OpenVPN on Raspberry Pi

- - posted in Technical | Tagged as Raspberry,PI,OpenVpn | Comments

Everyone loves something Free.

Open and Free wireless is everywhere, but should you be connecting to it. The answer is NO. You shouldn.t be connecting to it, dont connect to your social networks, don't check your bank account on it unless you want somebody else to be able to sneak on it.

The solution? A virtual private network, or VPN. A VPN extends your own private network into public places, so even if you.re using Starbucks. Wi-Fi connection, your Internet browsing stays encrypted and secure. The easiest and cheapest solution to keep your data safe is to just refrain from public Wi-Fi completely. But then some times we don't have a choice and we do require to connnect to insecure network. But we can save ourselves with an inexpensive to build own VPN server at home, and run it off of a tiny, inexpensive Raspberry Pi.

A VPN - or virtual private network - helps you browse the internet more anonymously by routing your traffic and encrypting it through a server that is not your point of origin.

Create a directory for VPN stuff. Ignore if you dont want to.. Install the openvpn package

1
2
$ mkdir VPN && cd VPN
$ sudo apt-get install openvpn

Generating keys

Your VPN needs keys generated to make sure that only authorised devices can connect to it. OpenVPN comes with Easy_RSA, a simple package for using the RSA encryption method to generate your unique keys.

Switch to root.

1
sudo -s

You will now see your command prompt sits at 'root@XXXXX:'
root@XXXX/VPN# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/update-resolv-conf

Next, create the keys needed by both server and client

1
2
3
4
5
6
7
8
9
10
11
12
13
mkdir /etc/openvpn/easy-rsa    

cp -ai /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa    

cd /etc/openvpn/easy-rsa/2.0   

vi vars   

In the vars file, edit the KEY_* entries at the bottom of the file, such as KEY_COUNTRY, KEY_ORG, KEY_EMAIL, etc. Next, source the vars file and then clean the directory.    

. ./vars    

./clean-all

Build the certifying Authority

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
/etc/openvpn/easy-rsa/2.0# ./build-ca   

Generating a 2048 bit RSA private key    
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:KA
Locality Name (eg, city) [SanFrancisco]:BLR
Organization Name (eg, company) [Fort-Funston]:MyCompany
Organizational Unit Name (eg, section) [changeme]:MyOrg
Common Name (eg, your name or your server's hostname) [changeme]:MyserverName
Name [changeme]:NoName
Email Address [mail@host.domain]:

Build the Server Key

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
/etc/openvpn/easy-rsa/2.0# ./build-key-server MyserverName   

Generating a 2048 bit RSA private key
writing new private key to 'MyserverName.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:KA
Locality Name (eg, city) [SanFrancisco]:BLR
Organization Name (eg, company) [Fort-Funston]:MyCompany
Organizational Unit Name (eg, section) [changeme]:MyOrg
Common Name (eg, your name or your server's hostname) [MyserverName]:
Name [changeme]:NoName
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'KA'
localityName          :PRINTABLE:'BLR'
organizationName      :PRINTABLE:'MyCompany'
organizationalUnitName:PRINTABLE:'MyOrg'
commonName            :PRINTABLE:'MyserverName'
name                  :PRINTABLE:'NoName'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 21 22:44:06 2025 GMT (3650 days)

Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Build keys for Clients

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
root@ashberrypi:/etc/openvpn/easy-rsa/2.0# ./build-key-pass officelaptop
Generating a 2048 bit RSA private key
writing new private key to 'officelaptop.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:KA
Locality Name (eg, city) [SanFrancisco]:BLR
Organization Name (eg, company) [Fort-Funston]:MyCompany
Organizational Unit Name (eg, section) [changeme]:MyOrg
Common Name (eg, your name or your server's hostname) [officelaptop]:
Name [changeme]:OfficeLappyKey
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'KA'
localityName          :PRINTABLE:'BLR'
organizationName      :PRINTABLE:'MyCompany'
organizationalUnitName:PRINTABLE:'MyOrg'
commonName            :PRINTABLE:'officelaptop'
name                  :PRINTABLE:'OfficeLappyKey'
emailAddress          :IA5STRING:'mail@host.domain'

Certificate is to be certified until Mar 21 22:47:52 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

This line adds an extra layer of encryption to make it harder for hackers to break in.

