Raspberry PI VPN Server with PiVPN


Raspberry PI can run a number of Linux services that solve common home network management problems cheaply. With a Debian-based OS, it can run open source software that covers many home ICT needs as well as small office needs.

A common need, both to improve network security and to access your home services from outside, is a VPN (Virtual Private Network) server, which grants secure access from an external network to your internal services.

Raspberry PI Zero WH board

A simple way to set up OpenVPN or WireGuard (the 2 most widely known open source VPN services) is the convenient PiVPN setup tool.

In this tutorial I’m going to show you how to set up a VPN server with a cheap Raspberry PI Zero W using PiVPN and send the certificate via email. This guide also applies to newer Raspberry PI boards.

What is a Virtual Private Network

As described in the Wikipedia VPN definition page, “A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across a VPN may therefore benefit from the functionality, security, and management of the private network.”

Before Starting

If you are looking for a VPN, you probably want to reach your VPN server from an external, remote device over the internet.

For this reason you need to check whether your provider gives you a public IP address, and it may be useful to get a DNS record. This topic, and how to get a dynamic DNS, is covered in my How to configure No-IP DUC service in your Raspberry PI tutorial.

You will also need access to your home router to set up port forwarding.

What We Need

As usual, I suggest adding all the needed hardware to your favourite e-commerce shopping cart now, so that at the end you will be able to evaluate overall costs and decide whether to continue with the project or remove the items from the cart. So, hardware will be only:

Check hardware prices with following links:

Amazon raspberry pi boards box
Amazon raspberry pi Zero W box
Amazon Micro SD box
Amazon Raspberry PI Power Supply box

Step-by-Step Procedure

Prepare Operating System

Start by installing the Raspberry PI OS operating system. I suggest installing Raspberry PI OS Lite to have a light (headless) environment. Otherwise, you can also opt for Raspberry PI OS Desktop and work from its internal terminal.

Bring your OS up to date. From terminal:

sudo apt update -y && sudo apt upgrade -y

Install and Configure PiVPN

PiVPN makes VPN installation really easy. In this setup procedure I’ll show you how to install an OpenVPN server. WireGuard uses the same wizard; you opt for it in one of the next screens.

Many of the following steps in the wizard will use the default values. Be careful when selecting between the UDP and TCP protocols: some router models have issues handling the TLS handshake at VPN client connection over UDP. For this reason I suggest using TCP instead.

From command line, use the following to download the installer and start the setup wizard:

curl -L https://install.pivpn.io | bash

It will start the setup process by installing required packages. After this operation, an interactive terminal session will start, as in the following pictures.

The first screen requires a simple confirmation to start the installer steps. Press the ENTER key.
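Instead of piping the download straight into the shell, the installer can be staged on disk, checked and read before it runs. The following is an added example, not part of the original tutorial or of the PiVPN project; the function names and the file name pivpn-install.sh are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial or the PiVPN project.
# Fetch the installer to disk so the bytes you review are the bytes you run.
fetch_installer() {            # usage: fetch_installer URL DEST
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' -o "$2" "$1"
}

# Sanity-check a staged script and print its SHA-256.
# Optional 2nd argument: a hash you recorded yourself after an earlier review
# (the tutorial gives no reference hash, so none is assumed here).
vet_installer() {
    script=$1
    want=${2:-}
    [ -s "$script" ] || { echo "empty or missing: $script" >&2; return 1; }
    # An HTML error page or a truncated download must not reach the shell.
    head -n 1 "$script" | grep -q '^#!' || { echo "no shebang line" >&2; return 1; }
    bash -n "$script" 2>/dev/null || { echo "syntax error (truncated?)" >&2; return 1; }
    got=$(sha256sum "$script" | cut -d' ' -f1)
    if [ -n "$want" ] && [ "$got" != "$want" ]; then
        echo "hash mismatch: $got" >&2
        return 1
    fi
    echo "$got"
}

# Typical session (commented out: needs network and a human review step):
#   fetch_installer https://install.pivpn.io pivpn-install.sh
#   vet_installer pivpn-install.sh && less pivpn-install.sh
#   bash pivpn-install.sh
```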

raspberry pi pivpn server setup 01

The second screen warns you to use a static IP for your Raspberry PI. When you set up port forwarding in your home router, the rule will direct traffic for the selected port from outside (internet) to your RPI IP address. So it is important that the Raspberry PI doesn’t change its IP on reboot, which a static IP guarantees. To be completely sure, you will also need to set a static IP assignment in your home network DHCP service (usually on the router). However, many routers are smart enough to identify devices and always assign them the same IP. So, in the next screen press ENTER to confirm.

raspberry pi pivpn server setup 02

In this screen you can see my internal IPs: IP address is my Raspberry PI, Gateway is my router. You should already find your own values there. Press ENTER to confirm the “no” selection (which will set these IPs as static):

raspberry pi pivpn server setup 03

In the next screen a confirmation is required for the IP configuration. Press ENTER to confirm:

raspberry pi pivpn server setup 04

The next screen again confirms what was said above. Press ENTER to confirm:

raspberry pi pivpn server setup 05

This screen warns that a list of users will be shown, from which you select the one that will keep the VPN configuration files in its home. Press ENTER to continue:

raspberry pi pivpn server setup 06

Only the “pi” user will be available in a fresh Raspberry PI OS installation. Select a different user (if one is available and you prefer it) or press ENTER to confirm using “pi”:

raspberry pi pivpn server setup 07

In the next screen we need to change the selection from the default WireGuard to OpenVPN. Use the arrow keys to move up/down and the space bar to select your desired option (OpenVPN to follow this tutorial). Then press ENTER to confirm:

raspberry pi pivpn server setup 08

In the next screen we need to change from the default, too. Because of the mentioned TLS handshake issues with some routers, select YES (with the left arrow key) and confirm by pressing ENTER:

raspberry pi pivpn server setup 09_1

OpenVPN packages will be downloaded in this phase. At the end, change the default selection to use TCP as in the following picture and press ENTER:

raspberry pi pivpn server setup 09_2

In the next screen you will be asked to select your VPN port. This is also the port to configure on the router for Port Forwarding. You can leave the default 443, set the OpenVPN default 1194, or choose your favourite port number. I will use 1194. Press ENTER after entering the value:

raspberry pi pivpn server setup 10

In the next screen, please confirm the port selection by pressing ENTER:

raspberry pi pivpn server setup 11

In the next screen you can select your favourite DNS provider. You can use one of those listed or a custom one. I will use Google, but this choice doesn’t change the following steps. After selection, please press ENTER to confirm:

raspberry pi pivpn server setup 12

Now you are asked to set how clients will contact your VPN server. Using the IP address carries the risk that your Internet Provider changes the IP address at which your router is visible from the internet (unless it is public AND static). Using a free dynamic DNS lets you refer to a friendlier domain name that updates itself on IP changes. This dynamic DNS comes from the No-IP configuration guide referenced at the start of this tutorial. In the next screen change the default selection to YES to add a DNS and press ENTER:

raspberry pi pivpn server setup 12.1

In this screen, please select DNS and press ENTER:

raspberry pi pivpn server setup 13

In the next screen, enter the registered domain and press ENTER to confirm:

raspberry pi pivpn server setup 14

In the next screen, confirm the DNS name by pressing ENTER:

raspberry pi pivpn server setup 15

We will use a new OpenVPN client, so confirm YES in the next screen:

raspberry pi pivpn server setup 15_1

In the next screen you can select your favourite certificate size. A longer certificate means improved security, but the default one is a good compromise between performance and security level for home services. Confirm by pressing ENTER:

raspberry pi pivpn server setup 15_2

The next screen also requires one more confirmation to generate keys:

raspberry pi pivpn server setup 16

In this step an error occurred in my installation:

iptables/1.8.2 Failed to initialize nft: Protocol not supported

However, I continued with the installation and everything turned out to be working…

The next screen warns that, since your Raspberry PI is exposed to the internet, it is safer to set up unattended upgrades. I suggest using them. Confirm by pressing ENTER:

raspberry pi pivpn server setup 17

And choose whether to enable unattended upgrades. I will confirm yes in my installation:

raspberry pi pivpn server setup 18

Required packages will be downloaded and installed now.

The last two screens will suggest how to create your very first client profile (we’ll see it in a moment) and require a reboot. Please confirm both pages:

raspberry pi pivpn server setup 19
raspberry pi pivpn server setup 20

At this point your OpenVPN is installed. Now, let’s move on to configuring how client profiles are sent.

Configure Client Profiles Sending

We’ll send profiles by email. For this purpose, I’ll use Mutt, a text-based email client, and I’ll show a basic configuration for using it with a Gmail account. Other email services will require configuring IMAP/SMTP settings according to the provider.

Once the Raspberry PI reboot is finished, type the following command from terminal:

sudo apt install mutt

You will also need a basic configuration. From your user home, you need to create folders to store cache and an empty file for certificates:

mkdir -p .mutt/cache/headers
mkdir .mutt/cache/bodies

The next step is creating a configuration file for Mutt. From terminal, type:

nano .mutt/muttrc

Use the following lines in this file, taking care to replace email_username, email_password and User Alias with your own:

# IMAP settings
set imap_user = email_username@gmail.com
set imap_pass = email_password
set spoolfile = imaps://imap.gmail.com/INBOX
set folder = imaps://imap.gmail.com/
set record="imaps://imap.gmail.com/[Gmail]/Sent Mail"
set postponed="imaps://imap.gmail.com/[Gmail]/Drafts"
set mbox="imaps://imap.gmail.com/[Gmail]/All Mail"
set header_cache = "~/.mutt/cache/headers"
set message_cachedir = "~/.mutt/cache/bodies"

# SMTP settings
set smtp_url = "smtp://email_username@smtp.gmail.com:587/"
set smtp_pass = $imap_pass
set ssl_force_tls = yes

# Compose and sending settings
set editor = "nano"
set edit_headers = yes
set charset = UTF-8 # value of $LANG; also fallback for send_charset
unset use_domain
set realname = "User Alias"
set from = "email_username@gmail.com"
set use_from = yes
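
Because this file keeps the mail password in clear text and sends over STARTTLS, it is worth checking its permissions and TLS setting once it is saved. The function below is an added example, not part of the original tutorial; audit_muttrc and its finding labels are names chosen here for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Audit a muttrc that carries mail credentials. Prints one finding per line;
# returns 0 when clean, 1 when something was found, 2 when the file is missing.
audit_muttrc() {
    muttrc=$1
    findings=0
    [ -f "$muttrc" ] || { echo "MISSING: $muttrc"; return 2; }

    # imap_pass sits in this file, so group and others must not read it.
    mode=$(stat -c '%a' "$muttrc")
    case $mode in
        600|400) ;;
        *) echo "PERMS: mode $mode, run: chmod 600 $muttrc"; findings=1 ;;
    esac

    # A literal password (not a $variable or a `command`) is stored in clear.
    if grep -Eq '^[[:space:]]*set[[:space:]]+(imap|smtp)_pass[[:space:]]*=[[:space:]]*[^$`[:space:]]' "$muttrc"; then
        echo "SECRET: literal password in file; use a revocable app password"
        findings=1
    fi

    # smtp:// on port 587 is only encrypted after STARTTLS; without
    # ssl_force_tls a session where STARTTLS is not offered stays in clear.
    if grep -Eq '^[[:space:]]*set[[:space:]]+smtp_url[[:space:]]*=[[:space:]]*"?smtp://' "$muttrc" &&
       ! grep -Eq '^[[:space:]]*set[[:space:]]+ssl_force_tls[[:space:]]*=[[:space:]]*yes' "$muttrc"; then
        echo "TLS: smtp:// URL without 'set ssl_force_tls = yes'"
        findings=1
    fi
    return "$findings"
}
```

Run it as audit_muttrc ~/.mutt/muttrc; with the configuration shown above and default file permissions it reports PERMS and SECRET.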

Sending a test email with the Mutt client is done with the following terminal command (replace email@example.com with your recipient address):

echo "Email test message body" | mutt -s "Subject here" email@example.com

Check your mailbox and you will find the test message just sent.

Create your First Client Profile

This simple task requires the following terminal command:

pivpn add

Answer the questions (keep the password set in this step) and complete client profile creation:

raspberry pi pivpn add client

New “.ovpn” files will be created in the “/home/pi/ovpns/” folder. These files will be sent to clients, to be used in the OpenVPN client to connect to your server.

You can send it by typing from terminal:

echo "Please find Client Certificate attached" | mutt -s "Client Certificate" email@example.com -a "ovpns/test_Client.ovpn"
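
The mailed profile carries the client's private key, so the password set during "pivpn add" is what protects it in the recipient's mailbox. The following added example (not part of the original tutorial) refuses to mail a profile whose key is not passphrase-encrypted; it assumes the key is embedded inline in a <key> block, and the function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Classify the private key embedded in an OpenVPN inline profile.
# Prints encrypted | plaintext | no-inline-key; returns 0 only for "encrypted".
ovpn_key_state() {
    profile=$1
    # Lines between <key> and </key> (assumed inline-file layout of the profile)
    keyblock=$(sed -n '/^<key>/,/^<\/key>/p' "$profile" 2>/dev/null) || keyblock=""
    case $keyblock in
        "")
            echo "no-inline-key"; return 2 ;;
        *"BEGIN ENCRYPTED PRIVATE KEY"*)
            echo "encrypted"; return 0 ;;      # PKCS#8 with a passphrase
        *"Proc-Type: 4,ENCRYPTED"*)
            echo "encrypted"; return 0 ;;      # legacy PEM encryption header
        *"PRIVATE KEY"*)
            echo "plaintext"; return 1 ;;      # usable by anyone who reads the mail
        *)
            echo "no-inline-key"; return 2 ;;
    esac
}

# Mail the profile only when its key is passphrase-protected.
# Same mutt invocation as in the tutorial; profile path and recipient are
# supplied by the caller.
mail_profile() {
    profile=$1
    rcpt=$2
    state=$(ovpn_key_state "$profile") || {
        echo "refusing to mail $profile: key is $state" >&2
        return 1
    }
    echo "Please find Client Certificate attached" |
        mutt -s "Client Certificate" "$rcpt" -a "$profile"
}
```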

Final Checks

Please remember to set your router Port Forwarding rules according to the Raspberry PI’s IP address and port number used during PiVPN installation. With my tutorial values, you will need to set a port forwarding rule for TCP traffic from external port 1194 to IP 192.168.1.78 port 1194.

Install the OpenVPN client on your remote device (it is also available for Android in the Google Play Store).

Use the “.ovpn” file you sent, taking care to use the password set at Client Profile creation.

Enjoy!
