A VPN server is a great way to provide secure, encrypted remote access to your home. VPN servers are built-in to many pro grade firewalls and home router appliance. pfSense for example is a great open source home firewall that includes both OpenVPN and IPSEC services out of the box. However, many home users don’t have much choice as their ISP dictates which firewall or router they use. A Raspberry Pi VPN server is a great way to get VPN remote access in these situations.
Since the Raspberry Pi is a very low power device, its also a great appliance to leave running 24/7 as it won’t break the bank from a utility billing perspective. In fact, about the only downside to using the Raspberry Pi as a VPN server is that it can only handle a small number of connections. This again should be fine for remote access of a couple of people to your home network.
In addition to providing remote access, a VPN provides encryption for your data. This can be great when accessing your home network from a public or untrusted Wi-Fi network when traveling. All data sent between your device or laptop will be secured with an encryption key that only you know keeping snooping eyes out of your sensitive data!
Parts List for this Project
If you don’t already have everything you need, here’s a handy parts list for this project:
- Raspberry Pi 3
- Raspberry Pi power supply
- Raspberry Pi case (case with fan)
- 32GB microSD card
- HDMI cable
- Wireless keyboard
Setting up a Raspberry Pi VPN Server
Before we begin setting up our Raspberry Pi VPN server I highly recommend that you download and install the latest version of Raspbian. Almost every problem we hear about is because of running an older version of Raspbian that has not been updated. Software changes and things stop working. We keep these tutorials updated with info about the latest versions. So make sure you update! You’ll be glad you did.
RELATED: How to Download and Install Raspbian
Some Words of Caution for VPN Servers
Setting up a VPN means there is a way to access literally everything on your home network. There are some precautions you should take before doing this project.
- VPN username and password – We highly recommend you use a different username and password on your VPN than you use on anything else. If a nefarious individual gets your Facebook credentials, you don’t want them to be able to VPN to your home using them!
- Home Devices – Make sure everything on your home network is secured via a password. If you have a NAS, XBOX, network printer, etc., make sure each of them is secured via a complex password. Don’t use the same credentials for your VPN server as you do for your firewall!
These words of caution are not meant to scare you. They’re meant to help you understand some simple best practices that will help you keep your network safe and secure from attackers.
To change the password of the default “pi” user on your Raspberry Pi VPN server enter the following command in the terminal window:
Setting up Your Firewall
The next task we need to tackle is your Firewall or Router. By default your home firewall will not be aware of your Raspberry Pi VPN server and will simple ignore (or “drop”) all VPN traffic it sees coming in from the outside. To correct this you’ll need to tell your firewall to forward all VPN traffic to the IP address of your Raspberry Pi.
The default port for OpenVPN is 1194. In your firewall, create a port forwarding rule for port 1194 to the IP address of your RPi.
If you don’t know the IP address of your RPi you can get it by typing hostname -I (capital i) at the command line of your RPi. If you don’t know how to port forward a port on your router, just google the name of your router, its model number, and “port forward”. For example “Linksys AC1750 port forward”. You’ll quickly find an article on how to do it. In most cases it is quite simple. If your router is leased from your ISP, their tech support can probably do it for you.
Beginning the Raspberry Pi VPN Server Installation
It’s now time to begin the installation of our Raspberry Pi VPN server! We’re going to use a super handy script created by the PiVPN project team. This script makes installing your VPN server super painless and quick. To begin using this script we’ll need to enter the following at the command line:
curl -L https://install.pivpn.io | bash
The PiVPN script will immediately begin updating the tools and software needed to create your VPN server.
You’ll quickly be presented with the installer startup screen. Just press enter to begin the setup process.
Your RPi VPN server needs a static IP address in order to operate correctly. Press enter to begin the configuration of your IP address.
By default the PiVPN script will ask you to use the existing IP address and convert it to a static address. This is probably OK for most users. If you don’t want to use this address (or already have a defined range of static addresses on your network) you can choose to change that address here. For most users just select yes and press enter.
If you have any problems, in most routers you can reserve this address on the DHCP server settings screen. Most modern routers however are smart enough to detect that an address is in use and do so automatically.
Now we’ll select a user for OpenVPN’s configurations. Just press enter.
Unless you’ve created additional users on your Raspberry Pi VPN server, then you should only see one user “pi” in the list. Unless you’ve created another user specifically for this purpose, select pi and press enter.
You’re now going to be asked if you’d like to enable unattended upgrades. We highly recommend that you do this! Your Raspberry Pi will be connected to the internet 24/7 allowing remote access to your network. If a remote code execution bug or other attack vector is found in Raspbian or OpenVPN, you’ll want that to be patched automatically so that you don’t have to worry about it. Press enter to continue.
