Install and Configure OpenVPN on Raspberry Pi

-
This is a supplement post on setting and configuring OpenVPN. However, we are going to configure OpenVPN on a Raspberry Pi.

Download and Install Raspbian OS

Download the latest Raspbian OS and burn the image to a SD card using the software Etcher. Once we booted up the Raspberry Pi, we can follow the wizard to set password, enable wifi and update the software. We can also choose to enable ssh and vnc using Raspberry Pi Configuration software. We can also run the configuration software from command line using raspi-config.

Install OpenVPN and Easy-Rsa

Once the system is updated, we can proceed to install OpenVPN using the command:


sudo apt-get install -y openvpn

The repository for Raspberry Pi do not have version 3 of easy-rsa. Version 3 of easy-rsa is more easier to use without the need to perform many configuration. To use Easy-RSA version 3, we can download the package from github at the location https://github.com/OpenVPN/easy-rsa. Once we downloaded and unzipped the software, we can copy the content to /etc/openvpn folder.


Preparing Easy-RSA Folder

In this section we will show you how to prepare for Easy-RSA. First, go to Github site on Easy-RSA and download the latest package here.  

Next, we extract the archive to the Downloads folder. Then we make new directory using the command below:

# make a direcotry for easy-rsa
sudo mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
sudo cp -rv <download folder of easy-rsa>/* ./

The rest of the configuration is the same as our post "Configuring OpenVPN on AWS EC2 (Update: Aug 2018)". Please proceed to follow with the rest of the configuration.

Configure Router

If you are placing the Raspberry Pi behind your router, we need to configure the router tp perform port forwarding on TCP 1194 to the Raspberry Pi. Please consult the manual of your particular router on performing port forwarding.

Testing and Troubleshooting

Listed below are some tips on troubleshooting OpenVPN:

Server Configuration

  1. Check if the server is running using systemctl command. 
  2. Use journalctl -xe to check for error message.
  3. Please note that every time we change something of the conf file, we MUST restart the service.
  4. A common error on the server configuration file is the setting of user nobody and group nobody. Commented it out for the server to run smoothly.
  5. We have to eliminate every error so that the server is up and running.
  6. Common error are location of the key file, so check the path carefully. As software getting updates and changes are made. The path of the key may not be the same.

Client Configuration

  1. Similarly, we must make sure that client configuration file is loaded without any issue.
  2. Common problem is the client could not find the location of the key.
  3. Eliminate each problem until the profile is loaded to the client software.


Connection Problem

  1. If both the server and client is running without error, but we still could not  establish connection. Then we need to troubleshoot from client to server. First make sure that the client do not have firewall. Or at least the firewall is disabled for troubleshooting.
  2. Next, check the router that is in front of the Raspberry Pi. Change the setting such that the router can response to ping. Also make sure that you got the correct public IP address of your router. If you can ping the router proceed to next step.
  3. For next step, we need to check if the port forwarding is done correctly. You can perform the same port forwarding for TCP port 22. This port is for ssh server. Try to connect to the Pi using ssh. If you can perform ssh to the Pi behind the firewall, then it confirm that the method of port forwarding is correct.
  4. Next, we need to check if the correct port number is used as per server and client configuration file. Also make sure the router is forwarding the correct port number.
  5. Please also make sure that the correct protocol (tcp or udp) is configure on the server and client. Also check if the router is forward the correct protocol.
  6. Finally, disable tls-auth first and try connecting. If connection is successful without tls-auth but connection failed when tls-auth is turn on, then we know that the problem lies with tls-auth. 
  7. Change tls-auth to tls-crypt. Also make sure that server got 0 and client got 1 in the configuration. 
  8. If tls is configured correctly, we can also make sure that we have download and use the correct key files. You can download them again. 

Client Firewall

  1. If you can make connection to the VPN server with client firewall down, but you could not make connection on client firewall; then the problem is with client firewall.
  2. Usually, client firewall do not have any problem , because usually we block incoming but allow outgoing. Please make sure that your client firewall allow the vpn port for outgoing traffic.

Internet Problem

  1. If the connection is successful, but you could not browse the Internet; then the problem definitely lies with IP routing. 
  2. First make sure the script is running. Also make sure that when the system reboot it will automatically run the script.
  3. If the script is running, check the IP routing command. For some system, they do not use eth0 as default, so we need to change the interface name to the correct one. 
  4. If you are using wifi, then you should replace eth0 with wlan0.

Please search the web or ask in the forum when all else failed.


***



Comments

Post a Comment

Popular posts from this blog

Revive Old Mac Mini (2009) with Linux

-
Image
We have an old Mac Mini (late 2009 version) lying around. The latest Mac OS X it could support was Mac OS X El Capitan. The machine is still good although the DVD drive does not worked anymore.  Apple will drop security update for El Capitan very soon. Running OS X El Capitan without any security update is not an option.  Instead of disposing a good piece of hardware, we can install Linux. However, before we start playing around with the Linux installation, we need to take stock of the hardware capability. We might need to upgrade some hardware so that we can run Linux smoothly. Mac Mini 2009 Specification This Mac has Core 2 Duo CPU (P8700) running at 2.53GHz. It support PC3-8500 DDR3 RAM running at 1066MHz. This Mac Mini has a Nvidia Geforce 9400M video card. It support 2 display output. Wifi specification is 802.11a/b/g/n. This is pretty high end at the time.  However, this WiFi uses Broadcom chipset (BCM4321), which is not very well supported in Linux since it
Read more

Configure Unattended Upgrades on Raspberry Pi

-
If we were to run Raspberry Pi headless (without attached monitor), it would be nice if we can perform unattended system upgrades. In Debain/Ubuntu class of software, we can perform unattended upgrades using the software package unattended-upgrades.  To install the software, use the command below:  sudo apt-get install unattended-upgrades # Following are additional software required # we only need mailutils or bsd-mailx, choose 1 sudo apt-get install mailutils sudo apt-get install bsd-mailx sudo apt-get install update-notifier-common Next, we need to edit the configuration files: sudo nano /etc/apt/apt.conf.d/50unattended-upgrades The configuration should be similar as below: Unattended-Upgrade::Origins-Pattern { // Codename based matching: // This will follow the migration of a release through different // archives (e.g. from testing to stable and later oldstable). // "o=Debian,n=jessie"; // "o=Debian,n=jessie-update
Read more

Install and Configure RealVNC in Linux Ubuntu 18.04 LTS

-
Image
RealVNC is a commercial company that sell VNC license for the enterprise market. However, the company allow home user to setup VNC server for personal use. The limitation is that you are only allow 5 connection. User must register an ID with the company. The configuration of your VNC will be stored on the company's server. Since RealVNC is professionally produce, it is much better compare to the open source product in Linux. The main advantage is easy configuration although there are steps to install and start the server especially on Linux platform. We do not need to worry about ip address and port number. What the server and client required is our RealVNC ID which we have created. Unlike the default Vino server that comes with Ubuntu, RealVNC will start without user login. The system is created with security in mind. Encryption is done transparently without any intervention from user. We will be showing a simple guide on how to install and Configure RealVNC Connect (serv
Read more