Build A Smart Raspberry Pi VPN Server + Tor Router
by Ira Finch
3rd Edition
Rev 3.0
July 14, 2019
Text copyright © 2015-2019 Ira Finch
All Rights Reserved
irafinch888@bitman.org
What's New
The 3rd Edition includes:
And, as always, I will continue improving this book, the scripts and
my supporting web site to make this the best how-to guide on
OpenVPN on the Raspberry Pi. Your support, suggestions and
feedback are always welcome.
Why VPN?
VPN stands for Virtual Private Network. It is a data encryption and
forwarding mechanism which allows secure communication over the
Internet without the risk of eavesdropping or content blocking
(censorship).
Corporations use VPN for clients and off-site employees to connect to
their internal network. Individuals use it to access blocked sites or
share information securely.
Take for instance an Open WiFi hot-spot at your local coffee shop. All
the data going across their WiFi network is open and unsecured.
Anyone with the right (free) tools can intercept that data and record
everything you send/receive. Unless you only visit HTTPS sites, you’re
vulnerable to hackers. In addition, being on a public open WiFi
network means that others on that network can ‘see’ your computer
and try to directly hack into it.
If you connect to a VPN Server as soon as you connect to a WiFi hot-
spot, you’re secure. Other users can still ‘see’ your computer, but they
can’t read what you’re doing, nor can they hack into your computer.
And I’m not just talking PCs here: Smart-phones, tablets, gaming
devices. All are vulnerable on an open WiFi network without VPN.
Why Tor?
Tor is a software tool that enables anonymous internet usage. As
Internet privacy is eroded more and more by governments and
enterprises, tracking, surveillance, targeting and identity theft
become prevalent. Data on what pages we visit, videos we watch,
information we read, products we buy and people we communicate
with can be, and is, collected and sold. Our on-line freedoms, privacy
and identity are disappearing and we have little say in the matter. Tor
can help.
For more information on Tor, please read this Wikipedia page:
https://en.wikipedia.org/wiki/Tor_(anonymity_network)
Why build?
You will have total control over your very own VPN Server. You won’t
be sharing bandwidth with others (unless you give them access). You
won’t be paying monthly fees to some corporation. And you won’t
have to worry about your activity being logged and sold (or given
away) to some other corporation or government agency.
It’s fun and educational. You’ll learn a little about the RPi, Linux, VPN,
SSL, Tor, Bash, Python, etc. And once you’re done, you might find
yourself wanting more. There are dozens of projects for the RPi, from
motion detectors to Internet radios that you might find just as
interesting.
Why this book?
There are many sites on the Web that describe pieces and parts of
building a VPN Server, but none that I have found contain complete
step-by-step instructions for doing so. Moreover, none contain
directions on how to build a smart, stand-alone, plug-n-play-anywhere
VPN Server (including Tor) using a Raspberry Pi.
What this book covers, from start to finish, is how to build and
configure a Raspberry Pi VPN server that will:
1. Determine its IP Address, the Router’s IP Address, and its
External IP Address.
2. Open ports on whichever router it’s connected to, to allow VPN
and SSH external access for maintenance.
3. Detect Changes in any of the IP addresses and reconfigure
as required so static IPs are not needed.
4. eMail you with the External IP address, whenever it changes,
so you know where to VPN connect to it.
5. Keep logs of changes and errors.
6. Perform basic housecleaning (e.g. reboot, clear cache)
periodically for memory leaks, etc.
I’ve built several of these so far so that I can conduct business without
the fear of prying eyes.
I’m very pleased with the stability and power of the Raspberry Pi and
the code I have written to bring all the piece parts together to make it
as maintenance free as possible and as smart as I require.
I think you’ll find it to be the same. But, perhaps you’ll find some area I
missed or think of an enhancement to make it even better. And that
would be wonderful!
Which Pi to Buy?
Personally, I'd buy the fastest Pi available: currently the model 3B.
Basically, because it's still very inexpensive and has more than enough
horsepower to get the job done.
If you're curious how the different models compare against a direct
connection when using OpenVPN and OpenVPN over SSL, the
following chart should help:
This was generated using the data from the SpeedTest.net web site
over a 50Mb/s rated internet service. As you can see, OpenVPN has a
noticeable impact on performance and OpenVPN over SSL slows it
down even more. However, all these Pi models have fairly respectable
speeds (except maybe the Pi Zero).
Please Note: The actual limiting factor of your connection speed will
be your rated Upload Speed. This is because the Raspberry Pi needs
to 'upload' the data, or web site, you requested back to you from its
home internet connection. If this connection has a rating of 50Mb/s
Down and 5Mb/s Up, then 5Mb/s is going to be your best speed.
Again, because it must use that 'Up' link to send the data back to you.
So even a Pi B+ is more than fast enough for most installations – even
for streaming video.
For more (boring) technical details on this data and how it was
generated, visit my supporting web site:
http://bitman.org/irafinch/rpivpn
Note: I did not conduct speed tests while connected through the
Tor Router. And I probably never will. The Tor network is too
unpredictable: traffic is bounced through a random number of
servers for any given connection making performance testing
meaningless. The end result is that you will find that internet
speeds will range from horrible to tolerable at any given moment
through Tor.
We need to install the software now; it's just a dumb box at this point.
So just unplug it for now.
Yup, this was a very short chapter. They get longer…
CHAPTER 2 - Load up the Raspberry Pi
Now, if you live in a place where the Internet sucks and downloading
large files takes forever (or never), you’re gonna need Free
Download Manager. It’s a life-saver. It supports up to 10
simultaneous downloads, cutting up that large file into 10 slices and
downloading each one concurrently. It auto-recovers and auto-
resumes and can turn a day long download into just a few minutes.
It’s saved my soul on many an occasion:
Free Download Manager:
http://www.freedownloadmanager.org/download.htm
Note: All the software needed for this project is freeware / open
source. And that is the best kind, IMHO. But if you find
something you like and it works well for you, a donation to the
author(s) is always in order.
Next, download the Raspbian OS from here:
http://www.raspberrypi.org/downloads/
Click on the RASPBIAN icon and then on the Download ZIP button
under the RASPBIAN JESSIE heading (or whichever is newest).
Note: I recommend downloading the LITE (not FULL) version
of Raspbian software as the Full version contains a lot of extra
stuff we don't need. Plus, the full version will boot into the
Desktop mode and we'll be doing everything from the
command prompt instead.
If you’re using Internet Explorer (IE), clicking on the Download ZIP link
should start Free Download Manager to download the file (if you
installed its Browser Extension). Otherwise, just right-click on the
Download ZIP link, select ‘Copy Link Address’ and paste the link into
the ‘Add Download’ window (click on the (+) button) of Free
Download Manager.
Now you need to download Win32DiskImager to make an image of
the Raspbian OS on your SD card from here:
http://sourceforge.net/projects/win32diskimager/
Click on the Files heading for the latest version. It’s not a large file
(about 13MB) so it should not take long. Run it to install it.
Once it has finished downloading and is installed:
1. Insert your SD card into the SD card reader and note which
drive letter it assigned.
If it’s not formatted for FAT32, you’ll need to do that now.
2. Extract the Raspbian OS image from the Raspbian OS ZIP file.
3. Run Win32DiskImager as Administrator by right-clicking
on the program and selecting Run as Administrator.
4. Select that Raspbian OS image file (.img).
5. Select the Drive Letter of the Micro SD Card.
Make sure you select the CORRECT drive letter or you
could wipe out your Windows PC!!
6. Click Write and wait for it to complete.
7. Exit Win32DiskImager
8. Open the SD Card in Explorer and create a file at its root
called ssh (all lowercase and no extension). This enables
SSH (Secure Shell) logins.
9. Eject the SD card.
MiniUPnP
MiniUPnP is the easiest to install, and also the fastest running. So
we are going to install that one initially. If you have issues getting
MiniUPnP to work with your router, you can refer to the second part
of this chapter to install PortMapper, an alternate UPnP software
package.
If you’re not already logged into your RPi with puTTY, do so now and
set to root user with:
sudo -s
Now run the installation commands for command-line MiniUPnP and
its Python module:
apt-get install miniupnpc
apt-get install python-pip
pip install miniupnpc
Answer ‘Y’ to any prompt about additional disk space, etc.
The first command installs the command-line upnpc program for
testing. The second installs the Python Package Installer (pip),
which the third command uses to install the miniupnpc Python
package used later in our Python script.
Now to test it. Enter the following:
upnpc -s
Among all the junk it spits out, there should be a line starting with:
Found valid IGD
However, if you don’t see that, or instead find error messages such
as “No IGD UPnP Device found on the network !”, then MiniUPnP
is unable to connect to your router. This could be due to UPnP not
being enabled on your router, or MiniUPnP is not compatible with
your router. Please refer to your router's user manual to ensure it
supports UPnP and how to enable it.
If MiniUPnP is not working with your router, and it supports UPnP,
continue on to the next section, PortMapper (alternative to
MiniUPnP) to use it instead. Otherwise, we are done with this
chapter!
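Reading the upnpc output by eye works, but a small script makes the same check repeatable and also shows you every port forward the router currently has, which is worth auditing before you let anything open ports automatically. The following is an added example, not the book's check_ip.py or part of the miniupnpc project: it parses the status block of `upnpc -s` and the redirection table of `upnpc -l` (the sample texts below are constructed, with documentation addresses, and follow the line labels the test client prints), reports whether an IGD was found, and flags forwards that point at some other LAN host or at a port other than the SSH (22) and OpenVPN (1194) ports this book opens. When run as a script it uses the real upnpc if it is installed and falls back to the samples otherwise.

```python
import re
import shutil
import subprocess

# Constructed sample output (not captured from a real router); the line
# labels follow what the miniupnpc test client prints for `upnpc -s`.
SAMPLE_STATUS_OK = """\
upnpc : miniupnpc library test client, version 1.9.
List of UPNP devices found on the network :
 desc: http://192.168.1.1:5000/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.1:5000/ctl/IPConn
Local LAN ip address : 192.168.1.50
Connection Type : IP_Routed
Status : Connected, uptime=86400s, LastConnectionError : ERROR_NONE
ExternalIPAddress = 203.0.113.7
"""

SAMPLE_STATUS_FAIL = """\
upnpc : miniupnpc library test client, version 1.9.
No IGD UPnP Device found on the network !
"""

# Constructed sample of the redirection table `upnpc -l` prints:
# index, protocol, external port -> LAN host:port, description.
SAMPLE_LIST = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  1194->192.168.1.50:1194 'OpenVPN' '' 0
 1 TCP    22->192.168.1.50:22 'SSH' '' 0
 2 TCP  8080->192.168.1.77:80 'libminiupnpc' '' 0
"""


def parse_upnpc_status(text):
    """Pull the IGD control URL, LAN address and external address out of `upnpc -s` output."""
    fields = {
        "igd": r"^Found valid IGD\s*:\s*(\S+)",
        "lan_ip": r"^Local LAN ip address\s*:\s*(\S+)",
        "external_ip": r"^ExternalIPAddress\s*=\s*(\S+)",
    }
    result = {}
    for name, pattern in fields.items():
        m = re.search(pattern, text, re.MULTILINE)
        result[name] = m.group(1) if m else None
    return result


def igd_found(text):
    """The check the chapter asks you to make by eye: is there a 'Found valid IGD' line?"""
    return parse_upnpc_status(text)["igd"] is not None


REDIRECT_RE = re.compile(r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\S+?):(\d+)\s+'([^']*)'")


def parse_redirections(text):
    """Return (proto, ext_port, lan_host, lan_port, description) for each mapping line."""
    mappings = []
    for line in text.splitlines():
        m = REDIRECT_RE.match(line)
        if m:
            proto, ext_port, host, lan_port, desc = m.groups()
            mappings.append((proto, int(ext_port), host, int(lan_port), desc))
    return mappings


def unexpected_redirections(mappings, lan_ip, allowed_ports=(22, 1194)):
    """Forwards that reach another LAN host, or this host on a port we did not ask for."""
    return [m for m in mappings if m[2] != lan_ip or m[1] not in allowed_ports]


def run_upnpc(flag):
    """Run the real upnpc if it is installed; otherwise return None so the samples are used."""
    if shutil.which("upnpc") is None:
        return None
    return subprocess.run(["upnpc", flag], capture_output=True, text=True).stdout


if __name__ == "__main__":
    status = run_upnpc("-s") or SAMPLE_STATUS_OK
    listing = run_upnpc("-l") or SAMPLE_LIST
    info = parse_upnpc_status(status)
    if info["igd"] is None:
        print("No IGD found: check that UPnP is enabled on the router, or use PortMapper")
    else:
        print(f"IGD {info['igd']}  LAN {info['lan_ip']}  external {info['external_ip']}")
        for m in unexpected_redirections(parse_redirections(listing), info["lan_ip"]):
            print("review this router port forward:", m)
```

The external address this prints is the one check_ip.py will later email you; any forward listed as unexpected was created by some other device on your LAN using the same UPnP mechanism, which is the main reason to keep an eye on what UPnP is doing once it is enabled.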
Note: If your router does not support UPnP or you do not wish
to enable it, please refer to Appendix C - Frequently Asked
Questions under What if my Router does not support UPnP
or I don't want to enable it?
Notice the last line before the # prompt? Yup, you now have a
working VPN Server! But…
The problem is, no one can talk to it or even knows how to talk to it.
So we still have a little more work to do.
We need to generate some keys, both public and private to be used
to connect to our RPi VPN server. We’ll be using RSA (Rivest-
Shamir-Adleman) Cryptosystem. It’s already built into the OpenVPN,
so all we need to do is tell OpenVPN to use it.
Now enter the following at the # prompt (it’s one long line):
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
This copies the RSA software from the ‘examples’ directory to the
‘etc’ directory so we can make changes and not screw up the
original.
Now we just ‘change directory’ over to our working copy so we can
muck with it:
cd /etc/openvpn/easy-rsa
And make a working copy of the vars.example file:
cp vars.example vars
There is no need to change any of the options in the vars file at this
point, the defaults work well for this setup.
Now it’s time to generate the CA (Certificate Authority) certificate and
the Root CA certificate. That’s the first step in creating a pair of keys
(server and client) to use our VPN server. So do the following:
1. Initialize the PKI directory, enter:
./easyrsa init-pki
2. Build our CA, enter:
Now that you have OpenVPN for Android installed, to test this setup,
follow these steps on your Android:
You’ll now see a new icon in your system tray. It looks like a gray
window with a padlock on it. Right click on the icon and click on
Connect. A log window will appear showing the progress of
connecting to your RPi VPN Server. Once it has connected
successfully, the icon will turn green and the padlock will be closed
(locked) indicating a secure connection.
Any Windows application you run that connects to the Internet (web
browsers, email clients, etc.) will do so through the VPN client and
your RPi VPN server and be secure from prying eyes.
To disconnect, just right-click on the icon and select Disconnect.
Please refer to Appendix A – Maintenance, What to do if the external
IP address changes, for steps to update your Windows OpenVPN
GUI client file if/when the external IP address of your RPi changes.
CHAPTER 10 - Ship It!
Time to put your RPi in its Forever Home.
Now, if you are building an RPi VPN to access blocked content, it
needs to be outside the network that is doing the blocking. However,
if you're following this project to protect yourself on open WiFi hot-
spots, you only need to place it in your home attached to your Internet
router.
Note: I am not advocating illegal activity. Any rules, regulations,
policies or laws broken in the use of this VPN server is your
own responsibility and absolutely no responsibility or liability on
the part of the Author is expressed or implied. You are doing so
at your own risk, period.
So, now, if you need to send it somewhere to live, just shut it down
using the following command:
sudo shutdown -h now
Unplug the network cable and power cable and put everything in a
box and send it to wherever it needs to go.
Note: As covered in the Preface of this book, running your RPi
VPN Server Wirelessly prevents you from shipping it to a
remote location and having someone just 'plug it in'. The SSID
(wifi name), password, security type need to be set manually
for wherever it is being installed. See Appendix A for directions.
For Ethernet: The recipient on the other end just needs to plug it
into their router and plug in the power. Within an hour, you will get an
email from your RPi with its new External, Internal, and Router’s IP
addresses. At that time you will need to edit your .ovpn config files to
use the new External IP address. This is also covered in Appendix A.
For Android
1. Run the OpenVPN for Android App on your Android
device.
2. Click on the Setting Icon to the right of the profile to be
changed
3. Click on the Server List tab
4. Enter the new External IP address into the Server Address
edit box that you received in the email from your RPi
Remember the External IP address is the FIRST address
listed in the email
5. Click the back arrow to exit and you’re done.
For Windows
1. Right-click on WordPad in the Accessories folder of the
Start Menu and select Run as Administrator.
2. Click on Open in the WordPad Menu and navigate to:
C:\Program Files\OpenVPN\config
3. Select All Documents from the All WordPad Documents
drop-down
4. Open your OpenVPN Client config file (.ovpn)
5. Find the line starting with remote and change the External
IP address shown to the one given in the email from your
RPi
Remember the External IP address is the FIRST address
listed in the email.
6. Click on the Save icon in the title bar and close WordPad.
Any time you receive an email from your RPi where the External IP
address has changed, you will need to make these changes in your
OpenVPN Client config file(s). You do not need to re-create these
files as you did in Chapter 7 until 10 years have passed -or- you re-
create the Server keys in Chapter 5 (for some reason).
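Editing the remote line by hand is easy to get wrong (the port after the address must stay as it is). As an added example, not part of the book or its scripts, here is a small Python tool that does the same edit on a Windows or Android .ovpn profile: it takes the first IPv4 address from the saved text of the email (the chapter says the External address is always listed first), validates it, and rewrites the host on every remote line while leaving the port and everything else untouched. The sample profile and email body below are constructed for the demo; the path C:\Program Files\OpenVPN\config is the one given in the chapter.

```python
import ipaddress
import re
import sys

# Constructed client profile (not a file from the book); only the `remote` line matters here.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 198.51.100.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
"""

# Constructed stand-in for the body of the email sent by check_ip.py;
# the external address is the first one listed, as the chapter says.
SAMPLE_EMAIL = """\
RPi VPN Server IP addresses have changed:
External: 203.0.113.7
Internal: 192.168.1.50
Router:   192.168.1.1
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# group 1: leading whitespace + "remote " ; group 2: host ; group 3: rest (port, proto)
REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(.*)$")


def first_address(text):
    """Return the first syntactically valid IPv4 address in the text, or None."""
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        return candidate
    return None


def update_remote(ovpn_text, new_host):
    """Rewrite the host on every `remote` line, keeping port and protocol as they were.
    Returns (new_text, number_of_remote_lines_changed)."""
    ipaddress.ip_address(new_host)  # refuse anything that is not an IP literal
    out, remotes, changed = [], 0, 0
    for line in ovpn_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            remotes += 1
            if m.group(2) != new_host:
                line = f"{m.group(1)}{new_host}{m.group(3)}"
                changed += 1
        out.append(line)
    if remotes == 0:
        raise ValueError("profile has no remote line")
    return "\n".join(out) + "\n", changed


def main(argv):
    """usage: update_remote.py <profile.ovpn> <saved_email.txt>"""
    if len(argv) != 3:
        print(main.__doc__)
        return 2
    with open(argv[2], encoding="utf-8") as f:
        new_ip = first_address(f.read())
    if new_ip is None:
        print("no IPv4 address found in the email text")
        return 1
    with open(argv[1], encoding="utf-8") as f:
        new_text, changed = update_remote(f.read(), new_ip)
    with open(argv[1], "w", encoding="utf-8") as f:
        f.write(new_text)
    print(f"{argv[1]}: {changed} remote line(s) now point at {new_ip}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On Windows run it from an Administrator prompt so it can write into C:\Program Files\OpenVPN\config; on Android copy the profile off the device, edit it, and re-import it through OpenVPN for Android.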
APPENDIX A - Maintenance
I said this was nearly maintenance free. Nothing runs forever without
a little help.
Additional Maintenance tips can be found on my supporting web site
for this book at: http://bitman.org/irafinch/rpivpn/
OpenVPN
We need to edit the OpenVPN Client config file(s) (.ovpn) to set this
new address. To do so, follow these steps for the device that needs
changing:
For Android
For Windows
For standard OpenVPN connections:
1. Right-click on the OpenVPN GUI icon in the System Tray
2. Hover over your Client Configuration name in the pop-up
menu
3. Click on Edit Config in the pop-up side menu
4. Change the IP address on the remote line sent from your
RPi (Ext)
Do not change the port number after the IP address
5. Click on File then Save, and then File and Exit
1. Insert your SD card into the SD card reader and note which
drive letter it assigned.
If it’s not formatted for FAT32, you’ll need to do that now.
2. Run Win32DiskImager as Administrator by right-clicking
on the program and selecting Run as Administrator.
3. Select the RPi image backup you previously created.
4. Select the Drive Letter of the Micro SD Card.
Make sure you select the CORRECT drive letter or you
could wipe out your Windows PC!!
5. Click Write and wait for it to complete.
6. Exit Win32DiskImager and eject the SD card.
sudo -s
cat /var/log/openvpn.log
If this is the case, the current workaround is to comment out the
local line in server.conf:
nano /etc/openvpn/server.conf
Then just place a ‘#’ (without the quotes) in front of local line. Ctrl+X
and Y to save and exit. Then reboot:
shutdown -r now
Otherwise, refer to the Help / Troubleshooting page on the
supporting website for more information, or contact the author
directly via the email address given on the copyright page of this
book.
sudo /root/check_ip.py -s
Router Issues
No UPnP Support
If your router does not support UPnP, it is still possible to use it – it
just won't be portable or as dynamic in its auto-configuration. Please
refer to Appendix C under What if my Router does not support UPnP
or I don't want to enable it?
Connection Issues
VPN Client Connects but No Internet
If you can connect to the RPi VPN Server, but cannot access the
Internet with a Web Browser, eMail or other internet app, then it’s
probably due to the firewall on Raspbian OS.
Review Chapter 5 and ensure everything is set up and configured as
described. Specifically check the last part of that chapter where
open_vpn_firewall.sh is created and added to the /etc/rc.local
file. This opens the firewall in the Raspbian OS and allows OpenVPN
to receive and transmit.
There is also a bug in the current Jessie version (Nov 2015) that is
keeping the firewall rules from running at startup. A work-around to
this is to set that script to run after everything else has started.
sudo -s
nano /etc/rc.local
add /etc/open_vpn_firewall.sh on a line just before the exit 0 in
the script.
Press Ctrl+X and Y to save and exit.
VPN Client Connects but is really slow and/or times out often
This is most often due to a poor or slow internet connection on your
Android or Windows device, especially over Cellular Data Networks.
This is also common if your RPi VPN Server is located overseas.
There is not much that can be done in this situation other than try to
get a better Cell Signal or use a faster internet connection.
Another, less likely scenario is an ISP (Internet Service Provider)
between you and your RPi has changed the Maximum Transmission
Unit (MTU) size to something less than the standard of 1500 bytes.
Some foreign ISPs are known to do this to discourage the use of
VPN services. If you feel this might be the case, you can add the
tun-mtu 1300 parameter on a new line at the end of the
server.conf and the defaults.txt files created in Chapter 5 and
Chapter 7, respectively.
You will need to restart the OpenVPN service on the RPi through
Putty:
sudo -s
/root/check_ip.py -v
You will also need to rebuild and download a new client .ovpn file as
described in Chapter 7. Or if you are an experienced Windows or
Android user, you can edit the .ovpn client file directly using
WordPad in Windows and the VPN for Android app on your
Android device to add the tun-mtu 1300 parameter.
Lastly, it could be that your ISP is blocking OpenVPN connections.
Refer to APPENDIX E – OpenVPN over SSL for instructions on
using SSL with OpenVPN.
VPN Client, or Putty fails to connect and times out
Ensure you have the correct External IP address set in the
defaults.txt file created in Chapter 7. If you need to edit that file to set a
different IP address, then please refer to Appendix A, What to do if
the external IP address changes.
If you are running your RPi wirelessly, then your WiFi adapter
probably has a sleep mode to conserve power. You may need to try
connecting to it 2-3 times to wake it up before it is successful.
This also has the same causes as the above topic VPN Client
Connects but is really slow and/or times out often. Please refer to
that section for help.
Putty Issues
Can't Paste Text into Putty Window
There are five ways to paste text into the Putty window. First copy
the text from this book in your Kindle reader App by highlighting it
and using Ctrl+C, then try the following to paste into the Nano editor
of the Putty Window:
sudo -s
nano /root/check_ip.py
Change these three lines at the start of the script, setting their Port
Numbers to 0 :
ExtVPNPort=0
ExtSSHPort=0
ExtSSLPort=0
This will prevent PortMapper from trying to use UPnP to set the Port
Forwards on your router.
To disable the use of UPnP completely, also change these lines as
follow:
UsePortMapper=False
UseMiniUPnP=False
You can download the latest version here:
http://bitman.org/irafinch/rpi-vpn.zip
If you have an older version of check_ip.sh and don't want to
download the latest check_ip.py, we need to edit the check_ip.sh
script to remove the PortMapper calls:
sudo -s
nano /root/check_ip.sh
Using Ctrl+K, remove all the lines in that script between:
#
# Loop through each UPnP device that looks like a Router with
each Lib
# and match its Index back to the real router's IP Address
#
AND
#
# Check if any IP changed and email me if so
#
And that should take care of it.
I cannot provide any assistance with this change as it breaks my
script and is untested.
Will these instructions work with the Raspberry Pi Zero?
It should, but I honestly don't know for sure. It all depends on
compatibility of the SMTP Mail services, VPN Service, and
PortMapper with that device and its Operating System. I hope to test
that device out in the future.
APPENDIX D – Harden your SSH Login
This Appendix applies only after you have built your RPi VPN Server
and have it running successfully.
Hopefully you've chosen a very strong password for your 'pi'
username login. After all, as we discussed in Chapter 2, it is exposed
on the Internet through SSH. If you want to increase security on this
front, as I have, you can install and enable Google 2-Step
Verification on your RPi.
Note: This is not a tutorial on Google's 2-Step Verification
service or its companion Android Authenticator App. If you are
not familiar with this service and do not already have the
Authenticator App on your Android device, please do not
attempt to run this service on your RPi. You could easily lock
yourself out, requiring a complete wipe and reload of your RPi's
SD Card.
You can read/learn more about Google 2-Step Verification here:
https://www.google.com/landing/2step/
So, if you already use Google Authenticator, have the app installed
on your Android Phone and are comfortable using it, then these
instructions will show you how to set up your RPI VPN server with 2
Step Authentication for SSH logins. This will:
Help prevent Man In The Middle Attacks
Harden your RPi against brute-force login attempts
Further secure your RPi even if your password is
compromised
sudo -s
Now install the package:
nano /etc/pam.d/sshd
And add this line anywhere in the file:
auth required pam_google_authenticator.so
Press Ctrl+X and Y to save and exit.
Now, enable Google Authenticator in the SSH Config file:
nano /etc/ssh/sshd_config
Find the following line and change it from no to yes:
ChallengeResponseAuthentication yes
Press Ctrl+X and Y to save and exit.
Step 3. Activate 2 Step Authentication for Your Login Account
You probably login to your RPi as the 'pi' user. So let’s get back to that
account to activate it:
exit
Your RPi prompt should now be pi@servername (where servername
is the name of your RPi). Now enter:
google-authenticator
You will be shown a QR code you can scan into the Android Google
Authenticator App (or enter in the Secret Key). It will also give you 5
Emergency Scratch Codes that you should write down and save in
case you can't use your Google Authenticator App on your Android
device.
I recommend answering 'Y' to all the questions - except the fourth
one: increasing the window from 1:30min up to 4min. You shouldn't
have problems in this area, so I suggest entering 'N' on that one.
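The codes the Authenticator app shows and the PAM module checks are plain RFC 6238 TOTP: an HMAC-SHA1 over a 30-second counter, derived from the base32 Secret Key that google-authenticator prints under the QR code. The following added example (not part of the book, the PAM module or Google's app) implements that derivation in standard-library Python so you can see what the "window" question above is really about: window=1 accepts the previous, current and next code (the default 3 codes, 1:30 in total), while window=8 accepts 17 codes and is the 4-minute setting the script offers. The secret used for the checks is the RFC 6238 reference key, constructed here for the demo; never reuse a published secret on a real box.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference key ("12345678901234567890") in the base32 form that
# google-authenticator prints as the Secret Key. Constructed for the demo only.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = ((digest[offset] & 0x7F) << 24 | digest[offset + 1] << 16
              | digest[offset + 2] << 8 | digest[offset + 3])
    return binary % (10 ** digits)


def decode_secret(secret_b32):
    """Accept the secret as shown by google-authenticator: base32, any case, optional spaces."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if it was stripped
    return base64.b32decode(cleaned)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(decode_secret(secret_b32), int(at_time) // step, digits)


def verify(secret_b32, code, at_time=None, window=1, step=30, digits=6):
    """Accept the code for the current step and `window` steps either side.
    window=1 is the default 3-code (1:30) tolerance; window=8 is the 17-code
    (4-minute) option. A wider window absorbs clock skew but also accepts
    more distinct codes per guess, so keep it as small as your clocks allow."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    key = decode_secret(secret_b32)
    presented = str(code).strip().zfill(digits)
    for c in range(counter - window, counter + window + 1):
        if c < 0:
            continue  # counters before the epoch do not exist
        expected = str(hotp(key, c, digits)).zfill(digits)
        # constant-time compare so a wrong guess does not leak how many digits matched
        if hmac.compare_digest(expected, presented):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print("current 6-digit code for the reference secret:", str(totp(RFC6238_SECRET, now)).zfill(6))
    print("seconds until it rolls over:", 30 - int(now) % 30)
```

The scratch codes google-authenticator prints are not produced by this algorithm; they are one-time passwords stored in ~/.google_authenticator, which is why the file must stay readable only by the pi user.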
Step 4. Restart SSH and Test
Restart SSH with the following command:
Caveats:
1. You will be encrypting and decrypting the data twice: once for
OpenVPN and then again for SSL. This can slow things down
2. You must use TCP for OpenVPN and SSL. UDP can't be used.
This can also slow things down.
3. Your RPi OpenVPN server must always run OpenVPN over
SSL for all connections. This is an extra connection step that you
didn't need to do before, and extra software to configure and
maintain.
4. You might be breaking the law (as stated previously)
Still want to proceed? Let's do it!
sudo -s
apt-get update
apt-get upgrade
apt-get install stunnel4
cd /etc/stunnel
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
The genrsa command creates a 2048-bit RSA server key. It is slower,
but more secure, than a shorter key. You can change it to a lower
value, like 1024, but it's not recommended.
The last command above is very similar to when we created the
OpenVPN server keys. It will ask for a bunch of optional fields to be
entered. You can set them to whatever you wish, or just leave blank.
However, I like to set the Common Name field to the same as the
Server's Hostname you set your RPi to in Chapter 5, with an 'SSL'
suffix. This just makes it easier for me to keep track of the Keys and
Servers they belong to.
All fields after "Common Name" should be left blank.
Now we will create the certificate and combine it with the key. We're
setting the certificate to be good for 10 years, just like the OpenVPN
certificate.
Enter these 5 commands (the first command is really long and may
appear on multiple lines):
nano /etc/default/stunnel4
And add this line to the end of the file:
ENABLED=1
Press Ctrl+X and Y to save and exit.
Now we need to create the stunnel.conf file:
nano /etc/stunnel/stunnel.conf
It's a new file, so it will be empty. Fill it with the following:
sslVersion = all
options = NO_SSLv2
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel
socket = l:TCP_NODELAY=1
[openvpn]
client = no
accept = 443
connect = 000.000.000.000:1194
Or download the script from here: http://bitman.org/irafinch/rpi-vpn.zip
Note: Replace the 000.000.000.000 with your RPi's IP address.
This can be found in the first line of the /root/check_ip.txt file.
The 'trick' we are performing here is in the [openvpn] section. This
tells stunnel that we are a server (client = no), not a client: accept
data on port 443 (the standard SSL port) from outside requests, and
then forward those packets to port 1194 (the OpenVPN port) on our
Raspberry Pi.
Press Ctrl+X and Y to save and exit.
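Because stunnel is now the only thing standing between the Internet and OpenVPN, it is worth checking the file you just typed before restarting anything. The following is an added example, not the book's script or part of stunnel: it parses an stunnel.conf (global options followed by [service] sections, with ';' comments), returns the accept-to-connect mapping so you can compare it with your firewall rules, and reports the two mistakes easiest to make with the file above: leaving the 000.000.000.000 placeholder in place, and leaving SSLv3 enabled, since sslVersion = all with only NO_SSLv2 disabled still allows SSLv3, a protocol with known weaknesses that current clients no longer need. The sample configuration is the one from this Appendix with a constructed RPi address (192.0.2.10).

```python
import re

# The stunnel.conf layout from this Appendix, with a constructed RPi address
# (192.0.2.10) in place of the 000.000.000.000 placeholder.
SAMPLE_CONF = """\
sslVersion = all
options = NO_SSLv2
cert = /etc/stunnel/server.pem
pid = /var/run/stunnel.pid
output = /var/log/stunnel
socket = l:TCP_NODELAY=1
[openvpn]
client = no
accept = 443
connect = 192.0.2.10:1194
"""


def parse_stunnel_conf(text):
    """Split an stunnel.conf into global options and [service] sections.
    Every key maps to a list because some keys (e.g. options) may repeat."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = services.setdefault(m.group(1).strip(), {})
            continue
        key, sep, value = line.partition("=")  # first '=' only: socket = l:TCP_NODELAY=1
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def first(opts, key, default=None):
    """First value given for key, or default when the key is absent."""
    return opts.get(key, [default])[0]


def listener_map(text):
    """accept port -> connect target per service, to compare with iptables / open ports."""
    _, services = parse_stunnel_conf(text)
    return {first(s, "accept"): first(s, "connect") for s in services.values()}


def audit_stunnel(text):
    """Return a list of findings; an empty list means nothing to fix."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    version = first(global_opts, "sslVersion", "all")
    disabled = set(global_opts.get("options", []))
    if version == "all" and "NO_SSLv3" not in disabled:
        findings.append("sslVersion = all leaves SSLv3 enabled; add 'options = NO_SSLv3' "
                        "or pin sslVersion = TLSv1.2")
    if first(global_opts, "cert") is None:
        findings.append("no cert = line; stunnel cannot serve TLS without server.pem")
    if not services:
        findings.append("no [service] section; nothing will listen")
    for name, svc in services.items():
        if first(svc, "client", "no") != "no":
            findings.append(f"[{name}] client = yes would make stunnel dial out; "
                            "the RPi side must be client = no")
        connect = first(svc, "connect", "")
        if connect.startswith("000.000.000.000"):
            findings.append(f"[{name}] connect still carries the 000.000.000.000 placeholder")
        if first(svc, "accept") is None or not connect:
            findings.append(f"[{name}] needs both an accept and a connect line")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CONF
    print("listeners:", listener_map(text))
    for finding in audit_stunnel(text) or ["no findings"]:
        print(" -", finding)
```

Run it as `python3 audit_stunnel.py /etc/stunnel/stunnel.conf` on the RPi after saving the file; SSLDroid and the Windows stunnel client both speak TLS, so disabling SSLv3 costs nothing on the client side.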
nano /etc/openvpn/server/server.conf
Find and change the proto udp line to: proto tcp
Press Ctrl+X and Y to save and exit.
cat /root/check_ip.txt
If you create any new Client Certificates, you will want them to
default to the correct VPN Host (localhost), Port (1194) and Protocol
(TCP). So we need to edit that file now:
nano /etc/openvpn/easy-rsa/pki/defaults.txt
Change the remote line to: remote localhost 1194
Change the proto line to: proto tcp
Now add the following line to end of the file:
route 000.000.000.000 255.255.255.255 net_gateway
crontab -e
Add these lines to the end of the file:
# restart openssl daily at 5:10pm : 10 17
10 17 * * * /root/check_ip.py -s > /root/cron.log 2>&1
./check_ip.py
If you do not receive any emailed error messages, we can proceed
with restarting your RPi to enable OpenVPN over SSL:
./check_ip.py -r
We're done with the RPi set up. Now we need to make changes to
the Android and Windows clients.
9. Click OK
10. Now click on the ALLOWED APPS tab
11. Find SSLDroid and check the box next to it
This excludes its data from being processed by OpenVPN for
Android
12. Click the Android Back button repeatedly to back out of
the OpenVPN for Android app.
Note: you will only need to do steps 10 & 11 for existing
OpenVPN client certificates. Any new client certificates you
create on your RPi will have these options already set from
step 5 of the previous section: Setting up your RPI for
OpenVPN over SSL
Now run SSLDroid and:
1. From its app menu, select Add Tunnel
2. Give it a meaningful Tunnel name, like the RPi Server it will
connect to.
3. Set Local Port to: 1194
4. Set Remote Host to the External IP address of your RPi (from
Step 3 of OpenVPN for Android changes above)
5. Set the Remote Port to: 443
6. Leave all other fields blank and click Apply
We are done setting up your Android Device!
To test, disable Wifi mode on your Android so we access your
network and RPi externally from the Internet, then:
1. Run SSLDroid and from its App menu select Start Service.
Its little green icon should appear in the Notification Bar
2. Exit SSLDroid. The icon should remain in the Notification Bar.
3. Run OpenVPN for Android and click on your profile to run it.
You should see it connect to your RPI just as before but using
IP address 127.0.0.1 (localhost) and port 1194
Note: Now, every time you wish to connect to your RPI, you will
need to repeat those above three steps. And you can only
connect using OpenVPN over SSL. Straight OpenVPN will no
longer work (as we covered at the beginning of this Appendix).
If you are unable to connect, please review all the steps in this
chapter to ensure it is all set up correctly. Also refer to the
Troubleshooting Appendix in the book and on the supporting web
site: http://bitman.org/irafinch/rpivpn
sudo -s
apt-get update
apt-get upgrade
apt-get install tor
Next step is to edit the Tor configuration file, torrc:
nano /etc/tor/torrc
Copy/Paste the following lines at the top of the torrc file:
Log notice file /var/log/tor/notices.log
VirtualAddrNetworkIPv4 10.192.0.0/16
TransPort 9040
TransListenAddress 10.8.0.1
DNSPort 9053
DNSListenAddress 10.8.0.1
AutomapHostsOnResolve 1
nano /etc/openvpn/server.conf
Now comment out these 6 lines by placing a # character in front of
them, as shown:
Note: The local, last route and dhcp-option IP addresses will
be different depending on your network. They are your
Raspberry PI’s IP address for the local and last route and your
Router’s IP address on the dhcp-option.
# local 192.168.3.50
# ifconfig 10.8.0.1 10.8.0.2
# push "route 10.8.0.1 255.255.255.255"
# push "route 10.8.0.0 255.255.255.0"
# push "route 192.168.3.50 255.255.255.0"
# push "dhcp-option DNS 192.168.3.1"
crontab -e
And comment out @reboot command by placing a # character in
front of it:
# @reboot /root/open_vpn_firewall.sh &
nano /root/iptables_rules.sh
Copy/Paste the following lines into the empty nano editor window:
#!/bin/bash
# Wait for the network and OpenVPN to come up before rewriting the rules
sleep 30
# Find the first interface reported as UP (head -n 1 keeps a single name
# when more than one adapter is up); fall back to eth0
Adapter=`ip -o link show | awk '{print $2,$9}' | grep 'UP' | awk -F: '{print $1}' | head -n 1`
if [ -z "$Adapter" ]
then
Adapter='eth0'
fi
echo "Adapter = |$Adapter|"
# Clear iptables
iptables -F
iptables -t nat -F
iptables -X
# Accept Established, Related connections
iptables -A INPUT -i $Adapter -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $Adapter -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun0 -o lo -j ACCEPT
iptables -A FORWARD -i lo -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lo -o tun0 -j ACCEPT
# Accept loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept SSH
iptables -A INPUT -i $Adapter -p tcp -m tcp --dport 22 -j ACCEPT
# Accept OpenVPN
iptables -A INPUT -i $Adapter -p udp -m udp --dport 1194 -j ACCEPT
# Accept NTP, DNS and TCP only from VPN clients on the tunnel
iptables -A INPUT -i tun0 -s 10.8.0.0/24 -p udp -m udp --dport 123 -j ACCEPT
iptables -A INPUT -i tun0 -s 10.8.0.0/24 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i tun0 -s 10.8.0.0/24 -p tcp -m tcp -j ACCEPT
nano /root/tor_startup.sh
Copy/Paste the following 3 lines into the empty nano window:
#!/bin/sh
sleep 30
/usr/sbin/service tor start
Press Ctrl+X and Y to save and exit.
Set the script to Executable and Root owner with these 2
commands:
crontab -e
And paste these lines at the bottom of the file:
# Start Tor after Boot
@reboot /root/tor_startup.sh &
Press Ctrl+X and Y to save and exit.
Note: Don’t forget the & on the end. It tells Raspbian to run that
script but don’t wait for it to finish, just keep going. Otherwise
we may end up waiting 30 seconds for your RPi to boot.
This script will wait 30 seconds after the RPi boots and then start the
Tor service. By that time, everything (including OpenVPN), should be
up and running and ready.
Now just reboot your Pi, wait 30 seconds for Tor to initialize, then try
connecting to it via OpenVPN from outside your network. Once
connected, browse to any of these web sites to see what your public
IP address is now. It should be different from your actual one if Tor is
working properly:
http://whatsmyip.co
http://icanhazip.com
If you try google.com, you may even get a different
language/country version!
If you run into any problems and it does not appear to be working
properly: