Raspberry Pi Powered OpenVPN – Server, Part 4
Time to put it all together
So far we have setup and new Raspberry Pi, install OpenVPN, generated some server keys and at least one user/device key and created a Certificate Authority to sign them. We are still missing something though. OpenVPN doesn’t know any of the yet. We still have to tell it where to find these new files we’ve just create, what IP or port to listen for connections on, what type of connection to make or where to send the resulting traffic.
All these setting are held in OpenVPN’s configuration file, but non is installed with the OpenVPN package so we need to create a new one. Start by creating a file on the Pi
nano /etc/openvpn/server.conf then fill it with this initial template:
# SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS local PI_IP_ADDRESS dev tun proto udp # Some people prefer to use tcp. Don't change it if you don't know. port 1194 ca /etc/openvpn/easy-rsa/keys/ca.crt # SWAP WITH YOUR YOUR SERVER NAME I.E. VPiN.crt cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR YOUR SERVER NAME I.E. VPiN.key key /etc/openvpn/easy-rsa/keys/Server.key # You left the encryption level at 1024 change that here dh /etc/openvpn/easy-rsa/keys/dh2048.pem server 10.8.0.0 255.255.255.0 # server and remote endpoints ifconfig 10.8.0.1 10.8.0.2 push "route 10.8.0.1 255.255.255.255" push "route 10.8.0.0 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS, # AND MAKE SURE THE SUBNET IS CORRECT push "route PI_IP_ADDRESS 255.255.255.0" # This should match your router address and not need to be changed. # If your router does not do DNS, you can use Google DNS 126.96.36.199 push "dhcp-option DNS YOUR_DNS_IP_ADDRESS" # Override the Client default gateway by using 0.0.0.0/1 and # 188.8.131.52/1 rather than 0.0.0.0/0. This has the benefit of # overriding but not wiping out the original default gateway. push "redirect-gateway def1" client-to-client duplicate-cn keepalive 10 120 tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 cipher AES-128-CBC comp-lzo user nobody group nogroup persist-key persist-tun status /var/log/openvpn-status.log 20 log /var/log/openvpn.log verb 1
I’ve marked some bits you will need to change yourself most importantly PI_IP_ADDRESS and YOUR_DNS_IP_ADDRESS but read thru the comments to make sure everything else is right for your setup. Once your done just control+x and save the file.
Now that OpenVPN knows what to do we need to tell the Pi to forward internet traffic. By default a Raspbian OS is designed to be a receiving client, internet traffic goes to or from it, but in this case we want it to forward traffic it receives on somewhere else – in this case your router.
To edit the system setting open up the system control file with
nano /etc/sysctl.conf and find the line “#net.ipv4.ip_forward=1” and uncomment it by removing the # leaving “net.ipv4.ip_forward=1”. Once again use control+x to save the file. Lastly we have to tell the system we have changed the file. That’s done with the
sysctl command, just type
sysctl -p and your done.
We’re almost ready to restart the Raspberry Pi and have a functional server, but before we can there is one more thing we have to do. Raspbian comes with a built in firewall called iptables, found on most Linux systems, which is there to protect your computer from the dangers of the internet but we need to poke a hole through it while leaving the rest of it intact. This is done by issuing command directly to iptables, but we want these changes to still be in place next time we reboot the Raspberry Pi so we need to make the command something the Pi will run everything it connects to the router.
This is best done in two steps. First we’ll setup the script we want to run. Make a new file
nano /etc/iptables-openvpn.sh and type in:
#!/bin/sh iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source PI_IP_ADDRESS
Make sure you change PI_IP_ADDRESS to your Raspberry Pi’s IP address. The hit control+x and save the file. We now need to make the file executable, but we also want normal users from changing it.
chmod 700 /etc/iptables-openvpn.sh chown root /etc/iptables-openvpn.sh
The first line means only the file owner can execute the file, no one else can even read it. The second line just makes sure the owner is
Now we have our supporting files we need to tell the Pi to run this file, and so poke the same hole, in our firewall every time a network connection is setup. Network setting for Linux are commonly stored in the /etc/network/interfaces file so we can start there.
You can see a line that says “iface eth0 inet dhcp” that simply tells Linux to ask your router for an IP address for the ethernet plug. We can now inject out iptables-openvpn.sh file here by using the pre-up option.
iface eth0 inet dhcp
iface eth0 inet dhcp pre-up /etc/iptables-openvpn.sh
Now before asking for an IP address from a connected router the Pi will run our iptables command and the firewall will be ready. control+x to save your work.
You can finally reboot your Raspberry Pi
Your Raspberry Pi is now a fully working OpenVPN server, in the next tutorial we’ll get started preparing our clients to connect to it.