{"id":3214,"date":"2015-09-01T22:20:37","date_gmt":"2015-09-02T05:20:37","guid":{"rendered":"http:\/\/kmwoley.com\/blog\/?p=3214"},"modified":"2017-05-21T16:24:56","modified_gmt":"2017-05-21T23:24:56","slug":"raspberry-pi-openvpn-the-babys-webcam-secure-access-to-your-home-network","status":"publish","type":"post","link":"https:\/\/kmwoley.com\/blog\/raspberry-pi-openvpn-the-babys-webcam-secure-access-to-your-home-network\/","title":{"rendered":"Raspberry Pi + OpenVPN + the Baby&#8217;s Webcam &#8211; Secure Access to your Home Network"},"content":{"rendered":"<p>M and I have a great webcam setup for our home for the lil nugget &#8211; it&#8217;s a simple <a href=\"http:\/\/www.amazon.com\/D-Link-Wireless-Surveillance-mydlink-Enabled-DCS-932L\/dp\/B004P8K24W\" target=\"_blank\" rel=\"noopener noreferrer\">DLink webcam<\/a> that costs less than $50. So much cheaper than an expensive, baby-specific monitor.<\/p>\n<p><a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/20150525_125611-e1440895242157.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3215\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/20150525_125611-e1440895242157-576x1024.jpg\" alt=\"\" width=\"248\" height=\"441\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/20150525_125611-e1440895242157.jpg 576w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/20150525_125611-e1440895242157-169x300.jpg 169w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/20150525_125611-e1440895242157-84x150.jpg 84w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/20150525_125611-e1440895242157-400x711.jpg 400w\" sizes=\"auto, (max-width: 248px) 100vw, 248px\" \/><\/a><\/p>\n<p>We use a tablet and our phones to check in on the baby using this great app <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.alexvas.dvr.pro&amp;hl=en\" target=\"_blank\" 
rel=\"noopener noreferrer\">(tinyCam Monitor Pro)<\/a> &#8211; the best feature is that you can turn off your phone and still have the audio alert you when the baby starts making noise louder than the ambient room noise (i.e. squelch the volume &amp;\u00a0not have to listen all the time to\u00a0the white noise we pump into the nugget&#8217;s ears to keep him happily asleep).<\/p>\n<p>The problem is that we can&#8217;t view the webcam from outside the house securely. DLink provides an app that lets you view the camera when you&#8217;re not on your home WiFi, but it does so in an insecure way &#8211; basically broadcasting the video feed for anyone to intercept and see. That creeps me out.<\/p>\n<p>So we needed a way to get secure access from our phones, anywhere in the world, back into our home network so we could see the camera. Well, need is a strong term&#8230; desire, perhaps.<\/p>\n<p>This is what Virtual Private Networks (VPN) were built for &#8211; I&#8217;ll walk through how I set one up for our home.<\/p>\n<p><em>This is a tech how-to. It&#8217;ll take an afternoon or a weekend to complete the project. It was a pain in the butt for me &#8211; I&#8217;m writing these instructions down in the hopes I can save someone else some time.<\/em><\/p>\n<p><!--more--><\/p>\n<h1>Instructions<\/h1>\n<h2>What we&#8217;re trying to do.<\/h2>\n<p>Allow secure access to things inside your home&#8217;s network from anywhere in the world.<\/p>\n<p>Specifically, enabling our Android phones\u00a0and Windows laptops to access our home network, including our baby camera (and file shares and whatever else we want) while we&#8217;re not at home. It&#8217;s also a great way to provide yourself secure web browsing when you&#8217;re away from home.<\/p>\n<p>These instructions are focused on our Android phones (both running Lollipop), and our Windows 10 laptops. 
They&#8217;ll probably work for your Mac\/iPhone as well.<\/p>\n<p>These instructions are specific to setting up a Raspberry Pi Linux machine with OpenVPN software, and then connecting to it from the outside world.<\/p>\n<h2>What you&#8217;ll need.<\/h2>\n<ul>\n<li>Raspberry Pi &#8211; It&#8217;s basically a very cheap, power efficient, simple computer.\u00a0I used an older &#8220;Model B&#8221;, but there are <a href=\"http:\/\/www.amazon.com\/Raspberry-Pi-Model-Desktop-Linux\/dp\/B00T2U7R7I\/\" target=\"_blank\" rel=\"noopener noreferrer\">newer ones out there.<\/a><\/li>\n<li>All the stuff to make the Raspberry Pi run:\n<ul>\n<li>Keyboard<\/li>\n<li>SD card<\/li>\n<li>USB power supply<\/li>\n<li>Ethernet<\/li>\n<li>HDMI cable<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.amazon.com\/CanaKit-Raspberry-Complete-Original-Preloaded\/dp\/B008XVAVAW\" target=\"_blank\" rel=\"noopener noreferrer\">You can buy almost all of it as a kit, easy enough for under $70.<\/a><\/p>\n<p><em>Tip:<\/em> you can actually run an OpenVPN server on any computer that&#8217;s always running within your home network. I used the Raspberry Pi because it&#8217;s small, cheap, doesn&#8217;t use a lot of power, and has &#8216;good enough&#8217; performance for what I need. If you need amazing performance, you&#8217;ll definitely want a newer Raspberry Pi 2.<\/p>\n<h2>What I assume you already have.<\/h2>\n<ul>\n<li>A computer<\/li>\n<li>Broadband internet and a home network router<\/li>\n<li>Time<\/li>\n<li>Willingness to make some mistakes and learn<\/li>\n<\/ul>\n<h2>What I don&#8217;t assume.<\/h2>\n<p>I don&#8217;t assume you know anything about Linux, Raspberry Pi, Home Networking, etc. Undoubtedly I may leave out some critical step or you may encounter something different. If you do encounter trouble, I&#8217;m sorry. Leave a comment and maybe I can help. 
Hopefully the Internet has both of our backs.<\/p>\n<h2>Step 1) Get that Raspberry Pi Setup<\/h2>\n<p>There are some great guides out there to getting the Raspberry Pi computer up and running. I recommend going <a href=\"https:\/\/www.raspberrypi.org\/help\/noobs-setup\/\" target=\"_blank\" rel=\"noopener noreferrer\">here to get started<\/a> and following their instructions to setup your Raspberry Pi.<\/p>\n<p>You&#8217;ll know you&#8217;re done with this step when you can successfully log in to the Raspberry Pi&#8217;s terminal, which is the text interface where we&#8217;ll be doing most of our work.<\/p>\n<p><em>This is the only step in the process that I&#8217;ll send you off to somewhere else to do something&#8230; the remainder of the instructions here are self-contained.<\/em><\/p>\n<h2>Step 2) Make Raspberry Pi Secure<\/h2>\n<p>Out of the box, the Raspberry Pi has a couple of default passwords. It&#8217;s a really good idea to change them.<\/p>\n<p>First, change the super user password by running this\u00a0command on the Raspberry Pi terminal:<\/p>\n<pre style=\"padding-left: 30px;\">sudo passwd<\/pre>\n<p>Follow the prompts to enter a new password. Change the password to something very secure. This changes the &#8216;root&#8217; user&#8217;s password. &#8216;root&#8217; is very special in Linux &#8211; it&#8217;s the user who has full control of everything on the machine. By default, other users don&#8217;t have full control of the machine. The <strong>sudo <\/strong>command here is a way to say, let me temporarily become the root user so I can do something privileged. You&#8217;ll see that command a lot.<\/p>\n<p>Next\u00a0run the following command:<\/p>\n<pre style=\"padding-left: 30px;\">passwd<\/pre>\n<p>This changes the &#8216;pi&#8217; user&#8217;s password. It can be the same as (or different from) the root user&#8217;s password. 
