
The Beginner's Guide to PiVPN

 

A PiVPN might seem like a nightmare to accomplish. But in this simple guide, I will detail how to set up the odds and ends of a PiVPN, as well as detail some of my experiences in its usage.

 

 

If you already have a Raspberry Pi set up, you can skip the following section as these steps only pertain to users who have not set up a Pi. Just make sure you open a port for the VPN on your router (default for PiVPN is 1194, but others can be used) and have assigned a static IP to your Pi before continuing.

 

-----------------------------------------------------

 

This is the setup guide for a Raspberry Pi. If you have already done this, skip this section.

 

The first thing you will need to do is acquire a Raspberry Pi and all the materials needed to set it up. For this project, you can use just about any generation of Raspberry Pi, including the Zero. I am using a Raspberry Pi 1 Model B, but any model should just about work. You will also need an SD card (microSD for newer models) with a capacity of at least 8GB (4 for Raspbian Lite) [1], a network connection (preferably ethernet, though WiFi can work), and a computer that both has PuTTY (or another SSH client) installed and is capable of flashing an image to the SD card (I recommend balenaEtcher). You are also going to need admin access to your router.

 

[1]: If you plan to use an SD card that is 64 GB or more, you will need to make sure it is formatted in the FAT32 format.

 

The first step is to download Raspbian. I recommend just going with the Lite version unless you also plan to use the Pi for other purposes that would require a GUI. Do note that the ZIP files the images come in are a bit large (at about 400 MB for the Lite version and a little over 1 GB for the Full version), so be prepared to wait.

 

Once the ZIP is downloaded, you will need to extract it with an archive manager compatible with the ZIP64 format. I used the built-in one in Windows, though you can also use a third-party program (such as 7-Zip [Windows], The Unarchiver [Mac], or Unzip [Linux]).

 

Flash the .img file to your SD card. balenaEtcher is the recommended tool to do this and it is easy enough to use.

 

Once the image is flashed to your SD card, insert the SD card into your Raspberry Pi and plug it in.

 

You will need to hook up a keyboard and monitor to your Pi temporarily to enable the SSH server. Login with username "pi" and password "raspberry". We will want to change these later.

 

Once you've logged in, run the following command:

sudo raspi-config

Once the command-line GUI appears, select "Interface Options", select SSH, and enable.

 

Once this has finished, you can exit the GUI and unplug the Pi. Unhook the monitor and keyboard, but leave your ethernet cable (if hooked onto the network that way) and plug the Pi back in. It is now in headless mode.

 

Go back to your computer and go into your router. You will need to find the client entry listed "raspberrypi". Copy the MAC address and assign it a static IP (aka IP Reservation). The exact process for this varies from router to router. The IP can be the same one it was assigned by the DHCP or another free IP. I assigned mine to 192.168.1.25, but any IP should work. If you change the IP from what the DHCP assigned it, be sure to reboot your Pi so the new network configuration takes effect.

 

While we are in the router, go to the Port Forwarding tab (in my router it is called "Virtual Servers", so check the exact process for your router). Open up a port for your VPN (the default is 1194, but you can assign it to anything so long as you also change the PiVPN config). You can also open up port 22 if you want to SSH into your Pi from outside your house (useful for external maintenance), but make sure to change the password before you do this. This is all the configuration you should need to do in the router.

 

Open up PuTTY (or your SSH client of choice) and connect to the IP you assigned your Pi using the SSH protocol on port 22. Login with the default credentials "pi" and "raspberry".

 

The first thing we want to do now is to change the password. Run this command:

passwd

Enter the old password "raspberry", then enter your new password and confirm it. At this point, you have changed the default password. If you lose the new password, you will have to reinstall Raspbian. You can also go one step further by changing the login username.

 

In order to do this, we will need to add a temporary user. Add a user with this command (you can also replace "temp" with some other name):
sudo adduser temp
Enter a password, then hit enter for the rest of the fields.
Next, add the user to the Sudo group:
sudo adduser temp sudo

Disconnect your PuTTY session and log back in as user "temp".

 

Now, run this command, replacing #USERNAME with whatever username you want:

sudo usermod -l #USERNAME pi

Disconnect and log back in with your new username. The password will be the one you changed for "pi" as your new username is now in the place of the old "pi" username.

 

Now delete the "temp" user with the following command:

sudo deluser temp

You will need to enter your password. After you do, the only account on the Pi will be your account. Your Pi is now secure.

 

Finally, run this command:

sudo apt-get update && sudo apt-get upgrade

This will update all packages/repositories to make sure they are secure.

 

At this point, we are ready to move onto the installation of PiVPN.

 

--------------------------------------------------------------------------

 

For those of you just joining us, we are now moving to the installation of PiVPN. Make sure that you have opened up a port for the VPN on your router before continuing.

 

In order to install, we have to simply run one command:

curl -L https://install.pivpn.io | bash

This command will start the download of PiVPN. You may need to re-enter your password as Sudo is needed for the install. Note that during this install, you may be waiting a while between selecting various options. Be patient; the Pi is a cheap computer, not a fast computer. If you are changing selections, use the spacebar. The enter key will automatically apply the current selection on lists.

 

If you are running the new version of Raspbian Buster, you may get a message that states that the OS might not be supported. You can ignore this.

 

After running through a few introductory screens, you will come to a screen asking you to confirm your network configuration. If it is correct, select "yes". If not, select "no" to edit them and continue.

 

You will then be asked to select a local user to hold the VPN profiles. If you have more than one user, select your username and continue.

 

You will then be asked if you want to enable automatic security updates. I HIGHLY recommend you select "yes".

 

On the next screen, you will be asked to select either TCP or UDP. Select UDP unless there is a specific reason you need TCP.

 

On the next screen, you will be asked to confirm the VPN port. The default is 1194, but change this if you set the VPN port to something else on your router. It will ask you to confirm the port before continuing.

 

The next screen will ask for your encryption level. 2048-bit will be fine for most users. However, you can select 4096-bit if you are paranoid about snooping. 1024-bit is not recommended except for testing.

 

The next screen will ask you if you want to download the Diffie-Hellman (DH) parameters from 2-Ton Digital. In short, the DH parameters govern how the encryption keys are sent. If you are fine downloading the database and having the parameters randomly selected from it, then select "yes". If you are extremely paranoid, select "no" and your Pi will generate the DH parameters. Be warned, generating the DH parameters can take HOURS if you have selected 4096-bit encryption. (Correction: It will only ask if you want to grab the security keys from a database if you select 4096-bit encryption. If you select 2048-bit, it will automatically generate the keys.)

 

You will then be asked if you want to use your public IP for login or if you want to use a Domain Name. If you have set up a DDNS domain name through a provider like DynDNS or NO-IP, then select "DNS Entry" and enter your domain name on the next screen. Otherwise, continue.

 

The next screen will ask you what DNS service provider you want to use. I recommend selecting Cloudflare (AKA 1.1.1.1), but you can select another service provider if you want. If you are using PiVPN in conjunction with a Pi-Hole server (or you want to enter a custom DNS), scroll down and select "Custom", then enter the IPs for the DNS server.

 

The next screen will ask you if you want to add a custom search domain. Unless you have your own website, select "no".

 

You have now completed the install/configuration of PiVPN. You will receive a screen asking you to reboot; select "yes" unless you have a good reason not to reboot right now.

 

The next step is to create your VPN connection profiles.

 

If you changed the default username on your pi, be SURE to create the directory /home/#USERNAME/ovpns or you will receive an error message. You can do this with the following command (replace #USERNAME with the username you use to log in):

sudo mkdir -p /home/#USERNAME/ovpns

 

Once your Pi has rebooted, run the following command to create a VPN profile:

pivpn -a

If you want to add a profile without a password, then you will want to run this command instead of the one listed above:

pivpn -a nopass

You may need to re-enter your password to allow Sudo to run.

 

You will then be asked to fill out a few fields:

The first field will ask you what you want the name of the profile to be. Pick whatever you want for the profile.

The next field will ask you how long you want the profile to last. Unless you want a limited time frame, keep the default number (which is just shy of 3 years, at which point you'll probably want a new profile for the sake of security).

Finally, you'll need to enter a password and confirm said password. Personally, I generate a 32-character password with LastPass and copy-paste it into the terminal (use right-click to paste into the PuTTY terminal).

 

In order to retrieve the VPN profile, you will need to connect with an FTP service, like Filezilla. Connect to the Pi's IP on port 22; be sure to enter your username and password.

 

Navigate to /home/#USERNAME/ovpns/ to retrieve the OpenVPN profile.

 

Copy the OpenVPN profile to your computer.

 

That's everything you need to do on the Pi's side! If you want more than one user, you will need to create multiple profiles.

 

In order to connect to the PiVPN, you will need to download the OpenVPN client. The OVPN client is available for all major desktop and mobile platforms. All you have to do is open the profile with the application and enter the password.

 

You should be all set now! If you have any questions or want clarification in a certain area, just ask.
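
Added example, not part of the original post: the install step in the guide pipes the download straight into bash, so a failed or cut-off download would start executing before anyone has looked at it. The sketch below saves the installer to a file first and runs basic sanity checks before review; the function name `vet_installer` and the file name `pivpn-install.sh` are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: vet a downloaded installer before running it.
# vet_installer and pivpn-install.sh are hypothetical names.

# vet_installer FILE
# Prints the file's SHA-256 on success. Return codes:
#   1 = missing/empty, 2 = not a shell script, 3 = fails to parse.
vet_installer() {
    local file="$1"
    # 1. A failed download often leaves a zero-byte file behind.
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    # 2. The first line must be a shell shebang, not an HTML error
    #    page or a captive-portal login page.
    case "$(head -n 1 "$file")" in
        '#!'*sh*) ;;
        *) echo "first line is not a shell shebang" >&2; return 2 ;;
    esac
    # 3. Parse without executing. A download cut off in the middle of
    #    a function or quoted string fails here. This is a heuristic:
    #    it does not replace reading the script.
    bash -n "$file" 2>/dev/null \
        || { echo "syntax check failed (truncated download?)" >&2; return 3; }
    # 4. Record the hash of exactly the bytes that were checked.
    sha256sum "$file" | cut -d' ' -f1
}

# On the Pi, the flow would be:
#   curl -fsSL https://install.pivpn.io -o pivpn-install.sh
#   ./this-script.sh pivpn-install.sh   # sanity checks + hash
#   less pivpn-install.sh               # read what will run under sudo
#   bash pivpn-install.sh
if [ $# -gt 0 ]; then
    vet_installer "$1"
fi
```
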
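
Added example, not part of the original post: a check to run after the account rename steps in the guide (`adduser temp`, `usermod -l`, `deluser temp`). It lists interactive accounts that are still named "pi" or "temp", and accounts whose home directory no longer matches the login name, which is what `usermod -l` leaves behind because it changes only the login name. The function names and the sample passwd lines are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: audit login accounts after renaming the default user.
# audit_logins and sample_passwd are hypothetical names.

# Constructed sample: passwd entries after `usermod -l alice pi` on a
# system where the temporary account was never deleted.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:,,,:/home/pi:/bin/bash
temp:x:1001:1001:,,,:/home/temp:/bin/bash
bob:x:1002:1002:,,,:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# audit_logins PASSWD_FILE
# Looks only at regular accounts (UID 1000..65533) with a login shell.
# Prints one finding per line:
#   leftover-login:NAME       account still called "pi" or "temp"
#   home-mismatch:NAME:HOME   home directory does not end in NAME
audit_logins() {
    awk -F: '
        $3 >= 1000 && $3 < 65534 && $7 !~ /(nologin|false)$/ {
            if ($1 == "pi" || $1 == "temp")
                print "leftover-login:" $1
            n = split($6, parts, "/")
            if (parts[n] != $1)
                print "home-mismatch:" $1 ":" $6
        }' "$1"
}

# Run against a real file when one is given, e.g. /etc/passwd.
if [ $# -gt 0 ]; then
    audit_logins "$1"
fi
```

A `home-mismatch` line for the renamed account means paths such as /home/#USERNAME/ovpns do not exist until they are created by hand, which matches the `mkdir` step the guide calls for.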


I just realized that I forgot to detail some of my experiences with PiVPN, but that post was getting pretty long anyway (my computer was starting to lag). So I'll put them here instead:

 

For a low use server, PiVPN is a great option if you don't want to pay for a VPN service. I have run into issues occasionally where I was able to access the server because of internet blocking. However, this might be as simple a fix as just changing the port.

 

Unfortunately, I do not know of a way to bring up the configurator after installation. When I wanted to change a setting, I have had to uninstall and reinstall PiVPN. Maybe there is an easier way of doing this, but I'm not sure.

 

You might be able to run PiVPN and Pi-Hole on the same Raspberry Pi, but I have not tried it myself. More research would be required.


10 hours ago, KonKey125 said:

You might be able to run PiVPN and Pi-Hole on the same Raspberry Pi, but I have not tried it myself. More research would be required.

I can confirm this can be done. I also pointed pi-hole to my router/gateway for whole network coverage.
