Raspberyy Pi B+

OpenVPN Raspberry Pi – split-tunnel with Internet access

Would you like to connect from any place, usually using open WiFi network in town, at friends or airport – with your’re own home network? Virtual Private Network (VPN) is here to allow you to log-in securely to your home network, with additional perk of using it to get secure Internet access.

Raspberyy Pi B+
Raspberyy Pi B+

What will you need?

Hardware:

  • Rapberry Pi (A, A+ or B, B+, 2, Zero)
  • Home Router with Port Forwarding or Virtual Server support – any will do

Software:

  • Raspbian – standard Linux distribution for Raspberry Pi
  • OpenVPN – free OpenVPN server
  • OpenVPN – clients – different for Linux, Android, MS Windows etc.

As you see nothing fancy.

Security

Let’s talk about how we should secure our access:

  • physical access to your Raspberry Pi should be controlled (only you)
  • access to /etc should be restricted to the user that OpenVPN is running under
  • the files with .key are TOTALLY SECRET
  • the certificate .crt or .crs – are to be sent, lost, revoked – could be always renewed.
  • each device connecting to OpenVPN server (PC, tablet, smartphone) has it’s own key/certificate pair

Let’s do it

Well, as always the first thing is to update out RPi – let’s login via ssh or console:

Now, lets install OpenVPN package:

All commands used require root privileges, so I suggest to enter:

Next we should configure the server, first to generate SSL certificates, that allow securing of the connection and also – authentication.
All files should be stored in /etc, let’s create appropriate folder and copy over the example files to create certs, which reside in Raspbianie Wheezy here:

If you’re on the newer Jessie, as noted in comments by Dom/OloX – folder with examples is located in /usr/share:

Examples provided by easy-rsa package default to USA based data. Wait, what ? It’s all about the fact that the certificate has to have identification – who’s the authority that issued it. Since it’s going to be ours – we should put some familiar data here to identify it later.

Let’s edit the file ( or accept the fact that all certificates are from San Francisco…):

The changes are about the folder where we store the certs and keys, length of the asymetrical key – it’s usually1024 – but 2048 might be too much from RPi 1, or even 2 or 3. Let’s use the value of 1024:

Country code – PL,  county/voivodeship: WA and so on – use what you like or don’t, but the KEY_CN – this should be changed.
Let’s prepare to create the keys:

Now we will build a certificate authority::

All you need to do is to confirm values previously entered in vars:

The folder keys will now have ca.key and ca.cert.

Now, important port – generating the key to our system:

We will be asked to provide password. STOP. OK, enter a password – but then you will also have to enter it with each connection. We can remove the password and lower our security – the choice is yours!

Answer yes to remaining questions and you will get in folder keys new files: server.crt and server.key in (/etc/openvpn/easy-rsa/keys/), they will be signed with your root certificate.
Now let’s build the Diffie-Hellmann parameters required for client and server to talk to each other. The process is quite interesting – check out  https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange 

This produces 1024.pem file, change the name to dh1024.pem
Now lets build the pairs – files – for a client:

…along with the password:

That’s nearly the end – now let’s generate common HMAC key for TLS:

Let’s copy all the files /etc/openvpn/mykeys/

It’s time to configure our OpenVPN server using certificates and keys.
First create the /etc/openvpn/openvpn.conf file with following entries:

The configuration of the server will get all the traffic coming from it (apart from static routes on the client – accessing the other LAN) and steer it to tunnel. Thanks to this we will also have Internet access through our tunnel and VPN (but check below!). The resolvers for DNS operation – let’s use Google and our local as secondary. The important line is ‘server’ this creates a network used only for the actual connection – so use private network you don’t use anywhere. The port is 1194 – we will have to reconfigure our home router for connection – see below for Port Forwading options. The protocol used is UDP.

Port forwarding

The forwarding of the public port from your router to private port on Raspberry Pi is quite easy to configure:

Port Forwarding - Linksys
Port Forwarding – Linksys
Port Forwarding - D-Link DIR
Port Forwarding – D-Link DIR
Port Forwarding - Archer VR900
Port Forwarding – Archer VR900
Port Forwarding - TP-Link
Port Forwarding – TP-Link
Port Forwarding - TP-Link
Port Forwarding – TP-Link

Split-tunnel – safe access to Internet by means of VPN

To allow split-tunnel – we need to add configuration at the end of the /etc/rc.local file.
Do mind that you need to change the example RPi address of 192.168.11.11 to yours, and as mentioned above – choose unused VPN – here: 192.168.22.0/24

The file should have following lines:

Client

Let’s configure the client – first mobile devices – Android. Download the OpenVPN (check for fakes!) and after installing – it’s going to ask for .ovpn file. Let’s create it, don’t forget to change the IP_ADDRESS_OR_FQDN_OF_THE_SERVER to your OpenVPN server.

Back to console of your Raspberry Pi:

We got – client.ovpn. Rewiev the file, change: proto to udp, remote – IP address – to our public router address (or name if we have Dynamic DNS service), and enter the IP addresses into server line. Remove any ca cert key references to the files if they exist in imported example. The ready file goes to Android device – import, run connect and there it is!. Do mind that for mobile devices (i.e. Android/iOS- OpenVPN Connect requires the certificates to be embedded in the *.ovpn file!