Raspberry Pi VPN Router

This is a quick-and-dirty guide to setting up a Raspberry Pi as a "router on a stick" to PrivateInternetAccess VPN.

Requirements

Install Raspbian Jessie (2016-05-27-raspbian-jessie.img) to your Pi's sdcard.

Use the Raspberry Pi Configuration tool or sudo raspi-config to:

  • Expand the root filesystem and reboot
  • Boot to commandline, not to GUI
  • Configure the right keyboard map and timezone
  • Configure the Memory Split to give 16MB (the minimum) to the GPU
  • Consider overclocking to the Medium (900MHz) setting on Pi 1, or High (1000MHz) setting on Pi 2

IP Addressing

My home network is setup as follows:

  • Internet Router: 192.168.1.1
  • Subnet Mask: 255.255.255.0
  • Router gives out DHCP range: 192.168.1.100-200

If your network range is different, that's fine, use your network range instead of mine.

I'm going to give my Raspberry Pi a static IP address of 192.168.1.2 by configuring /etc/network/interfaces like so:

auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 8.8.4.4

You can use WiFi if you like; there are plenty of tutorials around the internet for setting that up, but this should do:

auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet manual

auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
    wpa-ssid "Your SSID"
    wpa-psk  "Your Password"
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 8.8.4.4

You only need one connection into your local network, don't connect both Ethernet and WiFi. I recommend Ethernet if possible.

NTP

Accurate time is important for the VPN's certificate validation to work. If the VPN client's clock is too far off, the VPN server will reject the client.

You shouldn't have to do anything to set this up, the ntp service is installed and enabled by default.

Double-check your Pi is getting the correct time from internet time servers with ntpq -p; you should see at least one peer marked with a +, a * or an o, for example:

$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-0.time.xxxx.com 104.21.137.30    2 u   47   64    3  240.416    0.366   0.239
+node01.jp.xxxxx 226.252.532.9    2 u   39   64    7  241.030   -3.071   0.852
*t.time.xxxx.net 104.1.306.769    2 u   38   64    7  127.126   -2.728   0.514
+node02.jp.xxxxx 250.9.592.830    2 u    8   64   17  241.212   -4.784   1.398

Setup VPN Client

Install the OpenVPN client:

sudo apt-get install openvpn

Download and uncompress the PIA OpenVPN profiles:

wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
sudo apt-get install unzip
unzip openvpn.zip -d openvpn

Copy the PIA OpenVPN certificates and profile to the OpenVPN client:

sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp openvpn/Japan.ovpn /etc/openvpn/Japan.conf

You can use a different VPN endpoint if you like. Note the extension change from ovpn to conf.

Create /etc/openvpn/login containing only your username and password, one per line, for example:

user12345678
MyGreatPassword

Change the permissions on this file so only the root user can read it:

sudo chmod 600 /etc/openvpn/login

Set up OpenVPN to use your stored username and password by editing the config file for the VPN endpoint:

sudo nano /etc/openvpn/Japan.conf

Change the following lines so they go from this:

ca ca.rsa.2048.crt
auth-user-pass
crl-verify crl.rsa.2048.pem

To this:

ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem

Test VPN

At this point you should be able to test the VPN actually works:

sudo openvpn --config /etc/openvpn/Japan.conf

If all is well, you'll see something like:

$ sudo openvpn --config /etc/openvpn/Japan.conf 
Sat Oct 24 12:10:54 2015 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  5 2014
Sat Oct 24 12:10:54 2015 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Sat Oct 24 12:10:54 2015 UDPv4 link local: [undef]
Sat Oct 24 12:10:54 2015 UDPv4 link remote: [AF_INET]123.123.123.123:1194
Sat Oct 24 12:10:54 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Oct 24 12:10:56 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]123.123.123.123:1194
Sat Oct 24 12:10:58 2015 TUN/TAP device tun0 opened
Sat Oct 24 12:10:58 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Oct 24 12:10:58 2015 /sbin/ip link set dev tun0 up mtu 1500
Sat Oct 24 12:10:58 2015 /sbin/ip addr add dev tun0 local 10.10.10.6 peer 10.10.10.5
Sat Oct 24 12:10:59 2015 Initialization Sequence Completed

Exit this with Ctrl+C.

Enable VPN at boot

sudo systemctl enable openvpn@Japan

Setup Routing and NAT

Enable IP Forwarding:

echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Set up NAT from the local LAN down the VPN tunnel:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Make the NAT rules persistent across reboot:

sudo apt-get install iptables-persistent

The installer will ask if you want to save the current rules; select Yes.

If you don't select Yes, that's fine, you can save the rules later with sudo netfilter-persistent save

Make the rules apply at startup:

sudo systemctl enable netfilter-persistent

VPN Kill Switch

This will block outbound traffic from the Pi so that only the VPN and related services are allowed.

Once this is done, the only way the Pi can get to the internet is over the VPN.

This means if the VPN goes down, your traffic will just stop working, rather than end up routing over your regular internet connection where it could become visible.

sudo iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -j DROP

And save so they apply at reboot:

sudo netfilter-persistent save

If you find traffic on your other systems stops, then look on the Pi to see if the VPN is up or not.

You can check the status and logs of the VPN client with:

sudo systemctl status openvpn@Japan
sudo journalctl -u openvpn@Japan
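The comments on this gist show the three values readers most often had to change (the LAN subnet, the interface name, and the OpenVPN port, which is 1198 in the kill-switch rule above but 1194 in the test log), and that the OUTPUT rules only govern the Pi's own traffic: forwarded LAN traffic is decided in the FORWARD chain, which is why Dedo21's extra FORWARD rule is needed for clients to stay blocked when tun0 is down. The script below is an added example, not part of the original gist: it reads proto and port from the OpenVPN profile, builds the NAT and kill-switch rules from LAN_IF and LAN_CIDR, and includes that FORWARD drop. The helper names vpn_endpoint and killswitch_rules, the environment variables, and the embedded sample profile are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original gist. Builds the NAT and
# kill-switch rules from the OpenVPN profile and your LAN settings instead of
# hard-coding 192.168.1.0/24, eth0 and UDP 1198, and adds a FORWARD drop so
# LAN clients cannot fall back to the plain internet link when tun0 is down.
# Run with --print to show the rules, with --apply to install and save them.

LAN_IF="${LAN_IF:-eth0}"                         # LAN-facing interface (wlan0 on WiFi)
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"           # your LAN subnet
VPN_CONF="${VPN_CONF:-/etc/openvpn/Japan.conf}"  # the profile enabled at boot

# Constructed sample profile (placeholder hostname) so the helpers can be
# exercised offline; the real input is the .conf copied into /etc/openvpn.
SAMPLE_CONF='client
dev tun
proto udp
remote vpn.example.net 1198
ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem'

# Read "proto" and "remote <host> <port>" from an OpenVPN profile on stdin and
# print "<proto> <port>", falling back to OpenVPN's defaults (udp, 1194).
vpn_endpoint() {
    awk '
        $1 == "proto"                     { proto = $2 }
        $1 == "remote" && $3 ~ /^[0-9]+$/ { port = $3 }
        END {
            if (proto == "") proto = "udp"
            if (port == "")  port  = 1194
            sub(/[46]$/, "", proto)    # udp4 / udp6 -> udp
            sub(/-.*$/, "", proto)     # tcp-client -> tcp
            print proto, port
        }'
}

# Print the iptables commands in the order they must be applied.
# Arguments: LAN interface, LAN subnet, VPN protocol, VPN port.
# The two "dns" rules exist so the Pi can resolve the VPN server's name before
# tun0 exists; while the tunnel is down the Pi's own lookups therefore still
# leave over the LAN interface, which is the leak some commenters observed.
killswitch_rules() {
    lan_if=$1; lan=$2; proto=$3; port=$4
    cat <<EOF
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o $lan_if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $lan_if -o tun0 -j ACCEPT
iptables -A FORWARD -i $lan_if ! -o tun0 -j DROP
iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
iptables -A OUTPUT -o $lan_if -p icmp -m comment --comment "icmp" -j ACCEPT
iptables -A OUTPUT -d $lan -o $lan_if -m comment --comment "lan" -j ACCEPT
iptables -A OUTPUT -o $lan_if -p $proto --dport $port -m comment --comment "openvpn" -j ACCEPT
iptables -A OUTPUT -o $lan_if -p tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
iptables -A OUTPUT -o $lan_if -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
iptables -A OUTPUT -o $lan_if -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o $lan_if -p tcp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o $lan_if -j DROP
EOF
}

# Print the rules for the configured profile, or apply and persist them.
main() {
    endpoint=$(vpn_endpoint < "$VPN_CONF") || return 1
    set -- "$1" $endpoint            # $2 = proto, $3 = port
    if [ "$1" = "--apply" ]; then
        killswitch_rules "$LAN_IF" "$LAN_CIDR" "$2" "$3" | while read -r cmd; do
            sudo sh -c "$cmd" || exit 1      # abort on the first rule that fails
        done && sudo netfilter-persistent save
    else
        killswitch_rules "$LAN_IF" "$LAN_CIDR" "$2" "$3"
    fi
}

case "${1:-}" in
    --print|--apply) main "$1" ;;
esac
```

Run it with --print first and compare against the rules above; with --apply it installs them with sudo and saves them the same way the guide does.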

Configure Other Systems on the LAN

Now we're ready to tell other systems to send their traffic through the Raspberry Pi.

Configure the other systems' network settings like so:

  • Default Gateway: Pi's static IP address (eg: 192.168.1.2)
  • DNS: Something public like Google DNS (8.8.8.8 and 8.8.4.4)

Don't use your existing internet router (eg: 192.168.1.1) as DNS, or your DNS queries will be visible to your ISP and hence may be visible to organizations who wish to see your internet traffic.

Optional: DNS on the Pi

To ensure all your DNS goes through the VPN, you could install dnsmasq on the Pi to accept DNS requests from the local LAN and forward requests to external DNS servers.

sudo apt-get install dnsmasq

You may now configure the other systems on the LAN to use the Pi (192.168.1.2) as their DNS server as well as their gateway.

harishpillay Oct 24, 2015

Thanks for doing this, Jamie.

vepascal Dec 7, 2015

Hi!
Very nice guide, thanks.
It is working very well!!!
Thanks a lot.

Pay attention at the step:
sudo cp openvpn/Japan.ovpn /etc/openvpn/Japan.conf

danackerson Jan 2, 2016

@vepascal due to the order of this howto, you won't be able to connect to any external servers until you get the VPN started (due to the iptables rules). Just reboot your Pi and then install dnsmasq.

jc1121 Jan 13, 2016

I really appreciate this walkthrough. How do I create the /etc/openvpn/login file?

vormworks Jan 19, 2016

Very nice instructions, worked for me, thank you Jamie

sictona Jan 20, 2016

I find this tutorial the best by far to create a VPN setup on the Raspberry Pi.

I do have one strange thing happen to my setup from time to time though.
My setup is:
fiber 100/100 ISP provider into house - AirPort Extreme as router/dhcp-server/dns (connected to 8.8.8.8/8.8.4.4). 2x Apple TV connected by DHCP and a Raspberry on DHCP but with reserved IP in the range.

This has worked as a charm from the moment I found this tutorial and I don't have any problems switching the Apple TVs from DHCP to manual, pointing them to the Raspberry IP and then accessing the American Netflix, but then sometimes....

At random times the VPN stops working. I haven't found out why and the easiest and most lazy solution has been to just reinstall everything using this tutorial.
Usually this works just fine and everything is back to normal with Apple TV and Netflix.
Sometimes though I get as far as being able to list the content of the American Netflix (I know what titles differ between Sweden and USA), but as soon as I try to play any content I get the pesky Netflix error #139.

So what I am wondering is:
1- What would be the best way of error searching once the VPN stops working altogether?
2- What on earth could create the strange error that makes me browse the content but not play it?

Any takers?

sictona Jan 20, 2016

@jc1121 - Just type sudo nano /etc/openvpn/login and the file will be created by nano. Type your info and then save/exit.

hokidzhao Jan 20, 2016

How to set up the PureVPN client on Raspberry Pi? I saw you used OpenVPN.

sg6 Jan 30, 2016

This is awesome! Thanks for that so much, it was really easy and now even my TV is connected to a VPN network!

MatusP Feb 3, 2016

Hi there

I have been trying for a while now, but as soon as I enable the netfilter at startup (sudo systemctl enable netfilter-persistent), my VPN would not connect.

So I just simply flushed all iptables:
sudo iptables -F

and everything is working just fine.

I do not need the internet to stop if the VPN is down...

AdrianLThomas Feb 4, 2016

Fantastic! Very easy and clear to follow. Worked perfectly for IPVanish! - I may well script this in to something more reusable... 👍

ididna Mar 2, 2016

Short question: would it be possible to use the wired connection for the tunnel and in parallel the wireless one to share this tunnel? I have a Pi 1 and a wireless dongle and by following another tutorial (http://elinux.org/RPI-Wireless-Hotspot) I was able to make it act as a wireless router (it does what it should); unfortunately as soon as I activated the vpn part as described by you above (minus the kill switch, I omitted for the time being this part) the wireless clients can no longer access the Internet. There was an additional error in the vpn setting-up but in the end this part works (so, from the Pi I can browse the Internet via the tunnel). As I'm not an iptables specialist, I don't know exactly what to do to link the wlan0 and the tun0. Would this be necessary, actually? Should this work without other modifications/additions to your tutorial and something went wrong on my side? Thanks in advance.

donovision Mar 11, 2016

This was very nice to follow. The one question I have is does the IP address in the following command need to be specific to my home network or exactly as the command is in the tutorial?

sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT

vepascal Mar 11, 2016

@donovision
Exactly as the command is in the tutorial.

Jordan00Negative Mar 15, 2016

Hello, thank you for the tutorial. When I get to the part of "testing" the VPN, I get a message saying AUTH FAILED. What should I do to correct this problem? Thanks! PS: using a RPi 2.

mgmsfd Apr 2, 2016

Great document. Quick question, I need to also have inbound traffic so I can access my documents from the outside. Do you have a tutorial similar to this one?

markfeldman Apr 4, 2016

I feel REALLY stupid for asking... but the RasPi network capabilities are limited compared to a PC, yes?
My PC's onboard Ethernet adapter reads as 10/100/1000
The specs on my RasPi 2 are 10/100 as in... not gigabit

My question is this: By using a VPN hosted on the RasPi, wouldn't that mean that EVERYTHING would be limited to the 10/100 speed?

pir8s Apr 9, 2016

Thanks for the tutorial, almost everything worked for me except for the VPN kill switch. If I stop the VPN service my real IP gets exposed.
I'm not using eth0 for my connection but wlan0, so I was wondering if all instances of eth0 should be replaced with wlan0 when setting up the iptables rules.
Also, why would someone use:
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
Shouldn't we be using our network-specific address range, e.g. 192.168.3.0/24 in my case?
Thanks for any clarification.

sagarun Apr 11, 2016

When tun0 goes down due to an OpenVPN error, or the RPi is rebooting but tun0 is still not up, it seems to leak. What should the default gateway for the Raspberry Pi be? Should it be itself?

pir8s Apr 12, 2016

The kill switch iptables rules specified here don't work for me! If tun0 goes down or I reboot the RPi, the DNS leaks, as @sagarun said.

donovision Apr 20, 2016

The one issue I have run into is that I can no longer mount a CIFS network share once the iptables rules are in place. Any help would be appreciated. I think I need to add a rule to allow access to the IP address of the NAS so that the CIFS share can be mounted.

JvB94 May 8, 2016

I love your tutorial, it works very well.
But the kill switch is not working...

Can someone post a working kill switch?
I need it very much and can't find a working one on the internet.

Dedo21 May 8, 2016

Maybe you can try adding this rule?
sudo iptables -I FORWARD -i eth0 ! -o tun0 -j DROP
I think this would only protect the clients from leaking the real IP, not the Pi itself(?)

JvB94 May 20, 2016

Works for me, thank you!!!

winedog Jun 3, 2016

One thing that I'm a little confused on. Does this require two network interfaces on the raspberry pi? Or can all of this be performed using the built-in ethernet port on my RPi? My RPi also has a wireless dongle if I need a 2nd interface, in which case do I have the Pi configured to establish the VPN connection through the wifi dongle and then anything connected to the ethernet port is routed through the Pi's VPN connection?

branislav-zlatkovic Jun 4, 2016

Thanks for this great and simple tutorial!
How to force all NTP traffic to the default gateway instead?
My VPN blocks NTP, and it's needed both by the Raspberry server and clients connecting through it.

gomaaz Jun 6, 2016

Only one network device needed.

Kill switch isn't working and still necessary... please give advice on that.

gomaaz Jun 8, 2016

I just started from the beginning and it works now...

Because my VPN connection also needs UDP 443 I just added (didn't see this... I'm not familiar with iptables...):
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 443 -m comment --comment "openvpn2" -j ACCEPT

and the kill switch only works with Dedo21's advice:
sudo iptables -I FORWARD -i eth0 ! -o tun0 -j DROP

BUT after that: clients now don't have access to the home network 192.168.1.0/16
Any solution for that?

This setup on my BananaPi gives 32 Mb/s (4 MB/s) throughput. As I have 64 Mb/s of line speed I'll decide to get one of these ODROID devices.

Cheers.

gregorst3 Jun 9, 2016

Hello guys, I want to run my Raspberry Pi as a router; the first Ethernet port makes the input for the network, for the output what can I use? And for the output, do I have to make a different config in iptables?
Looking for a response, thanks to all!

gomaaz Jun 9, 2016

There is no second Ethernet port. You can have it go through one Ethernet port.

winedog Jun 14, 2016

Is there a way to do this using a PPTP VPN connection instead of OpenVPN? I got this working, but OpenVPN's encryption taxes the Raspberry Pi processing too much and I only get 3-4Mbps throughput. I think if I could do this with a PPTP connection the Pi would be able to handle this better?

Aecasorg Jun 15, 2016

Hi,

I have followed this guide to the letter, however I cannot get it working. I left out the kill switch and DNS part in order not to complicate things. What I am aiming to do is connect a SKY HD box -> Ethernet cable -> Raspberry Pi -> WiFi -> Router. I can get the VPN up and running fine and it is all connected to the internet, however when I connect my laptop via Ethernet cable to the RPi I cannot access the internet. I've even changed the iptables 'eth0' to 'wlan0' to see if that helped. I've set my laptop manually to go to the RPi as Gateway (I use a MacBook Pro and Raspberry Pi 3) but still no access. What am I doing wrong?

Any help on this matter would really be appreciated!

Thanks in advance,
Henrik

jeroenjota Jul 17, 2016

Thanks for the walkthrough.

I changed the iptables rules:
The IP range
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
to 192.168.2.0 as that is my subnet
sudo iptables -A OUTPUT -d 192.168.2.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
And also the port 1194 in
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
to 1198
as that's what my Netherlands.conf file is saying
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
Things seem to be working now ;-)

Tubbs2u Aug 6, 2016

Also here, the above said it should look like this:
ca ca.crt
auth-user-pass
crl-verify crl.pem

However, it looks like this:
ca ca.rsa.2048.crt
auth-user-pass
crl-verify crl.rsa.2048.pem

When I changed it to this:
ca /etc/openvpn/ca.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.pem
I keep getting errors in those lines, which it's asking me to correct... Any help would be welcome, and thanks in advance.

@ghost

This comment has been minimized.

Show comment
Hide comment
@ghost

ghost Aug 6, 2016

Also here, the above said it should look like this:
ca ca.crt
auth-user-pass
crl-verify crl.pem

However, it looks like this:
ca ca.rsa.2048.crt
auth-user-pass
crl-verify crl.rsa.2048.pem

When I changed it to this:
ca /etc/openvpn/ca.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.pem
I keep getting errors on those lines, which it's asking me to correct... Any help would be welcome, and thanks in advance.

Change it to, unless you renamed them:
ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem

Tubbs2u Aug 6, 2016

Thanks for your reply sogseal, however this is what I am getting below: sudo cp openvpn/ca.crt openvpn/crl.pem /etc/openvpn
*Options error: --ca fails with '/etc/openvpn/ca.rsa.2048.crt': No such file or directory
*Options error: --crl-verify fails with '/etc/openvpn/crl.rsa.2048.pem': No such file or directory
*Options error: Please correct these errors.
Use --help for more information.

OK.. I now know why I was getting errors: (sudo cp openvpn/ca.crt openvpn/crl.pem /etc/openvpn) should look like this:
(sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/)

Thanks......Tubbs

ghost Aug 6, 2016

Thanks for your reply sogseal, however this is what I am getting below: sudo nano /etc/openvpn/Japan.conf
*Options error: --ca fails with '/etc/openvpn/ca.rsa.2048.crt': No such file or directory
*Options error: --crl-verify fails with '/etc/openvpn/crl.rsa.2048.pem': No such file or directory
*Options error: Please correct these errors.
Use --help for more information.

Also when I put in this command line: sudo cp openvpn/ca.crt openvpn/crl.pem /etc/openvpn/ ... I am getting the below errors
*cp: cannot stat ‘openvpn/ca.crt’: No such file or directory
*cp: cannot stat ‘openvpn/crl.pem’: No such file or directory

Really don't know what I am doing wrong

Thanks for any help in advance..Tubbs

So, when you downloaded wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
you should have these files:
ca.rsa.2048.crt
crl.rsa.2048.pem
You need to make sure that both of these files, Japan.conf and your login file are in this directory: /etc/openvpn
then

sudo nano /etc/openvpn/Japan.conf and make sure that you have the full path for these 3 lines
ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem

Also FYI, PIA changed their port number to 1198. Hope it works.
I would also edit this:
sudo vim /etc/default/openvpn
Look for the line OPTARGS="" and change it to:
OPTARGS="--auth-nocache"
This should prevent caching the password in memory.

Tubbs2u Aug 7, 2016

Thank you Sogseal... Will have another attempt again today... wish me luck lol, I am new to all this, but eager to learn.

ghost Aug 7, 2016

Thank you Sogseal... Will have another attempt again today... wish me luck lol, I am new to all this, but eager to learn.

Let me know, I'll help with what I can.

Tubbs2u Aug 7, 2016

Done this, however I don't think it's working properly, don't know what I am doing wrong
sudo nano /etc/openvpn/Japan.conf

client
dev tun
proto udp
remote japan.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ

And done this like this:
sudo iptables -A OUTPUT -d 192.168.0.1/24 -o eth0 -m comment --comment "lan" -j ACCEPT
My Raspberry Pi address added above: 192.168.0.5
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
Also added port 1198 in

Test VPN

At this point you should be able to test the VPN actually works:
sudo openvpn --config /etc/openvpn/Japan.conf
When I tested, I got this:
pi@raspberrypi ~ $ sudo openvpn --config /etc/openvpn/Japan.conf
Sun Aug 7 23:30:43 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Sun Aug 7 23:30:43 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Sun Aug 7 23:30:43 2016 UDPv4 link local: [undef]
Sun Aug 7 23:30:43 2016 UDPv4 link remote: [AF_INET]161.202.72.147:1198
Sun Aug 7 23:30:44 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Aug 7 23:30:45 2016 [a256e14cb98c429b76e86d08cc3856ad] Peer Connection Initiated with [AF_INET]161.202.72.147:1198
Sun Aug 7 23:30:48 2016 AUTH: Received control message: AUTH_FAILED
Sun Aug 7 23:30:48 2016 SIGTERM[soft,auth-failure] received, process exiting

Doesn't look as if it's working properly though lol

And done this:
sudo vim /etc/default/openvpn
Look for line OPTARGS="" and change it to:
OPTARGS="--auth-nocache"

ghost Aug 8, 2016

Check your username and password are correct, and did you do sudo chmod 600 /etc/openvpn/login?
This guide is good, there are only a few changes. Make sure you follow exactly the steps above and change this in your Japan.conf:

crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/tmp

and your iptables
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
Here is my ls -alh /etc/openvpn/ output:

total 28K
drwxr-xr-x   2 root root 4.0K Aug  6 20:03 .
drwxr-xr-x 115 root root 4.0K Aug  7 11:54 ..
-rw-r--r--   1 root root 2.0K Aug  6 14:51 ca.rsa.2048.crt
-rw-r--r--   1 root root  869 Aug  6 14:51 crl.rsa.2048.pem
-rw-r--r--   1 root root  422 Aug  6 19:59 East.conf
-rw-------   1 root root   86 Aug  6 14:53 tmp
-rwxr-xr-x   1 root root 1.3K Jan 23  2016 update-resolv-conf

Here is my .conf if it helps you:

client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/tmp
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Tubbs2u Aug 8, 2016

Thanks once again for your time and patience Sogseal... I can get this:

pi@raspberrypi ~ $ ls -alh /etc/openvpn/
total 28K
drwxr-xr-x 2 root root 4.0K Aug 7 14:00 .
drwxr-xr-x 112 root root 4.0K Aug 7 14:49 ..
-rw-r--r-- 1 root root 2.0K Aug 8 22:05 ca.rsa.2048.crt
-rw-r--r-- 1 root root 869 Aug 8 22:05 crl.rsa.2048.pem
-rw-r--r-- 1 root root 422 Aug 8 22:10 Japan.conf
-rw------- 1 root root 15 Aug 7 14:00 login
-rwxr-xr-x 1 root root 1.3K Jan 23 2016 update-resolv-conf

What do I do now to check if the VPN is working m8... trying to get my mobile phone to connect, but it's not doing so, I don't think I am that far away

ghost Aug 8, 2016

Do a quick check by:
curl ipinfo.io/json
If you see your real public IP that's not good... then run this command:
sudo service openvpn status
and look for "Running"; if you see it then you are good to go, if you see "Exited" then you need to troubleshoot.

Tubbs2u Aug 9, 2016

Sogseal, when I write this command: sudo curl ipinfo.io/json
I get this: curl: (7) Failed to connect to ipinfo.io port 80: Connection timed out

And when I run this command: sudo service openvpn status

I got this...
● openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
Active: active (exited) since Tue 2016-08-09 00:17:17 BST; 17h ago
Main PID: 596 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/openvpn.service

Nothing with the word "Running"..., however I see the word "Exited", which means something is wrong somewhere m8, not sure where to go next, other than do a fresh install, have you got any suggestions m8ty.
And thanks once again for your time and effort m8

scoobyd00 Aug 12, 2016

Excellent tutorial. Got my VPN up and working great.

Does anyone know how to write a small bash file to swap locations? I'm currently using the PIA London node but sometimes wish to use one from the Netherlands.
How can I stop the current VPN connection to London and quickly connect to the Netherlands one? (I have copied over the correct ovpn to the correct directory etc.)

scoobyd00 Aug 12, 2016

Managed to figure this one out.
I edited openvpn in /etc/default and selected AUTOSTART="none"
I then created a simple bash script to select different VPNs using
sudo service openvpn@nameofvpn start to select the VPN
and
sudo service openvpn@nameofvpn stop to stop the VPN
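
As an added example, not scoobyd00's script or code from the gist, here is a switcher along the lines described above: it checks the requested name against the .conf files present, stops whichever openvpn@ instance is active, starts the requested one, and waits for tun0. The config directory, the CONF_DIR variable and the sudo/systemctl calls are assumptions about a Raspbian (systemd) install with AUTOSTART="none".

```shell
#!/bin/sh
# vpn-switch.sh: added example, not scoobyd00's script or code from the gist.
# Switches between PIA locations the way described above: AUTOSTART="none" in
# /etc/default/openvpn, then one openvpn@<name> instance started by hand.
# Assumptions: systemd (Raspbian Jessie), configs as CONF_DIR/<name>.conf, sudo.
set -eu

CONF_DIR="${CONF_DIR:-/etc/openvpn}"

# Accept only a plain name (letters, digits, dot, dash, underscore) that exists
# as CONF_DIR/<name>.conf. Anything with a slash, "..", or other characters is
# refused so the unit name built below cannot point outside the directory.
vpn_name_ok() {
    case "$1" in
        ''|*/*|*..*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ -f "$CONF_DIR/$1.conf" ]
}

# Location names available to switch to, one per line, sorted.
vpn_list() {
    for f in "$CONF_DIR"/*.conf; do
        [ -f "$f" ] || continue
        n=${f##*/}
        printf '%s\n' "${n%.conf}"
    done | sort
}

# systemd unit for a location, e.g. "openvpn@Netherlands".
vpn_unit() {
    printf 'openvpn@%s\n' "$1"
}

# Names of the openvpn@ instances currently active (normally none or one).
vpn_active() {
    systemctl list-units --type=service --state=active --no-legend --plain 'openvpn@*' 2>/dev/null \
        | awk '{ sub(/\.service$/, "", $1); sub(/^openvpn@/, "", $1); print $1 }'
}

# Stop the running instance before starting the new one: a second OpenVPN
# started while the first still owns the tunnel routes fails when it tries to
# add routes that already exist ("RTNETLINK answers: File exists").
vpn_switch() {
    target="$1"
    if ! vpn_name_ok "$target"; then
        echo "no such location: $target (available: $(vpn_list | tr '\n' ' '))" >&2
        return 2
    fi
    for cur in $(vpn_active); do
        if [ "$cur" = "$target" ]; then
            echo "already connected via $target"
            return 0
        fi
        echo "stopping $(vpn_unit "$cur")"
        sudo systemctl stop "$(vpn_unit "$cur")"
    done
    echo "starting $(vpn_unit "$target")"
    sudo systemctl start "$(vpn_unit "$target")"
    # With the OUTPUT DROP policy from the gist, LAN clients have no internet
    # until tun0 is back, so wait for it rather than returning blindly.
    i=0
    while [ "$i" -lt 30 ]; do
        if ip link show tun0 >/dev/null 2>&1; then
            echo "tun0 is up"
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "tun0 did not come up; check: sudo systemctl status $(vpn_unit "$target")" >&2
    return 1
}

# Command-line use: vpn-switch.sh list | status | <location>
if [ $# -gt 0 ]; then
    case "$1" in
        list)   vpn_list ;;
        status) vpn_active ;;
        *)      vpn_switch "$1" ;;
    esac
fi
```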

dumpster99 Aug 13, 2016

Great work and thanks for the effort to publish your results. I started with the VPN gateway running on a Raspberry Pi. But for better performance I am actually now running a VirtualBox Debian VM with a similar config. I spent some time to tweak the iptables part of the setup. I created an iptables_vpn.sh file that I can execute to load up the rules. Here is what I am using:

#!/bin/bash

# start fresh

iptables --flush
iptables --delete-chain
iptables -t nat -F

# default drop

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# setup logging chains (logs go to /var/log/messages)

iptables -N LOGGING
iptables -N BADPKT_LOGGING

# loopback ok

iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT

# traffic that is ok by default

iptables -I INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT
iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT

# OPENVPN on port 1198 ok

iptables -A OUTPUT -o eth0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT

# NTP on port 123 ok

iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT

# DHCP ok

iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT

# DNS traffic to bring up tunnel ok

iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT

# allow forwarding if VPN alive

iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT

# NAT the gateway

iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

# All TCP sessions should begin with SYN; drop bad packets

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j BADPKT_LOGGING
iptables -A INPUT -m state --state INVALID -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BADPKT_LOGGING
iptables -A INPUT -f -m comment --comment "Drop FRAGS" -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BADPKT_LOGGING

# Accept inbound VPN initiated traffic

iptables -A INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept outbound into the LAN packets on initiated traffic

iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# setup logging for dropped traffic; must be the last rules

iptables -A INPUT -m comment --comment "LOG and DROP" -j LOGGING
iptables -A OUTPUT -m comment --comment "LOG and DROP" -j LOGGING

# LOGGING chain

iptables -A LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

# LOGGING BADPACKETS chain

iptables -A BADPKT_LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables- BADPACKETS: " --log-level 4
iptables -A BADPKT_LOGGING -j DROP
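
As an added example, not part of the gist or of the script above, the following reads kernel log lines written by the LOGGING and BADPKT_LOGGING chains (prefixes "IPTables-Dropped: " and "IPTables- BADPACKETS: ") and summarises what is being dropped, so you can see whether the kill-switch is catching the gateway's own traffic leaving on eth0. The lines in sample_log are constructed, with 192.0.2.10 standing in for an internet host and 10.8.0.6 for the tunnel address.

```shell
#!/bin/sh
# drops-summary.sh: added example (not from the gist or dumpster99's script).
# Summarises what the LOGGING / BADPKT_LOGGING chains above are dropping. Reads
# kernel log lines on stdin (journalctl -k, or /var/log/messages) and prints one
# line per chain, direction, protocol, destination and port with a count,
# busiest first. IN=/OUT=/SRC=/DST=/PROTO=/DPT= are the standard netfilter LOG
# fields.
set -eu

# Constructed sample of what the two LOG rules write (not captured from a real
# system; 192.0.2.10 stands in for an internet host, 10.8.0.6 for the tun0 side).
sample_log() {
    cat <<'EOF'
Aug 13 10:02:11 vpngw kernel: [  812.401] IPTables-Dropped: IN= OUT=eth0 SRC=192.168.1.2 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5122 DF PROTO=TCP SPT=40331 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 13 10:02:12 vpngw kernel: [  813.405] IPTables-Dropped: IN= OUT=eth0 SRC=192.168.1.2 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5123 DF PROTO=TCP SPT=40331 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 13 10:02:15 vpngw kernel: [  816.110] IPTables-Dropped: IN=tun0 OUT= SRC=203.0.113.9 DST=10.8.0.6 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 13 10:02:20 vpngw kernel: [  821.003] IPTables- BADPACKETS: IN=tun0 OUT= SRC=203.0.113.9 DST=10.8.0.6 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44445 DPT=443 WINDOW=1024 RES=0x00 FIN URGP=0
Aug 13 10:02:21 vpngw kernel: [  822.000] usb 1-1.2: new high-speed USB device number 4 using dwc_otg
EOF
}

# Aggregate matching lines; anything without one of the two prefixes is ignored.
summarise_drops() {
    awk '
        /IPTables-Dropped: / || /IPTables- BADPACKETS: / {
            tag = ($0 ~ /BADPACKETS/) ? "badpkt" : "dropped"
            in_if = ""; out_if = ""; dst = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "IN")         in_if = kv[2]
                else if (kv[1] == "OUT")   out_if = kv[2]
                else if (kv[1] == "DST")   dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dpt = kv[2]
            }
            # Empty IN= means the gateway itself sent the packet (OUTPUT chain);
            # otherwise it arrived on IN= and was refused by the INPUT chain.
            dir = (in_if == "") ? ("out:" out_if) : ("in:" in_if)
            key = tag " " dir " " proto " " dst " " dpt
            count[key]++
        }
        END {
            for (k in count) printf "%6d %s\n", count[k], k
        }
    ' | sort -rn
}
```

Feed it journalctl -k or /var/log/messages: a "dropped out:eth0" line for TCP port 80 or 443 while the tunnel is down is what lies behind the curl timeout reported earlier in this thread, and forwarded LAN traffic never appears here because the FORWARD chain in that script has no LOG rule.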

scoobyd00 Aug 23, 2016

Has anyone tried this on a Raspberry Pi 3?

I'm running it on my Raspberry Pi 2 at the moment, Pi overclocked to maximum, and on my 200mb internet connection I'm getting a throughput of about 23mb via the VPN, sometimes peaking at 27mb.

Does anyone who's using this on a Pi 3 get better performance?
I know OpenVPN takes a hit on speed and it's also affected by CPU, so just wondering if the Pi 3 would gain any better throughput.

dumpster99 Aug 23, 2016

I did try my setup with an RPi2, RPi3 and ODROID C2 before going to my current VirtualBox Debian setup. My downlink speed maxes out at 60Mb/s. I was able to max the link with the ODROID C2 running as the gateway. However the VPN tunnel kept interrupting and not recovering for some unknown reason. I don't remember the exact throughput I got with the RPi3, but it was somewhere between 30-50Mb/s. I did write down some of the openssl speed benchmark numbers, which are not exactly Mb/s but give you some idea of the performance.

Here is the command:
openssl speed -evp AES-128-CBC

This runs a benchmark using openssl which is the main routine for CPU usage in openvpn.

Here is what I got (1024 length):
ASUS RT-AC56 29,202 (my router for comparison)
Rasp Pi 2 21,000
Rasp Pi 3 51,400

scoobyd00 Aug 24, 2016

Thanks for the reply @dumpster99.

It looks like the Pi3 can nearly double the throughput of the PI2.

I'll hold on using my Pi 2 for the time being; I mostly stream HD content through it so it's fine at around 20mb at the moment.
I will need to stream some 4K content in the future and they recommend a min of 25mb, so I will look at upgrading to the Pi 3 or even the Pi 4 if it gets released!

khromov Sep 4, 2016

Getting RTNETLINK answers: File exists error when trying to connect with the openvpn command, here is the log:

Sun Sep  4 06:56:49 2016 TUN/TAP device tun0 opened
Sun Sep  4 06:56:49 2016 TUN/TAP TX queue length set to 100
Sun Sep  4 06:56:49 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Sep  4 06:56:49 2016 /sbin/ip link set dev tun0 up mtu 1500
Sun Sep  4 06:56:49 2016 /sbin/ip addr add dev tun0 10.251.4.68/24 broadcast 10.251.4.255
Sun Sep  4 06:56:49 2016 /sbin/ip route add 155.4.14.28/32 via 192.168.2.1
Sun Sep  4 06:56:49 2016 /sbin/ip route add 0.0.0.0/1 via 10.251.4.1
Sun Sep  4 06:56:49 2016 /sbin/ip route add 128.0.0.0/1 via 10.251.4.1
Sun Sep  4 06:56:49 2016 /sbin/ip route add 155.4.14.28/32 via 192.168.2.1
RTNETLINK answers: File exists
Sun Sep  4 06:56:49 2016 ERROR: Linux route add command failed: external program exited with error status: 2
Sun Sep  4 06:56:49 2016 Initialization Sequence Completed

(Note it's a different VPN provider)

Any ideas? @superjamie ? :)

superjamie (Owner) Sep 19, 2016

@khromov Your VPN provider sends down the route to the internet endpoint (155.4.14.28/32 via 192.168.2.1) twice. It will have no effect, but you can raise it to their tech support if you like.

phenomarc Sep 22, 2016

Is it possible to connect only one PC to the VPN client, and the others to the normal router?

klausberberich Oct 7, 2016

Great instructions, Jamie, thanks a lot! With your help I now have two Wifi networks in my house, one that connects straight to the internet and a second one that connects via the VPN. Depending on what I want to do I can connect my clients to either Wifi.

The setup is:

  • A Wifi router from my internet provider, connected directly to the internet.
  • A Raspberry Pi 3 configured as described here and connected to the Wifi router above via ethernet.
  • A second Wifi router that is connected to the router above via ethernet and uses the Raspberry Pi as default gateway and DNS server.

For a while this setup didn't work until I found that dnsmasq is set to --local-service by default. There are a few workarounds for that, the one that works best for me is to specify the interface for dnsmasq to listen to (eth0 in my case) which will inactivate the --local-service option. See https://techtuts.info/2014/04/dnsmasq-2-69-sudden-timeouts/ for details.

I also had an issue with syslog not providing proper output and instead showing something like

Oct 7 02:03:12 raspberry rsyslogd-2007: action 'action 17' suspended, next retry is Wed Oct 7 02:03:42 2015 [try http://www.rsyslog.com/e/2007 ]

As described here you can fix this by commenting out the last 4 lines of your /etc/rsyslog.conf file like this:

#daemon.*;mail.*;\
#       news.err;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       |/dev/xconsole

mvilrokx Oct 8, 2016

Very cool, works like a charm! I added a rule for my VNC as well:

sudo iptables -I INPUT -m state --state NEW -p tcp -m tcp --dport 5901 -m comment --comment "vnc" -j ACCEPT

fferroni Oct 23, 2016

Hi. Thank you. I added the RPi as the default gateway and now works for IPv4. What do I do to forward also IPv6?

bhatsu Nov 13, 2016

`Create /etc/openvpn/login containing only your username and password, one per line, for example:

user12345678
MyGreatPassword`

Which username and password do we need to enter in /etc/openvpn/login file ?

austinjmorlan Nov 15, 2016

@bhatsunny Those would be the username and password of your Private Internet Access account.

bytemon Nov 27, 2016

OK, followed instructions (I believe). Directly from the client, it seems to work ok - if I go to whatsmyip.org, it reports the proper IP address.

But, try as I may (from a Windows 10 machine on the network), if I set up a static IP with a gateway of the OPENVPN machine, it does not work - it says no connection to the internet. If I use the OPENVPN as the DNS resolver, a ping finds the internet IP address, but cannot access.

Here is my "status" printout:

geoff@rpi-siete:~ $ sudo systemctl -l status openvpn@USWest
● openvpn@USWest.service - OpenVPN connection to USWest
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
   Active: active (running) since Sun 2016-11-27 07:46:15 MST; 6h ago
  Process: 418 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
 Main PID: 484 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@USWest.service
           └─484 /usr/sbin/openvpn --daemon ovpn-USWest --status /run/openvpn/USWest.status 10 --cd /etc/openvpn --config /etc/openvpn/USWest.conf

Nov 27 07:46:15 rpi-siete ovpn-USWest[418]: OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Nov 27 07:46:15 rpi-siete ovpn-USWest[418]: library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Nov 27 07:46:15 rpi-siete ovpn-USWest[418]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: Temporary failure in name resolution
Nov 27 07:46:15 rpi-siete ovpn-USWest[484]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: Temporary failure in name resolution
Nov 27 07:46:15 rpi-siete systemd[1]: Started OpenVPN connection to USWest.
Nov 27 07:46:20 rpi-siete ovpn-USWest[484]: UDPv4 link local: [undef]
Nov 27 07:46:20 rpi-siete ovpn-USWest[484]: UDPv4 link remote: [AF_INET]104.200.151.75:1198
Nov 27 07:46:20 rpi-siete ovpn-USWest[484]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 27 07:46:20 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: TUN/TAP device tun0 opened
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: /sbin/ip link set dev tun0 up mtu 1500
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.38.10.6 peer 10.38.10.5
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: Initialization Sequence Completed
Nov 27 13:00:59 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Inactivity timeout (--ping-restart), restarting
Nov 27 13:00:59 rpi-siete ovpn-USWest[484]: SIGUSR1[soft,ping-restart] received, process restarting
Nov 27 13:01:01 rpi-siete ovpn-USWest[484]: UDPv4 link local: [undef]
Nov 27 13:01:01 rpi-siete ovpn-USWest[484]: UDPv4 link remote: [AF_INET]104.200.151.75:1198
Nov 27 13:01:01 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
Nov 27 13:01:04 rpi-siete ovpn-USWest[484]: Preserving previous TUN/TAP instance: tun0
Nov 27 13:01:04 rpi-siete ovpn-USWest[484]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Nov 27 13:01:04 rpi-siete ovpn-USWest[484]: /sbin/ip addr del dev tun0 local 10.38.10.6 peer 10.38.10.5
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: TUN/TAP device tun0 opened
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: /sbin/ip link set dev tun0 up mtu 1500
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.42.10.6 peer 10.42.10.5
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: Initialization Sequence Completed
Nov 27 13:04:08 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Inactivity timeout (--ping-restart), restarting
Nov 27 13:04:08 rpi-siete ovpn-USWest[484]: SIGUSR1[soft,ping-restart] received, process restarting
Nov 27 13:04:10 rpi-siete ovpn-USWest[484]: UDPv4 link local: [undef]
Nov 27 13:04:10 rpi-siete ovpn-USWest[484]: UDPv4 link remote: [AF_INET]104.200.151.75:1198
Nov 27 13:04:11 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
Nov 27 13:04:13 rpi-siete ovpn-USWest[484]: Preserving previous TUN/TAP instance: tun0
Nov 27 13:04:13 rpi-siete ovpn-USWest[484]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Nov 27 13:04:13 rpi-siete ovpn-USWest[484]: /sbin/ip addr del dev tun0 local 10.42.10.6 peer 10.42.10.5
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: TUN/TAP device tun0 opened
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: /sbin/ip link set dev tun0 up mtu 1500
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.15.10.6 peer 10.15.10.5
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: Initialization Sequence Completed

(Not sure why I'm getting the "RESOLVE" message, but again browsing from the OPENVPN client works)

Perhaps I don't know how to either set up the Windows 10 machine, or how to connect:
For connection, I'm simply using a wired ethernet connection for both the OPENVPN machine and the Windows 10 client.
For the Windows 10 machine, I'm setting up a static ip with the gateway assigned to the OPENVPN machine, and using Google's dns settings.

Where am I going wrong?

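The status output above already shows the pattern: a failed name lookup at startup, a successful retry five seconds later, then periodic ping-restart cycles that each give tun0 a new address. The script below is an added example (not from the gist or the comment) that parses such journal lines and summarises them; the sample lines are copied from the status output above, and the classification rules are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Lines copied from the `systemctl status openvpn@USWest` output above. The
# systemd line is kept on purpose to show how non-openvpn lines are counted.
SAMPLE_LOG = """\
Nov 27 07:46:15 rpi-siete ovpn-USWest[418]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: Temporary failure in name resolution
Nov 27 07:46:15 rpi-siete systemd[1]: Started OpenVPN connection to USWest.
Nov 27 07:46:20 rpi-siete ovpn-USWest[484]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 27 07:46:20 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.38.10.6 peer 10.38.10.5
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: Initialization Sequence Completed
Nov 27 13:00:59 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Inactivity timeout (--ping-restart), restarting
Nov 27 13:01:01 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.42.10.6 peer 10.42.10.5
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: Initialization Sequence Completed
Nov 27 13:04:08 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Inactivity timeout (--ping-restart), restarting
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.15.10.6 peer 10.15.10.5
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: Initialization Sequence Completed
"""

# syslog-style prefix as written by systemd's journal: "Mon DD HH:MM:SS host proc[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>ovpn-[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PEER_RE = re.compile(r"Peer Connection Initiated with \[AF_INET\](\S+)")
TUN_RE = re.compile(r"/sbin/ip addr add dev (\S+) local (\S+) peer (\S+)")


@dataclass
class TunnelSummary:
    resolve_failures: int = 0              # RESOLVE: lines (name lookup failed)
    restarts: int = 0                      # --ping-restart cycles
    completed: int = 0                     # "Initialization Sequence Completed"
    remotes: List[str] = field(default_factory=list)       # distinct endpoints
    tunnel_addrs: List[str] = field(default_factory=list)  # tun0 local address per connect
    warnings: List[str] = field(default_factory=list)      # WARNING: text, prefix stripped
    other_lines: int = 0                   # lines not from the ovpn-* process


def summarize_openvpn_log(text: str) -> TunnelSummary:
    """Walk the journal lines once and count the events that matter."""
    s = TunnelSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            s.other_lines += 1
            continue
        msg = m.group("msg")
        if msg.startswith("RESOLVE:"):
            s.resolve_failures += 1
        elif "Inactivity timeout (--ping-restart)" in msg:
            s.restarts += 1
        elif msg == "Initialization Sequence Completed":
            s.completed += 1
        elif msg.startswith("WARNING:"):
            s.warnings.append(msg[len("WARNING:"):].strip())
        else:
            peer = PEER_RE.search(msg)
            if peer and peer.group(1) not in s.remotes:
                s.remotes.append(peer.group(1))
            tun = TUN_RE.search(msg)
            if tun:
                s.tunnel_addrs.append(tun.group(2))
    return s


def health_findings(s: TunnelSummary) -> List[str]:
    """Turn the counts into the observations an operator would act on."""
    findings: List[str] = []
    if s.resolve_failures and s.completed:
        findings.append(f"{s.resolve_failures} RESOLVE failure(s) at startup; the lookup "
                        "succeeded on retry, so the tunnel still came up")
    if s.restarts:
        findings.append(f"tunnel restarted {s.restarts} time(s) on --ping-restart "
                        "(nothing received from the server within the ping timeout)")
    if len(set(s.tunnel_addrs)) > 1:
        findings.append("tun0 address changed across reconnects: " + " -> ".join(s.tunnel_addrs))
    if any("auth-nocache" in w for w in s.warnings):
        findings.append("credentials are cached in memory; add auth-nocache to the .conf")
    return findings


if __name__ == "__main__":
    for line in health_findings(summarize_openvpn_log(SAMPLE_LOG)):
        print("-", line)
```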

reillychase Dec 20, 2016

It works on my Raspberry Pi 1 B. Thanks!

mdestagnol Dec 30, 2016

I'm trying to find a clean way to enable/disable the traffic to go through the VPN tunnel, without having to change anything on the client side. With the current tutorial, when I stop openvpn the traffic isn't going through anymore (since tun0 isn't used anymore).

I'm not super familiar with iptable configs. Do you know what should I do in order to let the traffic flow through the raspberry pi gateway (when it doesn't go through the VPN)?

DropbearNinja Jan 3, 2017

Hi, thanks for the guide! How do I direct certain traffic to NOT use the VPN?

For example I'd like outbound SMTP traffic to just not use the VPN since SMTP is blocked by my VPN by default (I can request for it to not be blocked, but this is just an example).

I'm assuming some iptables rules are needed?

Thanks,

winedog Jan 16, 2017

Is there any possibility this setup could allow information from ISPs IP address to be leaking through?

Everything is working fine for me, but when I set my windows 10 machine to route through the PI some sites detect that I'm using a proxy/vpn. I've confirmed that my external IP address and routing looks like it is coming out of my VPN servers destination location.

However, if I login to the exact same VPN server that the Pi is configured to connect to with a VPN client from Windows 10 (i.e. Viscosity), I don't get any proxy/vpn detection errors. All I can think is I'm leaking some sort of data that is tripping off the proxy/VPN detection.

EDIT: Further evaluation shows that the problem looks like DNS leaking. And it seems OpenVPN for the PI is really outdated at version 2.3.4. Struggling to figure out how I can upgrade to 2.4.0 OpenVPN on the Pi

winedog Jan 17, 2017

even after getting OpenVPN brought up to 2.4.0 and using the block-outside-dns command in the .conf files or adding this:

script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf

I still can't manage to stop the DNS from leaking. I'm using the DNSMasq option and have my pi

winedog Jan 17, 2017

So I've tried adding the killswitch, which I wasn't using before, and it doesn't work for me. When adding the tables everything works fine until I add the last line at which case clients routing through the pi lose connection.

sudo iptables -A OUTPUT -o eth0 -j DROP

Also, if I hardcode my client DNS to something like an opendns server or google DNS, my DNS leak stops. So maybe it is some problem with DNSMasq allowing the leak as well?

chrish619 Jan 17, 2017

I'm leaving this here for posterity, in case it helps anyone:
Please note: My Raspberry Pi is currently configured purely as a VPN Client / Router, and is not used for browsing:

My iptables rules are as follows:

Chain INPUT (policy ACCEPT 4027K packets, 5310M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 124K packets, 8718K bytes)
 pkts bytes target     prot opt in     out     source               destination
3594K 4391M ACCEPT     all  --  tun0   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
3262K  254M ACCEPT     all  --  eth0   tun0    anywhere             anywhere             /* LAN out to VPN */

Chain OUTPUT (policy ACCEPT 2302K packets, 509M bytes)
 pkts bytes target     prot opt in     out     source               destination

I've not applied any OUTPUT rules, but primarily what worked for forwarding to VPN, and only VPN, was

sudo iptables -P FORWARD DROP

which sets up the default rule for FORWARDing to DROP (unless matched by another rule)

If the vpn connection is down, then no routed clients can connect. But the Raspberry Pi can still connect for updates, browsing, problem solving, etc

Hope this helps.

maartenjd Jan 18, 2017

Excellent guide!

I have been struggling for hours to get it working for PureVPN, until I found out that this provider uses port 80 for openvpn via tcp. So I changed

sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT

into

sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m comment --comment "openvpn" -j ACCEPT

(so tcp instead of udp and port 80 instead of 1198) to enable openvpn to contact the vpn-server.

winedog Jan 20, 2017

I still cannot figure out any way to stop DNS leaking when using DNSMasq with the Pi and setting clients to the Pi's IP address for DNS. I'm using Ironsocket rather than PIA, but don't see how that should make any difference.

ab77 Jan 23, 2017

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1 will re-write any DNS request made by the clients behind the router to the locally running DNS server (e.g. dnsmasq) on the router.

Once the request is there, you can handle it appropriately. No more DNS leaks.

-- ab1

jakky567 Jan 24, 2017

When I got to installing iptables-persistent in the guide, it would show an error that netfilter-persistent was not configured yet.

sivaarja Jan 26, 2017

What is the need to make a VPN server on Raspberry Pi? Can't we install that server and use it on the same PC/laptop? Please help me out of this.

NP726 Feb 9, 2017

@sivaarja this doesn't install a VPN server. This basically turns the pi into a portable router that routes all traffic through a VPN. It assumes you already have a VPN/VPN service to connect to.

Mubbya Feb 10, 2017

Hi,

Thanks for the useful guide. After solving the Jessie static IP issue, I'm now stuck, I think in part due to the presence of a space in the title of the PIA VPN I want to use.

I got as far as

Copy the PIA OpenVPN certificates and profile to the OpenVPN client:
Now if I take the stock code

sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp openvpn/Japan.ovpn /etc/openvpn/Japan.conf

And change it to reflect the name of the server I want to hit, UK Southampton.
sudo cp openvpn/UK Southampton.ovpn /etc/openvpn/UK Southampton.conf

Then I get

cp: cannot stat ‘openvpn/UK’: No such file or directory
cp: cannot stat ‘Southampton.ovpn’: No such file or directory
cp: omitting directory ‘/etc/openvpn/UK’

I get the impression it is because of the spaces. If I try

sudo cp openvpn/UK Southampton.ovpn /etc/openvpn/UK\ Southampton.conf

Then I get

cp: cannot stat ‘openvpn/UK’: No such file or directory
cp: cannot stat ‘Southampton.ovpn’: No such file or directory

Can anyone help me out on this one? I'm fairly new to the terminal and its commands.

Mubbya Feb 11, 2017

No worries: Started from scratch and using the '' command to denote spaces all worked well.

Also had to manually create the vpn conf file before copying the data over from the ovpn file.

Thanks.

lowviz Feb 14, 2017

I have a few questions. How can we stop the DNS leak? How can we connect Android phones as clients? Is it necessary to create the certificates?

colintdf Feb 19, 2017

Is there any way to force OpenVPN to reconnect if it gets disconnected?

limerick11 Feb 21, 2017

Hi all,
When I'm editing the iptables, everything works fine if I don't add the last line (DROP). Once I add it, I have no access to the internet. I assume iptables is blocking access. Does anyone know how to fix this?
Removing the last line connects me to the internet via VPN. I'm connected using my Raspbian Raspberry via Router. I've hardcoded my IP to be 192.168.0.15

sudo iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -j DROP

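One way to see which packet a chain like the one above sends to the final DROP is to walk sample packets through the rules in order, first match wins, the way netfilter does. The script below is an added example (not from the gist or the comment): it parses the posted `iptables -A OUTPUT` lines with a small hand-written subset of the iptables options and reports the first matching rule. The packets are constructed; one thing visible in the posted rules is that the "lan" rule covers 192.168.1.0/24 while the poster's own address is 192.168.0.15, so in the simulation eth0 traffic to a 192.168.0.x host that is not ICMP, not port 53/123/1198, and not an SSH reply reaches the DROP.

```python
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

# The OUTPUT rules exactly as posted in the comment above.
RULES_TEXT = """\
sudo iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -j DROP
"""

Rule = Dict[str, Optional[str]]
Packet = Dict[str, object]

# Options this simulator understands. Anything else beginning with "-" is rejected
# rather than silently ignored, so an unsupported match cannot yield a wrong verdict.
VALUE_FLAGS = {"-o": "out", "-p": "proto", "-d": "dst", "--dport": "dport",
               "--sport": "sport", "-j": "target", "--comment": "comment"}
SKIP_FLAGS = {"-A", "-m"}   # chain name and match-module name carry no match logic here


def parse_rule(line: str) -> Rule:
    """Turn one `iptables -A OUTPUT ...` command into a match dictionary."""
    rule: Rule = {key: None for key in VALUE_FLAGS.values()}
    argv = shlex.split(line)
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_FLAGS:
            rule[VALUE_FLAGS[tok]] = argv[i + 1]
            i += 2
        elif tok in SKIP_FLAGS:
            i += 2
        elif tok.startswith("-"):
            raise ValueError(f"unsupported iptables option: {tok}")
        else:                       # "sudo", "iptables"
            i += 1
    if rule["target"] is None:
        raise ValueError(f"rule has no -j target: {line}")
    return rule


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every match the rule specifies must hold; unspecified matches are wildcards."""
    if rule["out"] and pkt["out"] != rule["out"]:
        return False
    if rule["proto"] and pkt["proto"] != rule["proto"]:
        return False
    if rule["dst"] and ipaddress.ip_address(str(pkt["dst"])) not in ipaddress.ip_network(rule["dst"], strict=False):
        return False
    if rule["dport"] and pkt.get("dport") != int(rule["dport"]):
        return False
    if rule["sport"] and pkt.get("sport") != int(rule["sport"]):
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[str]]:
    """First matching rule wins, as in netfilter; otherwise the chain policy applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"], rule["comment"]
    return policy, "chain policy"


RULES = [parse_rule(line) for line in RULES_TEXT.splitlines()]

# Constructed packets: 192.168.0.x follows the poster's LAN, 203.0.113.10 is a
# documentation address standing in for any internet host.
PACKETS: Dict[str, Packet] = {
    "client traffic via tunnel":   {"out": "tun0", "proto": "tcp", "dst": "203.0.113.10", "dport": 443},
    "openvpn handshake":           {"out": "eth0", "proto": "udp", "dst": "104.200.151.75", "dport": 1198},
    "dnsmasq upstream query":      {"out": "eth0", "proto": "udp", "dst": "192.168.0.1", "dport": 53},
    "dnsmasq reply to client":     {"out": "eth0", "proto": "udp", "dst": "192.168.0.20", "sport": 53, "dport": 40123},
    "ssh reply to admin":          {"out": "eth0", "proto": "tcp", "dst": "192.168.0.20", "sport": 22, "dport": 51000},
    "same reply, 192.168.1.x LAN": {"out": "eth0", "proto": "udp", "dst": "192.168.1.20", "sport": 53, "dport": 40123},
}


def run_all() -> Dict[str, Tuple[str, Optional[str]]]:
    return {name: verdict(RULES, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (target, why) in run_all().items():
        print(f"{name:30s} -> {target} ({why})")
```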

siamak06 Feb 22, 2017

Hi Guys,

I just have one question: I already have my own VPN server set up at home and have the .ovpn file that is working fine under Windows 7.
Where do I copy the .ovpn file on my RasPI to make it act as a client, please? Do I have to rename the .ovpn file to a .conf file as well?

Thanks for guiding me in this, it does my head in. There are many suggestions out there and all are a bit contradictory in a way; just a simple guide would be really appreciated.

Cheers
Siamak

siafix@free.fr

winedog Feb 25, 2017

I have a strange issue that is happening. After using my Pi for 2 months or so the VPN connection starts slowing down unexplainably and rebooting does nothing to resolve it. Fortunately, the last time I rebuilt my VPN router from scratch and had had it working I created an image of the SD card so I can simply reflash the SD card and I'm up and running in minutes. Here is what happens.

I start with my clean installation and I get about 50mbps reliable performance from my VPN provider using the Rpi3 as the router / gateway. Then, inexplicably, about 8 weeks later I will notice that I can't get much more than about 4-10mbps. I can log in to my VPN provider on my Win10 desktop machine and get the normal 50mbps so I know it's not a performance issue with my ISP or my VPN provider. If I reboot the Rpi3 there is no difference. If I then pull the SD card and reflash it with my backup image and then reboot, my performance instantly goes back up to the 50mbps I expect.

So what is happening over time that causes the performance to degrade? Is there some sort of cache / buffer that is filling up that needs purging or cleanup? The Rpi3 is just standard Raspbian with nothing else installed or running on it.

siamak06 Feb 28, 2017

Hi Guys,
I have posted a question earlier but had no answer, so I will elaborate a bit more:
I have configured a RasPi as a Router using this site's tutorial, just the router part:

http://blogs.arcsoftwareconsultancy.com/pi/2013/07/17/georestrictions/?replytocom=2161

I don't have any account but have my own VPN server set up using again one of the tutorials on the Internet and it is working fine under windoze.

I would like to know how to configure my Router above to connect to the VPN server PLEASE.

I am not a professional just a novice trying to do things and learn at the same time

Many thanks

Siamak

siamak06 Mar 1, 2017

Hi Everyone,

I have managed to get this message after having looked at many tutorials:

sudo openvpn --config /etc/openvpn/siamak.conf
Wed Mar 1 11:48:20 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL )] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Wed Mar 1 11:48:20 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Enter Private Key Password: **********
Wed Mar 1 11:48:26 2017 WARNING: this configuration may cache passwords in memo ry -- use the auth-nocache option to prevent this
Wed Mar 1 11:48:26 2017 Control Channel Authentication: tls-auth using INLINE s tatic key file
Wed Mar 1 11:48:26 2017 Attempting to establish TCP connection with [AF_INET]xxx .xxx.xxx.xxx:443 [nonblock]
Wed Mar 1 11:48:27 2017 TCP connection established with [AF_INET]xx.xxx.xxx.xxx :443
Wed Mar 1 11:48:27 2017 TCPv4_CLIENT link local: [undef]
Wed Mar 1 11:48:27 2017 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Wed Mar 1 11:48:28 2017 [server] Peer Connection Initiated with [AF_INET]xxx.xxx .xxx.xxx:443
Wed Mar 1 11:48:30 2017 TUN/TAP device tun0 opened
Wed Mar 1 11:48:30 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Mar 1 11:48:30 2017 /sbin/ip link set dev tun0 up mtu 1500
Wed Mar 1 11:48:30 2017 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0 .255
RTNETLINK answers: File exists
Wed Mar 1 11:48:30 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Any suggestions?

Cheers

Siamak

siamak06 Mar 1, 2017

Hi winedog,

I have read your misfortune, and I think of the following:
a) If you are using the same SD card it may have lived its life, therefore get a new one, and a bigger one if possible;
b) Maybe the SD card gets saturated with temp files, so you can try to use a USB 3 flash key in parallel to the SD card. I am using a 64Gb USB3 and it is very fast.

Good luck.

Samak

rgstephens Mar 6, 2017

I've run into the same issue as @limerick11, when I execute the sudo iptables -A OUTPUT -o eth0 -j DROP command all external connections drop.

henry74 Mar 8, 2017

Has anyone got this working in conjunction with pi-hole to block ads through DNS? pi-hole

It looks like DNS requests made directly on the Pi are being properly screened, but devices which are using the Raspberry Pi as the gateway/DNS are skipping the pi-hole filter. I'm guessing all inbound requests are being funneled through the VPN tunnel (tun0), which is doing the DNS resolution on the VPN server side and thus ignoring the pi-hole. Thoughts and comments appreciated! Thank you!

andrewpmiller Mar 21, 2017

This is a brilliant guide — thank you!

I didn't set up the kill switch (either), and for now I may just send some sort of notification when the VPN status changes. Now, I don't know if this is a valuable tip... or if I'm just showing my fundamental cluelessness, but:

When you copy the PIA certificate and VPN profile, make sure to omit all spaces in the target .conf filename. Remove them, don't escape them. Like this, for example: sudo cp US\ New\ York\ City.ovpn /etc/openvpn/nyc.conf

I can't be the only person who assumed the resulting .conf name had to match... right??? ;-)

skylarmb Mar 26, 2017

This is awesome. Thanks!

ShVerni Apr 3, 2017

This is a great guide! I've written a script to help automate this setup process, as well as adding some features like scripts to swap the endpoint, built-in Monit support for monitoring the VPN connection, and compiling/installing the latest OpenVPN. It's still a very rough draft, but check it out if you're interested:

https://github.com/ShVerni/Raspberry-Pi-VPN-Gateway

lachlan-00 Apr 20, 2017

Hey @superjamie, I've written the steps I took to enable automatic VPN with auto reconnect as another gist. I used your guide but I had to upgrade to Stretch to get network-manager working correctly with PIA.

Following your guide and with the additional steps I can now expect my VPN to remain on and connected, as well as reconnecting when the connection drops, without having to do anything manually.

When the Pi boots it starts a PIA service that will maintain the connection for as long as it's turned on.

https://gist.github.com/lachlan-00/839481c842ad5a11b0963c7ce51b12a2

strudo76 Apr 22, 2017

@limerick11 If your internal network is using 192.168.0.15, you'll need to change the line

from
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT

to
sudo iptables -A OUTPUT -d 192.168.0.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT

to match the rest of your network.

@rgstephens your problem is probably similar. The IP address in that iptables command needs to match your internal network x.x.x.0/24

batman84 May 2, 2017

Just followed all the instructions.
It works and the config is running on the RPi.
But when I check at whatismyipaddress.com the IP has not changed.
It still shows my broadband IP.

BTW, internet just works like normal on my laptop or Android devices (wireless)

internet router ip=192.168.1.1
rpi ip =192.168.1.84 (pihole)

Thu May 4 19:21:56 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 4 19:21:56 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu May 4 19:21:56 2017 UDPv4 link local: [undef]
Thu May 4 19:21:56 2017 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XX:1945
Thu May 4 19:21:57 2017 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XX:1945, sid=c4d1b5a746 ee5g6f36
Thu May 4 19:21:57 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu May 4 19:21:57 2017 VERIFY OK: depth=1, C=SG, ST=SG, L=Singapore, O=White-VPS, OU=Provider, CN=sg0-white-vps, name=White-VPS, emailAddress=info@XXXX.com
Thu May 4 19:21:57 2017 VERIFY OK: depth=0, C=SG, ST=SG, L=Singapore, O=White-VPS, OU=Provider, CN=sg0-white-vps, name=White-VPS, emailAddress=mailto:info@XXX.com
Thu May 4 19:21:57 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 4 19:21:57 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 4 19:21:57 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 4 19:21:57 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 4 19:21:57 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu May 4 19:21:57 2017 [sg0-white-vps] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XX:1945
Thu May 4 19:22:00 2017 SENT CONTROL [sg0-white-vps]: 'PUSH_REQUEST' (status=1)
Thu May 4 19:22:00 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.6.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.10.6.6 10.10.6.5'
Thu May 4 19:22:00 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu May 4 19:22:00 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 4 19:22:00 2017 OPTIONS IMPORT: route options modified
Thu May 4 19:22:00 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu May 4 19:22:00 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=C51:22:eC:6e:03:b3
Thu May 4 19:22:00 2017 TUN/TAP device tun0 opened
Thu May 4 19:22:00 2017 TUN/TAP TX queue length set to 100
Thu May 4 19:22:00 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu May 4 19:22:00 2017 /sbin/ip link set dev tun0 up mtu 1500
Thu May 4 19:22:00 2017 /sbin/ip addr add dev tun0 local 10.10.6.6 peer 10.10.6.5
Thu May 4 19:22:00 2017 /sbin/ip route add XXX.XXX.XXX.XX/32 via 192.168.1.1
Thu May 4 19:22:00 2017 /sbin/ip route add 0.0.0.0/1 via 10.10.6.5
Thu May 4 19:22:00 2017 /sbin/ip route add 128.0.0.0/1 via 10.10.6.5
Thu May 4 19:22:00 2017 /sbin/ip route add 10.10.6.0/24 via 10.10.6.5
Thu May 4 19:22:00 2017 Initialization Sequence Completed

shanempope May 2, 2017

@dumpster99 that bash script is great. Just wondering if you've had to update it any since then. thanks!

Edit: I'm doing the same thing with a Debian CLI VM on a Windows server.

lj1722 May 17, 2017

I got this set up and working ok. The tunnel is up. However, any client that connects to the AP gets no internet. I saw someone else with the same problem but no answer. Any ideas? I'm a Linux noob.

I should add that I'm trying to set this up so it's a VPN service that routes all WiFi traffic out the tunnel over Ethernet.

RDelorier May 18, 2017

Thanks Jamie 🥇

Clpero1 May 31, 2017

Is port forwarding necessary with this setup? If so, how/what rules do I need to add to IPTables? I believe that my ports are being handled properly but I can't confirm with sites like canyouseeme.

cariacou Jun 5, 2017

If I were to point my Router to the PI, I am guessing all the devices connected to my router will then go through the VPN, both for DNS & browsing?

dre3ed Jun 23, 2017

Kill switch does not work.
I tried Jamie's one and also the one someone suggested with the automated script. That did not work either.
I pretty much got the VPN to work and it boots on startup, but the kill switch does not. I really would like to get that working.

Any ideas ?

dre3ed Jun 23, 2017

So I get a DPKG error now.. all messed up :-(
Gonna have to reinstall the whole thing as I am a total noob in Linux

dre3ed Jun 27, 2017

Reinstalled and the VPN part works, boots up at startup (takes around 20 seconds for the VPN to boot)
Kill switch not working. Hope we can get one working soon

lachlan-00 Jul 11, 2017

@dre3ed if you look at the guide I posted in a comment above you can set up an auto reconnect using a script to monitor the connection as a service.

Using the iptables rules that superjamie posted should stop traffic leaving your lan anyway.

The clients can access anything on your lan but the pi is set to force outside traffic through the tunnel.

glockmane Jul 17, 2017

Thanks for the HowTo, got the VPN Gateway up and running with Mullvad VPN but I have a little design question..

I got another Pi with PiHole (Adblocking). There I have set the Mullvad DNS Server as external DNS. For the Clients I changed the LAN Settings for DNS and Gateway in my Internet Router as follows: Gateway -> Pi No. 1 (VPN Gateway); DNS -> Pi No. 2 (PiHole)..

Is this a good practice or should the DNS Traffic go through the VPN? The Mullvad DNS Server is a non logging one.. Thanks and regards!

eledroos Jul 17, 2017

Hi everyone, would this be recommended for use with more than 10 computers? Assuming that network bandwidth is not an issue, which I know it will be even with the RP3, does this setup work well in a larger network?

pastdue Jul 19, 2017

My kill switch - keeping local stuff from leaving outside the tunnel
iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -o eth0 ! -d 192.168.0.0/16 -j REJECT

hombibi Jul 25, 2017

Works perfectly!

SuperJamie thanks very much, for your extremely effective instructions! I combined your script with the firewall by Dumpster99 (thanks very much Dumpster99) as that fw was a bit easier to read for me. The whole thing worked from the start!

As per my setup: my VPN provider uses different ports for OpenVPN, which is the only change I made to Dumpster's firewall.
I further installed dnsmasqd and only added my local dns server to that config file to ensure local hostnames are still resolved.
To complete the setup I have a local dhcp server that assigns the RPI-Openvpnrouter IP address as gateway and dns server, to every device on the network.

Works like a charm, thanks!

pvepamb1 Jul 30, 2017

Hi, I've installed OpenVPN on my Pi using PiVPN. Everything except DNS to resolve local hostnames works. I was just wondering how I'd forward my DNS requests to my router to resolve local hostnames.

I've tried push "dhcp-option DNS 192.168.1.1" [router's ip] .. But that doesn't seem to work. I'd highly appreciate any help!

korruptcow Aug 11, 2017

Great guide! I was trying to get this and pihole running at the same time. Eventually I got it to work. One question: is there a way to monitor the VPN and reconnect if the VPN stalls or times out?

Neilios1337 Aug 22, 2017

Great guide, thanks!

Folks, if you are using Raspbian Stretch, remember to use the new ENX name for your interface in dhcpcd.conf and in the iptables rules. Basically replace anything with eth0 with your ENX id from ifconfig!

Hope this helps anyone who is having trouble using Stretch!

Cheers, Neil

The1nonly1 Aug 29, 2017

Followed this guide apart from VPN at boot and VPN kill switch. When I test the VPN, it will connect fine however if I use the command sudo service openvpn /etc/openvpn/Paris.conf it will ask for a username and password despite me adding my username and password for Purevpn to the login file /etc/openvpn/login and adding this line to my VPN file Paris.conf.

auth-user-pass /etc/openvpn/login

Any ideas?

rsiesta Aug 29, 2017

For the VPN lockdown I had to add iptables -A FORWARD -i eth0 -o eth0 -j DROP or when the tunnel was down it would just forward them out the default gateway.
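The leak rsiesta describes, written out as a complete FORWARD-chain lock-down. This is an added example and not code from the gist or from rsiesta; it assumes the LAN-facing interface is eth0 and the OpenVPN tunnel is tun0 (both passed as arguments, since on Raspbian Stretch the LAN interface may be named enx... instead), and the `VPN-LEAK-BLOCKED` log prefix is a constructed label.

```shell
#!/bin/sh
# Added example (not from the gist or its commenters): a VPN lock-down
# ("kill switch") for the FORWARD chain of a router-on-a-stick Pi.
# Assumed interface names: eth0 facing the LAN clients, tun0 for OpenVPN.
#
# Why the eth0 -> eth0 DROP matters: a client's packets arrive on eth0 and,
# while tun0 is up, match the eth0 -> tun0 ACCEPT. When the tunnel drops, the
# routes via tun0 disappear, the Pi's ordinary default route via eth0 takes
# over, and the same packets would be forwarded eth0 -> eth0 to the home
# router, unencrypted. The explicit DROP (with a rate-limited LOG in front so
# leak attempts show up in the kernel log) closes that path even on a FORWARD
# chain whose policy is ACCEPT.

# Print the iptables commands for the given LAN and tunnel interface names.
vpn_lockdown_rules() {
    lan_if="$1"
    vpn_if="$2"
    cat <<EOF
iptables -A FORWARD -i $lan_if -o $vpn_if -j ACCEPT
iptables -A FORWARD -i $vpn_if -o $lan_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $lan_if -o $lan_if -m limit --limit 5/min -j LOG --log-prefix "VPN-LEAK-BLOCKED: " --log-level 4
iptables -A FORWARD -i $lan_if -o $lan_if -j DROP
iptables -t nat -A POSTROUTING -o $vpn_if -j MASQUERADE
EOF
}

# Read an `iptables -S FORWARD` listing on stdin and succeed only if the
# lock-down DROP for the LAN interface is present. Handy after a reboot or
# from cron to confirm the rules were actually restored.
vpn_lockdown_present() {
    lan_if="$1"
    grep -q -- "-A FORWARD -i $lan_if -o $lan_if -j DROP"
}

# Usage: sh vpn-lockdown.sh show [lan_if] [vpn_if]    print the rules
#        sudo sh vpn-lockdown.sh apply [lan_if] [vpn_if]
#        sudo sh vpn-lockdown.sh check [lan_if]
case "$1" in
    show)  vpn_lockdown_rules "${2:-eth0}" "${3:-tun0}" ;;
    apply) vpn_lockdown_rules "${2:-eth0}" "${3:-tun0}" | sh -e ;;
    check) if iptables -S FORWARD | vpn_lockdown_present "${2:-eth0}"; then
               echo "lock-down rule present"
           else
               echo "lock-down rule MISSING" >&2
               exit 1
           fi ;;
esac
```

Two caveats. If any LAN client is meant to bypass the tunnel and go straight out eth0, its ACCEPT rule has to sit above the DROP, because iptables stops at the first match. And rules added with `-A` live only in memory: save them (iptables-save to a file restored at boot, or the method the gist uses) and run the `check` mode after a reboot, otherwise the lock-down silently disappears with the next power cycle. Setting the chain policy to DROP as well (`iptables -P FORWARD DROP`) makes the lock-down hold even if the explicit rule is lost.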

dario-hd Sep 12, 2017

Cool, it seems very promising. I have a similar setup, but the Raspberry Pi is not used by other systems on the LAN. I was looking for something like this. 👍

spants Oct 4, 2017

I have a different use case - selective routing based on ports, not IP addresses.
I would like to send all traffic to eth0 except for Port 12345 which should go through the vpn.

Has anyone modified the script to do this?

smcpeck Nov 4, 2017

This is a great little guide that got my gateway/VPN setup almost a year ago.

As sometimes a VPN server can be a bit slow during peak hours, I've created a complementary script that cycles through different servers and selects the fastest one.

I thought I'd share it for anyone else out there looking for something similar.
https://gist.github.com/smcpeck/d89c730f7b1a0bc4acdcbf9d1a86d187

p-kos Nov 9, 2017

Great tutorial, it works for me!!!!

dhavalsavalia Nov 11, 2017

I have a new Raspberry Pi 3 Model B with built-in WiFi. Now I want to use the built-in WiFi to connect to any WiFi network, i.e. a hotspot, and route all VPN-encrypted data through Ethernet.
How do I achieve that?

pierre35000 Dec 17, 2017

Hello

I tried to change network config in etc/

Access denied... I don't have the permission.

SinistrCyborg Dec 29, 2017

I have to pay for an account at PrivateInternetAccess.com in order for this to work, right?

mckenziec Jan 4, 2018

Super helpful but I don't think you can add openvpn as a start up service as you've described. After adding the service "sudo systemctl enable openvpn" I get the following when starting the service:

$ sudo systemctl status -l openvpn@working
* openvpn@working.service - OpenVPN connection to working
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
   Active: failed (Result: exit-code) since Thu 2018-01-04 21:51:03 UTC; 2min 31s ago
  Process: 23090 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=1/FAILURE)

Jan 04 21:51:03 pihole systemd[1]: openvpn@working.service: control process exited, code=exited status=1
Jan 04 21:51:03 pihole systemd[1]: Failed to start OpenVPN connection to working.
Jan 04 21:51:03 pihole systemd[1]: Unit openvpn@working.service entered failed state.

I switched my /etc/openvpn/working.config and login permissions to 777 just to be sure it's not a permission issue.

When I run openvpn manually with just --config it works fine. Is anyone else having this problem?

Here's a more complete journalctl -xe output from the systemctl start attempt. Note that USER is root, so it shouldn't have any file permission issues. Also, it's complaining about opening the configuration file /etc/openvpn/working.conf, which is clearly (to me) there and works fine with a manual test.

Jan 04 21:51:03 pihole sudo[23084]: pi : TTY=pts/0 ; PWD=/etc/openvpn ; USER=root ; COMMAND=/bin/systemctl start openvpn@working
Jan 04 21:51:03 pihole sudo[23084]: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Jan 04 21:51:03 pihole systemd[1]: Starting OpenVPN connection to working...
-- Subject: Unit openvpn@working.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit openvpn@working.service has begun starting up.
Jan 04 21:51:03 pihole ovpn-working[23090]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/working.conf
Jan 04 21:51:03 pihole ovpn-working[23090]: Use --help for more information.
Jan 04 21:51:03 pihole systemd[1]: openvpn@working.service: control process exited, code=exited status=1
Jan 04 21:51:03 pihole systemd[1]: Failed to start OpenVPN connection to working.
-- Subject: Unit openvpn@working.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit openvpn@working.service has failed.
-- 
-- The result is failed.
Jan 04 21:51:03 pihole systemd[1]: Unit openvpn@working.service entered failed state.

mckenziec Jan 4, 2018

Ah, got it. My mistake! My config should be named .conf, not .config. I'll leave my posts up in case someone else makes the same blunder.
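A pre-flight check that catches both of the traps in this thread before `systemctl enable openvpn@NAME` is run: mckenziec's `.config` versus `.conf` naming, and The1nonly1's `auth-user-pass` file not being picked up. This is an added example and not code from the gist or from either commenter. It mirrors what the unit's ExecStart line quoted in the status output above does (`--cd /etc/openvpn --config /etc/openvpn/%i.conf`): the instance name must match a file with exactly the `.conf` suffix, and a relative `auth-user-pass` path is resolved against /etc/openvpn. The directory is a parameter so the check can be exercised on a copy; the file and instance names used in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the gist or its commenters): sanity-check an OpenVPN
# systemd instance openvpn@NAME against what the openvpn@.service template
# actually runs: --cd DIR --config DIR/NAME.conf (DIR is /etc/openvpn).
#
# Return codes: 0 ok, 1 config file missing, 2 auth-user-pass file missing,
# 3 auth-user-pass file readable by other users.

check_openvpn_instance() {
    dir="$1"     # normally /etc/openvpn; a parameter so it can be tested on a copy
    name="$2"    # the NAME in openvpn@NAME
    conf="$dir/$name.conf"

    if [ ! -f "$conf" ]; then
        echo "openvpn@$name: $conf not found (that is the path the unit passes to --config)" >&2
        # the usual mistake: the file exists under a different suffix
        for alt in "$dir/$name.config" "$dir/$name.ovpn"; do
            [ -f "$alt" ] && echo "  found $alt instead; rename it to $conf" >&2
        done
        return 1
    fi

    # First 'auth-user-pass FILE' directive, if any. A bare 'auth-user-pass'
    # makes OpenVPN ask interactively, which a service has no terminal for.
    auth=$(awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$conf")
    if [ -z "$auth" ]; then
        if grep -q '^auth-user-pass[[:space:]]*$' "$conf"; then
            echo "openvpn@$name: auth-user-pass has no file argument; give it a credentials file" >&2
        fi
        return 0
    fi
    case "$auth" in
        /*) ;;                    # absolute path, used as-is
        *)  auth="$dir/$auth" ;;  # relative path: resolved against --cd
    esac
    if [ ! -f "$auth" ]; then
        echo "openvpn@$name: credentials file $auth not found" >&2
        return 2
    fi

    # The file holds the VPN username and password, so it must not be readable
    # by other users. chmod 777 "to rule out permissions" is the wrong fix; the
    # service runs as root and 600 is enough.
    mode=$(stat -c %a "$auth" 2>/dev/null || stat -f %Lp "$auth")
    case "$mode" in
        *[4567])
            echo "openvpn@$name: $auth is readable by everyone (mode $mode); run: chmod 600 $auth" >&2
            return 3 ;;
    esac
    return 0
}

# Usage: sh check-openvpn-instance.sh NAME            (checks /etc/openvpn)
#        sh check-openvpn-instance.sh DIR NAME
if [ "$#" -ge 2 ]; then
    check_openvpn_instance "$1" "$2"
elif [ "$#" -eq 1 ]; then
    check_openvpn_instance /etc/openvpn "$1"
fi
```

Run it as the same user you will run `systemctl enable` as; a non-zero exit with the message on stderr tells you which of the three things to fix before the unit is started, which is quicker than reading it back out of `journalctl -xe` afterwards.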

Kofoedsan Feb 6, 2018

Hi.
I'm very new to Linux and Raspberry Pi in particular; I've done all the steps and the initial VPN test worked fine.
However, after rebooting my network adapter is "missing", as well as the Ethernet.

I plugged a monitor into the Pi and it's just a red line and 2 smaller crosses on top of the internet icon.
Any advice on where to go from here?
Raspberry PI 3 model b
OS: Raspbian stretch with desktop

Thanks in advance!

Anjerlaan Feb 9, 2018

What if my VPN provider provides .ovpn files with the .pem and .crt included? Can I skip those steps?

kendalja Feb 12, 2018

I know this sounds goofy but I currently use my DD-WRT router for my VPN connection. I thought I would give this a try as I'm only seeing 30Mbps through the router when connected to the VPN. I configured my Pi but how do I add it to the main router so that all my other devices connect to the VPN?

MoonshineSG Feb 14, 2018

Managed to get this working quite easily. Great explanation.

Only one thing didn't work as I wanted... I have an additional network card connected to the RPi (over USB) and I was thinking of having the VPN connection over one and the client(s) over the second one.

Firstly, no matter how I changed the routing rules it didn't work.

Secondly, does this actually make sense? Would it make any difference in terms of throughput?

In any case, this gist helped tons!!!! many, many thanks!

Using this I managed to get my Apple TV to access restricted content (UK BBC iPlayer) which previously was only working as AirPlay from another device. See https://github.com/MoonshineSG/vpn.tv for a short "how to".

JISHNU4 Mar 7, 2018

Hi,
I am new in this field and now I am trying to install a VPN client on my Raspberry Pi. I installed OpenVPN and when I tested my VPN it is showing AUTH_FAILED:

udo openvpn --config /etc/openvpn/Japan.conf
Wed Mar 7 18:37:42 2018 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Wed Mar 7 18:37:42 2018 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Wed Mar 7 18:37:42 2018 UDPv4 link local: [undef]
Wed Mar 7 18:37:42 2018 UDPv4 link remote: [AF_INET]103.208.220.132:1198
Wed Mar 7 18:37:42 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Mar 7 18:37:43 2018 [da65d2c93480811cbd4d09100a739c58] Peer Connection Initiated with [AF_INET]103.208.220.132:1198
Wed Mar 7 18:37:45 2018 AUTH: Received control message: AUTH_FAILED
Wed Mar 7 18:37:45 2018 SIGTERM[soft,auth-failure] received, process exiting

Why is it coming out like this?
Can anyone help me?

rickylford May 12, 2018

I have created a script that goes hand-in-hand with this write-up. You can check it out at https://github.com/rickylford/check-vpn-speeds

My script will basically allow you to check all of the OpenVPN .conf files to see which one has the fastest download speed, and then connect to the fastest one when it has finished running. I run it as a cron every morning at 4am to automatically select the best server.

kenpachizrk Jun 28, 2018

Thank you dude! You're the best!
