Raspberry Pi Powered OpenVPN – Client Side

This is part two of my series on creating your own, private, VPN server at home using a Raspberry Pi. If you have followed on from my Raspberry Pi Powered OpenVPN – Server post you will have a fully working OpenVPN server. You probably also noticed it took you a good portion of your afternoon, but with bugs and hacks being found in more and more Linux software and libraries it is well worth having a server you can trust.

You’ll have noticed though we’re missing a vital step before we can make use of our new server. In part three of my tutorial we created some access keys to allow our phones and laptops (from here on called clients) to access our server, but we haven’t told the clients.

OpenVPN software gets all the information about where your server is, how to connect, what keys to use and what connections to create from a configuration file called and .ovpn. Since you need a separate OVPN file for each client we’ll use a script to do our heavy lifting.

Eric Jodoin first created this script while at the SANS institute, and with some basic template files, it can create configuration files for all our clients.

As with the Raspberry Pi Powered OpenVPN – Server tutorial the following commands still need executed as root, so remember ether add sudo infront of them or make sure you still have root from the sudo -s command.

Setting the defaults

Eric’s script works by combining a default configuration file with the keys specific to client, so we need to create it first.

Create a new blank file:

nano /etc/openvpn/easy-rsa/keys/Default.txt

Then copy and past in this:

Remember to change the line remote to match your setup. Include the public IP address of your OpenVPN server and make sure the port and proto are correct. If in on page four you opted to use TCP or a non standard port, one other than 1194, you need to make sure this is correct here as well.

If you are not sure what your public IP address is you can ask Google.

Some ISPs will rotate your IP address regularly which causes a problem when trying to access your new server. There are however many services that offer dynamic domain names (DDNS). These give you a static domain name but make sure the IP address always points to your home PC. First thing I would do is check your router to see if it supports a DDNS provider. If it doesn’t then you can use a free service like DNS Dynamic, but you will have to setup and run the ddclient on the Pi to keep your IP address updated.

As in the previous tutorials use control+x and save the new file.

Creating the script

Now we’ll create a copy of the script Eric produced, the original PDF download of his research paper can be found online.

First create a new file in nano:

nano -w /etc/openvpn/easy-rsa/keys/

Get a copy of the script from my gitlab server and past it into this new file. Lastly control+x and save the new script.

By default new files created in nano are just text files, they do not have permission to execute commands. This command will give only the root user permission to read, write or execute our new file:

chmod 700 /etc/openvpn/easy-rsa/keys/

We can now run the script, but first make sure we are in the keys folder:

The first thing we’re asked for is the Client Name. This must be the same as we used in page three of the server side tutorial. I’ll continue using KEYNAME here, but if I was setting up the key for my Nexus 5 I would use stuart.nexus5.

If everything worked as expected you’ll see a message like this:

Now just rinse and repeat for as many clients as you have setup, but make sure to only run the command for keys you already created. If you need a new device go back to page three and create a new set of keys first.

Downloading the OVPN files

You now have to download your new OVPN file from the /etc/openvpn/easy-rsa/keys/ folder onto your clients. If you are on a link system I would use the scp command, but for Windows users WinSCP would work as well.

If you are using WinSCP you will not have permission to access the /etc/openvpn/easy-rsa/keys/, this is by design and adds additional protect to your server. So you can cp the file into the pi home directory first and download it from there, but make sure to delete it once you have it on the client.

cp /etc/openvpn/easy-rsa/keys/KEYNAME.ovpn /home/pi/

and then

rm /home/pi/KEYNAME.ovpn

In part two of this tutorial we’ll take a look at setting up our client and getting OpenVPN installed and running on your Android phone or tablet.

Stuart McCulloch Anderson

For over a decade and a half Stuart has been in love with all things science fiction or technology and for almost fourteen of those years his operating system of choice has been one breed of Linux or another and despite some brief trips back into the world of Windows Stuart has never found him self wanting anything else.

You may also like...

19 Responses

  1. Tayo Adewale says:

    Nice tutorials for both Server and Client, thanks

  2. Jhon Albert says:

    Beautiful tutorial about vpn and servers.. Same kind of steps i have learned few months back on vpnranks a platform for learning about vpn industries..

  3. Interested guy says:

    very good until here, but…
    how do i use this? I follow you to here, what’s next? do i need some vpn client? or what?

  4. Nico Verduin says:

    Sofar all is installed. How do I get a windows client to connect?

    • Sorry for the late reply. I’m not a windows user but I found this video on YouTube which seems to be what your looking for, also shows you how to make use of the OPVN config file – – If its not right let me know and I’ll see if I can fire up a windows machine and write a proper how-to

      • Nico Verduin says:

        I found a couple of other related tutorials. Seems to work now. The biggest problem I had was eventually the DNS. I could ping to but no DNS translation. Then I changed it to the DNS IP in my router (I have ZIGGO in the Netherlands). Seems to work like a charm now.

  5. Daniel says:

    Great article, got my VPN set up quickly, although I had a bit of a problem with an additional USB NIC causing internet connection losses – apart from that, quick and easy.

  6. Scott Hather says:

    Great, got right to the end and does not exist. 🙁

  7. devnull says:

    great tutorials Stuart having setup openvpnas server before…couldn’t see the part2 for adding the *.ovpn file to and android device, but worked it out once I had it on my phone with the client!!

  8. Jackal Hunter says:

    Marvellous, thanx for the info.
    Is there any way to add to the generated .ovpn the PEM password, so that the OpenVPNClient does not always ask for the password? Android OpenVPN asks for saving, but Win10 64bit does not.. I have to always type the password..

    • Jackal Hunter says:

      Well. The OpenVPN Server works, but all trafic is not redirected through raspberry pi.. I added “redirect-gateway” to the .ovpn client file but it did not do the efect.

  9. Jackal Hunter says:

    Your OpenVPN server tutorial in great and system in working. This raises the question on how to use it from another Raspberry PI as client as well? tls_auth is probably the thing that prevents, because user needs to give this password and with raspberry Pi openVPN client there is no way. This needs to be automated.. Can this be done?

  10. skele says:

    after running the script to create ovpn files for my keynames I get: tls-auth Key not found: ta.key

  11. Dominic Luther says:

    The gitlab server link has vanished again!

    • I’m sorry Dominic, I’ve updated the link –

      • Dominic Luther says:

        Thank you so much. That worked for me. Now just 2 things.
        1. For some reason the iptable didn’t stick, so it would stay at ‘waiting for server’. I resolved that by using iptables-persistent and then it worked.
        2. The OpenVPN service doesn’t automatically start either. On boot, if I SSH in it says..

        root@raspberrypi:/home/pi# systemctl status openvpn@server.service -l
        ● openvpn@server.service - OpenVPN connection to server
        Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
        Active: failed (Result: exit-code) since Tue 2016-07-26 00:00:11 BST; 54s ago
        Process: 456 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=1/FAILURE)
        Jul 26 00:00:11 raspberrypi systemd[1]: openvpn@server.service: control process exited, code=exited status=1
        Jul 26 00:00:11 raspberrypi systemd[1]: Failed to start OpenVPN connection to server.
        Jul 26 00:00:11 raspberrypi systemd[1]: Unit openvpn@server.service entered failed state.

        If I manually use systemctl start, then it works. But doesn’t persist and I can’t work out how to make it do so.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: