
PiVPN – Simplest OpenVPN Setup And Configuration, Designed For Raspberry Pi

By sk

A while ago, we published a guide describing the easiest way to install and configure OpenVPN using a script called openvpn-install. Using this script, anyone, even beginners, can implement a working OpenVPN setup within a few minutes on DEB-based and RPM-based systems. The other day, one of our readers suggested another similar script called "PiVPN", which is used to set up OpenVPN on a Raspberry Pi. It is primarily designed for Raspberry Pi; however, it will work on Debian and Ubuntu. Currently, it supports only Ubuntu 14.04 LTS.

How secure is PiVPN?

Before going to the installation part, let us discuss some of its security features. Even though the installation is trivial, that doesn't mean PiVPN is not secure enough to use in production. Everything has been upgraded right out of the box beyond the default settings to harden the security of the server and client. It gives you the option to enable unattended-upgrades, which will automatically patch your server with security updates. Also, the server configuration will only use the latest TLS 1.2 protocol. Both the data and control channels use upgraded AES and SHA256 encryption and hash algorithms.

I'd like to give it a try and see how it works on my Ubuntu 14.04 LTS server edition. So here we go.

PiVPN - Simplest OpenVPN Setup And Configuration

Install OpenVPN

Installation is extremely simple. Open Terminal and run the following command:

curl -L https://install.pivpn.io | bash

Yes, it is that simple. After a few seconds, enter the sudo user password. The above command will download and install the latest OpenVPN along with all required dependencies on your system. PiVPN will ask you a series of questions along the way. Just go with the defaults, as they are enough to set up a working OpenVPN server.

Click OK to continue.


PiVPN needs a STATIC IP ADDRESS to function properly.

If you have more than one network interface, choose one to configure.

PiVPN will not configure a static IP address if you're not using a Raspberry Pi device. For the purpose of this guide, I use Ubuntu 14.04, so it doesn't configure the static IP.

Next, choose a local user that will hold your ovpn configurations.

It is recommended to enable unattended-upgrades so that security updates are installed automatically. Choose Yes to enable unattended-upgrades.

Choose a protocol.

Choose the OpenVPN port. The default value is enough for most cases.

Choose your desired level of encryption. I go with the default value.


Click OK to generate Diffie-Hellman key:


Next, choose whether the clients use public IP or DNS name to connect to server.


Choose the DNS Provider for your VPN Clients. To use your own, select Custom.


Congratulations! OpenVPN has been installed in your server.


Finally, click Yes to reboot your system.


To check if the OpenVPN service is running, enter the following command:

$ sudo service openvpn status
 * VPN 'server' is running

Check that the OpenVPN process is running:

$ ps auxww | grep openvpn
nobody 936 0.0 0.3 28624 2428 ? Ss 16:15 0:00 /usr/sbin/openvpn --writepid /run/openvpn/server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf --script-security 2
sk 1206 0.0 0.1 11740 940 pts/1 S+ 16:15 0:00 grep --color=auto openvpn

As you can see, OpenVPN server is up and running! Let us go ahead and configure the clients.
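
Before creating client profiles, the hardening described under "How secure is PiVPN?" can be checked against the generated /etc/openvpn/server.conf. The following is an added example, not part of PiVPN or the original guide; the function names and the sample config are constructed, and the directives checked (tls-version-min, cipher, auth, tls-auth, user) are standard OpenVPN options assumed to be the ones PiVPN writes.

```shell
#!/bin/sh
# Added example (not PiVPN code): check an OpenVPN server config for the
# hardening the article lists. Directive names are standard OpenVPN options.

# conf_value FILE KEY: print the first argument of directive KEY.
# Commented-out lines never match because their first field is not KEY.
conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# audit_server_conf FILE: print PASS/FAIL per check, return the failure count.
audit_server_conf() {
    conf=$1
    fails=0
    report() {  # report PASS|FAIL MESSAGE
        echo "$1: $2"
        [ "$1" = PASS ] || fails=$((fails + 1))
    }
    v=$(conf_value "$conf" tls-version-min)
    case $v in
        1.2|1.3) report PASS "control channel requires TLS $v or newer" ;;
        *)       report FAIL "tls-version-min is '${v:-unset}', want 1.2" ;;
    esac
    v=$(conf_value "$conf" cipher)
    case $v in
        AES-*) report PASS "data channel cipher $v" ;;
        *)     report FAIL "cipher is '${v:-unset}', want an AES cipher" ;;
    esac
    v=$(conf_value "$conf" auth)
    case $v in
        SHA256|SHA384|SHA512) report PASS "HMAC digest $v" ;;
        *)                    report FAIL "auth is '${v:-unset}', want SHA256" ;;
    esac
    v=$(conf_value "$conf" tls-auth)
    if [ -n "$v" ]; then report PASS "tls-auth key configured ($v)"
    else report FAIL "no tls-auth key configured"; fi
    v=$(conf_value "$conf" user)
    case $v in
        ''|root) report FAIL "daemon keeps root (user '${v:-unset}')" ;;
        *)       report PASS "daemon drops privileges to user $v" ;;
    esac
    return "$fails"
}

# Constructed sample config (not from a real server): tls-version-min is missing.
sample=$(mktemp)
printf '%s\n' 'port 1194' 'proto udp' 'cipher AES-256-CBC' 'auth SHA256' \
    'tls-auth ta.key 0' 'user nobody' 'group nogroup' > "$sample"
audit_server_conf "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On the server, call `audit_server_conf /etc/openvpn/server.conf`, using sudo if the file is not readable by your user.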

Create a client ovpn profile

After rebooting the server, run the following command to create a client ovpn profile.

pivpn add

Or,

pivpn -a

Enter a name for your client system and a strong password.

Enter a Name for the Client: client ##ENTER client certificate name
Enter the password for the client: ##ENTER password
Enter the password again to verify: ##ENTER password again 
spawn ./easyrsa build-client-full client

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..................................................+++
.....................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.YlVMZrBWgj'
Enter PEM pass phrase:ubuntu

Verifying - Enter PEM pass phrase:ubuntu

-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'client'
Certificate is to be certified until Jul 9 09:47:17 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Client's cert found: client.crt
Client's Private Key found: client.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key

========================================================
Done! client.ovpn successfully created! 
client.ovpn was copied to:
 /home/sk/ovpns
for easy transfer.
========================================================

If you don't want a password for the client certificates, you can skip the password option using the command:

pivpn add nopass

The client profiles will be stored under /home/username/ovpns. To verify it, run:

$ ls /home/sk/ovpns/
client.ovpn

You need to copy the profiles to your client systems in order to connect to the OpenVPN server.

For example, you can copy the client profiles using the scp command as shown below.

cd /home/sk/ovpns/
scp client.ovpn sk@192.168.43.150:/etc/openvpn/

Here, 192.168.43.150 is my OpenVPN client's IP address.
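
Because a profile created with `pivpn add nopass` carries a private key with no passphrase, it is worth checking what sits in /home/sk/ovpns before copying files around. This added example is not from PiVPN or the original guide; it assumes each .ovpn embeds the client's PEM private key inline, and the function names and demo profiles are constructed.

```shell
#!/bin/sh
# Added example (not PiVPN code). Assumes each .ovpn profile embeds the client's
# PEM private key inline, so the file alone may be a usable credential.

# key_state FILE: print encrypted | unencrypted | missing.
key_state() {
    awk '
        /-----BEGIN ENCRYPTED PRIVATE KEY-----/  { state = "encrypted" }  # PKCS#8
        /-----BEGIN (RSA |EC )?PRIVATE KEY-----/ { if (state == "") state = "unencrypted" }
        /^Proc-Type: 4,ENCRYPTED/                { state = "encrypted" }  # legacy PEM
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# is_private FILE: succeed only if neither group nor others can read FILE.
is_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# audit_profiles DIR: one line per profile; return the number needing attention.
audit_profiles() {
    findings=0
    for f in "$1"/*.ovpn; do
        [ -e "$f" ] || continue
        state=$(key_state "$f")
        if is_private "$f"; then mode=private; else mode=readable-by-others; fi
        echo "$(basename "$f"): key=$state perms=$mode"
        if [ "$state" != encrypted ] || [ "$mode" != private ]; then
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed demo profiles; the key bodies are placeholders, not real keys.
demo=$(mktemp -d)
printf '%s\n' client '<key>' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
    'PLACEHOLDER' '-----END ENCRYPTED PRIVATE KEY-----' '</key>' > "$demo/client.ovpn"
printf '%s\n' client '<key>' '-----BEGIN PRIVATE KEY-----' \
    'PLACEHOLDER' '-----END PRIVATE KEY-----' '</key>' > "$demo/phone.ovpn"
chmod 600 "$demo/client.ovpn"; chmod 644 "$demo/phone.ovpn"
audit_profiles "$demo" || echo "$? profile(s) need attention"
rm -rf "$demo"
```

On the server from this guide, the call would be `audit_profiles /home/sk/ovpns`.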

List all certificates

To list all valid and revoked certificates, run:

pivpn list

Or,

pivpn -l

Sample output:

: NOTE : The first entry should always be your valid server!

::: Certificate Status List :::
 :: Status || Name :: 
 Valid :: server
 Valid :: client

Revoke a client ovpn profile

To revoke a client ovpn profile, run:

pivpn revoke

Or,

pivpn -r

Remove PiVPN

Don't like PiVPN? You can uninstall it by running the following command:

pivpn -u

Or,

pivpn uninstall

And that's all for now. In the next guide, I will explain how to authenticate OpenVPN clients. Hope this helps. If you find our guides useful, please spend a moment to share them on your social and professional networks and support OSTechNix!

Cheers!


9 comments

aLilBabyOtter October 15, 2017 - 8:06 am

So I have it all set up, and I have OpenVPN installed on my computer and Android phone, but how do I connect to the Pi?

RuthlessPragmatic October 22, 2017 - 2:24 am

Pull the .ovpn file from the Pi for the user you want, and send it to each device. Easiest thing to do is email it but there are other ways that the app provides for. Open the file in the OpenVPN app and then put in the details for your server/username and the password you generated during the setup of that user. Device will then connect.
Bear in mind that the combination of the password and the .ovpn file is effectively the keys to your front door – control them carefully.

Bedananda Gautam November 11, 2018 - 9:58 am

I have configured it correctly. How do I view the status of connected clients on the Raspberry Pi? Please do mention it.

Bill Steiner April 15, 2019 - 1:06 am

Installing and using PiVPN was the easiest method of setting up OpenVPN I have come across in the last 3 years of trying to set up a VPN. After setting it up on 3 separate Pis at 3 separate locations and importing the ovpn file into the OpenVPN app on my phone, it connected right away.
Now if I could just get someone to help me translate the ovpn file settings so I could use the settings to connect my router. The router runs a version of Tomato that has a built-in OpenVPN client and server, but I have yet to get it to connect to the Pi because I don't know how to transfer the settings based on the ovpn file created on the Pi.

Betr Magin May 19, 2019 - 1:38 am

I get this error in the OpenVPN client when it tries to connect:
Sat May 18 16:06:08 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 18 16:06:08 2019 TLS Error: TLS handshake failed
Sat May 18 16:06:08 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat May 18 16:06:08 2019 MANAGEMENT: >STATE:1558209968,RECONNECTING,tls-error,,,,,

Paul George June 9, 2019 - 6:18 pm

I have my own PiHole DNS server running. So how do I implement my PiHole as the chosen DNS server?

PiHome September 19, 2019 - 11:20 pm

@Betr Magin
Check that encryption strength is set to 2048 while installing, otherwise you'll have this error. Check your OpenVPN logs and you will have something like:
ovpn-server[1372]: OpenSSL: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small

Pivpn sockss November 11, 2019 - 3:58 am

Remove it from your system as fast as you can. It is a complete bug!!!

Matthew April 7, 2020 - 12:24 am

Thank you for the easy install with PiVPN.

The main issue I am having is that I am not able to access any computers on my local network.
There is no route in any of the config files. I added some (push "routes") but still no access.
Can someone please add an example config file, client and/or server, that has local route options configured?

Thank You in advance.
