- Raspberry Pi 4 Private Internet Access
- Raspberry Pi Private Internet Access Control
- Connect To Raspberry Pi Remotely
- Raspberry Pi Private Internet Access System
- Free Vpn For Raspberry Pi
- Raspberry Pi Private Internet Access Router
- Raspberry Pi Private Internet Access Device
- Control your Raspberry Pi from anywhere with VNC Connect remote access software: it's completely free for personal use and up to 5 devices. If you need to use VNC Connect commercially or you want to connect to more than 5 devices, start a trial today.
- How to set up a VPN (Private Internet Access) in Raspberry Pi 1. If you don’t have done this already, you need to install OpenVPN. Sudo apt-get install openvpn 2. Move to the OpenVPN directory in / ect: cd /etc/openvpn 3. Download from the Private Internet Access website the zip folder.
- Access Your Raspberry Pi From Outside Your Home or Local Network. If you’ve ever tried to set up your Raspberry Pi as an Internet of Things device, you’ll know that unless you jump through some massive hoops, you’re stuck serving web pages and data on your local network.
You can connect to your Raspberry Pi over the internet from another computer or a mobile device. There are a number of ways to do this, which we cover below.
Dos And Don’t Of A Pi Server. My Pi Web server hosts a single Web page that connects to a MySQL.
One method is to set up port forwarding on your router. To do this, you must change the configuration of your router to forward all inbound traffic from the internet on a specific port to the local IP address of your Raspberry Pi. Most routers have this feature available. However, every router is different so you will need to consult your router's user manual for instructions. The settings can be tricky if your Pi is behind a firewall or if there is more than one router. One disadvantage of port forwarding is that it exposes a network port on your private LAN to the public internet. This is a known security vulnerability and must be managed carefully.
Rather than using port forwarding on your local router, there are a number of third-party online port forwarding services available. These provide varying levels of functionality - see their websites for more details.
Set up a private VPN using OpenVPN software on Ubuntu 20.04 LTS and Raspberry Pi 4. Light weight and cost effective security.
If you've followed along in my other tutorials, you're now familiar with setting up an Ubuntu server. But the other tutorials set up Ubuntu on the cloud. This time, we'll do it on-site with a neat little single-board computer that's been around for some time now. It's the tried and true Raspberry Pi.
But why on-site rather than on the cloud? The main reason is content. Some content providers limit access if through a cloud based VPN. But if your VPN is behind your home internet, then content is delivered to your device as if you're sitting comfortably at home.
If you choose to implement this on a cloud server. I'd recommend you set up your own server through a company like Linode, rather than using a VPN company. Though people at the public wifi may not be able to spoof your internet browsing, that VPN company now has all your data and browsing information. Even if they say they won't use it, why would you trust them?
Once you've set up your VPN, skip ahead and create a new VPN client file.
Ubuntu 20.04 on Raspberry Pi 4
First off, you have to get the Raspberry Pi 4. You can get them anwhere like at Target, Newegg, etc. There are several ways to install Ubuntu 20.04 LTS on Raspberry Pi 4. The Imager method didn't work for me. The PC I used to set up the SD Card was Ubuntu Desktop with the standard Gnome environment. The Raspberry Pi Foundation recommends a Class 6 micro SD card. Searching Newegg there were more choices when I included Class 6 and Class 10 (or UHS-I or U1). What worked is the following.
Go to the official Ubuntu on Raspberry Pi download page. I downloaded Ubuntu 20.04 for Raspberry Pi 4 - 64-bit. Note where you downloaded the file.
Insert the micro SD card into your PC. Assuming you are running Ubuntu Desktop on your PC, run the program
Disks. Select your SD card on the left panel. Click on the vertical
... up top next to the minimize button. Click on
Restore Disk Image.... Click on
(None) next to
Image to Restore. Select the file you downloaded above. Click on
Start Restoring.... For Windows, it might be easier to use the Raspberry Pi Imager but it didn't work for me with a Linux PC.
The official Ubuntu installation documentation talks about headless server install through wifi. Because I want to minimize risk of VPN failure, I will connect the Raspberry Pi 4 to the network by cable and not use wifi. Moreover, the Ubuntu official documentation for headless wifi set up just plain didn't work for me. If you want to use wifi, I leave it to you to figure these steps out yourself.
Unmount the SD drive, remove it from the PC and place it in the Raspberry Pi 4. Plug in the micro HDMI cord connected to a monitor, a keyboard into the USB and network cable into the ethernet port. Now plug in the USB-C power source.
