Raspberry Pi / Linux OpenVPN Tutorial - [http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing]

Raspberry Pi - Linux OpenVPN Tutorial.txt

RaspberryPi OpenVPN Tutorial by [http://readwrite.com/author/lauren-orsini/]
----------------------------
 * http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/
 * http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side
 
These instructions should also be suitable for any recent OpenVPN installation, on any Linux disto - modify accordingly.

NOTE: Copy'n'paste anything between quotes below - but not the quotes, and only if it is preceeded by the word run!
      I've assumed you are logged in to your RaspberryPi as the pi user.
      Instructions where brackets [like-this] are used means, choose your own value.
      Any text NOT preceeded by a step number, or indented, is output from a command, or is text that belongs in a file.
      Any text in parenthesis (like this) is commentary to command output, just for guidance.

 1) Set up NOOBS and install Raspbian - google it.
 2) Setup a static IP address for the Raspberry Pi on your home network - google it.
 3) Enable SSH on the RaspberryPi - copy and paste ya know - "sudo update-rc.d ssh enable ; sudo service ssh start"
 4) On your router, forward the OpenVPN port 443/TCP (usually 1194/UDP) to the static IP of your Raspberry Pi - see point 2
 5) Run "passwd" to change the default password (raspberry) for the user "pi" - as you have ssh enabled, it kinda makes sense.

    Now become root for the remaining steps, run "sudo su -"

 6) Run "apt-get update && apt-get upgrade" - It shouldn’t take long, and it’ll save you troubleshooting later on.
 7) Run "apt-get install -y openvpn" - this will install... yes, the OpenVPN package.
 8) Run "cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa" - to copy the easy-rsa scripts to the openvpn directory.
 9) Run "cd /etc/openvpn/easy-rsa"
10) Run "sed -i 's|export EASY_RSA=.*|export EASY_RSA=/etc/openvpn/easy-rsa|' /etc/openvpn/easy-rsa/vars" - to make life easy.
11) Run this also if you are paranoid "sed -i 's|export KEY_SIZE=.*|export KEY_SIZE=2048|' /etc/openvpn/easy-rsa/vars"
12) Run "cd /etc/openvpn/easy-rsa"
13) Run "source ./vars && ./clean-all && ./build-ca" - load variables into environment, remove any old keys, and create a CA.
    You can safely hit enter to accept the defaults.

Generating a 2048 bit RSA private key
...............+++
.....................................................................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [[email protected]]:

14) Run "./build-key-server [Server_Name]" - build server key, I've used "Server" - so use that, or remember to rename it elsewhere!
    You will be asked lots of stuff - take the defaults, unless you really want to use different values.
    The "Common Name" MUST be the [Server_Name] you picked above - it should default to this.

Generating a 2048 bit RSA private key
............................................................................................+++
..........................+++
writing new private key to 'Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Server]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (*this MUST be left blank, just hit enter*)
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'Server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 27 22:34:30 2026 GMT (3650 days)
Sign the certificate? [y/n]:y (Obviously, type “y.”)


1 out of 1 certificate requests certified, commit? [y/n]y (Obviously, type “y.”)
Write out database with 1 new entries
Data Base Updated

15) Run "./build-key-pass [Client_Name]" - build client key, I've used "Client1" etc - so use that, or remember to rename it elsewhere!

Generating a 2048 bit RSA private key
...................................+++
...................................+++
writing new private key to 'Client1.key'
Enter PEM pass phrase: (Make it something you will remember!)
Verifying - Enter PEM pass phrase: (Entering it again, just to make sure you used the same one!)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Client1]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (*MUST be left blank, just hit enter*)
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'Client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 27 22:36:34 2026 GMT (3650 days)
Sign the certificate? [y/n]:y (Signing certifies it for 10 years by default.)


1 out of 1 certificate requests certified, commit? [y/n]y (Obviously, type “y.”)
Write out database with 1 new entries
Data Base Updated

16) Run "cd keys" and run "openssl rsa -in Client1.key -des3 -out Client1.3des.key" - remember I said I used Client1 etc?

Enter pass phrase for Client1.key: (the pass phrase you used earlier)
writing RSA key
Enter PEM pass phrase: (the pass phrase you used earlier)
Verifying - Enter PEM pass phrase:

17) Then "cd /etc/openvpn/easy-rsa/" and run "./build-dh"
    Be patient! This bit will take a while on a RaspberryPi... especially if you chose to run step 11 above!

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................................................+.......................................................................................................................+....................................................................................................................................................+.........................................................+.......................+..............+..............+..................................................................................................................................................+....................................................................++*++*

18) Run "openvpn –-genkey –-secret keys/ta.key" - we're almost there!
    We’re going to implement OpenVPN’s build-in Denial of Service (DoS) attack protection.
    You might already know that a DoS attack is successful when a hacker finds out your server’s address,
    and generates such a large number of access requests that your server crashes.
    With this in place, the server won’t even entertain the idea of authenticating an access request,
    unless it detects this static key first. Thus, a hacker can’t just spam the server with random repeated requests.

