Building A Raspberry Pi VPN HowTo: Creating An Encrypted Client Side
By now, it’s pretty apparent that turning your Raspberry Pi into a Virtual Private Network is an all-evening activity. But as security flaws further compromise our Internet lives, it feels increasingly worth it to have a secure server on your side. That way, you’re free to write emails and transfer data without worrying about what or who might be intercepting it as it travels from your computer to the Web.
If you’ve followed the steps from the other Raspberry Pi VPN HowTo, you’ve got a fully functional VPN server on your Raspberry Pi. You can use this to connect securely to your home network wherever there’s an unencrypted wireless connection. You can also access shared files and media you keep stored on your home network.
Only, you can’t access those files just yet. We’ve created keys for clients (computers and devices) to use, but we haven’t told the clients where to find the server, how to connect, or which key to use.
If you remember, we created a different client key for each of the devices we want to grant VPN access. We called them Client1, Client2 and Client3.
It’d be a lot of trouble to generate a new configuration file for each client from scratch, which is why we’ll use an ingenious script written by Eric Jodoin of the SANS Institute. Instead of generating a file for each client on our own, this script will do it for us.
Following The Script
The script will access our default settings to generate files for each client. The first thing we need to do, then, is create a blank text file from which those default settings can be read.
nano /etc/openvpn/easy-rsa/keys/Default.txt
Fill in the blank text file with the following:
client
dev tun
proto udp
remote <YOUR PUBLIC IP ADDRESS HERE> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
It should look like the screenshot below, except it should show your public IP address. You’ll see that I deleted my own public IP address because that’s private information you shouldn’t be sharing around. On the other hand, local static IP addresses are very similar for everyone. They usually start with “192.168.”
Now, if you don’t have a static public IP address, you need to use a dynamic domain name system (DDNS) service to give yourself a domain name to put in place of the IP address. I recommend using the free service DNS Dynamic, which lets you pick a name of your choice. Then on your Pi, you need to run DDclient to update your DDNS registry automatically. I wrote a full tutorial for how to do this here.
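A quick check of Default.txt before the script reads it, as an added example that is not part of the original tutorial or of Eric Jodoin’s script. The function name check_defaults and the sample values are assumptions; it flags a leftover placeholder or a LAN address in the remote line, and any missing directive from the settings above.

```shell
# check_defaults FILE: print one finding per line; return 0 when clean, 1 otherwise.
check_defaults() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "cannot read: $file"; return 1; }
    conf=$(tr -d '\r' < "$file")    # tolerate files edited on Windows

    # Directives from the tutorial's defaults that every client profile needs.
    for want in "client" "dev tun" "proto udp" "ns-cert-type server" "key-direction 1"; do
        printf '%s\n' "$conf" | grep -qxF -- "$want" ||
            { echo "missing directive: $want"; rc=1; }
    done

    # Parse the first 'remote <host> [port]' line.
    host=$(printf '%s\n' "$conf" | awk '$1 == "remote" { print $2; exit }')
    port=$(printf '%s\n' "$conf" | awk '$1 == "remote" { print $3; exit }')

    case $host in
        "")   echo "no remote line"; return 1 ;;
        "<"*) echo "remote still holds the placeholder"; return 1 ;;
    esac

    # An IPv4 literal must be the public address; a LAN address only works at home.
    # Anything that is not an IPv4 literal is treated as a (DDNS) hostname.
    if printf '%s\n' "$host" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        case $host in
            10.*|192.168.*|127.*|169.254.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                echo "remote is a private address: $host"; rc=1 ;;
        esac
    fi

    # The port is optional for OpenVPN, but if present it must be a number.
    case $port in
        *[!0-9]*) echo "remote port is not numeric: $port"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the tutorial's defaults with a LAN address pasted in by mistake.
sample=$(mktemp)
printf '%s\n' client 'dev tun' 'proto udp' 'remote 192.168.1.10 1194' \
    'ns-cert-type server' 'key-direction 1' > "$sample"
check_defaults "$sample" || echo "fix the findings above before generating client files"
rm -f "$sample"
```

On the Pi, point it at the real file: check_defaults /etc/openvpn/easy-rsa/keys/Default.txt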