How to Easily Configure a VPN on Raspberry Pi

Carsten Podszun
Last update
17. Feb 2021

You should never take the safety of your Internet connection for granted, especially when using a public network. So, why not take your home network everywhere with you? No, not by carrying your router under your arm, but with a VPN! Using Raspberry Pi as a VPN server is a particularly convenient way to do precisely this, and below we'll show you how.

A Raspberry Pi is an inexpensive mini-computer without a case, mouse, of any other of the traditional external accompaniments. Originally envisioned as a tool for helping children interactively learn about computers, they've since become popular for all sorts of routine functions owing to their low cost and ease of replacement. By configuring your Raspberry Pi as a VPN network, you'll be able to connect to it from anywhere, allowing you to surf without risks, or access data and files on your home network.

Advantages of Using a Raspbery Pi as an OpenVPN Server

  • Raspberry Pi's biggest advantage is certainly its low price. Compared to using a complete Linux computer as a VPN server, both the purchase and running costs are significantly lower. The device is also capable of staying connected to a network 24/7, without cooling and minimal electricity usage, maintaining the integrity of your VPN tunnel.

  • Another major advantage is that OpenVPN's VPN server software is completely free, and available for most operating systems, including Windows, MacOS, Android, iOS, and Linux.

  • Building a mini-computer is relatively simple and will help ensure that your VPN server is both stable and 100% reliable.

Setup Preparations

You will need:

  1. 1.
    A Raspberry Pi (ideally Model 2 or newer).
  2. 2.
    A micro-SD flash memory card with Raspbian-Jessie  installed.
  3. 3.
    An Internet connection (either by network cable or WiFi) to Raspberry Pi.
  4. 4.
    A micro-USB power connection.

Additionally, you should also consider if you want to connect your Raspberry Pi to a monitor, mouse, and keyboard, or if you would prefer to access the devices using SSH. Usually, monitoring the server using SSH makes the most sense, since you can access the Raspberry Pi using tools through programs on your main computer like PuttY, WinSCP, or OpenSSH.

To access your Raspberry Pi using SSH, you only need to know the device's IPv4 address. You can find this out by checking your router when the Raspberry Pi is connected to your local network.

Adjust your IP Addresses

Should you want to connect to the VPN server using SSH it makes sense to assign it a fixed IP address as greatly eases your ability to access it. For OpenVPN, it is also important that the server has and can be accessed by a fixed local IP address in your network.

It's also logical for the VPN server to have the same address when you access it remotely. Most Internet service providers (ISPs) assign their routers new, dynamic IP addresses every 24 hours, so you will also need to use a dynamic DNS (DDNS) service.

To do this, follow the steps below:

  1. 1.
    Assign the VPN server a fixed IP in your local area network (LAN)
    In the administrator area of your router, you can assign the Raspberry Pi a fixed IPv4 address using its Mac address.
  2. 2.
    Enable port forwarding on the router
    Through port forwarding, you'll make the fixed local IP address of your router accessible from outside of your LAN. OpenVPN uses port 1194. If your Raspberry Pi has an IP address of, then all of your router's UDP data traffic needs to be routed through port 1194.
  3. 3.
    Assign a host name using a DNS service
    When you want to access your network from somewhere else, you'll need to set up a DDNS service, since your ISP likely alters your router's IP address every 24 hours. Alternatively, you could ask them if it is possible to be assigned a fixed IP address.
    If this isn't possible, you can use a service like No-IP, which is supported by most routers. This gives your router a fixed host name that is forwarded automatically to your new IP address when your router's IP address is channged. Installation instructions for No-IP, can be found on the service's website .

Update Raspberry Pi

Before installing OpenVPN or Pi VPN, you should install all available updates for the device's operating system. This can be done by executing the following commands:

sudo apt-get update sudo apt-get upgrade

Change your username and password

To be on the safe side, we recommend changing your Raspberry Pi's standard username and password ("Raspberry" and "Pi"). This can be done either locally, or over SSH using the following command:

sudo raspi-config

2 Options: PiVPN vs. OpenVPN

OpenVPN is the most popular VPN solution for Linux systems, and by extension, for Raspberry Pi. The program is not only very secure, but also open source, and as a result, completely free. Since its installation through text-based commands is difficult, particularly for new users, PiVPN  offers a much easier alternative.

