This tip covers how to add an OpenVPN server to a Raspberry Pi for remote access.
A VPN allows a remote connection to resources on your local network. Many network modem/routers provide a VPN server, although some ISPs (including TPG and iiNet) remove this capability from the routers they provide, citing security concerns. If you need to use their router for a VoIP service, you'll need an alternative.
A VPN server can easily be added to a Raspberry Pi as a cheap solution, though you will still need to set up a port forwarding rule in the network router. It's a good idea to set up a static IP address (as a DHCP reservation) on the Raspberry Pi, so its internal IP address doesn't change over time.
If your ISP doesn't provide a static external IP address for your internet service, it's also a good idea to set up a dynamic DNS service. The VPN client needs to point to your external IP address, but a dynamic address can change from time to time, which will break the VPN until you re-configure it. It's easier to use a dynamic DNS service to give you an easy-to-remember address that updates whenever your IP address changes. Check your router's settings to see if it supports any dynamic DNS services like DynDNS or No-IP. No-IP is free for limited usage and works perfectly for a VPN.
Install OpenVPN With PiVPN
OpenVPN is open-source software that allows you to set up a VPN on just about any type of hardware. A great solution for the Raspberry Pi is to use PiVPN. It uses a set of open-source scripts that turn OpenVPN's configuration into an easy-to-use wizard.
Open a terminal session on the RPi (via SSH or Telnet; prefer SSH, since Telnet sends your password unencrypted), switch to the superuser and make sure all software is up to date:
$ sudo su
# apt-get update
# apt-get upgrade
Install PiVPN by running the following command, which downloads the installer script and pipes it straight into bash (as root in this session):
# curl -L https://install.pivpn.io | bash
The script will take a few minutes to install OpenVPN, then walk through the configuration process. First, PiVPN requires a static IP address. If you set up a static IP, answer Yes.
After choosing your user (the default Pi user is fine, unless you have another you wish to use), PiVPN will ask whether you want to use WireGuard, a new VPN protocol, or OpenVPN. Use the arrow keys to move the cursor to OpenVPN, press Space to select it then press Enter to continue.
For the next few steps, the default settings are fine for most users. You'll be asked whether you want to use UDP or TCP (you should choose UDP unless you have a good reason for not doing so), what port you want to use (1194 is fine unless something else is using it), and what DNS provider you want to use (any are suitable).
OpenVPN 2.4 features are worth enabling unless you know you're using apps that don't support them. Choose the recommended security certificate when prompted - larger sizes grant better security, but can slow things down and aren't necessary for most users. Enable unattended upgrades to allow PiVPN to install the necessary packages and update the configuration files.
Finally, you can choose a DNS to use when you connect to your VPN. Skip adding a custom search domain (unless you know what that is and want to use one). Once that's done, you'll be prompted to reboot the Pi.
After rebooting, open a Terminal window and run:
$ sudo su
# pivpn add
Give the configuration file a name (e.g. js-msp), set how many days the certificate lasts (the default value is fine), and enter a password. A .ovpn file will be created in /home/pi/ovpns. This will be needed to connect to the VPN. Copy it to your PC and keep it somewhere safe.
PiVPN recommends repeating this process for other devices, so if you have other laptops or phones you want to use this VPN on, re-run this command to generate their own config files now. To check and/or edit the .ovpn file, open the file in Notepad. For example, to use your dynamic DNS service, replace the IP address in line 4 with your dynamic DNS hostname.
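The remote directive is not guaranteed to sit on line 4 of every profile, so it is safer to edit it by name. The following shell script is an added example, not part of PiVPN or the original tip: it rewrites the host in the profile's remote directive and confirms the profile still targets the forwarded port and protocol. The function names, the sample profile and the hostname myhome.example.net are constructed for illustration.

```shell
# Added example: repoint an OpenVPN client profile (.ovpn) at a dynamic DNS name.

# set_remote_host PROFILE HOSTNAME: replace the host in each "remote" directive,
# keeping port and protocol; the original is kept as PROFILE.bak.
set_remote_host() {
    profile=$1 host=$2
    # Accept only a plain DNS name so nothing else can be written into the profile.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $host" >&2; return 2 ;;
    esac
    grep -Eq '^[[:space:]]*remote[[:space:]]+[^[:space:]]' "$profile" || {
        echo "no remote directive in $profile" >&2; return 1; }
    cp -p "$profile" "$profile.bak" || return 1
    awk -v h="$host" '$1 == "remote" && NF >= 2 { $2 = h } { print }' \
        "$profile.bak" > "$profile"
}

# profile_endpoint PROFILE: print "host port proto" for the first remote.
# OpenVPN defaults (port 1194, proto udp) apply when the profile omits them.
profile_endpoint() {
    awk '$1 == "proto" { proto = $2 }
         $1 == "remote" && !seen { host = $2; port = $3; rproto = $4; seen = 1 }
         END { if (!seen) exit 1
               if (port == "") port = "1194"
               if (rproto != "") proto = rproto
               if (proto == "") proto = "udp"
               print host, port, proto }' "$1"
}

# matches_forward PROFILE PORT PROTO: succeed only if the profile targets the
# port and protocol forwarded on the router.
matches_forward() {
    ep=$(profile_endpoint "$1") || return 1
    case $ep in *" $2 $3") return 0 ;; *) return 1 ;; esac
}

# Constructed sample profile; 203.0.113.10 is a documentation-only address.
sample=$(mktemp)
trap 'rm -f "$sample" "$sample.bak"' EXIT
cat > "$sample" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
EOF
set_remote_host "$sample" myhome.example.net
matches_forward "$sample" 1194 udp && profile_endpoint "$sample"
```

On the Pi, point set_remote_host at the generated file under /home/pi/ovpns before copying it to the client device.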
This completes the configuration of the Raspberry Pi.
Add Port Forwarding Rule to router
Before you can successfully connect, you need to set up a port forwarding rule for the VPN's port on your network router. Log into your router's configuration page, find the port forwarding option, and forward port 1194 to the internal IP address of your Pi.
For the Archer 1600V router, log in to the router and go to:
Advanced → NAT Forwarding → Virtual Servers and set up the rule as follows:
| Interface Name: | pppoe_ptm_2_0_d |
| Service Type: | OpenVPN |
| External Port: | 1194 |
| Internal IP: | 192.168.1.20 |
| Internal Port: | 1194 |
| Protocol: | UDP |
Connect to the VPN from anywhere
To connect to the VPN you'll need a VPN app, or "client". OpenVPN has an official client called OpenVPN Connect, which is available on Windows, macOS, Linux, iOS, and Android. Go to the OpenVPN website, scroll down to Get Started with OpenVPN Connect and click the platform of your choice.
Launch the OpenVPN Connect app and click the "File" tab to add a new profile. Drag and drop the configuration file you copied from the Pi. Click the Add button, and you can connect to your VPN by flipping the toggle switch on and entering your password.
Note that you will need to disable TLS in settings if you don't have https enabled on your home network.