That&#8217;s up to you.<\/p>\n<h2>Step 3) Setup SSH<\/h2>\n<p>Up until this point, you haven&#8217;t had to do anything on the network. If you haven&#8217;t done so already, plug the Raspberry Pi into your internet router because we&#8217;re about to go online.<\/p>\n<h3>3.1 Enable SSH on the Raspberry Pi<\/h3>\n<p>SSH is a tool that allows you to connect securely between two computers. By default, the Raspberry Pi doesn&#8217;t have SSH turned on, so we need to do that so you can connect to it.<\/p>\n<p>In\u00a0Raspberry Pi&#8217;s command terminal, run<\/p>\n<pre style=\"padding-left: 30px;\">sudo raspi-config<\/pre>\n<p style=\"padding-left: 30px;\">Navigate to <span style=\"text-decoration: underline;\">Advanced Options<\/span><strong> &gt; <\/strong><span style=\"text-decoration: underline;\">SSH <\/span>and choose <span style=\"text-decoration: underline;\">Enable<\/span>. Then you can exit.<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_06_50-pi@berry_-.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3218 size-thumbnail\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_06_50-pi@berry_--150x150.png\" alt=\"\" width=\"150\" height=\"150\" \/><\/a>\u00a0<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_08_08-pi@berry_-.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3219 size-thumbnail\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_08_08-pi@berry_--150x150.png\" alt=\"\" width=\"150\" height=\"150\" \/><\/a>\u00a0<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_08_55-pi@berry_-.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3220 
size-thumbnail\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_08_55-pi@berry_--150x150.png\" alt=\"\" width=\"150\" height=\"150\" \/><\/a><\/p>\n<h3>3.2 Find out your Raspberry Pi&#8217;s IP Address<\/h3>\n<p>Internet Protocol (IP) addresses are how computers know how to find each other on the internet. We need to know the Raspberry Pi&#8217;s IP address so we can log into it from our computer. Run this command and take note of the &#8216;inet address&#8217; displayed &#8211; it&#8217;s probably something like 192.168.1.35.<\/p>\n<pre style=\"padding-left: 30px;\">ifconfig<\/pre>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_12_49-pi@berry_-.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3221 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_12_49-pi@berry_--300x57.png\" alt=\"\" width=\"300\" height=\"57\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_12_49-pi@berry_--300x57.png 300w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_12_49-pi@berry_-.png 1024w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_12_49-pi@berry_--150x28.png 150w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_12_49-pi@berry_--400x75.png 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h3>3.3 Get an SSH client &amp; log into your Pi<\/h3>\n<p>This next step depends on what kind of computer you have.<\/p>\n<p><b>Apple Mac<br \/>\n<\/b>If you have a Mac, you can open the Terminal app (\/Applications\/Utilities\/), and type the following command, changing the bold\u00a0<strong>RaspberrypiIPAddress\u00a0<\/strong>part of the\u00a0line with the IP address you got in the previous step.<\/p>\n<pre style=\"padding-left: 30px;\">ssh 
pi@<strong>RaspberryPiIPAddress<\/strong><\/pre>\n<p>For example:<\/p>\n<pre style=\"padding-left: 30px;\">ssh pi@192.168.1.50<\/pre>\n<p><strong>Windows<\/strong><br \/>\nIf you&#8217;re on Windows, you&#8217;ll need to download an SSH client. I recommend putty.exe, because it&#8217;s small and easy to use.<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/the.earth.li\/~sgtatham\/putty\/latest\/x86\/putty.exe\" target=\"_blank\" rel=\"noopener noreferrer\">Download PuTTy here.<\/a><\/p>\n<p>Once you download it, run the program and use your IP address to connect to your Pi.<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/kmwoley.com\/blog\/raspberry-pi-openvpn-the-babys-webcam-secure-access-to-your-home-network\/2015-08-29-19_41_43-putty-configuration\/\" rel=\"attachment wp-att-3222\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-thumbnail wp-image-3222\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-19_41_43-PuTTY-Configuration-150x150.png\" alt=\"2015-08-29 19_41_43-PuTTY Configuration\" width=\"150\" height=\"150\" \/><\/a><\/p>\n<p>When you connect, you will be prompted for your user name (&#8220;pi&#8221;) and your password (the one you set in Step 2).<\/p>\n<p>Now that you&#8217;re logged in from your computer, let&#8217;s just keep working from there.<\/p>\n<h2>Step 4) Update\/Install Raspberry Pi&#8217;s Software<\/h2>\n<p>It&#8217;s always a good idea to run the most up to date software to make sure you&#8217;re protected against vulnerabilities that may have been found &amp; fixed. It&#8217;s pretty easy to do it on Linux. On the Raspberry Pi, you just run these two commands:<\/p>\n<pre style=\"padding-left: 30px;\">sudo apt-get update\r\nsudo apt-get upgrade<\/pre>\n<p>There&#8217;s that <strong>sudo <\/strong>again&#8230; you need to be the root user to be able to update the machine. 
The first command updates the internal knowledge about what software is ready to be upgraded, the second command actually does the upgrade. This can take a few minutes. Go grab a beverage if you don&#8217;t have one.<\/p>\n<p>Next you&#8217;ll want to make sure the Raspberry Pi&#8217;s firmware is up to date. That can be done with the following two commands:<\/p>\n<pre style=\"padding-left: 30px;\">sudo apt-get install rpi-update\r\nsudo rpi-update<\/pre>\n<p>The last piece of software we&#8217;re going to install is the OpenVPN software. That&#8217;s done with the following command:<\/p>\n<pre style=\"padding-left: 30px;\">sudo apt-get install openvpn<\/pre>\n<p>Last, but not least, it&#8217;s probably time to reboot your Raspberry Pi. You can do that with the following command:<\/p>\n<pre style=\"padding-left: 30px;\">sudo reboot<\/pre>\n<p>Once it has rebooted, you can SSH back in (i.e. log in) again using the instructions from the end of step 3 above.<\/p>\n<p>You should be all set with the basic software install now. We&#8217;ll come back to configuring it later.<\/p>\n<h2>Step 5) Setup Static Internet Addresses<\/h2>\n<p>In order for you to be able to reach your home from anywhere else in the universe, you need to know what IP address to look up. IP addresses are how computers find each other on the internet. It&#8217;s how we logged into your Raspberry Pi from your computer in Step 3. Unfortunately, they can change over time so we need to fix up a few things.\u00a0If you don&#8217;t know much about them, don&#8217;t worry&#8230;<\/p>\n<h3>5.1) Set up a personal domain name for yourself<\/h3>\n<p>Your home network has an External IP address &#8211; this is the single address that represents your home router. Your external IP address changes a lot &#8211; pretty much every time you reboot your router &#8211; so it&#8217;s a really good idea to use a service that can be updated to always know your external IP address. 
This is done through the domain name system. The domain name system (DNS) is the way that Internet domain names are located and translated into Internet Protocol addresses. A\u00a0domain name is a meaningful and easy-to-remember &#8220;handle&#8221; for an Internet address.<\/p>\n<p>There are a lot of services out there where you can create your own Domain Name and point it back to your home network. I like\u00a0<a href=\"https:\/\/freedns.afraid.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/freedns.afraid.org\/<\/a> because it&#8217;s free. Follow the links in the steps below to get a DNS setup for your home:<\/p>\n<ol>\n<li>Make your account -&gt; <a href=\"https:\/\/freedns.afraid.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">freedns.afraid.org<\/a> -&gt; <a href=\"https:\/\/freedns.afraid.org\/signup\/\" target=\"_blank\" rel=\"noopener noreferrer\">Signup<\/a><\/li>\n<li>Make a DNS\u00a0record (<a href=\"https:\/\/freedns.afraid.org\/subdomain\/\" target=\"_blank\" rel=\"noopener noreferrer\">subdomains<\/a> -&gt; Add -&gt; Save)\n<ul>\n<li>Pick any subdomain name and domain that you want. This will be the address you use to find your way home.<\/li>\n<li>Leave all the other options as default.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>You&#8217;ll see your entry appear in the <a href=\"https:\/\/freedns.afraid.org\/subdomain\/\" target=\"_blank\" rel=\"noopener noreferrer\">subdomains<\/a> page when you&#8217;re done. Write down your full domain name (example: yoursubdomain.afraid.org). We&#8217;re going to need it later.<\/p>\n<h3>5.2 Update your domain with your external IP address<\/h3>\n<p>Next you need to tell your Raspberry Pi to periodically update freedns.afraid.org so that it knows your current External IP address, in case it changes in the future. 
