Running your own VPN server is a great way to increase your mobile security and get access to your LAN from the internet, but they’re notoriously hard to set up. Pi VPN turns your Raspberry Pi into a cheap, effective VPN server using a guided installation that does most of the hard work for you.
You’ll be able to bypass website filters at work or school, and easily connect to devices on your home network like fileservers or printers. And with just a few extra steps, you can also enable end-to-end encryption and run all of your mobile internet through a secure and anonymous tunnel.
- What is Pi VPN?
- Choosing a VPN provider
- Getting ready for Pi VPN
- Installing Pi VPN
- Installing Pi VPN GUI
- Setting up an outbound VPN connection
- Pi VPN router settings
- Managing Pi VPN users
- Installing a mobile Pi VPN client
- Installing a Pi VPN client on your computer
- More ideas for Pi VPN and your network
- Hands on with Pi VPN
What is Pi VPN?
Pi VPN is a lightweight OpenVPN server designed to run on Raspberry Pi 2 or 3. It gives you access to your home network through a secure connection over the internet. By plugging a Raspberry Pi into your router, it acts somewhat like a bridge between mobile devices and your network.
You can use Pi VPN to:
- Access your files, music, and movies from anywhere
- Encrypt your mobile internet connection
- Print on your home printers from your laptop
- Bypass firewalls and website restrictions at work and abroad
- Hide your mobile IP address
- Connect with your home cameras and smart devices
If you find yourself forwarding a lot of services through your router, a home VPN connection is a more secure alternative. Each port you forward is a tunnel that someone, somewhere could use to get into your network. Pi VPN only opens one port, and it uses strong encryption to keep your LAN secure.
Choosing a VPN provider
One of the most important choices before you even begin this project is which VPN provider you’ll use. And when you’re making that choice, the factors you need to keep in mind are security, bandwidth, and latency.
Security is vital, you need to know that your VPN provider won’t keep logs of your connection. But bandwidth and latency are just as important in this case. If you choose a provider with high ping times or not enough bandwidth, your internet connection is going to suffer.
With that in mind, I recommend you use IPVanish for this project. IPVanish has some of the lowest latency times and highest bandwidth of any provider, and we tested many. That will keep your connection snappy and responsive, even when you’re browsing the web through a double-hop VPN connection.
FAST AND RELIABLE:IPVanish has a large network of uncongested servers that hits great speeds. Strong security and privacy features. A favorite for Kodi and Amazon Fire Stick for their apps and streaming capabilities. Family friendly as it can handle up to 10 simultaneously connected devices. Try it risk-free with the 7-day money back guarantee.
Getting ready for Pi VPN
In order to get started, you’re going to need:
- a Raspberry Pi 2 or 3 with Raspbian installed
- an 8GB or larger memory card
For best results, the Raspberry Pi should be connected to a router with an ethernet cable, but a wifi connection will work, too. If you’re using wifi, you’ll need to substitute wlan0 for eth0 throughout this tutorial.
Turn on the SSH service in Raspberry Pi Config by enabling it in the Interfacing options menu. You can launch the configuration tool from the Pi menu or use this command:
Reboot your Pi after you enable the SSH server.
Once your Pi is connected to your home network with SSH turned on, you can disable the X desktop and unplug your monitor if you want. It’s just as easy to connect to your Raspberry Pi remotely using a utility like Putty or your Mac’s terminal as it is to type directly on the Pi.
Connecting to your Raspberry Pi
Most of the time you’ll want to run your Pi VPN server without needing to plug it into a monitor. That’s easy to do as long as you have a secure shell (SSH) client. Using SSH, you can get access to your Raspberry Pi’s command line from another computer.
Before disconnecting your Raspberry Pi from its monitor, run the command ifconfig to show your Pi’s IP address. It’s listed in the inet field as shown above. You’ll need it to connect your SSH client.
If you’re going to be setting up your Pi VPN server in Windows, use Putty to connect to your Raspberry Pi. You can download Putty here for free.
Once Putty is up and running, connect to your Raspberry Pi by typing the IP address you noted earlier. Also make sure that the Connection type is set to SSH. Click the Save button to create a profile for this connection.
If you’re installing Pi VPN using a computer running Mac or Linux, there’s no reason to download an SSH client. Just use your operating system’s terminal; it supports SSH by default.
The first time you connect to your Raspberry Pi, you’ll be prompted to save a security key. Click the Yes button to accept the key as valid and save it on your computer.
Next, enter your password. If you haven’t changed it yet, Raspberry Pi uses raspberry as the default password.
You’ve logged in successfully when you see the pi@hostname prompt.
