Raspberry Pi Home Server: Part 11, OpenVPN

Article Obsolete

A new version of this series has been published. Please refer to the new index for updated articles and ordering. This article is kept for historical reference, but should be considered out of date.

Note: This article is part of a series. See the Index for more information.

Self-promotion: I’ve recorded this series as a screencast for Pluralsight:
If you have a Pluralsight subscription, please consider watching it. Thanks!

Updates: EasyRSA is no longer installed as part of openvpn, but you can install it through apt-get just like anything else. Just add “easy-rsa” to the list of things to install early on. It will end up in a different place as well, so the command to copy the scripts is now “sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa”

The export variables at the bottom of vars have moved around a little, there’s now only one copy of your email address, and CN is commented out at the very bottom by default. Just fill in the variables that are present, and leave CN commented out.

Now that the whole house is humming along, sharing files, downloading things, and backing everyone up, you might be wondering if there’s anything left that the Raspberry can do for you. The answer is yes. In this article, we’ll set up the Raspberry Pi to act as an OpenVPN server, allowing you to access your home network from anywhere. OpenVPN is an open-source, cross-platform, virtual private networking (VPN) application. VPNs let you route internet traffic through a secure, encrypted channel, back to a network that you trust and/or control. You may have used one in order to securely access resources on the network at your office when you’re on the road. Developers sometimes use them to simulate traffic coming into their network from outside for testing. You can add these same abilities to your home network so that you can get to your stuff from work, or a hotel, or anywhere else with internet access. Running your own VPN means that no matter where you get an internet connection from, you are effectively “at home”. You don’t need to worry about fellow patrons at the coffee shop listening in on your network traffic because the traffic between you and your VPN is highly encrypted.


Once again, I didn’t invent this stuff. Most of the information about how to set up OpenVPN comes from a whitepaper by Eric Jodoin of the SANS institute. That whitepaper was later paraphrased and simplified in a pair of posts by Lauren Orsini. Both are excellent reading, and go into far more depth about how all this stuff works than I plan to. I’m just putting it into the same format as the other posts in the series, and organizing them in a logical progression, building on top of the previous posts in this series.


In order to connect to your home network’s VPN when you are away from home, you are going to need either a static IP address, or a dynamic IP resolution service like www.no-ip.org. My home router updates no-ip automatically, so I have not set up a program on the Raspberry Pi to do this. Other tutorials exist out there to handle this part.

Internet security

Warning: The explanation that follows is super-non-technical™, and probably wildly inaccurate in many important ways. I am not a security or cryptography expert, but this is, in layman’s terms, how internet security works. When you visit your bank’s website, and something in your address bar turns green, or grown a little lock, it means that someone at the bank went to some authority that we’ve all agreed to trust, and got a certificate that says “Yup these guys are the bank alright”, and installed it on the web server you’re talking to. As long as you trust the people that made the certificate to only give it to the company that paid for it, and as long as you trust the bank to only install the certificate on their own servers, then you have a way to prove that the server you’re talking to belongs to the company you think it does, or at least a company that the authority vouched for. Although I’m sure you trust your own word that the Raspberry Pi Home Server that you’ve been building is your own, your other computers are still going to want proof that the thing on the other side of the internet is your server, and not someone else pretending to be your server. That’s kind of the whole point of this exercise, after all. Since you trust yourself, you can act as your own “certificate authority” and make your own certificates. You then install your homemade certificates on both the server and the client, and they use that certificate to encrypt traffic back and forth between them.

Install OpenVPN

First things first, you’ll need to install the OpenVPN software onto the Raspberry Pi. You’ll also need the OpenSSL package in order to secure your connection later on. Installing both is as simple as…

sudo apt-get install openvpn openssl

That’s the easy part. Now comes the configuration. The installer has created some sample configuration files for us, and they’ll form the skeleton of the configuration. Copy the entire directory of sample configuration files like this:

sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Open the vars file for editing.

sudo nano /etc/openvpn/easy-rsa/vars

Find the “EASY_RSA” entry, set it as follows:

export EASY_RSA="/etc/openvpn/easy-rsa"

Move to the bottom of the file, and change the defaults that are defined there to match your location and network. This will save you some time later on when you are asked to provide this information again for each user you set up. Mine looks like this:

export KEY_CITY="Columbus"
export KEY_ORG="Home"
export KEY_EMAIL=melgrubb@…

Explaining the next few settings is a little out of my depth, but I’ll try to explain to the best of my understanding.

export KEY_CN=RPHS
export KEY_OU=RPHS
export PKCS11_PIN=1234

Most of these can be anything you want, but the KEY_CN setting must be unique, so if you’re going to make more than one VPN server, give them different values. I’ve chosen to make my “Common Name” (CN) the same as the name of the server. KEY_NAME will affect the name of the resulting key file, but is otherwise arbitrary. The organization unit (OU) setting is not important for a small home network, so I’ve just gone ahead and used the server name again. Basically, you can just make all of these values the same thing, and you’ll be just fine. The last two settings have to do with smart cards, which we’re not even going to get into. Close Nano, saving the file (ctrl-x, y, enter)

Become a certificate authority

In order to create certificates, you’ll need… wait for it… a certificate. In this case, it’s a “root certificate”. This is the kind of thing that one of the trusted authorities out on the web would have. The “easy-rsa” package you installed earlier can generate such a certificate for you. Run the following commands to set up a key server. Notice that the “sudo su” command is being used here. You’re going to stay in “god mode” for pretty much the remainder of this post.

cd /etc/openvpn/easy-rsa
sudo su
source ./vars

This last command will prompt you for a lot of values, fortunately, you set up reasonable default values above, so you can just hit enter to accept them. image

Note: Newer installations will say “Generating a 2048 bit RSA private key”. This default has changed since I originally published this article. Pay attention to what your installation says because you’ll need to know this in a minute. Also, 2048-bit keys take a LOT longer to generate, so your screen is going to look quite different than this screenshot.

When that finished, enter the following command, accepting the defaults again. You’ll get a couple extra questions this time. Make sure the “challenge password” is blank, and accept any other defaults.

./build-key-server RPHS

Answer yes to the “Sign the certificate?” and “commit?” prompts. image

Generate keys

You may be able to just take your bank’s word for it that they are who they say they are, but VPN servers like, the one we’re building, want proof of the client’s identity as well. They won’t let just anyone in. You need to give a key to each device or user you want to allow to connect to the VPN server. You have a decision to make at this point. You could generate a unique key for each individual device that you want to connect via VPN, or you could take a shortcut and generate a key for each user. The difference is whether you expect to need to connect more than one device at the same time. If you don’t need to connect more than one device per user at the same time, generate a key named for the user. If you think users will need more than one device connected at the same time, I’d suggest naming the key after the device.  Whichever you decide, generate a key like this:

./build-key-pass NAME

Accept the defaults again, leaving the challenge password blank. The PEM password, is the password you’ll need to connect using the key. Pick something nice and strong, but also something you won’t forget. If you want to be really paranoid, you could randomly generate one and keep it in a password safe. The choice is yours. Leave the challenge password blank again. Sign and commit the certificate when prompted. image Almost done.

cd keys
openssl rsa -in NAME.key -des3 -out NAME.3des.key

Use the same password as you did before. You’ll have to enter it three times. Technically, the first time is a different password, but how are you supposed to keep them straight?

cd ..

You may need to wait a while for this last step. Sometimes you get lucky, and this step is short. sometimes you’re unlucky, and it takes a long time. You never know what kind of wait you’re in for up front. When it’s done, generate a hash-based message authentication code (HMAC). This is yet another layer of protection, and helps to prevent denial of service (DOS) attacks.

openvpn --genkey --secret keys/ta.key

Configure OpenVPN Server

Now it’s finally time to edit the OpenVPN configuration and tie up the loose ends.

nano /etc/openvpn/server.conf

You’ll notice that the editor is totally blank. That’s because this file doesn’t exist yet. Paste in the following text, substituting your own values for the highlighted values. You’ll need your Raspberry Pi’s IP address, the IP address of your router, and the name you used above when calling build-key-server.

Note: I have also highlighted the 8th line, where it says “dh2048.pem”. Older installations defaulted to a 1024-bit key, so you will need to adjust this if you’re working with an older installation. If you’re installing it for the first time, however, this should say 2048 these days. Just make it match what the build-ca step said above.

local 192.168.1.XXX # YOUR PI'S IP ADDRESS
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/RPHS.crt
key /etc/openvpn/easy-rsa/keys/RPHS.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem.pem
# server and remote endpoints
# Add route to Client routing table for the OpenVPN Server
push "route"
# Add route to Client routing table for the OpenVPN Subnet
push "route"
# your local subnet
push "route" # YOUR PI'S IP SUBNET
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS
push "dhcp-option DNS" # YOUR ROUTER'S IP ADDRESS
# Override the Client default gateway by using and
# rather than This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
user nobody
group nogroup
persist-tun status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

Exit nano, saving your changes (ctrl-x, y, enter) Next, you need to allow the Raspberry Pi to forward IP traffic, which it does not do by default.

nano /etc/sysctl.conf

Find the line that says “Uncomment the next line to enable packet forwarding for IPv4”, and uncomment the line immediately after it.

# Uncomment the next line to enable packet forwarding for IPv4

Exit Nano, saving your changes (ctrl-x,y,enter), and force a reload of the settings.

sysctl -p

Configure Firewall

The Raspberry Pi has its own firewall, which must be configured to allow the VPN traffic through. Create a script file to automate the opening of the appropriate ports.

nano /etc/firewall-openvpn-rules.sh

Copy in the following text, substituting your own Raspberry PI’s IP address where highlighted.


iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source 192.168.1.XXX

Change the permissions on the file you just created so that it can be executed, and assign ownership to the root user.

chmod 700 /etc/firewall-openvpn-rules.sh
chown root /etc/firewall-openvpn-rules.sh

This script file needs to run every time the Raspberry Pi boots up in order to do us any good. Edit the /etc/network/interfaces file.

nano /etc/network/interfaces

Find the line that configures the wired ethernet port. If you are running your server wirelessly, then you’ll need to adjust accordingly. Insert a new line, indented underneath so that the result looks like this:

iface eth0 inet dhcp
    pre-up /etc/firewall-openvpn-rules.sh

This will ensure that the firewall rules are applied to that network interface even before it has started up. Reboot the Raspberry Pi so that the rules are applied.

sudo reboot

Generating client keys

Connecting a VPN client to a remote server takes a bit of configuration, too. The OpenVPN client has to know where the server is, and it has to have a copy of the keys we generated earlier. All of this configuration gets wrapped up into a file with a .ovpn extension. You can create these by hand if you like, but Eric Jodoin, the author of the original SANS.org article was kind enough to write a script to do it for us. Create the script file.

nano /etc/openvpn/easy-rsa/keys/MakeOVPN.sh

This is a new file, so it will be totally blank. Paste in the following:


# Default Variable Declarations 
#Ask for a Client name 
echo "Please enter an existing Client Name:"
read NAME 
#1st Verify that client's Public Key Exists 
if [ ! -f $NAME$CRT ]; then 
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT" 
echo "Client's cert found: $NAME$CR" 
#Then, verify that there is a private key for that client 
if [ ! -f $NAME$KEY ]; then 
echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY" 
echo "Client's Private Key found: $NAME$KEY"

#Confirm the CA public key exists 
if [ ! -f $CA ]; then 
echo "[ERROR]: CA Public Key not found: $CA" 
echo "CA public Key found: $CA" 

#Confirm the tls-auth ta key file exists 
if [ ! -f $TA ]; then 
echo "[ERROR]: tls-auth Key not found: $TA" 
echo "tls-auth Private Key found: $TA" 
#Ready to make a new .opvn file - Start by populating with the default file 
#Now, append the CA Public Cert 
echo "" >> $NAME$FILEEXT 
echo "" >> $NAME$FILEEXT

#Next append the client Public Cert 
echo "" >> $NAME$FILEEXT 
echo "" >> $NAME$FILEEXT 
#Then, append the client Private Key 
echo "" >> $NAME$FILEEXT 
echo "" >> $NAME$FILEEXT 
#Finally, append the TA Private Key 
echo "" >> $NAME$FILEEXT 
echo "" >> $NAME$FILEEXT 
echo "Done! $NAME$FILEEXT Successfully Created."

