Secure browsing via untrusted wifi networks using OpenVPN and the Raspberry Pi

27 January 2013 — 38 Comments

The Raspberry Pi can easily be setup as an OpenVPN server. One common feature is to access servers or services on the remote network. Another use case is to provide a secure connection when you’re not at home.

You can do this by sending all traffic over the VPN connection, instead of only traffic for the remote servers. The idea is to connect your laptop to your OpenVPN server (this is encrypted by default) and access the internet from there. Whatever you send over the wifi connection, is encrypted by the VPN and thus safe. In the comments on the previous post there was someone trying to set this up. To help him solve the issue, I tested this myself, and decided to write a post showing how to do it because I really like the idea.

This is how it looks like: you’re on a untrusted network (red) and create a safe VPN connection (green) and all traffic will flow over the green network, to the also trusted home network (lighter green). People on the red network now cannot see the sites you visit.

OpenVPN secure wifi browsing

Here’s how to set it up:

  1. Allow the OpenVPN server to route ip traffic
  2. Tell the default gw where to send traffic for OpenVPN clients
  3. Send DNS servers to the VPN Clients
  4. Configure the OpenVPN Client
  5. Test your setup

Allow the OpenVPN server to route ip traffic
First of all, you need to allow the OpenVPN server to route packets.

sudo vim /etc/sysctl.conf

Add this line, or alter it if it already exists:

net.ipv4.ip_forward = 1

Then activate the change:

sudo sysctl -p

The change is now activated, and persistent.

Tell the default gw where to send traffic for OpenVPN clients
Another important step is to tell the default gateway in the home network (lighter green) where to send traffic for theOpenVPN clients. If you omit this step, this traffic gets lost. More info in this post. Short story: add this static route to your default gateway. If it’s Linux, you’d run:

sudo route add -net 10.8.0.0/24 gw 10.5.5.5

Assuming 10.5.5.5 is the ip address of the OpenVPN server. When your router is not Linux, check the manual on howto add a static route.

Send DNS servers to the VPN clients
Most ISP’s restrict the usage of their DNS servers to their own network. When you connect to Wifi, you probably receive some DNS servers via DHCP. When you connect to VPN and then send all traffic through the VPN, you are effectively using the network (and internet connection) of your VPN server and not the local network. The DNS-servers you received via DHCP might not work because you access them from another network. To solve this, configure the OpenVPN server to push public DNS servers to use. Alternatively you can also push some local DNS servers or the DNS servers of your ISP.

sudo vim /etc/openvpn/server.conf

Add or edit these lines:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

These are Google’s public DNS servers. Just enter some DNS servers that work on the network of your OpenVPN server and that you are allowed to use.

Configure the OpenVPN client
I’m using Viscosity and all I have to do is enable a setting to send all traffic over the VPN connection.

viscosity_enable_all_traffic_over_vpn

Alternative way: It’s also possible to configure the ‘Send all traffic over VPN connection’ on the server-side instead of the client. Both has pros and cons, of course. To set it server-side set this option in the server config:

push "redirect-gateway def1"

Test your setup
The final step: test your setup! Make sure you’re connected through some other network than the one the OpenVPN server is in. Use some public Wifi service of connect over 3G. My iPhone can share its 3G connection and start a Wifi hotspot. My MacBook connects via Wifi, then does the OpenVPN connection to the Pi. The expected behavior is then to see the public ip address of the OpenVPN server’s internet connection, instead of the 3G ip address. Use a website like whatismyip.com to test this. Do this before connecting the VPN, and after. It should be different.

Enjoy your secure browsing experience!

38 responses to Secure browsing via untrusted wifi networks using OpenVPN and the Raspberry Pi

  1. 
    Nello Lucchesi 31 January 2013 at 03:24

    Thank you for the tutorial. I’d like to do the same thing on

    -Server: TomatoUSB w/ VPN
    http://tomato.groov.pl/?page_id=31

    -Client: Tunnelblick
    http://code.google.com/p/tunnelblick/

    Would you be able to give me a clue how to configure these GUIs?

    Thank you!

    • 

      For the server, look at the menu: VPN tunneling | OpenVPN server. There are multiple tabs with config settings. Never used this, but I assume you can find the needed settings there.

      For the client, Tunnelblick allows you to edit the config file, so you can simply add the lines you want. Although Tunnelblick proved to be very unstable to me. I’m using Viscosity instead.

  2. 
    Nello Lucchesi 31 January 2013 at 15:36

    It’s not clear to me how to do the first two steps with the TomatoUSB GUI:
    up:

    1. Allow the OpenVPN server to route ip traffic
    2. Tell the default gw where to send traffic for OpenVPN clients

    And it’s not clear to me what the OpenVPN Client configuration looks like given the Viscosity settings.

    • 

      Since you use a router device for VPN you probably do not to do anything to make it do routing. It is enabled automatically. I also expect it to add a static route automatically.

      It’s probably easiest to find a manual and follow that. I am not familiar with the device but since it is just OpenVPN with a GUI I’m sure it can be done.

      Good luck!

      • 
        Nello Lucchesi 5 February 2013 at 21:13

        I’m using TomatoUSB w/ OpenVPN, trying to follow a recipe from Jan Just Keijser’s book, OpenVPN Cookbook. My server configuration file and the log from starting it up are below.

        Is the OpenVPN server starting correctly?

        It all looks reasonable to me except this line:

        Feb 4 13:35:08 router daemon.err openvpn[2642]: event_wait : Interrupted system call (code=4)

        I don’t know what it means and I have no idea how to fix it if it’s a probem.

        Thank you for taking a look.

        – nello

        OpenVPN Server Configuration Created by TomatoUSB GUI

        root@router:/tmp/home/root# cat /etc/openvpn/server2/config.ovpn
        # Automatically generated configuration
        daemon
        server 192.168.200.0 255.255.255.0
        proto udp
        port 1194
        dev tun22
        comp-lzo adaptive
        keepalive 15 60
        verb 3
        push "redirect-gateway def1"
        tls-auth static.key 0
        ca ca.crt
        dh dh.pem
        cert server.crt
        key server.key
        status-version 2
        status status
        # Custom Configuration
        push "route 10.198.0.0 255.255.0.0"
        user nobody
        group nobody
        persist-key
        persist-tun

        Starting OpenVPN from TomatoUSB GUI

        root@router:/tmp/home/root# cat /tmp/var/log/messages
        Feb 4 13:35:03 router user.info kernel: tun: Universal TUN/TAP device driver, 1.6
        Feb 4 13:35:03 router user.info kernel: tun: (C) 1999-2004 Max Krasnyansky
        Feb 4 13:35:03 router user.info kernel: device tun22 entered promiscuous mode
        Feb 4 13:35:03 router daemon.notice openvpn[2633]: OpenVPN 2.2.2 mipsel-linux [SSL] [LZO2] [EPOLL] built on Oct 20 2012
        Feb 4 13:35:03 router daemon.warn openvpn[2633]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: Diffie-Hellman initialized with 2048 bit key
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: Socket Buffers: R=[112640->131072] S=[112640->131072]
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: TUN/TAP device tun22 opened
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: TUN/TAP TX queue length set to 100
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: /sbin/ifconfig tun22 192.168.200.1 pointopoint 192.168.200.2 mtu 1500
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: /sbin/route add -net 192.168.200.0 netmask 255.255.255.0 gw 192.168.200.2
        Feb 4 13:35:05 router daemon.notice openvpn[2633]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
        Feb 4 13:35:05 router daemon.notice openvpn[2642]: GID set to nobody
        Feb 4 13:35:05 router daemon.notice openvpn[2642]: UID set to nobody
        Feb 4 13:35:05 router daemon.notice openvpn[2642]: UDPv4 link local (bound): [undef]:1194
        Feb 4 13:35:05 router daemon.notice openvpn[2642]: UDPv4 link remote: [undef]
        Feb 4 13:35:05 router daemon.notice openvpn[2642]: MULTI: multi_init called, r=256 v=256
        Feb 4 13:35:05 router daemon.notice openvpn[2642]: IFCONFIG POOL: base=192.168.200.4 size=62
        Feb 4 13:35:05 router daemon.notice openvpn[2642]: Initialization Sequence Completed
        Feb 4 13:35:08 router daemon.err openvpn[2642]: event_wait : Interrupted system call (code=4)
        Feb 4 13:35:08 router daemon.notice openvpn[2642]: TITLE,OpenVPN 2.2.2 mipsel-linux [SSL] [LZO2] [EPOLL] built on Oct 20 2012
        Feb 4 13:35:08 router daemon.notice openvpn[2642]: TIME,Mon Feb 4 13:35:08 2013,1360006508
        Feb 4 13:35:08 router daemon.notice openvpn[2642]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
        Feb 4 13:35:08 router daemon.notice openvpn[2642]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
        Feb 4 13:35:08 router daemon.notice openvpn[2642]: GLOBAL_STATS,Max bcast/mcast queue length,0
        Feb 4 13:35:08 router daemon.notice openvpn[2642]: END

      • 

        Hi Nello,

        It’s not an error that looks too serious on its own. Is there any other error message? What happens when you try to connect a client? Does it work, or log any errors?

        What exactly isn’t working and what did you try?

        As I do not have such a device of my own I cannot test nor debug it. I’ve also read that some bugs are fixed and you need to run the latest firmware.

      • 
        Nello Lucchesi 5 February 2013 at 22:04

        When I tried to connect with a client I always get an error that the TLS handshake is not completed within 60 seconds. (See my Tunnelblick connection log below).

        I interpret this to mean that I have a connectivity problem.

        So, I tried working backwards:

        1. Is the service started? You say ‘yes’.

        2. What IP/port is listening for a connection? I thought 192.168.200.1 on port 1194; is that correct?

        3. Is that IP/port blocked by a firewall? I have a port forwarding rule to forward both UDP/TCP received from any IP on port 1194 to 192.168.200.1 on port 1194. Is there a way to test that it’s working?

        Does this analysis seem correct?

        See below for client information.

        I’m running Tunnelblick on the LAN, behind my router; my Mac’s IP is 10.10.49.134; the router’s internal IP is 10.10.49.1; is there a routing problem from my 10.10… IP to the VPN service on my router if it’s 192.168… ? Do I need to change the VPN service to be on 10.10… too?

        I’m at my wit’s end and you are the only person responding to my posts. I really appreciate your help.

        Thank you.

        – nello


        OpenVPN Client Configuration
        # Specify that we are a client and that we
        # will be pulling certain config file directives
        # from the server.
        client
        proto udp
        remote 192.168.200.1
        port 1194
        dev tun
        nobind

        # SSL/TLS parms.
        ca ca.crt
        cert nello.crt
        key nello.key
        ns-cert-type server

        # tls-auth key is used on the server
        tls-auth ta.key 1

        # Downgrade privileges after initialization (non-Windows only)
        ;user nobody
        ;group nobody

        # Try to preserve some state across restarts.
        persist-key
        persist-tun

        # Select a cryptographic cipher.
        ;cipher x

        # Enable compression on the VPN link.
        comp-lzo

        # Log file verbosity.
        #
        # 0 is silent, except for fatal errors
        # 4 is reasonable for general usage
        # 5 and 6 can help to debug connection problems
        # 9 is extremely verbose
        verb 6

        # Silence repeating messages
        mute 5

        # Silence duplicate packet warnings
        mute-replay-warnings

        Tunnelblick Connection Log

        2013-02-05 14:52:03 *Tunnelblick: OS X 10.8.2; Tunnelblick 3.3beta32 (build 3183)
        2013-02-05 14:52:03 *Tunnelblick: Attempting connection with VPN Client Config using shadow copy; Set nameserver = 1; monitoring connection
        2013-02-05 14:52:03 *Tunnelblick: openvpnstart start VPN\ Client\ Config.tblk 1337 1 0 1 0 370 -atADGNWradsgnw
        2013-02-05 14:52:03 *Tunnelblick: openvpnstart log:
        Loading tap.kext

        OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

        /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn
        --cd
        /Library/Application Support/Tunnelblick/Users/nello/VPN Client Config.tblk/Contents/Resources
        --daemon
        --management
        127.0.0.1
        1337
        --config
        /Library/Application Support/Tunnelblick/Users/nello/VPN Client Config.tblk/Contents/Resources/config.ovpn
        --log
        /Library/Application Support/Tunnelblick/Logs/-SUsers-Snello-SLibrary-SApplication Support-STunnelblick-SConfigurations-SVPN Client Config.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_370.1337.openvpn.log
        --management-query-passwords
        --management-hold
        --script-security
        2
        --up
        /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw
        --down
        /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw
        --up-restart

        2013-02-05 14:52:03 *Tunnelblick: Established communication with OpenVPN
        2013-02-05 14:52:03 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Oct 20 2012
        2013-02-05 14:52:03 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
        2013-02-05 14:52:03 Need hold release from management interface, waiting...
        2013-02-05 14:52:03 MANAGEMENT: Client connected from 127.0.0.1:1337
        2013-02-05 14:52:03 MANAGEMENT: CMD 'pid'
        2013-02-05 14:52:03 MANAGEMENT: CMD 'state on'
        2013-02-05 14:52:03 MANAGEMENT: CMD 'state'
        2013-02-05 14:52:03 MANAGEMENT: CMD 'bytecount 1'
        2013-02-05 14:52:03 MANAGEMENT: CMD 'hold release'
        2013-02-05 14:52:03 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        2013-02-05 14:52:03 LZO compression initialized
        2013-02-05 14:52:03 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
        2013-02-05 14:52:03 Socket Buffers: R=[196724->65536] S=[9216->65536]
        2013-02-05 14:52:03 MANAGEMENT: >STATE:1360097523,RESOLVE,,,
        2013-02-05 14:52:03 *Tunnelblick: openvpnstart starting OpenVPN:
        * /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Library/Application Support/Tunnelblick/Users/nello/VPN Client Config.tblk/Contents/Resources --daemon --management 127.0.0.1 1337 --config /Library/Application Support/Tunnelblick/Users/nello/VPN Client Config.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Snello-SLibrary-SApplication Support-STunnelblick-SConfigurations-SVPN Client Config.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_370.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw --up-restart
        2013-02-05 14:52:04 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
        2013-02-05 14:52:04 Local Options hash (VER=V4): 'd79ca330'
        2013-02-05 14:52:04 Expected Remote Options hash (VER=V4): 'f7df56b8'
        2013-02-05 14:52:04 UDPv4 link local: [undef]
        2013-02-05 14:52:04 UDPv4 link remote: 99.31.123.157:443
        2013-02-05 14:52:04 MANAGEMENT: >STATE:1360097524,WAIT,,,
        2013-02-05 14:53:04 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        2013-02-05 14:53:04 TLS Error: TLS handshake failed
        2013-02-05 14:53:04 TCP/UDP: Closing socket

      • 

        I will look into this more closely tomorrow. For now: could you try setting up the connection from outside your normal network? I suspect this is why it does not work.

        Try from some public wifi, the neighbor’s home or 3G (with an iPhone or similar) and connect to your public ip on the VPN port. If it does not work, please send those logs as well.

        Could you also provide a (simple) network drawing explaining how everything is connected?

      • 

        Hi Nello, did you have a chance to look at my previous questions? That will help me figure out what’s wrong. Thx!

  3. 

    Remi please can you help me, openvpn is driving me wild.

    You are the only tutorial I could find that actually makes perfect sense.

    I can connect to the openvpn server but can’t seem to browse the internet. No traffic passes through.

    I have a pretty standard setup, here is ifconfig tun0:

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:516 errors:0 dropped:0 overruns:0 frame:0
    TX packets:99 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:39910 (38.9 KiB) TX bytes:9858 (9.6 KiB)

    Here is my the output of netstat -rn:

    13:09:17 $ netstat -rn
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
    10.8.0.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
    10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
    10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

    My client config is as follows:

    client1
    dev tun
    proto tcp
    remote *external_ip* 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    comp-lzo
    pull dhcp-options

    My server config is:

    port 443
    proto tcp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key # This file should be kept secret
    dh dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

    and finally the internal ip of my vpn server is 192.168.1.68

    • 

      Hi Mat,

      You probably need to add this line to the server config, to push the route to the vpn clients:

      push "route 192.168.1.0 255.255.255.0"

      Also, make sure the 192.168.1.254 router knows the route back to the 10.8.0.0/24 network by adding a route to 192.168.1.68. You probably need to add a static route somewhere in the web interface.

      Final thing to check, make sure the firewall allows the traffic you want. Turn the firewall off to see if that works. If it does, tweak it to allow what you want.

      I’ve written three posts about this, when you search on OpenVPN you can browse them all to see some more examples.

      Let me know if this helps or whether you need more help!

      • 
        Nello Lucchesi 7 February 2013 at 00:26

        It is working!!!

        You were right that I had to be outside my firewall.

        I do have a few warnings though.

        Could you read through the log and suggest any improvements?

        Thank you!

        – nello


        2013-02-06 17:12:27 *Tunnelblick: OS X 10.8.2; Tunnelblick 3.3beta32 (build 3183)
        2013-02-06 17:12:27 *Tunnelblick: Attempting connection with TLS Config using shadow copy; Set nameserver = 0; not monitoring connection
        2013-02-06 17:12:27 *Tunnelblick: openvpnstart start TLS\ Config.tblk 1337 0 0 1 1 305 -atADGNWradsgnw
        2013-02-06 17:12:28 *Tunnelblick: openvpnstart log:
        Loading tun.kext

        OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

        /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn
        --cd
        /Library/Application Support/Tunnelblick/Users/nello/TLS Config.tblk/Contents/Resources
        --daemon
        --management
        127.0.0.1
        1337
        --config
        /Library/Application Support/Tunnelblick/Users/nello/TLS Config.tblk/Contents/Resources/config.ovpn
        --log
        /Library/Application Support/Tunnelblick/Logs/-SUsers-Snello-SLibrary-SApplication Support-STunnelblick-SConfigurations-STLS Config.tblk-SContents-SResources-Sconfig.ovpn.0_0_1_1_305.1337.openvpn.log
        --management-query-passwords
        --management-hold
        --script-security
        2

