The Raspberry Pi device has proven to be a very useful “beginners tool” for aspiring programmers, engineers, and hobbyists who are looking for a low cost, but good quality, piece of hardware with which to experiment.
However, when coupled with the highly capable Raspberry Pi OS (formerly known as Raspbian), this device can do nearly anything that any Linux-enabled computer can do. The focus of this article is to demonstrate how a less-than-$50 Raspberry Pi device can be used as an OpenVPN Server, which will allow for secure remote connections into a private network. The Raspberry Pi device already has all the needed hardware built right in, so hitting the ground running is a quick and metaphorically painless process.
Benefits of Raspberry Pi for Developers
The single greatest benefit of using a Raspberry Pi device for this purpose is the cost. The device used for this article, along with the case, Micro SD card, and a few accessories all came to around US$100 – and even that can be pared down significantly, if needed.
Another major benefit of this setup is leveraging the security that Linux provides. Like all modern distributions of Linux, the Raspberry Pi OS is regularly updated with security-related patches that will mitigate concerns related to security. This allows for the end user to update and patch the software as needed. Contrast this to many routers which offer built-in VPN Server functionality. End users using that functionality are at the mercy of their router manufacturer for these updates, and they may not be timely. On top of that, if there really is a major security problem related to OpenVPN or the Raspberry Pi OS, unplugging it from the network will stop the threat without disrupting other users of the network.
Getting Started with Raspberry Pi OpenVPN Server
The following hardware was used for this demonstration:
- Raspberry Pi 4 with 4GB of RAM
- A 64GB Micro SD Card and a suitable reader/writer for the same
- A router or gateway that allows for port forwarding
The Raspberry PI OS can be written to the Micro SD Card using an installer that is provided by the Raspberry Pi website at https://www.raspberrypi.com/software/. Once the OS is written to the card, it can then be configured on the Raspberry Pi device by inserting the card into the device, powering it on, and then following the on-screen prompts to complete the configuration. The software is not being “installed”, because it runs right off of the Micro SD Card directly. Once the configuration is complete, the software boots right into the Raspberry Pi OS graphical interface. All of the commands are entered using the Terminal.
This demonstration is also built on the assumption that the Internet Service Provider allows for inbound connections on high-numbered ports. Most residential internet providers universally – and many business internet providers by default – block inbound connections on most low-numbered ports, but impose no such restriction on higher numbered ports (typically 50000 and over).
Downloading the OpenVPN Server Installer
The OpenVPN Server is maintained via a public GitHub repository. To download it, use the command:
[email protected]:~ $ wget https://git.io/vpn -O openvpn-install.sh
Note that this file will be downloaded to the Pi user’s home directory and all of the further work will be done from this directory.
Figure 1 – Downloading the Installation Script
Raspberry Pi OpenVPN Server Security Considerations
Before beginning the OpenVPN Server installation, it is critical that some very generous default settings in the installation script be corrected. For instance, the default validation period for both the server and client OpenVPN SSL certificates is ten years. This clearly is not acceptable, even for an experimental endpoint setup, much less a production setup.
As the openvpn-install.sh script has the ten year interval hardcoded as 3650 days, the easiest way to correct this is to open the openvpn-install.sh script in a text editor and search for all instances of “3650” being used as a certificate expiration timeline and change them as encountered. This demonstration will use the following expiration timelines:
- Server – 400 days
- Individual Clients – 30 days
These, of course, can be suited to individual tastes, but it is better to err on the conservative side “just in case.”
Note that the value for EASYRSA_CRL_DAYS is not used for SSL certificate expiration date lengths and it does not need to be modified.
The first two figures below pertain to the initial installation of OpenVPN:
Figure 2 – Before Making Changes – Default Server and First client File Expiry is Ten Years!
Figure 3 – After Making Changes – Default Server and First client File Expiry are more reasonable
These next two figures pertain to the creation of new clients:
Figure 4 – Default Expiry for new clients is also Ten Years!
Figure 5 – Default Expiry for new clients is more reasonable
Other Considerations for OpenVPN
Beyond the SSL Certificate expiration length, it is also critical that the system time be correctly configured on the Raspberry Pi device. This includes the time zone, the time itself, and whether or not the time itself is updated automatically (it should be!). The Raspberry Pi OS does a good job at making sure that the system time is properly configured, but if this demonstration is being used for another Linux distribution, this may not be the case.