Option 1: Set up a VPN Server With PiVPN

PiVPN is based on OpenVPN, which means that it is compatible with Linux and all of its current distributions including Raspbian, Debian, and Ubuntu.

Step 1: Install PiVPN

Since PiVPN uses a bash script, you don't need to download and install it like typical software. Rather, simply execute the following commands in command prompt:

curl -L https://install.pivpn.io | bash

Step 2: Configure PiVPN

When PiVPN starts, you'll receive a notification that you should use a static IP address. If you have already assigned your router a fixed IP address (as recommended above) you can skip this step.

Finally, you will need to create a local user account, in which OpenVPN's configuration settings are saved. Here, select the user account you created, and in the next step, activate automatic updates (‘unattended upgrades‘).

In the next dialog box, select UDP from the list of VPN protocols, leaving the recommended port number as 1194, so long as you've set this port for forwarding on your router (as recommended above).

Key length can be kept at 2048-bit, since this provides a high level of security. Depending on the Raspberry Pi model you're using, the time needed to create keys can vary.

In the next step, you'll be asked if the VPN server is accessible by fixed IP address, or host name (‘DNS Entry‘). If a DNS service like No-IP is installed on your router, enter the relevant host name here.

After restarting your computer, initial setup is already complete.

Step 3: Add and Remove Network Clients

In PiVPN, installing and configuring the client is very straightforward. You only need to enter the following in command prompt:

pivpn add

You should then be prompted for the desired username and password. The configuration file will then be named ‘[Client].ovpn‘ and saved in the ‘~/ovpns‘ folder.

You will only need this file for the client through which you access the VPN server, since it contains all keys and server certificates. You can simply import them to any desired OpenVPN client.

Clients can be easily removed with the following command:

pivpn revoke

Option 2: Configure a VPN Server Using OpenVPN

For those more familiar with Linux, or desiring of greater freedom in configuring their VPN server, OpenVPN offers an alternative to PiVPN.

Our step-by-step guide assumes that the most up-to-date version of Raspbian is being used. If you follow all of the steps below, configuring an OpenVPN server on your Pi is not particularly difficult, even without significant background knowledge.

Step 1: Install OpenVPN and Create an RSA file

The software, as well as the OpenSSL encryption protocol are installed by executing the following command:

sudo apt-get install openvpn openssl

Once OpenVPN has been installed, you will need to copy the easy-RSA script to the the corresponding configuration directory by using the following command:

sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa

Next, you'll need to open the "vars" file (in the appropriate folder) and modify it.

sudo nano /etc/openvpn/easy-rsa/vars

The line export EASY_RSA=“‘pwd‘“ needs to be replaced with the following:

export EASY_RSA="/etc/openvpn/easy-rsa"

You can also change the key length here. To prevent performance issues, on Raspberry Pi model 3's, you should use a 2048-bit key length. For model 2's, this will create problems, so, for these devices, you're best off using a 1024-bit key length, which will sacrifice a bit of security for improved performance. To make changes to the encryption, you only need to change the value in the line "export KEY_SIZE=" from 2048 to 1024.

Now, you can return to the easy-RSA configuration directory and start settings with root rights, by executing the vars script. Once complete, the configuration file will be made accessible through a symbolic link. This is accomplished by executing the following four lines:

cd /etc/openvpn/easy-rsa sudo su source vars ln -s openssl-1.0.0.cnf openssl.cnf

Step 2: Create certificates

The key files for OpenVPN will now be changed and then newly created. For the country name, enter US. All additional prompts that open can be accepted.

./clean-all ./build-ca OpenVPN

Now, the key files can be generated through the following command:

./build-key-server server

Step 3: Set up a VPN Client

A client needs to be set up for every device that you intend to access your VPN server with. In turn, each client requires a certificate and the correct key. Here too, you'll need to enter the country code, and assign the client a name. In our example, we named the client ‘desktop-pc‘.

./build-key desktop-pc

Alternatively, you can use the command build-key-pass instead of build-key to create a password for your client.