It’s a good idea to change your default password the first time you connect over SSH. You can do that using the passwd command.
Updating Raspbian for Pi VPN
Make sure your operating system is up to date before you install Pi VPN.
First, get a list of all of the latest software. You can check for the latest versions of everything you have installed with the command:
sudo apt-get update
Once you have the latest list of software, tell your Raspberry Pi to upgrade itself with the command:
sudo apt-get upgrade
You’ll be prompted to press Y if you want to upgrade, and you should do it. It will take a few minutes for the upgrade process to run, and you can watch the progress on screen.
Setting a static IP address
Since you’re going to be relying on your Raspberry Pi for network services, you’ll need to know where to find it. That means you’ll have to set a static IP address before you begin.
You can also take this chance to change your hostname. Among other things, that will change the prompt you see when you’re logged in. It’s an easy way to tell multiple Pi’s apart, but changing your hostname is optional.
You’ll need to edit /etc/dhcpcd.conf to set a static IP address. Before you open the file, make sure you know your router’s IP address and the DNS servers you’ll be using. If you don’t already have that information, you can get it using ifconfig.
Once you’re ready, use this command to open it in the nano text editor:
sudo nano /etc/dhcpcd.conf
Scroll through the file until you see a line labeled Example static IP configuration. All you’ll need to do is uncomment the example configuration and make a few substitutions with your IP address, router, and gateways.
Uncomment static ip_address and substitute the static IP address you’d like to use. I’ve chosen 192.168.1.2 because it’s close to the router’s IP address and easy to remember.
Uncomment static routers and static domain_name_servers and insert your own values. Once you’ve made your changes, press Ctrl+X to quit, then Y to confirm that you want to save.
If you’re going to change your hostname, open /etc/hostname in nano as root with the following command:
sudo nano /etc/hostname
Change your hostname in the file and then press Ctrl+X in order to exit the editor, and Y to save the file.
You’ll have to do the same thing with the file at /etc/hosts. The command to edit the file is:
sudo nano /etc/hosts
Scroll down until you see 127.0.0.1 and change the hostname to whatever you’ve chosen. In my case, that’s pivpn. When you’re done, tell your Raspberry Pi to restart with the following command:
After your Pi restarts, make sure to update the IP address that you’re connecting to in order to reflect the new static IP address.
Figuring out Raspbian’s firewall
Since Raspbian is a Linux operating system, the firewall is built into the kernel and enabled by default. But on a new installation it’s left wide open.
Raspbian’s firewall (iptables) policy is to allow all inbound and outbound packets, and forward anything that requests it. Later, I’ll show you how to lock down the firewall, but before you begin make sure it’s completely open to connections.
You can use iptables -L to list your current firewall rules and make sure they match the ones above. If you’ve been changing the firewall, you can restore it to default with the following commands:
sudo iptables -F sudo iptables -P INPUT ACCEPT sudo iptables -P OUTPUT ACCEPT sudo iptables -P FORWARD ACCEPT
Choosing an encryption level
When you’re setting up your Pi VPN, you’ll be asked to pick the strength of your encryption. You’ll be able to choose from 1024-bit, 2048-bit, and 4096-bit RSA encryption. Here’s what you have to keep in mind:
- 2048-bit RSA encryption is the standard
- Using weaker encryption allows for higher speed
- 2048-bit is good for downloading, and streaming
- Using stronger encryption provides more protection
- 4096-bit is best used for email and browsing
Enabling 4096-bit RSA is tempting but, if you’re going to be streaming video or playing music through your connection, it will add a lot of overhead and slow things down noticeably. 2048-bit encryption is the standard for a reason, and I recommend you use it in most cases.
Timing out during long operations
SSH has a quirk, and sooner or later you’ll discover it for yourself. During long operations, if you’re connected to your Pi through SSH, the connection will drop when your computer goes to sleep. As soon as the SSH connection drops, the command you were running on your Pi stops being executed and you have to start over.
A utility called screen makes long SSH operations a lot easier to deal with. Using screen, you can start a session that’s tied to a single operation. Then you can connect or disconnect whenever you want, and come back to the session to check on its progress.
Once you install screen, you only need to know a few commands to use it. Get started by using apt to install screen:
sudo apt-get install screen
Once screen is installed, launch it with this command:
It won’t look like anything happened, but now any commands you give won’t stop running if you disconnect.
So if your connection drops, just SSH back into your Raspberry Pi and type:
You’ll automatically be reconnected to the SSH session, as long as it’s the only one active.