Exit Nano, saving your changes (ctrl-x,y,enter) Once again, because this is a script, permissions will have to be altered to allow it to run.

chmod 700 /etc/openvpn/easy-rsa/keys/MakeOVPN.sh

Create the Default.txt file to hold the default values the script will use. The casing isn’t important, but it must match what was specified at the top of the script file. I’m keeping the capitalized “D” just to keep it the same as anyone else who followed Eric’s instructions.

nano /etc/openvpn/easy-rsa/keys/Default.txt

Paste in the following, substituting your public IP address for the highlighted text. If you don’t have a static public IP address, you can use a dynamic name from a service like DynDNS or no-ip here as well. The “1194” is the standard port number OpenVPN uses, adjust as needed to match your network configuration.

dev tun
proto udp
resolv-retry infinite
ns-cert-type server
key-direction 1 
cipher AES-128-CBC
verb 1
mute 20

Exit Nano, saving your changes (ctrl-x,y,enter) Execute the script to create a .ovpn file. Remember to use the user or device name you chose earlier when creating the client key. cd /etc/openvpn/easy-rsa/keys ./MakeOVPN.sh The result is a NAME.ovpn file in the /etc/openvpn/easy-rsa/keys folder on the Raspberry Pi. That’s great, but we need the key on the client machine. You can copy the file using a secure copy program like WinSCP, copy it to a flash drive and move it by hand, or any other number of ways to move a file around. Since this is my own private home server, I’m going to put the file on the data share, at least temporarily. Once the key is installed and working on the client, I’ll delete it from the server.

cp /etc/openvpn/easy-rsa/keys/NAME.ovpn /mnt/data/

Keys like this aren’t something you should leave lying around. On the other hand, you should probably have a backup of them somewhere. If you put them on a flash drive, go put it in a safe or something. Don’t let anyone get a hold of your keys, or they have a free pass into your home network, and you may not even notice it. You can always go back and generate new keys, delete the compromised ones, and continue on, of course.

Port forwarding

Before you’ll be able to connect to your home network from outside, you’ll need to set up your router to forward all traffic on port 1194 to the Raspberry Pi. I can’t tell you how to configure the firewall on your router at home because I don’t know what kind of router you have. An excellent resource that may have information specifically for your router is http://portforward.com/.

Client configuration

I’m using the OpenVPN client for Windows, but the instructions should be similar for other platforms. You can download open-source clients for Windows, and source tarballs for other systems from here. Note: Don’t try to download client software from the links on the front page of the OpenVPN site or you’ll just end up with “SecureTunnel”, a paid-subscription-based system that lets you do exactly what you’re already set up to do on your own. Get the .ovpn file that you generated on the Raspberry Pi over to the computer you’re going to connect from, and put it in the OpenVPN config folder. For Windows users, this should be C:\Program Files\OpenVPN\config.

Connecting the client

You’ll need to be somewhere other than on your own network for this next part. Otherwise you’re seriously crossing the streams, shutting down the containment grid, etc. Disconnect from your home network and tether yourself to a phone or something before continuing. Run the OpenVPN GUI application. It should have created a shortcut in your start menu for Windows 7 users, or on your app list for Windows 8 users. Run it, and it should pick up on the .ovpn file and open a connection. You’ll be prompted for the password you created earlier, and if everything is configured correctly, the OpenVPN icon in your notification area should turn green, and you’ll be effectively connecting to the outside world as part of your home network. There are, of course, many issues you could run into when using a VPN. Most of them are explained pretty well on the HowTo page of the OpenVPN site. One of the more vexing problems is that of disambiguating IP addresses between your home network, and the network you are connected to. See “Numbering Private Subnets” for more information.

What’s next

With this article complete, you’ve built a home server that’s covering all of the essentials. From here on out, we’ll be adding bells, whistles, fringe on top, etc. In the next post, we’ll add the LAMP stack, which forms the basis for most Linux-based web projects. If you want to run a website, a blog, or just a few web applications, you’ll probably need this.

This entry was posted in Computers and Internet, Home Server, Raspberry Pi and tagged . Bookmark the permalink.

106 Responses to Raspberry Pi Home Server: Part 11, OpenVPN

  1. Pingback: Raspberry Pi Home Server: Index | MelGrubb.ToBlog()

  2. Pingback: Raspberry Pi Home Server: Part 10, CrashPlan | MelGrubb.ToBlog()

  3. Skoda says:

    Hi Mel. I’m reading this and have one doubt about “ifconfig “. This are point to point tunnels aren’t they? Actually if I would ask you can you connect simultaneously from two remote devices using the above config what would your answer be?

    For instance if I have two remote Windows PC’s, can they be connected to the Raspberry VPN server simultaneously? Which IP address would remote systems get? Can you test it?

    Thank you

    • Mel Grubb says:

      I believe it is possible to get OpenVPN set up so that more than one connection is possible. I didn’t go into it, myself, because all I needed was the one connection since I’m the only one who would be using it. The way I have set it up in this tutorial only supports a single connection, and the internal IP will always be the same.