We&#8217;ll do that by using a tool called <strong>crontab <\/strong>which is designed to do things like this periodically.<\/p>\n<ol>\n<li>Go to <a href=\"http:\/\/freedns.afraid.org\/dynamic\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/freedns.afraid.org\/dynamic\/<\/a><\/li>\n<li>Look for the link that says <span style=\"text-decoration: underline;\">&#8216;quick cron example&#8217;<\/span> towards the bottom of the page. Click the link.<\/li>\n<li>At the very bottom of the page, you&#8217;ll see a line that looks like this:\n<pre>3,8,13,18,23,28,33,38,43,48,53,58 * * * * sleep 27 ; wget --no-check-certificate -O - https:\/\/freedns.afraid.org\/dynamic\/update.php?blahblahblahblah &gt;&gt; \/tmp\/freedns_subdomain_domain_com.log 2&gt;&amp;1 &amp;<\/pre>\n<\/li>\n<li>Copy the line from the bottom of your <span style=\"text-decoration: underline;\">&#8216;quick cron example&#8217;<\/span>.<\/li>\n<li>On your Raspberry Pi&#8217;s SSH terminal, type the following command.\n<pre>crontab -e<\/pre>\n<p>This will open the <strong>nano<\/strong> editor. This is the default text file editor on Raspberry Pi.<\/li>\n<li>Scroll to the bottom of the file (using your arrow keys on your keyboard) &amp; paste the text from step 3 into the file.\n<ul>\n<li><em>Hint:<\/em> on Windows, right clicking in the PuTTY window will paste text under your cursor.<\/li>\n<\/ul>\n<\/li>\n<li>Save the file by pressing Ctrl-O, and then Ctrl-X to exit.<\/li>\n<\/ol>\n<p>Now <strong>crontab <\/strong>will run every now and then and tell your DNS service your external IP address. You now can always reach your home network while you&#8217;re out in the world.<\/p>\n<h3>5.3\u00a0Internal Static IP Addresses &amp; Port Forwarding<\/h3>\n<p>In the previous steps, we setup a domain name so that you can always reach your home network. 
Once we can reach the home network, however, we still need to make it possible to reach the Raspberry Pi machine which is behind your home router&#8217;s firewall.<\/p>\n<p>In these next steps, you&#8217;re going to have to configure your home router. Unfortunately, every home router is different so I can&#8217;t give you specific advice. I&#8217;ll show you what it looks like on my router in hopes it&#8217;ll help you find the same options on your own home router. I suggest searching the web for the model of your router and keywords like &#8216;static ip address&#8217; and &#8216;port forwarding&#8217; to learn about your specific router.<\/p>\n<p><strong>Set a static IP Address for your Pi<\/strong><\/p>\n<ol>\n<li>Login to your router in a browser\u00a0(likely at\u00a0<a href=\"http:\/\/www.routerlogin.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.routerlogin.net\/<\/a>)<\/li>\n<li>Find the place where you can set static IP addresses, sometimes called &#8220;Address Reservation&#8221;. 
In my router that&#8217;s under the\u00a0<span style=\"text-decoration: underline;\">Advanced<\/span>\u00a0tab under <span style=\"text-decoration: underline;\">Setup<\/span> &gt; <span style=\"text-decoration: underline;\">LAN Setup<\/span>.<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_09_08.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3223 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_09_08-300x142.png\" alt=\"\" width=\"300\" height=\"142\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_09_08-300x142.png 300w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_09_08.png 1024w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_09_08-150x71.png 150w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_09_08-400x190.png 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/li>\n<li>When you find the right place in your router, you should be able to set a static IP address associated with the Raspberry Pi in your router. That makes sure your IP address of the Pi never changes in the future. 
Note that you&#8217;re looking to set up a static IP for the IP address you found in Step 3.2 above, and the MAC address in the entry should match the <span style=\"text-decoration: underline;\">HWAddr<\/span> you saw in that same step by running\u00a0<strong>ifconfig<\/strong>.<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_16_56.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3224 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_16_56-300x142.png\" alt=\"\" width=\"300\" height=\"142\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_16_56-300x142.png 300w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_16_56.png 1024w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_16_56-150x71.png 150w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_16_56-400x189.png 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/li>\n<\/ol>\n<p><strong>Set up port-forwarding to your Pi<\/strong><\/p>\n<p>Next, we need to make it possible for external internet traffic to reach the Raspberry Pi inside your home network. To do so, we forward a port from the external network to the internal network. This is basically punching a tiny, very specific hole in the defenses of your home network to let a particular kind of traffic in to a specific machine inside the firewall. Again, every router is different&#8230; yours will likely have different instructions. I suggest searching the web here.<\/p>\n<ol>\n<li>Log into your router if you&#8217;re not already.<\/li>\n<li>Navigate to the Port Forwarding configuration. 
In my router, it&#8217;s under\u00a0the\u00a0<span style=\"text-decoration: underline;\">Advanced<\/span>\u00a0tab under <span style=\"text-decoration: underline;\">Advanced\u00a0Setup<\/span> &gt; <span style=\"text-decoration: underline;\">Port Forwarding \/ Port Triggering<\/span>.<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_25_19.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3225 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_25_19-300x139.png\" alt=\"\" width=\"300\" height=\"139\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_25_19-300x139.png 300w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_25_19.png 1024w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_25_19-150x70.png 150w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-29-20_25_19-400x186.png 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/li>\n<li>Once you find the right place, you want to set up a port forwarding rule with the following parameters:\n<ul>\n<li>Protocol: UDP<\/li>\n<li>External Port: 1194<\/li>\n<li>Internal Port: 1194<\/li>\n<li>Name: OpenVPN (if required)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>Hopefully that&#8217;s enough information to get things setup right.<\/p>\n<p>You can test that it&#8217;s all setup correctly\u00a0later when we get to setting up the OpenVPN software.<\/p>\n<h2>Step 6) Setup the OpenVPN Server on your Raspberry Pi<\/h2>\n<p>Finally! We get around to some software configuration on the Pi. This is where we make the magic happen.<\/p>\n<h3>6.1 Configuration of easy-rsa<\/h3>\n<p>In order to securely connect between two computers, OpenVPN uses keys which provide the authentication and security between the two computers. 
