PiVPN – Simplest OpenVPN Setup And Configuration, Designed For Raspberry Pi


A while ago, we published a guide describing the easiest way to install and configure OpenVPN using a script called openvpn-install. Using this script, anyone, even a beginner, can have a working OpenVPN setup within a few minutes on DEB-based and RPM-based systems. The other day, one of our readers pointed out another similar script called “PiVPN”, which is used to set up OpenVPN on a Raspberry Pi. It is primarily designed for the Raspberry Pi; however, it will work on Debian and Ubuntu. Currently, it supports only Ubuntu 14.04 LTS.

How secure is PiVPN?

Before going to the installation part, let us discuss some of its security features. Even though the installation is trivial, that doesn’t mean PiVPN is not secure enough to use in production. Everything has been upgraded right out of the box beyond the default settings to harden the security of the server and client. It gives you the ability to enable unattended-upgrades, which will automatically patch your server with security updates. Also, the server configuration will only use the latest TLS 1.2 protocol. Both the data and control channels use upgraded AES and SHA256 encryption and hash algorithms.

I’d like to give it a try and see how it works in my Ubuntu 14.04 LTS server edition. So here we go.

PiVPN – Simplest OpenVPN Setup And Configuration

Install OpenVPN

Installation is extremely simple. Open Terminal and run the following command:

curl -L https://install.pivpn.io | bash

Yes, it is that simple. After a few seconds, enter the sudo user password. The above command will download and install the latest OpenVPN along with all required dependencies on your system. PiVPN will ask you a series of questions along the way. Just go with the defaults, as they are enough to set up a working OpenVPN server.

Click OK to continue.


PiVPN needs a STATIC IP ADDRESS to function properly.

If you have more than one network interface, choose one to configure.

PiVPN will not configure a static IP address if you’re not using a Raspberry Pi device. For the purpose of this guide I use Ubuntu 14.04, so it doesn’t configure the static IP.


Next, choose a local user that will hold your ovpn configurations.

It is recommended to enable unattended-upgrades so that security updates are installed automatically. Choose Yes to enable unattended-upgrades.


Choose a protocol.

Choose the OpenVPN port. The default value is enough for most cases.


Choose your desired level of encryption. I go with the default value.

Click OK to generate the Diffie-Hellman key:

Next, choose whether the clients use the public IP or a DNS name to connect to the server.


Choose the DNS Provider for your VPN Clients. To use your own, select Custom.

Congratulations! OpenVPN has been installed on your server.


Finally, click Yes to reboot your system.

To check if the OpenVPN service is running, enter the following command:

$ sudo service openvpn status
 * VPN 'server' is running

Check that the OpenVPN process is running on the server:

$ ps auxww | grep openvpn
nobody 936 0.0 0.3 28624 2428 ? Ss 16:15 0:00 /usr/sbin/openvpn --writepid /run/openvpn/server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf --script-security 2
sk 1206 0.0 0.1 11740 940 pts/1 S+ 16:15 0:00 grep --color=auto openvpn
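
The process listing shows the server reading /etc/openvpn/server.conf. To confirm that this file carries the settings described under "How secure is PiVPN?" (TLS 1.2, AES, SHA256), the following added example, which is not part of PiVPN, audits a config file. The function names are illustrative and the sample config is constructed for the demo; on a real install, point audit_openvpn_conf at /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Added example (not PiVPN code): audit an OpenVPN server config for the
# hardening the article describes: TLS 1.2 minimum, AES cipher, SHA256 HMAC.

# Print the first argument of a directive; awk field matching skips
# commented-out lines such as "#cipher ..." or ";cipher ...".
conf_value() {  # $1 = config file, $2 = directive name
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print one FAIL line per missing setting; return 0 only if there are none.
# An unset directive counts as a failure because OpenVPN then uses its default.
audit_openvpn_conf() {  # $1 = path to server.conf
    conf=$1
    failures=0
    tls_min=$(conf_value "$conf" tls-version-min)
    cipher=$(conf_value "$conf" cipher)
    auth=$(conf_value "$conf" auth)
    case "$tls_min" in
        1.2|1.3) ;;
        *) echo "FAIL tls-version-min: '${tls_min:-unset}'"; failures=$((failures + 1)) ;;
    esac
    case "$cipher" in
        AES-*) ;;
        *) echo "FAIL cipher: '${cipher:-unset}'"; failures=$((failures + 1)) ;;
    esac
    case "$auth" in
        SHA256|SHA384|SHA512) ;;
        *) echo "FAIL auth: '${auth:-unset}'"; failures=$((failures + 1)) ;;
    esac
    [ "$failures" -eq 0 ]
}

# Constructed sample config for the demo (not copied from a PiVPN install).
write_sample_conf() {  # $1 = output path
    cat > "$1" <<'EOF'
# constructed sample
port 1194
proto udp
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_openvpn_conf "$sample" && echo "PASS: sample meets the stated settings"
rm -f "$sample"
```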

As you can see, OpenVPN server is up and running! Let us go ahead and configure the clients.

Create a client ovpn profile

After rebooting the server, run the following command to create a client ovpn profile.

pivpn add

Or,

pivpn -a

Enter a name for your client system and a strong password.

Enter a Name for the Client: client ##ENTER client certificate name
Enter the password for the client: ##ENTER password
Enter the password again to verify: ##ENTER password again 
spawn ./easyrsa build-client-full client

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..................................................+++
.....................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.YlVMZrBWgj'
Enter PEM pass phrase:ubuntu

Verifying - Enter PEM pass phrase:ubuntu

-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'client'
Certificate is to be certified until Jul 9 09:47:17 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Client's cert found: client.crt
Client's Private Key found: client.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key

========================================================
Done! client.ovpn successfully created! 
client.ovpn was copied to:
 /home/sk/ovpns
for easy transfer.
========================================================

If you don’t want a password on the client certificate, you can skip the password option using the command:

pivpn add nopass

The client profiles will be stored under /home/username/ovpns. To verify it, run:

$ ls /home/sk/ovpns/
client.ovpn
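
Each profile in this directory is a credential, and one created with pivpn add nopass has no passphrase protecting its key. The following added example, which is not part of PiVPN, reports for every profile whether its key is encrypted and whether the file is readable by other users. It assumes each .ovpn embeds the client's private key in PEM form; the function names are illustrative and the demo profiles are constructed placeholders.

```shell
#!/bin/sh
# Added example (not PiVPN code): review generated client profiles.
# Assumption: each .ovpn embeds the client's private key in PEM form.

# Print "encrypted", "plaintext" or "none" for the key inside a profile.
ovpn_key_state() {  # $1 = path to .ovpn
    awk '
        /-----BEGIN ENCRYPTED PRIVATE KEY-----/  { state = "encrypted" }
        /-----BEGIN (RSA |EC )?PRIVATE KEY-----/ { if (state == "") state = "plaintext" }
        /^Proc-Type: 4,ENCRYPTED/                { state = "encrypted" }
        END { print (state == "" ? "none" : state) }
    ' "$1"
}

# Print "open" if group or others can read the file, else "private".
ovpn_perm_state() {  # $1 = path to .ovpn
    if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo open
    else
        echo private
    fi
}

# Report every profile in a directory; return 1 if any needs attention.
audit_profiles() {  # $1 = directory such as /home/sk/ovpns
    rc=0
    for f in "$1"/*.ovpn; do
        [ -e "$f" ] || continue
        key=$(ovpn_key_state "$f")
        perm=$(ovpn_perm_state "$f")
        echo "$(basename "$f"): key=$key perms=$perm"
        [ "$key" = encrypted ] && [ "$perm" = private ] || rc=1
    done
    return "$rc"
}

# Demo on constructed profiles (placeholder text, no real key material).
demo=$(mktemp -d)
printf '<key>\n-----BEGIN ENCRYPTED PRIVATE KEY-----\n(placeholder)\n</key>\n' > "$demo/client.ovpn"
printf '<key>\n-----BEGIN PRIVATE KEY-----\n(placeholder)\n</key>\n' > "$demo/phone.ovpn"
chmod 600 "$demo/client.ovpn"; chmod 644 "$demo/phone.ovpn"
audit_profiles "$demo" || echo "review the profiles flagged above"
rm -rf "$demo"
```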

You need to copy the profiles to your client systems in order to connect to the OpenVPN server.

For example, you can copy the client profiles using the scp command as shown below.

cd /home/sk/ovpns/
scp client.ovpn sk@192.168.43.150:/etc/openvpn/

Here, 192.168.43.150 is my openvpn client’s IP address.

List all certificates

To list all valid and revoked certificates, run:

pivpn list

Or,

pivpn -l

Sample output:

: NOTE : The first entry should always be your valid server!

::: Certificate Status List :::
 :: Status || Name :: 
 Valid :: server
 Valid :: client

Revoke a client ovpn profile

To revoke a client ovpn profile, run:

pivpn revoke

Or,

pivpn -r

Remove PiVPN

Don’t like PiVPN? You can uninstall it by running the following command:

pivpn -u

Or,

pivpn uninstall

And that’s all for now. In the next guide, I will explain how to authenticate OpenVPN clients. Hope this helps. If you find our guides useful, please spend a moment to share them on your social and professional networks and support OSTechNix!

Cheers!


  • aLilBabyOtter

    So I have it all set up, and I have OpenVPN installed on my computer and Android phone, but how do I connect to the Pi?

    • RuthlessPragmatic

      Pull the .ovpn file from the Pi for the user you want, and send it to each device. Easiest thing to do is email it but there are other ways that the app provides for. Open the file in the OpenVPN app and then put in the details for your server/username and the password you generated during the setup of that user. Device will then connect.
      Bear in mind that the combination of the password and the .ovpn file is effectively the keys to your front door – control them carefully.