        2013-02-06 17:12:28 *Tunnelblick: Established communication with OpenVPN
        2013-02-06 17:12:28 us=51262 Current Parameter Settings:
        2013-02-06 17:12:28 us=51603 config = '/Library/Application Support/Tunnelblick/Users/nello/TLS Config.tblk/Contents/Resources/config.ovpn'
        2013-02-06 17:12:28 us=51614 mode = 0
        2013-02-06 17:12:28 us=51622 show_ciphers = DISABLED
        2013-02-06 17:12:28 us=51630 show_digests = DISABLED
        2013-02-06 17:12:28 us=51637 NOTE: --mute triggered...
        2013-02-06 17:12:28 us=51655 255 variation(s) on previous 5 message(s) suppressed by --mute
        2013-02-06 17:12:28 us=51665 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Oct 20 2012
        2013-02-06 17:12:28 us=51790 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
        2013-02-06 17:12:28 us=57425 Need hold release from management interface, waiting...
        2013-02-06 17:12:28 us=170179 MANAGEMENT: Client connected from 127.0.0.1:1337
        2013-02-06 17:12:28 us=193148 MANAGEMENT: CMD 'pid'
        2013-02-06 17:12:28 us=193319 MANAGEMENT: CMD 'state on'
        2013-02-06 17:12:28 us=193434 MANAGEMENT: CMD 'state'
        2013-02-06 17:12:28 us=193559 MANAGEMENT: CMD 'bytecount 1'
        2013-02-06 17:12:28 us=193680 MANAGEMENT: CMD 'hold release'
        2013-02-06 17:12:28 us=194013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
        2013-02-06 17:12:28 us=194109 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        2013-02-06 17:12:28 us=197891 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
        2013-02-06 17:12:28 us=198041 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        2013-02-06 17:12:28 us=198136 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        2013-02-06 17:12:28 us=198256 LZO compression initialized
        2013-02-06 17:12:28 us=198489 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
        2013-02-06 17:12:28 us=198653 Socket Buffers: R=[196724->65536] S=[9216->65536]
        2013-02-06 17:12:28 us=198763 MANAGEMENT: >STATE:1360192348,RESOLVE,,,
        2013-02-06 17:12:28 us=296005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
        2013-02-06 17:12:28 us=296186 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
        2013-02-06 17:12:28 us=296286 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
        2013-02-06 17:12:28 us=296376 Local Options hash (VER=V4): '504e774e'
        2013-02-06 17:12:28 us=296459 Expected Remote Options hash (VER=V4): '14168603'
        2013-02-06 17:12:28 us=296535 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
        2013-02-06 17:12:28 us=296617 UDPv4 link local: [undef]
        2013-02-06 17:12:28 us=296694 UDPv4 link remote: :443
        2013-02-06 17:12:28 us=296792 MANAGEMENT: >STATE:1360192348,WAIT,,,
        RWed Feb 6 17:12:28 2013 us=403875 MANAGEMENT: >STATE:1360192348,AUTH,,,
        2013-02-06 17:12:28 us=404042 TLS: Initial packet from :443, sid=c0206280 1ab42cc2
        RWRWRWRWed Feb 6 17:12:29 2013 us=613197 Replay-window backtrack occurred [2]
        RWRWRWRWRWRWRWRWed Feb 6 17:12:30 2013 us=236383 VERIFY OK: depth=1,
        2013-02-06 17:12:30 us=237082 VERIFY OK: nsCertType=SERVER
        2013-02-06 17:12:30 us=237178 VERIFY X509NAME OK:
        2013-02-06 17:12:30 us=237255 VERIFY OK: depth=0,
        RWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWRRRRWRWed Feb 6 17:12:32 2013 us=696030 NOTE: Options consistency check may be skewed by version differences
        2013-02-06 17:12:32 us=696253 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
        2013-02-06 17:12:32 us=696421 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
        2013-02-06 17:12:32 us=696583 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1542'
        2013-02-06 17:12:32 us=696741 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
        2013-02-06 17:12:32 us=696888 NOTE: --mute triggered...
        2013-02-06 17:12:32 us=697321 9 variation(s) on previous 5 message(s) suppressed by --mute
        2013-02-06 17:12:32 us=697479 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
        2013-02-06 17:12:32 us=697638 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        2013-02-06 17:12:32 us=697861 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
        2013-02-06 17:12:32 us=698019 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        WWed Feb 6 17:12:32 2013 us=698285 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
        2013-02-06 17:12:32 us=698474 [October-Group-VPN] Peer Connection Initiated with :443
        RWed Feb 6 17:12:33 2013 us=201563 MANAGEMENT: >STATE:1360192353,GET_CONFIG,,,
        2013-02-06 17:12:34 us=375369 SENT CONTROL [October-Group-VPN]: 'PUSH_REQUEST' (status=1)
        2013-02-06 17:12:34 us=491530 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.10.50.0 255.255.0.0,route 10.10.50.1,topology net30,ping 15,ping-restart 60,ifconfig 10.10.50.6 10.10.50.5'
        2013-02-06 17:12:34 us=491756 OPTIONS IMPORT: timers and/or timeouts modified
        2013-02-06 17:12:34 us=491853 OPTIONS IMPORT: --ifconfig/up options modified
        2013-02-06 17:12:34 us=491943 OPTIONS IMPORT: route options modified
        2013-02-06 17:12:34 us=492154 ROUTE default_gateway=192.168.101.1
        2013-02-06 17:12:34 us=492433 TUN/TAP device /dev/tun0 opened
        2013-02-06 17:12:34 us=492531 MANAGEMENT: >STATE:1360192354,ASSIGN_IP,,10.10.50.6,
        2013-02-06 17:12:34 us=492639 /sbin/ifconfig tun0 delete
        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
        2013-02-06 17:12:34 us=498556 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
        2013-02-06 17:12:34 us=498753 /sbin/ifconfig tun0 10.10.50.6 10.10.50.5 mtu 1500 netmask 255.255.255.255 up
        2013-02-06 17:12:34 us=503706 /sbin/route add -net 192.168.101.1 255.255.255.255
        add net : gateway 192.168.101.1
        2013-02-06 17:12:34 us=507376 /sbin/route add -net 0.0.0.0 10.10.50.5 128.0.0.0
        add net 0.0.0.0: gateway 10.10.50.5
        2013-02-06 17:12:34 us=509669 /sbin/route add -net 128.0.0.0 10.10.50.5 128.0.0.0
        add net 128.0.0.0: gateway 10.10.50.5
        2013-02-06 17:12:34 us=511751 MANAGEMENT: >STATE:1360192354,ADD_ROUTES,,,
        2013-02-06 17:12:34 us=511962 /sbin/route add -net 10.10.50.0 10.10.50.5 255.255.0.0
        add net 10.10.50.0: gateway 10.10.50.5
        2013-02-06 17:12:34 us=514896 /sbin/route add -net 10.10.50.1 10.10.50.5 255.255.255.255
        add net 10.10.50.1: gateway 10.10.50.5
        2013-02-06 17:12:34 us=519574 GID set to nobody
        2013-02-06 17:12:34 us=519757 UID set to nobody
        2013-02-06 17:12:34 us=519858 Initialization Sequence Completed
        2013-02-06 17:12:34 us=519978 MANAGEMENT: >STATE:1360192354,CONNECTED,SUCCESS,10.10.50.6,
        2013-02-06 17:12:40 *Tunnelblick: This computer's apparent public IP address changed from 50.76.81.125 before connection to after connection
        2013-02-06 17:14:26 *Tunnelblick: Disconnecting; 'disconnect' button pressed
        2013-02-06 17:14:26 *Tunnelblick: Disconnecting using 'killall'
        2013-02-06 17:14:26 us=310834 event_wait : Interrupted system call (code=4)
        2013-02-06 17:14:26 us=311443 TCP/UDP: Closing socket
        2013-02-06 17:14:26 us=311623 /sbin/route delete -net 10.10.50.1 10.10.50.5 255.255.255.255
        route: must be root to alter routing table
        2013-02-06 17:14:26 us=315519 ERROR: OS X route delete command failed: external program exited with error status: 77
        2013-02-06 17:14:26 us=315736 /sbin/route delete -net 10.10.50.0 10.10.50.5 255.255.0.0
        route: must be root to alter routing table
        2013-02-06 17:14:26 us=318596 ERROR: OS X route delete command failed: external program exited with error status: 77
        2013-02-06 17:14:26 us=318750 /sbin/route delete -net 192.168.101.1 255.255.255.255
        route: must be root to alter routing table
        2013-02-06 17:14:26 us=321549 ERROR: OS X route delete command failed: external program exited with error status: 77
        2013-02-06 17:14:26 us=321710 /sbin/route delete -net 0.0.0.0 10.10.50.5 128.0.0.0
        route: must be root to alter routing table
        2013-02-06 17:14:26 us=324686 ERROR: OS X route delete command failed: external program exited with error status: 77
        2013-02-06 17:14:26 us=324920 /sbin/route delete -net 128.0.0.0 10.10.50.5 128.0.0.0
        route: must be root to alter routing table
        2013-02-06 17:14:26 us=327484 ERROR: OS X route delete command failed: external program exited with error status: 77
        2013-02-06 17:14:26 us=327618 Closing TUN/TAP interface
        2013-02-06 17:14:26 us=328040 SIGTERM[hard,] received, process exiting
        2013-02-06 17:14:26 us=328167 MANAGEMENT: >STATE:1360192466,EXITING,SIGTERM,,