If you have more than one active screen session, you can list them with the command screen -ls. If you want to connect to a session you see in the list, you’ll need the 5-digit ID. So to reconnect to session 11712, I would use this command:
screen -r 11712
Once you get used to using it, screen makes managing your Raspberry Pi with SSH a lot more pleasant. You can learn more about all the different things screen is capable of here.
Installing Pi VPN
Once you’ve got your Raspberry Pi sorted out, you can connect to it and begin installing Pi VPN. This is the first part of a multi-part install, and it will provide the backend VPN functionality you need to connect to Pi VPN. In later steps, we’ll install a management web page and configure an outbound VPN connection for privacy.
Launching the installer
Pi VPN is installed through a script you download from its website using the curl command-line tool. Curl is just a tool for downloading from the internet without needing a browser.
The command you need to run in order to get started installing Pi VPN is:
curl -L https://install.pivpn.io/ | bash
That command will download the installation script at pivpn.io and pipe it to the bash command interpreter for execution.
The installation process begins immediately. It starts by checking apt to see if you have packages you can update. If you’re following this guide, you’ve already updated your system so the script will move on to the next step.
A few necessary packages will be installed, then the Pi VPN installer will launch.
The Pi VPN installer
The Pi VPN installer is a pseudo-graphical setup wizard that’s perfect to run over an SSH connection. When your screen turns blue and you’re shown a message from the installer, you can get started.
To begin, press enter to tell the Pi VPN setup wizard you’re ready.
You’ll be warned that you need to set a static IP address. I recommend you do this before launching the setup wizard, so if you haven’t already set a static IP address exit now and follow the instructions in the previous section.
Pi VPN will show you the IP address it detected. If this is the static IP address you set previously, press the Yes button.
You’ll be warned about IP address conflicts. The safest way to avoid conflicts is to look on your router for the DHCP range, and use a static IP address outside of that range.
In my case, I’m using 192.168.1.2 and my router assigns DHCP addresses between 192.168.1.100 – 192.168.1.200 so there’s no danger of conflict.
Press Ok to move forward.
You’ll want to go with the default pi user in most cases, so make sure it’s selected and press the Ok button.
I recommend you click Yes to allow unattended security updates on your Pi VPN server. Your Pi will be exposed to the internet through port forwarding, so it’s especially important that Pi VPN stays up to date.
If you click No, take care to run regular updates on your own.
It’s normal to be shown the console for a moment after configuring automatic updates. The installer will come back after a few seconds.
In most cases, you’ll want to setup Pi VPN using the UDP protocol. If you’re planning on using a subscription VPN provider to create an ultra-secure double-hop connection, use TCP.
Take note of which port number you’re using for Pi VPN; you’ll need it later.
Port 1194 is the default for UDP, while TCP defaults to port 443. If you’re following instructions to create a double-hop VPN, do not use the default TCP port or it will cause a conflict later. I chose TCP port 4430 instead, because it was easy to remember.
Setting up encryption
Now you’ll be able to choose your encryption level. Earlier I outlined each choice and why you might pick it. if you’re unsure about which to pick, take a look back at my advice.
Select the level of encryption you’d like to use with the space bar, then press Ok. I’m choosing to run 2048-bit encryption so I can stream video over the connection.
Generating these keys can take awhile. If you’re using high-level encryption, it will take even longer. Be patient and let Pi VPN generate your server keys.
Finishing the installation
After the server keys have been generated, the Pi VPN setup wizard is almost complete. Only a few more steps remain until you can connect.
Select Use this public IP unless you have a dynamic DNS account. If you’re using dynamic DNS, choose DNS entry and enter your hostname and settings as usual.
Next, you’ll have to choose a DNS provider for your VPN. I recommend Google for most users, since it’s free and easy. OpenDNS and Norton both provide secure DNS implementations if you’re interested in locking down any potential DNS leaks. You might also choose Custom if you’re going to be handling DNS requests with Pi-hole.
The setup wizard will tell you how to add users on the command line. In the next step, we’ll be installing a web application to help manage users. You can also use pivpn add.
Finally, click the Yes button and reboot your Raspberry Pi.
Installing Pi VPN GUI
Pi VPN GUI is a web tool for Pi VPN. It’s optional, but using it makes managing users and adding new devices a lot easier. I recommend you install it.
Every time you add a user to PiVPN, you’ll generate an *.ovpn profile. You can use Pi VPN GUI to both create the user account and make it easy to download the profile.
If you choose not to use Pi VPN GUI, you’ll need to add and manage users with the pivpn add and pivpn remove commands. You’ll also have to manually copy the *.ovpn profiles that are generated, usually using a command-line tool like scp.
