How to Create an OpenVPN server

This guide shows the steps needed to get an OpenVPN server running on your Raspberry Pi.

First of all, make sure your Raspberry Pi is updated and upgraded. For this tutorial we are going to run all commands as the root user. To change to the root user enter;

sudo su

apt-get update

apt-get upgrade

After everything has been upgraded and installed, the next step is to install openvpn and openssl if you don’t already have them installed.

apt-get install openvpn openssl

Once OpenVPN has been installed, we now have to configure it. First, copy the easy-rsa directory into the openvpn folder.

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Once that has been copied over, we need to edit the vars file so that when the scripts run they put the config files in the correct place.

nano /etc/openvpn/easy-rsa/vars

Then on line 15 change

export EASY_RSA="`pwd`"

to

export EASY_RSA="/etc/openvpn/easy-rsa"

Then press CTRL + x and save it. Next you need to run clean-all for easy-rsa. This will make sure all files are in place. So change into the easy-rsa directory.

cd /etc/openvpn/easy-rsa

View the files by typing ls

Screen Shot 2014-03-26 at 14.10.41

Then we need to run the clean-all command. But first we need to point it to the vars file. So run;

source /etc/openvpn/easy-rsa/vars

and then we run the clean-all command

/etc/openvpn/easy-rsa/clean-all

Now, to see that the necessary files are there, type ls again and you should see something like this;

Now you have successfully configured your files you need to set up OpenVPN. Run;

 ln -s openssl-1.0.0.cnf openssl.cnf

cd ..

Now we need to create the keys and certificates for the VPN. You can either press enter on all of the certificate prompts or fill them out; it makes no difference.

./easy-rsa/build-ca OpenVPN

./easy-rsa/build-key-server server

./easy-rsa/build-key client1

./easy-rsa/build-dh

build-dh takes a while so be patient

The next part is making the config file for OpenVPN. To do this type;

nano openvpn.conf

Edit this file to look like this;

dev tun
#defines which protocol tcp/udp
proto udp
#
#Defines the port to connect
port 1194
#
#This defines where keys and cert are kept
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
#
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
push "redirect-gateway def1"
#
#Set DNS to Google's DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo

Then save these files using CTRL + X.

echo 1 > /proc/sys/net/ipv4/ip_forward

ifconfig

From the list of network adapters, pick the one you want to use for VPN traffic. If you are connected via the ethernet port it is usually eth0, and the inet address shown for that adapter should be your Raspberry Pi’s IP address. We need this information to add to iptables.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.2

Tip: Instead of 192.168.0.2 add your Raspberry Pi’s IP address

cd ..

nano sysctl.conf

On line 28 you need to remove the # from in front of “#net.ipv4.ip_forward=1” to make it “net.ipv4.ip_forward=1”.

service openvpn restart

Now you have fully configured your OpenVPN server. Now we need to create the files to connect to it.

nano /etc/openvpn/easy-rsa/keys/newvpn.ovpn

This editor will create a file called newvpn.ovpn. Enter the following into this file to connect with the vpn.


dev tun
client
proto udp
remote YOUR_NETWORK_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

TIP: On line 4 make sure you add your public ip address and not your Pi’s IP

Save this file. Then run;

 nano /etc/rc.local

Add these two lines above exit 0;

iptables -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.2

Now we are up and running. We can copy the keys and certificates to our computer. Simply navigate to /etc/openvpn/easy-rsa/keys and copy all of the keys you need.

The keys we need are ca.crt, client1.crt, client1.key and newvpn.ovpn

Once these have been downloaded successfully open your client that you are going to use and configure the VPN tunnel.

You can use Tunnelblick for Mac – http://code.google.com/p/tunnelblick/

Use  OpenVPN for Windows – https://openvpn.net/index.php/open-source/downloads.html

To make another client just run;

sudo su

source /etc/openvpn/easy-rsa/vars

/etc/openvpn/easy-rsa/build-key client2

Then copy the client2 keys just like above. Finally, don’t forget to change the newvpn.ovpn file to point to the client2 keys and not the client1 keys.
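The client file from newvpn.ovpn and the per-client key step above can be combined so that each client gets one file instead of four. This is an added example, not part of the original tutorial: make_client_profile and its arguments are hypothetical names, the PEM bodies in the demo are constructed placeholders, and it relies on OpenVPN's inline <ca>, <cert> and <key> blocks.

```shell
#!/bin/sh
# Added example, not from the original tutorial. The function name and its
# arguments are hypothetical; the directives mirror newvpn.ovpn above.
# Usage: make_client_profile KEYS_DIR CLIENT REMOTE_HOST OUT_FILE
make_client_profile() {
    keys_dir=$1
    client=$2
    remote=$3
    out=$4
    # Stop early if any of the three files the client needs is missing or empty.
    for f in ca.crt "$client.crt" "$client.key"; do
        if [ ! -s "$keys_dir/$f" ]; then
            echo "missing or empty: $keys_dir/$f" >&2
            return 1
        fi
    done
    # The profile embeds the private key, so create it readable by its owner only.
    rm -f "$out"
    (
        umask 077
        {
            printf '%s\n' client "dev tun" "proto udp" "remote $remote 1194" \
                "resolv-retry infinite" nobind persist-key persist-tun \
                comp-lzo "verb 3"
            # Inline blocks replace the "ca", "cert" and "key" file directives.
            printf '<ca>\n'
            cat "$keys_dir/ca.crt"
            printf '</ca>\n<cert>\n'
            # A .crt may carry a text dump before the PEM block; keep the PEM only.
            sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$keys_dir/$client.crt"
            printf '</cert>\n<key>\n'
            cat "$keys_dir/$client.key"
            printf '</key>\n'
        } > "$out"
    )
}

# Constructed demo input (placeholder PEM bodies, not real keys).
demo=$(mktemp -d)
for f in ca.crt client2.crt; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ZGVtbw==' \
        '-----END CERTIFICATE-----' > "$demo/$f"
done
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'ZGVtbw==' \
    '-----END PRIVATE KEY-----' > "$demo/client2.key"
make_client_profile "$demo" client2 YOUR_NETWORK_IP "$demo/client2.ovpn" &&
    ls -l "$demo/client2.ovpn"
```

On the server it would be called as make_client_profile /etc/openvpn/easy-rsa/keys client2 YOUR_NETWORK_IP client2.ovpn, and the resulting file should be moved to the client over an encrypted channel because it contains client2.key.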

Thank you. If you have any questions please comment below.

Set up VNC server on Raspberry Pi

How to set up a VNC server

The tutorial today will show you how to run a VNC (Virtual Network Computing) server on your Raspberry Pi. This will allow you to view your Pi’s desktop and control your Pi as if your computer were a monitor for it. This can be useful if you would like to install a program via a GUI. The program we are going to install is tightVNC server.

sudo apt-get install tightvncserver

Once you have installed tightVNC you have done all of the installation needed to get the VNC server started. Next, to get the VNC server up and running, run the command;

vncserver

After you run this command you will be asked to enter a password for your VNC server. Now your server has been set up and fully configured. The next stage is making sure that you have set up port forwarding on your router. To be able to use the VNC server, you need to forward port 5900 to the IP address of your Pi. Port forwarding is different on each router so it is impossible for me to show you how to do that; please refer to your router manufacturer’s website.

After you have forwarded the port 5900 to your Pi, you can now go ahead and connect to your Raspberry Pi. The program that I use is VNC viewer. It is a free program that is available on all major platforms. Go to https://www.realvnc.com/download/ to download this program.

Once it has installed, open the VNC viewer. Once the program has opened you should then get the connection box;

Screen Shot 2014-03-23 at 16.42.46

Replace the 192.168.0.15 with the ip of your Raspberry Pi. Then select connect and enter the password that you entered earlier.

Screen Shot 2014-03-23 at 16.58.18

Thank you for reading, if you spot any mistakes or have any questions please comment below.

How to set up a wireless adapter


For this tutorial I will be using an RT5370 Wireless Adapter to connect to my network. Firstly, power down your Pi and then insert your USB adapter. Secondly, power up your Pi and ssh into it. If you want to check your USB adapter is being read correctly or you want to know the model of your adapter, simply type in lsusb. You should get an output something like this;

Screen Shot 2014-03-22 at 17.49.13

Now that you know your adapter is being recognised you can go on to getting your network adapter set up. There are many ways of doing this, like using the wpa_supplicant file. This method is easier, works for most networks and requires editing only one file. To enter your network information you need to edit the interfaces file, so run;

sudo nano /etc/network/interfaces

you should then get a file that looks like this;

Screen Shot 2014-03-22 at 17.57.03

You need to then edit the file so it looks something like this;

Tip: The quotation marks around your network’s name and password are essential.

To save the file you need to press CTRL + o, then to exit the editor CTRL + x. Then, to test that you have correctly set up wifi, run the command sudo ifup --force wlan0. This will force the network adapter to get an IP from your network’s DHCP server. If this runs without any errors, type in the command ifconfig. You should then see an IP address assigned to eth0, which is the IP address that you used to connect to the Pi, and also an IP assigned to wlan0;

Screen Shot 2014-03-22 at 19.59.52

Thank you for reading. If you have any comments, see any mistakes or have a specific tutorial you would like me to cover, please comment below.

How to make a secure FTP server with vsftpd

This tutorial will guide you through making a secure FTP server on the Raspberry Pi. The program we will be using is vsftpd (Very Secure File Transfer Protocol Daemon). It is an FTP server that can run the FTP protocol over TLS. Once it is configured for TLS, as this tutorial does further down, vsftpd encrypts all traffic so usernames and passwords aren’t sent in clear text.

The first step is to make sure all of your system is updated and upgraded. Then you need to install the program vsftpd, to do this run the install command;

sudo apt-get install vsftpd

 

As soon as you run this command you have set up and installed an FTP server. To make sure everything up to now has run correctly and is all set up you can try to log in. First of all you need to download an FTP client for later on, so go ahead and download it now. The client that I am going to use is FileZilla. FileZilla is a free open source program that can manage an FTP server connection.

Download a copy for your operating system – https://filezilla-project.org/

To test the server, get the program up and running and try to log in using anonymous as the user, leaving the password blank.

Tip: Where the ip is 192.168.0.2, enter the address of your Raspberry Pi

But because FTP isn’t secure you should configure the server to run over TLS. This encrypts all traffic that goes between your machine and the FTP server. First of all we need to edit the vsftpd config file. Before you edit any config file it is always recommended to make a backup, so we back up the config file by running this command;

 sudo cp /etc/vsftpd.conf /etc/vsftpd.conf_bak

 

Once the file is backed up you can now edit the config file;

sudo nano /etc/vsftpd.conf

First of all you want to edit the following config file to look something like this one;

 

listen=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
#This is the welcome message response from your server
ftpd_banner=Welcome to my FTP
#
# SSL
ssl_enable=YES
#this selects the cipher type
ssl_ciphers=HIGH
#
#choose according to your preference
force_local_data_ssl=YES
#
#choose according to your preference
force_local_logins_ssl=YES
#
#enable TLS if you enable ssl.
ssl_tlsv1=YES
#SSLv2 and SSLv3 are obsolete and have known weaknesses, so leave them off.
ssl_sslv2=NO
ssl_sslv3=NO
#
#give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/vsftpd/vsftpd.pem
#the *.pem file contains both the key and cert
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
#
pasv_enable=YES
pasv_min_port=12000
pasv_max_port=12100
#
#Some mobile clients require this
require_ssl_reuse=NO

Each of the lines is commented, but if you need to understand this further please refer to the man page for vsftpd by typing in;

man vsftpd

Now just before you can connect to your ftp server with tls encryption you need to create a certificate and key for your ftp server to use. First of all we need to make sure OpenSSL is installed and updated. You should already have this installed and updated if you followed my previous tutorials.

sudo apt-get install openssl

sudo apt-get update

sudo apt-get upgrade

After this you then want to create the certificate and key for your server.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Once you have run this command you should then be able to connect to your server. Don’t forget that each time you edit the config file you must then restart your vsftpd service. Run this command to restart;

sudo service vsftpd restart
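Before relying on the restarted server, the edited config can be checked for the options that decide whether logins and data are really encrypted. This is an added example, not part of the original tutorial: conf_value and audit_vsftpd_conf are hypothetical names, the sample config is constructed, and the defaults used for missing options are the ones documented in the vsftpd.conf man page.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are hypothetical.
# Assumes options are written as KEY=YES or KEY=NO with no spaces, as in the
# config shown above.

# conf_value FILE KEY DEFAULT: last uncommented KEY=value in FILE, else DEFAULT.
conf_value() {
    v=$(sed -n "s/^$2=//p" "$1" | tr -d '\r' | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# audit_vsftpd_conf FILE: print one finding per line, return 1 if any were found.
audit_vsftpd_conf() {
    conf=$1
    bad=0
    flag() { echo "$1"; bad=1; }
    [ "$(conf_value "$conf" ssl_enable NO)" = YES ] ||
        flag "ssl_enable is not YES: logins and data are sent in clear text"
    for opt in force_local_logins_ssl force_local_data_ssl; do
        [ "$(conf_value "$conf" "$opt" YES)" = YES ] ||
            flag "$opt is not YES: unencrypted connections are still permitted"
    done
    for opt in ssl_sslv2 ssl_sslv3; do
        [ "$(conf_value "$conf" "$opt" NO)" = NO ] ||
            flag "$opt is enabled: obsolete protocol accepted, set it to NO"
    done
    [ "$(conf_value "$conf" anonymous_enable YES)" = NO ] ||
        flag "anonymous_enable is not NO: anonymous logins are allowed"
    return "$bad"
}

# Constructed sample input: a config that turns TLS on but leaves two gaps.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=NO
ssl_enable=YES
#ssl_sslv3=NO
ssl_sslv3=YES
force_local_data_ssl=NO
EOF
audit_vsftpd_conf "$sample" ||
    echo "review the findings above before restarting vsftpd"
```

Against the real file it would be run as audit_vsftpd_conf /etc/vsftpd.conf; a silent run with exit status 0 means none of these findings apply.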

If this restarts with no errors you can now connect to your server, but beware that some routers must have ports forwarded to be able to work correctly. These are the ports that I have forwarded from my router;

Make sure that you put your IP address of your raspberry Pi in the IP address section. After this you should be able to get your ftp server working.

FileZilla Setup

Open the FileZilla program, go to file then site manager.

Screen Shot 2014-03-25 at 12.45.20

Then enter your Raspberry Pi’s IP in the host section.

On the encryption box select “Require explicit FTP over TLS”

Change the logon type to normal and then enter your username and password into the boxes provided.

The screenshot doesn’t show anything in Host, but put your Raspberry Pi’s IP here.

When you then select connect you should get a pop up box asking if you want to accept the unknown certificate. Check that the credentials are the ones you entered earlier when you created the openssl certificate and key.

You should then be able to log in to your ftp server. If you would like to “jail” local users and have virtual users, keep an eye on this blog. I will be posting a part 2 soon.

If you have any comments or improvements please comment below. Also don’t be afraid to ask any questions.


Getting started with SSH + Initial Setup

SSH  and the initial setup of your Raspberry Pi

Now that you have the SD card set up, we can try to connect to your Pi. I am assuming that the Pi is plugged in via ethernet to your router, and you have forwarded the ssh port 22 to your Raspberry Pi’s IP. During this tutorial I am going to use the pre-installed ssh client in the terminal on the Mac. If for whatever reason you want to use another client, the tutorials will still work fine with that client.

To ssh to your raspberry pi just type in the following command but replace 192.168.0.15 with your Pi’s ip address.

ssh pi@192.168.0.15

You should then get asked if you want to connect to the device with the key displayed, just type yes and then enter the password. The default password for the raspbian image is ‘raspberry’.

Tip: If you get any errors at this point please check that you have port forwarded to the Pi correctly.

The first set of commands to run are the update and upgrade commands. These commands are pretty self explanatory.

sudo apt-get update
sudo apt-get upgrade

These commands might take a while so be patient.

After these have been configured it is highly recommended that you change the password for the default pi account. Simply type passwd into the prompt. Enter your current password (raspberry) and then your new password.

Now that your Pi is fully updated and secure, you can customise it further by using the sudo raspi-config command.

sudo raspi-config

Here you can change lots of features of your Pi. You can over-clock your Pi, change your password and even change the keyboard layout.

Thanks for reading, if you have any questions or requests please comment below.

Setting up your SD card.


Firstly, you need to download an image to install on your SD card to get your Raspberry Pi up and running. When I first got my Raspberry Pi it had NOOBS OFFLINE pre-installed. NOOBS (New Out Of the Box Software) is a small image that comes installed on most SD cards that are advertised for the Raspberry Pi. It is preloaded with software that downloads and installs the distro of your choice.

If you want to go straight to a headless (no monitor or keyboard) Raspberry Pi, what I recommend is that you format the SD card and start from scratch.

These steps will guide you on how to install the Raspbian official distro on a Mac via terminal.

Firstly, we need to download the distro so we can flash it to the SD card. Go to the Raspberry Pi website and download the Raspbian file. Whilst the file is downloading you need to prepare your SD card. Open up Disk Utilities and format the card into MS-DOS format, giving it a name in CAPITALS; I called mine SDCARD. Next open up the terminal and type in;

df -h

You should then see a list like the one below.

Screen Shot 2014-03-21 at 12.25.10

Then look in the last column, and find the mount point of your SD card. Follow the row to the first column, make a note of this. In the picture above my mount point is “/Volumes/SDCARD” and my filesystem is “/dev/disk1s1”. Once you have this information you can then proceed to flash the SD card. Before we do that, we need to unmount the SD card from the system. To do this run this command (instead of /Volumes/SDCARD use your mount point);

diskutil unmount /Volumes/SDCARD

Once unmounted, the SD card is ready to be flashed. To flash the SD card, we need to use the filesystem of your card that we got earlier. “/dev/disk1s1” was my filesystem but to flash it we edit that to “/dev/rdisk1”, we have taken away the s1 from the end and added an r. We flash the card using the following command;

     sudo dd bs=1m if=~/path/to/img of=/dev/rdisk1

The command line will then look like it isn’t doing anything, but if you press ctrl + T you will see the status of the flash. Once the process is complete and the terminal goes back to the normal prompt, you have finished! Simply disconnect your SD card from your Mac and plug it into the Raspberry Pi. Even though above I stated that this is a headless setup, you can still connect your TV, keyboard and mouse to your Raspberry Pi and have it running from the desktop. All of my tutorials will be suited for the headless setup; I will not go through the desktop setup of any programs (unless requested).

If you have any problems or questions comment below and I will try to answer them as well as I possibly can. Also if you have any more specific tutorials that you would like please comment and I will try my best.

Thanks