
Raspberry Pi OpenVPN Client

Some places (as I wrote on my blog at: ) are Nazis about blocking traffic.  Even traffic that nobody should block (like secure VPNs).

So if you want to get around a crazy firewall, or get around interception of your traffic, you could use an SSH tunnel, like I gave instructions for in that post.

But some devices (like iPads and iPhones) won't let you connect to your own VPN (iPads and iPhones can't have a tap device), so there is no solid way to secure their traffic through a hostile network.

Raspberry Pi to the rescue!  

Here's how to set up a Raspberry Pi to be an OpenVPN client to an OpenVPN server (your own, or a service like HideMyAss, etc.), have the Raspberry Pi serve up its own wireless access point, and pump all its packets out through the OpenVPN tunnel, so that all your devices (computer, phone, tablet, etc.) can connect through the tunnel securely!  Here's how I did it:

I had already set up my home router (a dd-wrt flashed router) to be an OpenVPN server with the instructions at:

To get around crazy firewall rules, I moved my then-standard UDP port 1194 VPN (which was blocked by the Man) to TCP port 443, which would appear to be normal HTTPS traffic.  The instructions to do that are at the bottom of that blog post (just swap udp to tcp, and 1194 to 443).  This will provide a slower tunnel than a UDP tunnel, as I'm wrapping TCP in TCP, but it is a way around stupid firewalls.

Next was to set up the Raspberry Pi.  
Using the instructions at: I set up my Raspberry Pi as an AP.  Next, I needed to set it up as an OpenVPN Client.

This involved just doing an apt-get update and an apt-get install openvpn.

Then I put the ca.crt and client.crt certificates and the client.key private key in a folder called 'keys', and connected to my OpenVPN server with the script:

openvpn --remote  443 tcp --client --ca /path-to-keys/ca.crt --cert /path-to-keys/client.crt --key /path-to-keys/client.key --nobind --dev tap0 --persist-tun --persist-key --reneg-sec 1200 --verb 5 --ifconfig

This will connect you to the OpenVPN server, but will ONLY route VPN Subnet traffic to that VPN (Normal Internet traffic will NOT go through the VPN).

If you want ALL of your traffic to go through the VPN, change the OpenVPN script a little to add "--redirect-gateway def1" at the end, like so:

openvpn --remote  443 tcp --client --ca /path-to-keys/ca.crt --cert /path-to-keys/client.crt --key /path-to-keys/client.key --nobind --dev tap0 --persist-tun --persist-key --reneg-sec 1200 --verb 5 --ifconfig --redirect-gateway def1

(In the above, is the Raspberry VPN IP address, and is the VPN Gateway address).  This will route all of the Raspberry Pi's traffic through the VPN.  
However, this still left any wireless clients unable to connect to the Internet.  To fix that, you'll also need to update the Pi's iptables rules so that it forwards all the wlan client traffic to the tap device.

You can do that by running the below script, which I named


#!/bin/bash
# Rebuild the Pi's firewall so wlan0 clients are NATed out through the tunnel.
echo "Changing IPTables"
iptables -F
iptables -X

# The kernel must forward packets between interfaces (harmless if the AP setup already enabled it).
sysctl -w net.ipv4.ip_forward=1

# Allow loopback and everything on the access-point side.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -A OUTPUT -o wlan0 -j ACCEPT

# Masquerade whatever leaves via tap0 and let wlan0 clients be forwarded into it
# (replies come back under the FORWARD chain's default ACCEPT policy).
# Note: nothing here stops wlan0 traffic from leaving via eth0 if tap0 goes down.
iptables -A POSTROUTING -t nat -o tap0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -j ACCEPT

You might ask how I run a script on the Pi while I'm ssh'd into it and already running my OpenVPN script.   I use 'screen' to do that.  I LOVE screen, so if you haven't tried it before, this would be a great opportunity to see its power.   Screen isn't installed by default on the Pi, so I installed it with 'apt-get install screen'.   Then, after I ssh into my Pi, I run:

screen bash

and a screen terminal will pop up.  I run my first script with:


Then, after I've seen it establish a good VPN tunnel, I disconnect from that screen terminal with 'ctrl+a' then 'd'.

If I wanted to see the screen terminal list, I could type 'screen -list' but I usually just run my firewall script, which exits cleanly, by typing:


Then I return to my screen terminal with 'screen -r' to watch my OpenVPN script (in case it runs into problems).
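Once the tunnel is up, it is worth confirming that --redirect-gateway def1 actually took effect before trusting the AP, since a missing route means the Pi and every wlan client behind it silently use the plain eth0 default route. The script below is an added example, not from the original post: it parses the text of `ip route show` and reports a leak; the route tables and addresses in it are constructed samples (203.0.113.10 stands in for the VPN server).

```shell
#!/bin/sh
# Added example, not part of the original post. "--redirect-gateway def1"
# does not replace the existing default route: OpenVPN adds 0.0.0.0/1 and
# 128.0.0.0/1 via the VPN gateway on the tap device (two /1 routes beat the
# /0 default) plus a host route to the VPN server via the original gateway,
# so the tunnel is not routed into itself. Both halves must be present.

# route_dev TABLE DEST: TABLE is the text of `ip route show`; prints the
# interface of the route whose destination is DEST (empty if none).
route_dev() {
    printf '%s\n' "$1" | awk -v d="$2" \
        '$1 == d { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# vpn_routes_ok TABLE DEV: both def1 halves must leave through DEV.
vpn_routes_ok() {
    [ "$(route_dev "$1" 0.0.0.0/1)" = "$2" ] &&
    [ "$(route_dev "$1" 128.0.0.0/1)" = "$2" ]
}

# vpn_server_bypass_ok TABLE SERVER DEV: the host route to SERVER must exist
# and must not go through DEV.
vpn_server_bypass_ok() {
    dev=$(route_dev "$1" "$2")
    [ -n "$dev" ] && [ "$dev" != "$3" ]
}
# check_table TABLE SERVER DEV: one verdict line; returns 1 on a leak.
check_table() {
    if vpn_routes_ok "$1" "$3" && vpn_server_bypass_ok "$1" "$2" "$3"; then
        echo "OK: all traffic goes via $3; $2 bypasses the tunnel"
    else
        echo "LEAK: traffic is not being redirected through $3"
        return 1
    fi
}
# Constructed sample tables (made-up addresses; 203.0.113.10 stands in for
# the VPN server). First: tunnel up with def1; second: tunnel up, no def1.
SAMPLE_OK='0.0.0.0/1 via 10.8.0.1 dev tap0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tap0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.4.0/24 dev wlan0 proto kernel scope link src 192.168.4.1
203.0.113.10 via 192.168.1.1 dev eth0'
SAMPLE_NO_DEF1='default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.6
192.168.4.0/24 dev wlan0 proto kernel scope link src 192.168.4.1'
check_table "$SAMPLE_OK" 203.0.113.10 tap0
check_table "$SAMPLE_NO_DEF1" 203.0.113.10 tap0 || :
```

On the Pi itself, run it against the live table with `check_table "$(ip route show)" <your-vpn-server-ip> tap0`.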

That was it!  Sometimes getting work done, like checking on the home security cameras, getting files off of the home NAS, having my phone get its email, allowing for Magic Jack calls (a bit slower, but better than nothing), etc., isn't all that hard!  You just gotta be smarter than da Man.

Happy VPN'ing!

