Setting Up OpenVPN on a Raspberry Pi 2 (Part 1/2 Updated!)

Connect to a public WiFi network every day? Don’t let hackers get in your way.

Many people who work on the go have to connect to public WiFi networks every day, but did you know that even amateur hackers can see everything you do online with simple, freely available tools like packet sniffers? Luckily, you can easily mitigate these threats by setting up a VPN server at your own home or workplace.

A brief note: This post was originally written by myself on OffTheGrid.io. Some portions may have been updated.

Update (5/20/2016): This post has been updated to use the latest version of Raspbian available at the moment, the May 2016 version which can be downloaded here. Commands and files have been updated for the latest compatibility.

What can a VPN do?

Good question! Basically, a VPN acts as a secure tunnel to the network the server is on. This will make your computer think it’s actually on your home network, even when you may be miles away! All network traffic is encrypted and sent to and from the VPN server, stopping would-be hackers in their tracks. During this process we’ll be setting up our own personal VPN. This tutorial is fairly long, but don’t worry if you don’t understand all of it: we’ve laid out all the commands you’ll need, so feel free to just copy/paste them all. The entire process should only take about 30-45 minutes.

What do I need?

Glad to hear you want to make your connections more secure. Here’s what you’ll need:

  • A Raspberry Pi 2. These cost about $35 from Amazon.
  • A case for your Pi. While not strictly required, these will protect your device from dangers such as short circuiting, which could permanently damage your device. You could get one like this or even just fold one out of cardboard.
  • An SD card, 8 GB or bigger. These can be picked up cheap from retailers like Amazon these days. You could even get an SD card with Noobs preinstalled, so you don’t have to follow the next requirement:
  • Noobs or Raspbian installed on the SD card. This is a simple process: all it does is install the operating system (Linux) on your Pi, allowing programs like OpenVPN to run.
  • A Cat5e Ethernet cable. This connects your Raspberry Pi to the internet; plug it into your router.
  • An HDMI cord, keyboard, and monitor. These are only for the initial setup and won’t need to be plugged in full-time, so feel free to borrow them from another device for a bit.
  • UDP port 1194 forwarded to your Pi’s IP address in your router settings. This process is different for every router; try Googling “[Your router model] port forwarding”.

Connecting to your Raspberry Pi with SSH

We’re going to assume you already have Raspbian (or Noobs) installed and running on your Pi. If you don’t, follow this tutorial.

Firstly, we’ll have to set up a static IP address on your Raspberry Pi. ReadWrite has a simple tutorial on this, so go to this link and follow #3; the other ones aren’t necessary.

Alright great, now we can connect to your Raspberry Pi via SSH. After this step that keyboard and monitor won’t be necessary anymore, so you can put that back. On another computer, follow these steps to SSH into your Raspberry Pi.

On Linux and Mac

Open Terminal and enter the following command:

ssh pi@192.168.X.X

Replace the IP address (after the @) with the static IP address you set earlier. You’ll need to enter a password; unless you’ve already changed it, it’s raspberry. Don’t worry, we’ll change that later (otherwise using the default password would render this security tutorial rather pointless). You should now be connected, so skip to the next section; there’s no need to read about Windows computers.

On Windows

Windows makes SSH a bit trickier, because it isn’t built in by default. Not to worry though, we can use a number of applications to give us the same functionality. My personal favorite is Bitvise, so we’ll be using that, but if you want to go with another client go ahead, the screenshots may vary slightly.

First, download “Bitvise SSH Client” from their official website, here. Run the installer and open the application, usual stuff. Fill out the application window like this:

Replacing Host with the static IP address you filled out earlier, and Password with the default password: raspberry (unless you’ve already changed it). Don’t worry about the password, we’ll change it later. After entering this information, click Login at the bottom. A window looking like this should pop-up, this is how you know it worked!

Getting your Pi ready

Now that you’re in an SSH window, we can begin. Anything you enter in this window will be run on your Raspberry Pi, not your personal computer. In this SSH window, enter the following 2 commands:

sudo apt-get update

This command refreshes the package lists from the software repos on your Pi. Give it a few seconds (depending on your internet connection) and then enter:

sudo apt-get upgrade

This command actually updates the software itself. Out of the box my Pi had a lot of software to update, so just press Y (for Yes) when it asks and it’ll do that for you. This downloads all the software, so it may take some time to get everything, depending on your internet connection.

Now we’re going to change the password for the pi user. This prevents people from just logging in with the default. In your SSH window enter:

passwd

First it’ll ask you for the current password. Again, this is raspberry. Then it will ask twice for a new password; just enter it and press Enter when done. You may or may not be kicked out of SSH at this point, but if you are, just reconnect with your new password. Now that the Pi is finally all set up, we can get to the good part:

Installing OpenVPN

In your SSH window, enter the following command:

sudo apt-get install openvpn -y

This will begin the install, so just be patient while it downloads everything.

Now we can generate encryption keys for OpenVPN. This is what makes the connection itself safe to use, so don’t skip this step. First, we’re going to switch to a root user, so it allows us to edit the keys. This is simple, just enter this in your SSH window:

sudo -s

You’ll know this works if it switches from pi@raspberrypi to root@raspberrypi in the window.

Next we need to download easy-rsa, which is a program that generates keys. This can be done simply using this command:

git clone https://github.com/OpenVPN/easy-rsa.git

Run these 2 commands to get version 2.2.2 of Easy-RSA:

cd easy-rsa
git checkout 2.2.2

You’ll know it worked if it says this at the bottom of the window:

HEAD is now at 19c3186... creating 2.x branch for tracking changes

Now all we need to do is run this command, which will copy easy-rsa to the OpenVPN directory:

cp -r easy-rsa/2.0/ /etc/openvpn/easy-rsa

Setting up your Certificates

Alright, now change directories to the newly created easy-rsa directory. This can be done by running:

cd /etc/openvpn/easy-rsa

Now we need to edit the vars file. This file is the configuration for easy-rsa. We can edit this by running the following command:

nano vars

We are using nano because it comes preinstalled with Raspbian and is simple to use, while providing a lot of functionality.

Now we are going to change the EASY_RSA variable in this file. Using your arrow keys, navigate down to it (around line 15 in my window) and change

export EASY_RSA="`pwd`"

to

export EASY_RSA="/etc/openvpn/easy-rsa"

Now scroll down (using the arrow keys again) to a section that says:

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

And change

export KEY_SIZE=1024

to

export KEY_SIZE=2048

This will increase security, and I’m a pretty paranoid person, so this is a must for me. And this has no real-world noticeable downsides. You can change other settings in this file too if you know what you’re doing, otherwise press Ctrl+O to save on your keyboard, press Enter, then press Ctrl+X to exit the document.

Now we’re going to actually build our encryption certificates. Enter these commands one by one to start the process:

source ./vars

This sets the configuration to the vars file we just edited.

./clean-all
./build-ca

After this last command, it’ll ask you to enter some information. Fill it out with your information, or just keep hitting Enter for the defaults.

Now we’ll create a certificate for and name the server. I named mine Pi but it really doesn’t matter:

./build-key-server Pi

Again, this will allow you to enter some information. Most of this is optional, but make sure you set the following settings manually:

Common Name must be set to your server name you entered above (for example Pi), it should do this by default but verify it to be safe.

A challenge password must be left blank! Don’t enter anything here.

Sign the certificate?, enter y to sign it.

1 out of 1 certificate requests certified, commit?, again press y of course.

We just made a certificate! This certificate expires in 10 years so I suppose if you’ve been using your Pi VPN for 10 years you’ll have to repeat this process again.

Creating Client Certificates

Now we will create certificates for all our clients (laptops, desktops, phones, whatever else you’ll be using to connect to this server away from home). It is possible to be lazy and only make one, but if you did that only one would be able to connect at a time. Enter this command:

./build-key-pass User1

You can replace User1 with anything you want, but it’s simpler to just use a naming scheme like User1, User2, etc…

Now (you guessed it!) more prompts, some are optional but you will need to pay attention to the following:

Enter PEM pass phrase: Enter a password (one you will remember). This will be used every time you connect to your server.

A challenge password: Must be left blank!

Sign the certificate?: Enter y to sign it for 10 years.

Now we’re going to re-encrypt the key with an encryption scheme called des3 (Triple DES). This is mandatory for certain modern clients for OpenVPN:

cd keys
openssl rsa -in User1.key -des3 -out User1.3des.key

It will ask you for some information:

Enter pass phrase for User1.key: Enter the same PEM pass phrase here.

Enter PEM pass phrase: Enter the same pass phrase again.

Now change directories back to /etc/openvpn/easy-rsa/:

cd ..

Now we will generate the Diffie-Hellman keys for your server. This will allow your clients and the server to exchange keys. Enter the command:

./build-dh

Give it some time, it’ll take a while because we’re using 2048 bit encryption. In my case it took me about 15 minutes, so sit back and take a break, you’ve earned it.

Finally, we can implement DDoS protection. OpenVPN has this built in so all you’ll need to do is run this command and you’ll be set:

openvpn --genkey --secret keys/ta.key
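
Before moving on, it is worth confirming that every client key created above really is passphrase-protected and seeing which cipher protects it. The script below is an added example, not part of the original post: it reads only the PEM header lines, and the script name keycheck.sh, the function names and the header-only sample files are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: report how each client private key
# is protected by reading its PEM header lines only. Nothing is decrypted.

# pem_key_protection FILE
# Prints one of: pkcs8-encrypted | legacy:<cipher> | unencrypted | other | missing
pem_key_protection() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    # First "-----BEGIN ..." line; tr drops a CR if the file was saved on Windows.
    _begin=$(sed -n '/^-----BEGIN /{p;q;}' "$1" | tr -d '\r')
    case $_begin in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo "pkcs8-encrypted" ;;
        '-----BEGIN PRIVATE KEY-----')           echo "unencrypted" ;;
        '-----BEGIN RSA PRIVATE KEY-----')
            # Traditional format: an encrypted key names its cipher in a
            # "DEK-Info: <cipher>,<iv>" header; no such header means plaintext.
            _dek=$(sed -n 's/^DEK-Info: *\([^,]*\),.*$/\1/p' "$1" | sed -n '1p')
            if [ -n "$_dek" ]; then echo "legacy:$_dek"; else echo "unencrypted"; fi ;;
        *) echo "other" ;;   # e.g. a certificate or the OpenVPN static key ta.key
    esac
}

# audit_client_keys DIR NAME...
# Checks NAME.key and NAME.3des.key, the two files the steps above produce.
# Prints "file<TAB>status" per file; returns 1 if any is unencrypted or missing.
audit_client_keys() {
    _dir=$1; shift
    _bad=0
    for _name in "$@"; do
        for _f in "$_name.key" "$_name.3des.key"; do
            _st=$(pem_key_protection "$_dir/$_f")
            printf '%s\t%s\n' "$_f" "$_st"
            case $_st in
                unencrypted|missing|other) _bad=1 ;;
            esac
        done
    done
    return $_bad
}

# write_sample_keys DIR
# Constructed, header-only sample files (no real key material) for a dry run.
write_sample_keys() {
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        '(constructed sample, body omitted)' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/User1.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' \
        '(constructed sample, body omitted)' \
        '-----END RSA PRIVATE KEY-----' > "$1/User1.3des.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        '(constructed sample, body omitted)' \
        '-----END RSA PRIVATE KEY-----' > "$1/User2.key"
}

# Usage: sh keycheck.sh /etc/openvpn/easy-rsa/keys User1 [User2 ...]
#        sh keycheck.sh --demo     (runs against the constructed samples)
if [ "${1:-}" = "--demo" ]; then
    _tmp=$(mktemp -d) && write_sample_keys "$_tmp"
    audit_client_keys "$_tmp" User1 User2
    rm -rf "$_tmp"
elif [ $# -ge 2 ]; then
    audit_client_keys "$@"
fi
```

A status of unencrypted or missing for a client key means the passphrase step was skipped or the conversion did not run for that client.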

Configuring OpenVPN

Alright, most of the process is done, finally we can finish the OpenVPN configuration and then you can get connected!

Run this command to open up the configuration file:

nano /etc/openvpn/server.conf

You may have noticed this file is completely blank. Fill it in with this information:

(https://gist.github.com/JonahAragon/72b7cd73e1d8f5a7c23b)

There are comments in the above Gist telling you what you need to change, so make those changes and press Ctrl+O, Enter, and Ctrl+X when you finish, to leave the document.

Now let’s edit our Pi’s network configuration, to allow network forwarding. Enter the following command to edit the file.

nano /etc/sysctl.conf

Scroll down and you’ll see a section labeled:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

It shouldn’t be too far down the file. Simply remove the # in front of net.ipv4.ip_forward=1 and you’ll be good to go.

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Press Ctrl+O, Enter, and Ctrl+X when you finish, then apply those changes using:

sysctl -p

Now we’ve made a functioning server, but we can’t use it yet because Raspbian has a built-in firewall, which blocks all incoming connections. We’re not going to completely disable it, as it protects us from outside hackers, but we’ll add some rules that allow OpenVPN users through. Let’s make a simple file to do this for us:

nano /etc/firewall-openvpn-rules.sh

This is blank of course, enter the following information:

Be sure to change 192.168.X.X to your Pi’s IP address.

Exit nano and enter the following commands to change the file’s permissions:

chmod 700 /etc/firewall-openvpn-rules.sh
chown root /etc/firewall-openvpn-rules.sh

Now that we have this file, we need to enter it in the network configuration so the rules stick, run:

nano /etc/network/interfaces

Find the line that is either iface eth0 inet dhcp or iface eth0 inet manual and enter this line below it:

        pre-up /etc/firewall-openvpn-rules.sh

Keep those spaces at the front so it’s indented, it should end up looking like this:

iface eth0 inet manual
        pre-up /etc/firewall-openvpn-rules.sh
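
Before rebooting, the three edits from this section (packet forwarding, the locked-down rules script, and the pre-up hook) can be checked with a short script. This is an added example, not part of the original post; the function names are made up for illustration and the file paths are the ones used above.

```sh
#!/bin/sh
# Added example, not from the original post: checks for the three edits made in
# this section. File paths are arguments so the checks can be tried on copies.

# ip_forward_enabled SYSCTL_CONF
# True if the last uncommented net.ipv4.ip_forward setting in the file is 1.
ip_forward_enabled() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "net.ipv4.ip_forward" { val = $2; gsub(/[ \t\r]/, "", val) }
        END { exit !(val == "1") }
    ' "$1"
}

# script_locked_down FILE [UID]
# True if FILE has mode 700 and is owned by UID (default 0, root). ifup runs the
# script as root, so no other account should be able to read or modify it.
script_locked_down() {
    _want_uid=${2:-0}
    # "ls -ln" prints: <perms> <links> <uid> <gid> ...
    set -- $(ls -ln "$1" 2>/dev/null)
    case ${1:-} in
        -rwx------*) [ "$3" = "$_want_uid" ] ;;
        *) return 1 ;;
    esac
}

# preup_hooked INTERFACES_FILE SCRIPT
# True if "pre-up SCRIPT" sits inside the "iface eth0 ..." stanza. A pre-up line
# placed under a different stanza is not run when eth0 comes up.
preup_hooked() {
    awk -v script="$2" '
        /^[ \t]*#/ { next }
        $1 == "iface" { in_eth0 = ($2 == "eth0"); next }
        $1 == "auto" || $1 == "mapping" || $1 == "source" || $1 ~ /^allow-/ { in_eth0 = 0; next }
        in_eth0 && $1 == "pre-up" && $2 == script { found = 1 }
        END { exit !found }
    ' "$1"
}

# preflight SYSCTL_CONF RULES_SCRIPT INTERFACES_FILE [UID]
# Prints PASS/FAIL per check; returns 1 if any check failed.
preflight() {
    _rc=0
    if ip_forward_enabled "$1"; then echo "PASS ip_forward is enabled in $1"
    else echo "FAIL ip_forward is not enabled in $1"; _rc=1; fi
    if script_locked_down "$2" "${4:-0}"; then echo "PASS $2 is mode 700, owner uid ${4:-0}"
    else echo "FAIL $2 is missing, not mode 700, or not owned by uid ${4:-0}"; _rc=1; fi
    if preup_hooked "$3" "$2"; then echo "PASS pre-up $2 is in the eth0 stanza of $3"
    else echo "FAIL no pre-up $2 line in the eth0 stanza of $3"; _rc=1; fi
    return $_rc
}

# On the Pi, as root:
#   sh preflight.sh /etc/sysctl.conf /etc/firewall-openvpn-rules.sh /etc/network/interfaces
if [ $# -ge 3 ]; then
    preflight "$@"
fi
```

After the reboot, `iptables -L -t nat -v` shows whether the rules from the script were actually loaded.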

Finally, we are done. Run this command to finish the install and reboot your Pi:

sudo reboot

Conclusion

You now have an OpenVPN server you can connect to from anywhere in the world. Click here to see part two, which includes final steps and how to connect.

I hope you enjoyed this tutorial, check out some of our other ones as well to find out more ways you can keep your online life secure.

54 thoughts on “Setting Up OpenVPN on a Raspberry Pi 2 (Part 1/2 Updated!)”

  1. I think there’s something missing between “You may have noticed this file is completely blank. Fill it in with this information:” and “There are comments in the above Gist” but it’s in the archive.org link.

  2. Hi Jonah,
    Can I use the static IP address instead of (iface eth0 inet dhcp or iface eth0 inet manual)? If it does, then the /etc/network/interface contents would be:

    iface eth0 inet static
    pre-up /etc/firewall-openvpn-rules.sh
    address 192.168.1.xxx
    gateway 192.168.1.1
    netmask 255.255.255.0
    dns-nameserver 0.0.0.0 8.8.4.4

    Thks

    1. Yes you can. Make sure you also update the server.conf with the corresponding IP address you assign to your PI

  3. After many failed attempts to set up an OpenVPN server in my raspberry pi I came across your post. It worked beautifully, so thank you very much for taking the time to write this up. However, in order to make it work, I had to comment out the first line in /etc/openvpn/server.conf. Hopefully this will save some time to someone who has trouble making it work.

  4. Hello.

    The tutorial is perfect and everything works fine! Thank you for your time!
    I would like to ask a question: my home network is 192.168.178.0/24 and my modem assigns specific IP addresses on all the devices by checking the MAC address.
    So, my mobile phone has IP 192.168.178.15 and my laptop has IP 192.168.178.3. All wifi guests (unknown devices) take IP addresses from .150 to .200.

    Is it possible that when I connect through vpn, my modem recognizes the mobile phone’s mac and give the IP .15? I don’t want it to have an IP like 10.8.0.2.

    Thanks in advance!

  5. First of all: thanks for the tutorial! Small remark: in the beginning of the tutorial I think “sudo-apt-get upgrade” should be “sudo apt-get upgrade” 😉

  6. Thanks for the guide. However, please take the time to test it on a clean install. You might notice that git is not present and needs to be installed.

    1. I ran a clean install as of June 19, 2016 of Raspbian from a NOOBS install source and did the update/upgrade to prepare it.
      Git worked without a package install.

  7. This tutorial is awesome but I’d like to add some more info.

    I followed this verbatim. I could create the keys and connect to the RaspberryPi OpenVPN server using the port forwarding but couldn’t ping anything on local network or browse the web. Turns out my router has a LAN route setting that once I added 10.8.0.0 to the behind the router LAN, everything just clicked in place instantly while still being safe behind the main router’s firewall.

    I’ve since added some more iptable info to my Pi to filter out tons of sources of ads to reduce some of the wait time for page display.

    Again, awesome tutorial. I’m keeping a copy in my cloud for future use.

    1. I may have the same issue on my LAN Draytek router. How did you add this exactly? LAN -> Static route setup -> 1 – add: Dest address: 10.8.0.0; subnet mask 255.255.255.0; Gateway ; Network interface LAN1?

      Does that look correct?
      Thanks!

      1. Good morning all,

        I did set up a VPN server on a RasPI 3. It went well as far as the commands went; I rebooted and there was no error doing so.

        I have copied all the files from the KEYS directory to my computer running Windows 7 Ultimate, and I have also installed OpenVPN on it too.

        The question is how to configure my Windows OpenVPN to connect to it, please.

        Cheers

        Siamak

  8. I followed the tutorial verbatim, but when i check the status of the application (service openvpn status)
    the output shows

    ● openvpn.service – OpenVPN service
    Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
    Active: active (exited) since Sat 2016-07-23 16:27:21 UTC; 12min ago
    Process: 452 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
    Main PID: 452 (code=exited, status=0/SUCCESS)
    CGroup: /system.slice/openvpn.service

    The active (exited), makes my VPN not working, but I do not know how to fix it. Any help would be great.

    1. If you have the “local ” statement in your openvpn server.conf, you may have an issue with the startup sequence, during which the interface is not ready yet, when the openvpn service tries to establish the listening socket. This can be overcome by making the openvpn service delay attaching prematurely or by making the service restart on failure (hackish, but a good failsafe)

      To confirm reason for failure:
      systemctl status openvpn@server.service
      openvpn@server.service – OpenVPN connection to server
      Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
      Active: active (running) since Sat 2016-07-23 14:22:52 UTC; 2h 58min ago
      Process: 978 ExecStart=/usr/sbin/openvpn --daemon --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
      Main PID: 991 (openvpn)
      CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
      └─991 /usr/sbin/openvpn --daemon --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc…

      Jul 23 14:22:52 raspberrypi systemd[1]: Started OpenVPN connection to server.
      ———-

      Here is my service configuration that works (verify yours is named to match your installation):
      ===========================================================

      cat /lib/systemd/system/openvpn@.service
      [Unit]
      Description=OpenVPN connection to %i
      PartOf=openvpn.service
      ReloadPropagatedFrom=openvpn.service

      [Service]
      Type=forking
      ExecStart=/usr/sbin/openvpn --daemon --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
      ExecReload=/bin/kill -HUP $MAINPID
      WorkingDirectory=/etc/openvpn
      Restart=always
      RestartSec=30

      https://unix.stackexchange.com/questions/88667/openvpn-socket-bind-failed-on-local-address-af-inet-ip1194-cannot-assign-r

      1. systemctl status openvpn@server.service
        openvpn@server.service – OpenVPN connection to server
        Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
        Active: active (running) since Sun 2016-07-24 23:37:23 UTC; 3 days ago
        Process: 362 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
        Main PID: 400 (openvpn)
        CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
        └─400 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf

        Server.service seems to be running properly, yet when I check the status of openvpn, even after the changes to openvpn@.service, I still get active(exited).

        service openvpn status
        ● openvpn.service – OpenVPN service
        Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
        Active: active (exited) since Thu 2016-07-28 17:42:00 UTC; 45s ago
        Process: 565 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
        Main PID: 565 (code=exited, status=0/SUCCESS)
        CGroup: /system.slice/openvpn.service

        Any insights?

          1. Hi Mike, did you get the solution for your problem? I have the same thing and it is driving me crazy! I looked at a lot of sites and did not get the solution yet.

          2. I made a few changes to the config to get this working as I wanted (associated with this problem, the iptables rules were not getting loaded!)

            * Remove the pre-up command from /etc/network/interfaces

            * Move /etc/firewall-openvpn-rules.sh to /etc/openvpn/up.sh (make sure it’s executable!)

            * Alter the contents of the /etc/openvpn/up.sh so the MASQUERADE rule is the only one …
            iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

            * Add the following to /etc/openvpn/server.conf …
            script-security 2
            up "/etc/openvpn/up.sh"

            * Disable the openvpn service from starting at boot ….
            sudo systemctl disable openvpn.service

            * Create a timer to start the service after 60 seconds (you may be able to fine tune this, but 60 secs works for me!) For an idea how to create a timer to kick off a service have a look at Steps 8 & 9 of this how-to on my website for another software package …
            https://g0wfv.wordpress.com/how-to-auto-start-mmdvmhost-as-a-service-on-boot-in-raspbian-jessie/
            (You will need to substitute ‘mmdvmhost’ with ‘openvpn’)

            Now when you reboot, openvpn will start after 60 seconds well after the network is up avoiding this problem and the MASQUERADE rule will allow you to access the internet via your own network – If you only require local access, replace the MASQUERADE rule with the original rule above!

  9. Thanks for the guide, I just have had one major problem. I set up everything and installed openvpn connect on my android device, along with the appropriate certificate, but I can never connect. According to the log it attempts to connect to [my public IP] via UDPv4. Next it says Server poll timeout, trying next remote entry…. then it eventually just times out. It asks for my password, and seems to check it but I get stuck.
    Thanks for any help

  10. Hi,
    I followed part 1 tutorial and all went according to the documentation but when I rebooted and tried to SSH back into the PI to complete part 2, the connection was refused with a “Windows 10061 error, connection actively refused by the target”. I now can’t connect to the pi to find out what might have happened. Has anyone come across this before? I can ping the ip address of the pi and that is all fine and I can access a local page on the pi through another port. Just can’t ssh or remote desktop either. HELP

  11. Thanks for the guide 🙂 But there is one thing: In the part with “openssl rsa -in User1.key -des3 -out User1.3des.key” you say to use 3DES, but isn’t it a bit outdated? The security of 3DES is only 112 bit. I would change it to AES128 or AES256 because it is more secure and also faster than 3DES.

    I also had to delete the first line of the server.conf, because the openvpn service didn’t load at boot.

  12. HI all,

    can anybody help.. when I try to connect with openVPN Connection on Windows I get: “Cannot resolve host address. No such host is known”

    Is that because my openvpn status is “active(exited)”?

    Thanks in advance!

  13. Hi,

    I finally managed to set up OpenVPN that is working on my Windows 10. But I still have problem with the iPhone. I can connect to VPN but cannot access internet (server stopped responding). Here is my log file from iPhone.. any ideas? Thanks for the help… I did the MASQUERADE rule

    2016-10-29 14:15:52 PROTOCOL OPTIONS.
    cipher: AES-128-CBC
    digest: SHA1
    compress: LZO
    peer ID: -1
    2016-10-29 14:15:52 EVENT: ASSIGN_IP
    2016-10-29 14:15:52 Error parsing IPv4 route:
    [route][192.168. . ][255.255.255.0] :
    tun_prop_error: route is not canonical
    2016-10-29 14:15:52 Connected via tun
    2016-10-29 14:15:52 EVENT: CONNECTED
    @ my static IP:1194 (my static IP) via /
    UDPv4 on tun/10.8.0.6/
    2016-10-29 14:15:52 LZO-ASYM init swap=0
    asym=0
    2016-10-29 14:15:52 SetStatus Connected

    1. OK, I found one more thing: I had route 192.168._._ 255.255.255.0 in server.conf and that is wrong; it is supposed to be 255.255.255.255. I changed that and it is still not connecting via iPhone.

  14. I have followed this tutorial word-for-word and it seems like everything is working. I have created certs and keys for all users that will be using the VPN that I have created. I am unable to actually tunnel through to the VPN on my computer or phone, any suggestions?

  15. Hi Jonah or Anyone

    if I want to create more than one “users” to use keys, do I start with this process:
    ./build-key-pass User1

    To HERE
    cd keys
    openssl rsa -in User1.key -des3 -out User1.3des.key
    It will ask you for some information:
    Enter pass phrase for Yoga.key: Enter the same PEM pass phrase here.
    Enter PEM pass phrase: Enter the same pass phrase again.
    AND AGAIN REPEAT
    ./build-key-pass User2.3.4 etc
    I am a little confused, as it is my first Pi project

  16. I’ve been trying to get that working properly, but after a restart firewall-openvpn-rules.sh never works properly, as checked by:
    iptables -L -t nat -v
    I was getting result as:
    root@raspberrypi:/home/pi# iptables -L -t nat -v
    Chain PREROUTING (policy ACCEPT 405 packets, 25296 bytes)
    pkts bytes target prot opt in out source destination

    Chain INPUT (policy ACCEPT 405 packets, 25296 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 481 packets, 35023 bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 481 packets, 35023 bytes)
    pkts bytes target prot opt in out source destination

    But when I changed /etc/rc.local,
    I mean, I just added these lines:

    echo "Enabling routing for proper VPN operation…"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "Remote port mapping for VPN service…"
    iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
    echo "SNAT of the VPN addresses to allow split-tunneling…"
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.X.X #this should be your Raspberry PI IP address

    I’ve got openvpn finally working after every rpi restarts as you can see there:

    root@raspberrypi:/home/pi# iptables -L -t nat -v
    Chain PREROUTING (policy ACCEPT 90 packets, 5324 bytes)
    pkts bytes target prot opt in out source destination

    Chain INPUT (policy ACCEPT 90 packets, 5324 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:openvpn

    Chain OUTPUT (policy ACCEPT 106 packets, 7076 bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 106 packets, 7076 bytes)
    pkts bytes target prot opt in out source destination
    0 0 SNAT all -- any eth0 10.8.0.0/24 anywhere to:192.168.X.X

  17. Hi All,

    I have a question in regards to the UDP protocol: why is this being used? Although it is using IP, it is still not reliable, and the default port is 1194, so why not use TCP/IP?

    Many thanks if someone can enlighten me please.

    Siamak

  18. If the second to last step doesn’t work, do the following:
    sudo nano /etc/rc.local

    and after it says print out the ip address, type in:
    /etc/firewall-openvpn-rules.sh

    then hit ctrl+o, enter, and ctrl+x

    then:
    sudo reboot
    (make sure your script has permissions set!)

    1. I’ve the same issue, I can connect to private network using vpn but I’m not able to enter internet from there. Why?

  19. Great tutorial and clearly a responsive blog! I’m stuck at the point where you edit the vars file. When I type

    nano vars

    Nano opens, but there is NO vars file – nano is showing “new file”.
    I’m searching the entire filesystem from the root and there is no vars file anywhere.

    What am I doing wrong??

    Thanks for a great resource.
    Ronan

    1. I should add that I’ve found a file:
      vars.example
      on the OpenVPN github. I used this as a template for vars and am continuing, but would still love to know why the vars file was absent in the first case!
      Thanks!
      R

  20. Hi Jonah,
    Many thanks for putting this tutorial together. The directions are very clear. Was wondering if you could help with one problem and one question?

    I have the same problem that folks before me have had. I followed the tutorial verbatim then imported the .ovpn file to my OpenVPN app on my iPhone but I can’t connect to the server. Any suggestions on what I might’ve done wrong?

    Also, does the openVPN on the raspberry pi start up each time the pi powers on or must you call it?

    Many thanks again!

  21. Thanks for this article
    everything went well until “Creating Client Certificates”

    when I type: ./build-key-pass

    It says: No such file or directory
    Anybody has a solution so I can continue?