      • 

        That’s cool!

        The warnings are about differences in the client and server config. You specify some options in the client vpn config, that are not properly set on the server. It isn’t a big deal, you can either remove them from the client or add the right ones to the server as well.

      • 

        Hi Remi

        Many thanks, it did help a little, I have read your other posts too before asking anything else so I’m not repeating anything you’ve already posted about.

        Just one last question, I’ve turned off the firewall completely. The only obstacle I have is that I currently have a bthomehub2 which doesn’t support static routes.

        Does this mean openvpn is an impossibility?

        It connects fine internally and browses the internet, however when I use my phone as a hotspot to simulate a remote connection, the vpn client connects but no internet browsing ability.

        I’ve port forwarded all traffic on 443 to the raspberry pi openvpn server and added the route like you said to server.conf. I’m just under the impression that perhaps the traffic is getting lost due to the lack of a static route.

      • 

        Hi Mat,

        Feel free to ask questions when something is not clear!

        I think you’re right. Without a static route, your router does not know what to do with the 10.8.0.0/24 OpenVPN network. Traffic will be sent to the default gateway where it is dropped.

        If you cannot add a static route, you can use a small trick to get it to work. You use iptable’s MASQUERADE (NAT) function, to translate your OpenVPN network (probably 10.8.0.0/24) to the address of the Pi on your local network. All hosts on your local network, then ‘see’ the OpenVPN clients as if it was the Pi. While this might not be ideal, it at least makes things work because this way you no longer need the static route.

        Run this command on the Pi, and test again with your phone:
        sudo iptables -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

        Let me know if this solves your problem! If it does, we’ll need to create something that runs this command when the Pi boots because it is not persistent like this.

      • 

        Hi Remi

        Thanks so much, your solution has ended 2 months of frustration for me, it certainly did work with masquerade. However, initially I with your command I was getting a response of:

        11:04:06 $ sudo iptables -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
        iptables: No chain/target/match by that name.

        So after a little more research I thought it might be because of the iptables_nat module not being loaded or even perhaps masquerade. A quick:

        lsmod | grep ip

        Solved that by telling me that these were indeed loaded. So digging further into the error that I originally got back, I was able to find I was missing a little part and run your suggestion by adding -t nat to the start of the command as follows:

        sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

        This succeeded without errors and after connecting via my phone hotspot, I got my home network ip and was able to browse the internet.

        Tunnelblick seems to be stuck on *Tunnelblick: openvpnstart: etc etc.

        Viscosity seems a little more polished and works without errors, so I think I will stick with that.

        As per your previous post, is there something I could do to ensure this is persistent when I reboot the pi?

        I can’t thank you enough for your help.

      • 

        Hi Mat,

        Sorry, I posted that too quick I guess.. well done you figured it out 🙂

        Using ‘iptables-save’ and ‘iptables-restore’ you can save and restore the iptables rules. In the past, I found it to work best to create a small shell script and place it in ‘/etc/network/if-pre-up.d’. Just before the network interface is brought up, the iptables rules will be restored. The idea is to do the same when the interface goes down (use the ‘/etc/network/if-post-down.d’ folder to place the script in). Using these thechniques, you can create something and have fine control over it.

        However, I recently heard about a tool called ‘iptables-persistent’ that makes life easier. Here’s the description:

        iptables-persistent - boot-time loader for iptables rules:
        Current iptables rules can be saved to the configuration file /etc/iptables/rules.v4. These rules will then be loaded automatically during system startup.

        Sounds like what we want :-). Now, all you have to do is:
        sudo apt-get install iptables-persistent

        During install, the program asks to save both ipv4 and ipv6 iptables rules. Do you need to make changes later on, you need to save them before this package restores them. This is how:

        iptables-save > /etc/iptables/rules.v4

        About Tunnelblick, I’ve used it for years, and it has been great, but since Mountain Lion it doesn’t work too well for me. I switched to Viscosity last summer and I really like it. Well worth the $9 if you ask me!

        Have fun and take care!