1
2
3
4
5
6
/etc/openvpn/easy-rsa/2.0# cd keys
/etc/openvpn/easy-rsa/2.0/keys# openssl rsa -in officelaptop.key -des3 -out officelaptop.3des.key
Enter pass phrase for officelaptop.key:
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Generate the Diffie-Hellman key exchange.

1
2
3
4
5
This is the code that lets two entities with no prior knowledge of one another share secret keys over a public server.
/etc/openvpn/easy-rsa/2.0/keys# cd ..
/etc/openvpn/easy-rsa/2.0# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

Denial of Service (DoS) attack protection

OpenVPN protects against this kind of attack by generating a static pre-shared hash-based message authentication code (HMAC) key.
This means the server will not try to authenticate an access request if it does not detect this key.
To generate the static HMAC key type:

1
/etc/openvpn/easy-rsa/2.0# openvpn --genkey --secret keys/ta.key

Update the sample configuration file, It should look like following in the most basic form:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .
#Sample
port 8443
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3
management localhost 7213

You will need to enable IP forwarding.

1
echo 1 > /proc/sys/net/ipv4/ip_forward

You can make this a permanent change by uncommenting the line:

1
net.ipv4.ip_forward = 1

in the file /etc/sysctl.conf.

1
2
3
4
5
/etc/openvpn/easy-rsa/2.0# sysctl -p
kernel.printk = 3 4 1 3
net.ipv4.ip_forward = 1
vm.swappiness = 1
vm.min_free_kbytes = 8192

Change the permissions for the firewall script

1
2
/etc/openvpn/easy-rsa/2.0# chmod 700 /etc/firewall-openvpn-rules.sh    
/etc/openvpn/easy-rsa/2.0# chown root  /etc/firewall-openvpn-rules.sh

Find the line that is either iface eth0 inet dhcp or iface eth0 inet manual and enter this line below it:

1
2
3
4
5
6
7
/etc/openvpn/easy-rsa/2.0# vi /etc/network/interfaces    

pre-up /etc/firewall-openvpn-rules.sh    

Keep those spaces at the front so it.s indented, it should end up looking like this:   

iface eth0 inet manual pre-up /etc/firewall-openvpn-rules.sh

You'll also have to allow NAT forwarding through your firewall. This will most likely be accomplished with something like the following rule in iptables:

1
2
3
4
5
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE   

or       

ufw allow portnum

This assumes you have set up your openvpn server with the IP 10.8.0.0 in the server.conf file as described above.

I did not do this, I opened a port on my router. Let me know if thats not right.

Now reboot.

1
# sudo reboot

Configure the Client and connect to your VPN. No Spoofing..

Enjoy...





Gravatar of Ashwani Kumar

Recent posts


Subscribe



Your Feedback encourages me




Learning and Developments

One Month Rails



, AWS AWS, Active Directory, Facebook Flash, Forwarding, GOD,Chat,Coffee Github,Feedback,Repo Google,Search HAProxy, IOT, IP-block JQuery Load MQ MQTT, Messaging Octopress Octopress, OpenVpn PI, Plugin Plugin, Port Raspberry, S3, SSH, Shell,Commands Soapui, Tag Tag, Tree, Tunneling XML XML, XServer, Xming ajax, angular, animated balancing cloud, commenting, connectivity datatables diaspora dropdown geocoding grep, ipaddress, ipv6, java, mysql nokogiri, octopress-migration octopress-plugin openssl powershell proxy rails, repo reviews ruby, script scripts, security, sharepoint shell ssh, telnet, vi, vieditor vim, visualblock, webattacks windows,cleanup windowsxp