Build keys for each user
Your server is now set up and you need to build keys for all the devices you want to be able to connect.
You can cut corners here and just build one key to use on all devices. Only one device can connect using each key at a time though, so if you want simultaneous connections you will need a different key for each one.
To assign a user a key, type:
./build-key-pass [UserName]
… substituting [UserName] with the name you want. For example, to make a key to connect my Android phone to the VPN I chose the name KateAndroid.
You will get some more prompts now:
Enter PEM pass phrase
… choose a password you will remember! It asks you to input this twice to eliminate errors.
A challenge password? This MUST be left blank.
Sign the certificate? [y/n]
Hit “y”
Next type:
cd keys
then (using my example username, which you should change for your own):
openssl rsa -in KateAndroid.key -des3 -out KateAndroid.3des.key
This last command re-encrypts the private key on disk with 3DES under a pass phrase, adding an extra layer of protection: a copy of the key file alone is not enough to connect.
You will be asked to enter pass phrase for KateAndroid.key – this is the phrase you entered in the previous step.
You will then be asked to enter and repeat a new PEM pass phrase for the des3 key. I used the same pass phrase for both so you only have one to remember. You will need the 3des.key pass phrase at the end of this process when you import your files to your devices.
Repeat these steps for all the usernames you want to build a key for.
You have now created your “client certificates”. Type:
cd ..
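Before any of these key files leave the Pi it is worth confirming that the pass phrase step actually took. The script below is an added example, not part of the original tutorial: it inspects the PEM headers that "openssl rsa -des3" writes, and the function names, the Laptop.key and myserver names and the placeholder key bodies it constructs are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original tutorial: confirm a client key is really
# pass-phrase protected before copying it off the Pi. A traditional PEM key
# encrypted by "openssl rsa -des3" carries "Proc-Type: 4,ENCRYPTED" plus a
# "DEK-Info:" line naming the cipher (DES-EDE3-CBC); newer OpenSSL may instead
# emit a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" block. Prints a verdict and
# returns 0 when protected, 1 when the key sits on disk in the clear.
key_protection() {
    keyfile="$1"
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$keyfile"; then
        echo "protected PKCS#8"
        return 0
    fi
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
        # DEK-Info looks like "DEK-Info: DES-EDE3-CBC,<hex IV>"; keep the cipher name.
        cipher=$(sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$keyfile")
        echo "protected $cipher"
        return 0
    fi
    echo "unprotected"
    return 1
}

# Runs key_protection over every *.key in DIR, skipping ca.key, the server's own
# key and the tls-auth ta.key, none of which are exported to devices.
check_client_keys() {
    dir="$1"; server="$2"; bad=0
    for k in "$dir"/*.key; do
        case "$k" in "$dir/ca.key"|"$dir/$server.key"|"$dir/ta.key") continue ;; esac
        verdict=$(key_protection "$k") || bad=1
        echo "$k: $verdict"
    done
    return "$bad"
}

# Constructed sample files with placeholder bodies (no real key material).
write_sample_keys() {
    dir="$1"; mkdir -p "$dir"
    hdr='-----BEGIN RSA PRIVATE KEY-----'; ftr='-----END RSA PRIVATE KEY-----'
    body='CONSTRUCTED-PLACEHOLDER-NOT-REAL-KEY-MATERIAL'
    for f in plain ca myserver; do printf '%s\n' "$hdr" "$body" "$ftr" > "$dir/$f.key"; done
    printf '%s\n' "$hdr" 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' \
        '' "$body" "$ftr" > "$dir/KateAndroid.3des.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$body" \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/Laptop.key"
    printf '%s\n' '# constructed stand-in for the OpenVPN static key' > "$dir/ta.key"
}
```

On a real install, run check_client_keys against /etc/openvpn/easy-rsa/keys with your server name as the second argument; a non-zero exit means a client key was left without a pass phrase.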
Generate the Diffie-Hellman key exchange.
These are the parameters that let two parties with no prior knowledge of one another agree on a shared secret over a public network. Type:
./build-dh
The screen will slowly fill with dots as the key is built from random numbers. It will take at least an hour if you upped your encryption to 2048-bit. If you left it at 1024-bit it could take as little as five minutes.
Denial of Service (DoS) attack protection
OpenVPN protects against this kind of attack with a static, pre-shared hash-based message authentication code (HMAC) key. Every control-channel packet must carry a valid HMAC made with this key; packets that do not are dropped before the server spends any effort on a TLS handshake. To generate the static HMAC key type:
openvpn --genkey --secret keys/ta.key
N.B. Both options start with two ASCII hyphens (--genkey, --secret). If you copy and paste this line the double "-" may be converted into a single dash and the command will fail, so type it in by hand.
Configuring your server
Now that you have created all the locks and keys, you need to tell your Raspberry Pi where to put the doors and who gets the keys: essentially instructing OpenVPN which keys to use, where you will be connecting from, and which IP address and port to use.
To do this you must create a server configuration file. At command prompt type:
nano /etc/openvpn/server.conf
This opens an empty file.
Fill it with this text, taking care to change the details where indicated with a comment in # CAPS LOCK. (Placing a "#" in front of a sentence in the file like this tells OpenVPN it is a comment and to ignore it when reading the configuration.) Where a comment says YOUR SERVER NAME, use the server name you gave to the 'build-key-server' command earlier on.
local 192.168.2.0 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/XX.crt # SWAP XX WITH YOUR SERVER NAME
key /etc/openvpn/easy-rsa/keys/XX.key # SWAP XX WITH YOUR SERVER NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # IF YOU CHANGED YOUR ENCRYPTION TO 2048, CHANGE THAT HERE
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.0.10 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.0.1" # THIS SHOULD ALREADY MATCH YOUR OWN ROUTER ADDRESS AND SHOULD NOT NEED TO BE CHANGED
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
Hit CTRL and X then Y and ENTER to save.
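The two mistakes this file invites are an XX placeholder left unreplaced and a path that points at a certificate or key that is not there, and both are cheap to catch before OpenVPN is started. The script below is an added example, not from the original tutorial: check_server_conf and write_sample_conf are names chosen here, and the sample configuration it writes is constructed to mirror the file above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check server.conf
# before starting OpenVPN. It flags lines where the "XX" placeholder was never
# swapped and reports any file named by ca/cert/key/dh/tls-auth that is missing
# on disk. Returns 0 when clean, 1 when at least one problem was printed.
check_server_conf() {
    conf="$1"
    problems=0
    while IFS= read -r line; do
        case "$line" in
            *XX*) echo "placeholder not replaced: $line"; problems=$((problems + 1)) ;;
        esac
    done < "$conf"
    for directive in ca cert key dh tls-auth; do
        # First argument after the directive, with any trailing "# comment" dropped.
        path=$(sed -n "s/^$directive[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$conf" | head -n 1)
        if [ -z "$path" ]; then
            echo "directive missing: $directive"; problems=$((problems + 1))
        elif [ ! -f "$path" ]; then
            echo "$directive names a file that does not exist: $path"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Writes a constructed server.conf under DIR that mirrors the tutorial's file, with
# the cert/key placeholders deliberately left in and only ca/dh/ta files created.
write_sample_conf() {
    dir="$1"
    mkdir -p "$dir/keys"
    : > "$dir/keys/ca.crt"; : > "$dir/keys/dh1024.pem"; : > "$dir/keys/ta.key"
    cat > "$dir/server.conf" <<EOF
local 192.168.0.10
dev tun
proto udp
port 1194
ca $dir/keys/ca.crt
cert $dir/keys/XX.crt # SWAP XX WITH YOUR SERVER NAME
key $dir/keys/XX.key # SWAP XX WITH YOUR SERVER NAME
dh $dir/keys/dh1024.pem
tls-auth $dir/keys/ta.key 0
keepalive 10 120
EOF
}
```

On the Pi itself, run check_server_conf /etc/openvpn/server.conf as root so the file checks see the same paths OpenVPN will.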
There is one last edit to make in the server configuration files to make sure your Raspberry Pi forwards Internet traffic through your new network.
Type:
nano /etc/sysctl.conf
Near the top it says, “Uncomment the next line to enable packet forwarding for IPv4.”
You want to remove the "#" from the start of the next line so that the setting is no longer treated as a comment and is actually applied.
The line should then read:
net.ipv4.ip_forward=1
Hit CTRL and X, then Y and ENTER to save.
Finally you need to apply the change you just made in the sysctl.conf file. To do this type:
sysctl -p
You have now made a functioning server that can access the internet.
Pass through the firewall
Raspbian has a built-in firewall that will block incoming connections, so we need to tell it to allow traffic from OpenVPN to pass through.
To create a script that will run each time your Raspberry Pi starts up and add this rule, type:
nano /etc/firewall-openvpn-rules.sh
Inside this new file type:
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.10
# SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
CTRL and X then Y and ENTER to save.
Newly created files are not executable by default, so we need to change the permissions and ownership of the file you just created. To do this type:
chmod 700 /etc/firewall-openvpn-rules.sh
then:
chown root /etc/firewall-openvpn-rules.sh
This script lets the VPN clients' traffic out through the firewall (it rewrites the 10.8.0.0/24 source addresses to the Pi's own address), and we now need to add it to the interfaces configuration so it runs on boot. Type:
nano /etc/network/interfaces
Find the line that says "iface eth0 inet static". We want to add a line below the address settings that follow it. The line needs to be indented, so hit TAB first:
pre-up /etc/firewall-openvpn-rules.sh
CTRL and X then Y and ENTER to save.
Finally, reboot your Raspberry Pi by typing:
reboot
N.B. Each time you reboot your Raspberry Pi you will need to relaunch PuTTY to connect to it.
It works, nice tutorial.
I have set up the VPN on a Raspberry Pi 3 by following this article but I am unable to connect to the VPN server.
The internet is connected to the Raspberry via wlan,
so wherever eth0 is mentioned I have replaced it with wlan0.
Contacting xxx.xx.xxx.xx:xxxx via UDP
EVENT:WAIT
Connecting to[dynamidns name]:xxxx (xxx.xx.xxx.xx)via UDPv4
Server pol timeout,trying next remote entry…
EVENT:CONNECTION TIMEOUT
EVENT:DISCONNECTED
When I get to sudo route-n I get command not found.