  4. stickyfly says:

    Quick Q here…in the server.conf are you using the real IP of the PI or the subnet of the PI such as

    • Mel Grubb says:

      I’m using the IP address of the PI in both of the spots marked in the file. They are highlighted above in this article. I know there are a ton of configuration options, and you can put your VPN on a different sub-net than your normal network clients, but that’s really beyond the scope of what I was doing. I just needed to get one person (me) onto the home network occasionally in order to reset or tweak something.

  5. Worked right up until I rebooted then could no longer ssh into the pi to complete the process. I have tried openvpn following instructions on about 10 different webpages and can never get it to work. Do you have to have the pi have a wired connection(not possible for me as mine are all used )? So frustrating! I have spent hours on this to no avail. I wish they would make it easier.

    • Mel Grubb says:

      Mine is wired, since its permanently placed next to the drives. I suppose there could be some interaction or incompatibility with a particular wireless dongle. I couldn’t say for sure, though, since I haven’t tried it myself.

    • Mel Grubb says:

      In order to troubleshoot the issue, I would recommend moving something temporarily so that you can plug the Pi in directly. If everything works wired, but not wireless, then I’d start googling for your particular wireless dongle’s model number and OpenVPN. Hopefully you find something.

  6. Grosir Tas Rajut KAAY says:

    Asking questions are truly nice thing if you are not understanding something
    totally, except this post gives nice understanding even.

  7. Excellent way of describing, and good piece of writing to get facts about my presentation subject
    matter, which i am going to deliver in college.

  8. Pingback: Raspberry Pi Home Server: Part 10, CrashPlan | MelGrubb.ToBlog()

  9. elite kody says:

    whoah this weblog is magnificent i love reading your posts.

    Keep up the good work! You understand, many
    people are hunting round for this info, you can aid them greatly.

  10. Awesome, tried 2 other tutorials, but no cigar. This one finally did it for me. Very understandable, even for a Linux noob like me, thanks!

  11. Alex says:

    I can connect VPN interphase via windows 7 desktop (ie…get green connection icon), but do not gain access to VPN server. At the client or PI server I can ping and receive packets, but not when I ping or it times out. So, I think the PI server is connecting with the VPN server but I don’t think I am receiving anything back from the PI server. I have port 1194 udp open, but still no joy. Any suggestions what could be the problem?

  12. Carlos says:

    It’s the best tutorial I read. Congratulations!!

  13. Pingback: The Raspberry Pi Home Server – Part 1 | UnaX.dk

  14. Hi Mell it’s me again 🙂

    I followed your VPN tutorial to the letter, but when I run the OpenVPN Gui, I get asked a password.
    This should not happen, should it ? I thought that’s what the .ovpn file was for.

    However when I try the password I setup it kicks me out.
    Any idea ?

    • Hmm. I know what the problem is, but how to fix it ?

      When I got home I saw my pi had frozen trying to start the virtual private network daemon. I had to hook up a keyboard to continue, because ssh wasn’t loaded up yet.

      I got the following error:

      [FAIL] Starting virtual private network daemon: server failed !
      [FAIL} startpar: service(s) returned failure: openvpn … failed !

      Any idea what could be wrong ?


  15. No I did not start it succesfully before unfortunatly :(, after the sudo reboot in your guide it froze 😦

    • By the way did I have to do ‘sudo su’ after the reboot to be in ‘god mode’ again?

      I didn’t. I just added ‘sudo’ in front of the rest of the lines in your guide.
      Could that have been problematic ? If so how can I undo all the steps in your guide
      to start over fresh ?

      Sorry for the n00bish questions, but I don’t now that much about Linux 😦 )

      • Mel Grubb says:

        I don’t have it in front of me at the moment, but from what I recall, you shouldn’t need to go into good mode after rebooting. I’d check if there’s anything in the log files. You may have to do a search to find out where they are. I’m on my phone and won’t be home tonight, so I won’t be able to look into it right away.

  16. No hurry ! It’s not that important. Below the openvpn.log:

    At the bottom are some errors:

    Wed Mar 11 20:54:56 2015 OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 pa$
    Wed Mar 11 20:54:56 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executab$
    Wed Mar 11 20:55:08 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent$
    Wed Mar 11 20:55:08 2015 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key f$
    Wed Mar 11 20:55:08 2015 TUN/TAP device tun0 opened
    Wed Mar 11 20:55:08 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Wed Mar 11 20:55:08 2015 /sbin/ifconfig tun0 pointopoint mtu 1500
    Wed Mar 11 20:55:08 2015 GID set to nogroup
    Wed Mar 11 20:55:08 2015 UID set to nobody
    Wed Mar 11 20:55:08 2015 UDPv4 link local (bound): [AF_INET]
    Wed Mar 11 20:55:08 2015 UDPv4 link remote: [undef]
    Wed Mar 11 20:55:08 2015 Initialization Sequence Completed
    Wed Mar 11 20:55:24 2015 event_wait : Interrupted system call (code=4)
    SIOCDELRT: Operation not permitted
    Wed Mar 11 20:55:24 2015 ERROR: Linux route delete command failed: external program exited with error status: 7
    Wed Mar 11 20:55:24 2015 /sbin/ifconfig tun0
    SIOCSIFADDR: Operation not permitted
    SIOCSIFFLAGS: Operation not permitted
    Wed Mar 11 20:55:24 2015 Linux ip addr del failed: external program exited with error status: 255
    Wed Mar 11 20:55:24 2015 SIGTERM[hard,] received, process exiting
  17. Stephen Wass says:

    im getting the same error as walkeroftheday…..any suggestions?

  18. Stephen Wass says:

    how did you remove all the configuration files? after i purged open vpn they were still there when i installed the new one

  19. wilydiver says:

    Has any one had a problem using Open Vpn on a windows 8 computer, but have no problems accessing Open Vpn on your phone or tablet using an android OS? It has to be a security issue with windows but I can’t find it. Anyhelp or suggestions would be greatly appreciated.

