====== PiVPN installation and configuration ======

The question of why you need a [[https://de.wikipedia.org/wiki/Virtual_Private_Network|VPN]] is easy to answer: it lets you use your own infrastructure sensibly while on the go. Concrete examples:

  * Secure use of the Internet in public hotspots
  * Access to the hard drive in the home network

VPNs are offered by a wide variety of providers, but are usually subject to a fee or limited in data volume. In addition, you have to trust the provider, because all network traffic runs through their server and can be read there.\\
For your own VPN solution you can use

  * your own (WLAN) router
  * a computer in the home network

Some router manufacturers offer the option of setting up a VPN in the device. I myself have a Fritz!Box and can set up a VPN there; the AVM website offers very good HowTo entries. However, the implementation only allows "IPsec" with "Xauth", which is not supported on many devices. An app from AVM helps on smartphones, but connecting a Windows 10 laptop, for example, requires software from third-party manufacturers.

Running a computer at home sounds complicated, but it isn't: the Raspberry Pi is a cheap home server (both to buy and to run). The range of software is overwhelming, as usual with Linux, and also free.\\
For your own VPN solution, [[https://de.wikipedia.org/wiki/OpenVPN|OpenVPN]] comes into play. OpenVPN supports all common platforms and does not require a server from a provider.\\
So how does PiVPN come into play? Installing, configuring and operating an OpenVPN server requires specialist knowledge that not everyone wants to acquire. To get around this problem, PiVPN was made available as a tool that takes over these tasks in a simple way. The [[http://www.pivpn.io/|official website of the PiVPN project]] offers information about the project; the source code can be viewed on the [[https://github.com/pivpn/pivpn|GitHub page of the project]].
\\
Articles worth reading on this topic (including helpful sources from my first attempts with PiVPN):

  * [[https://www.kuketz-blog.de/pivpn-raspberry-pi-mit-openvpn-raspberry-pi-teil3/|Kuketz Blog]], where other useful uses of the Raspberry Pi can also be found
  * [[https://www.ostechnix.com/pivpn-simplest-openvpn-setup-configuration-designed-raspberry-pi/|OStechnix]], with a quite detailed installation description
  * [[https://www.datenreise.de/raspberry-pi-vpn-server-einricht-anleitung/|Datenreise.de]], where the installation and configuration of OpenVPN is described without tools
  * Also helpful is [[https://github.com/pivpn/pivpn/issues|the issue list of the PiVPN project]], in which not only errors but also solutions for special problems can be found.
  * [[https://duckduckgo.com/?q=PiVPN+Installation&t=h_&ia=web|Search engines]] are also helpful for research purposes

===== Preparation =====

Before the installation, one should gather some information that will be needed during it. The most important items are listed here; in most cases the installer proposes suitable defaults.

  * Name of the network interface, usually eth0 or wlan0. Since the switch to version 9 (Stretch), the names have been changed by default, e.g. eth0 is then called "en" followed by the MAC address.
  * Port number on which OpenVPN should be reachable. This port must also be forwarded to the Raspberry Pi on the router; consult the manufacturer's documentation to set up "port forwarding" on the router.
  * The protocol to be used can be UDP or TCP, each with advantages and disadvantages. I personally prefer UDP, as it is a connectionless protocol and offers better performance. TCP has the advantage that it can be better hidden if a firewall has to be circumvented; in this case it is recommended to use TCP port 443 and port-sharing with the web server.
  * Setting up a dynamic DNS address is also necessary. There are various free providers of such services; which one is best depends on the support in the home router.

===== Installation =====

<code>
curl -L https://install.pivpn.io | bash
</code>

That's it. A few questions are asked during the installation, the answers to which are pre-assigned for the "normal" VPN user. It is advisable to take a look at the [[https://www.sitepoint.com/setting-up-a-home-vpn-using-your-raspberry-pi/|English step-by-step instructions]] to get an impression of the answers to be selected. Since the installer is piped straight into a shell, you can also download it first (''curl -L https://install.pivpn.io -o install.sh'') and read it before running it.\\
After the installation, [[http://www.pivpn.io/|PiVPN]] is ready for use. Profiles for the clients can be created immediately and used on any platform (Windows, Mac, Android, iOS or Raspberry Pi). Download links for the clients:\\

  * [[https://itunes.apple.com/de/app/openvpn-connect/id590379981?mt=8|iOS]]
  * [[https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=de|Android]]
  * [[https://openvpn.net/index.php/open-source/downloads.html|Windows]]
  * [[https://openvpn.net/index.php/access-server/docs/admin-guides/183-how-to-connect-to-access-server-from-a-mac.html|Mac]]

===== Configuration =====

We now have a working VPN (__V__irtual __P__rivate __N__etwork) in which all participating devices are connected to each other. All participants (clients) use the Internet access of the OpenVPN server (in this case our Raspberry Pi), so all Internet access goes via the home network. The traffic between OpenVPN client and OpenVPN server is always encrypted, which also ensures a secure connection in public hotspots.\\
But sometimes we want more, e.g. access to other devices in our home network, the NAS drive being an example. In order to gain access to the home network, a "route", i.e. the path from the client via the VPN to the home network, must be defined.
To do this, the configuration file of the OpenVPN server (/etc/openvpn/server.conf) must be changed and the following lines added (preferably at the end of the file):

<code>
push "route 192.168.178.0 255.255.255.0 10.8.0.1"
route 192.168.178.0 255.255.255.0 10.8.0.1
</code>

We can now access the devices in our home network via the VPN, but we cannot address them by name. If the home router provides a DNS service for the home network (e.g. the Fritz!Box), the devices can also be addressed by name. For this, the following entries must be added to /etc/openvpn/server.conf (note that the directive is spelled ''dhcp-option'' with a hyphen):

<code>
push "dhcp-option DNS 192.168.178.1"
push "dhcp-option DOMAIN fritz.box"
</code>

===== Create and manage clients =====

The server is running, now we come to the clients. The OpenVPN software must be installed on each client and a configuration file transferred to it; this configuration file is what the OpenVPN client needs. There is no need to describe the installation of the OpenVPN software, as it differs depending on the platform; I'll leave that to the friendly Mr. Google.

How do we get a configuration file? So far we've only talked about OpenVPN, not PiVPN. PiVPN provides us with a few helpful tools for maintaining and operating our VPN. Instead of spending endless nights reading and understanding the configuration options for an OpenVPN client, we simply give the command

<code>
pivpn --help
::: Control all PiVPN specific functions! :::
:::
::: Usage: pivpn [option]
:::
::: commands:
:::  -a, add [nopass]   Create a client ovpn profile, optionally nopass
:::  -c, clients        List any connected clients to the server
:::  -d, debug          Start a debugging session if having trouble
:::  -l, list           List all valid and revoked certificates
:::  -r, revoke         Revoke a client ovpn profile
:::  -h, help           Show this help dialog
:::  -u, uninstall      Uninstall PiVPN from your system!
</code>

and get a list of available options.
A client configuration file is created with, for example:

<code>
pivpn -a
Enter a Name for the Client: myiphone
Enter the password for the client:
Enter the password again to verify:
spawn ./easyrsa build-client-full myiphone
Note: using Easy-RSA configuration from: ./vars
rand: Use -help for summary.
Generating a 4096 bit RSA private key
..........................++
......................................................++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/myiphone.key.Pc9twDGhFw'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'myiphone'
Certificate is to be certified until Sep 12 12:54:03 2027 GMT (3650 days)

Write out database with 1 new entries
Database updated

Client's cert found: myiphone.crt
Client's Private Key found: myiphone.key
CA public key found: ca.crt
tls-auth Private Key found: ta.key

==================================================
Done! myiphone.ovpn successfully created!
myiphone.ovpn was copied to: /home/pi/ovpns for easy transfer.
==================================================
</code>

We have now created our first client and must transfer the resulting configuration file to the client. The last paragraph of the output shows where to find it. Since the .ovpn file contains the client's private key, it should be transferred over a secure channel (e.g. scp) rather than by mail or an open share.

====== For experts ======

In addition to the usual use, access to the home network from outside, I have implemented the following setup. The OpenVPN server is installed on a KVM server of my web host running Debian 9, i.e. outside of the home network. The installation of PiVPN also works without any problems under Debian, since the standard packages are installed from the server's repository and Raspbian is based on Debian. The aim is to realize the following connection:\\

<code>
Home Network <- Raspberry Pi <-> OpenVPN Server <-> OpenVPN Client
</code>
Note that between the home network and the Raspberry Pi, the arrow only points in one direction.

===== Preparation =====

My server on the Internet has no access to other, private networks. I have therefore set up a Raspberry Pi as a client in my home network, which connects to the Internet server from home. The client is also able to propagate routes, so I made sure on the Raspberry Pi that data packets can be forwarded from one adapter (the OpenVPN tunnel device) to another. The following entry in /etc/sysctl.conf enables this:

<code>
net.ipv4.ip_forward=1
</code>

To enable it without a reboot, the command

<code>
sudo sysctl -w net.ipv4.ip_forward=1
</code>

must be issued. The entry in sysctl.conf only serves to enable this setting again after a reboot.

In order to make life difficult for us (and to keep the server safe), the firewall on the Raspberry Pi now intervenes and blocks the technically possible traffic again. The commands

<code>
/sbin/iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
/sbin/iptables -A FORWARD -i wlan0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o wlan0 -j ACCEPT
</code>

ensure that the firewall accepts the traffic. Note that the last rule lets every VPN client reach the home network through the Raspberry Pi, which is the intended setup here. These settings do not survive a reboot, so a script would have to be stored under /etc/init.d that reactivates them after the network start. Better (and recommended) is the method via the package [[https://packages.debian.org/iptables-persistent|iptables-persistent]], which ensures that the firewall rules are also active after the network start.

<code>
sudo apt-get install iptables-persistent netfilter-persistent
</code>

The question of whether the current rules should be saved can confidently be answered with "Yes". The files /etc/iptables/rules.v4 and /etc/iptables/rules.v6 now contain the currently valid settings, which are activated on reboot. The current rules can be written to a file, and the saved rules loaded again, with the commands

<code>
sudo iptables-save >filename
sudo iptables-restore /etc/iptables/rules.v4
</code>
How the whole thing works with IPv6 I leave to the man pages. =)

===== Configuration =====

Now is the moment to enable the connection. The OpenVPN client on the Raspberry Pi must tell the OpenVPN server that it provides a route to a network. To do this, a new file must be created on the OpenVPN server under /etc/openvpn/client-config. The filename MUST match the name given with the "pivpn -a" command. The content is as follows:

<code>
ifconfig-push 10.8.0.250 255.255.255.0
iroute 192.168.178.0 255.255.255.0
</code>

As soon as the Raspberry Pi registers with the VPN, the corresponding route is communicated to all clients that register with the VPN AFTER it. The OpenVPN server itself takes note of the route immediately.\\
The question arises how to ensure that the Raspberry Pi always receives the address 10.8.0.250 given above. Good question; here is the answer. Another configuration file is required on the server, which instructs it to always assign the same IP to the Raspberry Pi. The file is called\\
/etc/openvpn/client-config/dhcp-persist\\
and must contain, in the first comma-separated field, the exact name that was assigned with "pivpn -a":

<code>
client_name,10.8.0.250
</code>

"client_name" must therefore be replaced with this name.\\
If I didn't forget anything and everything was installed and configured correctly, everything works now. Integrating another "home network", e.g. that of a girlfriend, is no longer difficult, is it?
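To sanity-check the server.conf additions from the Configuration section and the per-client file from this section before restarting OpenVPN, here is an added Python checker (my own, not part of PiVPN or OpenVPN). It parses the ''route'', ''push "route ..."'', ''push "dhcp-option ..."'' and ccd ''iroute'' lines and flags the "dhcp option" typo, a pushed DNS server that no pushed route covers, and an ''iroute'' without a matching ''route'' line in server.conf (OpenVPN needs both). The file contents are constructed samples modelled on this page; the client name ''homepi'' is assumed.

```python
import ipaddress
import re

# Constructed server.conf excerpt modelled on this page; the DNS line keeps
# the "dhcp option" typo on purpose so the checker has something to flag.
SERVER_CONF = """\
client-config-dir /etc/openvpn/client-config
push "route 192.168.178.0 255.255.255.0 10.8.0.1"
route 192.168.178.0 255.255.255.0 10.8.0.1
push "dhcp option DNS 192.168.178.1"
push "dhcp-option DOMAIN fritz.box"
"""
# Constructed ccd file for the Raspberry Pi; the client name "homepi" is assumed.
CCD_FILES = {"homepi": "ifconfig-push 10.8.0.250 255.255.255.0\n"
                       "iroute 192.168.178.0 255.255.255.0\n"}

def _directives(text):
    # Yield (directive, args) per non-comment line; a push "..." line is unwrapped.
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'push\s+"(.*)"$', line)
        if m:
            line = "push " + m.group(1)
        parts = line.split()
        yield parts[0], parts[1:]

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_config(server_conf, ccd_files):
    """Return a list of problems found in the route / DNS / ccd setup."""
    problems, server_routes, pushed_routes, dns = [], set(), set(), []
    for d, a in _directives(server_conf):
        if d == "route" and len(a) >= 2:
            server_routes.add(_net(a[0], a[1]))
        elif d == "push" and a[:1] == ["route"] and len(a) >= 3:
            pushed_routes.add(_net(a[1], a[2]))
        elif d == "push" and a[:1] == ["dhcp"]:
            problems.append('"dhcp option" must be written "dhcp-option"')
        elif d == "push" and a[:2] == ["dhcp-option", "DNS"]:
            dns.append(ipaddress.ip_address(a[2]))
    for srv in dns:  # clients only reach the DNS server through a pushed route
        if not any(srv in n for n in pushed_routes):
            problems.append(f"DNS server {srv} is not covered by any pushed route")
    for name, ccd in ccd_files.items():  # every iroute needs a server-side route
        for d, a in _directives(ccd):
            if d == "iroute" and _net(a[0], a[1]) not in server_routes:
                problems.append(f"{name}: iroute {_net(a[0], a[1])} has no matching route in server.conf")
    return problems
```

Run ''check_config'' on the real files read from the server; an empty list means the three checks pass.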