
Using the Raspberry Pi to establish a Virtual Private Network (VPN) Connection to a Home Network

Constadinos Lales
Computer Engineering Technology
New York City College of Technology, CUNY
186 Jay Street, Brooklyn, NY 11201
[email protected]

Aparicio Carranza, PhD
Computer Engineering Technology
New York City College of Technology, CUNY
186 Jay Street, Brooklyn, NY 11201
[email protected]

Abstract - Because of the advances in technology, people are able to bring computer devices such as laptops, tablets, and smart phones with them anywhere they go. In addition, they are able to connect to various public networks to obtain internet access. With this luxury, these people run into serious problems. One of these problems is security. When accessing public internet, the data transferred from one's computer is not encrypted and is available to anyone who has some knowledge of computer networking. In addition, these networks may take away from our freedom of web browsing by blocking different websites. They can also view every website that one visits while connected to their internet. All of these problems can be solved by setting up a virtual private network (VPN). A VPN is a network that uses encryption to securely connect two different networks together using public telecommunication such as the internet. To establish a VPN connection, one needs to connect to a server. In this paper, we describe how we used the Raspberry Pi (a cheap microcomputer) as a VPN server for a home network, in order to create a VPN connection between a home network and the public internet.

Keywords - Raspberry Pi; VPN (Virtual Private Network); OpenVPN

I. Introduction

The Raspberry Pi is a small credit-card-sized computer that includes ports such as HDMI, Ethernet, 2 USB 2.0 ports, Audio, and RCA Video. In addition, the Raspberry Pi includes a SanDisk card slot, which is used as the Pi's storage, and GPIO (General Purpose Input/Output) pins, which can be programmed using Python. There are two models of the Pi available to purchase from different electronics sites. Model A comes with 256MB RAM and costs $25, and Model B comes with 512MB RAM and costs $35. There are several Linux-based operating systems available for the Pi that can be downloaded online and written to the SanDisk card. Each operating system has its pros and cons. The one to choose depends on what a user wants to use the Raspberry Pi for. The Pi operates at 700MHz by default, but can be overclocked to 900MHz. Furthermore, the Pi is powerful enough to support videos in 1080p using OpenGL ES 2.0 and hardware-accelerated OpenVG [1].

After writing one of the operating systems to the Raspberry Pi and placing the SanDisk in the Pi's slot, one is ready to utilize the Pi. The Pi can be accessed by attaching an HDMI cable from the Pi to the TV and a keyboard. However, if those items are unavailable to a person,
one can also connect to the Pi via SSH (Secure Shell) using PuTTY. SSH is a secure way to remotely connect to a command line. This is done by either connecting the Pi to a PC and sharing your internet or connecting it to your router. This will provide the Pi with an IP address that is used to connect via SSH. PuTTY also offers X11 forwarding, which allows you to use an Xming server to open up the GUI (Graphical User Interface) of the Pi by using the lxsession command on the Pi's command line. Thus, one is able to fully access the Pi with just an Ethernet cable, a five volt micro USB charger, the computer application PuTTY, and Xming. When the Pi boots up for the first time it detects that no configuration has been made and tells the user to use sudo raspi-config to configure it. The most important configuration to be done on the Raspberry Pi is expanding the root file system. By default the Pi uses only 2GB of memory and not all the memory available to the SanDisk.

II. Understanding VPN

Now that the Raspberry Pi is set up, it is time to set up the VPN server. Before doing so, one must understand the tunnel protocols and types of VPN connection that are available in order to be able to choose the one that is right for them. Some of the most common VPN security technologies are Internet Protocol Security (IPSec), Secure Sockets Layer (SSL), Transport Layer Security (TLS), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), and Layer Two Tunneling Protocol (L2TP). The two basic types of Cisco VPNs one can have are Site-to-Site and Remote access [2].

Large companies with offices all around the globe need a way to connect their different offices and organizations together. The type of VPN that they would use to do that is Site-to-Site VPN. This allows organizations to have routed connections with separate offices, or with other organizations, over the internet. This logically acts as a dedicated Wide Area Network link. When using this type of VPN, the protocol used for tunneling is IPSec. This is a security mechanism that encrypts any traffic supported by the IP protocol, such as Internet, e-mail, Telnet, and more. IPSec uses either digital certificates or pre-shared keys to provide authentication, data encryption and negotiation. To summarize, if one needs to connect a network that holds multiple devices to another network with many devices on it, they would use Site-to-Site VPN and the protocol that would need to be configured is IPSec [3].

The type of VPN this paper is mostly interested in is Remote Access VPN, which is when an individual host connects to a private network. Remote access VPN is a method of connecting one network with a single device to another network. This is usually used for travelers who need to access the company network securely over the internet. However, we believe that it should be used not only by travelers, who want to work anywhere they go, but by anyone who wants to
access the internet securely in public without any restrictions. The protocols that can be set up with Remote access VPN are IPSec and SSL. SSL is a communication protocol that provides secure Internet-based client-to-server interactions. Authentication is established between the server and client by using public key cryptography and digital certificates. Once authentication is established the entire communication session is encrypted [3].

SSL VPN is a bit more challenging to set up compared to PPTP. PPTP is a Microsoft VPN technology that uses standard authentication protocols, such as Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP). PPTP does not encrypt data unless it is used along with other Microsoft encryption mechanisms. PPTP can be used by most operating systems and servers, including Android phones. Although PPTP offers an easy and fast way of connecting to a different network, the authentication protocols used are easier to crack. Thus, PPTP should not be used if one cares about security [3].

After discovering all the security technologies out there, we had to make our decision on the tunneling protocols we were going to use to set up our VPN server. We were more interested in good security than fast setup, and the type of VPN connection we wanted to implement was Remote access, thus narrowing our options to SSL VPN. Next, we looked for software that supported SSL VPN connections and we stumbled upon OpenVPN.

III. OpenVPN Configurations

To create our VPN server on the Raspberry Pi, we decided to use OpenVPN. OpenVPN is a software application that establishes site-to-site or remote access connections through the custom use of the security protocol SSL/Transport Layer Security (TLS). Additionally, OpenVPN is an open source application. To obtain the OpenVPN software on the Raspberry Pi, we used the command sudo apt-get install openvpn openssl. The client we were using to connect to the Raspberry Pi server was a Windows 7 Toshiba laptop. We went to the OpenVPN website and downloaded the software for our client.

Before building the keys and certificates, it is recommended to copy the files on the Raspberry Pi in /usr/share/doc/openvpn/examples/easy-rsa/2.0 to the main directory /etc/openvpn by using the command

    cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

This is done to ensure that no modifications get overwritten when OpenVPN packages are upgraded. Next you edit the vars file located in easy-rsa and export the top level easy-rsa tree by using the commands
    nano easy-rsa/vars

and changing

    export EASY_RSA="`pwd`"

to

    export EASY_RSA="/etc/openvpn/easy-rsa"

Then, we build the keys and certificates needed by using these commands on the Raspberry Pi.

    ./easy-rsa/clean-all
    ./easy-rsa/build-ca OpenVPN
    ./easy-rsa/build-key-server server
    ./easy-rsa/build-key client1
    ./easy-rsa/build-dh

Next, we needed to create the configuration for the server on the Raspberry Pi. In this configuration, we included the layer our device was connected in, the location of the server key and certificate, the protocol used to establish connection, the port number we wanted to use, the server's IP address, how long we wanted OpenVPN to attempt to establish connection, and the DNS servers we wanted to set.

    nano openvpn.conf

    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    user nobody
    group nogroup
    server 10.8.0.0 255.255.255.0
    persist-key
    persist-tun
    status /var/log/openvpn-status.log
    verb 3
    client-to-client
    push "redirect-gateway def1"
    #set the dns servers
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    log-append /var/log/openvpn
    comp-lzo

We had to forward the Raspberry Pi's IP address to our public IP address, and this is done by enabling IP forwarding and using the commands

    echo 1 > /proc/sys/net/ipv4/ip_forward
    nano sysctl.conf

and editing #net.ipv4.ip_forward=1 to net.ipv4.ip_forward=1.

Next, we had to edit the Raspberry Pi's IP tables to allow packets to be sent from the VPN server IP address and the Raspberry Pi IP address along with the port we configured in the server configuration file. This is done by editing the Raspberry Pi's rc.local file, which runs when the Pi is booting up. In addition, the port used in the server configuration file needed to be port forwarded by the router that we were using.

    sudo nano /etc/rc.local

then add to the end of the file before exit

    iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source <Pi IP address>

Lastly, we had to give our client its key and certificates that were built previously, and we configured the settings for the client's OpenVPN using the following commands. The following files (ca.crt, client1.crt, client1.key, and vpnsettings.ovpn) needed to be placed in our client's C:\Program Files\OpenVPN\config directory folder.

    nano vpnsettings.ovpn

    dev tun
    client
    proto udp
    remote <Pi's IP address> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    comp-lzo
    verb 3
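A current review would flag the server and client files above on several points: 1024-bit DH parameters, comp-lzo, no explicit cipher, no tls-auth, and no server-certificate check on the client. The script below is an added example, not part of the paper or of OpenVPN; audit_openvpn_conf, has and write_samples are hypothetical names, the samples are trimmed constructed copies of the two configs, and 203.0.113.10 is a placeholder for the Pi's address.

```shell
#!/bin/sh
# Added example: static checks for OpenVPN configs shaped like the two on this page.

has() {  # has FILE REGEX: true if a non-comment line begins with a matching directive
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

audit_openvpn_conf() {  # prints one finding per line; a starting list, not a full audit
    conf=$1
    # easy-rsa 2.0 names the DH file after KEY_SIZE, so the name gives the size.
    dh=$(awk '$1 == "dh" { print $2; exit }' "$conf")
    case $dh in
        *dh512.pem|*dh1024.pem) echo "WEAK-DH $dh: use 2048-bit or larger parameters" ;;
    esac
    has "$conf" '(comp-lzo|compress)' &&
        echo "COMPRESSION: compressing before encrypting can leak plaintext"
    has "$conf" cipher ||
        echo "NO-CIPHER: OpenVPN before 2.4 defaults to BF-CBC (64-bit blocks)"
    if has "$conf" server; then
        has "$conf" '(tls-auth|tls-crypt)' ||
            echo "NO-TLS-AUTH: unauthenticated packets reach the TLS handshake"
    fi
    if has "$conf" client; then
        has "$conf" '(remote-cert-tls|ns-cert-type|verify-x509-name)' ||
            echo "NO-SERVER-VERIFY: any certificate from this CA can pose as the server"
    fi
}

# Constructed samples: trimmed copies of the page's openvpn.conf and vpnsettings.ovpn.
write_samples() {
    cat > "$1/openvpn.conf" <<'EOF'
dev tun
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
comp-lzo
EOF
    cat > "$1/vpnsettings.ovpn" <<'EOF'
client
remote 203.0.113.10 1194
comp-lzo
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in openvpn.conf vpnsettings.ovpn; do
    echo "== $f"; audit_openvpn_conf "$tmp/$f"
done
rm -rf "$tmp"
```

The DH check relies on the file name only; `openssl dhparam -in FILE -text -noout` reports the actual parameter size.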

The guides we used to learn about these configurations for OpenVPN are references [4 - 5].
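Two of the Section III steps fail silently after a reboot: forwarding enabled only through /proc is lost, and iptables lines placed after the exit in rc.local never run. This added example (not from the paper; the function names and the 192.0.2.10 placeholder address are assumptions) checks both conditions on constructed sample files.

```shell
#!/bin/sh
# Added example: check that the forwarding and NAT settings will survive a reboot.

# True if FILE (sysctl.conf) has an uncommented net.ipv4.ip_forward=1 line.
forwarding_persistent() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Prints "ok" when FILE (rc.local) installs a POSTROUTING rule for SUBNET before
# its first "exit", "after-exit" when the rule can never run, else "missing".
nat_rule_status() {
    awk -v subnet="$2" '
        $1 ~ /^#/    { next }            # comments, including the #! line
        $1 == "exit" { exited = 1 }
        /iptables/ && /POSTROUTING/ && index($0, subnet) {
            print (exited ? "after-exit" : "ok"); found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample files showing both mistakes.
write_boot_samples() {
    printf '%s\n' '#net.ipv4.ip_forward=1' > "$1/sysctl.conf"
    cat > "$1/rc.local" <<'EOF'
#!/bin/sh -e
exit 0
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.0.2.10
EOF
}

tmp=$(mktemp -d) && write_boot_samples "$tmp"
forwarding_persistent "$tmp/sysctl.conf" || echo "ip_forward is still commented out"
echo "NAT rule: $(nat_rule_status "$tmp/rc.local" 10.8.0.0/24)"
rm -rf "$tmp"
```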

IV. Experimental Results


In order to test the VPN server we had created, we needed to leave the Pi connected to the router of the network we wanted to connect to (our home network) and travel outside looking for hotspots that provide internet access. We brought our laptop with us, which included all the client configuration files and the OpenVPN software. We brought our laptop to a local Burger King and connected it to its public internet.

Afterwards, it was time to see if we had successfully configured our VPN server. We did this by running OpenVPN as administrator and pressing connect.
As one can see, we were successful connecting to our home network from Burger King through a full tunnel connection using the SSL/TLS protocol. This resolves the security issues one has when connecting to a public internet, and we are now able to roam the web without any regulations. Moreover, we can access our Pi or any servers set up on our home network anywhere we go.

V. Conclusions

What makes the Raspberry Pi so special is its size and pricing. Raspberry Pi has given us the opportunity to create $35 value projects that are worth way more than their cost. We were inspired to create a VPN network when we found out how China was using the Pi to bypass its great firewall [6]. A tech-savvy Chinese man used VPN to connect to one of the many foreign VPN providers and was able to escape the government's censorship. On top of that, he was able to use his Pi as a hotspot, giving more people access to this freedom. Using this idea, a person could also use the Pi's VPN server to enter foreign websites from another country. For example, from the US we are unable to enter websites for the UK, but if we were connected to a network in the UK we would be able to enter these websites. To do this, one will need to obtain the IP from a service provider. Usually these services cost money, but we were able to find a website that provides IP addresses from the UK for free [7].

References
[1] Upton, E. Raspberry Pi Faqs. N.p. Web. 23 Nov 2013. http://www.raspberrypi.org/faqs
[2] Microsoft TechNet. VPN Tunneling Protocols. N.p. Web. 5 Dec 2013. http://technet.microsoft.com/en-us/library/cc771298(v=WS.10).aspx
[3] Microsoft TechNet. How VPN Works. N.p. Web. 22 Nov 2013. http://technet.microsoft.com/en-us/library/cc779919(v=ws.10).aspx
[4] Open vpn. N.p. Web. 22 Nov 2013. http://openvpn.net/index.php/open-source/documentation/howto.html
[5] "Raspberry Pi Tutorials." Home. N.p., n.d. Web. 22 Nov. 2013.
[6] Muncaster, Phil. "Raspberry Pi Puts Holes in China's Great Firewall." The Register. N.p., 29 May 2013. Web. 12 Dec. 2013. http://www.theregister.co.uk/2013/05/29/raspberry_pi_helps_hassle_free_circumvention_great_firewall/
[7] VPNBOOK. Free openvpn and pptp. N.p. Web. 15 Dec 2013. http://www.vpnbook.com/