    • Mel Grubb says:

      When I write the article, it was using a Windows 8 machine, so I can say that it works. It’s a complicated setup process though, so any number of things could go wrong. If you could describe the problem, maybe it will sound familiar to someone who’s been there.

  20. wilydiver says:


    Thanks for the response and thank you for the great set of tutorials, they are awesome! I have learned a lot and enjoyed my new server immensely. My problem is when I try to initiate the handshake with the Open VPN program on my laptop I get the time-out error. What really perplexes me is that I can access my server via Open VPN through my phone and tablet with no problem. I am reluctant to change my configurations on my router or VPN file because I know they work. I think it has to be something with the configuration or security in windows 8.1. I have tried turning off the firewall, anti-virus but nothing seems to help.

    Here is a shot of the log

    Sat Apr 18 17:41:20 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
    Sat Apr 18 17:41:20 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
    Enter Management Password:
    Sat Apr 18 17:41:31 2015 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
    Sat Apr 18 17:41:31 2015 Control Channel Authentication: tls-auth using INLINE static key file
    Sat Apr 18 17:41:31 2015 UDPv4 link local: [undef]
    Sat Apr 18 17:41:31 2015 UDPv4 link remote: [AF_INET]
    Sat Apr 18 17:42:31 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Apr 18 17:42:31 2015 TLS Error: TLS handshake failed
    Sat Apr 18 17:42:31 2015 SIGUSR1[soft,tls-error] received, process restarting
    Sat Apr 18 17:42:33 2015 UDPv4 link local: [undef]
    Sat Apr 18 17:42:33 2015 UDPv4 link remote: [AF_INET]

    Best Regards

  21. Adam J. Walters says:

    So…. What steps do I need to follow to add additional users to connect to the server?

    Thank you.

    It took me two months to get my VPN going but this guide was the helpful of anything I found online!

    • Mel Grubb says:

      Look at the section titled “Generate Keys”. There are instructions there for generating keys by device or by user. I’ve only been using it “by device”, myself, but this section should be what you need.

      • Adam J. Walters says:

        In nine or so years am I to repeat the entire process as the certificate will expire at that time? Can I use it w/ expired certificates? I know I have a long time before I need to worry but I was ripping hair trying to get the firewall to work so that I could see my server side lan from a remote client. Your guide was the best! I hope and pray that in ten years your blog is still up!

  22. Adam J. Walters says:

    In nine or so years am I to repeat the entire process as the certificate will expire at that time? Can I use it w/ expired certificates? I know I have a long time before I need to worry but I was ripping hair trying to get the firewall to work so that I could see my server side lan from a remote client. Your guide was the best! I hope and pray that in ten years your blog is still up

    • Mel Grubb says:

      I guess I wasn’t imagining this one server staying up that long. In a couple years, I assume we’ll be up to the Raspberry Pi 4, or some other miniature computer, and I will have moved on to that. I’ve already upgraded from a B to a B+, and now a 2B. I can’t help myself. New things are shiny. Also, I imagine that OpenVPN will have been supplanted by something else in that time.

      If you’re still running the same server in nine years, then I guess you’d just have to run through the certificate creation steps again. You’d skip the installation steps, and just pick up at the configuration stage.

      This is also one of those things that you could consider optional. I piles all these functions on the one Raspberry Pi just to see how much it could take, and I haven’t been disappointed. If I were being more practical, though, I’d have left the OpenVPN part to my router. With the dd-wrt firmware for my router, I could distribute the workload a bit, and let the router handle the OpenVPN part. I haven’t gotten around to flashing my router, but I probably will at some point.

  23. kkprince says:

    Should I open port 1194 on TCP or UDP?

  24. dillon1337 says:

    After forwarding the port on my router, I was required to open the port on my Pi with “nc -l 1194”. Just posting this for anyone else that can’t see into the Pi after following these instructions.

    Thanks for the great tutorial!

  25. Joe says:

    In the step “Become a certificate authority”, when I enter the ./build-ca command I don’t receive any questions about information, and when I enter the ./build-key-server [NAME] command I don’t receive a prompt to sign the certificate. In both cases the output is:

    Please edit the vars script to reflect your configuration,
    then source it with “source ./vars”.
    Next, to start with a fresh PKI configuration and to delete any
    previous certificates and keys, run “./clean-all”.
    Finally, you can run this tool (pkitool) to build certificates/keys.

    I’m still pretty new to Linux and just got this Raspberry Pi the other day, so I apologize if this is an obvious fix.


    • Mel Grubb says:

      Well, I’m going to guess that you either left one of the settings in the “vars” file unset, or didn’t actually run the “source vars” step. I’ve never intentionally skipped either part just to see what would happen, but the error message is clearly indicating one of those two possibilities.

  26. Joe says:

    Thanks for the reply! Looks like I had accidentally duplicated one of the lines in vars. Fixed it, and the rest of the steps went perfectly. Thanks again, I didn’t even know where to start. Works great!

  27. Nate says:

    Great write-up! I’m having a bit of a tough time here though. I’ve gone through this a couple times and I keep getting a TLS error. Any ideas on how I could fix this?
    Aug 24 4:03:20 PM: State changed to Connecting
    Aug 24 4:03:20 PM: Viscosity Windows 1.5.9 (1373)
    Aug 24 4:03:20 PM: Running on Microsoft Windows 10 Pro
    Aug 24 4:03:20 PM: Bringing up interface…
    Aug 24 4:03:20 PM: Checking reachability status of connection…
    Aug 24 4:03:20 PM: Connection is reachable. Starting connection attempt.
    Aug 24 4:03:20 PM: OpenVPN 2.3.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jul 10 2015
    Aug 24 4:03:20 PM: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
    Aug 24 4:03:21 PM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Aug 24 4:03:24 PM: WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
    Aug 24 4:03:25 PM: UDPv4 link local: [undef]
    Aug 24 4:03:25 PM: UDPv4 link remote: [AF_INET]XX.XXX.XX.XXX:1194Aug 24 4:04:24 PM: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Aug 24 4:04:24 PM: TLS Error: TLS handshake failed
    Aug 24 4:04:24 PM: SIGUSR1[soft,tls-error] received, process restarting
    Aug 24 4:04:24 PM: State changed to Connecting

    • Mel Grubb says:

      Off the top of my head, I’d double-check that the IP address you put in Default.txt is your house’s EXTERNAL IP address (or dynamic IP name), not the 192.168 address inside your house. After that, check that your router is forwarding port 1194 to the Pi.

