Monday, September 23, 2013

Have a RaspberryPi? Need a VPN server?

The Raspberry Pi is a credit-card-sized computer that costs between $25 and $35 and plugs into your TV and a keyboard. It's a capable little PC which can be used for many of the things that your desktop PC does, like spreadsheets, word-processing and games. It also plays high-definition video. The SoC is a Broadcom BCM2835. This contains an ARM1176JZFS, with floating point, running at 700MHz, and a Videocore 4 GPU. The GPU is capable of BluRay quality playback, using H.264 at 40MBits/s. It has a fast 3D core accessed using the supplied OpenGL ES 2.0 and OpenVG libraries. The GPU provides OpenGL ES 2.0, hardware-accelerated OpenVG, and 1080p30 H.264 high-profile decode.
The GPU is capable of 1Gpixel/s, 1.5Gtexel/s or 24 GFLOPs of general purpose compute and features a bunch of texture filtering and DMA infrastructure.  That is, graphics capabilities are roughly equivalent to Xbox 1 level of performance. Overall real world performance is something like a 300MHz Pentium 2, only with much, much swankier graphics.
A VPN (virtual private network) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from encryption.
A VPN connection across the Internet is similar to a wide area network (WAN) link between the sites. From a user perspective, the extended network resources are accessed in the same way as resources available from the private network.
VPNs allow employees to securely access their company's intranet while traveling outside the office. Similarly, VPNs securely and cost-effectively connect geographically disparate offices of an organization, creating one cohesive virtual network. VPN technology is also used by ordinary Internet users to connect to proxy servers for the purpose of protecting one's identity.

Let's set up an OpenVPN server using your RaspberryPi


First of all you'll need to ensure you have Raspbian installed and running on your RaspberryPi. If you need to download the latest version you can get that here.  If you need help installing the operating system you can find help here.  Once you have your operating system installed and you have verified it is up and running you can proceed with the steps below.

Step 1
To be able to install the latest program versions we should update our package sources. Open a terminal window and type:
sudo apt-get update
Step 2
Now we are installing OpenVPN and OpenSSL via the terminal.
sudo apt-get install openvpn openssl
Step 3
We switch to the OpenVPN directory and copy into it a directory we will need later.
cd /etc/openvpn
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Step 4
Now we open the file easy-rsa/vars with nano and apply some changes.
sudo nano easy-rsa/vars
Find this line:
export EASY_RSA="`pwd`"
and change it to:
export EASY_RSA="/etc/openvpn/easy-rsa"
Step 5
We change the directory, log in as root user and execute some configurations.
cd easy-rsa
sudo su
source vars
./clean-all
./pkitool --initca
ln -s openssl-1.0.0.cnf openssl.cnf
Step 6
Now we are able to generate the components for the encryption of OpenVPN. After the first input you will be asked for the abbreviation of your country (US = USA, DE = Germany, AT = Austria, CH = Switzerland). All other inputs can simply be confirmed.
./build-ca OpenVPN
./build-key-server server
./build-key client1
Step 7
The calculation of the last components can take a few minutes.
./build-dh
exit
Step 8
We have to switch the directory again and create the file openvpn.conf with the following content:
cd ..
sudo touch openvpn.conf
sudo nano openvpn.conf
Nano is a text editor that opens within the terminal. Type the following:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
You can change the DNS servers to any you like; these are Google's. After you have finished typing all of that in, press Ctrl + O to save the file, then press Ctrl + X to exit the editor. If it asks you to save again, just say yes.
Step 9
Now, create the internet forwarding for the VPN clients. If you are not using an ethernet cable (e.g. Wifi) you will have to replace "eth0" with the name of your network device. Wifi will most likely be "wlan0".
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
Step 10
One of the final steps will be to delete the “#” before net.ipv4.ip_forward=1 in sysctl.conf.
cd ..
sudo nano sysctl.conf
Step 11
Part of the above settings has to be added to the crontab to work permanently. Insert the following line at the end of the crontab file (replace "eth0" if you did so above):
crontab -e
@reboot sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
Step 12
Change to the root user again and to the directory /etc/openvpn/easy-rsa/keys, in which we will create the file raspberrypi.ovpn and fill it with the configuration shown below the commands. RASPBERRY-PI-IP should be replaced by the internal IP address of your Pi or, if you are using a DynDNS service, by the given domain.
sudo su
cd /etc/openvpn/easy-rsa/keys
nano raspberrypi.ovpn
dev tun
client
proto udp
remote RASPBERRY-PI-IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Step 13
Now create an archive with all the needed files for the client, which we will place in /home/pi, and give the user pi the needed rights to the file.
# the CA private key (ca.key) stays on the server; clients only need ca.crt
tar czf openvpn-keys.tgz ca.crt client1.crt client1.csr client1.key raspberrypi.ovpn
mv openvpn-keys.tgz /home/pi
chown pi:pi /home/pi/openvpn-keys.tgz
exit
Step 14
Restart the OpenVPN server.
sudo /etc/init.d/openvpn start
exit
Finished! Now we are able to download the file openvpn-keys.tgz to the client and extract the files to your OpenVPN client folder.
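
As an added example (not part of the original post), the script below checks the finished setup: it reads the server configuration from Step 8 for settings that are weak by current standards and lists any CA or server private key found in the client archive from Step 13. The function names and finding labels are assumptions of this example, and the DH size is inferred from the dh<KEY_SIZE>.pem file name that easy-rsa 2.0 produces.

```shell
#!/bin/sh
# Added example: checks for the server config and client bundle built in the
# steps above. Function names and finding labels are this example's own.

# Print one finding per line for directives in an OpenVPN server config.
audit_server_conf() {
    # Drop blank lines and comment lines (# or ;) so only live directives count.
    active=$(grep -Ev '^[[:space:]]*([#;]|$)' "$1")

    # easy-rsa 2.0 names the DH file dh<KEY_SIZE>.pem, so the name gives the size.
    bits=$(printf '%s\n' "$active" |
        sed -n 's/^[[:space:]]*dh[[:space:]].*dh\([0-9][0-9]*\)\.pem.*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WEAK-DH: ${bits}-bit DH parameters; regenerate with KEY_SIZE=2048 or larger"
    fi
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*comp-lzo'; then
        echo "COMPRESSION: comp-lzo compresses traffic before encryption, which can leak plaintext (VORACLE)"
    fi
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*tls-(auth|crypt)[[:space:]]'; then
        echo "NO-TLS-AUTH: no tls-auth/tls-crypt key; any host can start a TLS handshake with the server"
    fi
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*cipher[[:space:]]'; then
        echo "NO-CIPHER: no cipher line; OpenVPN 2.3 and older default to BF-CBC"
    fi
}

# Print every CA or server private key found in a client bundle (.tgz).
# Clients need only ca.crt, their own .crt/.key and the .ovpn file.
audit_client_bundle() {
    tar tzf "$1" | grep -E '(^|/)(ca|server)\.key$' |
        sed 's/^/PRIVATE-KEY-IN-BUNDLE: /'
}

# Usage: sh audit.sh /etc/openvpn/openvpn.conf /home/pi/openvpn-keys.tgz
if [ "$#" -eq 2 ]; then
    audit_server_conf "$1"
    audit_client_bundle "$2"
fi
```

An empty result from both functions means none of these findings apply; run it with sudo if the configuration file is not readable by your user.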




Have a RaspberryPi? Need a VPN server? by Randy Rowland is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.