Raspberry Pi DIY VPN

DBK

On another thread I mentioned I was having a go building the Raspberry Pi VPN server described on the BBC Click program (www.bbc.co.uk/click)

Well after two or three days' effort I now seem to have it up and running. The instructions the BBC put out were not really complete and I found the odd error in them and at one point I was obliged to register on FB :eek: in order to see what was written there by the Click team and ask the odd question. As it turned out this didn't help much but I now have lots of new friends I've never heard of.

It doesn't seem to slow things down too much. Normal internet access on my tablet using the app downloaded from www.speedtest.net gave a download speed of around 15Mbs without the VPN and this reduced to about 13 Mbs through the VPN. Upload speeds were the same, around 3 Mbs for me.

I won't be able to properly test it in the real world until we go away to France in September and try for example doing things like internet banking and in the unlikely event of getting a good free wifi signal logging on to BBC iPlayer. I'm not too fussed about TV but as it encrypts everything then doing internet banking should be a little safer. I've set it to 1024 bit encryption, it is possible to increase that to 2048 but it says this will slow things down but if I get bored I may give this a go and see what the difference is. I am using the latest Pi 2 model which is significantly faster than the old one. The instructions said the keys would take at least five minutes to generate but it made mine in less than a minute. The 2048 keys are supposed to take five hours or more so it will be interesting to see how long it takes to generate those.

If anyone wants to give it a go I can let them know about my experiences and the poo traps I fell in. I'm not sure it isn't anything more than a "hobbyist" solution and if you need a VPN for say business use then a paid for or even a free one might be better. There is another video you can find on the Click website which gives an overview of what to look for in VPN services. It is quite short but it certainly suggests they are not all the same and the level of encryption and vulnerability to attack differs and if you are really paranoid then don't use one with servers in the US as the secret squirrels there can have access to your data quite easily. :)

But the Raspberry Pi is a great little thing and I am now going to join all those school children and start fiddling with it! (The Pi that is)

Afternote: The link to the VPN server is: http://www.bbc.co.uk/news/technology-33548728
and the bit about VPN services: http://www.bbc.co.uk/news/technology-33520371
 
nice write up(y)

we have 3 PI's doing 'stuff' great fun:cool:
 
My Pi's still in its box in the cupboard somewhere. I bought it for school use before I'd decided to retire a year early. I was wondering about trying to use it for transferring photos from a DSLR camera direct to a portable storage medium so as not to tie up a laptop but I never got round to it.

The 1980s style computer I'm really looking forward to now is the ZX Spectrum Vega console with over 1000 retro games onboard. It's USB powered so I should be able to take it in the MH.
 
:Eeek::doh:(n):(

 
What puzzles me is why the BBC should be promoting a gadget/software that will circumvent its own limits on viewing iPlayer whilst abroad!!
 
That occurred to me as well. Fortunately, they don't ask for your reasons!
 
Interesting and was thinking of doing this but looked at the CLICK website and.......

It won't give you the option of appearing to be from somewhere else but you can use it to connect external devices like a smartphone to browse the internet more securely through your home network, and access shared files and media on your home computer.

So you can't use this abroad to watch bbc iPlayer it seems?

 
My son in the US got himself a Pi a while ago for a hobby, it is now taking over all his spare time. He is using an Arduino Uno to drive his robotic projects, controlled by his Pi, for which he writes pages of code just to get it to carry out small processes. He has set himself up with a soldering iron and a store of components and is enjoying every minute of it. It must be good as it is keeping him from his computer games......:)
 
Interesting and was thinking of doing this but looked at the CLICK website and.......

It won't give you the option of appearing to be from somewhere else but you can use it to connect external devices like a smartphone to browse the internet more securely through your home network, and access shared files and media on your home computer.

So you can't use this abroad to watch bbc iPlayer it seems?
I'm not sure about that, my understanding was the client I've installed on my tablet speaks directly to the VPN server through a tunnel and then the VPN server (the Raspberry Pi) speaks to the www. The client is encrypting what it sends and only the server can understand this and then it speaks in plain English, so to speak, to whatever website you are accessing and that website will see the message as coming from the server?

Edit. Just re-read your post and think I understand. If you live in Spain this won't help you fool the Beeb into thinking you live in the UK. It should work for me as the server will be in the UK (in No 1 son's bedroom) when I access it from say Spain. If you live overseas then a commercial VPN is the only answer I think.
 
Hi DBK, I'd really appreciate some help with setting up a VPN, I've tried the BBC Click VPN instructions twice now but I've fallen into the poo traps you've mentioned! Could you also point out the errors you found in the instructions? If nothing else I've discovered I'm more computer illiterate than I thought I was!
 
I'll have a go later this morning but essentially there are three issues, getting the code right of course, setting up the DNS translation thing and then getting the router to do port forwarding.
I'll see if I can post the code on here somehow.
 
Sounds very interesting, info appropriated.
If setting up a private VPN tunnel to your network do you need a fixed IP address? I have one anyway just curious.

 
No, you don't need a fixed IP address, that's where the DNS lookup thing comes in. It is a free service which tells the VPN client on your tablet what the IP address is of your home router at that moment.
 
Sounds good as most of the software VPN's need a PC running & won't connect to a network via router, it would be very useful to connect to my NAS drive when away, I know I can do it with professional software such as NetScreen.
 
I'm glad this came up again as it wasn't until I started to write this I realised how much had faded over the past few weeks. It has been useful to write the following down and save it for when my memory has totally gone!

Raspberry Pi VPN

Just follow the BBC instructions but there are a few nuances. The guide tells you how to give the Pi a static IP address but the method described is not considered best practice although it works and this is how I have done mine. The problem is they set the static IP address to the one it has been given by the router. Technically, this means the address comes from the DHCP pool and if you make one of these static I believe the router could at a later time try and allocate the same address to a different device. With my router the DHCP pool goes from 192.168.1.64 to 192.168.1.254 so to allocate an address outside this you could say choose 192.168.1.63 but when I tried this I had problems with port forwarding although I think I have now found the reason for this but I haven’t tried it again. More on this later but for the moment just follow the advice given in the BBC guide as it will work and the chances of a conflict are low I think.

If you follow all the instructions down to where it shows the command

sudo -s

you should hopefully not have any problems with them, it is just a matter of following your nose. You don’t have to use the sudo -s command, I got into difficulties using it because when I took a break and had to start again I forgot to issue it and ran into all sorts of difficulties which I didn’t understand because I was being told I didn’t have permission to do things I was able to before I took a break. However, you can either use sudo -s as suggested or type sudo before all the subsequent commands and if you do get told you can’t do something this is where to look for the problem although Linux is a pain with these permissions but it comes from the original Unix which was designed for large networks and it ensured ordinary users couldn't fiddle with it!

Again, just follow the BBC instructions noting there is a point where you have to give your server a name which you should write down. What I did was to print out the BBC instructions and write things like this on the actual paper copy, subsequently typing them into an electronic copy.

There is mention at one point of a PEM pass phrase, which is just a password by any other name, so add something in using the usual password rules, a few capitals, numbers etc. It then goes on about a des3 pass phrase and I suggest using the same password you have already created as they did.

After a bit more key tapping it describes how to create the server.conf file. Mine is reproduced below. The Server name is WindyBottom (old family joke, don’t ask!) The Pi static address ends in 106 which you can see has been added in a couple of places. The other bit you have to change is your router address, mine ends in 254 but other routers may be different. You should be able to find your router address by going into its setup which should be described in any instructions you have for it.


local 192.168.1.106 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/WindyBottom.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/WindyBottom.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # IF YOU CHANGED YOUR ENCRYPTION TO 2048, CHANGE THAT HERE
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.106 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.1.254" # THIS SHOULD BE YOUR ROUTER ADDRESS AND MAY DIFFER FROM THE ONE SHOWN
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

It then describes changes to existing files and there is some chown and chmod-ding to be done. These are important otherwise you run into permission issues.

The next potentially hairy bit is the creation of the file ddclient.conf where the instructions given by the BBC are seriously lacking in the sort of detail someone like me needs! The first hurdle is the file is at /etc/ddclient.conf and not /etc/ddclient/ddclient.conf as described in the original instructions although I think it may now have been amended.

When you go to the following site:

https://blogdotmegajasondotcom.wordpress.com/2011/03/14/use-ddclient-with-changeip-com/

It gives a sample of the ddclient.conf file you need to amend. BUT, before you can do this you need to set up the dynamic DNS thingy using www.changeip.com. It is a few weeks since I did this but from memory you need to register on this site and then in the Products area select Free Dynamic DNS. This will take you to a page where you can add a free domain under different sub-domains but I just used the default dynamic-dns.net and created my own unique web address “DBK.dynamic-dns.net” except it wasn’t “DBK” I used but yours will be different anyway. I can’t remember if when creating this I had to enter a user name and password, I am not sure I did and if I did I must have used the same details as the ones I used for creating my account on changeip.com as these are the details shown in the ddclient.conf file. Not a lot of help there I am afraid but when you go through the process of creating your domain, which is free, just make a note of any logins you have to create.

When you come to edit the ddclient.conf file you need to make some changes. My file is shown below: My comments in capitals.

#ddclient.conf

#I left these things at their defaults
daemon=1200 # check every 20 min
syslog=yes # log update msgs to syslog
mail=root # mail all msgs to root
mail-failure=root # mail failed update msgs to root
pid=/var/run/ddclient.pid # record PID in file.
#tell ddclient how to get your ip address
use=web, web=ip.changeip.com
#provide server and login details
protocol=dyndns2
server=nic.changeip.com #DO NOT CHANGE THIS
login=yourLogin #THIS AND THE ONE BELOW ARE THE ONES YOU USE TO
# LOGIN TO CHANGEIP.COM
password=yourPassword
#specify the domain to update
#for changeip.com, this can also be *1 or *2 #NO IDEA WHAT THIS MEANS!
# for your "DynSets"
dbk.dynamic-dns.net #THIS IS THE DOMAIN YOU CREATED IN CHANGEIP.COM
# WHERE YOU WILL REPLACE “dbk” WITH YOUR DOMAIN

The next step involves creating the default.txt file. Here is mine:

client
dev tun
proto udp
remote dbk.dynamic-dns.net 1194 #REPLACE WITH YOUR DYNAMIC DNS DOMAIN FROM CHANGEIP.COM LEAVE 1194
# UNCHANGED
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20


The 4th line “remote dbk.dynamic-dns.net 1194” should of course be amended replacing “dbk” with whatever your domain is.

Then you have to make the MakeOVPN.sh file which just means copying and pasting from the instructions. I use the PuTTY program to do this where it is very easy to select and copy from the instructions and then right click in the PuTTY window and it just pastes in what you have selected.

To copy the ovpn file to your device I used a free program called WinSCP which I downloaded and then using the Pi’s IP address logged in and copied the file across to my PC and then I just sent the file as an email attachment to myself and on my Nexus tablet opened the email and saved the file in the downloads folder of the Nexus.

I then installed OpenVPN on the Nexus which can be found in the Google Play Store. I think you can get it for Apple as well. As before it is a few weeks since I did this but from what I recall the installation wasn’t difficult. When you first open it tap on the three dots in the top right and then select “import from SD card” and then navigate to the ovpn file you have saved on the device. It should then set itself up but probably nothing will happen if you try to connect as you will have to set up port forwarding on your router.

Port Forwarding

So, (nearly there!) port forwarding instructions will be different for different models of router. I will describe how I did it on my BT Home Hub 5.

Enter the router setup screen which in mine is found by typing 192.168.1.254 in the browser address bar. I then select advanced setting, which prompts for a password, which is the admin password not the wifi key. After a few more clicks you can select “Firewall”. Up to this point most routers should be more or less the same in that there will be a firewall settings page you can navigate to and on this page there is (should be) another tab called Port Forwarding.

Select Port Forwarding and on the BT hub there is a button called “manage games and applications” which on clicking will take you to a page where you can create the rule for your VPN. Other routers may have an option to “create a new rule” or something like that.

On the BT hub you have to give the rule a name, I chose RPiVPN but it can be anything. Then there is the game or application definition. I left “Protocol” as “Any” and in the boxes about ports just type 1194 in all four of them. This might look a bit odd but it works. 1194 is the port you are going to use but you only need one although port forwarding allows you to use a range and translate them to a different range, none of which bells and whistles are needed so you just tell it to use port 1194.

The next step, having created this rule is to get the router to use it. Go back to the first Port Forwarding page where there will be two boxes, one listing games and applications and the other the device. If you look in the list of games and applications you should now find the new rule you have created “RPiVPN” listed. Select this.

In the device name box you should find “RaspberryPi” listed and you can select this. I did and it worked but then I tried changing the static IP address of the Pi to something outside the DHCP pool and everything stopped working. I could only get it to work if instead of selecting “RaspberryPi” I scrolled down to the bottom of the list where there was the option to enter an IP address directly. If I did this, in my case entering the Pi’s address of 192.168.1.106 then everything worked!

So, you can take a chance and select “RaspberryPi” or enter the address in manually but when you have done this click the “Add” button and a new line should appear showing the RPiVPN application listed against the device or IP Address.

Everything should now work but I wanted my VPN to work automatically if there was a power cut and in order to do this it is necessary to set it up so it autoruns when the device boots up.

The VPN won’t work unless you fire up the ddclient, so type this in PuTTY:

crontab -e

This file is all comments but add as a last line

@reboot sudo ddclient

Save this (Ctrl X and then Y)

Now, when you start the Pi up the VPN will start, running in the background.

Having created your VPN, once it is all working I saved the entire SD card to my computer using Win32Disk which creates an image of the SD card and means I can re-install it.

I suspect there are still a few gaps in the above description, it is a few weeks since I did this but I hope I have covered the setting up of the dynamic DNS and the port forwarding in more detail than the original BBC instructions because these were the areas which gave me most cause for head scratching.
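
Added example, not part of the original post or the BBC instructions: a small shell check that reads a server.conf like the one posted above and reports the 1024-bit DH file, the pushed route that names a host address with a subnet mask, duplicate-cn and comp-lzo. The function names and finding codes are made up for this example, and the DH size is only inferred from the easy-rsa file name.

```sh
#!/bin/sh
# Added example: lint an OpenVPN server.conf for settings worth a second look.
# Function names and finding codes are hypothetical, chosen for this example.

# Sample input: an excerpt of the server.conf posted above.
sample_conf() {
cat <<'EOF'
local 192.168.1.106 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # IF YOU CHANGED YOUR ENCRYPTION TO 2048, CHANGE THAT HERE
server 10.8.0.0 255.255.255.0
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.106 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
push "redirect-gateway def1"
duplicate-cn
cipher AES-128-CBC
comp-lzo
EOF
}

# audit_openvpn_conf [FILE]: read FILE (or stdin), print one finding per line.
audit_openvpn_conf() {
    awk '
    function ip2int(ip,    o) {          # dotted quad -> 32-bit number
        split(ip, o, /\./)
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function int2ip(n) {                 # 32-bit number -> dotted quad
        return int(n / 16777216) "." (int(n / 65536) % 256) "." (int(n / 256) % 256) "." (n % 256)
    }
    { sub(/#.*/, ""); gsub(/"/, "") }    # drop comments and quotes
    NF == 0 { next }

    # DH size is inferred from the easy-rsa file name (dh1024.pem, dh2048.pem).
    $1 == "dh" && match($2, /dh[0-9]+\.pem$/) {
        bits = substr($2, RSTART + 2, RLENGTH - 6) + 0
        if (bits < 2048)
            print "WEAK_DH: " bits "-bit DH parameters, regenerate at 2048 or more"
    }
    # A pushed route must be a network address: no bits set outside the mask.
    $1 == "push" && $2 == "route" && NF >= 4 {
        net = ip2int($3); size = 4294967296 - ip2int($4)
        if (net % size != 0)
            print "ROUTE_HOST_BITS: " $3 " " $4 " -> " int2ip(net - net % size) " " $4
    }
    # duplicate-cn lets several clients connect with the same certificate.
    $1 == "duplicate-cn" { print "DUPLICATE_CN: give each device its own client key instead" }
    # Current OpenVPN documentation advises against tunnel compression.
    $1 == "comp-lzo" { print "COMPRESSION: comp-lzo is enabled" }
    ' "$@"
}

sample_conf | audit_openvpn_conf
```

To check a real file, pass the path to your own server.conf as the argument to audit_openvpn_conf instead of piping in the sample.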
 
Thanks very much for taking the time to explain all that. I'm working offshore at the moment but when I get home I'll give it another shot!
 
Bought a Pi recently just to use for e-mails and web in the motorhome and possibly as a media player mainly as it's so low on power requirements and cheap enough to leave in it all the time

 
I haven't looked at emails and the web yet but if I buy the right connectors I should be able to plug the video output into the MH TV. Just need a DVI to VGA adaptor I think.
 
Hi @DBK ,
I know this is a very old thread I have just stumbled upon it with a Google search, but, how is it working? Is it still Working OK?
I have just spent quite a few hours and in fact ordered a Pi3B to do just what you have done only to find after all the research that my Linksys Router has OpenVPN built in which is even better and of course will be quite happy running 24/7 and only one link in the chain. So I will be activating that so I can work safer when connected to Camp Site WiFi or even McD's. But it occurred to me that it would be worth setting up the Pi as a VPN Gateway in the Van as the PI3B has WiFi built in.
I know all the devices can each have the OpenVPN app but it just seems better to use a gateway on all the time.
I initially was looking at building a Pi VPN to install at my son's house in the UK so I could use iPlayer etc from our house in France and when travelling but he is not too happy about opening his home network up and wants me to build a VPN server on the Amazon Cloud using their AWS Free Tier but personally I think that big companies are getting more and more evil so I would prefer to have control of my own VPN tunnel. I am not that interested in iPlayer anyway.
So an update on how you are finding it would be great. Do you access files on your home NAS etc? as well as using it for Banking etc.
Thanks,
Steve
 
It worked - until it was turned off by someone at home while we were away! Which illustrates the problem with a DIY solution. Who is going to fix it when you are out of the country?

I don't use it now or any VPN. BBC iPlayer now works in Europe without one and for banking I just use our broadband connection through the MiFi which is as safe as I need it. :) I wouldn't use a free or public WiFi for banking but broadband is safe.
 
IPlayer doesn't work for me in Europe, how does it work for you?
Steve

 
It just does. :) It used to detect when you are outside the UK and refuse to work but for a year or more that restriction has been lifted. Others can get it to work as well.

It did first ask me to register and I did that when in the UK. This may or may not be significant. If you try to first register when not in the UK it may not like it.
 
