Building a Raspberry Pi OpenVPN Server the Hard Way

Why CentOS?

It’s trickier to work with, so there is a bit more that can be learned.

Raspbian makes this task a lot easier with the help of pivpn, but that takes the fun out of it.

Epel-release is not actually compatible with aarch64, so we’re forced to use the more challenging CentOS 7 instead of CentOS 8.

Plus rpmforge is dead, so the stuff I need will be missing from compatible repos, and it will need to be installed from source.

After this is done I’ll definitely want to play around some more with CentOS, and if I eventually decide I prefer Raspbian I’ll just buy another Pi, since they’re extremely cheap.

Supplies Required

Install a Ton of Requirements

sudo yum -y install \
    perl \
    perl-Net-DNS \
    perl-IO-Socket-SSL \
    perl-IO-Socket-INET6 \
    perl-JSON-PP \
    perl-File-Temp \
    wget \
    lzo-devel \
    pam-devel \
    http://repo.openfusion.net/centos7-x86_64/perl-Data-Validate-IP-0.27-1.of.el7.noarch.rpm \

sudo yum group install “Development Tools”

wget http://www.openssl.org/source/openssl-1.1.1g.tar.gz
tar -xvzf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g
./config –prefix=/usr/
sudo make install
cd ~

wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.0.tar.gz
tar -zxf openvpn-2.5.0.tar.gz
cd openvpn-2.5.0
sudo make install
cd ~

Configuring the Network

  1. Reserve IP address
    Router LAN Settings
  2. Forward port 1194
    Router Port Forward Settings

Configuring Dynamic DNS

  1. Enable Dynamic DNS for Your Domain
    DNS Settings Screenshot

  2. Get and Extract ddclient Tarball

     wget https://github.com/ddclient/ddclient/archive/v3.9.1.tar.gz
     tar xvfa v3.9.1.tar.gz
     cd ddclient-3.9.1

    sudo cp ddclient /usr/sbin/ sudo mkdir /etc/ddclient sudo mkdir /var/cache/ddclient sudo cp sample-etc_ddclient.conf /etc/ddclient/ddclient.conf cd ~

  3. Edit /etc/ddclient/ddclient.conf with your preferred text editor

    • Set use=web
    • Set policy, login, and password
    • Add your domain to a new line at the bottom

    ddclient settings

  4. Test ddclient for Errors

    sudo ddclient -daemon=0 -debug -verbose -noquiet

  5. Enable ddclient Service

    sudo cp sample-etc_systemd.service /etc/systemd/system/ddclient.service
    sudo systemctl enable ddclient.service
    sudo systemctl start ddclient.service

Configuring Firewall

  1. Enable Kernel IP Forwarding

    echo 1 > /proc/sys/net/ipv4/ip_forward

    Edit /etc/sysctl.conf with your preferred text editor

    • Uncomment net.ipv4.ip_forward=1
  2. Set Firewall settings

    sudo firewall-cmd --add-service openvpn
    sudo firewall-cmd --permanent --add-service openvpn
    sudo firewall-cmd --add-masquerade
    sudo firewall-cmd --permanent --add-masquerade

  3. Test Firewall for Errors

    firewall-cmd --list-services
    firewall-cmd --query-masquerade

Configuring OpenVPN

  1. Download Easy-RSA

    wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.8.tar.gz
    tar -zxf v3.0.8.tar.gz

  2. Copy Sample Server Config

    wget https://raw.githubusercontent.com/OpenVPN/openvpn/master/sample/sample-config-files/server.conf

  3. Edit /etc/openvpn/server.conf with your preferred text editor

    • Uncomment push “redirect-gateway def1 bypass-dhcp”
    • Uncomment push “dhcp-option DNS” and set to your preferred DNS server(s)
    • Uncomment user nobody
    • Uncomment group nogroup
    • Set ca /etc/openvpn/ca.crt
    • Set cert /etc/openvpn/client.crt
    • Set key /etc/openvpn/client.key
    • Set dh /etc/openvpn/dh2048.pem
    • Set tls-auth /etc/openvpn/ta.key 1
  4. Put Config in /etc/openvpn and rename it to the following

