Simplest OpenVPN setup and configuration,
designed for Raspberry Pi.
SIMPLE ::: Yes, that's it! It is *almost* that simple. To elaborate a little more, you will want to install Raspbian on a Raspberry Pi. We strongly recommend using the latest Jessie Lite image, but the normal Jessie image will work as well. Preferably enable SSH access and then begin.
There is a (now slightly outdated) guided walkthrough of the install available here.
More information is also available on the PiVPN GitHub.
FLEXIBLE ::: Think you'll have more options if you figure out how to do this yourself? This installer is no slouch! It'll allow you to customize your VPN port, certificate details, key encryption strength, client DNS server, and more! Even if you are an expert, the options presented within are a perfect foundation for any OpenVPN server installation. Although this is geared toward running on a $35 Raspberry Pi, the installer will work just as well on an Ubuntu Server running Trusty Tahr 14.04.
MANAGEABLE ::: Installation is finished, now what do you do? No worries, we've got you covered! Provided free of charge on your server is a new 'pivpn' command. Simply run pivpn and you are presented with all of the available options. Easily add client profiles (OVPN), revoke them, list the ones you created, etc. There is also an option to completely remove everything the installer did with the 'pivpn uninstall' command. So you can experiment with pivpn with no fear of irreversible changes to your server.
SECURE ::: Even though this installer makes everything so trivial, it doesn't mean it gives you trivial security settings. Everything has been upgraded right out of the box beyond the default settings to harden the security of the server and client. It starts by offering you the ability to enable unattended-upgrades, which will automatically patch your server with security updates. Next, the server configuration will only use the latest TLS 1.2 protocol. Both the data and control channels use upgraded AES and SHA256 encryption and hash algorithms. Options are pre-configured to verify your server certificate to battle MITM attack vectors. All this and more are configured out of the box by the pivpn installer. This is a detailed level of hardening you'll have a difficult time finding elsewhere.
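One way to check an OpenVPN config or client profile against the hardening listed above, as an added example that is not PiVPN's own code. The directive names are standard OpenVPN options, but the accepted values and both sample profiles are assumptions constructed here, and the control-channel cipher list is not checked.

```python
import re

# Constructed sample profiles, not PiVPN output. The line inside <ca> is a decoy:
# inline blocks in .ovpn profiles must not be parsed as directives.
HARDENED_CLIENT = """client
remote vpn.example.net 1194  # placeholder host
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
remote-cert-tls server
<ca>
cipher BF-CBC
</ca>
"""
WEAK_CLIENT = """client
cipher BF-CBC
tls-version-min 1.0
; auth SHA256
"""

def parse(text):
    """Return {directive: [args]}; keeps the last value seen (a simplification)."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # simplified comments
        if inline:  # skip everything up to the closing tag
            if line == f"</{inline}>":
                inline = None
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            inline = tag.group(1)
        elif line:
            name, *args = line.split()
            opts[name] = args
    return opts

def audit(text, role):
    """List deviations from the hardening the page describes (assumed values)."""
    o, findings = parse(text), []
    floor = (o.get("tls-version-min") or ["0"])[0]
    if not re.fullmatch(r"1\.[2-9]", floor):
        findings.append("tls-version-min unset or below 1.2")
    if not (o.get("cipher") or [""])[0].upper().startswith("AES-"):
        findings.append("data channel cipher is not AES")
    if (o.get("auth") or [""])[0].upper() != "SHA256":
        findings.append("auth digest is not SHA256")
    if role == "client" and o.get("remote-cert-tls") != ["server"] and "verify-x509-name" not in o:
        findings.append("server certificate is not verified")
    return findings
```

A directive that is commented out or missing is reported, because OpenVPN then falls back to its built-in default rather than the hardened value.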
There are quite a few various scripts that in some way install OpenVPN for you. This project in particular began from the code by StarshipEngineer to help make installing OpenVPN on a Raspberry Pi as simple as it can be. This is still the striving goal today (see Why This Is Important just below). However, even with the solid foundation provided by StarshipEngineer, I had recently come across the Pi-Hole project and saw just how easy an installation can be! So I took the scripts from StarshipEngineer, the framework and functions from the Pi-Hole project, and merged them into what you now see as PiVPN. I then added a ton of functionality, failsafe checks, hardened security, etc. This should be, bar none, the simplest and fastest way to set up an OpenVPN server on your Raspberry Pi that leaves you with an extremely secure configuration. I've made a few additions and tweaks as well to help make managing the OpenVPN server even easier after install. Everything can be managed by using a new 'pivpn' command on your system. This includes adding new client certs, revoking them, and completely uninstalling the pivpn. There is a lot more that can be added and I hope the suggestions and improvements can be contributed by the community at large.
Why This Is Important
There are a few driving factors that make this very important to me and, I believe, the community at large. In this post-Snowden era where our privacy and security are infringed upon, not only by bad actors but potentially by those whom we thought should be protecting these very ideals, it is necessary for normal citizens to take matters into their own hands. The trouble with this, many times, is that if you are not very technical you may not know how to begin. I believe the EFF has helped lower a barrier of encrypted sites with their Let's Encrypt initiative, allowing many to now have their sites on encrypted channels. To me, the next logical step here is also ensuring the pipe you are using is as secure as possible. This not only could include unknown networks at airports, Starbucks, generic public hot-spots; but also your ISP. To that end I'd like to make sure these scripts also work on a Debian Jessie image from an Amazon free tier server. It is important that more and more people have access to protecting their traffic online. It's clear others won't hand you this protection. PiVPN tries to make it easier for you to grab. Enjoy!
Great news! OpenVPN is undergoing a security audit. This means that at the end of the audit, this software we all rely on to help protect the security of our traffic will be in even better shape. Here is an article announcing the audit.
With regard to PiVPN, this means that once OpenVPN 2.4 is released we will make every effort to have PiVPN use this version. This way we gain the security fixes that will come post-audit. At that time we will also be able to use the better EC (elliptic curve) ciphers in creating certificates, which should be more secure and also less taxing on clients.
For more information on PiVPN, be sure to check the PiVPN Wiki.
The links below showcase some good write-ups and tutorials that use PiVPN. Some other decent information may also be contained regarding VPNs and security in general. If you find you have more questions on this area then read and/or watch some of the below!
Articles / Blogs
Video Guides
Contributions are Welcome and Encouraged!