      • Ewin Hong says:

        Hi Mel,
        Great video on Pluralsight. But I do not understand why the TLS is not working as shown in the copy of my log below. I set the port forwarding on my router. I also followed the nat-rules.sh from the pluralsight video. I feel that I am super close, but I get this.

        iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT –to-source 192.168.1.xxx

        Mon Dec 07 22:39:52 2015 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
        Mon Dec 07 22:39:52 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
        Enter Private Key Password:
        Mon Dec 07 22:39:59 2015 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
        Mon Dec 07 22:39:59 2015 Control Channel Authentication: tls-auth using INLINE static key file
        Mon Dec 07 22:39:59 2015 UDPv4 link local: [undef]
        Mon Dec 07 22:39:59 2015 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194 (not 192.168…)
        Mon Dec 07 22:40:59 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Mon Dec 07 22:40:59 2015 TLS Error: TLS handshake failed
        Mon Dec 07 22:40:59 2015 SIGUSR1[soft,tls-error] received, process restarting

  28. @ArduinoGuy says:

    Mel – OUTSTANDING tutorial! I followed it to the letter and reinstalled my OpenVPN service on my Pi. It had completed successfully the ReadWrite tutorial in Jan 2015, but had to reinstall and this time the ReadWrite instructions didn’t work for me. But your instructions were perfect. The only issue I had was that the “cp /etc/openvpn/easy-rsa/keys/NAME.ovpn /mnt/data/” command didn’t work for me … the Pi couldn’t copy the files. So I used the ReadWrite chmod commands (first with 777 and then with 600) to unprotect the OpenVPN folder, copy the profiles with WinSCP, then reprotect the folder. Thanks, again, for an outstanding tutorial. @ArduinoGuy

  29. Bob says:

    Thank you for this, I’ve been following other recipes on how to get the VPN up and running, but yours was the clearest and most concise.

  30. schwendi says:

    Maybe I am just missing something, but when I come to the point where I have to move the NAME.ovpn file I get “no such file or directory” as feedback. I checked the name several times and when I look at the keys directory via “ls” there is not a single .ovpn file

    So, what did I miss? Do I have to do something to run the Script besides the cd command, thats hidden in the Text?

  31. scottvoyles says:

    Hi Mel, excellent series you’ve got here, I’m really learning a bunch. I was wondering your thoughts on the intrinsic benefits of using the Pi over my router’s own VPN capabilities. I can’t find any articles where people really compare the two. I’m wondering if the way to go for me is simply use my router’s VPN capabilities, lightening the load of the Pi. What sorts of questions should I be considering? Many thanks!

    • Mel Grubb says:

      If your router can do it, I’d let the router handle it and spread out the work a bit. The Raspberry Pi can do a lot of things, and it can do them well, but the more it tries to do at the same time, the more they all suffer. Also, OpenVPN isn’t as universally supported as some of the on-router options.

  32. Mel, I am trying this on a new RPi 2. WHen I install the OpenVPN and OPenSSL packages it all works okay, but when I try the cp -r /usr/share/doc/openvpn/examples…. command, there is no easy-rsa folder at that location. Has something changed with the latest OpenVPN or am I missing something?

    • Mel Grubb says:

      Without running through it all again, I don’t think I could make s good enough guess. It’s possible that something has changed with the distribution. I won’t have a chance to look before next weekend, unfortunately. Try looking around the directories by hand and see if it’s changed locations. I’ll hopefully be building a new server using the new Raspbian Jessie image next weekend to see what’s changed or broken. If you find the files, out a step that was missed, please let me know.

      • From what I have found, EasyVPN is no longer part of the OpenVPN project, but has been separated out. The current Master branch on the project is version 3.0. So it now appears that you need to install it separately. I’m just new enough with this to not want to try a lot of “discovery” without some sort of previously working model, or I will mess things up 🙂

        I am not really sure what files I am looking for.

      • Ian says:

        I think its something to do with the Jessie Raspian…. it worked fine for me on Wheezy but now im on Jessie its not installed the easy-rsa like it did before and i cant find anything online to help.

    • Ian says:

      found them….

      they are in /usr/share/easy-rsa

      so at the beginning instead of “sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ” etc etc etc copy from /usr/share/easy-rsa

      hope that helps.

  33. Ian says:

    hi – weird one here…..

    I have followed your tutorial twice now, and each time i reboot after setting it up, its like the whole install has disappeared… the /etc/openvpn folder and subfolders no longer exist…

    this has happened twice now!

    any ideas?

    • Mel Grubb says:

      That is not one I’ve heard before. It’s always possible that a recent update to openvpn has invalidated my guide, but I’d have to go through it all again to be sure. I’m hoping to do that this weekend. I’ll post an update if I find anything.

      • Ian says:

        I figured it out as a corrupted SD Card! it kept reverting to 26th Aug each time i rebooted – I found a few articles about when SD cards go bad, they “stick” to a certain point – i even placed the card in a windows laptop and tried to add a file only for it to disappear once i reinserted the card!

