Configure the tap interface
Open the file /etc/network.d/tap in nano, add the following lines, and then save the file:
INTERFACE='tap0'
CONNECTION='tuntap'
MODE='tap'
USER='nobody'
GROUP='nobody'
We then need to add the tap0 interface to our bridge, so edit /etc/network.d/bridge and change the bridge interfaces line to look like:
Finally, change the networks line in /etc/conf.d/netcfg to:
Notice that the tap network needs to be started first, so that it can be added to the bridge successfully.
Now that we have configured OpenVPN, we want to enable it permanently. Use the command ‘systemctl enable openvpn@server’ and then reboot the Pi to make sure that everything starts successfully from a clean boot. Our VPN is now configured, so we’re going to set up dynamic DNS and port forwarding so that we can access it from the internet.
Set up the dynamic DNS
Head over to www.no-ip.com/personal/ and sign up for the No-IP Free option. Once you have done that, don't bother downloading No-IP's client because we've already installed it. Go to your email inbox and follow the activation link that was just sent to you by No-IP. You can now sign into your account. Once you have logged in, select the 'Add a host' option. Choose a hostname and a domain to be part of from the drop-down list. Leave the host type as 'DNS Host' and then click the 'Create Host' button. For example, we used the hostname liam-ludtest with the domain no-ip.org, so we would access that using liam-ludtest.no-ip.org.
Run the command:
noip2 -C -Y
to be taken through interactive configuration of the No-IP client. We left the update interval to the default 30 minutes, meaning the client will check every 30 minutes for an IP address change. Once done, start the daemon with:
After a minute or two, your IP address will be accessible via your No-IP hostname. However, it’s likely that trying it from inside your house will simply take you to your router’s homepage.
NAT port forwarding
It is likely that there are multiple devices behind your router that all use the same external IP address. This is because of the shortage of IPv4 addresses, and also because it is more secure to segregate the internet from your internal home network. NAT (network address translation) forwards a port from the router’s external IP address to a computer on the LAN (local area network). In this case, we’ll want to forward any traffic for TCP port 22 that comes to your router’s external IP address to the IP address of your Raspberry Pi. TCP port 22 is the port used for SSH. SSH will provide remote access to your Raspberry Pi, and also access to any files on it via SCP (Secure Copy Protocol). You’ll also want to forward UDP port 1194, as that’s what OpenVPN uses.
The configuration of port forwarding really depends on the router that you are using, so you may have to look it up. The chances are that it will be hidden away in the 'Advanced' section of your wireless router. You should be able to access your router by typing your No-IP hostname into your web browser. If not, it should be at the address of your default gateway that we used earlier on.
On our router, we had to go to Advanced > NAT > Port Mapping and add a mapping (Fig 1). We then had to add a second mapping for OpenVPN, using port 1194 and specifying UDP rather than TCP as the protocol.
Install an OpenVPN client
We’ll use a virtual machine running Ubuntu 12.04 as our example VPN client. There are simply too many possible combinations to show them all. There are a couple of options that must be used on every client, however:
Use a TAP device
Use LZO data compression
Do not use the default gateway on the remote network (on Ubuntu, this is called 'Use this connection only for resources on its network'). This basically means 'don't tunnel my internet through this VPN'. If this option were disabled, the client's internet connection would not work, because we haven't configured our VPN to handle internet traffic.
Ubuntu uses Network Manager to configure its networks, so the instructions we give here should be almost identical to any other distribution that uses the same thing. Ubuntu doesn’t come with the OpenVPN plug-in for Network Manager by default, so we’ll need to start by installing it. From a terminal, run:
sudo apt-get update
sudo apt-get install network-manager-openvpn-gnome
Copy the required certificates to the client
We need three files from the Raspberry Pi to be able to connect successfully:
The certificate authority certificate
The client certificate
The client key
We’ll be using SCP to copy the files into the /etc/openvpn/keys directory:
cd /etc/openvpn
sudo mkdir keys
cd keys
sudo scp root@[Pi's IP address]:/etc/openvpn/easy-rsa/keys/ca.crt .
sudo scp root@[Pi's IP address]:/etc/openvpn/easy-rsa/keys/[client].crt .
sudo scp root@[Pi's IP address]:/etc/openvpn/easy-rsa/keys/[client].key .
sudo chmod +r *
Note that we use chmod to add read permissions because the files need to be readable by all users. We need to do this because the Network Manager GUI doesn’t run as root.
Create the VPN connection
Note that you'll probably want to be on a different subnet from your server; otherwise, it's likely you'll run into connectivity issues on the client because of the aforementioned routing problem. We worked around this problem while at home by using a virtual machine that's connected with NAT. As far as the virtual machine is concerned, it's on the 10.0.2.0/24 subnet.
Click on the Network icon in the top menu bar and click on the ‘Edit connections’ option. You will then be shown a window that has multiple tabs at the top. Go to the VPN tab and click ‘add’. Select OpenVPN as the connection type and then click on ‘Create’. Now fill in the appropriate information.
We need to set the advanced settings that we mentioned before:
Use a TAP device
Use LZO data compression
The final thing we need to set is the option to ‘Use this connection only for resources on its network’. To do this, go to the IPv4 Settings tab and click the Routes button. Tick the box for the aforementioned option and then click Okay. Once you have done this, you can Save your connection and close the Network Connections window.
Test your connection
Click on the Network icon in the menu, hover over the VPN Connections option and then click on the VPN that you just created. You should see a success message and a padlock as part of the Network icon. Open up a terminal and run ifconfig to check that the tap device has been configured with an appropriate IP address, and that you can ping a device behind the VPN.
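As an added example that is not part of the original article, the following POSIX shell script automates the check described above and additionally verifies that the 'Use this connection only for resources on its network' option took effect, by looking for a default route via the tap device. It assumes the interface is named tap0 and that iproute2 (`ip`) is available on the client; the command output embedded in it is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original article: checks a client-side OpenVPN
# TAP connection as in the "Test your connection" step, and also that the
# "only for resources on its network" option took effect (no default route via
# the tunnel). Parsers read command output from stdin so they run offline;
# "tap0" is the assumed interface name.

# Print the first IPv4 address on the named interface, parsed from
# `ip -4 addr` output on stdin. Prints nothing if none is assigned.
tap_ipv4() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+:/ { cur = $2; sub(/:$/, "", cur) }
        cur == want && $1 == "inet" { split($2, a, "/"); print a[1]; exit }
    '
}

# Succeed only if no "default" route in `ip route` output (stdin) uses the
# named device, i.e. internet traffic is not being pushed through the VPN.
default_route_not_via() {
    ! awk -v bad="$1" '
        $1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == bad) found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Live check against the running system (needs iproute2).
check_vpn() {
    iface="${1:-tap0}"
    addr=$(ip -4 addr show dev "$iface" 2>/dev/null | tap_ipv4 "$iface")
    [ -n "$addr" ] || { echo "$iface has no IPv4 address" >&2; return 1; }
    ip route | default_route_not_via "$iface" \
        || { echo "default route goes via $iface: internet will be tunnelled" >&2; return 1; }
    echo "$iface is up with $addr and does not carry the default route"
}

# Constructed sample output (a NAT'd VM client on 10.0.2.0/24, as in the
# article, bridged into a made-up 192.168.1.0/24 home LAN).
SAMPLE_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
3: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN
    inet 192.168.1.201/24 brd 192.168.1.255 scope global tap0'
SAMPLE_ROUTES='default via 10.0.2.2 dev eth0 proto static
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15
192.168.1.0/24 dev tap0 proto kernel scope link src 192.168.1.201'

printf '%s\n' "$SAMPLE_ADDR" | tap_ipv4 tap0   # prints 192.168.1.201
```

Run `check_vpn` (or `check_vpn tap1` for a differently named device) after connecting to test the live system; the sample-driven lines only exercise the parsers.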