    • sudo mv server.conf /etc/openvpn/server-udp-1194.conf

    If directory doesn’t exist

    • sudo mkdir /etc/openvpn

Configure Cryptography

  1. Edit ~/easy-rsa-3.0.8/easyrsa3/vars.example with your preferred text editor and save as vars

    • Set new value for set_var EASYRSA_REQ_COUNTRY
    • Set new value for set_var EASYRSA_REQ_PROVINCE
    • Set new value for set_var EASYRSA_REQ_CITY
    • Set new value for set_var EASYRSA_REQ_ORG
    • Set new value for set_var EASYRSA_REQ_EMAIL
    • Set new value for set_var EASYRSA_REQ_OU
  2. Generate Diffie-Hellman

    sudo openssl dhparam -out /etc/openvpn/dh2048.pem 2048

  3. Generate CA and server

    cd ~/easy-rsa-3.0.8/easyrsa3
    ./easyrsa init-pki
    ./easyrsa build-ca
    sudo cp ~/easy-rsa-3.0.8/easyrsa3/pki/ca.crt /etc/openvpn/
    ./easyrsa gen-req server nopass
    ./easyrsa sign-req server server
    sudo cp ~/easy-rsa-3.0.8/easyrsa3/pki/issued/server.crt /etc/openvpn/
    sudo cp ~/easy-rsa-3.0.8/easyrsa3/pki/private/server.key /etc/openvpn/
    openvpn --genkey secret ta.key
    sudo cp ta.key /etc/openvpn/
    cp ta.key ~

  4. Generate a client

    mkdir ~/newclient
    mv ~/ta.key ~/newclient/
    ./easyrsa gen-req client1 nopass
    cp ./pki/private/client1.key ~/newclient
    ./easyrsa sign-req client client1
    cp ./pki/issued/client1.crt ~/newclient
    cp ~/easy-rsa-3.0.8/easyrsa3/pki/ca.crt ~/newclient
    cd ~
    wget https://raw.githubusercontent.com/openvpn/openvpn/master/sample/sample-config-files/client.conf
    mv client.conf newclient/client1.ovpn

  5. Edit client1.ovpn with your preferred text editor

    • Replace occurrences of my-server-1 with your server address
    • Uncomment group nogroup
    • Uncomment user nobody
    • Comment Out ca ca.crt
    • Comment Out cert client.crt
    • Comment Out key client.key
    • Comment Out tls-auth ta.key 1
    • Add key-direction 1 at the bottom
  6. Combine the Client Config

    cd ~/newclient
    echo “” >> client1.ovpn
    cat ca.crt >> client1.ovpn
    echo “” >> client1.ovpn
    echo “” >> client1.ovpn
    cat client1.crt >> client1.ovpn
    echo “” >> client1.ovpn
    echo “” >> client1.ovpn
    cat client1.key >> client1.ovpn
    echo “” >> client1.ovpn
    echo “<tls-auth>” >> client1.ovpn
    cat ta.key >> client1.ovpn
    echo “</tls-auth>” >> client1.ovpn

  7. Download the Client Config

    scp paige@ .

Clean Up

cd ~
sudo rm -rf v3.9.1.tar.gz \
    ddclient-3.9.1 \
    openssl-1.1.1g.tar.gz \
    openssl-1.1.1g \
    openvpn-2.5.0.tar.gz \
    openvpn-2.5.0 \

Enabling the Service

Sometimes when you build and compile OpenVPN from source, it doesn’t get registered by systemd.

To fix this do the following.

  1. Create a file at /etc/systemd/system/ called openvpn@server.service with the following data.

    Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
    After=syslog.target network.target
    ExecStart=/usr/local/sbin/openvpn –daemon –cd /etc/openvpn/ –config /etc/openvpn/server-udp-1194.conf

  2. Enable this new service

    sudo systemctl daemon-reload
    sudo systemctl enable openvpn@server.service

  3. Reboot

    sudo reboot now