Getting ready to install Pi VPN GUI
Before installing Pi VPN GUI, you need to update apt. You’ll have to add a repository in order to download all of the software that Pi VPN GUI requires. Here’s how to do it.
Use nano to edit apt’s list of sources. The command is:
sudo nano /etc/apt/sources.list
Add the following line to sources.list wherever you can find a spot:
deb http://mirrordirector.raspbian.org/raspbian jessie main contrib non-free rpi
That will tell apt that it’s okay to install packages from Debian Jessie, a previous release. That’s necessary because some of the software that Pi VPN GUI relies on hasn’t been added to the Debian stretch repositories yet.
Unfortunately, having a link to an old release in your sources.list file isn’t a best practice, even though we need it at the moment. It can cause conflicts later if you choose to install other software. It’s a good idea to remove the line you just added after installing these software packages.
Next, save and quit nano. Update apt with the command:
sudo apt-get update
Once the check is complete, install any updated packages with the command:
sudo apt-get upgrade
That’s all you need to do in order to add the necessary repository to apt. Now, install the prerequisites for Pi VPN GUI with the following command:
sudo apt-get install git apache2 php5 libapache2-mod-php5 php5-mcrypt expect geoip-bin
Press Y when prompted, and let the installer run. When you’re finished installing software, you’ll have to update some configuration files before you can install Pi VPN GUI.
Now that the prerequisite software is installed, you should remove the line you added from /etc/apt/sources.list and run sudo apt update again.
Updating the web configuration
Pi VPN GUI is a web app, and it needs an apache web server to run properly. We installed apache in the previous step, but now a few changes have to be made before Pi VPN GUI can run on your apache server.
First, you’ll need to change the user account that apache runs under. It defaults to an unsupported account, and we need to make it run as the user pi instead. Edit the apache config file using the command:
sudo nano /etc/apache2/apache2.conf
Scroll down until you see the line that says User $(APACHE_RUN_USER) followed by Group.
Change the values for User and Group to pi for both. Then press Ctrl+X to quit, and Y to save.
Next change the owner for the /var/www directory that apache uses to store websites in. You can give the user pi ownership of the web directory using this command:
sudo chown pi:pi -R /var/www
When you’re finished, change into the /var/www/html directory with this command:
You should complete the Pi VPN GUI installation from that directory.
Downloading and installing Pi VPN GUI
After all that work setting things up, it’s actually very easy to download and install Pi VPN GUI. All you need to do is check the project out using git. If you’ve followed along, we installed the git utility in a previous step.
Make sure you’re still in the /var/www/html directory and run the command:
The command will use git to clone Pi VPN GUI’s project directory in the root of your webserver, making it available as a web page. You can check to see if the installation was successful using your browser.
Connecting to Pi VPN GUI
Now that Pi VPN GUI is installed, you can open it in your browser and use it to manage Pi VPN users. I installed Pi VPN to my Raspberry Pi with an IP address of 192.168.1.2, so I can find Pi VPN GUI at http://192.168.1.2/pivpn-gui.
You should use the IP address that corresponds with your installation and open Pi VPN GUI in your browser.
You’ll be able to tell if you’ve connected successfully when you see a login prompt. If you’re unable to login, you’ll need to restart your Raspberry Pi.
For now, just bookmark a link to Pi VPN GUI so you can come back to it easily. The next step is setting up an outbound VPN connection in order to encrypt your internet connection. If you’d rather not sign up for a service like IPVanish, you can skip ahead to setting up your router and adding users.
Setting up an outbound VPN connection
If you don’t set up an outbound VPN connection, all of the traffic from devices connected to your VPN will connect to the internet using your LAN’s public IP address. Wherever you connect from, websites will think you’re connecting from home. That isn’t always a bad thing; for instance you might want to watch Netflix when you travel abroad.
But to get the most out of Pi VPN, I recommend you use an outbound VPN provider and create what’s called a ‘double-hop’ connection.
The advantage of a double-hop VPN connection is complete end-to-end encryption for your mobile internet when you connect to a site over HTTPS. The added security goes beyond just having two tunnels, since the outbound VPN server never sees the originating request.
In practical terms, that means any logs your VPN provider keeps won’t be able to identify the device that any individual request came from–everything resolves back to your Pi VPN server. It’s another layer of anonymity for everything you do online.
If you’re setting up Pi VPN just to connect to your home network remotely, you can skip this step and move on. But if you’re interested in creating a secure and anonymous internet connection for your phones, laptops, tablets, and other devices, you should use an outbound VPN connection along with Pi VPN.
READER DEAL: IPVanish offers a free 7-day trial for Comparitech customers if you don’t already have a VPN provider.
