
Published on April 5th, 2013 | by Kalen Wessel


Raspberry Pi OpenVPN and Android

During May and half of June Thomas and I will be travelling all over Europe, spending a fair share of the time in hostels, 90% of which offer free WiFi. This is great since I won’t have much of a data plan while I am over there. The downside is the security risk that comes with using an open access point. To keep any plaintext traffic from leaving my phone unprotected I will be using a VPN tunnel back home. This adds a layer of protection to all my network traffic and keeps prying eyes off any sensitive data.

I’ll be using OpenVPN for both the server and the client, because they offer an open source server and a simple Android client application, which makes setting up the connection relatively painless.

Since the VPN needs to be up and running 24/7 and I don’t want to waste energy, I’ll be using a Raspberry Pi to host the server. Let’s get started:

Setting up OpenVPN Server on Raspbian

Log in as root first:

su

Start by installing the OpenVPN and OpenSSL packages with apt-get:

apt-get install openvpn openssl

Move into the OpenVPN directory and copy the easy-rsa configuration folder:

cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa

Using whichever text editor you prefer, open the vars file:

nano easy-rsa/vars

Modify the line which sets the EASY_RSA directory so that it matches the following (use plain straight quotes; typographic quotes copied from a web page will break the script):

export EASY_RSA="/etc/openvpn/easy-rsa"

Save the file. Now run the vars file:

. ./easy-rsa/vars

You should see a prompt telling you to run clean-all; do so:

./easy-rsa/clean-all

Move into the easy-rsa directory and create a symbolic link for the OpenSSL configuration file:

cd easy-rsa
ln -s openssl-1.0.0.cnf openssl.cnf

Time to create the certs:

./build-ca


./build-key-server server


./build-key client-name


Build the Diffie-Hellman parameters:

./build-dh

Create the file openvpn.conf:

cd ../
nano openvpn.conf

Paste in the following:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo

Set up NAT from the VPN subnet to the Raspberry Pi’s interface so that clients can reach the outside. Be sure to replace IPADDRESS_OF_RPI with the Pi’s local IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to IPADDRESS_OF_RPI

To keep packet forwarding enabled across reboots you must uncomment the following line in /etc/sysctl.conf:

nano /etc/sysctl.conf

Uncomment the following so that it reads net.ipv4.ip_forward=1 (run sysctl -p afterwards to apply it without rebooting):

#net.ipv4.ip_forward=1

Restart OpenVPN:

service openvpn restart

Modify the rc.local file so the iptables rules are re-applied on reboot:

nano /etc/rc.local

Add the following lines above the final exit 0. Be sure to replace IPADDRESS_OF_RPI with the Pi’s local IP; ifconfig eth0 will show you the address. The ACCEPT rule belongs in the default filter table, not the nat table:

iptables -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source IPADDRESS_OF_RPI
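The checks below are added here as an example and are not from the original post: they verify the three things the server steps above depend on (no typographic quotes in vars or openvpn.conf, forwarding enabled, the SNAT rule actually loaded). File paths are passed as arguments so the same functions run against the live Pi or against saved copies.

```shell
#!/bin/sh
# Added sanity checks for the server setup above (not part of the original
# post). Each check reads a file, so it can be pointed at the live system
# (/etc/openvpn/openvpn.conf, /proc/sys/net/ipv4/ip_forward, a file holding
# `iptables-save -t nat` output) or at saved copies. 0 = pass, 1 = fail.

# 1. Typographic quotes in easy-rsa/vars or openvpn.conf break parsing; this
#    is what produces the "whichopensslcnf: No such file" error quoted in
#    the comments below. Search for the UTF-8 bytes of the curly quotes.
check_no_curly_quotes() {
    lq=$(printf '\342\200\234'); rq=$(printf '\342\200\235')
    if grep -nF -e "$lq" -e "$rq" "$1"; then
        echo "FAIL: curly quotes in $1, replace them with straight \"" >&2
        return 1
    fi
    return 0
}

# 2. Without forwarding, clients reach the Pi's own services but nothing
#    beyond it (the symptom reported in the comments below).
check_ip_forward() {
    [ "$(cat "$1")" = "1" ] && return 0
    echo "FAIL: $1 is not 1; set net.ipv4.ip_forward=1 and run sysctl -p" >&2
    return 1
}

# 3. The SNAT rule must be in the nat table. $1 = iptables-save output,
#    $2 = VPN subnet. Plain `iptables -L` does not show it; use `-t nat -L`.
check_snat_rule() {
    grep -qF -- "-A POSTROUTING -s $2 -o eth0 -j SNAT --to-source" "$1" \
        && return 0
    echo "FAIL: no SNAT rule for $2 in $1; rc.local rules not loaded?" >&2
    return 1
}

# Run all three: $1 = openvpn.conf, $2 = ip_forward file, $3 = nat dump.
run_checks() {
    rc=0
    check_no_curly_quotes "$1" || rc=1
    check_ip_forward "$2" || rc=1
    check_snat_rule "$3" 10.8.0.0/24 || rc=1
    return $rc
}

# On the Pi:  iptables-save -t nat > /tmp/nat.txt
#   run_checks /etc/openvpn/openvpn.conf /proc/sys/net/ipv4/ip_forward /tmp/nat.txt
```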

Setting up OpenVPN Client on Android

You can find the application in the Google Play store.

[Screenshot: OpenVPN Android app in Google Play]

Install and open it up:

[Screenshot: OpenVPN main screen]

Click on the plus symbol to add a new connection.

[Screenshot: OpenVPN connection name]

Under server address add the public IP address of your home connection. Your home router must also forward UDP port 1194 to the Raspberry Pi, otherwise the VPN will only be reachable from inside your own LAN.

Under the drop down menu “Types” select “Certificates”.

[Screenshot: OpenVPN config]

It is now time to add the two certificates and the key file that were generated on the server: ca.crt, client-name.crt and client-name.key from /etc/openvpn/easy-rsa/keys. There are various ways to transfer them from the Raspberry Pi to your Android phone.

I ended up using WinSCP from a local computer on the network to copy the files and then put them into Dropbox so that my phone could easily access them. An alternative method of getting the files onto the phone is to set up an SSH server on the phone; Dropbear SSH server would work. Then use something like SCP to copy the certs and key straight from the Raspberry Pi to the Android device. Whichever way you choose, remember that client-name.key is a private key: delete it from Dropbox or any other intermediate location once it is on the phone.

[Screenshot: OpenVPN types]
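A single-file alternative to copying the three files around, added here as an example and not part of the original post or of the OpenVPN project: the script below bundles ca.crt, client-name.crt and client-name.key into one client-name.ovpn with inline certificates, which OpenVPN for Android can import directly. It assumes the easy-rsa keys directory from the steps above and the port, proto and comp-lzo settings of the openvpn.conf above; the remote-cert-tls line is an added hardening setting the original setup does not have.

```shell
#!/bin/sh
# Added helper, not from the original post: bundle ca.crt, client-name.crt
# and client-name.key from easy-rsa into a single client-name.ovpn with
# inline certificates, so only one file has to reach the phone. The
# remote-cert-tls line is an addition the original client setup lacks.

# Print only the PEM block of a file; easy-rsa .crt files start with a
# human-readable dump that the client does not need.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# $1 = client name (the argument given to ./build-key), $2 = server public
# IP or hostname, $3 = keys directory (defaults to the easy-rsa path above).
# Writes $1.ovpn into the current directory and prints its name.
make_android_profile() {
    name=$1; host=$2; keys=${3:-/etc/openvpn/easy-rsa/keys}
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    out="$name.ovpn"
    (   # subshell: the profile embeds the private key, so create it 0600
        umask 077
        {
            echo "client"
            echo "dev tun"
            echo "proto udp"
            echo "remote $host 1194"        # port/proto from openvpn.conf above
            echo "nobind"
            echo "persist-key"
            echo "persist-tun"
            echo "remote-cert-tls server"   # only accept a cert made by build-key-server
            echo "comp-lzo"                 # server has comp-lzo, client must match
            echo "verb 3"
            echo "<ca>";   pem_only "$keys/ca.crt";    echo "</ca>"
            echo "<cert>"; pem_only "$keys/$name.crt"; echo "</cert>"
            echo "<key>";  pem_only "$keys/$name.key"; echo "</key>"
        } > "$out"
    ) || return 1
    echo "$out"
}

# On the Pi:  sh this-script.sh client-name YOUR_PUBLIC_IP
[ $# -ge 2 ] && make_android_profile "$@"
```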

Go back to the main screen of OpenVPN and select your new connection.

A prompt will appear asking you to trust this application; check the box and click OK.

[Screenshot: OpenVPN trust connection prompt]

If all goes as intended you should see “Connected:SUCCESS”

[Screenshot: OpenVPN connection success]

At this point the VPN tunnel is up and running. All data that leaves your phone will tunnel back to your VPN server. This results in a safer browsing experience when using public wireless.

I hope this tutorial was useful for you. If you experience any problems during the setup just leave a comment and I will get back to you.



About the Author

is a multidisciplinary systems administrator. Whether it's auditing network security, implementing scalable systems, or providing technical services, he makes it his focus to perform due diligence on all his tasks.



18 Responses to Raspberry Pi OpenVPN and Android

  1. Gavin Steed says:

    Did you leave out the step ./build-dh ?

    • Kalen Wessel says:

      I did. Thank you for catching that. You run ./build-dh after you create the client key. I’ve updated the guide.

  2. francesco says:

    Hi
    I followed the tutorial and I’m able to connect successfully to the raspberry (I can see Samba shares, files etc..). Unfortunately my internet traffic is not re-routed from the raspberry to the internet…any idea..?
    Thanks
    F

    • Kalen Wessel says:

      Can you confirm you uncommented this line? This allows the rpi to forward traffic through it.

      nano /etc/sysctl.conf
      Uncomment the following:

      #net.ipv4.ip_forward=1

      • francesco says:

        yes, I did it during my first attempt (should it be nano /etc/sysctl.conf ?)

        I was wondering…when I enter the rules for iptables (manually or via rc.local) they should be visible with
        sudo iptables -L
        instead I can’t see any rules there….not sure if this is relevant..
        thanks for your help
        F

        • francesco says:

          ok I think I’m getting there….
          if I connect to the OPENVPN server from my LAN it works perfectly: I can go on the internet via the raspberry no problem…the problem is when I try to access the VPN from the internet and route the traffic back out. I suspect it may have to do with the home router…? not sure

  6. Yusuf says:

    Wouldn’t it be better to install the VPN server directly on your router by using DD-WRT? Just thinking out loud that it may be a better approach

    • Kalen Wessel says:

      You definitely could do that. But depending on what model of router you have you might be limited on resources. This was at least the case with my router; it simply didn’t have the capacity to run OpenVPN.

  7. Yusuf says:

    Informative article nonetheless and an interesting use of raspberry pi :)

  8. Alex says:

    I am trying to follow the instructions but I get stuck on the:

    “…Now run the vars file:”
    . ./easy-rsa/vars

    The error I get is:

    pi@raspberrypi /etc/openvpn $ . ./easy-rsa/vars
    -bash: ”/etc/openvpn/easy-rsa”/whichopensslcnf: No such file or directory
    NOTE: If you run ./clean-all, I will be doing a rm -rf on ”/etc/openvpn/easy-rsa”/keys

    If I try the run ./clean-all I get:

    pi@raspberrypi /etc/openvpn $ ./clean-all
    -bash: ./clean-all: No such file or directory

    So where am I going wrong???

  10. mark-os says:

    You can try easyvpn-pi:
    https://github.com/mmsystems/easyvpn-pi

    To install:
    Connect to the raspberry with ssh

    sudo apt-get update
    sudo apt-get -y install ca-certificates
    git clone https://github.com/mmsystems/easyvpn-pi
    cd easyvpn-pi
    chmod +x easyvpn-pi.sh
    ./easyvpn-pi.sh

    Follow the onscreen instructions.