Initial Ubuntu VPN login and settings
The initial login is
ubuntu for both username and password. You may have to wait a minute before the OpenSSH keys are created for the OS. It took a while for mine. I don't know why. After the first log in, it will ask you to create a different password. Remember this!!
Let's update and upgrade Ubuntu by running
sudo apt update && sudo apt upgrade. Create your own user, and be sure to replace
username with your own.
Add the new
username to group
sudo. This will allow you to do root/sudo commands. Again, be sure to replace
username with your own.
Log out as
ubuntu by running the command
exit. Login as your new
username. Delete the
ubuntu user by running the following command.
You may want to change your timezone to the one your are in physically. Do this by typing
sudo dpkg-reconfigure tzdata.
VPN Network Settings and Firewall
Here are some basic assumptions for network name (FQDN) and addresses. Please substitute your own where appropriate. The addresses here are made up but will be used consistently throughout. The ports are accurate. I will set up two VPN's in case one is blocked for whatever reason; but this is for another tutorial. We'll start with one for now. To minimize risk of blocking, we will use standard HTTP/HTTPS ports.
- You do not want or need to host a web server from home
- Public FQDN (WAN) pointing to home router: router.publicdomain.com
- Private FQDN (LAN) pointing to home router: router.private.home
- Private FQDN (LAN) pointing to Raspberry Pi VPN: vpn.private.home
- Public IP address assigned to the house: 220.127.116.116
- Private home router LAN IP address: 192.168.146.1
- Private Raspberry Pi VPN LAN IP address: 192.168.146.11
- Router port 80 will forward to VPN port 80 (why you can't host a web server)
- Router port 443 will forward to VPN port 443 (why you can't host a web server)
- Router port 50022 will forward to VPN port 22
The VPN will be a host in my router's local area network (LAN). I made this image for an older tutorial several years ago. The modem and router graphics are outdated, but the schematic still works.
The Raspberry Pi host name should be changed to conform to our settings above. Replace
vpn in the following command.
The LAN IP address assigned to the Raspberry Pi VPN for this tutorial will be
192.168.146.11. Make sure whatever IP address you use is accessible on your LAN; and make sure no other host is using that IP address. Alternatively, find out what IP address your DHCP assigned to the Raspberry Pi VPN. Regardless of what address you decide on, you must use that address instead of
192.168.146.11 example I give. Also be sure to replace the tutorial's router IP addresses
192.168.146.1 with whatever addresses your actual router/gateway uses.
Let's make sure the IP address is static and does not change any more. Either use the address you picked above, or stick with the DHCP one. For the DHCP, get the current IP address by typing
ifconfig. Look for the
inet address for
eth0. The network address is set up via netplan. Let's find out what configuration file we are using by typing
ls /etc/netplan. Use whatever file is listed there. It's probably the same, but let's go ahead and edit the file by typing
sudo nano /etc/netplan/50-cloud-init.yaml.
My netplan configuration file had some tips on preventing this file from being overwritten. If you don't see this in your configuration file, then just ignore it. It says to create the file by typing
sudo nano /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg.
Load up the new settings by typing
sudo netplan apply. Now that we have a static IP address, let's tell our VPN server it's okay to forward network traffic from one device (eth0 - ethernet cable) to another (tun0 - OpenVPN tunnel). Let's edit a configuration file by typing
sudo nano /etc/sysctl.conf.
The file has to be reloaded by typing
sudo sysctl -p.
Now let's do the firewall for our VPN. The only outside traffic we want additional to a basic set up are 80, 443 and 22. I don't use the default firewall ufw. Instead, I prefer the granular controllability allowed with iptables. The basic template of my iptables is based on the github examples by @jirutka.
Raspberry Pi 4 Private Internet Access
The following steps will turn off and disable ufw. Then download a service that allows the iptables rules be saved and reloaded correctly, when the server is reboot or shutdown. OK to save current iptables when prompted.
Copy-paste the iptables rules by @jirutka to a text editor. Modify any lines that you may want. If you don't need ipv6, then turn it off in Ubuntu. Look into this tutorial by linuxbabe. Now copy-paste these modified rules files to /etc/iptables/rules.v4 and /etc/iptables/rules.v6 (if using ipv6).
We have to make some edits to each file. Be sure to do it for both the
In case you happen to use the command sudo iptables-save, make sure you save the formatted rules files. That way you have them as reference. Otherwise, the command saves the iptables without any formatting.
