
OpenVPN on Raspbian (Debian Wheezy) with username and password authentication


Run your own OpenVPN server on a Raspberry Pi

Raspberry Pi

The Raspberry Pi is a very cheap small board with a 700 MHz ARM11 SoC. The model B has an Ethernet interface and can thus be used as a small Linux server. The low power consumption of a Raspberry Pi makes it well suited for a private OpenVPN server.

Raspbian

Raspbian is a free operating system based on Debian and optimised for the Raspberry Pi hardware. It runs from an SD card.

OpenVPN

OpenVPN is a very flexible, full-featured SSL/TLS VPN and is completely open source. It can be set up in many different ways; this page concentrates on a VPN with username and password authentication, where the credentials are checked against the server's own Unix accounts through PAM.

Server

Install openvpn

apt-get install openvpn

Create certificates and keys

cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0

Edit the file vars. The values below replace the example defaults. KEY_SIZE=1024 was the easy-rsa default at the time and is too small today; if you raise it to 2048, the Diffie-Hellman file referenced in server.conf is named dh2048.pem instead of dh1024.pem.

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
# size of the CA key, the server key and the DH parameters
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
# subject fields of the CA and server certificates; pick your own values
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL=mail@host.domain
export KEY_CN=somecn
export KEY_NAME=somename
export KEY_OU=someorganisationunit

Now generate the CA certificate, the Diffie-Hellman parameters and the server certificate and key:

. ./vars
./clean-all            # creates an empty keys directory (and wipes any keys already there)
./build-ca
./build-dh
./build-key-server my_server

Make a symlink to the keys directory in /etc/openvpn

cd /etc/openvpn
ln -s easy-rsa/2.0/keys .
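Before going on it is worth checking what easy-rsa produced, because the client configuration later on uses ns-cert-type server, which makes the client reject any server certificate that was not built with build-key-server. The script below is an added example and is not part of the original page or of easy-rsa: check_server_cert inspects a certificate with openssl and fails if the nsCertType server flag is missing or the RSA key is shorter than 2048 bits; make_sample_cert builds a throwaway self-signed certificate with or without that flag so the check can be exercised offline. Both take paths as arguments and touch nothing under /etc/openvpn.

```sh
#!/bin/sh
# Added example, not from the original page or from easy-rsa.

# check_server_cert CERT: return 0 if CERT carries nsCertType=server (what
# easy-rsa's build-key-server adds and the client's "ns-cert-type server"
# demands) and an RSA key of at least 2048 bits; print the reason otherwise.
check_server_cert() {
    crt=$1
    txt=$(openssl x509 -in "$crt" -noout -text) || return 2
    # The text dump renders nsCertType=server as "Netscape Cert Type: SSL Server".
    if ! printf '%s\n' "$txt" | grep -q 'SSL Server'; then
        echo "$crt: no nsCertType=server; rebuild with build-key-server, not build-key"
        return 1
    fi
    # "Public-Key: (2048 bit)" on current OpenSSL, "RSA Public Key: (1024 bit)" on old ones.
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "$crt: ${bits:-unknown} bit key; set KEY_SIZE=2048 in vars before build-key-server"
        return 1
    fi
    return 0
}

# make_sample_cert DIR BITS SERVER: write a throwaway self-signed certificate to
# DIR/cert.pem. SERVER=1 adds nsCertType=server, SERVER=0 leaves it out; this
# stands in for build-key-server / build-key so the check can be tried offline.
make_sample_cert() {
    d=$1; bits=$2; server=$3
    cat > "$d/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
[dn]
[ext]
basicConstraints = CA:FALSE
EOF
    if [ "$server" -eq 1 ]; then
        echo 'nsCertType = server' >> "$d/req.cnf"
    fi
    openssl req -x509 -new -newkey "rsa:$bits" -nodes -days 1 -subj '/CN=sample' \
        -config "$d/req.cnf" -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
}
```

Run check_server_cert /etc/openvpn/keys/my_server.crt on the Pi after build-key-server; a certificate that fails the first test will be refused by every client that has ns-cert-type server in its configuration.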

/etc/openvpn/server.conf

# tunnel device; the "server" line assigns it 10.9.8.1 and hands out the rest of the subnet to clients
# ("server" also implies mode server and tls-server, so those need not be listed)
dev tun0
server 10.9.8.0 255.255.255.0
# username and password are checked against the local Unix accounts through PAM's "login" service
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
username-as-common-name
# no client certificates: the password is the only client-side credential, so use strong ones
# (from OpenVPN 2.4 on this directive is spelled "verify-client-cert none")
client-cert-not-required
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/my_server.crt
key /etc/openvpn/keys/my_server.key
keepalive 10 120
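Two things about this server.conf deserve a second look. The line server 10.9.8.0 255.255.255.0 is a macro that already expands to mode server, tls-server and an ifconfig of the first two subnet addresses, so spelling those out as well is at best noise and at worst a conflicting tunnel address. And with client-cert-not-required the only thing between the Internet and the Pi's password database is the TLS handshake itself. The script below is an added example, not from the page or from the OpenVPN project: lint_server_conf flags those points together with 1024-bit DH parameters and a missing privilege drop, write_weak_conf writes a configuration that has all of them for comparison, and write_hardened_conf writes the version I would run. It assumes a tls-auth key at /etc/openvpn/keys/ta.key, generated with openvpn --genkey --secret /etc/openvpn/keys/ta.key (the file name is my choice), and keeps the page's PAM plugin and key paths.

```sh
#!/bin/sh
# Added example, not from the page or from OpenVPN.

# lint_server_conf FILE: print one line per finding, return 1 if there were any.
lint_server_conf() {
    f=$1
    rc=0
    # "server" expands to mode server, tls-server and ifconfig; repeating them
    # is at best noise and at worst a conflicting tunnel address.
    if grep -q '^server ' "$f" && grep -q '^ifconfig ' "$f"; then
        echo "redundant: 'ifconfig' next to 'server', which already assigns the tunnel addresses"; rc=1
    fi
    if grep -q '^server ' "$f" && grep -Eq '^(mode server|tls-server)' "$f"; then
        echo "redundant: 'mode server' / 'tls-server' are implied by 'server'"; rc=1
    fi
    if grep -q 'dh1024' "$f"; then
        echo "weak: 1024-bit Diffie-Hellman parameters; rebuild with KEY_SIZE=2048"; rc=1
    fi
    # Without client certificates every host on the Internet can start a TLS
    # handshake and try passwords; tls-auth drops unsigned packets before that.
    if grep -q '^client-cert-not-required' "$f" && ! grep -q '^tls-auth ' "$f"; then
        echo "exposed: password-only authentication without tls-auth"; rc=1
    fi
    if ! grep -q '^user ' "$f"; then
        echo "privilege: no 'user'/'group' directive, openvpn stays root after startup"; rc=1
    fi
    return $rc
}

# write_weak_conf FILE: a server.conf with every issue the linter knows about.
write_weak_conf() {
    cat > "$1" <<'EOF'
dev tun0
ifconfig 10.9.8.1 10.9.8.2
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
username-as-common-name
mode server
tls-server
dh /etc/openvpn/keys/dh1024.pem
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/my_server.crt
key /etc/openvpn/keys/my_server.key
client-cert-not-required
server 10.9.8.0 255.255.255.0
keepalive 10 120
EOF
}

# write_hardened_conf FILE: the same PAM setup, cleaned up and with the extras.
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun0
# Expands to mode server, tls-server, ifconfig 10.9.8.1 10.9.8.2 and the address pool.
server 10.9.8.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/my_server.crt
key /etc/openvpn/keys/my_server.key
dh /etc/openvpn/keys/dh2048.pem
# Static HMAC key shared with every client (direction 1 on the client side);
# packets without a valid HMAC are dropped before any TLS work is done.
tls-auth /etc/openvpn/keys/ta.key 0
# Username/password against the Unix accounts via PAM, no client certificate.
# (OpenVPN 2.4 and later spell the last line "verify-client-cert none".)
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
username-as-common-name
client-cert-not-required
# Route all client traffic through the Pi; needs the NAT rules from the iptables section.
push "redirect-gateway def1"
keepalive 10 120
# Drop root once the tun device and keys are open; the PAM plugin forks its
# privileged helper before this, so it can still read /etc/shadow.
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF
}
```

Running lint_server_conf against the file written by write_weak_conf prints five findings; against the hardened file it prints nothing and returns 0. The push "redirect-gateway def1" line is what actually sends client traffic through the NAT rules set up further down; without it only 10.9.8.0/24 traffic enters the tunnel.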

Restart OpenVPN

/etc/init.d/openvpn restart

/etc/sysctl.conf

Uncomment the following line so the Pi forwards packets between tun0 and eth0 (it takes effect after a reboot, or immediately with sysctl -p):

net.ipv4.ip_forward=1

iptables

Create /etc/network/if-pre-up.d/iptables so the rules are loaded before the interfaces come up, and make it executable (chmod +x), otherwise ifup ignores it:

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules

To create the rules, issue the following commands (they take effect immediately). The first rule lets replies back in to the VPN clients, the second lets the clients out, and the third hides them behind the Pi's eth0 address:

iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.9.8.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE

Save the current rule set (all of it, not only the three rules above) to the file the hook loads:

iptables-save > /etc/iptables.up.rules
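The two FORWARD rules only restrict anything if the FORWARD chain's default policy is DROP; with Debian's default of ACCEPT they are no-ops, and nothing above protects the Pi's own ports either. The script below is an added example and not from the page: gen_iptables_rules prints a complete /etc/iptables.up.rules in the format iptables-restore reads, with DROP defaults, the page's forwarding and NAT rules, and INPUT rules for ssh and OpenVPN, so what is loaded at boot is exactly what was reviewed rather than whatever iptables-save happened to capture. install_rules writes that file and the if-pre-up hook. eth0, tun0, 10.9.8.0/24 and UDP port 1194 are as on the page; ssh on port 22 and the variable names are my assumptions.

```sh
#!/bin/sh
# Added example, not from the page. Generates the rule file instead of dumping
# the live kernel state, so what is loaded at boot is exactly what was reviewed.
VPN_NET=10.9.8.0/24   # OpenVPN subnet from server.conf
WAN_IF=eth0           # interface towards the LAN / Internet
VPN_IF=tun0           # OpenVPN tunnel interface
SSH_PORT=22           # assumed

# gen_iptables_rules: print the rule set in the format iptables-restore reads.
gen_iptables_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The Pi itself: loopback, replies to its own traffic, ssh, OpenVPN and ping.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Routed traffic: VPN clients may open connections outward, only replies come back in.
-A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the $VPN_NET addresses behind the Pi's own address on $WAN_IF.
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# count_rules CHAIN: number of -A lines for CHAIN in the generated rule set.
count_rules() {
    gen_iptables_rules | grep -c "^-A $1 "
}

# install_rules: write the file and the hook that loads it before the
# interfaces come up (run as root). The hook must be executable, or
# ifup silently skips it.
install_rules() {
    gen_iptables_rules > /etc/iptables.up.rules
    cat > /etc/network/if-pre-up.d/iptables <<'EOF'
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
EOF
    chmod 755 /etc/network/if-pre-up.d/iptables
    # Load now as well, so no reboot is needed to get the policy in place.
    /sbin/iptables-restore < /etc/iptables.up.rules
}
```

Because INPUT defaults to DROP, run install_rules from the console (or a session you can afford to lose) the first time and confirm ssh still works before relying on it.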

Client

Install openvpn

apt-get install openvpn

Copy keys

mkdir /etc/openvpn/keys

Copy the file ca.crt from the server into the /etc/openvpn/keys directory on the client.

/etc/openvpn/client.conf

client
# asks for username and password on the terminal; for unattended starts give it a file name instead
auth-user-pass
dev tun0
remote SERVER-IP-ADDRESS 1194
resolv-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
# only accept a server certificate built with build-key-server,
# so no other certificate signed by the same CA can pose as the server
ns-cert-type server
persist-key
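The auth-user-pass line as written makes OpenVPN ask for the username and password on the terminal, which is fine for a test from the shell but not for the init script used below, where there is no terminal to ask on. The script below is an added example, not from the page: write_credentials writes the two-line file (username, then password) that OpenVPN accepts as the argument of auth-user-pass, with owner-only permissions; credentials_ok checks that; write_client_conf writes a client.conf that reads the file. The file name /etc/openvpn/keys/credentials is my choice, SERVER-IP-ADDRESS is the page's placeholder.

```sh
#!/bin/sh
# Added example, not from the page: credentials file for an unattended client.
CRED_FILE=/etc/openvpn/keys/credentials   # my file name, not the page's

# write_credentials DIR USER PASS: the two-line file (username, then password)
# that "auth-user-pass FILE" reads, created readable by the owner only.
write_credentials() {
    d=$1; user=$2; pass=$3
    # umask keeps the file private from the moment it exists; chmod covers
    # the case where an older, more permissive copy is being overwritten.
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$d/credentials" )
    chmod 600 "$d/credentials"
}

# credentials_ok FILE: 0 if the file has exactly two lines and mode 0600.
credentials_ok() {
    f=$1
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 2 ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = 600 ]
}

# write_client_conf FILE: the page's client.conf, reading credentials from CRED_FILE.
write_client_conf() {
    cat > "$1" <<EOF
client
dev tun0
proto udp
remote SERVER-IP-ADDRESS 1194
resolv-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
# Read username and password from the file instead of prompting on a terminal.
auth-user-pass $CRED_FILE
# Only accept a server certificate built with build-key-server (nsCertType=server).
ns-cert-type server
# If the server uses tls-auth, add the same key here with direction 1:
# tls-auth /etc/openvpn/keys/ta.key 1
persist-key
persist-tun
verb 3
EOF
}
```

The password now sits on the client's disk in clear text, so the account it belongs to should be a dedicated Unix account on the Pi that exists for nothing but the VPN, with a password that is not used anywhere else.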

/etc/config/network (OpenWrt client)

The block below is OpenWrt UCI syntax and belongs in /etc/config/network, not in a Debian /etc/network/interfaces; it declares tun0 as a named interface so it can be placed in a firewall zone. A Debian client needs no interface entry at all, because OpenVPN creates and configures tun0 itself.

config interface vpn
  option ifname tun0
  option proto none

Restart OpenVPN

/etc/init.d/openvpn restart