Using a VPN-enabled gateway router
If you already have a gateway router that supports an outbound VPN connection, your work is done. Since all traffic will leave your home network encrypted by the router, you’ve effectively got a double-hop VPN. In which case, you can stop and connect your clients.
If you’re interested in learning how to build a VPN-enabled router, or you have one that you’d like to set up, we have guides for that. If you already have a VPN-enabled router and need to set it up as a VPN client, take a look at how to choose a VPN provider and set up your router.
The rest of us will have to use our Pi to handle the encrypted outbound connection and routing required to create a second VPN hop.
Using IPVanish as an outbound VPN
IPVanish’s low latency makes it a great choice if you’re setting up a double-hop VPN connection like this, since your connection is waiting on two VPN servers to handle traffic. The process will be the same for any VPN provider that publishes OpenVPN profiles for their servers.
You’ll need to download an autologin profile and the digital certificate for your VPN provider. If you’re using IPVanish, those files are available to download here.
One easy way to get the files you need on your Pi VPN server is to connect via SSH and use the wget command to download them from the web. Make sure your Pi VPN server is connected to the internet, then change to the proper directory and download the files you need with these commands:
cd /etc/openvpn sudo wget http://www.ipvanish.com/software/configs/ca.ipvanish.com.crt sudo wget http://www.ipvanish.com/software/configs/ipvanish-US-Chicago-chi-a01.ovpn
Note that you should change the second URL to match the IPVanish server you’d like to connect with. In my case, I’m using an IPVanish server in Chicago.
Since you’ll connect to IPVanish automatically using the OpenVPN service, it’s important to rename the *.ovpn autologin profile you just downloaded. The OpenVPN service will only connect to profiles with the *.conf file extension. Use this command to rename the file to outgoing.conf:
sudo mv /etc/openvpn/ipvanish-US-Chicago-chi-a01.ovpn /etc/openvpn/outgoing.conf
Now that the files have been downloaded and prepared, you’re ready to setup the connection to your outgoing VPN provider.
Setting up the IPVanish connection
It’s easier to keep track of two simultaneous VPN connections if you rename each interface to reflect what it does. I like to use /dev/tun-incoming and /dev/tun-outgoing to refer to the different network interfaces.
Renaming the interfaces also ensures the connections won’t flip back and forth between being named /dev/tun0 and /dev/tun1, depending on which one comes online first. The device names are important to know if you want to be able to configure your firewall properly.
You can change the name of each interface by editing the connection settings. Each OpenVPN connection has a *.config file associated with it. Changing the first lines in each file renames the network interface.
Start by editing Pi VPN’s settings, located in /etc/openvpn/server.conf, with the following command:
sudo nano /etc/openvpn/server.conf
Change the first line from:
To the following, inserting a new line:
dev tun-incoming dev-type tun
Press Ctrl+X and then Y to save your changes. The next time Pi VPN comes online, it will create a device called /dev/tun-incoming.
You’ll need to edit the incoming config file at /etc/openvpn/outgoing.conf in the same way. Open it with this command:
sudo nano /etc/openvpn/outgoing.config
Like before, change the first line and insert a second at the top of the config file. This one should read:
dev tun-outgoing dev-type tun
But the outgoing VPN connection needs other changes, too. You’ll need to point it to the server certificate you downloaded in a previous step, and provide your username and password so the VPN can automatically connect.
Edit your outgoing.conf file to use the IPVanish server certificate. Change the line that starts with ca to read:
Then update or add auth-user-pass to point IPVanish at your password file, which we’ll create soon:
Your outgoing VPN connection also has to be told not to forward LAN traffic. You’ll need to add this line to the end of your outgoing.conf file to be able to access your local network through Pi VPN:
route 192.168.1.0 255.255.255.0 192.168.1.1
Remember to use the proper IP address for your LAN if it’s different than mine above. Save your changes to /etc/openvpn/outgoing.conf in nano by pressing Ctrl+X, then Y.
Now, create a password file that OpenVPN can use to login to IPVanish with your credentials. The format of this file couldn’t be simpler, it’s just your username on the first line and your password on the second. Use this command to create the file and open it for editing:
sudo nano /etc/openvpn/passwd
Enter your email address on the first line and your password on the second, then press Ctrl+X, Y to save the file. Since /etc/openvpn/passwd contains your credentials in plaintext, it’s important that you secure the file. You can lock down access to /etc/openvpn/passwd using chmod like this:
sudo chmod +600 /etc/openvpn/passwd
That will ensure only the root user can read or write the passwd file, which is the minimum level of security you need when storing your credentials in plaintext.