These keys that we&#8217;re about to generate are the shared secrets that make it possible for you to connect from the outside world. It&#8217;s important that you protect the keys we&#8217;re about to generate and make sure nobody gets access to them, or they could get access to your network.<\/p>\n<p>Whew. Warnings over. Let&#8217;s do this.<\/p>\n<p>OpenVPN comes with a tool called\u00a0<strong>easy-rsa\u00a0<\/strong>that makes creating the keys simple.<\/p>\n<p>Go back to your SSH terminal and log into your Pi if you&#8217;re not already logged in.<\/p>\n<p>From the command prompt, do the following actions:<\/p>\n<ol>\n<li>Copy the easy-rsa directory to somewhere better &#8211; this is a good idea to make sure it doesn&#8217;t get overwritten\/changed in further upgrades.\n<pre>sudo cp -r \/usr\/share\/doc\/openvpn\/examples\/easy-rsa\/2.0 \/etc\/openvpn\/easy-rsa<\/pre>\n<\/li>\n<li>Make some changes to the\u00a0<strong>easy-rsa\u00a0<\/strong>configuration\n<ul>\n<li>Open the <strong>easy-rsa<\/strong> configuration file:\n<pre>cd \/etc\/openvpn\/easy-rsa\r\nsudo nano vars<\/pre>\n<\/li>\n<li>Inside the vars file, find the line that starts with &#8220;export EASY_RSA=&#8221; and replace it with:\n<pre>export EASY_RSA=\"\/etc\/openvpn\/easy-rsa\"<\/pre>\n<\/li>\n<li>Make the key strength higher by making it longer. Find the line that starts with &#8220;export KEY_SIZE&#8221; and replace it with:\n<pre>export KEY_SIZE=2048<\/pre>\n<\/li>\n<li>There are other things you can change here if you wish, like the organization name, email, etc. 
but you really don&#8217;t have to.<\/li>\n<li>Save and close the file (Ctrl-O, Ctrl-X)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h3>6.2\u00a0Generating keys<\/h3>\n<p>Now that\u00a0<strong>easy-rsa<\/strong> is set up, we can generate keys.<\/p>\n<p><strong>Generating Server Keys<br \/>\n<\/strong>Run the following commands to generate the keys for your Raspberry Pi server. The first one opens a root shell, which the key generation needs because the copied easy-rsa directory is owned by root:<\/p>\n<pre style=\"padding-left: 30px;\">sudo -s\r\ncd \/etc\/openvpn\/easy-rsa\r\n. .\/vars\r\n.\/clean-all\r\n.\/build-ca<\/pre>\n<p>The last command will ask you a few questions. You only have to enter something into the &#8220;Common Name&#8221; field (the name of your server would be a fine choice). At the end, you should say &#8216;y&#8217; to all the questions.<\/p>\n<p>Next, we build the keys for the server:<\/p>\n<pre style=\"padding-left: 30px;\">.\/build-key-server server<\/pre>\n<p>This will ask you a few questions again. All of the other questions you can answer by pressing the Enter key.<\/p>\n<p>Finally, we have just a couple more keys to generate.<\/p>\n<pre style=\"padding-left: 30px;\">openvpn --genkey --secret \/etc\/openvpn\/easy-rsa\/keys\/ta.key\r\n.\/build-dh<\/pre>\n<p>That last command will take a very, very long time. Go get a beverage and check back every 20 min or so to see if it&#8217;s done.<\/p>\n<p><strong>Generating Client Keys<br \/>\n<\/strong>A client is a machine that&#8217;s going to be connecting to our Raspberry Pi OpenVPN server. We need to make unique keys for each of those clients. The\u00a0<strong>build-key<\/strong> command creates a key for an individual computer. 
Run the commands below to generate a key for a remote client &#8211; replace <b>&#8216;clientname&#8217;<\/b> with a name that you want to associate with the phone or computer.<\/p>\n<pre style=\"padding-left: 30px;\">cd \/etc\/openvpn\/easy-rsa\r\n.\/build-key <strong>clientname<\/strong><\/pre>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-10_31_48-New-notification.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3238 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-10_31_48-New-notification-295x300.png\" alt=\"\" width=\"295\" height=\"300\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-10_31_48-New-notification-295x300.png 295w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-10_31_48-New-notification.png 1006w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-10_31_48-New-notification-147x150.png 147w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-10_31_48-New-notification-400x407.png 400w\" sizes=\"auto, (max-width: 295px) 100vw, 295px\" \/><\/a><\/p>\n<p>Suppose you had two phones (phone1, phone2) and a Windows machine (computer1) \u00a0you want to create keys for &#8211; you&#8217;d run the following command, once for each device.<\/p>\n<pre style=\"padding-left: 30px;\">.\/build-key phone1\r\n.\/build-key phone2\r\n.\/build-key computer1<\/pre>\n<p>Run <strong>build-key<\/strong> for each device that&#8217;ll be connecting to the VPN. 
You can name them whatever you want.\u00a0When you get done, you&#8217;ll have all the keys generated and located in <strong>\/etc\/openvpn\/easy-rsa\/keys<\/strong>.<\/p>\n<p><em>Tip:<\/em> if you ever need to add a new client, you can always come back and run <strong>.\/build-key<\/strong> for that new computer in the future.<\/p>\n<h3>6.4 Configure the OpenVPN Server<\/h3>\n<p>We now have to tell the OpenVPN server how it should behave. All of the settings for OpenVPN live in configuration files. We need to create one.<\/p>\n<p>Open a text file editor and create the\u00a0<span style=\"text-decoration: underline;\">server.conf<\/span> file for OpenVPN:<\/p>\n<pre style=\"padding-left: 30px;\">sudo nano \/etc\/openvpn\/server.conf<\/pre>\n<p>Cut and paste the following text into the file you just opened:<\/p>\n<pre style=\"padding-left: 30px;\"># the same port you configured on your router for forwarding\r\nport 1194\r\n\r\n# basic OpenVPN configuration\r\nproto udp\r\ndev tun\r\n\r\n# key and authentication configuration\r\nca \/etc\/openvpn\/easy-rsa\/keys\/ca.crt\r\ncert \/etc\/openvpn\/easy-rsa\/keys\/server.crt\r\nkey \/etc\/openvpn\/easy-rsa\/keys\/server.key # This file should be kept secret\r\ndh \/etc\/openvpn\/easy-rsa\/keys\/dh2048.pem\r\ntls-auth \/etc\/openvpn\/easy-rsa\/keys\/ta.key 0 # This file should be kept secret\r\n\r\n# configuration of the VPN's IP addresses\r\nserver 10.8.0.0 255.255.255.0\r\nifconfig-pool-persist \/etc\/openvpn\/easy-rsa\/ipp.txt\r\n\r\n# Add route to Client routing table for the OpenVPN Server\r\npush \"route 10.8.0.1 255.255.255.255\"\r\n\r\n# Add route to Client routing table for the OpenVPN Subnet\r\npush \"route 10.8.0.0 255.255.255.0\"\r\n\r\npush \"redirect-gateway def1 bypass-dhcp\"\r\nkeepalive 10 120\r\n\r\n# encryption configuration\r\ncipher AES-256-CBC\r\nauth SHA512\r\ntls-cipher DHE-RSA-AES256-SHA\r\n\r\n# enable compression of the data traffic\r\ncomp-lzo\r\n\r\n# The maximum number of concurrently connected\r\n# 
clients we want to allow.\r\nmax-clients 5\r\n\r\nuser nobody\r\ngroup nogroup\r\n\r\npersist-key\r\npersist-tun\r\n\r\nstatus \/var\/log\/openvpn-status.log 300\r\nlog \/var\/log\/openvpn.log\r\nverb 1\r\nmute 20<\/pre>\n<p>When you&#8217;re done, save and close the file (Ctrl-O, Ctrl-X).<\/p>\n<p>Now that the server is configured, you can (re)start the OpenVPN service:<\/p>\n<pre style=\"padding-left: 30px;\">sudo service openvpn restart<\/pre>\n<p>You should see a success message that looks similar to this:<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_34_03-pi@berry_-.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3231 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_34_03-pi@berry_--300x40.png\" alt=\"\" width=\"300\" height=\"40\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_34_03-pi@berry_--300x40.png 300w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_34_03-pi@berry_-.png 1024w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_34_03-pi@berry_--150x20.png 150w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_34_03-pi@berry_--400x54.png 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h3>6.5) Create the Client configuration files<\/h3>\n<p>There are two different ways you can set up your clients. One is to direct all Internet traffic through the OpenVPN server from the client &#8211; this is called a &#8220;full tunnel&#8221; VPN because you&#8217;re sending all of the traffic through the OpenVPN secure tunnel to your home network. 
