Raspberry PI & OpenVPN

The majority of these instructions come from : blog.remibergsma.com and have been reproduced with kind permission.

Like most things with Linux my working solution was actually a culmination of information from various places.

sudo apt-get install openvpn

After the install finishes, you need to generate keys for the server and the client(s). OpenVPN ships with the ‘easy-rsa’ tool. It’s easiest to copy the example folder and work from there.

sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn
sudo chown -R pi:pi *
cd /etc/openvpn/easy-rsa/2.0

The ‘easy-rsa’-tool has a file called ‘vars’ that you can edit to set some defaults. That will save you time later on but it’s not required to do so.

Load the vars like this (note the two dots):

. ./vars
(dot space dot/vars)

Generate the keys:

./clean-all
./build-ca
./build-key-server <server>
./build-key <client-name>
./build-dh

The first line makes sure we start from scratch. The second generates a key for the Certificate Authority. The key for the server itself is generated on the third line. Repeat the forth line for each client that needs to connect. Finally, we need the Diffie Hellman key as well, which is generated on the fifth line and will take a few mins to complete.

Copy the keys to the OpenVPN folder.

sudo cp ca.crt ca.key dh1024.pem <server>.crt <server>.key /etc/openvpn

Last step is to configure the server. You can copy the example config and make sure it points to the certs you just created.

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
sudo gunzip /etc/openvpn/server.conf.gz
sudo nano /etc/openvpn/server.conf

Change any settings (dchp scope, OpenVPN port etc) that are particular to your install in server.conf

When you’re done, start OpenVPN like this:

sudo /etc/init.d/openvpn start

The first time I started OpenVPN it failed with :

/etc/var/log/syslog
<snip>
raspberrypi ovpn-server[22119]: OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Apr 28 2012
raspberrypi ovpn-server[22119]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
raspberrypi ovpn-server[22119]: Diffie-Hellman initialized with 1024 bit key
raspberrypi ovpn-server[22119]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
raspberrypi ovpn-server[22119]: Socket Buffers: R=[163840->131072] S=[163840->131072]
raspberrypi ovpn-server[22119]: ROUTE default_gateway=192.168.99.1
raspberrypi ovpn-server[22119]: Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
raspberrypi ovpn-server[22119]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
raspberrypi ovpn-server[22119]: /sbin/ifconfig 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
raspberrypi ovpn-server[22119]: Linux ifconfig failed: external program exited with error status: 1
raspberrypi ovpn-server[22119]: Exiting
</snip>

Another VPN app I have which also uses /dev/net/tun failed with the same error.  Reboot fixed this and so far its not come back.

Check the state of the TUN0 interface

ifconfig tun0

All being well you’ll see:

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
 inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
 RX packets:49 errors:0 dropped:0 overruns:0 frame:0
 TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:100
 RX bytes:3772 (3.6 KiB) TX bytes:1212 (1.1 KiB)

You should now be able to connect to the OpenVPN server with a client. Which ever client you choose you will need the client.crt, client.key and ca.crt files plus the ip-address of your Raspberry Pi.

I chose TunnelBlick which after a rather convoluted profile setup seems to work well on OSX 10.8.2 (ML)

Have a look at ‘/var/log/syslog’ to access the logfiles. You’d be able to see which client connects:

Jan 5 22:07:56 raspberrypi ovpn-server[14459]: 1.2.3.4:64805 [client-name] Peer Connection Initiated with [AF_INET]1.2.3.4:64805

From the VPN client check that you can ping the LAN IP address of your RPi, assuming that works then you just need to push some routes around and you should be set.

VPN Client----VPN Subnet---RPI---LAN Subnet

To enable traffic from the VPN network to your local subnet you will need routes on each end to tell devices how and where to send traffic. To enable this on the VPN site :

sudo nano /etc/openvpn/server.conf

Find the push routes section and add a 'push route' statement which reflects your local network address.

You will also need to add a route back to the VPN Subnet, probably by adding a static route to your internet edge device.

Finally, enable routing on the Rasperry Pi:

There are a couple of ways suggested for this but what worked for me :

sudo nano /etc/sysctl.conf
uncomment : net.ipv4.ip_formward=1

Reboot your device.  You should now be able to connect to the VPN and ping other devices on your local network and vice-a-versa to VPN clients.