How to Create an OpenVPN server

This guide will show the necessary steps to get an OpenVPN server running on your Raspberry Pi


First of all you would want to make sure your Raspberry Pi is updated and upgraded. For this tutorial we are going to be running all commands as the root user. To change to the root user enter;

sudo su

apt-get install update

apt-get install upgrade

After everything has been upgraded and installed the next step is to install openvpn and openssl if you don’t already have it installed.

apt-get install openvpn openssl

Once OpenVPN has been installed, we have to now configure it. Firstly copy the easy-rsa file into the openvpn folder.

 cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Once that has been copied over we need to edit the var file so that when the script runs it put the config files correctly.

 nano /etc/openvpn/easy-rsa/vars

Then on line 15 change

export EASY_RSA=”`pwd`”


export EASY_RSA=”/etc/openvpn/easy-rsa”

Then press CTRL + x and save it.Then you need to clean-all the easy-rsa. This will make sure all files are in place. So next change into the easy-rsa directory.

cd /etc/openvpn/easy-rsa

view the files by typing ls

Screen Shot 2014-03-26 at 14.10.41

Then we need to run the clean-all command. But first we need to point it to the vars file. So run;

source /etc/openvpn/easy-rsa/vars

and then we run the clean-all command


Now to see that that necessary files are there type ls again and hopefully you should see something  like this;

Now you have successfully configured your files you need to set up OpenVPN. Run;

 ln -s openssl-1.0.0.cnf openssl.cnf

cd ..

Now we need to create the keys and certificates for the VPN. You can either press enter on all of the certificate prompts or fill them out it makes no difference.

./easy-rsa/build-ca OpenVPN

./easy-rsa/build-key-server server

./easy-rsa/build-key client1


build-dh takes a while so be patient

The next part is making the config file for OpenVPN. To do this type;

nano openvpn.conf

Edit this file to look like this;

dev tun
#defines which protocol tcp/udp
proto udp
#Defines the port to connect
port 1194
#This defines where keys and cert are kept
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
push “redirect-gateway def1"
#DNS to googles DNS servers
push “dhcp-option DNS"
push “dhcp-option DNS"
log-append /var/log/openvpn

Then save these files using CTRL + X.

echo 1 > /proc/sys/net/ipv4/ip_forward


When you see your network adapters you want to use for VPN traffic. If you are connected via ethernet port it is usually eth0, the inet address that comes from adapter should be your raspberry Pi’s IP address. We need this information to add to the ip tables.

iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT –to

Tip: Instead of add your raspberry Pi’s IP address

cd .. 

nano sysctl.conf  

On line 28 you need to remove the # from in front of “#net.ipv4.ip_forward=1″ to make it “net.ipv4.ip_forward=1″.

service openvpn restart

Now you have fully configured your OpenVPN server. Now we need to create the files to connect to it.

nano /etc/openvpn/easy-rsa/keys/newvpn.ovpn

This editor will create a file called newvpn.ovpn. Enter the following into this file to connect with the vpn.

dev tun
proto udp
remote YOUR_NETWORK_IP 1194
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
verb 3

TIP: On line 4 make sure you add your public ip address and not your Pi’s IP

Save this file. Then run;

 nano /etc/rc.local

Add these two lines above exit 0;

iptables -t nat -A INPUT -i eth0 -p udp -m udp –dport 1194 -j ACCEPT

iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT –to-source

Now we are up and running. We can copy the keys and certificates to our computer. Simple navigate to /etc/openvpn/easy-rsa/keys and do a copy function for all of the keys you need.

The keys we need are ca.crt, client1.crt, client1.key and newvpn.ovpn

Once these have been downloaded successfully open your client that you are going to use and configure the VPN tunnel.

You can use Tunnelblick for Mac –

Use  OpenVPN for Windows –

To make another client just run;

sudo su

source /etc/openvpn/easy-rsa/vars

/etc/openvpn/easy-rsa/build-key client2

Then copy the client2 keys just like above. Finally dont forget to change the newvpn.ovpn file to point the client2 keys and not the client1 keys.

Thank you if you have any questions please comment below.

About these ads

2 thoughts on “How to Create an OpenVPN server

  1. I have set up OpenVPN on a router with DD-WRT. While this works technicaly, the performance makes it unusable (1.5Mbps).

    Does anyone have any performance data to share?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s