Updating your Raspberry Pi’s routing table
Before you can bring the outbound VPN online to secure your internet connection, you need to set your Raspberry Pi to route the traffic properly. Please remember to substitute your Pi’s static IP address if it’s different than mine below.
You’ll need to create or edit /lib/dhcpcd/dhcpcd-hooks/40-routes and add a few lines. Here’s the command:
sudo nano /lib/dhcpcd/dhcpcd-hooks/40-routes
Add these two lines to the script:
ip rule add from 192.168.1.2 lookup 101 ip route add default via 192.168.1.1 table 101
Then press Ctrl+X, Y to save your changes.
That’s the only change you’ll need to make to your Raspberry Pi’s routing table. After you’ve saved the changes and restarted your Pi, you’ll be able to run incoming and outgoing VPN connections at the same time.
Securing your DNS requests
In order to make your connection truly secure, you need to make sure to stop DNS leaks. A DNS leak occurs when your secure VPN connection looks up websites using a DNS server outside of the encrypted network. That exposes your VPN clients to dangers like DNS logging and man-in-the-middle attacks.
The solution is to force all incoming VPN clients to use the secure DNS server of your outgoing VPN provider. In this case, I’ll force my clients to use IPVanish’s DNS servers.
In order to change your DNS servers without having to reinstall Pi VPN, you’ll need to update /etc/openvpn/server.conf. Open it for editing using this command:
sudo nano /etc/openvpn/server.conf
Scroll through the file until you see the two lines that push DNS settings to your VPN clients. I installed Pi VPN using Google’s DNS servers initially, so the two lines that need to be changed in my server.conf look like this:
push “dhcp-option DNS 220.127.116.11” push “dhcp-option DNS 18.104.22.168”
If you’re using IPVanish, change these lines to read:
push “dhcp-option DNS 198.18.0.1” push “dhcp-option DNS 198.18.0.2”
If you’re using a different VPN provider, you’ll need to look online to find their DNS servers.
Once you’ve edited the file, save it with Ctrl+X, Y. Your changes will take effect the next time the OpenVPN service is restarted, and your VPN clients will use IPVanish’s secure servers automatically.
Connecting to IPVanish
Before you set OpenVPN to automatically connect to your outgoing VPN provider, you should test the connection. From the command line, type:
sudo service openvpn@outgoing start
The screen will fill with text showing you the state of the VPN connection. Double check /etc/openvpn/outgoing.conf if you have problems connecting, and make sure your username and password are correct and on separate lines in /etc/openvpn/passwd.
When you’ve connected successfully, disconnect from the VPN by pressing Ctrl + C. The last step in creating an outgoing VPN connection is setting it to autostart.
Starting the VPN connections automatically
Once your connection has tested okay, you should set both of your VPN connections to start automatically. OpenVPN makes it easy by letting you refer to each connection according to the name of the configuration file.
To get started, you’ll need to edit OpenVPN’s global configuration file with this command:
sudo nano /etc/default/openvpn
Then uncomment this line:
And change it to read:
Once you’ve finished, save your changes with Ctrl+X, Y and restart your Pi VPN server with the following command:
When your Raspberry Pi reboots, your Pi VPN server will be connected to the outgoing VPN provider and ready to start handling incoming connections.
Pi VPN router settings
The whole idea of a VPN is that it’s a tunnel from outside of your network to the inside. That means you’ll need to setup your router to allow certain connections through. We do this using port forwarding, and it can be very easy or a little more difficult depending on your router.
I’m using an entry model Linksys router for this guide, but every consumer router supports port forwarding. Your procedure might be a little different, but most router manufacturers offer port forwarding guides on the web.
Forwarding the VPN port
No VPN clients can connect to your network unless you forward the port you specified earlier. Normally all of these requests are blocked by your router for security reasons, but we have to make a special exception. In this case, it’s because we need to let VPN clients connect to Pi VPN through the internet.
Once you’ve logged in, click through the menus until you find port forwarding. In my case, it’s in Apps and Gaming — Firewall Settings.
Click to add a new port. You’ll need to know the port number, which you selected earlier. You’ll also need the static IP address of your Pi VPN server. In my case, that’s port 1134 and 192.168.1.2.
Click Save when you’ve setup port forwarding. Now VPN clients will be able to login when they’re outside of the local network.
Comcast Xfinity customers note
I wasn’t able to get my Comcast Xfinity router to forward ports properly. The problem was my router has a built-in intrusion detection system (IDS), which gets used a bit like a firewall to stop malicious attacks on your home network. The IDS can’t be turned off, and connecting to a VPN through your Comcast router triggers it, blocking the connection.
