Install and Configure OpenVPN on Raspberry Pi
This is a supplement post on setting and configuring OpenVPN. However, we are going to configure OpenVPN on a Raspberry Pi.
Download and Install Raspbian OS
Download the latest Raspbian OS and burn the image to a SD card using the software Etcher. Once we booted up the Raspberry Pi, we can follow the wizard to set password, enable wifi and update the software. We can also choose to enable ssh and vnc using Raspberry Pi Configuration software. We can also run the configuration software from command line using raspi-config.
Install OpenVPN and Easy-Rsa
Once the system is updated, we can proceed to install OpenVPN using the command:
sudo apt-get install -y openvpn
The repository for Raspberry Pi do not have version 3 of easy-rsa. Version 3 of easy-rsa is more easier to use without the need to perform many configuration. To use Easy-RSA version 3, we can download the package from github at the location https://github.com/OpenVPN/easy-rsa. Once we downloaded and unzipped the software, we can copy the content to /etc/openvpn folder.
Preparing Easy-RSA Folder
In this section we will show you how to prepare for Easy-RSA. First, go to Github site on Easy-RSA and download the latest package here.
Next, we extract the archive to the Downloads folder. Then we make new directory using the command below:
# make a direcotry for easy-rsa sudo mkdir /etc/openvpn/easy-rsa cd /etc/openvpn/easy-rsa sudo cp -rv <download folder of easy-rsa>/* ./
The rest of the configuration is the same as our post "Configuring OpenVPN on AWS EC2 (Update: Aug 2018)". Please proceed to follow with the rest of the configuration.
If you are placing the Raspberry Pi behind your router, we need to configure the router tp perform port forwarding on TCP 1194 to the Raspberry Pi. Please consult the manual of your particular router on performing port forwarding.
Testing and Troubleshooting
Listed below are some tips on troubleshooting OpenVPN:
- Check if the server is running using systemctl command.
- Use journalctl -xe to check for error message.
- Please note that every time we change something of the conf file, we MUST restart the service.
- A common error on the server configuration file is the setting of user nobody and group nobody. Commented it out for the server to run smoothly.
- We have to eliminate every error so that the server is up and running.
- Common error are location of the key file, so check the path carefully. As software getting updates and changes are made. The path of the key may not be the same.
- Similarly, we must make sure that client configuration file is loaded without any issue.
- Common problem is the client could not find the location of the key.
- Eliminate each problem until the profile is loaded to the client software.
- If both the server and client is running without error, but we still could not establish connection. Then we need to troubleshoot from client to server. First make sure that the client do not have firewall. Or at least the firewall is disabled for troubleshooting.
- Next, check the router that is in front of the Raspberry Pi. Change the setting such that the router can response to ping. Also make sure that you got the correct public IP address of your router. If you can ping the router proceed to next step.
- For next step, we need to check if the port forwarding is done correctly. You can perform the same port forwarding for TCP port 22. This port is for ssh server. Try to connect to the Pi using ssh. If you can perform ssh to the Pi behind the firewall, then it confirm that the method of port forwarding is correct.
- Next, we need to check if the correct port number is used as per server and client configuration file. Also make sure the router is forwarding the correct port number.
- Please also make sure that the correct protocol (tcp or udp) is configure on the server and client. Also check if the router is forward the correct protocol.
- Finally, disable tls-auth first and try connecting. If connection is successful without tls-auth but connection failed when tls-auth is turn on, then we know that the problem lies with tls-auth.
- Change tls-auth to tls-crypt. Also make sure that server got 0 and client got 1 in the configuration.
- If tls is configured correctly, we can also make sure that we have download and use the correct key files. You can download them again.
- If you can make connection to the VPN server with client firewall down, but you could not make connection on client firewall; then the problem is with client firewall.
- Usually, client firewall do not have any problem , because usually we block incoming but allow outgoing. Please make sure that your client firewall allow the vpn port for outgoing traffic.
- If the connection is successful, but you could not browse the Internet; then the problem definitely lies with IP routing.
- First make sure the script is running. Also make sure that when the system reboot it will automatically run the script.
- If the script is running, check the IP routing command. For some system, they do not use eth0 as default, so we need to change the interface name to the correct one.
- If you are using wifi, then you should replace eth0 with wlan0.
Please search the web or ask in the forum when all else failed.