How to run your own OpenVPN server on a Raspberry PI
In this short article I will explain how to set up your own VPN (Virtual Private Network) server on a Raspberry PI with OpenVPN. After we set up the server, we will set up an obfuscation server to disguise the fact that our traffic is VPN traffic. This will help us evade some forms of censorship.
Why use a VPN?
First, let’s talk about why you may want to use a VPN server:
- Avoid man in the middle attacks. If you have a malicious user on your local network — even your roommate — that person is able to monitor your unencrypted traffic and tamper with it.
- Hide your internet activity from your ISP (Internet Service Provider) or University, in my case.
- Unblock services. My University blocks all UDP (User Datagram Protocol) packets. This means that I cannot use any application that communicates via UDP. I can’t use my email client, play games, or even use Git!
I decided to set up a VPN on my home internet using a Raspberry Pi. This way I can connect to my home network while I’m at the University. If you need a VPN server in another country, you can buy a $5/month virtual private server from DigitalOcean. You can use my referral link in order to get $10 off — that’s two months of free VPN. But you don’t have to use it if you don’t want to.
This step is really easy, because we will use a shell script to do it for you. So you just have to “press” next and finish.
The installation will take a long time, depending on the key-size you chose. On my Raspberry Pi 3 Model B, it took about 3 hours.
Please go to this repository and then follow the instructions:
OpenVPN-install — Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS, and Arch Linux
If you don’t know the IP address of your server, just put 0.0.0.0. I’ve chosen 443 for the port and TCP (Transmission Control Protocol) for the protocol.
Note: This is very important because my university only allows TCP/80 and TCP/443 ports, the rest are pretty much blocked. Also Obfsproxy only works with TCP, so make sure you choose TCP!
After the script has finished, you’ll get an .ovpn file. It can be imported in your favourite VPN client, and everything should work out of the box.
Testing the connection
Import the .ovpn file in your VPN client and change the IP 0.0.0.0 to the local IP of your Raspberry PI. Depending on your network configuration it may be of the form 192.168.*.*.
Note: This will only work if you are connected to the same WiFi as the Pi is.
I’ve configured my router so the PI always gets a reserved IP address. You may have to check out your router settings if you want to do something similar.
If the connection is successful, congratulations, you now have a VPN server! But, you cannot access it from outside… yet.
If you only want an OpenVPN server without the obfuscation proxy, then you can skip to Port Forwarding.
Obfuscation Proxy Install
Obfs4 is a scrambling proxy. It disguises your internet traffic to look like noise. Somebody who snoops on your traffic won’t actually know what you’re doing, and it will protect you from active probing attacks which are used by the Great Firewall of China.
Note: This method won’t work if your adversary allows only whitelisted traffic :(
Let’s install the proxy server now.
0. Install the required package:
1. Create a directory that will hold the configuration.
2. Create the configuration file.
In the configuration file, you will paste the following things:
TOR_PT_SERVER_BINDADDR is the address on which the proxy will listen for new connections. In my case it is 0.0.0.0:444. Why 444 and not 443? Because I don’t want to change the OpenVPN server configuration, which is currently listening on 443. Also, I will map this address to 443 later using Port Forwarding.
TOR_PT_ORPORT should point to the OpenVPN server. In my case, my server runs on 127.0.0.1:443
3. Create a SystemD service file.
Then paste the following contents into it:
4. Start the Obfuscation proxy.
Now, make sure that OpenVPN is running and run the following commands in order to start the proxy and enable it to start on boot.
5. Save the cert KEY
After the service has started, run the following command and save the cert KEY.
The key is of the form Bridge obfs4 : cert=KEY iat-mode=0. You will need it when you’re connecting to the VPN.
6. Testing the connections.
Open up your VPN client and change the port from 443 to 444 in order to connect to the proxy instead of the OpenVPN server.
After that, find the Pluggable Transport option in your OpenVPN client and see if it supports obfs4.
If everything works, then you’re all set! Congratulations! Only a few more things to tweak before using this VPN from the outside world.
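A consistency check for the configuration file from step 2, as an added example that is not part of the original article. It assumes the file holds KEY=VALUE lines and that TOR_PT_SERVER_BINDADDR is written in the pluggable-transport form `obfs4-HOST:PORT`; the function names and sample values are made up here.

```shell
# Added example: sanity-check an obfs4proxy environment file before starting
# the service. File layout (one KEY=VALUE per line) is an assumption.

pt_get() {   # pt_get FILE KEY -> prints the value of KEY (last one wins)
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

check_pt_env() {   # prints one line per finding, returns 0 only if none
    bind=$(pt_get "$1" TOR_PT_SERVER_BINDADDR)
    orport=$(pt_get "$1" TOR_PT_ORPORT)
    transports=$(pt_get "$1" TOR_PT_SERVER_TRANSPORTS)
    rc=0
    [ -n "$bind" ] && [ -n "$orport" ] || { echo "missing BINDADDR or ORPORT"; return 1; }
    # The bind address is written "<transport>-<host>:<port>".
    case $bind in
        "$transports"-*) ;;
        *) echo "BINDADDR transport does not match TOR_PT_SERVER_TRANSPORTS"; rc=1 ;;
    esac
    bind_port=${bind##*:}
    or_host=${orport%:*}
    or_port=${orport##*:}
    # OpenVPN already listens on the ORPORT port, so the proxy needs its own.
    [ "$bind_port" != "$or_port" ] || { echo "proxy port equals OpenVPN port $or_port"; rc=1; }
    # A non-loopback ORPORT sends the de-obfuscated stream across the LAN.
    case $or_host in
        127.*|localhost) ;;
        *) echo "ORPORT host $or_host is not loopback"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample using the ports from this article (444 proxy, 443 OpenVPN).
sample=$(mktemp)
printf '%s\n' 'TOR_PT_SERVER_TRANSPORTS=obfs4' \
    'TOR_PT_SERVER_BINDADDR=obfs4-0.0.0.0:444' \
    'TOR_PT_ORPORT=127.0.0.1:443' > "$sample"
check_pt_env "$sample" && echo "config looks consistent"
rm -f "$sample"
```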
In order to access the OpenVPN server from the outside world we need to unblock the ports, because they are most likely blocked. As you remember, I have reserved my PI’s IP address on my router to always be 192.168.1.125 so it doesn’t change if the PI disconnects or if the router reboots.
This way I have defined the following rules in my Port Forwarding table:
The outside port 443 will point to the obfuscation’s server port 444. If you don’t have an obfuscation server, then leave 443->443.
The port 25 will point to the PI’s SSH port 22. This is only for my own convenience.
In case I want to access the OpenVPN server directly without the obfuscation proxy, I have created a rule 444->443
The service port is the OUTSIDE port that will be used with your PUBLIC IP address. To find your public IP, use a service like whatsmyip.com.
The internal port is the INSIDE port. It can be used only when you are connected to the network.
Note: The first rule is saying redirect all the connections from PUBLIC_IP:443 to 192.168.1.125:444
- Find your public IP and replace your old IP with the public IP in the .ovpn file or in the VPN client.
- Connect to the VPN.
In most cases, your IP will change because it’s a dynamic IP. A way to overcome this is to create a small program on the PI that saves your IP and sends you an email every day or so. You may also store the IP in an online database such as Firebase.
My router has Dynamic DNS setting. This way I can use a service provider like NoIP and get a domain like example.no-ip.com that will always point to my public IP address.
If you have any questions hit me up on Twitter.
How to Set Up OpenVPN on a Raspberry Pi
Today we are going to look at how to set up OpenVPN on a Raspberry Pi.
Setting up OpenVPN on a Raspberry Pi is fairly straightforward due to PiVPN. The PiVPN project allows you to easily and securely install WireGuard or OpenVPN on a Raspberry Pi. Before looking at how to set up OpenVPN on a Raspberry Pi, you must ensure that you have a DDNS hostname or static IP address. This will be covered in the steps below.
1. How to Set Up OpenVPN on a Raspberry Pi
The process below will look at how to set up OpenVPN on a Raspberry Pi.
1. Run the command below to install PiVPN.
2. The first screen will inform you that you need to set a static IP address. It’s best to set a static IP address in your router’s settings, as you are ensuring that DHCP does not try and give this address to any other devices.
However, certain routers (mostly ISP-provided ones) do not allow you to complete DHCP reservations. If you can’t set a static IP address for your Raspberry Pi in your router, set a static IP address on the Raspberry Pi by selecting No and following the instructions. I specified a static IP address in my router so I selected Yes.
3. You will now need to select a local user. If you’ve created a different user (outside of the default pi user), you will have the option here. For most people, you will select the Pi user.
4. You will be brought to a screen that will inform you that PiVPN will allow you to install OpenVPN or WireGuard on a Raspberry Pi. Select OpenVPN and then OK.
5. The next section will have a few default settings. My recommendation is to keep these settings, but if you intend on changing any of them, select yes. The suggested approach is to select No to proceed.
6. OpenVPN will now install!
7. The default port that OpenVPN uses is UDP 1194. If you would like to change this, you can do that here. Select OK and then select Yes to confirm the port settings are correct.
8. You now need to select the DNS provider you’d like to use. Select Custom if you’d like to use your own DNS server (Pi-hole/AdGuard Home, etc.), or any of the public DNS providers if you don’t want to use a local DNS server.
9. You will now be prompted to use your public IP address or public DNS entry. If you have a static IP address, you are free to use this address. However, if you have a dynamic external IP address, you will need to set up DDNS. You can learn how to do that here.
10. If you selected to use a dynamic DNS address, you can enter that information here. At the next screen, select Yes to confirm that it is correct.
11. You will be prompted that the server key and HMAC key will be generated. Select OK.
12. The next step will tell you that the VPN Server will check for unattended upgrades, and a periodic reboot will be required. This is a great option. Enable unattended upgrades (unless you have a good reason not to) and proceed. The packages will now install.
13. The installation is now complete! Reboot your Raspberry Pi. The next section will explain how you can set up VPN profiles.
1.1 OpenVPN Profile Creation – How to Set Up OpenVPN on a Raspberry Pi
1. Creating a profile is very easy thanks to PiVPN. Run the command below to start the profile creation.
2. Enter a name for your client. You will then be asked how long the certificate will last. Most people will use the default 1080 day certificate, but this can be adjusted if you’d like. Then, enter and verify a password for the client. The profile will then be created!
3. You can access the profile by navigating to the ovpns folder.
4. It is recommended that you transfer this file locally, meaning by using a network share or an external USB stick. The reason is that your .ovpn file contains a certificate at the bottom. While simply having this file won’t allow you to connect (you still need the password defined above), it’s still recommended that you do your best to keep it local to the device using it. With that disclaimer, if you want to email it to yourself, that’s another option as well.
Follow the instructions below if you’d like to mount an external USB drive to your Raspberry Pi and move the .ovpn file.
5. Make a directory to mount the external USB drive to.
6. Find the drive by name. You will have to use the device name.
7. Mount the drive to the folder location and copy the file! NOTE: Make sure that you replace /dev/sda1 and the .ovpn file with your device name and file name.
8. The file will now exist on your external USB drive!
1.2 Port Forwarding – How to Set Up OpenVPN on a Raspberry Pi
We now need to port forward UDP port 1194 on our router to our Raspberry Pi. Now, port forwarding will be completely different on every brand’s router settings page. This is a great guide that shows how to port forward on a few different brands of routers, but the best thing to do is try and google the name of your router and port forwarding. Example: Netgear port forwarding
- Create a port forwarding rule for UDP port 1194 to your Synology NAS’s IP address. In the example below, 192.168.1.220 is the IP address of my Synology NAS.
Assuming that you were able to open UDP port 1194 successfully, the port configuration is now complete!
1.3 OpenVPN Configuration – How to Set Up OpenVPN on a Raspberry Pi
This section is important for future steps (so you know what kind of profiles you’d like to create). We will be creating either a split-tunnel VPN, a full-tunnel VPN, or both in later steps.
Split-Tunnel VPN: Traffic is only sent through your network if it is attempting to access an internal resource. Your IP address when navigating to a site outside of your network will be the IP address of the network that you are currently on.
Full-Tunnel VPN: All traffic is sent through your home network. Your IP address for internal and external requests will be your home network’s IP address.
I created a very basic image below that explains this, but we will look at how to configure both in later steps. It’s important to note that both connection types will allow you to access your local network. This only shows how traffic is routed differently to external networks.
NOTE: This is not the exact network flow. I am simplifying the process as much as I can.
1.3.1 OpenVPN Config File Change for Split-Tunnel
By default, the OpenVPN config file is set as full-tunnel. If you’re interested in setting up a Full-Tunnel and Split-Tunnel VPN profile, create two different .ovpn config files. In the Split-Tunnel config file, add the data below.
NOTE: If you create a Split-Tunnel profile, you must change the 192.168.1.0 IP address to use your local subnet. 192.168.1.0 and 192.168.0.0 are the most common, but you might have changed this to something different.
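One way to derive the split-tunnel profile from an existing full-tunnel .ovpn file, as an added example that is not the author's original snippet. It uses OpenVPN's `route-nopull` and `route` directives; the function names, the demo file and the 192.168.1.0/255.255.255.0 subnet are assumptions to replace with your own.

```shell
# Added example: print a split-tunnel copy of a full-tunnel profile.
# Usage: make_split_profile full.ovpn 192.168.1.0 255.255.255.0 > split.ovpn

is_ipv4() {   # true only for dotted quads with octets 0-255
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

make_split_profile() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    is_ipv4 "$2" && is_ipv4 "$3" || { echo "bad subnet or netmask" >&2; return 1; }
    # A 0.0.0.0 route would push all traffic into the tunnel again.
    [ "$2" != "0.0.0.0" ] || { echo "refusing default route" >&2; return 1; }
    awk -v net="$2" -v mask="$3" '
        function emit() {
            print "route-nopull"                      # ignore routes pushed by the server
            print "route " net " " mask " vpn_gateway" # only the home LAN uses the tunnel
            done = 1
        }
        # Drop client-side full-tunnel lines and stale split-tunnel lines.
        /^[ \t]*(redirect-gateway|route-nopull)([ \t]|$)/ { next }
        $1 == "route" && $2 == net { next }
        # Plain options end where the first inline block (<ca>, <cert> ...) begins.
        /^</ && !done { emit() }
        { print }
        END { if (!done) emit() }
    ' "$1"
}

# Constructed demo profile (placeholder content, not a real configuration).
demo=$(mktemp)
printf '%s\n' client 'dev tun' 'remote vpn.example.test 1194 udp' \
    'redirect-gateway def1' '<ca>' 'CONSTRUCTED-PLACEHOLDER' '</ca>' > "$demo"
make_split_profile "$demo" 192.168.1.0 255.255.255.0
rm -f "$demo"
```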
1.3.2 OpenVPN Client Configuration – How to Set Up OpenVPN on a Raspberry Pi
Setting up OpenVPN on the client is very simple as soon as you have the .ovpn file added to the device.
1. Download the OpenVPN client software for your device here.
2. Select the add button at the bottom and then choose File. You should now be prompted to browse for the .ovpn file that we created earlier. Upload the file and then enter the private key password that we created earlier.
3. You should now be able to connect to your VPN from an outside network and access your local resources! If you created two profiles (one for Split-Tunnel and one for Full-Tunnel), you will have to do this twice.
2. Conclusion – How to Set Up OpenVPN on a Raspberry Pi
This tutorial showed how to set up OpenVPN on a Raspberry Pi using PiVPN. PiVPN makes it easy to set up WireGuard as well, so check out my tutorial on that if you haven’t yet! This is my preferred approach for accessing my local network from an outside network. While services can be exposed using a reverse proxy server or port forwarding, this is generally the more secure option.
Thanks for checking out the tutorial on how to set up OpenVPN on a Raspberry Pi. If you have any questions on how to set up OpenVPN on a Raspberry Pi, please leave them in the comments! You can also leave a comment on the YouTube video if you have any questions on how to set up OpenVPN on a Raspberry Pi!
This Post Has 11 Comments
Hi! I’m having issues when I try to connect to my OpenVPN. I’m running pihole and pivpn on the same device. Not sure why I’m getting this issue, any help would be highly appreciated. I’m using dynu for DDNS, used one of their subdomains. It seems to be syncing fine but when I run the .sh file and do cat logfile then I’m getting “nochg”, not sure what does that mean but it still keeps to be syncing online on the website everyday though. I’m leaving the logs below, please have a look:
3/9/2021, 3:49:51 PM OpenVPN core 3.git::58b92569 win x86_64 64-bit built on Feb 10 2021 15:20:23
3/9/2021, 3:49:52 PM Frame=512/2048/512 mssfix-ctrl=1250
3/9/2021, 3:49:52 PM UNUSED OPTIONS
4 [resolv-retry] [infinite]
8 [verify-x509-name] [XX-RPIServer_927bf58e-58a0-4503-924b-68806a85ea0f] [name]
12 [verb] 
3/9/2021, 3:49:52 PM EVENT: RESOLVE
3/9/2021, 3:49:52 PM EVENT: WAIT
3/9/2021, 3:49:52 PM Contacting “myip”:PORT via UDP
3/9/2021, 3:49:52 PM WinCommandAgent: transmitting bypass route to “myip”
“host” : “”myip””,
“ipv6” : false