I was running Raspbmc in Raspberry Pi which I like to use once a year (but I’m not gonna write about that part). What’s interesting about that device is that I always have it on and it’s connected to my router, so it makes it a great candidate for installing vpn server in it. And instead of getting another Pi to run vpn server and keep it up and running 24/7, it’s a good idea to just install OpenVpn on it also since it’s built on top of linux and that’s what I had. There have been lot of changes to the project and it also changed it’s name to OSMc. So I just decided to reformat, get OSMC and install OpenVpn on it again. Since I didn’t provision that server with chef (would be interesting to see someone run chef client in Pi though) I had to do everything manually again. Decided to write about it in case others would be interested in creating similar setup also. And since OSMC is built on top of Debian, this guide mostly applies to any Debian based setup.
Before anything let’s install needed packages and switch to root user since most of what we’ll do will require sudo permissions:
Let’s create easy-rsa folder:
Now set following variables in /etc/openvpn/easy-rsa/vars file:
Now let’s kill old keys (if they exist) and source those variables:
It’s time to build the keys and certs now. To build CA certificate run:
To build the server key run:
To build the DH key run:
To build the TA key run:
After having keys generated, let’s create the server config in /etc/openvpn/server.conf file:
Here open vpn will listen on 1194 and it’s udp, if you want it to listen on a different port or be tcp, make sure to change this. redirect-gateway is to forward internet traffic and to be able to access other boxes on the network. Next line is to resolve dns. I put my router gateway so local hostnames will also resolve. Your gateway may be different. If for a scpecific client we don’t want to redirect internet traffic we can add this to client config:
Now we need to configure os for forwarding. Run:
Open */etc/sysctl.conf file and uncomment
net.ipv4.ip_forward = 1 line.
This will allow port forwarding but we still need to configure the firewall.
This will configure firewall for forwarding and we save the configuration to /etc/iptables.up.rules file. We need to restore those settings when interface starts after the reboot. Let’s create a script file for it /etc/network/if-pre-up.d/iptables:
And make the script executable:
Now vpn server is configured. We need to restart OpenVpn or just reboot the server to make sure that firewall will still work.
For mac I like to use Tunnelblick client and for iOS OpenVpn app. This should be almost same setup even if you prefer to use other clients.
Again, let’s switch to root user, source the variables and generate client certs.
I like to generate one key per device I’m using and I prefer to have password for my mac client (using build-key-pass) and no password for iOS client (using build-key).
We need to create the client config file also, which should look something like this:
Make sure to set SERVER DNS and CLIENT NAME. For Tunnelblick we can just create a folder which name ends with .tblk, put config file, ca.crt, and our client .crt and .key files in it. Securely transfer this folder to client and open it while you have Tunnelblick installed. Tunnelblick will create a configuration for it.
For iOS, setup is similar but we’ll use .ovpn file with certs and key embedded in it. Save the above config in .ovpn file without ca, cert and key lines, name it your CLIENT NAME.ovpn and run following lines:
Note to change CLIENT NAME to your client name. Transfer this file securely to your phone and open it while you have OpenVpn installed.