
How to install your own VPN server on Raspberry Pi? (OpenVPN)

Nowadays, we have more and more multimedia devices at home.
In my case, I have: file shares, Raspberry Pi devices for specific projects, home automation and computers.
Did you already ask yourself how to access them while not at home?
It’s possible if you set up a VPN server, even on a Raspberry Pi.

To host a VPN server on Raspberry Pi, the best service is OpenVPN.
It allows using home resources from anywhere via an app.
The app is available on any operating system, even on smartphones

I’ll explain what a VPN is, how it works and how to install it on a Raspberry Pi step-by-step
If you’re familiar with VPN topics, use the table of contents below to move directly to the step you are interested in.

Warning: There are now easier ways to install OpenVPN on Raspberry Pi, I highly recommend reading this article first.

What’s a VPN?

Before going further, let’s start with a few reminders about VPN

Introduction

VPN stands for Virtual Private Network
And that’s exactly what it is. When connected to a VPN, it’s as if you were on a private network between you and the VPN server

The main goal of a VPN is to encapsulate your data in a secure tunnel between you and the VPN server

Let’s take an example
If you share a web server at home with port forwarding (public_ip:80 => local_ip:80), data could be accessible to hackers, as it flows in clear text over the network (man-in-the-middle attacks are possible)
If you use a VPN server on your Raspberry Pi, data flows in the secure tunnel, so nobody can decrypt it

The goal of this tutorial is to create a secure tunnel between you (from anywhere in the world) and your local network at home


How it works

I won’t bother you with details concerning data encryption technology
But here is what you need to know:

  • We need to install new software on the client computer to encrypt data
  • On this client, we also have keys coming from the server to encrypt data in a way that only the VPN server can understand
  • In the client configuration, we’ll tell the software to connect to the VPN server public IP address
  • When the encrypted data arrives at the VPN server, the server software will decrypt it and know what to do with it
  • Same thing for packets coming from the home network to the VPN client

So we don’t need a lot of things, just to install software on each side of your secure tunnel


OpenVPN

OpenVPN is the free software we’ll use to do this
It provides client and server parts, for all operating systems

More precisely, we need to install:

  • OpenVPN server, on our Raspberry Pi at home
  • OpenVPN client, on our laptop computer or smartphone, to access home resources from anywhere

How to install OpenVPN on Raspberry Pi

You now understand how it works and what we need to do
Let’s go to the technical part!

Install OpenVPN Server on Raspberry Pi

Prerequisites

Here is what you need to start this guide:

  • A Raspberry Pi (tested on Zero, so any model should work)
  • Raspbian installed (Follow this tutorial to install Raspbian if not already done)
  • Administrator access to your Internet router or firewall (for port forwarding)
  • A static public IP address if possible or a dynamic host (I don’t have a static IP, so I’m using No-IP)
    Here is a detailed tutorial on how to use No-IP if you are interested.

Install OpenVPN

Let’s move to the OpenVPN installation procedure:

  • I recommend switching to the root user because you’ll type a lot of commands in this procedure that need root privileges
    sudo su
  • Start by updating your system
    apt update
    apt upgrade
  • Install the OpenVPN package
    apt install openvpn
  • Extract the sample configuration file to the OpenVPN folder
    gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
  • Edit this file
    nano /etc/openvpn/server.conf
  • Make these changes
    • Uncomment this line
      push "redirect-gateway def1 bypass-dhcp"
    • Comment out this one (we don’t need TLS authentication for the first try)
      ;tls-auth ta.key 0
    • Edit the DNS server to fit your needs
      push "dhcp-option DNS 8.8.8.8"

      In my case, I’m using the Google DNS Server (8.8.8.8) but set what you want
      Keep the default option if you don’t know what it is
      You can also set a second DNS server in the line above

    • Uncomment the user and group options
      user nobody
      group nogroup
  • Save and exit (CTRL+O, CTRL+X)

We’ll come back to this configuration file later, for the moment it’s fine
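To check the server.conf edits made above, here is an added example (not part of the original tutorial; the function names are illustrative). It reads a config file, ignores lines commented with # or ;, and reports whether the privilege drop, tls-auth, the gateway redirect and the DNS push are active. The sample config is constructed to mirror the edits above.

```sh
#!/bin/sh
# Added example: audit the server.conf directives edited in this section.
# The sample input below is constructed; function names are illustrative.

# Print only active lines: OpenVPN ignores lines starting with '#' or ';'.
active_lines() {
    grep -Ev '^[[:space:]]*([#;]|$)' "$1"
}

# has_directive FILE ERE -> 0 if an active line matches the pattern.
has_directive() {
    active_lines "$1" | grep -Eq "$2"
}

# audit_server_conf FILE -> prints one line per check and returns the
# number of warnings (0 means nothing to fix).
audit_server_conf() {
    conf=$1
    warnings=0
    if has_directive "$conf" '^[[:space:]]*user[[:space:]]+nobody' &&
       has_directive "$conf" '^[[:space:]]*group[[:space:]]+nogroup'; then
        echo "OK    daemon drops privileges to nobody/nogroup"
    else
        echo "WARN  user/group still commented: daemon keeps root after startup"
        warnings=$((warnings + 1))
    fi
    if has_directive "$conf" '^[[:space:]]*tls-auth[[:space:]]'; then
        echo "OK    tls-auth enabled (HMAC on control-channel packets)"
    else
        echo "WARN  tls-auth disabled: fine for a first try, re-enable it with a ta.key afterwards"
        warnings=$((warnings + 1))
    fi
    if has_directive "$conf" '^[[:space:]]*push[[:space:]]+"redirect-gateway'; then
        echo "INFO  clients send all their traffic through the tunnel"
    else
        echo "INFO  redirect-gateway is not pushed"
    fi
    dns=$(active_lines "$conf" |
        sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option DNS \([^"]*\)".*/\1/p' |
        tr '\n' ' ')
    echo "INFO  DNS pushed to clients: ${dns:-none}"
    return "$warnings"
}

# Demo on a constructed config that mirrors the edits made above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
port 1194
proto udp
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
;tls-auth ta.key 0
user nobody
group nogroup
EOF
audit_server_conf "$sample" || echo "=> $? warning(s)"
rm -f "$sample"
```

On the Raspberry Pi, call audit_server_conf /etc/openvpn/server.conf after saving the file.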

Allow IP Forwarding

By default, Linux doesn’t allow IP forwarding
As our Raspberry Pi will be the router between VPN clients and the local network, we have to enable it

  • Paste this command to enable it immediately
    echo 1 > /proc/sys/net/ipv4/ip_forward
  • Then open this file to enable it on boot
    nano /etc/sysctl.conf
  • Uncomment this line
    net.ipv4.ip_forward=1
  • Save and exit (CTRL+O, CTRL+X)

Your Raspberry Pi can now act as a router

Configure Easy-RSA

The next step is to generate all the keys on the server side to secure the connection
Easy-RSA will help us with this part

  • Copy Easy-RSA files to the OpenVPN configuration folder
    cp -r /usr/share/easy-rsa/ /etc/openvpn
  • Create a new sub-folder for the keys
    mkdir /etc/openvpn/easy-rsa/keys
  • Edit the vars file to set your preferences
    nano /etc/openvpn/easy-rsa/vars
    • Change or add the KEY_CONFIG option to use this syntax instead
      export KEY_CONFIG=$EASY_RSA/openssl-1.0.0.cnf

      I had issues with this line, this one works with my 1.1.0j OpenSSL version
      If you have another version, check in the easy-vars/ folder if you have a file closer to your version, and edit this line

    • Fill the other KEY options with your own information, for example:
      export KEY_COUNTRY="US"
      export KEY_PROVINCE="CA"
      export KEY_CITY="Los Angeles"
      export KEY_ORG="Raspberry Tips"
      export KEY_EMAIL="email@domain.com"
      export KEY_OU="Raspberry Tips"
    • Then set the KEY_NAME like this
      export KEY_NAME="server"

      This is just for the key file name

  • Save and exit (CTRL+O, CTRL+X)

Once the vars file is properly set, we can start generating the keys

Generate SSL keys

Now we use dhparam to generate the Diffie-Hellman file

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

This may take a long time (One hour on Pi Zero!)
Then we move to the last steps with the server keys generation

  • Make sure you’re still in the easy-rsa folder (and using root)
    cd /etc/openvpn/easy-rsa
  • Run the initialization step
    ./easyrsa init-pki
  • Build CA
    ./easyrsa build-ca
  • If it works, fine, you’re lucky
    In my test, I got errors about files missing in the keys sub-folder
    Copying them from the examples directory fixed this issue

    cp /usr/share/doc/openvpn/examples/sample-keys/sample-ca/index.txt keys/
    cp /usr/share/doc/openvpn/examples/sample-keys/sample-ca/index.txt.attr keys/
    cp /usr/share/doc/openvpn/examples/sample-keys/sample-ca/serial keys/

    Then redo the previous command and it should be fine

  • Generate the server keys with:
    ./easyrsa gen-req hakase-server nopass
  • And sign it with:
    ./easyrsa sign-req server hakase-server
  • Leave all fields at their defaults, and the password and company name empty
    Answer yes to both questions

That’s it, the work is almost done
We just need to move the keys to the OpenVPN configuration folder and start the service

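  • Copy the keys under the configuration folder (Easy-RSA 3 writes them under pki/, and server.conf expects the names ca.crt, server.crt and server.key)
    cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/ca.crt
    cp /etc/openvpn/easy-rsa/pki/issued/hakase-server.crt /etc/openvpn/server.crt
    cp /etc/openvpn/easy-rsa/pki/private/hakase-server.key /etc/openvpn/server.key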
  • Start (or restart) the service
    service openvpn start
  • Check if everything seems ok
    service openvpn status

Wow, good work
You’ve finished the server part, we now need to create the client configuration

Install OpenVPN on a Client

The remote client also needs keys to secure the connection with the server
We’ll create them now

  • It’s like what we did for the server, run these commands to start:
    cd /etc/openvpn/easy-rsa/
    ./easyrsa gen-req client1 nopass
    ./easyrsa sign-req client client1

    Keep all the default values (hit enter for each question)
    And answer yes for the two last questions

  • Then copy the sample configuration file
    cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
  • Edit this file to set your network preferences
    nano /etc/openvpn/easy-rsa/keys/client.ovpn
  • Find this line
    remote your_server_ip 1194
  • Edit with your static public IP address, or your dynamic host name
    For example:

    remote myhost.ddns.net 1194
  • Uncomment user and group
    user nobody
    group nogroup
  • Save and exit

The client configuration is almost ready

Create a unified configuration file

You can directly use all the generated files (client.ovpn with ca.crt, client.crt, client.key)
But I prefer to have only one file with all the keys inside, it’s easier to import it on the client (especially for smartphones)

To do this, follow this procedure:

  • Open the configuration file again
  • Comment out these lines
    ;ca ca.crt
    ;cert client.crt
    ;key client.key
    ;tls-auth ta.key 1
  • Save and exit
  • Then run these commands to integrate the keys inside (Easy-RSA 3 stores the CA, the issued certificate and the private key under pki/)
    echo '<ca>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
    cat /etc/openvpn/easy-rsa/pki/ca.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
    echo '</ca>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
    echo '<cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
    cat /etc/openvpn/easy-rsa/pki/issued/client1.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
    echo '</cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
    echo '<key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
    cat /etc/openvpn/easy-rsa/pki/private/client1.key >> /etc/openvpn/easy-rsa/keys/client.ovpn
    echo '</key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

And it’s ready
I’ll show you in the next section how to use this configuration file on any device
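The unified profile described in this section can also be built by one function, shown here as an added example (not part of the original tutorial; function names are illustrative and the input files in the demo are constructed placeholders, not real keys). It keeps only the PEM blocks, because certificates issued by Easy-RSA begin with a human-readable dump, and it creates the profile readable by its owner only, since it embeds the client's private key.

```sh
#!/bin/sh
# Added example: build a unified client profile from a template and PEM files.
# Function names are illustrative; the demo inputs are constructed placeholders.

# Print only the PEM block(s) of FILE, dropping any text dump around them.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn TEMPLATE CA CERT KEY OUT -> writes OUT, returns non-zero on error.
build_ovpn() {
    template=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$template" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 1; }
    done
    # Refuse to continue if the key argument is not a PEM private key
    # (catches swapped cert/key arguments before anything is written).
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "$key does not look like a PEM private key" >&2; return 1; }
    (
        umask 077               # owner-only from the moment the file exists
        tmp="$out.tmp.$$"
        {
            # Drop the file-based ca/cert/key lines (inline blocks replace
            # them) and tls-auth, which this tutorial disabled on the server.
            sed -E '/^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]/d' "$template"
            echo '<ca>';   pem_only "$ca";   echo '</ca>'
            echo '<cert>'; pem_only "$cert"; echo '</cert>'
            echo '<key>';  pem_only "$key";  echo '</key>'
        } > "$tmp" && mv "$tmp" "$out"
    )
}

# Demo with constructed placeholder files.
d=$(mktemp -d)
printf '%s\n' 'client' 'remote myhost.ddns.net 1194' \
    'ca ca.crt' 'cert client.crt' 'key client.key' > "$d/client.conf"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0E=' \
    '-----END CERTIFICATE-----' > "$d/ca.crt"
printf '%s\n' 'Certificate:' '    Data: text dump' \
    '-----BEGIN CERTIFICATE-----' 'Q0xJRU5U' \
    '-----END CERTIFICATE-----' > "$d/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZ' \
    '-----END PRIVATE KEY-----' > "$d/client1.key"
build_ovpn "$d/client.conf" "$d/ca.crt" "$d/client1.crt" "$d/client1.key" \
    "$d/client.ovpn" && cat "$d/client.ovpn"
rm -rf "$d"
```

Run it once per client with that client's certificate and key to get one .ovpn file per device.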

Port forwarding

As you may have seen in the server.conf, the OpenVPN server is listening on the port 1194
To access it from another location, you need to enable port forwarding in your Internet router configuration
That’s to say, redirect <your_public_ip>:1194 to <your_raspberry_ip>:1194

I can’t help you more about this, it all depends on your router software
You’ll often find a NAT configuration page in the advanced options
Ask your Internet provider support if you don’t know how to do this

More details here if it’s unclear for you.


Client installation

OpenVPN is available for all devices with any operating system, even smartphones
Don’t forget, you need to be out of the local network to test the connection
Use a mobile connection while testing

Desktop

On desktop devices, OpenVPN is available for free from the community section of the official website
You’ll find downloads for Linux or Windows

For both operating systems, you need to transfer the client.ovpn file from the Raspberry Pi to the computer (use WinSCP or Filezilla to do this)

For Windows
  • Download the file from the OpenVPN website
  • Install it following the setup wizard
  • Find the OpenVPN GUI in the start menu and launch it
  • Right click on the icon in the notification panel
  • Select “Import file” and select the client.ovpn file
For Linux
  • You have two choices for the installation:
    • With a Debian like distribution: use apt to install OpenVPN
      apt install openvpn

      On a Redhat like distribution, you can use yum the same way

    • For other cases, download the sources from the official website, and follow the documentation
  • Then to connect you also have two choices
    • With desktop distributions, look in your network manager if you have a VPN tab to set the configuration
    • Or use the command line
      sudo openvpn client.ovpn

I don’t have a Mac to give you the procedure on Mac OS
I’ll let you follow this documentation from OpenVPN

Android / iOS

On your smartphone, you can find the “OpenVPN Connect” app in the Android or iOS app store
Install it, then go to “OVPN profile” and import your client configuration file

The easiest way is to send the file to yourself by email and download it from your email client
Then browse your local storage to the Downloads folder, and import the file

Note about network routing

Once connected from a remote device, you can access the Raspberry Pi hosting the VPN server
But you may not be able to access other devices on your local network

Your local network differs from the VPN clients network
In my case, my local network is 192.168.1.0, and my VPN network is 10.8.0.0 (default)


A can see the Raspberry Pi, and so can B, but A cannot see B
In fact, local devices don’t know how to talk to VPN clients
You need to create a route between them, to tell them that 10.8.0.0 is accessible through the Raspberry Pi

If the main router on your local network can do this, add a static route
If not, you need to add this route on every device in your local network

On Linux/Mac:

route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.18

Change the values to match your server.conf settings

On Windows:

route -p ADD 10.8.0.0 MASK 255.255.255.0 192.168.1.18

This solution is fine if you only have computers or servers to access through the VPN connection
But for other devices I didn’t look for a solution (if you know how to do this in another way, please leave a comment in the community)


Related questions

Is it possible to use it in the other way, to secure the outgoing traffic? Not really. There is a way to use your Raspberry Pi as an anonymizer gateway using Tor or any VPN offer in the market. But it has nothing to do with what we did. It’s another project where the Raspberry Pi will be the client, not the server

Is it possible to have multiple clients? Yes absolutely. You just need a new configuration file and keys for each client. Repeat the client configuration steps above to generate multiple ovpn files.


Conclusion

Congratulations if you made everything work as expected
It was not an obvious tutorial, but it’s a good achievement in your Raspberry Pi learning 🙂

Ask questions if you get issues somewhere, I’ll try to help you



27 Comments

  1. Hello, I’m having trouble accessing the directory containing the ovpn file. When I try to open the “keys” folder in the raspberry pi file manager I get an error message saying permission denied. Any suggestions? Thank you.

    1. Hi Henry,

      Try to use sudo in command line: sudo nano filename

      Let me know if it works

  2. root@raspberrypi:/etc/openvpn/easy-rsa# ./build-ca
    grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
    pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
    version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
    The correct version should have a comment that says: easy-rsa version 2.x

    No matter how many times I do the fix and that, doesn’t want to play ball 🙁

  3. I can’t connect to my vpn server, it says “TLS handshake failed”? Please, any possible answers? Thank you…

  4. Hello,

    I’m trying to run . ./vars and I get the following:

    This is no longer necessary and is disallowed. See the section called
    ‘How to use this file’ near the top comments for more details.

    I read the file but I am a beginner with this and the file doesn’t say how to initialise vars
    Thanks

    1. Hi Daniel,

      Thanks for your feedback

      I will try this soon and edit it if I have a solution

      Let us know if you find something
      Patrick

      1. Hello
        I also have the same error message, did you find a solution,
        I can’t find anything on the other sites
        meci

  5. sorry it should be English
    ./clean-all doesn’t work. cp /usr/share/doc/openvpn/examples/sample-keys/ in Raspbian Buster looks like this: ca.crt, ca.key, server.key, ta.key etc. and zip-file gen-sample-kexs.sh.gz and other
    sample-ca/index.txt keys/ doesn’t exist
    what should i copy and where does it go to make ./clean-all and ./build-ca work.
    RPI 3B and Raspbian Buster
    Thanks

  6. ok, i found the examples in /usr/share/easy-rsa/ and i copied them.
    still the same problem ./clean-all folder or file not found.

    1. Hi errut,

      I will try to install it soon, if nobody has the solution before that

      Patrick

  7. Thanks for the article. Just a minor, but important observation: The phrase “comment out” means “to remove so that it takes no effect”. However, you use the phrase in the opposite manner throughout your article.

  8. Hello,
    I have updated the post with the new commands (they have changed with EasyRSA 3)
    Let me know if you still have some issues with this tutorial
    Patrick

  9. Hello, what about using raspberry pi as an openvpn client? I installed an openvpn server on Ubuntu 16.04 server for 3 clients including a raspberry pi.

    The problem is that every day at 5am, I see that openvpn has restarted on all clients (at the same time on all) and two restarted but pi didn’t start with openvpn, so I need to unplug it from source and reconnect for openvpn to work on it again.

    I wonder if the openvpn server by default restarts every day at 5am or I have to configure to be able to do this or not? or if I have to do something so that pi reconnects when openvpn restarts on the server?

    Note: when running openvpn on pi when there is a reboot, I’ve already set it up because whenever I unplug it and plug it back in, everything works normally. The problem for me is the openvpn server shutting down to clients everyday at 5am and pi don’t reconnect alone. Thank you very much

  10. I just tried on Raspbian Buster and the commands no longer work once you get to
    nano /etc/openvpn/easy-rsa/vars
    There is no such file. From then on it is just totally screwed up. None of the other commands are able to be executed or completed. Please either fix this or take it down. I wasted hours trying to figure this out.

    1. Hello Ryan,

      This tutorial is working perfectly on buster

      You create the “/etc/openvpn/easy-rsa/vars” file so it’s normal that it doesn’t exist
      Just create it and fill it with the lines below (those starting by export …)

  11. HI

    ./easyrsa gen-req client1 nopass doesn’t generate client1.crt file.
    only after I run ./easyrsa sign-req client1 I got client1.crt.

    Is that correct?

  12. Hi,

    Sorry for noob’s question 🙂

    On this step:
    ./easyrsa init-pki
    There’s no file easyrsa

    What I see in the folder “easy-rsa” is:
    build-ca build-key-server list-crl sign-req
    build-dh build-req openssl-0.9.6.cnf vars
    build-inter build-req-pass openssl-0.9.8.cnf whichopensslcnf
    build-key clean-all openssl-1.0.0.cnf
    build-key-pass inherit-inter pkitool
    build-key-pkcs12 keys revoke-full

    Can you pls help with it?

  13. Dear Patrick,
    I can’t get any keys generating at …/keys
    I see finally
    Keypair and certificate request completed. Your files are:
    req: /etc/openvpn/easy-rsa/pki/reqs/hakase-server.req
    key: /etc/openvpn/easy-rsa/pki/private/hakase-server.key
    and
    Write out database with 1 new entries
    Data Base Updated
    Certificate created at: /etc/openvpn/easy-rsa/pki/issued/hakase-server.crt
    – that’s all
    So the keys directory is empty

    And at /usr/share/doc/openvpn/examples/sample-keys there are no files you listed…

    raspbian buster, OpenSSL 1.1.1d

    Please help

    1. Hi,

      I will try it again as soon as possible to see if something changed

      Patrick

  14. Hi,

    I have a weird question? why is it not working if I try to do this part

    echo '<cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
    cat /etc/openvpn/easy-rsa/keys/client1.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
    echo '</cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
    echo '<key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
    cat /etc/openvpn/easy-rsa/keys/client1.key >> /etc/openvpn/easy-rsa/keys/client.ovpn
    echo '</key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn

    like this:

    echo `
    cert $name.crt
    key $name.key
    `>> $name.ovpn

    1. I made it work like this:

      echo ‘key $name.key’ >> $name.ovpn
      echo ‘cert $name.crt’ >> $name.ovpn

    1. Hi Henry,

      ExpressVPN is a VPN client, not a server (ExpressVPN is also a paid service)

      If you just need to hide your IP address, or get a IP address in another country, you can use ExpressVPN or NordVPN for example (I have a post about it)
      If you want to connect to a specific network (your home or business network for example), OpenVPN is one of the most common way to do this for free

      Patrick

  15. Hello, Patrick thank you for clarifying the different setting and, I stress, my intention was and remains to install openvpn as free. I started following your instructions last year and then I was intimidated by the amount of instructions I had to follow. This year I was going to start again as I installed on a raspberry pi 3 b+ Libreelec with kodi. I hope to make it, let’s see a bit.
