PiVPN installation and configuration

Why you need a VPN is easy to answer: it lets you use your own infrastructure sensibly while on the go. Concrete examples:

  • Secure use of the Internet in public HotSpots
  • Access to the home network hard drive

VPNs are offered by a wide variety of providers, but they are usually subject to a fee or limited in data volume. In addition, you have to trust the provider, because all network traffic runs through their server and can be read there.
For your own VPN solution you can use

  • your own (WLAN) router
  • a computer in the home network in question

Some router manufacturers offer the option of setting up a VPN in the device. I myself have a Fritz!Box and can set up a VPN there; the AVM website offers very good HowTo entries. However, the implementation only allows „IPsec“ with „Xauth“, which is not supported on many devices. An app from AVM helps on smartphones, but connecting a Windows 10 laptop, for example, requires software from third-party manufacturers. Running a computer at home sounds complicated, but it isn't: the Raspberry Pi is a cheap home server, both to buy and to run. The range of software is overwhelming, as usual with Linux, and also free.

For your own VPN solution, OpenVPN comes into play. OpenVPN supports all common platforms and does not require a server from a provider.

So how does PiVPN come into play? Installing, configuring and operating an OpenVPN server requires specialist knowledge that not everyone wants to acquire. PiVPN is a tool that takes over these tasks in a simple way. The official website of the PiVPN project offers information about the project; the source code can be viewed on the project's GitHub page.

Articles worth reading on this topic (including helpful sources from my first attempts with PiVPN):

Preparation

Before the installation, you should gather some information that will be needed during it. The most important items are listed here; in most cases the installer makes suitable suggestions.

  • Name of the network interface, usually eth0 or wlan0. Since the switch to Debian version 9 (Stretch), the interface names have been changed by default: e.g. eth0 is now called „en“ followed by the MAC address.
  • Port number on which OpenVPN should be addressed. This port number must also be forwarded to the Raspberry Pi on the router. Consult the manufacturer's documentation to set up „port forwarding“ on the router.
  • The protocol to be used can be UDP or TCP, each with advantages and disadvantages. I personally prefer UDP, as it is a connectionless protocol and offers better performance. TCP offers the advantage that it can be hidden better if a firewall has to be circumvented; in this case it is recommended to use TCP port 443 and port-sharing with the web server.
  • Setting up a dynamic DNS name (for the changing home Internet address) is also necessary. There are various free providers of such services; which one is best depends on what the home router supports.

Installation

curl -L https://install.pivpn.io | bash

That's it. A few questions are asked during the installation, and the answers are pre-assigned for the „normal“ VPN user. It is advisable to take a look at the English step-by-step instructions to get an impression of the answers to be selected.
After the installation, PiVPN is ready for use. Profiles for the clients can be created immediately and used on any platform (Windows, Mac, Android, iOS or Raspberry Pi). I list download links for the clients here:

Configuration

We now have a working VPN (Virtual Private Network) in which all participating devices are connected to each other. All participants (clients) use the Internet access of the OpenVPN server (in this case our Raspberry Pi), so all Internet access goes via the home network. The traffic between OpenVPN client and OpenVPN server is always encrypted, which also ensures a secure connection in public HotSpots.
But sometimes we want more, e.g. access to other devices in our home network; the NAS drive is an example. In order to gain access to the home network, a „route“, i.e. the path from the client via the VPN to the home network, must be defined. To do this, the configuration file of the OpenVPN server (/etc/openvpn/server.conf) must be changed and the following lines added (preferably at the end of the file):

push "route 192.168.178.0 255.255.255.0 10.8.0.1"
route 192.168.178.0 255.255.255.0 10.8.0.1

We can now access the devices in our home network via the VPN, but we cannot address them by name. If the home router provides a DNS service for the home network (e.g. the Fritz!Box), the devices can also be addressed by name. For this, the following lines must be added to /etc/openvpn/server.conf (the OpenVPN option is spelled dhcp-option, and each push argument is enclosed in quotes):

push "dhcp-option DNS 192.168.178.1"
push "dhcp-option DOMAIN fritz.box"

Create and manage clients

The server is running, now we come to the clients. The OpenVPN software must be installed on each client and a configuration file must be transferred to it; this configuration file is required by the OpenVPN client. There is no need to describe the installation of the OpenVPN software, as this differs depending on the platform; I'll leave that to the friendly Mr. Google. How do we get a configuration file now? So far we've only talked about OpenVPN, but not PiVPN. PiVPN provides us with a few helpful tools for maintaining and operating our VPN. In order not to spend endless nights reading and understanding the configuration options for an OpenVPN client, we simply give the command

pivpn --help
::: Control all PiVPN specific functions!
:::
::: Usage: pivpn <command> [option]
:::
::: commands:
::: -a, add [nopass] Create a client ovpn profile, optionally nopass
::: -c, clients List any connected clients to the server
::: -d, debug Start a debugging session if having trouble
::: -l, list List all valid and revoked certificates
::: -r, revoke Revoke a client ovpn profile
::: -h, help Show this help dialog
::: -u, uninstall Uninstall PiVPN from your system!

and get a list of available options. A client configuration file is created, for example, as follows:

pivpn -a
Enter a Name for the Client: myiphone
Enter the password for the client:
Enter the password again to verify:
spawn ./easyrsa build-client-full myiphone
Note: using Easy-RSA configuration from: ./vars
rand: Use -help for summary.
Generating a 4096 bit RSA private key
..........................++
.................................................. ....++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/myiphone.key.Pc9twDGhFw'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'myiphone'
Certificate is to be certified until Sep 12 12:54:03 2027 GMT (3650 days)
Write out database with 1 new entries
Database updated
Client's cert found: myiphone.crt
Client's Private Key found: myiphone.key
CA public key found: ca.crt
tls-auth Private Key found: ta.key
==================================================
Done! myiphone.ovpn successfully created!
myiphone.ovpn was copied to:
  /home/pi/ovpns
for easy transfer.
==================================================

We have now created our first client and must transfer the resulting configuration file to the client. We can see where to find it in the last paragraph of the output.
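Before copying the profile to the device, it is worth checking that it actually contains everything the OpenVPN client needs and that the embedded private key is passphrase protected, since the file carries the key itself. The following script is an added example and not part of PiVPN; it assumes an inline profile, i.e. one in which the CA certificate, client certificate, client key and tls-auth key are embedded between <ca>, <cert>, <key> and <tls-auth> tags, which is how PiVPN's .ovpn files are built. The sample profile it writes is constructed here with placeholder PEM bodies, not real key material.

```shell
#!/bin/sh
# Added example (not PiVPN's own code): sanity-check a generated .ovpn before
# it is transferred to a device. Assumes an inline profile (<ca>, <cert>,
# <key>, <tls-auth> blocks) as PiVPN produces.

# check_profile FILE: 0 if FILE has everything an OpenVPN client needs
check_profile() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # "remote <host> <port>" tells the client where the server is
    grep -Eq '^remote[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+' "$f" \
        || { echo "$f: no remote line" >&2; return 1; }
    # each inline block needs its opening and closing tag
    for sec in ca cert key tls-auth; do
        grep -q "^<$sec>" "$f" && grep -q "^</$sec>" "$f" \
            || { echo "$f: missing <$sec> block" >&2; return 1; }
    done
    # tls-auth only works when the client knows its key direction
    grep -Eq '^key-direction[[:space:]]+1' "$f" \
        || { echo "$f: missing key-direction 1" >&2; return 1; }
    return 0
}

# key_is_encrypted FILE: 0 if the embedded private key is passphrase
# protected, which is what "pivpn -a" (without nopass) produces
key_is_encrypted() {
    sed -n '/^<key>/,/^<\/key>/p' "$1" | grep -q 'ENCRYPTED'
}

# make_sample_profile FILE: constructed profile with placeholder PEM bodies
# (not real key material) for trying the checks out offline
make_sample_profile() {
    cat >"$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# usage: sh check_profile.sh /home/pi/ovpns/myiphone.ovpn (nothing runs without arguments)
[ $# -eq 0 ] || { check_profile "$1" && echo "$1: ok"; }
```

A profile that passes both checks can be transferred; once it is on the device, the copy left in /home/pi/ovpns is no longer needed there.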

For experts

In addition to the usual use, i.e. using the home network from outside, I have implemented the following setup. The OpenVPN server is installed on a KVM server of my web host with Debian 9, i.e. outside of the home network. The installation of PiVPN also works without any problems under Debian, since the standard packages are installed from the server repository and Raspbian is based on Debian. The aim is to realize the following connection:

Home Network <- Raspberry Pi <-> OpenVPN Server <-> OpenVPN Client

Note that between home network and Raspberry Pi, the arrow only points in one direction.

Preparation

My server on the Internet has no access to other, private networks. I have therefore set up a Raspberry Pi as a client in my home network, which connects to the Internet server from home. The client is also able to propagate routes, so I made sure on the Raspberry Pi that data packets can be forwarded from one adapter (the OpenVPN tunnel device) to another. The following entry in the /etc/sysctl.conf file does this:

net.ipv4.ip_forward=1

To enable this without a reboot, issue the command

sudo sysctl -w net.ipv4.ip_forward=1

The entry in sysctl.conf only serves to enable this setting again after a reboot. In order to make life difficult for us (and to keep the server safe), the firewall on the Raspberry Pi now intervenes and blocks the technically possible traffic again. The commands

/sbin/iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
/sbin/iptables -A FORWARD -i wlan0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o wlan0 -j ACCEPT

ensure that the firewall accepts the traffic. These settings do not survive a reboot, so a script would have to be stored under /etc/init.d that reactivates them after the network start. Better (and recommended) is the method via the package iptables-persistent, which ensures that the firewall rules are also active after the network start.

sudo apt-get install iptables-persistent netfilter-persistent

The question of whether the current rules should be adopted can confidently be answered with „Yes“. The files /etc/iptables/rules.v4 and /etc/iptables/rules.v6 now contain the currently valid settings that are activated on reboot. The commands

sudo iptables-save >filename
sudo iptables-restore <filename

serve to save or restore the current rules. To keep changed rules across a reboot, the file /etc/iptables/rules.v4 must be rewritten with the command

sudo iptables-save >/etc/iptables/rules.v4

How the whole thing works with IPv6 I leave to the man pages. =)

Configuration

Now is the moment to enable the connection. The OpenVPN server must be told that the OpenVPN client on the Raspberry Pi provides a route to a network. To do this, a new file must be created on the OpenVPN server under /etc/openvpn/client-config. The filename MUST match the name given to the „pivpn -a“ command. The content is as follows:

ifconfig-push 10.8.0.250 255.255.255.0
iroute 192.168.178.0 255.255.255.0

As soon as the Raspberry Pi registers with the VPN, the corresponding route is communicated to all clients that register with the VPN AFTER it. The OpenVPN server also takes note of the route immediately.
The question arises how to ensure that the Raspberry Pi always receives the above address 10.8.0.250. Good question, here is the answer. Another configuration file is required on the server, which instructs it to always assign the same IP to the Raspberry Pi. The file is called
/etc/openvpn/client-config/dhcp-persist and must contain, in the first comma-separated field, the exact name that was assigned with „pivpn -a“.

client_name,10.8.0.250

„client_name“ should therefore be replaced with this name.
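Registering such a site-to-site client thus touches three places on the server: the per-client file under /etc/openvpn/client-config, the dhcp-persist entry, and the route and push "route" lines in server.conf from the Configuration section above. The following script is an added example and not part of PiVPN; it writes all three consistently for a given client name, checks the name (the ccd filename must equal the name given to „pivpn -a“ and must not contain path characters) and the addresses, and can be run repeatedly without duplicating lines. It assumes the paths shown on this page under OPENVPN_DIR (default /etc/openvpn) and a VPN subnet of 10.8.0.0/24 with the server at 10.8.0.1, as in the page's examples.

```shell
#!/bin/sh
# Added example (not PiVPN's own code): create the server-side pieces for a
# client that provides a route to its own LAN, following this HowTo:
#   1. $OPENVPN_DIR/client-config/<client>   ifconfig-push + iroute
#   2. $OPENVPN_DIR/client-config/dhcp-persist   "<client>,<vpn ip>"
#   3. $OPENVPN_DIR/server.conf   route / push "route" for that LAN
# Assumptions: PiVPN layout as on the page, VPN subnet 10.8.0.0/24, server 10.8.0.1.
OPENVPN_DIR=${OPENVPN_DIR:-/etc/openvpn}
VPN_GATEWAY=${VPN_GATEWAY:-10.8.0.1}

# valid_name NAME: the ccd filename MUST equal the name given to "pivpn -a",
# so allow only the characters such a name can have (no path separators)
valid_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# valid_ipv4 ADDR: four dotted decimal octets, each 0-255
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# append_once FILE LINE: add LINE to FILE unless an identical line exists
append_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >>"$1"
}

# register_site CLIENT VPN_IP LAN_NET LAN_MASK
register_site() {
    client=$1; vpn_ip=$2; lan_net=$3; lan_mask=$4
    valid_name "$client" || { echo "bad client name: $client" >&2; return 1; }
    for a in "$vpn_ip" "$lan_net" "$lan_mask"; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    ccd="$OPENVPN_DIR/client-config"
    mkdir -p "$ccd"
    # 1. per-client file: fixed tunnel address and the network behind it
    printf 'ifconfig-push %s 255.255.255.0\niroute %s %s\n' \
        "$vpn_ip" "$lan_net" "$lan_mask" >"$ccd/$client"
    # 2. persistent address assignment, first field is the client name
    append_once "$ccd/dhcp-persist" "$client,$vpn_ip"
    # 3. the server routes the LAN into the tunnel and pushes the route to other clients
    append_once "$OPENVPN_DIR/server.conf" "route $lan_net $lan_mask $VPN_GATEWAY"
    append_once "$OPENVPN_DIR/server.conf" "push \"route $lan_net $lan_mask $VPN_GATEWAY\""
}

# site_ok CLIENT: 0 if the ccd file and the dhcp-persist entry agree on the address
site_ok() {
    ccd="$OPENVPN_DIR/client-config"
    ip_in_ccd=$(awk '$1 == "ifconfig-push" { print $2 }' "$ccd/$1" 2>/dev/null)
    [ -n "$ip_in_ccd" ] && grep -qxF -- "$1,$ip_in_ccd" "$ccd/dhcp-persist"
}

# usage: sudo sh register_site.sh CLIENT VPN_IP LAN_NET LAN_MASK (nothing runs without arguments)
[ $# -eq 0 ] || register_site "$@"
```

After running it, restart the OpenVPN server so that server.conf is re-read; the ccd file and dhcp-persist are consulted on the next client connection.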
If I didn't forget anything and everything was installed and configured correctly, everything works now. Integrating another „home network“, e.g. that of a girlfriend, is no longer difficult, is it?

en/howtos/pivpn.txt · Last modified: 2022/02/18 08:09 by 127.0.0.1