Configuring OpenVPN on Raspberry Pi: A Comprehensive Guide


Ohidur Rahman Bappy

MAR 22, 2025

Introduction

Setting up a Virtual Private Network (VPN) on your Raspberry Pi can enhance your network security and privacy. This guide walks you through installing and configuring OpenVPN on your Raspberry Pi, along with setting up routing and NAT.

Prerequisites

Before you start, ensure your Raspberry Pi is updated:

sudo apt-get update  
sudo apt-get upgrade
sudo apt-get dist-upgrade

Step 1: Install OpenVPN

First, install OpenVPN on your Raspberry Pi:

sudo apt-get install openvpn

Enable the OpenVPN service to start automatically:

sudo systemctl enable openvpn

Step 2: Configure OpenVPN

Copy the OpenVPN config files and certificates provided by your VPN provider to your Raspberry Pi. Use a tool like WinSCP for transferring files.

Ensure you're in the correct directory:

cd /home/pi

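Move the configuration files to the OpenVPN folder. This command moves every file in the current directory, so make sure it contains only the files from your VPN provider: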

sudo mv * /etc/openvpn/

Rename the configuration file to end with .conf:

cd /etc/openvpn
sudo mv *.ovpn vpn.conf

Create an authentication file containing your VPN username and password:

sudo nano auth.txt

Enter your credentials on separate lines:

username
password

Secure the authentication file:

sudo chmod 600 /etc/openvpn/auth.txt

Edit the configuration file to use absolute paths:

sudo nano vpn.conf

Update these lines:

ca /etc/openvpn/CACertificate.crt
cert /etc/openvpn/UserCertificate.crt
key /etc/openvpn/PrivateKey.key
auth-user-pass /etc/openvpn/auth.txt

Restart the OpenVPN service:

sudo service openvpn restart 

Verify the connection using:

wget http://ipinfo.io/ip -qO -

Step 3: Enable IP Routing

Enable IP forwarding to allow network traffic to flow through your Raspberry Pi:

sudo /bin/su -c "echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
sudo sysctl -p

Step 4: Set Up Firewall and NAT

Configure iptables for Network Address Translation (NAT):

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow necessary internal traffic:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Set default policies:

sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP
sudo iptables -L

Make the iptables rules persistent:

sudo apt-get install iptables-persistent
sudo systemctl enable netfilter-persistent

Step 5: Client Device Configuration

Connect any network device to the VPN by changing its default gateway to match your Raspberry Pi's IP address.

To expose services on specific ports, add these rules:

sudo iptables -A INPUT -i eth0 -p tcp --dport 9090 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT

For a broader configuration, allow all ports. Note that this effectively cancels the INPUT DROP policy for everything arriving on eth0:

sudo iptables -A INPUT -i eth0 -p tcp --dport 1:65535 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --dport 1:65535 -j ACCEPT

Save the configuration:

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

Redirect all TCP ports arriving on eth0 to port 10000 on 192.168.1.10:

sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1:65535 -j DNAT --to-destination 192.168.1.10:10000
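
The following is an added example, not part of the original guide: a small audit that reads `iptables-save` output and flags rules that would let traffic bypass tun0 or that undo the DROP policies from Step 4. The function names and the sample ruleset are constructed for illustration; the interface names eth0 and tun0 are the ones used above.

```shell
# Usage on the Pi: sudo iptables-save | audit_ruleset tun0
audit_ruleset() {
  awk -v tun="${1:-tun0}" '
    /^[*]/ { table = substr($0, 2); next }         # "*nat" / "*filter" table headers
    table == "filter" && /^:(INPUT|FORWARD) / {    # ":INPUT DROP [0:0]" policy lines
      if ($2 != "DROP") print "POLICY " substr($1, 2) " default is " $2 ", expected DROP"
      next
    }
    /^-A / {
      inif = outif = dport = target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-i") inif = $(i + 1)
        if ($i == "-o") outif = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      # Forwarding that touches neither side of the tunnel bypasses the VPN.
      if (table == "filter" && $2 == "FORWARD" && target == "ACCEPT" && inif != tun && outif != tun)
        print "LEAK " $0
      # Masquerading on anything but the tunnel sends LAN traffic out untunnelled.
      if (table == "nat" && target == "MASQUERADE" && outif != tun)
        print "LEAK " $0
      # A full port range on INPUT cancels the default DROP policy.
      if (table == "filter" && $2 == "INPUT" && target == "ACCEPT" && dport ~ /^[01]:65535$/)
        print "OPEN " $0
    }'
}

# Constructed sample: the Step 4 rules plus the "allow all ports" TCP rule from Step 5.
sample_ruleset() {
  cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1:65535 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample_ruleset | audit_ruleset tun0
```

No output means none of the three checks fired; each finding line starts with POLICY, LEAK or OPEN followed by the offending rule.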

Conclusion

With OpenVPN configured, your Raspberry Pi can now function as a VPN gateway, routing traffic from the devices behind it through the VPN tunnel. Be sure to adjust your network settings according to your security needs and network design.