  4. 

    Would you consider adding a tutorial on certificate revocation as it applies to OpenVPN?

  5. 

    I used OpenVPN in bridged mode, i.e:
    # Trying to use the DHCP server itself so all the routing mess is left off
    server-bridge 192.168.1.1 255.255.255.0 192.168.1.221 192.168.1.231

    Of course I did the rest as well (summarizing):
    # The routes given to other private subnets
    push “route add -net 192.168.1.1 netmask 255.255.255.0 dev tap0” # IP and SUBNET of local network
    # Unknown if this will work, but the router is the real DNS anyway
    push “dhcp-option DNS 192.168.1.1”

    Then, isn’t the following true and simple in my setup?
    # If enabled, this directive will configure
    # all clients to redirect their default
    # network gateway through the VPN
    push “redirect-gateway”

    • 

      Hi,

      I’d suggest changing
      push “redirect-gateway”

      to

      push “redirect-gateway def1”

      This keeps the local network reachable (for example the DHCP server).

  6. 

    Hi Remi,
    As others have noted, your post is probably the most sensible and nicely written on to explain the intricacies of setting up OpenVPN for secure browsing. Unfortunately, I managed to mess it up, and now I must also come to you for assistance on this matter. 🙂

    My situation is a bit unique in the sense that I have an OpenVPN server in the form of an old Router running TomatoUSB VPN sitting behind a standard router.
    The Tomato VPN server is configured with a static IP 192.168.1.2 as a client of my primary router on 192.168.1.1. It has DHCP disabled, and it’s wifi off.

    The openVPN is configured with a PKI cert and I have a client which is able to connect from within the LAN, however once connected, none of the internet traffic from the VPN client goes anywhere. I believe I probably need to somehow tell the VPN to push traffic from the VPN clients to 192.168.1.1 but I’m not exactly sure how.

    I have the following entries in my server configuration:

    push “redirect-gateway def1”
    push “route 192.168.1.0 255.255.255.0”

    Thanks to the tomato firmware I have decent control over the routes defined on the Tomato router, but the primary router is not so accessible.

    Thanks,
    Ed

    • 

      Hi Ed,

      Glad you like the posts 🙂 I think you need to tell the real router in your network (192.168.1.1) about the network of the OpenVPN clients. Right now, the router does not know where to send this traffic to.

      You should route the 10.8.0.0/24 network (OpenVPN clients) to 192.168.1.2 (OpenVPN server). Depending on the router, this has to be done in a GUI or on the command line. Let me know if you need help setting this up.

      I suppose it will work once you do this. If it doesn’t, tell me what goes wrong, what error you’ve got etc and I’ll do my best to help!

  7. 

    Mr. Bergsma,

    Good afternoon. I’m fascinated with this capability and have endeavored to mimic it. However, I have one significant difference. I’d like to have my linux box which sits behind my router/firewall both function as the OpenVPN server and route the packets via tunnel appropriately through my LAN router. I.e., I have a router that must run NAT without any static routes installed – that is, unless, you know how to setup static routes and NAT on the same router (Engenius 9250) – I have to disable NAT to enable static routing on the router.

    Here’s my private network provided by the router: 10.66.77.0/24. Gateway address: 10.66.77.1.
    Here’s my OpenVPN network on the linux box: 10.8.0.0/24. Linux server on LAN is 10.66.77.4, IP for OpenVPN on Linux is: 10.8.0.1.

    I have successfully connected from my IOS devices (using Guizmopenvpn on jailbroken iphone/ipad – works great!). I.e., I can ping the openvpn server once connected (tested over 3G connection), but, as you would expect, I can not browse through the router to the Internet because the packets aren’t getting out.

    I performed both the “sysctl -p” and “sudo route add -net 10.8.0.0/24 gw 10.66.77.1” commands plus pushed the DNS servers in the server.conf.

    Again – pretty sure its a routing issue. Any ideas of HOWTO?

    Thank you,
    Dane

  8. 

    Update 1: I read a bit more on this post and performed the following actions from the linux openvpn server:

    1. sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    2. Apt-get install iptables-persistent did not work (apparently that file is no longer available?) so I added it to a file: /etc/network/if-up.d which executes iptables-restore < /etc/firewall.conf

    Now I can connect over 3G (to test) and authenticate with my openvpn server and ping the router. However, browsing still does not work.

    Any ideas on what I am leaving out?

    – thanks
    Dane

  9. 

    I’m curious about this comment:

    It’s also possible to configure the ‘Send all traffic over VPN connection’ on the server-side instead of the client. Both has pros and cons, of course.

    Would you please expand on the advantages and disadvantages of these two techniques of routing DNS traffic:

    push “redirect-gateway def1”

    versus

    push “dhcp-option DNS 8.8.8.8”

    Presumably, redirecting DNS traffic through the VPN is more secure because there’s no DNS linkage. But, as I understand, it prevents a DHCP lease renewal and therefore may result in loss of the local connection.

    If I’ve understood the tradeoff correctly, then is there anyway to maintain a connection to the local DHCP server and yet restrict all but renewal requests from routing to it?

    Finally, what happens if both re-direct and push dhcp-option are specified as shown below?

    Thank you for your help.

