OpenVPN on a Raspberry Pi and IPv6

project:

run openvpn for myself on my colocated raspberry and *drumroll* add ipv6 transport :)

manual is stolen from the fine people at n0where.net
https://n0where.net/openvpn-raspberry-pi/
This is the manual for running it on a Raspberry Pi 1B using Raspbian Wheezy.

Step 1

To be able to install the latest program versions we first update the package sources:

sudo apt-get update

Step 2

Now install OpenVPN and OpenSSL.

sudo apt-get install openvpn openssl

Step 3

Switch to the OpenVPN directory and copy the easy-rsa example scripts into it; we need them to build the CA and the certificates.

cd /etc/openvpn
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa

Step 4

Now open easy-rsa/vars with nano and replace the EASY_RSA line so it points at the absolute path (with the `pwd` version, `source vars` only works when run from inside the directory). The same file sets KEY_SIZE=1024; the server config in Step 8 expects dh1024.pem, so if you raise it to 2048 you also have to change the dh line there.

sudo nano easy-rsa/vars

replace

export EASY_RSA="`pwd`"

with

export EASY_RSA="/etc/openvpn/easy-rsa"

Step 5

Change into the easy-rsa directory, become root, load the variables and initialise the PKI (clean-all wipes the keys directory, so only run it on a fresh setup):

cd easy-rsa
sudo su
source vars
./clean-all
./pkitool --initca
ln -s openssl-1.0.0.cnf openssl.cnf

Step 6

Now we can generate the CA, the server certificate and a client certificate. After the first command you will be asked for the two-letter code of your country (US = USA, DE = Germany, AT = Austria, CH = Switzerland). All other prompts can simply be confirmed with Enter. Note that ./pkitool --initca in Step 5 already created a CA; ./build-ca runs the same step interactively and overwrites it, which is fine on a fresh setup.

./build-ca OpenVPN
./build-key-server server
./build-key client1

Step 7

Generating the Diffie-Hellman parameters is the slow part: it can take several minutes on a Pi 1 with the default KEY_SIZE=1024, and far longer with 2048.

./build-dh
exit

Step 8

Change back to /etc/openvpn and create the file openvpn.conf with the following content:

cd ..
sudo touch openvpn.conf
sudo nano openvpn.conf

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo

You can change the DNS servers to any DNS you like (OpenDNS?).

Step 9

Now set up internet forwarding (NAT) for the VPN clients. If your uplink is not an ethernet cable (e.g. Wifi) replace "eth0" with the name of your network device. The rule below masquerades all of 10.0.0.0/8; 10.8.0.0/24 would match exactly the VPN subnet configured in openvpn.conf.

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE

Step 10

To make forwarding survive a reboot, delete the "#" in front of net.ipv4.ip_forward=1 in /etc/sysctl.conf.

sudo nano /etc/sysctl.conf

Step 11

The iptables rule is not persistent, so it has to be re-added at boot from the crontab (ip_forward is already covered by sysctl.conf). Insert the following line at the end of the crontab file (replace "eth0" if you did above). It runs with sudo from the pi user's crontab, which works on Raspbian because pi has passwordless sudo; alternatively put it into root's crontab with sudo crontab -e and drop the sudo.

crontab -e

@reboot sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
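As an added example (not from the n0where tutorial), here is a small POSIX sh script that derives the NAT rule of Steps 9 and 11 from the "server" line of openvpn.conf, so the MASQUERADE rule matches exactly the VPN subnet instead of all of 10.0.0.0/8, and prints it in an idempotent "-C || -A" form that is safe to run from @reboot and by hand. The uplink interface name (eth0) is an assumption, nothing here needs root, and the sample config is constructed inline.

```sh
#!/bin/sh
# Added example, not part of the n0where tutorial: derive the NAT rule from
# the "server" directive in openvpn.conf so MASQUERADE matches exactly the VPN
# subnet (10.8.0.0/24) rather than all of 10.0.0.0/8. The functions only print
# the commands to run; nothing here needs root.

# mask2cidr NETMASK -> prefix length, e.g. 255.255.255.0 -> 24.
# Rejects non-contiguous masks such as 255.0.255.0.
mask2cidr() {
    bits=0
    seen_partial=0
    old_ifs=$IFS
    IFS=.
    for octet in $1; do
        if [ "$seen_partial" -eq 1 ] && [ "$octet" != 0 ]; then
            IFS=$old_ifs; return 1
        fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); seen_partial=1 ;;
            252) bits=$((bits + 6)); seen_partial=1 ;;
            248) bits=$((bits + 5)); seen_partial=1 ;;
            240) bits=$((bits + 4)); seen_partial=1 ;;
            224) bits=$((bits + 3)); seen_partial=1 ;;
            192) bits=$((bits + 2)); seen_partial=1 ;;
            128) bits=$((bits + 1)); seen_partial=1 ;;
            0)   seen_partial=1 ;;
            *)   IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "$bits"
}

# vpn_subnet_from_conf CONF -> "10.8.0.0/24", taken from "server NET MASK"
vpn_subnet_from_conf() {
    set -- $(grep -E '^[[:space:]]*server[[:space:]]' "$1" | head -n 1)
    [ "$#" -eq 3 ] || return 1
    cidr=$(mask2cidr "$3") || return 1
    echo "$2/$cidr"
}

# nat_rules CONF IFACE -> prints the forwarding and NAT commands.
# "iptables -C ... || iptables -A ..." only appends the rule when it is not
# already present, so repeated runs do not stack duplicate rules.
nat_rules() {
    net=$(vpn_subnet_from_conf "$1") || return 1
    iface=$2
    match="-s $net ! -d $net -o $iface -j MASQUERADE"
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -C POSTROUTING $match 2>/dev/null || iptables -t nat -A POSTROUTING $match"
}

# Constructed sample config carrying the "server" line from Step 8.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
EOF

# Prints the two commands for the assumed uplink eth0.
nat_rules "$sample_conf" eth0
```

Run it as `sh nat-rules.sh` to see the commands, or `sh nat-rules.sh | sudo sh` to apply them; the printed iptables line can replace the @reboot entry above unchanged.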

Step 12

Become root again and change to /etc/openvpn/easy-rsa/keys, where we create the file raspberrypi.ovpn with the following content. RASPBERRY-PI-IP should be replaced by the public IP address of your Pi or, if you are using a DynDNS service, by the given domain.

sudo su
cd /etc/openvpn/easy-rsa/keys
nano raspberrypi.ovpn

dev tun
client
proto udp
remote RASPBERRY-PI-IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

Step 13

Now bundle the files the client needs into a tarball, move it to /home/[user] and hand ownership to that user. The CA private key (ca.key) stays on the server: a client never needs it, and anyone holding it can issue certificates the server will trust. The .csr is not needed on the client either.

tar czf openvpn-keys.tgz ca.crt client1.crt client1.key raspberrypi.ovpn
mv openvpn-keys.tgz /home/[user]
chown [user]:[user] /home/[user]/openvpn-keys.tgz
exit

Step 14

Restart the OpenVPN daemon so it picks up openvpn.conf.

sudo /etc/init.d/openvpn restart

Finished!
Now import the certificates and the .ovpn file, enable LZO compression in the GNOME network-manager OpenVPN plugin, and it should work out of the box.

Interesting project: stop censorship and become unstoppable by running on TCP port 443 instead of UDP port 1194 (which is the default).

in /etc/openvpn/openvpn.conf change
proto udp
port 1194

to

proto tcp
port 443

Restart the openvpn daemon, make the same change in your .ovpn file (on your mobile/laptop) and to a port-based filter you look just like another HTTPS client :) Two caveats: this only fools filters that look at port numbers, since deep packet inspection can still recognise the OpenVPN handshake, and running the tunnel over TCP is noticeably slower than UDP.

In the mobile client the .ovpn file needs editing; in gnome-network-manager (whatever it is called) you set it up manually as a separate connection, e.g. named openvpn_TCP_443, with TCP and port 443 selected in the advanced options.
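As an added example (not from the n0where tutorial) covering both the client bundle of Steps 12 and 13 and the TCP/443 variant above, here is a POSIX sh function that writes a single-file client profile with ca.crt, the client certificate and the client key inlined in `<ca>`, `<cert>` and `<key>` blocks, so a phone or laptop imports one .ovpn and nothing has to be edited by hand. Protocol and port are parameters, so the same function produces the default udp/1194 profile and the tcp/443 one, and it never reads ca.key. The hostname vpn.example.org and the certificate contents in the demo are constructed placeholders, not real key material.

```sh
#!/bin/sh
# Added example, not part of the n0where tutorial: build a single-file .ovpn
# with the CA cert, client cert and client key inlined. ca.key is never read;
# the client must not receive the CA private key.

# easy-rsa 2.0 prepends a human-readable dump to .crt files; OpenVPN only
# needs the PEM block inside <ca>/<cert>, so extract just that.
pem_cert() { sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1"; }
pem_key()  { sed -n '/^-----BEGIN.*PRIVATE KEY-----/,/^-----END.*PRIVATE KEY-----/p' "$1"; }

# make_inline_ovpn KEYDIR CLIENT REMOTE PROTO PORT  -> profile on stdout
make_inline_ovpn() {
    keydir=$1; client=$2; remote=$3; proto=$4; port=$5
    case $proto in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp, got '$proto'" >&2; return 1 ;;
    esac
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -r "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto $proto
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
$(pem_cert "$keydir/ca.crt")
</ca>
<cert>
$(pem_cert "$keydir/$client.crt")
</cert>
<key>
$(pem_key "$keydir/$client.key")
</key>
EOF
}

# Demo with a constructed key directory. The PEM bodies are placeholders, not
# real certificates; ca.key is present only to show it is left out.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'Certificate:' '    Data: (text dump easy-rsa adds)' \
    '-----BEGIN CERTIFICATE-----' 'CA-CERT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$demo/ca.crt"
printf '%s\n' 'Certificate:' '    Data: (text dump easy-rsa adds)' \
    '-----BEGIN CERTIFICATE-----' 'CLIENT1-CERT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$demo/client1.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CLIENT1-KEY-PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$demo/client1.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CA-KEY-PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$demo/ca.key"

# The tcp/443 profile from the section above; swap in "udp 1194" for the default.
make_inline_ovpn "$demo" client1 vpn.example.org tcp 443 > "$demo/client1-tcp443.ovpn"
```

On the Pi you would call it as root with the real directory, e.g. `make_inline_ovpn /etc/openvpn/easy-rsa/keys client1 RASPBERRY-PI-IP udp 1194 > client1.ovpn`, and copy only that one file to the client; with the Wheezy package the server side still uses the separate ca/cert/key files from Step 8.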

now for the IPv6 part: (pending.. get your lazy ass to the hackspace and fix it already!)
sources:
https://community.openvpn.net/openvpn/wiki/IPv6
http://silmor.de/ipv6.openvpn.php
https://www.sparklabs.com/forum/viewtopic.php?t=1381
https://www.digitalocean.com/community/questions/openvpn-ipv6-works-only-in-local-network