Monday, September 29, 2014

OpenVPN & Raspberry Pi auto-installer

Openvpn server on your Raspberry PI

From wikipedia:
OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.
What that means is that openvpn will allow you to safely and securely route your internet traffic through an untrusted network to a trusted one. It does this by encrypting your traffic so nobody can read it until it goes out from your openvpn server.
There are some benefits to this:
  1. Prevent others from snooping on your traffic.
  2. Access websites that are blocked by your work, school, or oppressive governments.
  3. Access assets on your home network from anywhere.
This auto-install script will turn your raspberry pi into an openvpn server so you can browse the internet safely and securely.
Then why use it? Because sometimes you end up on insecure networks (think starbucks, stadiums, etc). This will protect your privacy in those situations. It will not prevent people from finding you if you are stupid and do something illegal.

Running the installer

The auto-installer is completely automated and can be run directly from the web.
From your raspberry pi:
# Set the user
$ OPENVPN_USER='stephen.openvpn.local'

# Run the installer
$ curl "" | sudo bash

The default key size is 4096 bits long. You can change the key size by exporting the KEY_SIZE variable before running the installer:

# Change the key size to something other than 4096
$ KEY_SIZE=2048

Remember that you should always inspect these types of files before ever running them. You can download it locally and run it like so:
# Download the file
$ wget ""

# Make sure it's legit
$ less bootstrap

# Execute it
$ chmod +x bootstrap
$ sudo ./bootstrap stephen.openvpn.local

What's the installer do

The installer script will download openvpn and generate all of the necessary root certificates for you. Then it will generate and sign a new certificate for a user. Lastly it will create the ovpn file and place it in /root/client_<some_user>.
All you need to do is download that file into your openvpn client software and you'll be able to safely and securely connect to the host.


I've included a Vagrantfile for you to run tests. Simply clone the repo and then run:
$ vagrant up
==> default: Forcing shutdown of VM...
==> default: Destroying VM and associated drives...
==> default: Running cleanup tasks for 'shell' provisioner...
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'wheezy64'...
==> default: Make sure that your firewall allows incoming UDP connections to port 1194.
==> default:
==> default: The last thing necessary is to securely copy the configuration file over to your
==> default: computer and then load it. The configuration file is located at:
==> default:
==> default:   /root/client_test.ovpn
The vagrant guest will be running the openvpn server. You can pull down the client file and connect to it locally.

Clone the repo

Edit: 2014-12-23

The original bootstrap was missing some iptables rules that allowed the raspberry pi to masquarade and forward IP. I've updated the script and everything should be working out of the box now.


  1. This comment has been removed by the author.

  2. Hi Stephen,

    Awesome piece of work - saves me an hour each time now! Thank you!.

    A couple of quick questions -

    - what changes would be needed to the script to force the use of 2048 keys?
    - If I needed to issue more than one client key, how would I do that?

    many thanks

    1. Thanks. It should be easy to use a 2048-bit key but you'll need to regenerate your certificate authority and keys.

      Download the script and change these lines to match the new key:

      When the installer is done, you'll need to open up the server config and change the key name to have 2048 in it.

      I think I'll just update the script to use 4096-bit keys. Check back soon :)

    2. I've made the default key size 4096 in the newest branch of master.

  3. hi Stephen,

    After the succesfull install I've added another user to my Raspberry. Guess I now have to add this user to the VPN. Can I run the script again?

    1. It's much easier than that. Since the openvpn's configuration has "auth-user-pass" enabled, all you need to do is create a user for them on your host. When they attempt to connect to the VPN, they'll be prompted to enter a user and password. That's the same password you create for them.

      If you want to remove access simply remove their user or disable their password by running "passwd -l ". They won't be able to make it past the login.

    2. Sorry I forgot to mention. In order to be required to use a user and password, you'll want to add the following line to the end of your server.conf file and restart the service:

      "plugin /usr/lib/openvpn/ login"

  4. thanks, the sudo user create went wrong, working perfect now!

  5. Hey, awesome script, but once I imported the ovpn to my software, its asking for a username and password. Is the username and password from the raspberry pi, or did i miss a step in installing the script?

  6. this is what i get
    Wed Dec 30 04:45:41 2015 WARNING: No server certificate verification method has been enabled. See for more info.
    Wed Dec 30 04:45:41 2015 LZO compression initialized
    Wed Dec 30 04:45:41 2015 Control Channel MTU parms [ L:1558 D:1212 EF:38 EB:0 ET:0 EL:3 ]
    Wed Dec 30 04:45:41 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Dec 30 04:45:41 2015 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
    Wed Dec 30 04:45:41 2015 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Wed Dec 30 04:45:41 2015 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Wed Dec 30 04:45:41 2015 Local Options hash (VER=V4): '66096c33'
    Wed Dec 30 04:45:41 2015 Expected Remote Options hash (VER=V4): '691e95c7'
    Wed Dec 30 04:45:41 2015 UDPv4 link local: [undef]
    Wed Dec 30 04:45:41 2015 UDPv4 link remote: [AF_INET] X.X.X.X:1194
    Wed Dec 30 04:45:41 2015 MANAGEMENT: >STATE:1451468741,WAIT,,,

    i wait then it restarts saying
    Wed Dec 30 04:51:56 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Dec 30 04:51:56 2015 TLS Error: TLS handshake failed
    Wed Dec 30 04:51:56 2015 TCP/UDP: Closing socket
    Wed Dec 30 04:51:56 2015 SIGUSR1[soft,tls-error] received, process restarting
    Wed Dec 30 04:51:56 2015 MANAGEMENT: >STATE:1451469116,RECONNECTING,tls-error,,
    Wed Dec 30 04:51:56 2015 Restart pause, 2 second(s)

    I read that the TLS error is because there is a firewall or something..... i have added the whole openvpn to allow everything on the windows firewall. just cant seem to figure it out please help.