Creation of the certificates and key is completed with the following command:


Finally, log the root user out using the exit command.

Step 4: Generate Configuration Data

OpenVPN's configuration data is generated with the following command:

sudo nano /etc/openvpn/openvpn.conf

This configuration data must be supplemented with a few other pieces of information, which we'll describe in detail below. Make sure that UDP is selected as protocol, that routing via IP tunnel is activated, and that the port is set to its default (1194).

The SSL/TSL root certificate (ca), digital certificate (cert), and key need to be created in the easy-RSA directory. Make sure that you enter the correct encryption (1024 or 2048).

The command server ensures that Raspberry Pi is used as the VPN server. With redirect-gateway def1 bypass-dhcp, all IP traffic is routed through the IP tunnel.

Next, you need to name the public DNS server that the VPN server will utilize. For example, is a public DNS server used by Google. Of course, you can also use the IPv4 address of another DNS server. In this case, log information will be written in the openvpn file.

Finally, you'll need to configure some additional parameters. persist-key, ensures that key data is not read again, while persist-tun ensures that the drivers are not restarted. With user nobody and group nogroup the daemon's rights are removed, while verb regulates the log file's completeness. By adding 0 no data is saved apart from error messages. We recommend a value of 3. The client-to-client parameter allows us to define which other VPN clients are identified, while LZO compression is activated with comp-lzo.

Config data should now read as:

dev tun proto udp port 1194 ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key dh /etc/openvpn/easy-rsa/keys/dh2048.pem server push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS" log-append /var/log/openvpn persist-key persist-tun user nobody group nogroup status /var/log/openvpn-status.log verb 3 client-to-client comp-lzo

You can save your parameters by pressing Crtl+O and exit the editor with Crtl+X.

Step 5: Create a script for Internet access

In order to use the VPN tunnel to connect to your home network, you need to create a path. To do this, begin by creating an rplvpn file with the following command:

sudo nano /etc/init.d/rpivpn

In this file, you'll be able to enter comments that serve as headers for the Linux-Init script. Beyond that, you can activate ip_forward, set iptables as packet filters for forwarding, and protect LAN and Internet access. The file should look like this when finished:

#! /bin/sh ### BEGIN INIT INFO # Provides: rpivpn # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: VPN initialization script ### END INIT INFO echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -t nat -F POSTROUTING iptables -t nat -A POSTROUTING -s /24 -o eth0 –j MASQUERADE

With Crtl+O and Crtl+X you can save and close the file, respectively.

To finish, you'll need to grant the script certain rights, which is done by entering the following command:

sudo chmod +x /etc/init.d/rpivpn sudo update-rc.d rpivpn defaults

You can now execute the script, and restart the server.

sudo /etc/init.d/rpivpn sudo /etc/init.d/openvpn restart

Step 6: Complete client set-up

You're almost there! Before finishing, you only need to combine the certificates and keys from your client(s) and prepare them for export. To do this, again grant yourself root rights, and open the client file which you want to modify. For our example, we again used "desktop-pc".

sudo su cd /etc/openvpn/easy-rsa/keys nano desktop-pc.ovpn

Now, add information about your DNS provider n line 4 of this file, or about your static IP address (for example, in line 10 and the name of your client in line 11. Save and close the editor with Crtl+O and Crtl+X. Once finished, the file should look like this:

dev tun client proto udp remote 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert desktop-pc.crt key desktop-pc.key comp-lzo verb 3

Zip the configuration data together with the certificates and keys (should you not have a Zip packet installed, you can easily get one by entering apt-get install zip).

zip /home/pi/raspberry_desktop-pc.zip ca.crt desktop-pc.crt desktop-pc.key desktop-pc.ovpn

Then adjust the file's rights with chown pi:pi /home/pi/raspberry_desktop-pc.zip and finish setup with exit. The Zip file you've created can be transferred to you PC using SCP of SFTP software. 

Thus, you've done everything and can immediately connect to your local network using Raspberry Pi and an OpenVPN server.

Carsten Podszun studied computer science and business administration and was self-employed in the retail industry for 15 years. Since 2014 he is a consultant for startups, freelance author and writes at EXPERTE.com about homepage, hosting & IT security.
Continue Reading
Other languages