How to install a VPN server on a Raspberry Pi

Captions
Hey, what's up? This is Ryan coming to you again about some neat technology that could hugely increase business operations at your own startup company. Do you have internal printers, file systems, private applications, or anything like that? Do you wish you or your employees could access remotely, yet securely, from home? Well, you've come to the right place. This video will show you how to get an open source VPN installed on hardware that you can purchase for less than a hundred dollars. It's an optimal solution for startup companies like ours that have around 15 or fewer people needing to access internal systems remotely.

Let me start by showing you our setup. This is our server room. While most of our systems are hosted in AWS, you can see we have a handful of Raspberry Pis for various purposes. The ones on the left are a Kubernetes cluster used for demos and training if we ever lose internet connectivity. Subscribe to our channel if you want to see a video on the setup of that. Today's video, though, is going to cover the smaller, simpler Raspberry Pi that acts as a VPN server, allowing our employees to work from home while maintaining connectivity to our office network.

To start off, let's begin by plugging the microSD card into our computer to format it with a fresh Pi operating system. To download and install the Raspberry Pi operating system, open a new browser and go to raspberrypi.org, their website. Locate and click on the Downloads link. In my case, I'm going to choose the installer for macOS. You'll also see installers for different operating systems here as well. After the installer has downloaded, open or run the installer file. In my case, since it's a Mac, it's as simple as choosing Open and then dragging the application icon to the Applications folder. Then, in a new Finder window, open up Applications and double click on Raspberry Pi Imager to start the app. Oh wait, what? This thing came from the internet? Of course, where else did you expect it to come from? Click Open to continue.

Once the application finally comes up, click on Choose OS to select the operating system we want to install on the Raspberry Pi. As you can see, the recommended one comes with the desktop included. We don't really want that, though, so instead choose Raspberry Pi other, and on this screen you'll see a list of available Raspberry Pi operating systems. In our case, we want to choose the one with no desktop environment. As you can see, it takes up a whole lot less space than the version that has the desktop included. So click on Raspberry Pi OS Lite and then click on Choose SD Card. Since we've already plugged it into our computer, we should see that as an option. Make sure you choose the SD card intended for the Raspberry Pi. Then, lastly, click on the Write button to begin the process. It's going to ask for your password in order to proceed. This is merely so the application has access to the SD card. After you've typed your password, press Enter or click OK. Once the installation is complete, you may remove the SD card from the USB device. The last thing you need to do is insert the SD card back into your Raspberry Pi to continue the setup process.

When you first turn the Raspberry Pi on, you're going to see a couple of raspberry logos at the top of the screen, followed by a lot of text scrolling through. That's just loading up different systems and services. After that text is finished scrolling by, you'll be presented with a logon prompt, and for now we're just going to use the default username and password. Username is pi, the password is raspberry, r-a-s-p-b-e-r-r-y.

Once you've logged in, we're going to set up SSH so we can connect to the Raspberry Pi remotely. To get SSH enabled, we type sudo raspi-config. In the configuration, SSH is kind of in a weird spot. I would expect it to be under Network Options, but it's actually in here under Interfacing Options. So we choose this, and as you can see, SSH is the second option on this screen. So we're going to load this up, and it says, do you want SSH to be enabled? Obviously we're going to say yes, but one other thing we want to pay attention to is this caution. It does mention that the default password is a security risk, so that's something we'll have to change after we get the SSH turned on. So for now, we just push Enter to say yes to enable SSH. Now that it's enabled, push Enter to go back, and it's going to take us to the main screen, and right here press Enter to change the user password, and press Enter again to enter a new password. So it's asking us what we want it to be. Obviously we're going with the word password. Actually, that's not what I did, but make sure you pick something that's secure for your needs. Push OK to accept these changes and we're back to this screen. So to get out, we push the right arrow. That'll move us to our Select and Finish options, and we're just going to say Finish because we're done.

And now that we've turned SSH on, we can shut down the Raspberry Pi, put it in its permanent home, and then we can connect to it from our normal computer to do the rest of the configuration. So to shut down the system, we need to type sudo shutdown now.

Using the static or reserved IP address for the Raspberry Pi, we are now going to SSH into the system to get the PiVPN service installed. To do so, from a terminal window on your computer, we're going to type ssh pi, which is the username, at the static or reserved IP address that you have for your system. In my case, it's 192.168.0.18, and that I've got set up as a reserved IP address on my router. Then it's going to ask for the password, and this is what we set up when we were on the raspi-config screen.

PiVPN can be found if we go to pivpn.io. This website has lots of information, including the details of how to install PiVPN on your Raspberry Pi, as well as technical information, including different configuration options you can change along the way. For our purposes right now, we're just going to use this curl command at the very top of the page. So I'm going to copy this, and if I go back to the Raspberry Pi, all I have to do is paste that in. Installation of the PiVPN will take several minutes, so just sit back and I'll fast forward through the installation process until the next part where user input is required.

Here we are at the first prompt. For this part, obviously, we're just going to say OK. The next step is going to walk us through setting up the static IP for the Raspberry Pi. Since I'm doing this at the router level, I'm kind of going to skip through this part a little bit and just leverage DHCP. In your case, if you statically assign the IP address to the Raspberry Pi, you can leave that as is. If you haven't done either option, you can let the wizard walk you through getting the static IP address assigned to the Raspberry Pi for you. In my case, since I've configured the router to always assign the same IP address to the Raspberry Pi, I'm going to say yes, I want to keep using DHCP.

The next screen here is going to help us configure the user account on the Raspberry Pi that's going to retain all the VPN configurations we create. In our case, we only have the pi user, so if we continue on, that's our only choice here. We're just going to press Enter to retain the pi user as that option.

For installation mode, we're going to stick with OpenVPN. To do that, we just press the down arrow and then the space bar to select that, and then we press Enter to make our selection for OpenVPN. Then, for the protocol selection, we're going to keep this on UDP. It generally provides for a faster, more pleasant VPN experience for your end users. To do this, we just press Enter to continue. For the OpenVPN port, we're going to leave this set to the default as well, 1194. Just press Enter. Yes, I want to keep this, it's what I just said.

The DNS provider is what will be used when your end users connect to your VPN. If you have complex DNS for your internal domain, you probably already know what you need to set here, and you're going to end up picking the custom option. For most cases, though, you're probably going to pick one of these options in the list. In my case, I'm going to go with Google, so I'm just going to scroll down using the arrow buttons, and when I find Google, I'll press the space bar to make that choice and then press Enter to make the final selection. And again, for a custom search domain, this kind of relates to the DNS option on the previous screen, and since I don't have an internal DNS setup, I'm going to stick with the default option of No and just proceed. If, again, you have some complex internal DNS setup, you probably do want to say yes, and then you probably also already know how to set those options.

It's usually nicer and easier and more user friendly to have a DNS entry take you directly to your VPN, so for our case we're going to choose DNS Entry by using the down arrow, pressing the space bar, and then pressing Enter to make the selection. That takes us to the entry screen here, where we type in our domain name that points to our VPN server. Once you've typed that in, go ahead and press Enter to say OK. You'll get a confirmation screen here asking if that's correct. Most likely it is, but it's always wise to double check this one to make sure you typed it correctly. If it's good to go, press Enter to say yes.

This next screen for installation mode is basically asking if you want to use newer, more modern and faster types of encryption versus older and slower encryption for VPN. If this is a new setup for your VPN system and you're going to have new clients connected to it, you're more than likely going to say yes and use the new fast way. If you currently have older VPN clients connecting to your server, you probably want to say no to use the older RSA version of encryption. In our case here, we're just going to say yes to use the new one. For certificate size, as the screen kind of already says, 256 is a good recommended level and probably more than sufficient for our needs, so I'm going to keep this just by pressing Enter and proceeding. Then on this screen, obviously, I'm just going to press Enter to say OK while the PiVPN system generates those certificates.

Lastly, since this VPN server is going to be constantly running, it is nice to have it do frequent security updates by itself, so for this I'm going to say yes, I do want that installed. I'm going to continue by pressing Enter, and here, where it asks if I really want to, obviously I'm saying yes. The installation is now complete, and on the screen it has information on how I can add new VPN users. So keeping those commands in mind, I press Enter to complete the installation, and lastly it suggests a reboot, which is a really good idea, so I'm going to press left to choose Yes and then press Enter to initiate the reboot. Doing so is going to kick me off of the PiVPN server, and that's okay.

There are some other configuration options that you might need to change for your use case on the PiVPN server. For more details of what those options are and what they do, please refer to the technical information section on the PiVPN website. You might also find more information on OpenVPN's website as well. Depending on what configuration changes you make, that may have an impact on the files that are created when you create a new VPN user. Some of these changes include things like how internet traffic is routed once the end user is connected to your network.

After waiting just a few moments, the Pi server is probably rebooted, and we're going to try and reconnect to it so we can create our first VPN user. To do so, we just use that ssh command again, so ssh pi at and then the IP address that you have either statically or reserved for the Pi server, and then again it's going to prompt for the password. Once you've typed that in, you should see your prompt where it says pi at raspberrypi. That indicates you have successfully connected via SSH to your Pi server again. And once connected, if you type the command pivpn and press Enter, if all went well with the installation, you should see a screen similar to this.

To add our first user, we're going to type pivpn -a and press Enter. The system will then walk us through a series of prompts to create our first VPN user. The first prompt is the name for the client, so I'm just going to type my name and press Enter. The next prompt asks how long the certificate should be valid for. In this case, it's roughly three years, and that's good enough for me, so I'm just going to press Enter. The last prompt here asks for a password that the VPN user is going to have to type in when they first set up their VPN client to connect to this server. This should be a fairly secure password that no one else can guess. Make sure it's a strong and secure password. After typing that in and pressing Enter, it's going to have you confirm the same password, and after you've verified that password, it should say that the user is successfully created.

To confirm that, if I type pivpn -l, that will give me a list of all users that have been created, including the server itself. So as we look here, the first entry is the server, and then after that are any users that we've created. Additionally, from the output above, when it created the user, you will note that it has the directory where it saved the configuration file to. That's something that we're going to need to copy from the VPN server to our local system so we can hand out to our end users for their use. If we take a look at that directory, we'll see that there's one file in there right now, and this is the configuration file for the user that we just set up. This is what we'll need to copy to our system.

So I'm going to do that in a different tab. I already have another terminal window open, and we're going to use a command called scp. It's for secure copy over SSH. Similar to the ssh command, we'll type scp, the username at the IP address of the PiVPN server, in my case it's 192.168.0.18, and then we're going to do a colon followed by the path of where the file is located. In our case, it's in home/pi/ovpns/ryan.ovpn. And since this is a copy command, the next parameter is the destination file, so I'm just going to copy it to my local directory here by typing space period. When I push Enter, it's going to ask me for the password for the pi user, just like when we try to connect over SSH, and after I type that in, it should show the status of the copy. And if I look at the current directory to see this file, there it is. It's now copied to my local system and I can use it to connect to our VPN server.

In order to connect, we first need to install some client software. This is the same as your end users installing software on their remote workstations so they can connect to your network through the VPN server. Since I'm using a Mac, a common client for this is called Tunnelblick, so if I search for that, it should be the first thing that pops up. I'm going to go straight to Downloads and I'm going to select the stable option. So if I click on this, it should initiate the download. Once downloaded, all I have to do is open this file and then double click to begin installation. Normally you'd probably want to follow the instructions further down on their website for verifying downloads. This just ensures that what you downloaded is safe for you to install. We can do that by running the shasum command. I previously did that before recording this video, so I'm very sure that this download's safe, but I suggest you do this yourselves.

So back to the installer. If I double click, it's going to show me this ridiculous message again saying it came from the internet. I know that, I just downloaded it, so I'm going to say Open, and it's going to ask for my password, and that should begin installation. Once the installation is complete, you should see the icon for Tunnelblick up in your system bar. The easiest way to configure our VPN client, however, is by opening up our Finder window and locating the file that we downloaded from the VPN server earlier. In my case, it's ryan.ovpn. I can take this file and just drag it up to the top and drop it on the Tunnelblick icon. Doing so is going to ask how I want to get this installed. In my case, I only want this available to me, because VPN is a secure thing and I don't want all users being able to connect to my network as me, so in this case I'm going to choose the default option, Only Me. Here it's going to ask for my password. This is the password to my local system. This is not the password that we set up and secured the ovpn file with. And that should bring up a message saying that the configuration was successfully completed, and if that's true, if we click on this, I have an option now for Connect ryan.

Before I connect, though, I want to switch over to this other window real fast and demonstrate how this connectivity makes a difference. What we're looking at here is a query that runs against the database located in my office network, but right now I'm actually recording this video from my house. So if I try to run this query, it'll sit here for a while and it's eventually going to time out because there's no connectivity. In some cases, depending on your network connection, you might actually see a connection failure message pop up almost immediately. And this is pretty much what we would expect. We don't want people outside of our main office network connecting to our internal systems, but that's kind of exactly what VPN provides you, though. Any users who are properly authenticated and that you trust to be connected to your office, they can connect via the VPN and then should be able to do any normal office activities from their remote location.

So after having seen this fail, if I now go up here and try to connect, we're going to get a prompt just this first time, and this is because I haven't saved this password in the keychain and we just set up this user configuration. This password it's asking for, or more specifically passphrase, this is what we set up when we first created the user on the PiVPN using that pivpn command. So with that password, I'm going to save in the keychain so I won't have to remember it again, and then I'm going to click OK. It should start connecting automatically, but if it doesn't, you can always click on the Tunnelblick icon up top and then choose Connect and then your username. As it's connecting, you'll see a status indicator in the top right corner, and once that's connected, this is where it gets really neat. That same query I was trying to run earlier, I am now connected to my VPN at my office, so when I try to run this, I will actually get some results coming back, just as if I were sitting there in the office.

As you've just seen, I'm able to conduct day-to-day business operations even though I'm at home, thanks to this VPN connectivity. This functionality can easily help your business maintain operations if employees are unable to physically come into the office.

A couple of things to note, however, about this startup-scale VPN. Be sure to use strong passphrases when setting up VPN users, and avoid sending the generated user configuration files through public email. Better options could include putting it on a USB drive for them to copy and then being sure that that file is deleted once they're done with the copy, or you could leverage a secure file share platform like Box, Microsoft OneDrive or Google Drive. Just don't be dumb about how you transfer the file to anybody. Remember, those configuration files you created are just like passwords. Anyone that has it can potentially get into your VPN and onto your network.

Secondly, depending on your internet connectivity options, you might experience slowness in your normal activities while connected through VPN. Once connected, you are at the mercy of the upload bandwidth of your office. You can get more information on OpenVPN's website on how to route traffic if this becomes an issue for you.

Check the video's description for links to Raspberry Pi hardware kits and other resources that we covered in this video, and as always, please subscribe to our channel to get notified of other cool how-to videos we'll come up with. Thanks again for watching.
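
The closing advice in the captions, that a generated .ovpn file is as sensitive as a password, can be checked before a profile leaves the server. The script below is an added example, not part of the video or of PiVPN; the helper names are hypothetical, the sample profiles are constructed, and it assumes the private key is embedded inline in a `<key>` block and that a hardened profile carries the standard OpenVPN directive `remote-cert-tls server`.

```sh
#!/bin/sh
# Added example: audit an OpenVPN client profile (.ovpn) before handing it out.
# file_mode, key_state, audit_ovpn and write_sample are hypothetical helper names.

# Octal permission bits of a file (GNU stat, falling back to BSD/macOS stat).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Classify the inline <key> block as "encrypted", "plain" or "missing".
key_state() {
    awk '/^<key>/    {k = 1; next}
         /^<\/key>/  {k = 0}
         k && /^-----BEGIN / {found = 1}
         k && (/^-----BEGIN ENCRYPTED PRIVATE KEY-----/ || /^Proc-Type: 4,ENCRYPTED/) {enc = 1}
         END {print (!found ? "missing" : (enc ? "encrypted" : "plain"))}' "$1"
}

# audit_ovpn FILE: print one line per finding; the exit status is the finding count.
audit_ovpn() {
    _f=$1; _n=0
    [ -r "$_f" ] || { echo "FAIL: cannot read $_f"; return 1; }

    # The profile is a credential, so group and others get no access at all.
    case "$(file_mode "$_f")" in
        *00) ;;
        *) echo "FAIL: file mode allows access by other local users"; _n=$((_n + 1)) ;;
    esac

    # With an encrypted key, a stolen file alone is not enough: the passphrase is needed too.
    case "$(key_state "$_f")" in
        encrypted) ;;
        plain) echo "FAIL: private key is not passphrase-encrypted"; _n=$((_n + 1)) ;;
        *) echo "FAIL: no inline <key> block found"; _n=$((_n + 1)) ;;
    esac

    # remote-cert-tls server makes the client reject non-server certificates.
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$_f" ||
        { echo "FAIL: remote-cert-tls server is missing"; _n=$((_n + 1)); }

    [ "$_n" -eq 0 ] && echo "OK: $_f"
    return "$_n"
}

# Write a constructed sample profile (placeholder key body, not a real key).
# $1 = output path, $2 = PEM label such as "ENCRYPTED PRIVATE KEY".
write_sample() {
    printf '%s\n' client 'proto udp' 'remote vpn.example.com 1194' \
        'remote-cert-tls server' '<key>' "-----BEGIN $2-----" \
        'Q09OU1RSVUNURUQ=' "-----END $2-----" '</key>' > "$1"
}

# Demo on two constructed profiles.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/good.ovpn" 'ENCRYPTED PRIVATE KEY'; chmod 600 "$demo_dir/good.ovpn"
write_sample "$demo_dir/bad.ovpn" 'PRIVATE KEY'; chmod 644 "$demo_dir/bad.ovpn"
audit_ovpn "$demo_dir/good.ovpn" || true
audit_ovpn "$demo_dir/bad.ovpn" || true
rm -rf "$demo_dir"
```
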
Info
Channel: Sketch Development
Views: 5,477
Keywords: VPN, Server, RaspberryPi, Howto
Id: ptsphp79CdQ
Length: 23min 13sec (1393 seconds)
Published: Wed Sep 30 2020