        Your guide is spot on so don’t worry – i think its just my sd card – which i have now replaced ( it was always a bit dodgy, only booting 1 in 6 times successfully )

  34. Hi, I have watched your Pluralsite course and really enjoyed it and I found it most helpfull.

    Have you hear of Softether (https://www.softether.org/)? It creates a VPN like openVPN but it is much simpler to setup than OpenVPN – https://gist.github.com/jhenkens/11190151 has a couple of scripts which do all the work. It also has windows admin app to allow remote configure rather than all that confg file editing.

    Also, On the RPHS front, have your heard of RamLog – A small utility which make the log files go to ram first and then onto SD Card which can save lots of write cycles.

    Could you do a blog post on using your RPHS as an Email Server (SMTP/IMAP/Web Client) using PostFix, PostFixAdmin, Dovecot, RoundCube)?

    Thanks for your hard work.

    Peter Tewkesbury

    • Mel Grubb says:

      If I were to cover another VPN, it would probably be something more like ikev2 or l2tp, the sort of thing built into most smartphones. The biggest inconvenience with openvpn has been that phones don’t understand it, at least not without a lot of work. Android may be different, I don’t know. As for the email server. I’m sure it could be done, but it’s a little beyond the needs of most home users and requires you to have your own domain. I’ve set up my server to use Gmail to send me notifications when needed, which does the trick for me.

  35. Hi,

    Softether VPN Server can be accessed via Android and Windows / Windows Phone with no client VPN software required and the setup scripts make it super easy to install and configure It supports l2tp, OpenVPN and other protocols as well.

    As for the email, I am running my email server on a Raspberry pi using a No-IP dynamic DNS service by settings the MX record on my account (Free account) and I can get email in and out.


  36. I was able to find good advice from your blog posts.

  37. Tim says:

    Have you any advice on how to set this up for a chromebook?
    I have been using this for windows machines for smetime and with great success but I think the setup may have to be different for chromebooks?

  38. S.Callan says:

    Hi Mel,

    I have read through your blog but keep getting “Sun Jan 10 15:44:49 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sun Jan 10 15:44:49 2016 TLS Error: TLS handshake failed” whenever I try to connect to my VPN via OpenVPN. As such, I was wondering if you had any advice on what might be causing it?

    My public IP is correct and static and everything seems to be correct .

    • Mel Grubb says:

      Any number of things can cause this. It’s not a very specific error message. I’ve seen this one myself, and it was because I’d used the internal IP address (192.168…) when setting up the Default.txt file instead of the external IP address of my router. Closed firewall ports could cause this error too. Basically it just means “no one answered my request”. I’d go through the article again very carefully double-checking each step. You will most likely find some small detail like internal vs external IP address. I’m currently rebuilding my real home server using the Jessie image, so if I find anything truly wrong, I’ll update the article.

      • s.callan says:

        Thank you for the quick reply.

        I doubled checked the default.txt file and it is set to the public (external) IP address of my router. Also my router ports are port forwarding to 1194.

        If you could think of anything else that could be causing this issue, I would be grateful for some additional pointers.

        On a side note, as I am trying to access the VPN from my home computer, while on my home network – could that cause the issue?

    • skilbjo says:

      I think line this needs to be changed in server.conf to use 2048.pem instead of dh1024.pem , which may be related to the new debian release :

      dh /etc/openvpn/easy-rsa/keys/dh2048.pem

  39. Pingback: OpenVPN Server on OSMC Pi | 2ells Blog

  40. Andy says:

    Thanks for the great tutorial (I’m in the middle of the Pluralsight course now and it’s wonderful!). Quick question, though…I’m currently using a Raspberry Pi B+. If I decide to upgrade to a RPi 2, can I use the same certs in the easy-rsa directory, or will I need to regenerate everything from scratch? Sorry if it’s a noob question, but this part of the Pluralsight course was by far the most difficult and I would hate to have to do it over again if I didn’t have to.

    • Mel Grubb says:

      I’ve swapped as cars between current models before, but not on a system running openvpn. I don’t think the keys are tied to the hardware, so I think it should work just fine, but please let me know what you find out. If there is a problem, I still don’t think you’d have to re do everything, just perhaps generate a new set of keys, which is pretty easy using the scripts.

      • Andy says:

        Thanks for the reply! Also, it’s good and odd to hear a fellow Ohioan teaching a Pluralsight course! (Lived in Akron my whole life)

  41. jeff89179 says:

    I have followed your instructions, but I am left with the following message when i run /etc/init.d/openvpn start
    [….] Starting virtual private network daemon: serverEnter Private Key Password:

    I have successfully made one of these following your instructions before and i never got this message. restarting openvpn service always resulted in success.


    also, running nmap -p U:1194 [ipaddress] comes back with no results.
    changing the port to tcp instead and running nmap -p 1194 [ipaddress] worked on a previous attempt ONLY AFTER adding…
    iptables -I INPUT -p udp -m udp –dport 1194 -j ACCEPT
    …to firewall-openvpn-rules.sh and restarting openvpn service (that was on Jessie, now i’m trying on Wheezy again). I have not been able to replicate the original successful VPN server.

  42. jeff89179 says:

    also, in the /etc/openvpn/server.conf file…
    which cert and key are being referenced? the ones made with ./build-key-server? or the ones made with ./build-key-pass?

    • Mel Grubb says:

      I’ll have to work through the instructions again myself to see if something has changed… again. Things change a lot in the pi world.

      • jeff89179 says:

        that they do.
        thank you. i appreciate it.
        this will be my weekend work.

        the Enter Private Key Password issue may be a bug with Wheezy and may be fixed in Jessie, but then that brings me to the same kinds of issues i was having…

        While on Jessie with OpenVPN, the iptables rules seemed to load, but the OpenVPN service wouldn’t accept them until the service was restarted. This got me thinking about how to go about scripting a delayed service restart after boot. Or instead just delay OpenVPN service from starting altogether.

