Raspberry Pi Powered OpenVPN – Client Side
This is part two of my series on creating your own, private, VPN server at home using a Raspberry Pi. If you have followed on from my Raspberry Pi Powered OpenVPN – Server post you will have a fully working OpenVPN server. You probably also noticed it took you a good portion of your afternoon, but with bugs and hacks being found in more and more Linux software and libraries it is well worth having a server you can trust.
You’ll have noticed though we’re missing a vital step before we can make use of our new server. In part three of my tutorial we created some access keys to allow our phones and laptops (from here on called clients) to access our server, but we haven’t told the clients.
OpenVPN software gets all the information about where your server is, how to connect, what keys to use and what connections to create from a configuration file called and .ovpn. Since you need a separate OVPN file for each client we’ll use a script to do our heavy lifting.
Eric Jodoin first created this script while at the SANS institute, and with some basic template files, it can create configuration files for all our clients.
As with the Raspberry Pi Powered OpenVPN – Server tutorial the following commands still need executed as root, so remember ether add
sudo infront of them or make sure you still have root from the
sudo -s command.
Setting the defaults
Eric’s script works by combining a default configuration file with the keys specific to client, so we need to create it first.
Create a new blank file:
Then copy and past in this:
<span style="font-family: monospace;">client
remote YOUR_PUBLIC_IP_ADDRESS 1194
Remember to change the line remote to match your setup. Include the public IP address of your OpenVPN server and make sure the port and proto are correct. If in on page four you opted to use TCP or a non standard port, one other than 1194, you need to make sure this is correct here as well.
If you are not sure what your public IP address is you can ask Google.
Some ISPs will rotate your IP address regularly which causes a problem when trying to access your new server. There are however many services that offer dynamic domain names (DDNS). These give you a static domain name but make sure the IP address always points to your home PC. First thing I would do is check your router to see if it supports a DDNS provider. If it doesn’t then you can use a free service like DNS Dynamic, but you will have to setup and run the ddclient on the Pi to keep your IP address updated.
As in the previous tutorials use control+x and save the new file.
Creating the script
Now we’ll create a copy of the script Eric produced, the original PDF download of his research paper can be found online.
First create a new file in
nano -w /etc/openvpn/easy-rsa/keys/ovpn_gen.sh
Get a copy of the script from my gitlab server and past it into this new file. Lastly control+x and save the new script.
By default new files created in
nano are just text files, they do not have permission to execute commands. This command will give only the root user permission to read, write or execute our new file:
chmod 700 /etc/openvpn/easy-rsa/keys/ovpn_gen.sh
We can now run the script, but first make sure we are in the keys folder:
<span style="font-family: monospace;"><span style="color: #ffff00;">cd</span> /etc/openvpn/easy-rsa/keys/;
The first thing we’re asked for is the Client Name. This must be the same as we used in page three of the server side tutorial. I’ll continue using KEYNAME here, but if I was setting up the key for my Nexus 5 I would use stuart.nexus5.
If everything worked as expected you’ll see a message like this:
<span style="font-family: monospace;">Done! KEYNAME.ovpn Successfully Created.
Now just rinse and repeat for as many clients as you have setup, but make sure to only run the command for keys you already created. If you need a new device go back to page three and create a new set of keys first.
Downloading the OVPN files
You now have to download your new OVPN file from the /etc/openvpn/easy-rsa/keys/ folder onto your clients. If you are on a link system I would use the
scp command, but for Windows users WinSCP would work as well.
If you are using WinSCP you will not have permission to access the /etc/openvpn/easy-rsa/keys/, this is by design and adds additional protect to your server. So you can cp the file into the pi home directory first and download it from there, but make sure to delete it once you have it on the client.
cp /etc/openvpn/easy-rsa/keys/KEYNAME.ovpn /home/pi/
In part two of this tutorial we’ll take a look at setting up our client and getting OpenVPN installed and running on your Android phone or tablet.