How to set up a Raspberry Pi VPN server - Raspberry Pi Forums


After a lot of frustration, I've set up a working TLS VPN server on my Raspberry Pi. I had set up a static key server that worked nicely, but decided a TLS server was better because of the disadvantages associated with the former. There are a lot of tutorials out there on how to do this, but I didn't find one complete solution that worked for me in one place; in the end, the solution I found came from a few different sources. Among them, [url=http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing]this[/url] ReadWrite tutorial, a great paper by Eric Jodoin, and the OpenVPN website's HOWTO.

To be clear, the goal is to have a Pi VPN server at home to connect a client to while on public WiFi networks. Importantly, all of the client's network traffic is routed through the encrypted VPN connection. The main reason I wanted to post this howto is to make it easier for others who might be facing difficulty trying the same thing. I've tried to provide both the rationale behind why things are being done throughout, and the relevant citation for those interested in reading more. I've assumed the starting point is a new version of Raspbian with a strong password and SSH enabled. Also, I assumed all commands are entered as root.
  1. Update and upgrade:

    Enter the following in the terminal:

    Code:

    sudo -s   # the rest of the instructions assume you've done this
    sudo apt-get update
    sudo apt-get upgrade
  2. Install OpenVPN and make a few changes:
    Install OpenVPN:

    Code:

    sudo apt-get install openvpn
    Once installed, move the easy-rsa directory to /etc/openvpn, because
    "it's best to copy this directory to a location such as /etc/openvpn, before any edits, so that future OpenVPN package upgrades won't overwrite your modifications" (from OpenVPN's HOWTO).

    This can be done with:

    Code:

    cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
    Then:

    Code:

    nano /etc/openvpn/easy-rsa/vars
    Find the export EASY_RSA= line and change it to

    Code:

    export EASY_RSA="/etc/openvpn/easy-rsa"
    If you want, you can change export KEY_SIZE=1024 to

    Code:

    export KEY_SIZE=2048
  3. Generate the certificate and key:
    In the terminal, enter:

    Code:

    cd /etc/openvpn/easy-rsa
    . ./vars
    ./clean-all
    ./build-ca
    After ./build-ca you need to enter something (for example, "vpnserver") for the "Common Name". For everything else you can just press enter. You'll have to enter 'y' a couple of times at the end.
    Generate the certificate and private key for the server:

    Code:

    ./build-key-server server
    You can press enter again for everything, but enter "server" for the common name.
    Create a client:

    Code:

    ./build-key-pass client1
    Press enter for everything except: enter "client1" for the common name and a PEM passphrase (you'll be asked for it when you log in).
    Now,

    Code:

    ./build-dh
    Generate a static pre-shared HMAC key as shown below.
    "Because the server will drop any packet lacking an authentication code computed with the pre-shared OpenVPN HMAC key.
    Furthermore, only clients with the pre-shared OpenVPN HMAC key will be able to exchange certificates.
    Therefore, attempts at buffer overflow through malicious packet injection or MITM using fake certificates are defeated as the attacker is unable to compute a valid authentication code without the OpenVPN HMAC key." - Jodoin, "SOHO Remote Access VPN. Easy as Pie, Raspberry Pi ..."

    Code:

    openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
  4. Copy files and make a few system changes:
    Once complete, SSH into the Pi from the client and securely transfer the files required by the client:

    Code:

    scp /etc/openvpn/easy-rsa/keys/client1.key user@123.456.789.101:/home/user/
    scp /etc/openvpn/easy-rsa/keys/client1.crt user@123.456.789.101:/home/user/
    scp /etc/openvpn/easy-rsa/keys/ca.crt user@123.456.789.101:/home/user/
    scp /etc/openvpn/easy-rsa/keys/ta.key user@123.456.789.101:/home/user/
    Copy the text here and save it as /etc/openvpn/server.conf on the Pi server. Remember to look at the file and change the values as appropriate before moving on. Specifically, make sure you enter the Pi's LAN address in the correct spot (see comments) and make sure the DH key size is correct.
    Go here and copy/paste the text into a file called client.conf on the client. Remember again to go through the file and make the appropriate changes (see comments). Make sure to copy/paste the entire contents of /etc/openvpn/easy-rsa/keys/ta.key from the server into the <tls-auth> ... </tls-auth> block.
    Now, on the server:

    Code:

    nano /etc/sysctl.conf
    Find and uncomment the line:

    Code:

    #net.ipv4.ip_forward=1
    Then,

    Code:

    sysctl -p
    Now, reboot the Pi.
    Enter:

    Code:

    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
    service openvpn restart
    If the Pi is connected wirelessly, the interface is wlan0, not eth0, so change it if necessary in the above commands. Note that these commands have to be entered each time the Pi reboots. The commands above assume the Pi is connected through an ethernet cable. If you get an error like this:

    Code:

    iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    see the section below on how to fix it (I had this).
    Make sure port forwarding is set up on your router - port 1194 UDP should be forwarded to the Pi's LAN address.
  5. Connect the client and verify traffic is being routed through the VPN:
    Go to the client machine and connect:

    Code:

    sudo openvpn /home/user/client.conf
    If successful, you should see a message saying

    Code:

    Initialization Sequence Completed
    On the client, make sure web traffic is being routed through the VPN by doing

    Code:

    traceroute www.google.com
    The first step should be

    Code:

    1  10.8.0.1 (10.8.0.1)
    Using this setup, I verified with Wireshark that web traffic is being routed through the VPN server (except DNS).
  6. That's it! This is a basic setup; you can now do your own customization/security hardening.
If you see the iptables error:

Code:

sudo apt-get install rpi-update
sudo SKIP_BACKUP=1 rpi-update
fixed the problem for me.
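As an added example (not part of rmurr's post or of the OpenVPN project), the step 4 firewall rules collected into one idempotent script, so they can be re-applied from /etc/rc.local or a systemd unit after each reboot instead of retyped, and so the wlan0 case is a one-variable change. The WAN_IF/VPN_NET/LAN_NET/VPN_PORT variables, the `--apply` flag and the function names are assumptions for this example; the rule list mirrors the post's commands.

```shell
#!/bin/sh
# Added example, not from the forum post: the OpenVPN forwarding/NAT rules
# from step 4 as a re-runnable script. Assumed defaults (adjust to your network):
#   WAN_IF   the Pi's uplink interface (eth0, or wlan0 for a wireless Pi)
#   VPN_NET  OpenVPN's tunnel subnet
#   LAN_NET  the home LAN the client should be able to reach
#   VPN_PORT the UDP port forwarded on the router
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"

# Print one rule per line (without the leading "iptables") so the same list
# can be previewed, self-checked, or applied.
openvpn_rules() {
    wan="$1"; vpn="$2"; lan="$3"; port="$4"
    cat <<EOF
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A INPUT -i $wan -p udp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o $wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $wan -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -o $wan -s $vpn -d $lan -m conntrack --ctstate NEW -j ACCEPT
-t nat -A POSTROUTING -s $vpn -o $wan -j MASQUERADE
EOF
}

# Apply each rule only if it is not already present: "iptables -C" checks for
# an exact match, so running the script twice does not duplicate rules.
apply_rules() {
    openvpn_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/^-A /-C /; s/ -A / -C /')
        # shellcheck disable=SC2086
        if ! iptables $check 2>/dev/null; then
            iptables $rule
        fi
    done
}

# The uplink interface must exist, otherwise the rules silently match nothing.
interface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# How many of the generated rules mention a given interface (quick self-check).
count_rules_for() {
    openvpn_rules "$1" "$2" "$3" "$4" | grep -c -- "$1"
}

if [ "${1:-}" = "--apply" ]; then
    if ! interface_exists "$WAN_IF"; then
        echo "interface $WAN_IF not found; set WAN_IF=wlan0 for a wireless Pi" >&2
        exit 1
    fi
    apply_rules "$WAN_IF" "$VPN_NET" "$LAN_NET" "$VPN_PORT"
    # ip_forward must also be on (sysctl.conf, as in the post); re-assert it here.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
fi
```

Run it as root with `--apply` (for example `WAN_IF=wlan0 sh openvpn-fw.sh --apply` on a wireless Pi); without the flag it only defines the functions, so `openvpn_rules eth0 10.8.0.0/24 192.168.0.0/24 1194` can be sourced and used to preview the rule set before touching the firewall.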

Hey rmurr --

When I run './clean-all' I get -

Code:

Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration
Thoughts? I did '. ./vars' first? I tried 'source ./vars/' to no avail...

-cw