The second way is to send only the\u00a0traffic that needs to reach inside your home network to the OpenVPN server &#8211; this is called a &#8220;split tunnel&#8221; VPN configuration, since the traffic takes a different route depending on whether it&#8217;s going to your home network or not.<\/p>\n<p><strong>Do I have to choose now?<br \/>\n<\/strong>No! You can actually have both tunnel types set up on your clients, and pick each\u00a0time you connect. This is what I do &#8211; 90% of the time I use the split tunnel because I&#8217;m at work or at a family member&#8217;s house and I trust the network. I only use the full tunnel when I&#8217;m internet banking from a public place like a coffee shop.<\/p>\n<p>So, you can create both of the files described below or just the one you want. We&#8217;ll move them to the client later.<\/p>\n<p><strong>Full Tunnel Configuration<br \/>\n<\/strong>Using the &#8216;full tunnel&#8217; configuration is a good idea if you want to protect 100% of all traffic coming out of the client device &#8211; this is how people in China and other heavily regulated countries get access to the real Internet, and how you can connect securely from an untrusted WiFi at a seedy coffee shop. By sending all traffic securely through your home network, you get the security\/trust level of your home network. 
The disadvantage here can be performance, since you&#8217;re going to be limited by the Raspberry Pi&#8217;s bandwidth and the bandwidth of your home network.<\/p>\n<p>Below, we&#8217;ll create the client configuration file for a full tunnel connection and save it on your Raspberry Pi.<\/p>\n<p>Open a text file editor and create the\u00a0<span style=\"text-decoration: underline;\">client-full.ovpn<\/span>\u00a0file for OpenVPN:<\/p>\n<pre style=\"padding-left: 30px;\">nano \/etc\/openvpn\/client-full.ovpn<\/pre>\n<p>Cut and paste the following text into the file you just opened:<\/p>\n<pre style=\"padding-left: 30px;\"># Full Tunnel OpenVPN client configuration\r\nclient\r\ndev tun\r\nproto udp\r\n\r\n# you must change 'subdomain.domain.com' \r\n# to your home DNS entry\r\nremote <strong>subdomain.domain.com<\/strong> 1194\r\n\r\n# Keep trying indefinitely to resolve the host name\r\n# of the OpenVPN server.\r\nresolv-retry infinite\r\n\r\nnobind\r\npersist-key\r\npersist-tun\r\n\r\n# key &amp; authentication configuration\r\nca ca.crt\r\ncert client.crt\r\nkey client.key\r\nremote-cert-tls server\r\ntls-auth ta.key 1\r\n\r\n# encryption configuration\r\ncipher AES-256-CBC\r\nauth SHA512\r\n\r\n# enable compression of the data traffic\r\ncomp-lzo\r\n\r\n# logging setup\r\nmute-replay-warnings\r\nverb 3\r\nmute 20\r\n<\/pre>\n<p><em>Important!<\/em> You need to change the\u00a0<strong>subdomain.domain.com<\/strong> in the file to the DNS address you created in Step 5.2. 
This is how the client knows what computer to connect to when it opens up the tunnel.<\/p>\n<p>When you&#8217;re done, save the file and exit\u00a0<strong>nano\u00a0<\/strong>(Ctrl-O, Ctrl-X).<\/p>\n<p><strong>Split Tunnel Configuration<\/strong><br \/>\nUsing a &#8216;split tunnel&#8217; configuration is good if you&#8217;re not worried about the security of your general Internet traffic, and you just want to be able to securely access things that are inside your home network.<\/p>\n<p>Below, we&#8217;ll create the client configuration file for a split tunnel connection and save it on your Raspberry Pi.<\/p>\n<p>Open a text file editor and create the\u00a0<span style=\"text-decoration: underline;\">client-split.ovpn<\/span>\u00a0file for OpenVPN:<\/p>\n<pre style=\"padding-left: 30px;\">nano \/etc\/openvpn\/client-split.ovpn<\/pre>\n<p>Cut and paste the following text into the file you just opened:<\/p>\n<pre style=\"padding-left: 30px;\"># Split Tunnel OpenVPN client configuration\r\nclient\r\ndev tun\r\nproto udp\r\n\r\n# you must change 'subdomain.domain.com' \r\n# to your home DNS entry\r\nremote <strong>subdomain.domain.com<\/strong> 1194\r\n\r\n# ignore the server's instructions about routing\r\n# all data to the OpenVPN server\r\nroute-nopull\r\n\r\n# direct this client to route only a subset of traffic\r\n# to the OpenVPN server through the tunnel\r\n#\r\n# you must change 'INTERNAL_HOME_ADDRESS' to your \r\n# home's IP address range.\r\nroute <strong>INTERNAL_HOME_ADDRESS<\/strong> 255.255.255.0\r\n\r\n# Keep trying indefinitely to resolve the host name\r\n# of the OpenVPN server.\r\nresolv-retry infinite\r\n\r\nnobind\r\npersist-key\r\npersist-tun\r\n\r\n# key &amp; authentication configuration\r\nca ca.crt\r\ncert client.crt\r\nkey client.key\r\nremote-cert-tls server\r\ntls-auth ta.key 1\r\n\r\n# encryption configuration\r\ncipher AES-256-CBC\r\nauth SHA512\r\n\r\n# enable compression of the data traffic\r\ncomp-lzo\r\n\r\n# logging 
setup\r\nmute-replay-warnings\r\nverb 3\r\nmute 20\r\n<\/pre>\n<p><em>Important!<\/em> You need to change the\u00a0<strong>subdomain.domain.com<\/strong> in the file to the DNS address you created in Step 5.2. This is how the client knows what computer to connect to when it opens up the tunnel.<\/p>\n<p><em>Also important!<\/em> You need to change the\u00a0<strong>INTERNAL_HOME_ADDRESS\u00a0<\/strong>to the IP address range of your\u00a0<em>internal\u00a0<\/em>network. Remember when we got your IP address for your Raspberry Pi in Step 3? You&#8217;ll use that address here, with a small change. You should change the last of the four numbers to a &#8216;0&#8217;. For example, if your Raspberry Pi&#8217;s IP address was &#8216;192.168.1.50&#8217;, you&#8217;d change the line to:<\/p>\n<pre style=\"padding-left: 30px;\">route <strong>192.168.1.0<\/strong> 255.255.255.0<\/pre>\n<p><span style=\"line-height: 1.5;\">When you&#8217;re done, save the file and exit\u00a0<\/span><strong style=\"line-height: 1.5;\">nano\u00a0<\/strong><span style=\"line-height: 1.5;\">(Ctrl-O, Ctrl-X).<\/span><\/p>\n<h3>6.6) Networking Setup: Internet Forwarding &amp; Firewalls<\/h3>\n<p>I bet you thought we were done with networking setup. You were wrong. Sorry. In order for OpenVPN to forward Internet traffic correctly, we need to update the firewall rules and forwarding rules on the Raspberry Pi itself. 
These steps allow the Raspberry Pi to give clients access to your internal (home) network, as well as the ability to use your external internet connection.<\/p>\n<p>First, create a file that contains the firewall update rules.<\/p>\n<pre style=\"padding-left: 30px;\">sudo nano \/etc\/openvpn\/firewall.sh<\/pre>\n<p>Into that file, cut and paste the following:<\/p>\n<pre style=\"padding-left: 30px;\">#!\/bin\/bash\r\n# clear out the filter and nat tables\r\niptables -t filter -F\r\niptables -t nat -F\r\n\r\n# permit established\/related traffic\r\niptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\r\n\r\n# forward traffic coming from the VPN subnet\r\niptables -A FORWARD -s \"10.8.0.0\/24\" -j ACCEPT\r\n\r\n# reject forwarded traffic that hasn't matched any rules yet\r\niptables -A FORWARD -j REJECT\r\n\r\n# NAT for accessing the LAN\r\niptables -t nat -A POSTROUTING -s \"10.8.0.0\/24\" -j MASQUERADE<\/pre>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_44_11-Cortana.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3233 size-thumbnail\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_44_11-Cortana-150x150.png\" alt=\"\" width=\"150\" height=\"150\" \/><\/a><\/p>\n<p style=\"padding-left: 30px;\">Save and close the file (Ctrl-O, Ctrl-X).<\/p>\n<p>Now you need to make that file executable &#8211; i.e. make it so it can run as a script and actually run those commands as if you typed them at the prompt.<\/p>\n<pre style=\"padding-left: 30px;\">sudo chmod +x \/etc\/openvpn\/firewall.sh<\/pre>\n<p>You can test whether you were successful by running the script:<\/p>\n<pre style=\"padding-left: 30px;\">sudo \/etc\/openvpn\/firewall.sh<\/pre>\n<p>Next, we want to make sure this file runs each time the computer boots. 