At this juncture, we can make the server
headless. Be sure to logout by typing
exit, and then unplug the HDMI and keyboard cables. If you don't do this, somebody visiting your home can plug in and potentially do very bad things. Alternatively, you can type in the command
shutdown now, unplug everything and then plug in just the ethernet and power cables. You can now access your Raspberry Pi VPN through a remote terminal by typing
ssh [username]@[ip address] (substitute your own values for
[ip address]) on your LAN.
Router and DNS Settings
I don't have a dedicated IP address through my home internet service provider. I don't want to remember a numerical address, and so I use Dynamic DNS. This service updates my DNS registrar with my home IP address; so that when I access my WAN FQDN it points to my home network. With our assumptions/settings above, I would log into my domain registrar (e.g., Namecheap) and set up Dynamic DNS on the domain registrar server. I then set up a dynamic DNS client (ddclient) on my router. It's beyond the scope of this tutorial, but go Bing it to find out more. Read more here if you also use Namecheap Dynamic DNS with ddclient.
I set up a forwarding Bind9 DNS server on my home router. This DNS server forwards requests to my caching Bind9 DNS server on the cloud. To make my VPN host accessible by FQDN on my LAN, I need to create an
A RECORD on my home router's DNS. Using a separate terminal accessing your
router.private.home, update the router's Bind9 DNS db file by typing
sudo nano /var/cache/bind/router.private.home. Your file will be different. Make sure you edit your correct file and use your own LAN host and domain names. This is optional. You can always refer to your VPN by IP address.
After updating your router's DNS entries, reload the service by typing in the router terminal
sudo service bind9 reload for Ubuntu 18 or
sudo service named reload for Ubuntu 20. Test it out by typing
ping vpn.private.home. If you happen to change or update these
A RECORDS, you'll have to remember to update the serial number and flush the DNS cache by typing
sudo systemd-resolve --flush-caches.
Router Port Forwarding
Whenever traffic is sent from the world-wide-web to our public IP address, we want to make sure the VPN picks up the correct signals. Some public wifi put extreme restrictions on which ports they allow. Some businesses also restrict whether UDP is even allowed on some ports. To ensure we minimize the risk of public wifi blocking our traffic, we will mimic regular http or https website traffic. In other words, we will use TCP ports 80 and 443. Unfortunately, you will not be able to host a standard web server from home.
You will need to login to your router. Bing search your router model and port forwarding. You follow the proprietary guides for off-the-shelf routers. The rest of this section on port forwarding will be based on a custom built one. If you're all set with the proprietary port forwarding, then skip to the next section (Harden VPN SSH server).
My network has Ubuntu installed on the router. And so it should already be set up to forward IPv4 traffic. If you have an Ubuntu based router with IPv4 forwarding set up already, then we need to update our iptables to accomplish port forwarding.
Open a terminal and ssh into
router.private.home. Make a back up of your iptables by typing
sudo cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak. Let's edit the file by typing
sudo nano /etc/iptables/rules.v4.
Be sure the following lines are in the file. How it is organized is also important. You can add the
-A FORWARD lines with all the other
FORWARD chains. Be sure the lines with
-A PREROUTING and
-A POSTROUTING are after the
: (colon) entries under
*nat. The lines below are not a complete file. Do not just copy-paste this as your actual file. Your router will break. There are three sets of lines each for ports
While still in the
router.private.home terminal, let's load the new iptables rule by typing
Harden VPN SSH server
If you chose to modify your router's DNS records to include
vpn.private.home, you can now access your Raspberry Pi VPN through the LAN by typing
ssh [username]@vpn.private.home rather than using the
IP address. If you chose to do Dynamic DNS and set up port forwarding correctly, you can also access it through the world wide web by typing
ssh [username]@router.publicdomain.com -p 50022. Now go ahead and get back into a Raspberry Pi VPN terminal. Let's make sure only the users who have certificates get access to our server. Let's back up the configuration file.
In the nano editor, add the following lines to the top. For
[username] type in your own username.
Now that the ssh server daemon knows only you have access, let's restart the service. We'll also create a read-only folder and file for our SSH keys.
To create a ssh key, there are two basic methods I use: (1) Linux way and (2) Windows way. The Windows way is through the Putty and its keygen programs. I leave it to you to explore this option yourself.