    – nello

    Tomato v1.28.0000 MIPSR2-102 K26 USB AIO

    # Automatically generated configuration
    daemon
    server 10.10.50.0 255.255.255.0
    proto udp
    port 443
    dev tun22
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push “route 10.10.49.0 255.255.255.0”
    push “dhcp-option DOMAIN OctoberGroup.local”
    push “dhcp-option DNS 10.10.49.1”
    push “redirect-gateway def1”
    tls-auth static.key 0
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status
    # Custom Configuration
    push “route 10.10.50.0 255.255.0.0”
    user nobody
    group nobody
    persist-key
    persist-tun
    ping-timer-rem
    verb 3

    # Client Configuration
    client
    proto udp
    remote 443
    dev tun
    nobind
    ca ca.crt
    cert nello.crt
    key nello.key
    ns-cert-type server
    tls-remote October-Group-VPN
    tls-auth ta.key 1
    user nobody
    group nobody
    persist-key
    persist-tun
    comp-lzo
    verb 6
    mute 10
    mute-replay-warnings

  10. 

    Remi:

    I using a Raspberry PI and your instructions. Thanks to you I am 97.3% successful.

    From my iPhone I can connect into the RasPI via OpenVPN. I can even launch a VNC terminal from my iPhone to see the RasPI in all it’s color GUI glory and run programs.

    I CANNOT, however, get the the chrome browser on the iPhone to connect to a webpage (ex: whatismyip.com). At first I thought is may be the DNS setup, but I tried to go to google.com via a direct IP (http://74.125.224.72/) and still could not connect to the website.

    Any hints?

    Many thanks!

    • 

      Hi!

      This sounds like a routing issue.

      Did you enable routing on the Pi? See the part about the sysctl setting ‘net.ipv4.ip_forward’.

      Remi

      • 

        Remi:

        Is it possible my keys ‘expired’? Just a thought on why my VPN connection may be failing. I generated them some time ago with the method you described.

      • 

        Remi:

        Okay. Back on track from the 2-3 comments right above this.

        My keys are good. For reasons unknown to me
        sudo /etc/init.d/openvpn start
        would not run the VPN. I had to point to the conf file with:
        sudo openvpn –config server.conf

        Not sure why, but maybe that isn’t important anyway (?). Connecting via the RasPI VPN is solid again and I’m back on trying to get a browser allow web surfing.

        Adding the line
        net.ipv4.ip_forward = 1
        prevents the VPN from running with the error
        “Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf”

        If I comment the net.ipv4.ip_forward = 1 line the VPN runs without error.

        My server.conf file reads as below. I would be thankful for any opinions:

        port 443
        proto tcp
        dev tun
        ca easy-rsa/1.0/keys/ca.crt
        cert easy-rsa/1.0/keys/server.crt
        key easy-rsa/1.0/keys/server.key # This file should be kept secret
        dh easy-rsa/1.0/keys/dh1024.pem
        server 10.40.40.40.0 255.255.255.0
        ifconfig-pool-persist ipp.txt
        client-to-client
        #net.ipv4.ip_forward = 1
        push “redirect-gateway def1”
        push “dhcp-option DNS 8.8.8.8”
        push “dhcp-option DNS 8.8.4.4”
        keepalive 10 120
        comp-lzo
        persist-key
        persist-tun
        status status.log
        verb 3

  11. 

    Hi Remi, great blog you have! Running Openvpn is driving me a little bit crazy.

    If I connect from the local network, everything runs smooth but not from outside. I’m using Openvpn for Android as client.
    I can connect to the openvpn server but can’t seem to browse the internet. No traffic passes through apparently.

    I have a pretty standard setup, here is ifconfig tun0:

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:228 errors:0 dropped:0 overruns:0 frame:0
    TX packets:292 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:24069 (23.5 KiB) TX bytes:201642 (196.9 KiB)

    Here is my the output of netstat -rn:

    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth0
    10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
    10.8.0.0 192.168.0.46 255.255.255.0 UG 0 0 0 eth0
    10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

    My server config is:
    ev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    user nobody
    group nogroup
    server 10.8.0.0 255.255.255.0
    persist-key
    persist-tun
    status /var/log/openvpn-status.log
    verb 3
    client-to-client
    push “redirect-gateway def1”
    #set the dns servers
    push “dhcp-option DNS 8.8.8.8”
    push “dhcp-option DNS 8.8.4.4”
    push “route 192.168.0.0 255.255.255.0”
    log-append /var/log/openvpn
    comp-lzo

    The local IP address of my server is 192.168.0.46

  12. 

    Hi,

    I just want to give you many thanks for this great post! I have been struggling with openvpn settings a long time and with this article it was done in almost 10 minutes!

Trackbacks and Pingbacks:

  1. Building an economical OpenVPN server using the Raspberry Pi « Remi Bergsma's blog - January 2, 2013

    […] Secure browsing via untrusted wifi networks using OpenVPN and the Raspberry Pi […]

  2. Secure browsing on iOS (iPhone/iPad) using OpenVPN and the Raspberry Pi « Remi Bergsma's blog - March 13, 2013

    […] lot of people seem interested in safe browsing over untrusted wifi and using a Raspberry Pi with an OpenVPN server to accomplish that. In this blog post, I’ll […]

  3. Secure browsing via Raspberry Pi | 0ddn1x: tricks with *nix - May 7, 2013

    […] https://blog.remibergsma.com/2013/01/27/secure-browsing-via-untrusted-wifi-networks-using-openvpn-and… […]

What do you think?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s