Published on April 5th, 2013 | by Kalen Wessel
Raspberry Pi OpenVPN and Android
During the month of May and half of June, Thomas and I will be traveling all over Europe. During the trip we will be spending a fair share of time in hostels, 90% of which offer free WiFi. This is great since I won’t have much of a data plan while I am over there. The downside is the security risk that arises when using an open access point. To mitigate the risk of any plaintext traffic being transmitted from my phone, I will be using a VPN tunnel back home. This will offer a layer of protection on all my network traffic and keep prying eyes off any sensitive data.
I’ll be using OpenVPN for both the server and client because they offer an open source server and a simple Android client application, which makes setting up the connection relatively painless.
Since the VPN needs to be up and running 24/7 and I don’t want to waste energy, I’ll be using a Raspberry Pi to host the server. Let’s get started:
Setting up OpenVPN Server on Raspbian
Login as root first:
Start by installing the OpenVPN and OpenSSL packages using apt-get:
apt-get install openvpn openssl
Move into the OpenVPN directory and copy the easy-rsa configuration folder:
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Using whichever text editor you prefer, open the vars file:
Modify the line which points to the EASY_RSA directory so that it matches the following:
Save the file. Now run the vars file:
You should see a prompt telling you to run clean-all; do so:
Move into the easy-rsa directory and create a symbolic link for the OpenSSL configuration file:
cd easy-rsa
ln -s openssl-1.0.0.cnf openssl.cnf
Time to create the certs:
Build the Diffie-Hellman parameters:
Create the file openvpn.conf:
cd ../
nano openvpn.conf
Paste in the following:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DNS 18.104.22.168"
log-append /var/log/openvpn
comp-lzo
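An added example, not part of the original post: a short Python check that parses the server config above and flags settings worth tightening (the 1024-bit DH file, comp-lzo, the absence of tls-auth, and client-to-client). The embedded config is a constructed excerpt, the function names are hypothetical, and reading the DH size from the file name is a heuristic that assumes easy-rsa's dh<KEY_SIZE>.pem naming.

```python
import re
import shlex

# Constructed excerpt of the tutorial's server config (directives the checks look at).
SERVER_CONF = """\
dev tun
proto udp
port 1194
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
push "redirect-gateway def1"
#set the dns servers
comp-lzo
"""

def parse(conf):
    """Map each directive to its argument lists, skipping '#' and ';' comments."""
    directives = {}
    for line in conf.splitlines():
        tokens = shlex.split(line, comments=True)  # handles quoted args and '#'
        if tokens and not tokens[0].startswith(";"):
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives

def audit(conf):
    """Return (directive, finding) pairs for settings worth tightening."""
    d, findings = parse(conf), []
    for args in d.get("dh", []):
        # Heuristic (assumption): easy-rsa names the file dh<KEY_SIZE>.pem.
        m = re.search(r"dh(\d+)\.pem$", args[0]) if args else None
        if m and int(m.group(1)) < 2048:
            findings.append(("dh", m.group(1) + "-bit DH parameters; use 2048 bits or more"))
    for name in ("comp-lzo", "compress"):
        if name in d:  # flags any compression directive
            findings.append((name, "compression can leak plaintext via packet length"))
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append(("tls-auth", "no HMAC on the TLS control channel; add tls-auth"))
    if "client-to-client" in d:
        findings.append(("client-to-client", "VPN clients can reach each other; drop if unneeded"))
    return findings

if __name__ == "__main__":
    for directive, finding in audit(SERVER_CONF):
        print("%-18s %s" % (directive, finding))
```

To check the real file instead of the excerpt, pass the contents of /etc/openvpn/openvpn.conf to audit().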
Set up routing from the VPN to the Raspberry Pi’s interface to allow access to the outside. Be sure to change the IPADDRESS_OF_RPI to the correct local IP.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to IPADDRESS_OF_RPI
To enable packet forwarding even after reboots, you must uncomment the following line in your sysctl.conf:
Uncomment the following:
service openvpn restart
Modify the rc.local file to update iptables on reboots:
Make sure to change IPADDRESS_OF_RPI to the correct local IP. ifconfig eth0 will show you the IP address.
iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source IPADDRESS_OF_RPI
Setting up OpenVPN Client on Android
You can find the application in the Google Play Store.
Install and open it up:
Click on the plus symbol to add a new connection.
Under server address add the public IP address.
Under the drop-down menu “Types”, select “Certificates”.
It is now time to add the two certificates and key file that were generated on the server. There are various ways to transfer the certs from the Raspberry Pi to your Android phone.
I ended up using WinSCP from a local computer on the network to copy the files and then put them into Dropbox so that my phone could easily access them. An alternative way to get the files onto the phone is to set up an SSH server on the phone. Dropbear SSH server would work. Then use something like SCP to copy the certs and key straight from the Raspberry Pi to the Android device.
Go back to the main screen of OpenVPN and select your new connection.
A prompt will appear asking you to trust this application; check the box and click OK.
If all goes as intended, you should see “Connected:SUCCESS”.
At this point the VPN tunnel is up and running. All data that leaves your phone will tunnel back to your VPN server. This results in a safer browsing experience when using public wireless.
I hope this tutorial was useful for you. If you experience any problems during the setup just leave a comment and I will get back to you.