspberry PI’s IP address and port number used during PiVPN installation. According to my tutorial variables, you will need to set a port forwarding rule for TCP traffic from external port 1194 to IP port 1194.

Install OpenVPN client on your remote device (it is also available for Android in Google Play Store).

Use sent “.ovpn” file, taking care to use the password set on Client Profile creation.


How useful was this post?

Click on a star to rate it anonymously!

Average rating 4.7 / 5. Vote count: 6

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?