My solution was to put the Xfinity router in bridge mode and connect a wireless router to it. Then I was able to use the wireless router to turn on port forwarding and allow connections to my VPN. If you’re a Comcast user having trouble with port forwarding, leave a comment below for help.
Managing Pi VPN users
Every device that connects to your VPN needs to have a user account associated with it. When you create each account, Pi VPN will generate an OpenVPN profile. Later, you’ll use those *.ovpn profiles on your devices to set them up automatically.
Creating profiles with Pi VPN GUI
Here’s how to add users to Pi VPN. When you’re finished, you’ll be able to download the profile needed to connect to your private network.
Click the Create VPN profile button to add a new user.
Then type a username and click the Create profile button. I recommend naming each user after the device you plan to connecting with. Later on, it makes it easy to tell at a glance which devices are connected to the VPN.
A status window opens so you can follow along with the profile creation process. Generating cryptographic keys can take a long time, especially if you’re using 4096-bit encryption.
Pi VPN GUI will sometimes take you to a 404 message after successfully creating a profile. Click the pivpn link in the upper-left corner to return to the profile browser.
You’ll see a path to your OpenVPN client profile, and a button to Download it. You can click the Revoke client button to remove a user account. Revoking an account will cause the client to disconnect immediately.
Click the Create VPN profile button until you have a client profile for each device you want to be able to connect to your VPN. For instance, I had profiles for my phone and tablet, along with a Raspberry Pi that I use to stream TV.
Once you have profiles for each device, you can move to the next step and connect to your VPN.
Removing profiles with Pi VPN GUI
Sometimes you’ll have a problem with a profile, or want to remove it from your VPN. You can do that by revoking the client in Pi VPN GUI.
Open Pi VPN GUI and sign in. You can see a list of active profiles on the main screen.
Click the Revoke profile button for the device you want to remove and the profile will be deleted.
When you refresh Pi VPN GUI, you can see the profile has been removed. Keep in mind that this doesn’t delete the old *.ovpn file from your hard drive. You’ll need to remove the file manually using this command:
Be sure to substitute profile_name.conf with the name of your OpenVPN autologin profile.
Even if you don’t delete revoked profiles, there is no security risk. You’ll never be able to log in using a revoked profile, but I recommend you delete them to keep things clean.
Installing a mobile Pi VPN client
If you’re going to be connecting to Pi VPN on a mobile device, I recommend OpenVPN Connect, the official client. It’s completely free and integrates really well with iOS and Android.
Importing the Pi VPN autologin profile
You’ll need to make sure you’re connected to your home network over wifi, then open Pi VPN GUI in a browser. Remember that the path was set much earlier, and includes the local IP address of your Pi VPN server. In my case, it’s http://192.168.1.2/pivpn-gui/.
Log in with the username pi and the proper password.
iOS users: Note that Pi VPN GUI only works properly in Safari. Android users can connect with the browser of their choice.
Find the profile you made for your mobile device and click the Download button.
Use OpenVPN connect to import the *.ovpn file. When OpenVPN Connect launches, click the green plus. Your Pi VPN connection is ready to connect.
Connecting to Pi VPN
All that’s left is to open the tunnel to Pi VPN using the OpenVPN Connect app.
In the app, click the toggle button to initiate the connection. It should turn green, and your phone will display a VPN badge in the notification area.
You can check to make sure your VPN connection is working by visiting a site like http://www.ipaddress.com. If you’re not adding a computer to your VPN, you’re finished and can skip to the next section.
Installing a Pi VPN client on your computer
A lot of different VPN clients are available for Windows and Mac, but I recommend the official OpenVPN client. It’s free and easy to install, and lets you import your Pi VPN connection with just a few clicks.
Download the official client here, and install it as you would any other program.
Importing the Pi VPN autologin profile
If the computer you’re adding to the VPN is on your LAN, you can download the autologin profile from Pi VPN GUI. Browse to the path where you installed Pi VPN GUI earlier, in my case that is http://192.168.1.2/pivpn-gui/.
If the computer you’re adding Pi VPN is in a remote location, you won’t be able to connect directly to Pi VPN GUI. In that case, you’ll need to download the autologin profile using a device on the LAN. Once it’s downloaded, attach it to an email and send it to your remote computer. You can download the profile from your email and continue on as usual.
Once you have the autologin profile downloaded, right-click the OpenVPN icon in the system tray and click Import.
Connecting to Pi VPN
After the Pi VPN connection has been added, right-click the OpenVPN icon in the system tray and click the profile name to connect.
You’ll see a status window appear with the connection log. If your computer doesn’t connect properly, you can copy and paste the error code to figure out what went wrong. In most cases, if you can’t connect to your VPN, it’s because port forwarding wasn’t properly enabled.