To do that, we&#8217;ll modify the <strong>rc.local<\/strong> file, which is a script that gets run at boot, and we&#8217;ll tell it to run our <strong>firewall.sh<\/strong> at each system startup.<\/p>\n<p>Open the\u00a0<strong>rc.local\u00a0<\/strong>file:<\/p>\n<pre style=\"padding-left: 30px;\">sudo nano \/etc\/rc.local<\/pre>\n<p>Just before the &#8220;exit 0&#8221;, put the following lines:<\/p>\n<pre style=\"padding-left: 30px;\"># NAT settings to allow access to local &amp; remote network for OpenVPN\r\n\/etc\/openvpn\/firewall.sh<\/pre>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_39_31-pi@berry_-.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3232 size-thumbnail\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_39_31-pi@berry_--150x150.png\" alt=\"\" width=\"150\" height=\"150\" \/><\/a><\/p>\n<p>Save the file and exit (Ctrl-O, Ctrl-X).<\/p>\n<h3>6.7 Enable IP forwarding<\/h3>\n<p>The last step is to tell the Raspberry Pi that it&#8217;s allowed to forward Internet traffic from the OpenVPN clients to the external internet &#8211; that&#8217;s done by modifying the <strong>sysctl.conf<\/strong> file.<\/p>\n<pre style=\"padding-left: 30px;\">sudo nano \/etc\/sysctl.conf<\/pre>\n<p>Find the line that reads<\/p>\n<pre style=\"padding-left: 30px;\">#net.ipv4.ip_forward=1<\/pre>\n<p>and uncomment it (remove the &#8220;#&#8221;):<\/p>\n<pre style=\"padding-left: 30px;\">net.ipv4.ip_forward=1<\/pre>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_58_29-pi@berry_-_etc_openvpn.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3234 size-thumbnail\" 
src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-30-07_58_29-pi@berry_-_etc_openvpn-150x150.png\" alt=\"\" width=\"150\" height=\"150\" \/><\/a><\/p>\n<p>Save and exit (Ctrl-O, Ctrl-X).<\/p>\n<h2>Your Pi is Baked!<\/h2>\n<p>Look at that! We&#8217;re all done configuring the Raspberry Pi&#8217;s OpenVPN server&#8230; we&#8217;re ready to connect our first client and see if it all worked!<\/p>\n<p>Let&#8217;s reboot the Raspberry Pi &#8211; we&#8217;re done here for now.<\/p>\n<pre style=\"padding-left: 30px;\">sudo reboot<\/pre>\n<h1>Connecting Remote Clients<\/h1>\n<p>Each device behaves a little differently and has different instructions. Here are instructions for the two device types we have running. If you want to set up an Apple Mac or iPhone, you&#8217;re going to have to do some googling to figure it out on your own.<\/p>\n<h2>Connecting from Android<\/h2>\n<ol>\n<li>On your Android phone, install\u00a0the following two apps from the Google Play store:\n<ul>\n<li><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.estrongs.android.pop&amp;hl=en\" target=\"_blank\" rel=\"noopener noreferrer\">ES File Explorer<\/a>\u00a0(we&#8217;ll use this to get the keys onto the phone)<\/li>\n<li><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=net.openvpn.openvpn&amp;hl=en\" target=\"_blank\" rel=\"noopener noreferrer\">OpenVPN Connect<\/a> (the Android OpenVPN software)<\/li>\n<\/ul>\n<\/li>\n<li>Make sure your phone is connected to your home&#8217;s WiFi and that the Raspberry Pi is turned on.<\/li>\n<li>Create a location for your OpenVPN files on the phone\n<ul>\n<li>Launch the <strong>ES File Explorer<\/strong> app<\/li>\n<li>Navigate to the sdcard directory: <span style=\"text-decoration: underline;\">Local<\/span> &gt; <span style=\"text-decoration: underline;\">SD 0.<\/span><\/li>\n<li>Click the <span style=\"text-decoration: underline;\">New<\/span> button, select <span style=\"text-decoration: 
underline;\">Folder<\/span>, and name it &#8220;OpenVPN&#8221;<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-04.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3246 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-04-169x300.png\" alt=\"\" width=\"169\" height=\"300\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-04-169x300.png 169w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-04.png 576w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-04-84x150.png 84w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-04-400x711.png 400w\" sizes=\"auto, (max-width: 169px) 100vw, 169px\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<li>Transfer the required files from the Raspberry Pi\n<ul>\n<li>In\u00a0the <strong>ES File Explorer<\/strong> app, navigate to\u00a0<span style=\"text-decoration: underline;\">Network<\/span> &gt;\u00a0<span style=\"text-decoration: underline;\">FTP<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-33.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3247 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-33-169x300.png\" alt=\"\" width=\"169\" height=\"300\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-33-169x300.png 169w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-33.png 576w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-33-84x150.png 84w, 
https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-03-33-400x711.png 400w\" sizes=\"auto, (max-width: 169px) 100vw, 169px\" \/><\/a><br \/>\n<\/span><\/li>\n<li>Click the\u00a0<span style=\"text-decoration: underline;\">New<\/span> button and select\u00a0<span style=\"text-decoration: underline;\">sftp<\/span><\/li>\n<li>Enter the connection details to allow your phone to log into your Pi\n<ul>\n<li>Server: the IP address of your Raspberry Pi<\/li>\n<li>Username: &#8220;pi&#8221;<\/li>\n<li>Password: the password you&#8217;ve been using to log into your Pi<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/Screenshot_2015-08-30-08-16-56.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3236 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/Screenshot_2015-08-30-08-16-56-169x300.png\" alt=\"\" width=\"169\" height=\"300\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/Screenshot_2015-08-30-08-16-56-169x300.png 169w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/Screenshot_2015-08-30-08-16-56.png 576w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/Screenshot_2015-08-30-08-16-56-84x150.png 84w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/Screenshot_2015-08-30-08-16-56-400x711.png 400w\" sizes=\"auto, (max-width: 169px) 100vw, 169px\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<li>Copy the\u00a0keys\u00a0to your Android Phone.\n<ul>\n<li>Once you log into your Pi, navigate to <strong>\/etc\/openvpn\/easy-rsa\/keys<\/strong><\/li>\n<li>Copy the files below to the &#8216;OpenVPN&#8217; directory you created on your phone earlier (<span style=\"text-decoration: underline;\">Local<\/span> &gt; <span style=\"text-decoration: underline;\">SD 0<\/span> &gt; O<span style=\"text-decoration: underline;\">penVPN<\/span>)\n<ul>\n<li>Every device will need the following 
two files:\n<ul>\n<li>ta.key<\/li>\n<li>ca.crt<\/li>\n<\/ul>\n<\/li>\n<li>Copy only\u00a0the two files that are specific to this <strong>clientname<\/strong> that you created in step 6.2:\n<ul>\n<li><strong>clientname<\/strong>.crt<\/li>\n<li><strong>clientname<\/strong>.key<\/li>\n<\/ul>\n<\/li>\n<li>Rename the two <strong>clientname<\/strong> files to:\n<ul>\n<li>client.crt<\/li>\n<li>client.key<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Copy the client configuration files to your phone.\n<ul>\n<li>Navigate to <strong>\/etc\/openvpn\/<\/strong><\/li>\n<li>Copy the following two files (or one, depending on your configuration) to your phone, in the same directory we used above (<span style=\"text-decoration: underline;\">Local<\/span> &gt; <span style=\"text-decoration: underline;\">SD 0<\/span> &gt; <span style=\"text-decoration: underline;\">OpenVPN<\/span>)\n<ul>\n<li>client-full.ovpn<\/li>\n<li>client-split.ovpn<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>When you&#8217;re done, your OpenVPN directory should look like this:<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-09-46.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3248 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-09-46-169x300.png\" alt=\"\" width=\"169\" height=\"300\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-09-46-169x300.png 169w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-09-46.png 576w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-09-46-84x150.png 84w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-09-46-400x711.png 400w\" sizes=\"auto, (max-width: 169px) 100vw, 169px\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Launch the <b>OpenVPN 
Connect\u00a0<\/b>app and connect.\n<ol>\n<li>From the &#8216;&#8230;&#8217; menu, select the\u00a0<span style=\"text-decoration: underline;\">Import<\/span> &gt;\u00a0<span style=\"text-decoration: underline;\">Import Profile from SD card<\/span>.<\/li>\n<li>Navigate to your OpenVPN folder, and select one of your two connection files (<span style=\"text-decoration: underline;\">client-full.ovpn<\/span> or <span style=\"text-decoration: underline;\">client-split.ovpn<\/span>).<\/li>\n<\/ol>\n<\/li>\n<li>Connect! &#8211; Hit the &#8216;Connect&#8217; button. Once connected, you should see this:<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-11-29.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3249 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-11-29-169x300.png\" alt=\"\" width=\"169\" height=\"300\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-11-29-169x300.png 169w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-11-29.png 576w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-11-29-84x150.png 84w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/Screenshot_2015-09-01-18-11-29-400x711.png 400w\" sizes=\"auto, (max-width: 169px) 100vw, 169px\" \/><\/a><\/li>\n<\/ol>\n<p>That&#8217;s it. You should now be connected. Hopefully you won&#8217;t need to do any troubleshooting.<\/p>\n<p>Obviously, the best way to test is to see if you can reach something on your internal network while you&#8217;re on a remote network. 
