First of all, some background. Why would you want to do this?
One use is for people who often find themselves abroad and need an IP address based in the UK (or wherever you’re based) to access services like BBC iPlayer or your bank account, and are happy to connect back through your own home broadband IP. Another is when you’re sitting in a coffee shop and you just don’t trust that free wifi access point, or the look of the people already sitting there, potentially ready to sniff out your details.
It’s also a potential way of saving some coin if you’re currently buying Mifi units and sim cards.
What is a VPN Server and how does this differ from a VPN provider I can subscribe to?
A VPN Server is a piece of software running on a piece of hardware that allows you to connect directly to the network that the server is connected to and makes your end device, no matter where you are in the world, appear to be in that location. You may already use a VPN at work when you’re remote working in order to access resources on your company network. The principle is the same.
For example, say you set this up in your own home and connected it up to your home router. You could install some VPN client software on your phone or laptop, connect to the profile you’ve set up on your device, and once connected, it would appear that your device was connected to your home broadband, even though you were using public wifi in a coffee shop or hotel. That is the main reason people do this: security. When using those public wifi hotspots you can create a private tunnel to your home network, securely use that as your internet exit point, and safely enter passwords into other sites and whatnot without a potential cybercriminal trying to sniff out your network packets and intercept precious information. You’d also have easy access to all the files you have shared on your home network, if you were into such things.
A VPN subscription service will do the same job in providing you a different IP address, and will also provide unfiltered internet access (if your ISP blocks certain sites, then you’ll still be blocked from those sites using a Private VPN server). The VPNs you subscribe to have a finite number of IPs allocated to the UK and, like an ISP’s, these IPs are registered to the VPN provider. If the service you want to use has already had a number of customers using the IP address, or knows the IP belongs to a VPN provider, it will potentially suspect foul play and could block your accounts.
So why won’t you have these problems on a home VPN? Well, because the IP address you’ll be showing from is your home broadband IP, be it Virgin Media, BT, PlusNet, Sky etc., NOT a VPN provider’s, and if the IP address at the location of your VPN server hardly ever changes, then even better.
If you want to do some further reading on VPNs first, this Wikipedia article may help: https://en.wikipedia.org/wiki/Virtual_private_network
Hopefully that all makes sense, so what do you need to get this going?
- A Raspberry Pi, I recommend the following kit, it comes with everything you need for £50: https://thepihut.com/collections/raspberry-pi-kits-and-bundles/products/raspberry-pi-3-starter-kit
- I think the Pi kit only comes with a MicroSD card. So if your computer does not read MicroSD cards, you’ll need a MicroSD card adapter if your computer has an SD card slot, such as the STOREINBOX 1 X TF MicroSD to SD Memory Card Reader Adapter Converter Connector. If it doesn’t have an SD card reader, then you need a USB adapter, something like the Camera Lightning SD Card Reader, YooGoal OTG USB Micro SD Card Adapter for iPhone iPad Mac Android.
- A monitor or TV that supports HDMI, you’ll actually only need this for about 5 minutes as we’ll set up a way of connecting to the Pi from your computer to make life easier.
- A USB Keyboard for the first 5 minutes of setup.
- Putty – or any program that allows you to SSH into the Pi from your main computer to make setting up easier: http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html?
- WinSCP or any other file transfer program that allows file transfers over an SSH connection if you already have one installed: https://winscp.net/eng/download.php
- OpenVPN client software for the device you’ll be using to connect to the VPN Server with:
Android/iOS: Download from the app stores on your device.
- A Dynamic DNS name for where your Pi will be kept. We’ll go through this during the setup below.
Let’s get on with the installation. Ideally this needs to be done at the location of where you’re going to install the Raspberry Pi, and also take a device with you to test it all works ok. A laptop will work best.
The rest of this guide is going to assume you are using a Windows laptop. If you’re on a Mac or a Linux based system, I am going to assume you’re clever enough to work out how to do the below with alternative methods where required. After all, it just works, right?
- First things first, we need to download an operating system for our Raspberry Pi. We want the Lite version of Raspbian, which at time of writing is called Raspbian Jessie Lite. Download the zip file from this page: https://www.raspberrypi.org/downloads/raspbian/ (It’s possible the name Jessie will have changed with a newer version; either way, just download whatever is the Lite version.)
- Open the zip file and you should see something like the below:
- Copy the .img file from within the zip file to the desktop of your computer so it’s easy to find.
- Download a piece of software called Win32 Disk Imager from here and install it onto your computer: https://sourceforge.net/projects/win32diskimager/
- Insert the MicroSD card into your laptop either via an available microSD card slot, or an adapter
- Run Win32 Disk Imager (it installs into a folder called Image Writer if you can’t find it). Make sure the device selected on the right is your SD card, then click the blue folder to locate the img file you copied to the desktop in steps 2/3. It should look something like the below (I’ve blanked out my username)
- Click on Write, click yes to confirm and wait for the Write Successful Message
- At this point I’m going to assume you’ve put the Pi in the provided case! Insert the MicroSD into the slot on the front. Connect the provided Ethernet cable to the Pi and the router, connect a HDMI cable to the Pi and a monitor/TV, connect keyboard to the Pi and connect the power cable to a plug socket and the Pi, it should automatically start up.
- A whole bunch of text will whizz across the screen, eventually you’ll be asked to enter a username, enter pi as the username and raspberry as the password.
- Once logged in, type sudo raspi-config
- On these screens use the cursor keys (arrow keys) to move up and down, press enter to select. Select 2 to change the User Password. Press OK and enter a new password followed by enter and then confirm it and press enter. You’ll receive a confirmation message saying the password has been changed. DON’T FORGET IT! Press OK. (If you are majorly security conscious, you can also change the username from the default pi, but it’s a bit of a long-winded process. If you want to do it, here’s how: https://www.modmypi.com/blog/how-to-change-the-default-account-username-and-password )
- Press down to Advanced Options and press Enter. Scroll down to select SSH and press Enter. Press left arrow to select Yes to enable the SSH server. This will allow us to continue the setup from a laptop or another device and to easily transfer a file off the Pi later. Once enabled press on OK.
- Scroll down and choose Finish
- At the terminal prompt type
ifconfig
The 2nd line down should give you the local IP address that the router has assigned to the Raspberry Pi. It will be something along the lines of 192.168.0.12
Make a note of this.
- Disconnect the monitor/TV and the keyboard, we no longer need them.
- Back on your Windows laptop type cmd in the search box and press enter, then type in
ipconfig
You’re looking for a local IP that’s pretty similar to the one your Pi has, so 192.168.0.X in this instance. Under that, the third line will be the default gateway. In my case, 192.168.0.1
- Type the address of the default gateway into your web browser, and login to the router, if you haven’t changed the default username and password to log into the router it’s usually found on the side or the bottom of the router.
- We now need to do two things. Now every router is different so I can only guide you in the right direction. You may need to go into the advanced settings area of the router to find them. First we need to find the DHCP options on the router and set a DHCP reservation. On the DHCP reservation screen it should already tell you what devices are connected to the network. Select the Raspberry Pi, which in my example above had the IP of 192.168.0.12 from step 14, and then select Add reservation then apply or save. This will ensure that whenever the router gets rebooted, the Raspberry Pi will always be assigned the same local IP address. We need it to always have the same local IP address so the router knows where to forward the VPN packets to. Speaking of which…..
- Find the options on the router for Port Forwarding
You’ll likely need to give the rule a name, call it VPN Server
For the start port and end port enter 11948
For the Protocol select UDP
For the IP address we need the local IP of the Pi, which we have just reserved to always be in my example, 192.168.0.12, obviously enter the correct IP address for your Pi as per steps 14 and 18. Click to apply or save.
- We’ve now got all the router configuration done and initial configuration of the Pi.
- Now launch Putty, if you haven’t downloaded it yet the link is in item 6 of what you need
- Enter the IP address of the PI and press Open
- On first connection you’ll get something like the below
- Login as pi and the password you changed it to in step 11.
Copy the below text:
curl -L https://install.pivpn.io | bash
Then right click anywhere in putty for it to automatically paste in, press Enter. The VPN Server software will begin installation.
- Just a quick side-note: running a command like this is dangerous. What the command does is download whatever script is currently served at https://install.pivpn.io and pipe it straight into bash, which runs it on the spot without you ever seeing it. If you run a similar command from an untrusted source you can do some damage, and it is very dangerous to do so. You can type https://install.pivpn.io in your browser to see the exact commands being run.
- Once its finished downloading, press ok
- It will tell you, you need a static IP address, we’ve already sorted this by assigning a DHCP reservation in step 18. Press OK.
If it asks what connection to use, use eth0. (If you have a Raspberry Pi 1 or 2, it will not ask you this question, as only the Raspberry Pi 3+ has wired and wireless on board.)
- When it asks if you want to use current network settings for a static IP select Yes, then select OK as it warns us again about router config, we already did it. Step 18.
- Press ok to choose a local user
- Select Pi and then OK
- It now tells us about automatic updates press ok
- Select Yes to enable automatic updates and wait for the process to finish.
- Next it will ask about protocol. Select UDP and press OK
- Change the port number to 11948 (as that’s the port number we forwarded to in Step 19). We changed it from the default port to enhance security. Changing your port won’t turn your server into Fort Knox, but it will not show up in default port scans of your external IP address, assuming the attacker is scanning default ports only. Press OK once you’ve added the 8 to the end.
- Press Yes to confirm the setting is correct.
- Press OK to set the encryption level to 2048, and then OK again to generate the security key. This will take a minute or so.
- On the next screen we have a choice to make. If your external IP NEVER changes, even after rebooting the router, you can choose to use the Public IP address. If it does change, or you’re not sure, then press down to highlight DNS entry, press space to select it, and then press enter.
- At this point it asks us for the name of the public DNS. So we better go set one up…..
- I recommend signing up to http://freedns.afraid.org/ it’s free and pretty simple to use. The only problem is it will not auto update should the external IP of your router change, but we can solve that easy enough by just googling ‘what is my ip’. Anyway…Click to setup an account and fill in all the required fields. You’ll need to login to the site at least once every 90 days to keep your account active.
- Once you’ve setup your account and logged in, on the left menu click subdomains
Leave the type as A
In subdomain type something easy to remember such as MyHomeBroadband
Choose a domain
Enter the destination IP. This is the external internet facing IP address of your internet connection, simply type ‘what is my ip’ into google and it will tell you. Type in that address as the destination IP
Enter the captcha code requested and click Save!
So we’ve now created a free DNS entry called something like Myhomebroadband.chickenkiller.com
- Go back to your Raspberry Pi VPN Server setup screen and enter whatever you chose as the DNS entry in step 40. In the example above you would type myhomebroadband.chickenkiller.com then press enter
- Confirm it is correct and there are no typos. Press Enter
- For the DNS provider (this is a different type of DNS, don’t worry about understanding) just leave it at google and press enter
- It will now advise us we need to run pivpn add from the command line to set up our OpenVPN certificate. Press Enter
- We are advised to reboot however first. Press left arrow to Yes, and press Enter, and enter again to reboot the Pi.
- Our Putty connection will drop off. Close Putty.
- Wait about 30 seconds, and relaunch Putty and connect again as you did in step 22.
- Login to the Pi again with the username (pi) and password you entered in step 11.
- Copy the below code:
sudo apt-get upgrade
and then right click anywhere in Putty to paste it in, and press Enter
- Press Y to confirm installation of updates and press Enter.
- Updates to the Raspberry Pi OS will begin downloading and may take a minute or two. At some point the screen will stop and notify you of certificates that will be updated, it’s not clear here, but you need to press enter a few times to scroll down, and then eventually q to quit.
- The downloaded updates will then install, again this will take a few minutes.
- Once you’re back at a pi@raspberrypi prompt, copy the below text:
pivpn add
And right click anywhere in Putty to paste it and press Enter
- You’ll be asked for a name for the client, Call it something that’s easy to identify, such as Myhomebroadband
- Enter the password for the client, now this password you’ll be asked for every time you connect to the VPN, so make it something secure and something you’ll remember.
- Confirm the password by entering it again.
- The key will get created.
- Now we need to get the key off the Raspberry Pi so we can use it on our devices. Open WinSCP, if you haven’t downloaded and installed it, the link is in item 4 of what you need at the top of the doc.
- In the hostname, type in the IP of the raspberry pi and click login.
- If asked about the security key, press OK to accept/save
- Enter username and password as you have been doing for Putty.
- It should auto log you into the pi user’s home folder. Go into the ovpns folder and you should see the ovpn key file you created in step 57. Right click it and choose download. Choose where to save it to, such as My Documents or the desktop.
- Install the OpenVPN client software on your device, I’m going to use Windows as an example. The link for the installer is in item 8 in the items you need at the top of this doc.
- Once its installed you should have an item in your system tray that looks like this:
you may need to click on the up arrow in the system tray if a number of items start up with the system.
- Right click the icon, and choose import file
- Browse to where you saved the key file from step 62.
- You should now have the option to connect when you right click the icon.
- Now before we test, whilst connected to your wifi, again google ‘what is my ip’ and make a note of the IP address. It should still be the same external IP that we pointed our free DNS service to in step 40. The best way to test is to disconnect now from your wifi. If you have a phone or mifi unit that allows data sharing, fire that up and connect to the hotspot the mifi or phone creates. Again, google what is my IP, and you should now be on an IP address provided by the phone’s network. Right click the OpenVPN icon in the taskbar and click connect. When prompted, enter the password you chose in step 56. All being well you should connect to the VPN network.
Google what is my IP again and you should find you are back on the IP address of your home broadband.
So there you have it, whilst connected to the wifi of a separate network (in this case the phone network) by connecting to the VPN software you now have the IP address of your home broadband and it’s as if you are connected to that network. In essence what’s happened is you’ve created a private tunnel from the phone network into your home broadband and your internet traffic is now going via that tunnel.
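The side-note on the install step above is the reason not to pipe a download straight into bash. As an added example (not part of the original guide or of the PiVPN project), the functions below save the installer to a file so it can be read first, then run it only if it still matches the SHA-256 recorded when you read it. The function names and the file name pivpn-install.sh are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide or the PiVPN project.
# Function names and the file name pivpn-install.sh are assumptions.

# Download the installer to a file instead of piping it into bash.
# --fail stops an HTTP error page being saved as if it were the script;
# --proto/--proto-redir refuse anything that is not HTTPS, redirects included.
fetch_installer() {
    url="$1"; out="$2"
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         --output "$out" "$url"
}

# Print the SHA-256 of a file (hex digest only).
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Run the script only if it is byte-for-byte what was reviewed.
# Returns 1 and runs nothing if the hash differs, 2 if the file is unreadable.
run_if_reviewed() {
    script="$1"; expected="$2"
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 2; }
    actual="$(file_sha256 "$script")"
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: contents changed since review" >&2
        return 1
    fi
    bash "$script"
}

# Typical session on the Pi:
#   fetch_installer https://install.pivpn.io pivpn-install.sh
#   less pivpn-install.sh                       # read what it will do
#   reviewed="$(file_sha256 pivpn-install.sh)"  # pin the bytes you read
#   run_if_reviewed pivpn-install.sh "$reviewed"
# Keep the value of $reviewed: if a later download hashes differently,
# the script has changed and needs reading again before it is run.
```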
Automating external IP address changes from the Pi
If you know that your IP address is likely to change quite often, or you’re getting fed up with manually changing to new IP addresses, then the process can be automated. This is a little bit more complex, but again is no more difficult than following the instructions above, pressing the right keys and ensuring the data you enter is correct. The guide below is going to assume you used http://freedns.afraid.org/ for your dynamic DNS
- Log into http://freedns.afraid.org/ and then click onto Dynamic DNS on the left, and scroll down to the subdomain we want to automate. To the right should be a link called direct URL. Click onto it, and now copy the link that is in your address bar. It will be something along the lines of:
https://freedns.afraid.org/dynamic/update.php?UkJOMlNLa3RWaXd5OjE0MjkxNTEz
Paste the address bar link into Notepad for safe keeping. Treat this link like a password: anyone who has it can repoint your subdomain.
- Whilst still logged into afraid.org choose subdomains on the left, click into the subdomain you wish to set up automation for, and then change the destination to 127.0.0.1. Enter the captcha code and press save. We are changing it on purpose to an incorrect entry to test our automation works.
- Still logged into afraid.org click onto preferences on the left, make a note of your UserID, as we’ll also need that later.
- SSH into your Raspberry Pi’s local IP address using Putty (or locally if it’s connected to a monitor and a keyboard) and enter the username and password to log into the Pi
- Copy the below code into the Pi
sudo apt-get install ddclient
Press Y and enter to continue when prompted to install the ddclient
- Press the down arrow to select other and then press Enter
- When prompted for the Dynamic DNS Server enter the following:
afraid.org
- For Dynamic Update protocol press enter to select dyndns2
- For the username enter the userID you obtained from Step 3 and ensure you enter it all in lowercase
- Enter the password you use to login into afraid.org (CaSE SensiTiVe)
- Verify the password
- When asked for what network interface to use, type:
web
and then press enter
- Enter the full address of your DynDNS name such as
myhomebroadband.chickenkiller.com
and then press enter
- More packages will be installed, when complete you’ll be back at a terminal prompt
- Copy the below text
sudo nano /etc/ddclient.conf
and right click anywhere in Putty to paste it in, press enter
- You’re now in a text editor. Use the arrow keys to move around and edit the file so it looks like the below; if a line doesn’t exist, enter it. Note the address of our DNS name needs to be followed by a # and then all of the text that was AFTER the ? in step 1. Also ensure the password remains inside the pair of ‘ ‘ :
# Configuration file for ddclient generated by debconf
- To save the file press CTRL+X, and then press Y, followed by enter
- To test everything has worked ok, copy the following text:
sudo ddclient -daemon=0 -noquiet -debug
Right click anywhere in Putty and press enter
You should get some output, the main thing we are interested in is the final line, it should say SUCCESS: updating myhomebroadband.chickenkiller.com: good: IP address set to xx.xx.xx.xx (where xx is obviously your external IP)
To prove it worked, log back into afraid.org and you should see that the IP address of the subdomain has been updated from the incorrect entry we put in (127.0.0.1) to the correct one.
- Now we know it works, we want it to autostart whenever the Pi reboots. Copy the following code
sudo nano /etc/rc.local
and right click anywhere in Putty and press enter.
- Press the arrow down key in the text editor until you see the line exit 0. Copy the following text
echo Starting ddclient . . .
sudo ddclient -daemon=600 -force
Ensure the green cursor is on the line above exit 0, then right click anywhere in putty to paste in the code.
The bottom of the file should now look like the below:
echo Starting ddclient . . .
sudo ddclient -daemon=600 -force
- Press CTRL+X, followed by Y, and then Enter.
- To test it works, let’s repeat step 2 and log into afraid.org and set the IP of our subdomain back to 127.0.0.1
- After you’ve changed the IP back to 127.0.0.1, copy the following code:
sudo reboot
and right click anywhere in Putty and press Enter. The Pi will reboot.
- If you’ve got a monitor plugged into the Pi, you should see the line
Starting ddclient
and
SUCCESS: updating myhomebroadband.chickenkiller.com etc……….
amongst the boot up text
- Understanding what we’ve done.
Installed some client software onto our Pi that runs a ‘what is my ip’ query every 10 minutes
If the external IP address has changed from what is in the record of the Pi, it will automatically update the IP to the new one in our DynDNS provider.
Meaning our down time to connect to our VPN should be no longer than 1hr and 10 minutes. Why an extra hour? It may take time for your ISP to notice that the record has been updated, and it may take an hour for their own DNS servers to catch up.
The easy way to test would be from a command prompt on your Windows computer. Type in:
ping myhomebroadband.chickenkiller.com
If it’s still bringing back the old address compared to what’s stored in afraid.org, then you’re at the mercy of waiting for your ISP to catch up.
Creating a Kill Switch
What’s a kill switch and why do we need one?
Let’s say for whatever reason your internet goes down whilst you are connected into it via the VPN link we have created. You might be in the middle of doing something. Once the VPN link is dropped, your Internet will fall back to its regular connection, and at the same time exposing your real IP address. You may even get kicked off the site as they suddenly notice the change of IP address as a security precaution. It might not be the end of the world, but this could cause you some grief.
So by creating a kill switch, if the VPN link goes down, all outbound internet traffic from our device gets disabled and, like the Internet at your house, your device will just think that it’s totally lost its connection to the Internet. The guide below actually limits it by application, so you can tie your preferred web browser to the VPN, whilst the rest of the OS is ok.
How to do it?
For the moment, I recommend you follow this guide and use Comodo Firewall. Just be aware to untick some of the boxes during installation if you don’t want some of the extra crap installing. It’s likely you’ll find the program annoys you to begin with, but once it learns it bugs you less. If you’re just installing this on one machine then it’s not really a massive problem. If anyone suggests some better methods in the comments, then I’ll gladly add them: https://www.bestvpn.com/blog/10218/build-your-own-vpn-kill-switch-in-windows-comodo/
I’ve followed the guide and XYZ doesn’t work?
Something is wrong (obviously). It’s probably easier to just start again from step 1. If you still come across the same problem, post in the comments with as much information as possible. Screenshots will help (although blank out any usernames, passwords and external IP addresses) and either myself or someone else will try and help.
How do I reboot the Pi?
If you can SSH into it, simply log in and issue the command sudo reboot
If you can’t access the Pi’s terminal at all, ask someone to unplug it, wait 30 seconds and plug it back in.
I’ve manually changed my DynDNS but the Pi isn’t auto updating it?
The Pi will only update the record if the external IP is different from what’s in its own record. If it doesn’t see that the external IP has changed from when it last checked, then it doesn’t actually talk to the DynDNS provider to update it, so it has no clue that you manually changed it at the DynDNS provider side. The only way to fix this is to use the -force option. If you’ve got local access or SSH access to the Pi then simply issue the command
sudo ddclient -force
Or if you can’t get any access to the Pi remotely, you’ll need to ask someone in the location where it’s hosted to unplug it, leave it 30 seconds and plug it back in. The -force option has been included in the startup script, so it will always do a forceful update on boot up even if the address has not changed.
The majority of this guide has been lifted from http://kamilslab.com/2017/01/22/how-to-turn-your-raspberry-pi-into-a-home-vpn-server-using-pivpn/ and modified to include initial setup of the Pi and more detail about SSH and setting up the client. The above guide has more screenshots which you might find useful.
*The Amazon product links in this article are affiliate links.