
Published on April 5th, 2013 | by Kalen Wessel


Raspberry Pi OpenVPN and Android

During the month of May and half of June, Thomas and I will be traveling all over Europe. During the trip we will be spending a fair share of time in hostels, 90% of which offer free WiFi. This is great since I won’t have much of a data plan while I am over there. The downside is the security risk that comes with using an open access point. To mitigate the risk of plaintext traffic from my phone being intercepted, I will be using a VPN tunnel back home. This will add a layer of protection to all my network traffic and keep prying eyes off any sensitive data.

I’ll be using OpenVPN for both the server and client because it offers an open source server and a simple Android client application, which makes setting up the connection relatively painless.

Since the VPN needs to be up and running 24/7 and I don’t want to waste energy, I’ll be using a Raspberry Pi to host the server. Let’s get started:

Setting up OpenVPN Server on Raspbian

Login as root first:


Start by installing the OpenVPN and OpenSSL packages using apt-get:

apt-get install openvpn openssl

Move into the OpenVPN directory and copy the easy-rsa configuration folder:

cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa

Using whichever text editor you prefer, open the vars file:

nano easy-rsa/vars

Modify the line which points to the EASY_RSA directory so that it matches the following:

export EASY_RSA="/etc/openvpn/easy-rsa"

Save the file. Now run the vars file:

. ./easy-rsa/vars

You should see a prompt telling you to run clean-all; do so:


Move into the easy-rsa directory and create a symbolic link for the OpenSSL configuration file:

cd easy-rsa
ln -s openssl-1.0.0.cnf openssl.cnf

Time to create the certs:



./build-key-server server


./build-key client-name




Create the file openvpn.conf:

cd ../
nano openvpn.conf

Paste in the following:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS"
push "dhcp-option DNS"
log-append /var/log/openvpn
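
Text copied from a web page often carries typographic quotes, and values can go missing along the way, so it is worth linting openvpn.conf before starting the service. The script below is an added example, not part of the original guide; the function names, check codes and sample input are constructed for illustration, and the 2048-bit floor for DH parameters is this example's choice, following current guidance.

```shell
#!/bin/sh
# Added example, not from the original guide: lint an OpenVPN server config.
# Prints one "LINE:CODE[:detail]" finding per line; exit status 1 if any.
lint_openvpn_conf() {
    LC_ALL=C awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    {
        line = $0
        # Typographic quotes are not quotes to OpenVPN or the shell. Flag
        # them, then normalise so the remaining checks still apply.
        if (gsub(/“|”|‘|’/, "\"", line)) { print NR ":smart-quote"; found++ }
        # A DNS push with no resolver address gives clients nothing to use.
        if (line ~ /dhcp-option[ \t]+DNS[ \t]*"?[ \t]*$/) {
            print NR ":dns-no-address"; found++
        }
        # easy-rsa names the DH file after its size, e.g. dh1024.pem.
        if ($1 == "dh" && match($2, /dh[0-9]+\.pem$/)) {
            bits = substr($2, RSTART + 2, RLENGTH - 6) + 0
            if (bits < 2048) { print NR ":weak-dh:" bits; found++ }
        }
        if ($1 == "server" || $1 == "server-bridge" ||
            ($1 == "mode" && $2 == "server")) srv = 1
    }
    END {
        # Without one of these directives OpenVPN is not a multi-client server.
        if (!srv) { print "0:no-server-directive"; found++ }
        exit (found > 0)
    }' "$@"
}

# Constructed sample input; the resolver address is taken from the
# 192.0.2.0/24 documentation range.
sample_conf() {
    cat <<'EOF'
dev tun
proto udp
port 1194
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
push “redirect-gateway def1"
#set the dns servers
push “dhcp-option DNS"
push "dhcp-option DNS 192.0.2.53"
EOF
}

sample_conf | lint_openvpn_conf || true
```

Against a real file, call it as `lint_openvpn_conf /etc/openvpn/openvpn.conf`.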

Set up routing from the VPN to the Raspberry Pi’s interface to allow access to the outside. Be sure to change IPADDRESS_OF_RPI to the correct local IP.

iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to IPADDRESS_OF_RPI

To enable packet forwarding even after reboots, you must uncomment the following line in your sysctl.conf:

nano /etc/sysctl.conf

Uncomment the following:


Restart OpenVPN:

service openvpn restart

Modify the rc.local file to update iptables on reboots:

nano /etc/rc.local

Make sure to change IPADDRESS_OF_RPI to the correct local IP; ifconfig eth0 will show you the IP address.

iptables -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source IPADDRESS_OF_RPI
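
The forwarding and NAT steps above, collected into one script that refuses to build a rule with a missing or malformed address and adds the rule only once. This is an added example, not code from the original guide; the VPN subnet 10.8.0.0/24, the address 192.168.0.50 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumptions: VPN clients sit in
# 10.8.0.0/24, the LAN interface is eth0, and 192.168.0.50 is a constructed
# stand-in for IPADDRESS_OF_RPI.

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# is_cidr NET/PREFIX: succeed for an IPv4 network with a prefix of 0-32.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    p=${1#*/}
    case "$p" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$p" -le 32 ]
}

# nat_rule SUBNET IFACE PI_IP: print the POSTROUTING rule spec. Fails when a
# field is empty or malformed, since an empty -s would consume the next option.
nat_rule() {
    is_cidr "$1" && [ -n "$2" ] && is_ipv4 "$3" || return 1
    printf '%s\n' "-s $1 -o $2 -j SNAT --to-source $3"
}

# apply_nat SUBNET IFACE PI_IP: needs root.
apply_nat() {
    spec=$(nat_rule "$@") || { echo "bad arguments" >&2; return 1; }
    # Runtime switch only; the sysctl.conf line keeps it across reboots.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # -C tests for an identical rule so reruns do not stack duplicates.
    iptables -t nat -C POSTROUTING $spec 2>/dev/null ||
        iptables -t nat -A POSTROUTING $spec
    # NAT rules are in the nat table; plain "iptables -L" shows only filter.
    iptables -t nat -S POSTROUTING
}

if [ "${1:-}" = apply ]; then
    apply_nat "${2:-10.8.0.0/24}" "${3:-eth0}" "${4:-}"
else
    nat_rule 10.8.0.0/24 eth0 192.168.0.50   # dry run with constructed values
fi
```

Run with no arguments it only prints the rule; `apply SUBNET IFACE PI_IP` as root makes the changes.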

Setting up OpenVPN Client on Android

You can find the application in the Google Play Store.

OpenVPN Android APP

Install and open it up:

OpenVPN - Main Screen

Click on the plus symbol to add a new connection.

OpenVPN - Connection Name

Under server address add the public IP address.

Under the drop down menu “Types” select “Certificates”.

OpenVPN - Config

It is now time to add the two certificates and key file that were generated on the server. There are various ways to transfer the certs from the Raspberry Pi to your Android phone.

I ended up using WinSCP from a local computer on the network to copy the files and then put them into Dropbox so that my phone could easily access them. An alternative method of getting the files onto the phone is to set up an SSH server on the phone. Dropbear SSH server would work. Then use something like SCP to copy the certs and key straight from the Raspberry Pi to the Android device.

OpenVPN - Types

Go back to the main screen of OpenVPN and select your new connection.

A prompt will appear asking you to trust this application; check off the box and click OK.

OpenVPN - Trust Connection

If all goes as intended you should see “Connected:SUCCESS”

OpenVPN - Connection Success

At this point the VPN tunnel is up and running. All data that leaves your phone will tunnel back to your VPN server. This results in a safer browsing experience when using public wireless.

I hope this tutorial was useful for you. If you experience any problems during the setup just leave a comment and I will get back to you.


24 Responses to Raspberry Pi OpenVPN and Android

  1. Gavin Steed says:

    Did you leave out the step ./build-dh ?

    • Kalen Wessel says:

      I did. Thank you for catching that. You run ./build-dh after you create the client key. I’ve updated the guide.

  2. francesco says:

    I followed the tutorial and I’m able to connect successfully to the raspberry (I can see Samba shares, files etc..). Unfortunately my internet traffic is not re-routed from the raspberry to the internet…any idea..?

    • Kalen Wessel says:

      Can you confirm you uncommented this line? This allows the rpi to forward traffic through it.

      nano /etc/sysctl.cong
      Uncomment the following:


      • francesco says:

        yes, I did it during my first attempt (should it be nano /etc/sysctl.conf ?)

        I was wondering…when I enter the rules for the iptable (manually or via rc.local) they should be visible with
        sudo iptables -L
        instead I can’t see any rules there….not sure if this is relevant..
        thanks for your help

        • francesco says:

          ok I think I’m getting there….
          if I connect to the OPENVPN server from my LAN it works perfectly: I can go on the internet via the raspberry no problem…the problem is when I try to access the VPN from the internet and route the traffic back out. I suspect it may have to do with the home router…? not sure

  3. Pingback: Do you have rogue Internet gateways in your network? Check it with nmap, (Sat, Jul 20th) | CyberSafe NV

  4. Pingback: Do you have rogue Internet gateways in your network? Check it with nmap, (Sat, Jul 20th) | perfectbacon.com

  5. Pingback: Do you have rogue Internet gateways in your network? Check it with nmap, (Sat, Jul 20th) | Tech Info..

  6. Yusuf says:

    Wouldn’t it be better to install the VPN server directly on your router by using DD-WRT? Just thinking out loud that it may be a better approach

    • Kalen Wessel says:

      You definitely could do that. But depending on what model of router you have you might be limited on resources. This was at least the case with my router, it simply didn’t have the capacity to run OpenVPN.

  7. Yusuf says:

    Informative article nonetheless and an interesting use of raspberry pi :)

  8. Alex says:

    I am trying to follow the instructions but I get stuck on the:

    “…Now run the vars file:”
    . ./easy-rsa/vars

    The error I get is:

    pi@raspberrypi /etc/openvpn $ . ./easy-rsa/vars
    -bash: ”/etc/openvpn/easy-rsa”/whichopensslcnf: No such file or directory
    NOTE: If you run ./clean-all, I will be doing a rm -rf on ”/etc/openvpn/easy-rsa”/keys

    If I try to run ./clean-all I get:

    pi@raspberrypi /etc/openvpn $ ./clean-all
    -bash: ./clean-all: No such file or directory

    So where am I going wrong???

  9. Pingback: Do you have rogue Internet gateways in your network? Check it with nmap, (Sat, Jul 20th) | IT Security

  10. mark-os says:

    You can try easyvpn-pi:

    To install:
    Connect to raspberry with ssh

    sudo apt-get update
    sudo apt-get -y install ca-certificates
    git clone https://github.com/mmsystems/easyvpn-pi
    cd easyvpn-pi
    chmod +x easyvpn-pi.sh

    Follow the onscreen instructions.

    • Kalen Wessel says:

      That’s a nice looking shell script to simplify the setup process. Thanks for sharing!

    • Dominic Martin says:

      I’d recommend anyone following this script try this. I ended up with some connection errors related to the certificate after following the main guide. In frustration I tried this script. It made things work. Even better, it creates a settings file used by the official Openvpn app for android, iOS, etc (which isn’t the same one that this guide talks about). You don’t need to input the settings manually, just import the file and click connect.

  11. Great post!! You have explained in very details of setting up open VPN on Android. Your tutorial has made it a little bit easier. Thanks for posting such great information.

  12. sam says:

    Hi Kalen,
    Sorry, you have really good instructions but I just want to make sure something, I am kind of not clear on…
    In the openvpn.conf file you have network so that means your Pi interface is on this network?

    If my pi is connected to network (internal) at home for so that is the network I will be setting up in the openvpn.conf file? When I connect VPN I will get IP address from network, right? it will then bring me to my home network and then I can access all my resources from my home LAN?

    Thank you.

    • Kalen Wessel says:

      Hey Sam,

      What will happen is when you connect to the VPN you will be assigned an IP like 10.8.0.x. If you want to communicate with machines on the 192.168.0.x subnet you will need to make some additions to the config and iptables.
      Read the following: OpenVPN Policies specifically look at the “System Administrators” class example since that best matches what you are looking to do.


  13. Dominic Martin says:

    Thank you for the guide. Some people may have more luck if they perform the following before the first su command.
    sudo passwd
    This will set the password so that the su command will work. I encountered problems trying to use sudo before the commands in the guide but if you can perform that first su, it’s ok.

  14. Bunz says:

    There is a typo where it says: nano /etc/sysctl.cong instead of nano /etc/sysctl.conF