You can use an app like <strong><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=ua.com.streamsoft.pingtools&amp;hl=en\" target=\"_blank\" rel=\"noopener noreferrer\">Ping Tools<\/a>\u00a0<\/strong>to do a &#8216;Trace Route&#8217; to Google.com to see the exact path your network traffic takes to reach its destination. On a full tunnel, you should see the traffic go through your home network before it goes anywhere else. If you&#8217;re on a split tunnel, you can see how traffic to different services goes down different paths.<\/p>\n<p>Another thing you can check is your external IP address &#8211; if\u00a0you&#8217;re using the Full Tunnel, you can search Google for &#8216;whats my ip&#8217; and Google will tell you your external IP address. If you&#8217;re not on your home wireless (on your mobile data plan, for example), the external IP address it reports should change depending on whether you&#8217;re connected or disconnected.<\/p>\n<h2>Connecting from Windows<\/h2>\n<p>Note &#8211; these instructions are for Windows Vista and beyond. I&#8217;ve used them successfully on Windows Vista, Windows 8, and Windows 10.<\/p>\n<ol>\n<li>On your Windows client, install the following two programs:\n<ul>\n<li><a href=\"https:\/\/filezilla-project.org\/download.php?type=client\" target=\"_blank\" rel=\"noopener noreferrer\">FileZilla<\/a>\u00a0(we&#8217;ll use this to get the keys onto the computer from the Raspberry Pi)<\/li>\n<li><a href=\"https:\/\/openvpn.net\/index.php\/open-source\/downloads.html\" target=\"_blank\" rel=\"noopener noreferrer\">OpenVPN<\/a>\u00a0(the Windows\u00a0OpenVPN software)\n<ul>\n<li>Use the default options.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Make sure your computer is connected to your home&#8217;s WiFi and that the Raspberry Pi is turned on.<\/li>\n<li>Transfer the required files from the Raspberry Pi\n<ul>\n<li>Create a directory on your Desktop called &#8216;<strong>keys<\/strong>&#8217;. 
This is where we&#8217;ll copy the keys temporarily &#8211; its full address will be <strong>C:\\Users\\&lt;username&gt;\\Desktop\\keys<\/strong>\n<ul>\n<li>FileZilla is not able to directly copy the files into their final location, since it doesn&#8217;t have Admin privileges. We&#8217;ll copy them to the Desktop and move them to their final place later.<\/li>\n<\/ul>\n<\/li>\n<li>Launch FileZilla<\/li>\n<li>In the &#8220;QuickConnect&#8221; bar, enter the connection details that allow your computer\u00a0to log into your Pi.\n<ul>\n<li>Server: the IP address of your Raspberry Pi<\/li>\n<li>Username: &#8220;pi&#8221;<\/li>\n<li>Port: 22<\/li>\n<li>Password: the password you&#8217;ve been using to log into your Pi<\/li>\n<\/ul>\n<\/li>\n<li>Copy the\u00a0keys\u00a0to your\u00a0Windows computer\n<ul>\n<li>Once you log into your Pi, navigate to <strong>\/etc\/openvpn\/easy-rsa\/keys<\/strong><\/li>\n<li>Copy the files below to <strong>C:\\Users\\&lt;username&gt;\\Desktop\\keys<\/strong>\n<ul>\n<li>Every device will need the following two files:\n<ul>\n<li>ta.key<\/li>\n<li>ca.crt<\/li>\n<\/ul>\n<\/li>\n<li>Copy only\u00a0the two files that are specific to this <strong>clientname<\/strong> that you created in step 6.2:\n<ul>\n<li><strong>clientname<\/strong>.crt<\/li>\n<li><strong>clientname<\/strong>.key<\/li>\n<\/ul>\n<\/li>\n<li>After they&#8217;re copied to the computer, rename the two <strong>clientname<\/strong> files to the names below (<em>Tip:\u00a0<\/em>you may have to open the <strong>C:\\Users\\&lt;username&gt;\\Desktop\\keys<\/strong>\u00a0directory in the Windows File Explorer to rename these):\n<ul>\n<li>client.crt<\/li>\n<li>client.key<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Copy the client configuration files to your computer.\n<ul>\n<li>Navigate to <strong>\/etc\/openvpn\/<\/strong><\/li>\n<li>Copy one of the two\u00a0following files\u00a0to the same directory you put the keys into 
(<strong>C:\\Users\\&lt;username&gt;\\Desktop\\keys<\/strong>)\n<ul>\n<li>client-full.ovpn OR<\/li>\n<li>client-split.ovpn<\/li>\n<\/ul>\n<\/li>\n<li><em>Tip:\u00a0<\/em>If you know you&#8217;re going to use both types of connections, then feel free to copy both files and you can choose at the time of connection. However, I recommend picking one or the other &#8211; OpenVPN will pick up the single file and use it as the default connection if only one file is in the directory.<\/li>\n<\/ul>\n<\/li>\n<li>When you&#8217;re done, things should look like this:<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_19.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3251 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_19-300x159.png\" alt=\"\" width=\"300\" height=\"159\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_19-300x159.png 300w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_19.png 1024w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_19-150x80.png 150w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_19-400x213.png 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/li>\n<li>Open Windows File Explorer\n<ul>\n<li>Navigate to <strong>C:\\Users\\&lt;username&gt;\\Desktop\\keys<\/strong>.<strong>\u00a0<\/strong><\/li>\n<li>Move the files to\u00a0<strong>C:\\Program Files\\OpenVPN\\config<\/strong>.<\/li>\n<li>This is where OpenVPN will look for the files by default.<\/li>\n<\/ul>\n<\/li>\n<li>Finally, you may want to delete your &#8216;keys&#8217; directory from the Desktop.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Set the\u00a0OpenVPN client to run as Administrator.\n<ul>\n<li>Navigate in the Windows File Explorer to\u00a0<strong>C:\\Program 
Files\\OpenVPN\\bin\u00a0<\/strong><\/li>\n<li>Right click on the\u00a0<strong>openvpn-gui.exe<\/strong> and select\u00a0<span style=\"text-decoration: underline;\">Properties<\/span>.<\/li>\n<li>Go to the\u00a0<span style=\"text-decoration: underline;\">Compatibility<\/span> tab and tick &#8216;Run this program as administrator.&#8217;<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-31-20_11_29.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3243\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-31-20_11_29-300x294.png\" alt=\"2015-08-31 20_11_29\" width=\"300\" height=\"294\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-31-20_11_29-300x294.png 300w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-31-20_11_29.png 1024w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-31-20_11_29-150x147.png 150w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/08\/2015-08-31-20_11_29-400x392.png 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/li>\n<li>Click &#8216;OK&#8217;.<\/li>\n<\/ul>\n<\/li>\n<li>Launch the <b>OpenVPN <\/b>program\n<ul>\n<li>Go to the Start menu, find\u00a0<strong>OpenVPN<\/strong> <strong>GUI<\/strong>, and launch the program. 
