Raspberry Pi DIY VPN

Discussion in 'Web Connections' started by John Laidler, Jul 24, 2015.

  1. John Laidler

    John Laidler Funster

    Joined:
    Jan 9, 2013
    Messages:
    8,586
    Likes Received:
    11,574
    Location:
    Plympton, Devon
    On another thread I mentioned I was having a go building the Raspberry Pi VPN server described on the BBC Click program (www.bbc.co.uk/click)

    Well after two or three days' effort I now seem to have it up and running. The instructions the BBC put out were not really complete and I found the odd error in them, and at one point I was obliged to register on FB :eek: in order to see what was written there by the Click team and ask the odd question. As it turned out this didn't help much but I now have lots of new friends I've never heard of.

    It doesn't seem to slow things down too much. Normal internet access on my tablet using the app downloaded from www.speedtest.net gave a download speed of around 15Mbs without the VPN and this reduced to about 13 Mbs through the VPN. Upload speeds were the same, around 3 Mbs for me.

    I won't be able to properly test it in the real world until we go away to France in September and try for example doing things like internet banking and in the unlikely event of getting a good free wifi signal logging on to BBC iPlayer. I'm not too fussed about TV but as it encrypts everything then doing internet banking should be a little safer. I've set it to 1024 bit encryption, it is possible to increase that to 2048 but it says this will slow things down but if I get bored I may give this a go and see what the difference is. I am using the latest Pi 2 model which is significantly faster than the old one. The instructions said the keys would take at least five minutes to generate but it made mine in less than a minute. The 2048 keys are supposed to take five hours or more so it will be interesting to see how long it takes to generate those.

    If anyone wants to give it a go I can let them know about my experiences and the poo traps I fell in. I'm not sure it isn't anything more than a "hobbyist" solution and if you need a VPN for say business use then a paid-for or even a free one might be better. There is another video you can find on the Click website which gives an overview of what to look for in VPN services. It is quite short but it certainly suggests they are not all the same and the level of encryption and vulnerability to attack differs and if you are really paranoid then don't use one with servers in the US as the secret squirrels there can have access to your data quite easily. :)

    But the Raspberry Pi is a great little thing and I am now going to join all those school children and start fiddling with it! (The Pi that is)

    Afternote: The link to the VPN server is: http://www.bbc.co.uk/news/technology-33548728
    and the bit about VPN services: http://www.bbc.co.uk/news/technology-33520371
     
    Last edited: Jul 24, 2015
    • Like Like x 9
  2. bubble63

    bubble63 Funster

    Joined:
    Aug 10, 2012
    Messages:
    497
    Likes Received:
    446
    Location:
    cambridge
    nice write up(y)

    we have 3 Pis doing 'stuff', great fun:cool:
     
    • Like Like x 1
  3. Judge Mental

    Judge Mental Funster Deceased RIP

    Joined:
    Sep 2, 2009
    Messages:
    6,782
    Likes Received:
    6,034
    Location:
    Sarth London
    Show off:(
     
    • Like Like x 2
  4. magicsurfbus

    magicsurfbus Funster

    Joined:
    Oct 11, 2010
    Messages:
    3,510
    Likes Received:
    8,266
    Location:
    NW England
    My Pi's still in its box in the cupboard somewhere. I bought it for school use before I'd decided to retire a year early. I was wondering about trying to use it for transferring photos from a DSLR camera direct to a portable storage medium so as not to tie up a laptop but I never got round to it.

    The 1980s style computer I'm really looking forward to now is the ZX Spectrum Vega console with over 1000 retro games onboard. It's USB powered so I should be able to take it in the MH.
     
    • Like Like x 3
  5. chaser

    chaser Funster

    Joined:
    Feb 16, 2013
    Messages:
    7,141
    Likes Received:
    7,756
    Location:
    uttoxeter
    :Eeek::doh:(n):(
     
    • Like Like x 1
  6. hilldweller

    hilldweller Funster Life Member

    Joined:
    Dec 5, 2008
    Messages:
    26,475
    Likes Received:
    25,170
    Location:
    Macclesfield
    100% BRITISH !

    Fades message to Rule Britannia.....
     
    • Like Like x 1
  7. hilldweller

    hilldweller Funster Life Member

    Joined:
    Dec 5, 2008
    Messages:
    26,475
    Likes Received:
    25,170
    Location:
    Macclesfield
    Her majesty is not amused.
     
    • Like Like x 1
  8. matamoros

    matamoros Funster

    Joined:
    May 15, 2008
    Messages:
    2,280
    Likes Received:
    3,445
    Location:
    Ex Rochdale now Tavira, S. Brittany & Europe
    What puzzles me is why the BBC should be promoting a gadget/software that will circumvent its own limits on viewing iPlayer whilst abroad!!
     
    • Like Like x 1
  9. John Laidler

    John Laidler Funster

    Joined:
    Jan 9, 2013
    Messages:
    8,586
    Likes Received:
    11,574
    Location:
    Plympton, Devon
    That occurred to me as well. Fortunately, they don't ask for your reasons!
     
    • Like Like x 1
  10. Cossieg

    Cossieg Funster

    Joined:
    Jan 25, 2013
    Messages:
    189
    Likes Received:
    89
    Location:
    Yate for the summer!
    Interesting and was thinking of doing this but looked at the CLICK website and.......

    It won't give you the option of appearing to be from somewhere else but you can use it to connect external devices like a smartphone to browse the internet more securely through your home network, and access shared files and media on your home computer.

    So you can't use this abroad to watch bbc iPlayer it seems?
     
    • Like Like x 2
  11. buttons

    buttons Funster

    Joined:
    Aug 27, 2009
    Messages:
    12,950
    Likes Received:
    10,722
    Location:
    Hertfordshire
    My son in the US got himself a Pi a while ago for a hobby, it is now taking over all his spare time. He is using an Arduino Uno to drive his robotic projects, controlled by his Pi, for which he writes pages of code just to get it to carry out small processes. He has set himself up with a soldering iron and a store of components and is enjoying every minute of it. It must be good as it is keeping him from his computer games......:)
     
    • Like Like x 2
  12. John Laidler

    John Laidler Funster

    Joined:
    Jan 9, 2013
    Messages:
    8,586
    Likes Received:
    11,574
    Location:
    Plympton, Devon
    I'm not sure about that, my understanding was the client I've installed on my tablet speaks directly to the VPN server through a tunnel and then the VPN server (the Raspberry Pi) speaks to the www. The client is encrypting what it sends and only the server can understand this and then it speaks in plain English, so to speak, to whatever website you are accessing and that website will see the message as coming from the server?

    Edit. Just re-read your post and think I understand. If you live in Spain this won't help you fool the Beeb into thinking you live in the UK. It should work for me as the server will be in the UK (in No 1 son's bedroom) when I access it from say Spain. If you live overseas then a commercial VPN is the only answer I think.
     
    • Like Like x 1
  13. LewB

    LewB Read Only Funster

    Joined:
    Aug 10, 2015
    Messages:
    3
    Likes Received:
    2
    Location:
    Cornwall
    Hi DBK, I'd really appreciate some help with setting up a VPN, I've tried the BBC Click VPN instructions twice now but I've fallen into the poo traps you've mentioned! Could you also point out the errors you found in the instructions? If nothing else I've discovered I'm more computer illiterate than I thought I was!
     
  14. John Laidler

    John Laidler Funster

    Joined:
    Jan 9, 2013
    Messages:
    8,586
    Likes Received:
    11,574
    Location:
    Plympton, Devon
    I'll have a go later this morning but essentially there are three issues, getting the code right of course, setting up the DNS translation thing and then getting the router to do port forwarding.
    I'll see if I can post the code on here somehow.
     
  15. Lenny HB

    Lenny HB Funster

    Joined:
    Oct 18, 2007
    Messages:
    5,258
    Likes Received:
    5,081
    Location:
    West Sussex
    Sounds very interesting, info appropriated.
    If setting up a private VPN tunnel to your network do you need a fixed IP address? I have one anyway just curious.
     
  16. John Laidler

    John Laidler Funster

    Joined:
    Jan 9, 2013
    Messages:
    8,586
    Likes Received:
    11,574
    Location:
    Plympton, Devon
    No, you don't need a fixed IP address, that's where the DNS lookup thing comes in. It is a free service which tells the VPN client on your tablet what the IP address is of your home router at that moment.
     
    • Like Like x 1
  17. Lenny HB

    Lenny HB Funster

    Joined:
    Oct 18, 2007
    Messages:
    5,258
    Likes Received:
    5,081
    Location:
    West Sussex
    Sounds good, as most of the software VPNs need a PC running and won't connect to a network via a router. It would be very useful to connect to my NAS drive when away; I know I can do it with professional software such as NetScreen.
     
  18. John Laidler

    John Laidler Funster

    Joined:
    Jan 9, 2013
    Messages:
    8,586
    Likes Received:
    11,574
    Location:
    Plympton, Devon
    I'm glad this came up again as it wasn't until I started to write this I realised how much had faded over the past few weeks. It has been useful to write the following down and save it for when my memory has totally gone!

    Raspberry Pi VPN

    Just follow the BBC instructions but there are a few nuances. The guide tells you how to give the Pi a static IP address but the method described is not considered best practice although it works and this is how I have done mine. The problem is they set the static IP address to the one it has been given by the router. Technically, this means the address comes from the DHCP pool and if you make one of these static I believe the router could at a later time try and allocate the same address to a different device. With my router the DHCP pool goes from 192.168.1.64 to 192.168.1.254 so to allocate an address outside this you could say choose 192.168.1.63 but when I tried this I had problems with port forwarding although I think I have now found the reason for this but I haven’t tried it again. More on this later but for the moment just follow the advice given in the BBC guide as it will work and the chances of a conflict are low I think.

    If you follow all the instructions down to where it shows the command

    sudo -s

    you should hopefully not have any problems with them, it is just a matter of following your nose. You don’t have to use the sudo -s command. I got into difficulties using it because when I took a break and had to start again I forgot to issue it and ran into all sorts of difficulties which I didn’t understand, because I was being told I didn’t have permission to do things I was able to do before I took a break. However, you can either use sudo -s as suggested or type sudo before all the subsequent commands, and if you do get told you can’t do something this is where to look for the problem. Linux is a pain with these permissions but it comes from the original Unix which was designed for large networks and it ensured ordinary users couldn't fiddle with it!

    Again, just follow the BBC instructions noting there is a point where you have to give your server a name which you should write down. What I did was to print out the BBC instructions and write things like this on the actual paper copy, subsequently typing them into an electronic copy.

    There is mention at one point of a PEM pass phrase, which is just a password by any other name, so add something in using the usual password rules, a few capitals, numbers etc. It then goes on about a des3 pass phrase and I suggest using the same password you have already created as they did.

    After a bit more key tapping it describes how to create the server.conf file. Mine is reproduced below. The Server name is WindyBottom (old family joke, don’t ask!) The Pi static address ends in 106 which you can see has been added in a couple of places. The other bit you have to change is your router address, mine ends in 254 but other routers may be different. You should be able to find your router address by going into its setup which should be described in any instructions you have for it.


    local 192.168.1.106 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/WindyBottom.crt # SWAP WITH YOUR CRT NAME
    key /etc/openvpn/easy-rsa/keys/WindyBottom.key # SWAP WITH YOUR KEY NAME
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem # IF YOU CHANGED YOUR ENCRYPTION TO 2048, CHANGE THAT HERE
    server 10.8.0.0 255.255.255.0
    # server and remote endpoints
    ifconfig 10.8.0.1 10.8.0.2
    # Add route to Client routing table for the OpenVPN Server
    push "route 10.8.0.1 255.255.255.255"
    # Add route to Client routing table for the OpenVPN Subnet
    push "route 10.8.0.0 255.255.255.0"
    # your local subnet
    push "route 192.168.1.106 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
    # Set primary domain name server address to the SOHO Router
    # If your router does not do DNS, you can use Google DNS 8.8.8.8
    push "dhcp-option DNS 192.168.1.254" # THIS SHOULD BE YOUR ROUTER ADDRESS AND MAY DIFFER FROM THE ONE SHOWN
    # Override the Client default gateway by using 0.0.0.0/1 and
    # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
    # overriding but not wiping out the original default gateway.
    push "redirect-gateway def1"
    client-to-client
    duplicate-cn
    keepalive 10 120
    tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
    cipher AES-128-CBC
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status /var/log/openvpn-status.log 20
    log /var/log/openvpn.log
    verb 1

    It then describes changes to existing files and there is some chown and chmod-ding to be done. These are important otherwise you run into permission issues.

    The next potentially hairy bit is the creation of the file ddclient.conf where the instructions given by the BBC are seriously lacking in the sort of detail someone like me needs! The first hurdle is the file is at /etc/ddclient.conf and not /etc/ddclient/ddclient.conf as described in the original instructions although I think it may now have been amended.

    When you go to the following site:

    https://blogdotmegajasondotcom.wordpress.com/2011/03/14/use-ddclient-with-changeip-com/

    It gives a sample of the ddclient.conf file you need to amend. BUT, before you can do this you need to set up the dynamic DNS thingy using www.changeip.com. It is a few weeks since I did this but from memory you need to register on this site and then in the Products area select Free Dynamic DNS. This will take you to a page where you can add a free domain under different sub-domains but I just used the default dynamic-dns.net and created my own unique web address “DBK.dynamic-dns.net” except it wasn’t “DBK” I used but yours will be different anyway. I can’t remember if when creating this I had to enter a user name and password, I am not sure I did and if I did I must have used the same details as the ones I used for creating my account on changeip.com as these are the details shown in the ddclient.conf file. Not a lot of help there I am afraid but when you go through the process of creating your domain, which is free, just make a note of any logins you have to create.

    When you come to edit the ddclient.conf file you need to make some changes. My file is shown below: My comments in capitals.

    #ddclient.conf

    #I left these things at their defaults
    daemon=1200 # check every 20 min
    syslog=yes # log update msgs to syslog
    mail=root # mail all msgs to root
    mail-failure=root # mail failed update msgs to root
    pid=/var/run/ddclient.pid # record PID in file.
    #tell ddclient how to get your ip address
    use=web, web=ip.changeip.com
    #provide server and login details (ddclient expects name=value, not name: value)
    protocol=dyndns2
    server=nic.changeip.com #DO NOT CHANGE THIS
    login=yourLogin #THIS AND THE ONE BELOW ARE THE ONES YOU USE TO
    # LOGIN TO CHANGEIP.COM
    password=yourPassword
    #specify the domain to update
    #for changeip.com, this can also be *1 or *2 #NO IDEA WHAT THIS MEANS!
    # for your "DynSets"
    dbk.dynamic-dns.net #THIS IS THE DOMAIN YOU CREATED IN CHANGEIP.COM
    # WHERE YOU WILL REPLACE “dbk” WITH YOUR DOMAIN

    The next step involves creating the default.txt file. Here is mine:

    client
    dev tun
    proto udp
    remote dbk.dynamic-dns.net 1194 #REPLACE WITH YOUR DYNAMIC DNS DOMAIN FROM CHANGEIP.COM LEAVE 1194
    # UNCHANGED
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    ns-cert-type server
    key-direction 1
    cipher AES-128-CBC
    comp-lzo
    verb 1
    mute 20


    The 4th line “remote dbk.dynamic-dns.net 1194” should of course be amended replacing “dbk” with whatever your domain is.

    Then you have to make the MakeOVPN.sh file which just means copying and pasting from the instructions. I use the PuTTY program to do this, where it is very easy to select and copy from the instructions and then right click in the PuTTY window and it just pastes in what you have selected.

    To copy the ovpn file to your device I used a free program called WinSCP which I downloaded and then using the Pi’s IP address logged in and copied the file across to my PC and then I just sent the file as an email attachment to myself and on my Nexus tablet opened the email and saved the file in the downloads folder of the Nexus.

    I then installed OpenVPN on the Nexus which can be found in the google Playstore. I think you can get it for Apple as well. As before it is a few weeks since I did this but from what I recall the installation wasn’t difficult. When you first open it tap on the three dots in the top right and then select “import from SD card” and then navigate to the ovpn file you have saved on the device. It should then set itself up but probably nothing will happen if you try to connect as you will have to set up port forwarding on your router.

    Port Forwarding

    So, (nearly there!) port forwarding instructions will be different for different models of router. I will describe how I did it on my BT Home Hub 5.

    Enter the router setup screen which in mine is found by typing 192.168.1.254 in the browser address bar. I then select advanced setting, which prompts for a password, which is the admin password not the wifi key. After a few more clicks you can select “Firewall”. Up to this point most routers should be more or less the same in that there will be a firewall settings page you can navigate to and on this page there is (should be) another tab called Port Forwarding.

    Select Port Forwarding and on the BT hub there is a button called “manage games and applications” which on clicking will take you to a page where you can create the rule for your VPN. Other routers may have an option to “create a new rule” or something like that.

    On the BT hub you have to give the rule a name, I chose RPiVPN but it can be anything. Then there is the game or application definition. I left “Protocol” as “Any” and in the boxes about ports just type 1194 in all four of them. This might look a bit odd but it works. 1194 is the port you are going to use but you only need one although port forwarding allows you to use a range and translate them to a different range, none of which bells and whistles are needed so you just tell it to use port 1194.

    The next step, having created this rule is to get the router to use it. Go back to the first Port Forwarding page where there will be two boxes, one listing games and applications and the other the device. If you look in the list of games and applications you should now find the new rule you have created “RPiVPN” listed. Select this.

    In the device name box you should find “RaspberryPi” listed and you can select this. I did and it worked but then I tried changing the static IP address of the Pi to something outside the DHCP pool and everything stopped working. I could only get it to work if instead of selecting “RaspberryPi” I scrolled down to the bottom of the list where there was the option to enter an IP address directly. If I did this, in my case entering the Pi’s address of 192.168.1.106 then everything worked!

    So, you can take a chance and select “RaspberryPi” or enter the address in manually but when you have done this click the “Add” button and a new line should appear showing the RPiVPN application listed against the device or IP Address.

    Everything should now work but I wanted my VPN to work automatically if there was a power cut and in order to do this it is necessary to set it up so it autoruns when the device boots up.

    The VPN won’t work unless you fire up the ddclient, so type this in PuTTY:

    crontab -e

    This file is all comments but add as a last line

    @reboot sudo ddclient

    Save this (Ctrl X and then Y)

    Now, when you start the Pi up the VPN will start, running in the background.

    Having created your VPN, once it is all working I saved the entire SD card to my computer using Win32Disk which creates an image of the SD card and means I can re-install it.

    I suspect there are still a few gaps in the above description, it is a few weeks since I did this but I hope I have covered the setting up of the dynamic DNS and the port forwarding in more detail than the original BBC instructions because these were the areas which gave me most cause for head scratching.
     
    • Like Like x 2
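As an added check (my own code, not from the post or the BBC guide): a short Python script that parses a server.conf and the client default.txt the way OpenVPN reads them and reports the mismatches and weak settings the post discusses (cipher and port agreement, tls-auth key direction, the 1024-bit dh file, duplicate-cn, and whether the Pi's "static" address sits inside the router's DHCP pool). The embedded configs are constructed, shortened versions of the ones in the post, and the DHCP pool 192.168.1.64 to 192.168.1.254 is the range John quotes for his router, passed in as a parameter.

```python
import ipaddress
import re

# Constructed samples modelled on the post's server.conf and default.txt
# (shortened; not the poster's actual files).
SERVER_CONF = """\
local 192.168.1.106 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp
port 1194
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.106 255.255.255.0"
push "dhcp-option DNS 192.168.1.254"
push "redirect-gateway def1"
duplicate-cn
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote dbk.dynamic-dns.net 1194
key-direction 1
cipher AES-128-CBC
"""


def parse_openvpn(text):
    """Map each directive to its arguments; 'push "x ..."' becomes key 'push x'."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith(";"):
            continue
        parts = line.replace('"', "").split()
        key, args = parts[0], parts[1:]
        if key == "push" and args:
            key, args = "push " + args[0], args[1:]
        conf[key] = args
    return conf


def check_pair(server_text, client_text, dhcp_pool=("192.168.1.64", "192.168.1.254")):
    """Return a list of (code, message) findings for a server/client config pair."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    findings = []
    # Transport settings must agree or the tunnel never comes up.
    if s.get("proto", ["udp"]) != c.get("proto", ["udp"]):
        findings.append(("proto", "server and client proto differ"))
    remote = c.get("remote", [])
    if len(remote) > 1 and remote[1] != s.get("port", ["1194"])[0]:
        findings.append(("port", "client remote port differs from server port"))
    if s.get("cipher") != c.get("cipher"):
        findings.append(("cipher", "cipher must be identical on both sides"))
    # tls-auth uses opposite key directions: server 0, client 1.
    if "tls-auth" in s and c.get("key-direction") != ["1"]:
        findings.append(("tls-auth", "server has tls-auth 0, client needs key-direction 1"))
    # Diffie-Hellman parameter size is encoded in the file name easy-rsa produced.
    m = re.search(r"dh(\d+)\.pem$", s.get("dh", [""])[0])
    if m and int(m.group(1)) < 2048:
        findings.append(("dh-weak", f"dh{m.group(1)}.pem: regenerate with 2048 bits"))
    # duplicate-cn lets several devices connect with one certificate at once;
    # a shared .ovpn then cannot be revoked without cutting all of them off.
    if "duplicate-cn" in s:
        findings.append(("duplicate-cn", "prefer one certificate per device"))
    # A 'static' address inside the router's DHCP pool may later be handed to
    # another device, which silently breaks the port-forwarding rule.
    if "local" in s:
        ip = ipaddress.ip_address(s["local"][0])
        lo, hi = (ipaddress.ip_address(a) for a in dhcp_pool)
        if lo <= ip <= hi:
            findings.append(("ip-in-dhcp-pool", f"{ip} lies in the DHCP pool {lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for code, msg in check_pair(SERVER_CONF, CLIENT_CONF):
        print(f"[{code}] {msg}")
```

Run it against your own two files by swapping the embedded strings for `open(path).read()`; an empty result means the pair is consistent and none of the weak settings above are present.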
  19. LewB

    LewB Read Only Funster

    Joined:
    Aug 10, 2015
    Messages:
    3
    Likes Received:
    2
    Location:
    Cornwall
    Thanks very much for taking the time to explain all that. I'm working offshore at the moment but when I get home I'll give it another shot!
     
    • Like Like x 1
  20. The Wino

    The Wino Funster

    Joined:
    Mar 23, 2012
    Messages:
    1,118
    Likes Received:
    2,015
    Location:
    leicester
    Bought a Pi recently just to use for e-mails and web in the motorhome and possibly as a media player, mainly as it's so low on power requirements and cheap enough to leave in it all the time
     
    • Like Like x 1