For the Linux way, make sure you are on your local (laptop or desktop) device. At your
$ command prompt, type
ssh-keygen. You can use the default name or type in your own, but make sure it is saved in your
/home/[username]/.ssh/ directory. I use the default settings and save a password. The password is optional. I will assume you didn't change the default name, and a key-pair named
id_rsa was created. If you will be doing ssh to multiple remote servers/hosts, then I recommend creating a unique name for each.
Now we need to get the key we just created for the local machine readable to the remote (Raspberry Pi VPN) host. Use the command at your local (laptop or desktop) device
ssh-copy-id -i /home/[username]/.ssh/id_rsa [username]@vpn.private.home. Be sure to substitute your username inside the square brackets. Alternatively, you can copy the contents of the local
/home/[username]/.ssh/id_rsa.pub (via nano or cat) and paste it in the remote (Raspberry Pi VPN)
Install OpenVPN and Easy RSA CA
Let's install OpenVPN with haveged entropy and easy-rsa certificates. The versions as of the original publication of the blog are OpenVPN 2.4.7 and Easy-RSA 3.0.6.
We have to create the OpenVPN certificates that we will use for authorized traffic. We will use Easy RSA for this.
Build certificate authority.
We want to add some elliptic curve cryptography to our certificates. Could be faster according to DigitalOcean. Add the following lines anywhere.
Now we create the Easy RSA certificate authority (CA).
When prompted for
Common Name: enter something like
VPN CA. Now we build the Easy RSA server called VPN. We will also create an openvpn key.
Let's copy some of these keys to the OpenVPN configuration folder.
OpenVPN Server Configuration
Before we get to the configuration, we have to figure out our server's MTU. If you stick with the default MTU, you run the risk of severely slow throughput in the VPN. Instead of 30+ Mbps, you may get 3 Mbps instead.
You must use a remote host to test your VPN server's MTU. While on the remote host, use
ping to find the largest MTU. The following command is for Linux. You can search Bing for commands in Windows and Mac OS X. To find the right MTU, start with size
1500. Decrease the size by
10 (e.g., try
1490 next) if you see output like:
local error: Message too long,
1 packets transmitted, 0 received, +1 errors, 100% packet loss or anything similar. Keep decreasing by
10 until you have successful transmission. Be sure to replace the actual IP address of your server in the command.
You've found your MTU once the output shows a successful ping. For example,
1 packets transmitted, 1 received, 0% packet loss. Use this number in the
tun-mtu setting below.
We will now create the OpenVPN server configuration file. First, let's copy over the sample file as a back up. Be sure to read this file to understand what our configuration file means.
Now let's create the actual configuration file by typing
sudo nano /etc/openvpn/server.conf. These settings balance speed with encryption/validation overhead on the CPU. See Private Internet Access for their discussion. Also be sure to replace the MTU number above in the appropriate field.
Raspberry Pi Private Internet Access Control
Let's start the service and enable it.
OpenVPN Client Configuration
Connect To Raspberry Pi Remotely
Let's create a folder and basic configuration file as our template.
Be sure to read the back up file for pointers. But go ahead and enter the lines below. Be sure to put in your own IP address or FQDN for the public IP address, rather than
The client's certificates and keys will be concatenated together with the OpenVPN client configuration file. Let's create a bash file by typing
Make the file executable by typing
chmod 700 ~/client-configs/make_config.sh.
Raspberry Pi Private Internet Access System
Create VPN Client File
These are the steps to create the OpenVPN client file.
When delivering these client files to the end-user, please make sure you use secure methods. Sending it as an email attachment is not secure. It will be bounced around several servers. You put in so much effort already, all to be wasted by giving these files to these email MTA relays. I recommend delivering by private document server, USB flash drive or SFTP.
To revoke any clients, use the revoke command. I may update the tutorial to show this down the road.
VPN Client Customization
Free Vpn For Raspberry Pi
If the end-user has a Linux device, they must customize their OpenVPN file because of glitchy DNS handling. The main difference on DNS handling among Linux versions is
resolvconf. To find out, type
cat /etc/resolv.conf. If you see the following line, your system uses
Be sure to UNCOMMENT the semi-colons as appropriate for Linux OpenVPN client configuration files! If your client does use
systemd-resolved, then be sure to also run the following command on the client machine.
Raspberry Pi Private Internet Access Router
There are plenty of other tutorials out there to show you how to load OpenVPN on other clients like Windows, iOS and Android. Feel free to Bing it as well.
Raspberry Pi Private Internet Access Device
In the future, I want to try Tinc VPN or WireGuard; and do head-to-heads with OpenVPN. The speed is just so danged slow with OpenVPN.