It should ask you for elevated permission to launch.<\/li>\n<li>Once it starts, it places an icon in your task tray (in the lower, right hand corner of your screen)<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_39_49-.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3252\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_39_49--300x66.png\" alt=\"2015-09-01 18_39_49-\" width=\"300\" height=\"66\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_39_49--300x66.png 300w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_39_49--150x33.png 150w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_39_49--400x87.png 400w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-18_39_49-.png 696w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/li>\n<li>If you only have one <strong>.ovpn<\/strong> file in your <strong>config<\/strong>, you can double-click on this icon and it will open the connection. 
If it connects, you&#8217;ll get a notification that it has connected and the icon will go green.<br \/>\n<a href=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-21_40_39-.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3256 size-medium\" src=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-21_40_39--300x103.png\" alt=\"\" width=\"300\" height=\"103\" srcset=\"https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-21_40_39--300x103.png 300w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-21_40_39--150x51.png 150w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-21_40_39--400x137.png 400w, https:\/\/kmwoley.com\/blog\/wp-content\/uploads\/2015\/09\/2015-09-01-21_40_39-.png 940w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/li>\n<li>If you have two (or more) <strong>.ovpn<\/strong> files in your <strong>config\u00a0<\/strong>directory, you&#8217;ll have to right click and select which configuration to use.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p><em>Some Windows-specific settings:<br \/>\n<\/em>Sometimes Windows can be a pain. On at least one of my machines I&#8217;ve had to add the following to the end of my client configuration to get the connection to work properly:<\/p>\n<pre style=\"padding-left: 30px;\"># goes at the end of a Windows client.ovpn file\r\nroute-delay 5\r\nroute-method exe\r\nip-win32 netsh<\/pre>\n<p>Try adding the above if you get a &#8220;Warning: route gateway is not reachable on any active network adapters&#8221; when connecting from a Windows machine.<\/p>\n<h1>Debugging<\/h1>\n<p>If things go wrong, Google is your friend. I wrote these instructions in the hopes of saving others the time and effort it took me to get a good, secure configuration together. 
Both the OpenVPN forums and the Raspberry Pi forums are great resources for debugging.<\/p>\n<h1>Sources &amp; Resources<\/h1>\n<p>For reference, here are the various resources I used when figuring this out for myself:<\/p>\n<ul>\n<li><a href=\"https:\/\/openvpn.net\/index.php\/open-source\/documentation\/howto.html\" target=\"_blank\" rel=\"noopener noreferrer\">OpenVPN HOWTO<\/a><\/li>\n<li><a href=\"https:\/\/community.openvpn.net\/openvpn\/wiki\/Hardening\" target=\"_blank\" rel=\"noopener noreferrer\">Hardening (making things secure)<\/a><\/li>\n<li><a href=\"https:\/\/forums.openvpn.net\/topic11913.html\" target=\"_blank\" rel=\"noopener noreferrer\">Forum Discussion on finding the best cipher (encryption) settings<\/a><\/li>\n<li><a href=\"https:\/\/www.raspberrypi.org\/forums\/viewtopic.php?t=81657\" target=\"_blank\" rel=\"noopener noreferrer\">How to setup a Raspberry Pi VPN Server <\/a>&#8211; these were really great instructions, but were not exactly right to get the Android\/Windows machines to forward traffic correctly.<\/li>\n<li><a href=\"https:\/\/www.raspberrypi.org\/forums\/viewtopic.php?t=89216&amp;p=626393\" target=\"_blank\" rel=\"noopener noreferrer\">[howto] Install latest openvpn and easyrsa3 <\/a>&#8211; some generally good information about setting up the firewall\/iptables. You could follow these instructions to get the latest OpenVPN on your machine, since <strong>apt-get<\/strong> doesn&#8217;t always install the latest\u00a0version.<\/li>\n<li><a href=\"https:\/\/docs.openvpn.net\/docs\/openvpn-connect\/openvpn-connect-android-faq.html\" target=\"_blank\" rel=\"noopener noreferrer\">Making the Android Phone even more secure with the Android Keychain<\/a> &#8211; I followed these instructions for one of the phones and it worked well, but not sure how much I care. 
If I lose my phone, I&#8217;ll just delete all my keys and regenerate them.<\/li>\n<li><a href=\"https:\/\/torguard.net\/knowledgebase.php?action=displayarticle&amp;id=119\" target=\"_blank\" rel=\"noopener noreferrer\">TorGuard &#8211;\u00a0OpenVPN error: Warning: route gateway is not reachable on any active network adapters <\/a>&#8211; Helped me debug a Windows OpenVPN error.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>M and I have a great webcam setup for our home for the lil nugget &#8211; it&#8217;s a simple DLink webcam that costs less than $50. So much cheaper than an expensive, baby-specific monitor. We use a tablet and our phones to check in on the baby using this great app (tinyCam Monitor Pro) &#8211; &hellip; <a href=\"https:\/\/kmwoley.com\/blog\/raspberry-pi-openvpn-the-babys-webcam-secure-access-to-your-home-network\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Raspberry Pi + OpenVPN + the Baby&#8217;s Webcam &#8211; Secure Access to your Home 
Network<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6],"tags":[342,349,351,344,339,343,341,346,350,348,345,347,340],"class_list":["post-3214","post","type-post","status-publish","format-standard","hentry","category-geek","category-personal","tag-android","tag-es-file-explorer","tag-full-tunnel","tag-linux","tag-openvpn","tag-openvpn-connect","tag-raspberry-pi","tag-security","tag-split-tunnel","tag-tinycam-monitor","tag-tun","tag-vpn","tag-windows-10"],"_links":{"self":[{"href":"https:\/\/kmwoley.com\/blog\/wp-json\/wp\/v2\/posts\/3214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kmwoley.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kmwoley.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kmwoley.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kmwoley.com\/blog\/wp-json\/wp\/v2\/comments?post=3214"}],"version-history":[{"count":28,"href":"https:\/\/kmwoley.com\/blog\/wp-json\/wp\/v2\/posts\/3214\/revisions"}],"predecessor-version":[{"id":3317,"href":"https:\/\/kmwoley.com\/blog\/wp-json\/wp\/v2\/posts\/3214\/revisions\/3317"}],"wp:attachment":[{"href":"https:\/\/kmwoley.com\/blog\/wp-json\/wp\/v2\/media?parent=3214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kmwoley.com\/blog\/wp-json\/wp\/v2\/categories?post=3214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kmwoley.com\/blog\/wp-json\/wp\/v2\/tags?post=3214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}