Select yes to enable automatic updates, and then press enter.
You’ll now be asked whether or not you would like to use the UDP or TCP protocol for your OpenVPN connections. We recommend you use UDP for VPN services unless you have a specific requirement for the TCP protocol. TCP introduces additional re-transmit overhead that can cause issues with VPN connections if configured improperly.
You’ll now be prompted to select the VPN’s port. This should be 1194 unless you plan to use a non-standard port. It is important to note that if you change this here, you will need to change this in your firewalll’s port forwarding configuration and on the client device connecting to the VPN server. There are basically two reasons to change this. One is if your ISP blocks port 1194. The second is if you’d like to make your VPN port a little harder to find (a smart hacker is going to find it no matter what port you select).
For most all users, keep port 1194 in place and press enter.
Next up the PiVPN script is going to ask you to select an encryption strength. This is the size of the RSA certificate key you’ll be using in your project. The default should be good enough for most people, which is 2048-bit key. If you’re over the top paranoid, you can go with 4096 bit, but remember this will add additional packet and CPU overhead on your RPi and client device which will affect performance.
We recommend you select 2048 and press enter.
The PiVPN script will spend just a minute creating a new certificate for your VPN server and then prompt you again to create the “Diffie-Hellman Parameters”. Just press enter.
The PiVPN script will initiate the process of generating the key. This will take a quite a few minutes of chugging on most Pis! Be patient.
On this next screen you’ll be asked whether or not you want to use a Public IP address or a DNS name. Most of you will want to use your Public IP address provided by your ISP.
Some more advanced users may wish to use a dynamic DNS service such as No-IP.org if your IP address changes regularly. That’s outside the scope of this tutorial however.
Select Public IP address and press enter.
You’ll now be offered the option of using a specific DNS provider. This is an important step if you run DNS or have DNS overrides configured on your home firewall or router. Some more advanced users will want to select the custom and choose the IP address of your home router for this. For most everyone else just choose Google DNS and press enter.
You’ll then be greeted by the completion screen! Congratulations, we’re almost done.
Finally, PiVPN will ask you to reboot your Raspberry Pi VPN server. We recommend you do this to make sure everything is fresh for the next steps.
Setting up Your Raspberry Pi VPN Clients
We now need to begin the process of setting up VPN clients to connect to our Raspberry Pi VPN service. This is a fairly simple process thanks to the PiVPN script. To add your first user, run the following command:
sudo pivpn add
Enter the name of your VPN client. This is a unique identifier for a device. You might choose something like MikesMacBook or DavidsIPAD. Something you’ll recognize when you see it. Next you’ll be asked for a password for this client. Select a password that you’ve not ever used anywhere else. Remember, this password gives access to your home network.
Note, your password will be displayed. I’ve blanked it in my screenshot for security purposes.
Using FTP or SMB, move the file to your Windows PC. That’s beyond the scope of this tutorial, but we recommend FileZilla for FTP transfers. Its free and open source!
RELATED: Setting up SMB on your Raspberry Pi
Importing the OVPN File on Windows
On your Windows PC, you’ll need to import the OpenVPN .OVPN file in your Open VPN client. If you don’t already have the OpenVPN client installed, you can download it from here. Look for the Windows client and install it on your PC.
Once installed and you’ve rebooted your PC, you’ll find an OpenVPN client in your system tray. Right click the tray icon and select import file.
You’ll be shown an OpenVPN dialog box. Browse to the location of the .ovpn file and import it into your VPN client by clicking open.
You’ve now successfully created your Raspberry Pi VPN server and setup your Raspberry Pi VPN client! All you need to do now is connect to it!
Right click the OpenVPN icon in the system tray, but this time select and click connect.
You’ll see a dialog box showing the connection process (I’ve again removed my personal information) and finally a popup showing you’ve connected successfully.
If you run into any problems at this point go back and verify all of your information:
- Did you properly configure port forwarding?
- Verify your username
- Double check your password
- Did you select UDP?
- Did you change the port number from the default 1194?
I’ve helped a lot of people through troubleshooting Raspberry Pi VPN server configuration problems, and I would say 99% of the time the problem is that they did not correctly configure port forwarding. Make sure you did this right!
Some firewalls will need you to forward the port and create an allow rule, while other firewalls will do that for you. Check your documentation.
Also, another important thing to know. Some routers do not forward traffic back to the inside interface. Since you are connecting to port 1194 on the external IP address of your firewall, you may have to test your VPN from another network such as a friend of the local starbucks, as it may not work internally. This is completely dependent on your firewall, and its configuration or capabilities.
If you have any issues or need any help, leave us a comment below and we will do our best to help you out!