This is something I have been using for a while now, so I thought I would show you the entire process. This is a tutorial for setting up a Raspberry Pi VPN router.
Requirements for Raspberry Pi VPN Router
Raspberry Pi 3 (available from Amazon or Ebay)
Private Internet Access subscription: https://goo.gl/StVNEU
Install Raspbian Pixel to your Pi's SD card. Use the Raspberry Pi Configuration tool or
sudo raspi-config
to:
- Boot to console
- Configure the right keyboard map and timezone
- Configure the Memory Split to give 16 MB (the minimum) to the GPU
Static IP Address
Give the Pi a fixed address so that LAN clients can use it as their gateway. Edit /etc/network/interfaces like so:
auto lo
iface lo inet loopback
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 8.8.8.8 8.8.4.4
Setup VPN Client
Install the OpenVPN client:
sudo apt-get install openvpn
Download and uncompress the PIA OpenVPN profiles:
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip -d openvpn
Copy the profile and certificates to the OpenVPN folder (the profile name contains spaces, so quote it):
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp "openvpn/US New York.ovpn" /etc/openvpn/US.conf
Notice that the extension has changed from .ovpn to .conf. Next, create a login file holding your PIA username and password:
sudo nano /etc/openvpn/login
Put your username on the first line and your password on the second:
username1234
password1234
Now we need to change the config file so that it points to the correct file locations:
sudo nano /etc/openvpn/US.conf
Change the following lines from this:
auth-user-pass
ca ca.rsa.2048.crt
crl-verify crl.rsa.2048.pem
to:
auth-user-pass /etc/openvpn/login
ca /etc/openvpn/ca.rsa.2048.crt
crl-verify /etc/openvpn/crl.rsa.2048.pem
Remember to reboot.
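The profile edits above, as an added example that is not part of the guide: a small script that performs the same path rewrite for any PIA profile (so the France.ovpn case from the comments works the same way) and checks that the login file, which holds the PIA password in clear text, is readable only by root. The sample profile and the us-east.example host are constructed placeholders; CONF_DIR defaults to the guide's /etc/openvpn.

```shell
#!/bin/sh
# Turn a PIA .ovpn profile into the /etc/openvpn/<name>.conf the guide builds
# by hand: the three directives that name files get absolute paths, so the
# openvpn@<name> unit finds them whatever its working directory. Reads the
# profile on stdin and writes the converted config on stdout.
CONF_DIR=${CONF_DIR:-/etc/openvpn}
convert_profile() {
    tr -d '\r' | sed \
        -e "s|^auth-user-pass[[:space:]]*$|auth-user-pass $CONF_DIR/login|" \
        -e "s|^ca[[:space:]]\{1,\}\([^/[:space:]][^[:space:]]*\)|ca $CONF_DIR/\1|" \
        -e "s|^crl-verify[[:space:]]\{1,\}\([^/[:space:]][^[:space:]]*\)|crl-verify $CONF_DIR/\1|"
}

# The login file holds the PIA password in clear text, so it must be readable
# by root only (chmod 600). Returns 0 when the mode is acceptable.
login_file_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) echo "$1 has mode '$mode'; run: sudo chmod 600 $1" >&2; return 1 ;;
    esac
}

# Constructed sample profile containing the three directives the guide edits
# (a real PIA profile has more lines; the remote host here is a placeholder).
SAMPLE_PROFILE='client
dev tun
proto udp
remote us-east.example 1198
auth-user-pass
ca ca.rsa.2048.crt
crl-verify crl.rsa.2048.pem
verb 1'

# Stand-alone demo. On the Pi the real invocation would be:
#   convert_profile < "openvpn/US New York.ovpn" | sudo tee /etc/openvpn/US.conf
printf '%s\n' "$SAMPLE_PROFILE" | convert_profile
[ -f "$CONF_DIR/login" ] && login_file_private "$CONF_DIR/login" || true
```

Directives that already carry an absolute path are left untouched, so the script can be run again safely over an already converted file.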
Testing the VPN
Before moving on to forwarding traffic, let's test the connection:
sudo openvpn --config /etc/openvpn/US.conf
To exit, press Ctrl + C.
Enable VPN at boot
sudo systemctl enable openvpn@US
Setup Forwarding and IPTables (routes)
To enable forwarding, edit
sudo nano /etc/sysctl.conf
and uncomment the following line (remove the leading #) to allow forwarding:
net.ipv4.ip_forward = 1
Apply the new setting without rebooting by typing this command:
sudo sysctl -p
IPTables: it is best to just copy and paste these into your SSH session. If you want to know more details about these rules, check out the video.
sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -I INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT
sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
Let's make sure the rules persist across reboots:
sudo apt-get install iptables-persistent
The installer will ask whether to save the current rules; select Yes. Later, if you have new rules you want to keep, run
sudo netfilter-persistent save
Now let's make this apply at startup:
sudo systemctl enable netfilter-persistent
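A check for the rule set above, as an added example that is not from the guide or the video: it audits an iptables-save dump and reports whether LAN traffic fails closed when the tunnel goes down, which the rules as listed do not guarantee because the FORWARD chain's policy is never set to DROP. The two dumps are constructed to mirror the guide's FORWARD and NAT rules; the recommended fix is sudo iptables -P FORWARD DROP followed by sudo netfilter-persistent save.

```shell
#!/bin/sh
# Audit an iptables-save dump for a fail-closed VPN router: LAN packets may
# only be forwarded into tun+, never straight back out of eth0 when the
# tunnel is down. Reads the dump on stdin, prints each finding and returns
# 0 when the ruleset fails closed, 1 otherwise.
audit_forward() {
    dump=$(cat)
    rc=0
    # 1. Appending rules with -A leaves the kernel's default FORWARD policy
    #    (ACCEPT) in place, so with no tun0 a LAN packet simply exits eth0.
    printf '%s\n' "$dump" | grep -q '^:FORWARD DROP' \
        || { echo "FORWARD policy is not DROP: LAN traffic leaks via eth0 if the VPN drops"; rc=1; }
    # 2. No explicit rule may forward LAN traffic back out of eth0 either.
    printf '%s\n' "$dump" | grep -q -e '-A FORWARD .*-i eth0 -o eth0 .*-j ACCEPT' \
        && { echo "a rule forwards eth0 -> eth0, bypassing the tunnel"; rc=1; }
    # 3. The LAN -> tunnel path and the NAT on tun+ from the guide must exist.
    printf '%s\n' "$dump" | grep -q -e '-A FORWARD -i eth0 -o tun+ .*-j ACCEPT' \
        || { echo "missing FORWARD eth0 -> tun+ ACCEPT rule"; rc=1; }
    printf '%s\n' "$dump" | grep -q -e '-A POSTROUTING -o tun+ -j MASQUERADE' \
        || { echo "missing MASQUERADE on tun+"; rc=1; }
    return $rc
}

# Constructed sample: the guide's FORWARD and NAT rules as iptables-save
# renders them (INPUT/OUTPUT rules omitted for brevity).
PAGE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT'
# The same ruleset after "sudo iptables -P FORWARD DROP" (followed by
# "sudo netfilter-persistent save" so the policy survives a reboot).
HARDENED_RULES=$(printf '%s\n' "$PAGE_RULES" | sed 's/^:FORWARD ACCEPT/:FORWARD DROP/')

# Stand-alone demo; on the Pi itself run: sudo iptables-save | audit_forward
for name in PAGE_RULES HARDENED_RULES; do
    eval "rules=\$$name"
    printf '%s\n' "$rules" | audit_forward && echo "$name: fails closed" || echo "$name: does NOT fail closed"
done
```

With the DROP policy in place the established-traffic rule (tun+ to eth0) still lets replies back to the LAN, so normal browsing is unaffected while the tunnel is up.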
Almost done! At this point you can point your computer's gateway to your Raspberry Pi's IP address. Now you have a fully functional Raspberry Pi VPN router. Check the video for more info. -Don
Comments (62)
Great guide. Got a bit stuck: when copying openvpn newyork it says there is no file /etc/openvpn/
I don't think it has created that folder when it unzipped?
-- Found solution: there is a typo in the code. \New \york\.ovpn -- remove this last backslash as there is no space between york.ovpn
It is always a good idea to eliminate blank spaces from your directory and file names so that the use of "\ " doesn't make a huge mess of things. It can get really ugly in config files and scripts.
Hi Don, great guide!!
I'm trying to do the same thing but with a headless Pi through SSH, and I use VNC as well. After typing the iptables rules I lose the connection. What is the iptables rule that I need to define in this case for SSH and VNC?
Thanks so much and keep going with this amazing work!!!
Hi Don, great guide! Same here. I lose connection each time I type this iptable rule:
sudo iptables -P OUTPUT DROP
I am using ssh and VNC with a headless PI. Is this the reason?
You lose the connection because you are not allowing any outgoing traffic on the Pi. You would need to set up rules to allow established traffic out. Something like
sudo iptables -A OUTPUT -p tcp -m state --state ESTABLISHED -m comment --comment outgoing-established -j ACCEPT
Hi Don, one further query:
When I check if VPN is working (sudo openvpn --config /etc/openvpn/US.conf), it shows everything is fine.
However, when I change gateway in my computer to point to my PI Router, I have Internet connection but my IP address is not changing. It stays the same.
I am using the France.ovpn file, which I changed to France.conf. To enable VPN at boot, would this be OK:
sudo systemctl enable openvpn@France
or should it be:
sudo systemctl enable openvpn@France.conf
Many thanks!
openvpn@France.service
I know it's an old post, but maybe it will help someone! (I had a similar issue and solved it that way.)
Hi Don,
I am still not able to get to the Internet through my Raspberry PIA router.
If I start the VPN service in my raspberry PI through a VNC connection, I successfully change my IP address and all traffic goes through my VPN. However, computers connected to the Raspberry gateway address do not get internet connection.
Looks like the issue is with the IP Tables or the rules in the aforesaid Tables.
Any ideas?
Many thanks!
Hey, I've got an issue.
sudo openvpn --config India.conf
When I try the above command I get this error message. What do I do?
Wed Jun 28 15:24:58 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Wed Jun 28 15:24:58 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Enter Auth Username: ************
Enter Auth Password: ************
Wed Jun 28 15:25:10 2017 UDPv4 link local: [undef]
Wed Jun 28 15:25:10 2017 UDPv4 link remote: [AF_INET]138.128.180.122:1198
Wed Jun 28 15:25:11 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jun 28 15:25:14 2017 [477b1af7610251c72dd1748718b8634f] Peer Connection Initiated with [AF_INET]138.128.180.122:1198
Wed Jun 28 15:25:17 2017 AUTH: Received control message: AUTH_FAILED
Wed Jun 28 15:25:17 2017 SIGTERM[soft,auth-failure] received, process exiting
Hello, I have the same problem ...... Can anyone help, please!
Same, I don't know what to do.
I had the same issue. You need to use your PPTP/L2TP/SOCKS Username and Password, not your normal PIA username/password. You can find it on your "Client Control Panel" when you log in to PIA on their website. https://www.privateinternetaccess.com/pages/client-control-panel
What is your opinion on doing it this way versus making a DD-WRT box with OpenVPN?
Thank you for doing this. I find it very useful.
Terrific guide. I was using AirVPN initially so config was slightly different but easy to implement.
As AirVPN subscription is expiring this week, I have switched to PIA based on your recommendation.
Service is fine and appears ever so slightly faster. I am in central Texas and both have servers in the Dallas area, so a good comparison.
Thanks for the guide. I'm curious to know how the RPi 3 handles the OpenVPN overhead with 5+ devices using the VPN simultaneously. Is the internet speed adversely affected, or can the RPi 3 processor keep up?
Hey Don, great stuff as always.
Would be awesome if you could do a tutorial on how to setup a VPN hotspot using a combination of the Raspberry Pi 3's on-board wifi and ethernet port. I've seen a few tutorials touching on this elsewhere but they're not very newbie friendly like yours, and they also fail to include a killswitch, DNS leak protection, reconnection/persistence after reboot etc.
Being able to just plug the Pi into my router's ethernet port and within seconds having a dedicated VPN hotspot ready to go would be awesome.
what's the link? i would like to see that tutorial.