Once connected, make sure the VPN is working by visiting a website like http://www.ipaddress.com.
More ideas for Pi VPN and your network
Having a server that’s accessible from anywhere makes it the perfect candidate for a lot of different projects. Here are some ideas for your Raspberry Pi now that you’re completely finished setting up your Pi VPN server.
Lock down the firewall
Raspberry Pi ships with a very permissive firewall by design, but it’s a good idea to be more restrictive when you’re running a VPN server.
Here are some sample rules to get you started. Remember to replace the PROTOCOL and PORT with what you’ve chosen for your Pi VPN server. Lines beginning with # are comments and don’t need to be typed.
#Accept incoming traffic on all interfaces, but limit eth0 to VPN only sudo iptables -A INPUT -i eth0 -m state --state NEW -p PROTOCOL --dport PORT -j ACCEPT sudo iptables -A INPUT -i tun-incoming -j ACCEPT sudo iptables -A INPUT -i tun-outgoing -j ACCEPT #Allow forwarding traffic between subnets sudo iptables -A FORWARD -i tun-incoming -j ACCEPT sudo iptables -A FORWARD -i tun-outgoing -j ACCEPT #Forward traffic through eth0 sudo iptables -A FORWARD -i tun-incoming -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i tun-outgoing -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT #Forward traffic through tun-incoming sudo iptables -A FORWARD -i eth0 -o tun-incoming -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i tun-outgoing -o tun-incoming -m state --state RELATED,ESTABLISHED -j ACCEPT #Forward traffic through tun-outgoing sudo iptables -A FORWARD -i eth0 -o tun-outgoing -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i eth0 -o tun-outgoing -m state --state RELATED,ESTABLISHED -j ACCEPT #MASQ tun-incoming as eth0 sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Once you’ve finished, use this command to save your changes:
sudo iptables-persistent save
Remember you can list currently active iptables rules with the command:
sudo iptables -L
Switch to dynamic DNS
Dynamic DNS adds lets you use a hostname instead of an IP address to connect to your Pi VPN server, even if you don’t have a static address from your ISP. For instance, you might use dynamic DNS to redirect vpn.websitename.com to your VPN server. If you’re thinking about hosting web services or email, in many cases you can run everything from the same Pi.
It’s best to re-run the Pi VPN installer if you’re going to switch to dynamic DNS. But once you’ve updated your settings, you’ll be able to access your Pi VPN server at the custom URL you selected.
Switching to dynamic DNS eliminates the need to reissue Pi VPN client profiles every time your public IP address changes.
Set up a fileserver
Your Raspberry Pi makes a great Samba fileserver. You can plug in a few USB drives, install lvm2 to create one giant filesystem spanning all of the disks, and share out your files to VPN clients.
Enabling Samba across your VPN takes a little work, but it’s extremely useful to be able to access your files, music, and movies from your mobile devices.
When you set the DNS provider during the Pi VPN installation, you could easily install Pi-hole, change your Custom DNS provider to 127.0.0.1, and block mobile ads automatically over your VPN.
Running Pi-hole on a VPN connection is the best way to block mobile ads without rooting your phone. You can even turn off Youtube pre-roll ads and stop seeing sponsored products on Amazon. Take a look at Comparitech’s guide to Pi-hole for more.
Run a seedbox
If you’ve got an outbound VPN up and running, your internet connection is completely encrypted. Having an anonymous internet connection is great for torrenting, and turning your Pi VPN server into a seedbox with Transmission is really easy.
Since the connection is already encrypted, all you have to do is install Transmission and the web client. You’ll be able to add torrents from your phone or laptop, and they’ll download at home.
Hands on with Pi VPN
I don’t think I’m telling any secrets when I say that I’m a huge nerd. My home network is full of smart devices like Hue lights, a Nest thermostat, and a couple of Sonos speakers. I’ve got a fileserver with Transmission, a Plex server, devices running Kodi, and a bunch of odds and ends like a network printer and DNS server running Pi-hole to block mobile ads.
If your home network is anything at all like mine, I’d tell you that Pi VPN is a game-changer. Not only have I managed to shut off every port save one on my firewall, but my mobile internet is completely encrypted and I can access my LAN from anywhere. My network security has dramatically improved, and I don’t have to configure port forwarding on my router every time I add a new device.
Once you’ve spent an afternoon setting things up, Pi VPN is almost unbelievably good. So many projects for Raspberry Pi are flashy and fun, but ultimately pretty useless. I’m happy to report that Pi VPN is a huge exception.