19) Run "vi /etc/openvpn/server.conf" and add the following text... - pay attention to the comments!

local 192.168.2.0 # This will be the static IP you gave your RaspberryPi in step 2 above!
dev tun 
proto tcp # Using tcp and the known safe port below (for HTTPS), will allow you to traverse a proxy
port 443 # Using 443 will allow you to traverse a proxy
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/Server.crt # If you didn't use "Server" above - rename this!
key /etc/openvpn/easy-rsa/keys/Server.key # If you didn't use "Server" above - rename this!
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If followed step 11 above - then change this to reflect 2048 in the filename!
server 10.8.0.0 255.255.255.0 
# server and remote endpoints 
ifconfig 10.8.0.1 10.8.0.2 
# Add route to Client routing table for the OpenVPN Server 
push "route 10.8.0.1 255.255.255.255" 
# Add route to Client routing table for the OpenVPN Subnet 
push "route 10.8.0.0 255.255.255.0" 
# your local subnet 
push "route 192.168.2.0 255.255.255.0" # Make sure this matches the IP network and subnetmask for your network!
# Set primary domain name server address to the SOHO Router 
# If your router does not do DNS, you can use Google DNS 8.8.8.8 
push "dhcp-option DNS 192.168.2.1" # Set this to your internal DNS resolver/router IP - or use google.
# Override the Client default gateway by using 0.0.0.0/1 and 
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of 
# overriding but not wiping out the original default gateway. 
push "redirect-gateway def1" 
client-to-client 
duplicate-cn 
keepalive 10 120 
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 
cipher AES-128-CBC 
comp-lzo 
user nobody 
group nogroup 
persist-key 
persist-tun 
status /var/log/openvpn-status.log 20 
log /var/log/openvpn.log 
verb 1

20) Run "sed -i 's|^.*net.ipv4.ip_forward=1.*|net.ipv4.ip_forward=1|' /etc/sysctl.conf" - persist IP forwarding after a reboot.
21) Run "sysctl -p" - enable IP forwarding now.
22) Run "vi /etc/firewall-openvpn-rules.sh" and add the following text, ensure you use the static IP used in step 2 above!

#!/bin/sh 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.XX.X

23) Run "chmod 700 /etc/firewall-openvpn-rules.sh && chown root /etc/firewall-openvpn-rules.sh"
24) Run
    "sed -i 's|^iface eth0 inet\( .*\).*|iface eth0 inet\1\n    pre-up /etc/firewall-openvpn-rules.sh|' /etc/network/interfaces"

    Ensure you have something similar to below in your "/etc/network/interfaces" file:

iface eth0 inet manual
    pre-up /etc/firewall-openvpn-rules.sh

25) Enable OpenVPN on the RaspberryPi, run "update-rc.d openvpn enable ; service openvpn start"

26) To reload the networking settings, and enable the iptables rule above, run "service networking restart"

27) Run "vi /etc/openvpn/easy-rsa/keys/Default.txt" and add the following text...

client
dev tun
proto tcp
remote <YOUR PUBLIC/EXTERNAL IP ADDRESS HERE, OR YOUR DYNAMIC FULLY QUALIFIED HOSTNAME> 443
resolv-retry infinite 
nobind 
persist-key 
persist-tun 
mute-replay-warnings 
ns-cert-type server 
key-direction 1 
cipher AES-128-CBC 
comp-lzo 
verb 1 
mute 20

28) Run "vi /etc/openvpn/easy-rsa/keys/MakeOVPN.sh" and add the following text to it...

#!/bin/bash

# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
CA="ca.crt"
TA="ta.key"

#Ask for a Client name
echo -n "Please enter an existing Client Name:"
read NAME

#1st Verify that client’s Public Key Exists
if [ ! -f $NAME$CRT ]; then
 echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
 exit
fi
echo "Client’s cert found: $NAME$CR"

#Then, verify that there is a private key for that client
if [ ! -f $NAME$KEY ]; then
 echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
 exit
fi
echo "Client’s Private Key found: $NAME$KEY"

#Confirm the CA public key exists
if [ ! -f $CA ]; then
 echo "[ERROR]: CA Public Key not found: $CA"
 exit
fi
echo "CA public Key found: $CA"

#Confirm the tls-auth ta key file exists
if [ ! -f $TA ]; then
 echo "[ERROR]: tls-auth Key not found: $TA"
 exit
fi
echo "tls-auth Private Key found: $TA"

#Ready to make a new .opvn file - Start by populating with the default file
cat $DEFAULT > $NAME$FILEEXT

#Now, append the CA Public Cert
echo "<ca>" >> $NAME$FILEEXT
cat $CA >> $NAME$FILEEXT
echo "</ca>" >> $NAME$FILEEXT

#Next append the client Public Cert
echo "<cert>" >> $NAME$FILEEXT
cat $NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $NAME$FILEEXT
echo "</cert>" >> $NAME$FILEEXT

#Then, append the client Private Key
echo "<key>" >> $NAME$FILEEXT
cat $NAME$KEY >> $NAME$FILEEXT
echo "</key>" >> $NAME$FILEEXT

#Finally, append the TA Private Key
echo "<tls-auth>" >> $NAME$FILEEXT
cat $TA >> $NAME$FILEEXT
echo "</tls-auth>" >> $NAME$FILEEXT

echo "Done! $NAME$FILEEXT Successfully Created."

#Script written by Eric Jodoin


29) Run "cd /etc/openvpn/easy-rsa/keys/ ; chmod 700 MakeOVPN.sh"

30) Then run "./MakeOVPN.sh" - Remember I used Client1 earlier? ;-)

The file produced - hopefully - is now ready to be imported into your OpenVPN client.