Lastly, the Raspberry Pi OS should be updated as per any other Linux distribution:
[email protected]:~ $ sudo apt update && sudo apt upgrade
Installing OpenVPN on Raspberry Pi
It is likely that the installation script itself is not executable, this can be addressed with a chmod invocation:
[email protected]:~ $ chmod +x openvpn-install.sh
Once the proper permissions are set, the installation script can be invoked. It must be run as root:
[email protected]:~ $ sudo ./openvpn-install.sh
Server Remote IP
The first prompt asks to confirm the router’s public IP address. There should be no need to change this, however if the network uses some sort of dynamic addressing for its external address, then using a Dynamic DNS service to map the current IP to a hostname, and then entering that hostname in this prompt, might be a consideration. If one simply wishes to use the current IP address as-is, then just confirm the existing entry.
Figure 6 – Remote IP Entry with Current IP Pixelated Out
For the protocol selection this should almost always be set to UDP (User Datagram Protocol). In some instances, an Internet Service Provider may block inbound UDP, and if so, then TCP will need to be selected. Using TCP over UDP incurs a performance hit.
Figure 7 – Protocol Selection
While it is possible that the default port of 1194 may be open, it is likely that a higher numbered port will need to be chosen. Note the use of 51194 for the port. Additionally, the router or gateway that provides the Internet Connection will need to be configured to forward port 51194 to the internal IP address of the Raspberry Pi device.
Figure 8 – Server Port Selection
If the remote network has its own DNS which resolves internal domain names, then it may be ideal to use the “Current system resolvers” option for this selection. Otherwise, Google or OpenDNS are reliable alternatives.
Figure 9 – DNS Selection
First Client Naming
This is a free-form text entry. It will also be the name of the OVPN file used by the client for connection purposes. This client will be called “Testing4Pi”.
Figure 10 – First Client Naming
Upon entering this and pressing enter, the automated part of the installation will begin and end on its own:
Figure 11 – Prior to start of the automated part of the installation
Once the process completes, the updated lengths for the Server Expiry and Client Expiry can both be verified. The server expiry is in the red circle and the client expiry is in the blue circle:
Figure 12 – The completed process, with expiry dates highlighted.
Accessing the VPN
Once the process is complete, a client OVPN file will be created in the /root directory of the device. It should be moved to your home directory before it is transferred to a client device:
[email protected]:~ $ sudo mv /root/Testing4Pi.ovpn .
Note that the openvpn-install.sh script can be run repeatedly should more OVPN client files are needed or as the existing ones expire.
Once the client OVPN file is accessible, it needs to be transferred to the device which will be using it to connect. One easy way to do this is to copy the file to Google Drive from the Server and then download it from the same using the client. The OVPN file can then be imported into an OpenVPN Client App on the remote device.
OpenVPN Raspberry Pi Server Maintenance
Use the command sudo systemctl status [email protected] to check if the service is running. And, while it may be tempting to substitute the name of the server in “server.service,” this is not correct.
Figure 13 – The Server Status
Stopping the Server
The command sudo systemctl stop [email protected] will stop the server.
Starting the Server
The command sudo systemctl start [email protected] will start the server. To restart the server, use restart in place of start. Note that, in the Raspberry Pi OS, OpenVPN will be enabled at boot as well. This may not be true for other Linux distributions. The startup disposition of this service can be managed like any other systemd-based service.
The openvpn-install.sh script provides an interface to easily revoke access to the server. Simply invoke it as root and the following screen will appear:
Figure 14 – Client Access Revocation
Use the second menu option and then specify the client to revoke. Note that revocation is irreversible and a client will need a new client OVPN file if access is needed once again.
Conclusion to Raspberry Pi OpenVPN Server Tutorial
The Raspberry Pi, along with the Raspberry Pi OS, both show their extensive utility with their support for the OpenVPN Server. A user with introductory level Linux knowledge can leverage this functionality to create a robust and secure OpenVPN Server to obtain access to a private internal network at low cost, but with maximal utility.