        I will try this weekend with Raspbian Jessie.

  43. Craig says:

    This seems to have fixed my problem with OpenVPN not starting correctly at boot on Jessie:


    The path to the edited file was slightly different for me: /lib/systemd/system/openvpn@.service

  44. Very good article thanks. It is worth to mention about length of diffie-helman key in server.conf file. If we generate 2048 bit diffie-hellman we need to change this in this line as well:

    dh /etc/openvpn/easy-rsa/keys/dh1024.pem

    otherwise we’ll get Connection timeout error in our OpenVPN app while trying connect to the server

  45. Cmh62 says:

    Mel – I followed your excellent how-to above last year and have been enjoying my home based Pi VPN ever since! Unfortunately while on vacation recently, my house lost power in a storm so the Pi VPN server lost power without being shut down properly. Now the Pi VPN server doesn’t respond to connection attempts from outside my home network. I’m not a Linux or Pi expert, so I’m hoping you can suggest what files or settings or something else to check so that I don’t have to rebuild the entire server from scratch. Thanks for any and all advice and for your wonderful how-to.

    • Mel Grubb says:

      Well that’s not much to go on, really. Are the other functions working, or is this a dedicated VPN server? If everything else is working, or VPN is this Pi’s only job, then you could try reinstalling OpenVPN. I’m not sure if keeping the existing key files around will work or not, but I would suspect it would. One thing that changed since the original article is the recommended key length. Current installations default to a 2048-bit key, which will take a LOT longer to generate. If you reinstall, you’ll also need to adjust the “server.conf” file to match. On the 8th line, change dh1024 to dh2048. This is only if you do a new install, though. Otherwise, can you tell me any more about what its complaint is?

      • cmh62 says:

        Thanks for the response, Mel. The Pi is ONLY running the VPN software as described in your how-to. When I tried to connect to it with my Android phone or my iPad (both running the OpenVPN client) after the power outage, the client software searches out the permanent dns service (I used duckdns.org) and then displays the “waiting for server to respond”. It doesn’t get a response from my Pi VPN server so it tries a few more times then times out. I know this isn’t much to go on but thought I’d ask here if there were any obvious Linux command line commands to issue to check connections or active VPN server running or or or … again, my aplogies but I’m not a Linux guru. I’m willing to go back through the entire installation again but was hoping there were a few “obvious” things to check first. Thanks if you have any suggestions.

  46. Mel Grubb says:

    The four things I can think of off the top of my head are:
    1) The port forwarding on the router has stopped working. I wouldn’t expect that from a power outage, but let’s work from the outside in.
    2) The Pi’s own firewall has stopped letting the traffic in. Just work through that section of the post again, checking all of the files that got edited there.
    3) OpenVPN didn’t auto-start. Check the status of the service.
    4) The Pi didn’t get the same IP address as it had before the power outage. Have you either set up a static IP address on the Pi, or given it a permanent IP lease on your router? Check “ifconfig”, and see what address the Pi has. Does it match what the router is forwarding the OpenVPN traffic to?

    There’s also the possibility that the sudden power outage just plain corrupted the SD card. Did you make a backup? Can you restore that? It might also be worth looking into adding a UPS. I made a couple posts about using a UPS with Network UPS Tools (NUT). You can even run several Pis off the same UPS, allowing them to shut themselves down gracefully when the power goes out.

    • cmh62 says:

      Mel – thanks for the great suggestions. Port forwarding was still set up fine. There was no issue with the Pi’s firewall. OpenVPN service was still running fine. And the pi reported the same IP address still that the router was told to assign to it. But, I finally figured out the issue so now have a 5th one you can recommend to others in the future.

      It turns out that my dynamic DNS service (the very good and free DuckDNS.org) did not know that my ISP had changed the IP address assigned to our house. I have to assume this happened very close to the power outage in my area of where I live. Before this issues, I’d never had any problems with my dynamic DNS knowing the public IP address of my house … I had successfully installed the proper script file as instructed by DuckDNS (duckdns.sh) into the right folder and had cron regularly running that script every 5 minutes to keep DuckDNS updated on my home’s public IP address. I assume that the power outage interrupted this process, but I can’t explain why (especially once I rebooted the pi once I returned from vacation). I confirmed that the script contents were still accurate and that cron had the script properly entered in it’s list of services to run. Anyway, I executed the script manually at the command prompt today and DuckDNS.org instantly knew my home IP address again. I just confirmed that I have access from outside my network.

      If you or any of your OpenVPN users/fans know why and how the power outage could cause a cron job to stop running automatically once a pi is restarted after a power outage, I’d love to hear it.

      Thanks again for your outstanding series on the pi!

  47. Bob Sexton says:

    Mel: Your tutorial has been great. I have my server running on my net with two hard drives. However, I can’t get past the certificate building step for Open VPN. I have skipped from Samba to VPN. Is there anything in the DLNA/BitTorrent/CrashPlan steps that could affect this? Here is the error I keep getting when I try to build the certificate.

    root@RPiServer:/etc/openvpn/easy-rsa# ./build-ca
    error on line 198 of /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    1995774048:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198

    • Mel Grubb says:

      I have not seen this error, and I just re-did my own OpenVPN two weeks ago, so unless they’ve updated since then and broken something, I don’t have anything off the top of my head. I did do a quick search on the error message and found a number of people saying that the script needs another key added at the end. Add the following variable down where the other keys are defined at the bottom of the vars file.

      export KEY_ALTNAMES=”foo”

      Foo can be anything, I guess. Then go back and start at the “source vars” step again. Let me know if that clears it up.

  48. Bob Sexton says:

    That was indeed the problem. Thanks for finding that. I don’t think I would ever have been able to ferret that out of the net.

  49. Glen Boggis says:

    My windows 10 laptop receives IP address, and can ping the RPi on and also open WebMin on, but no connectivity to any network resource (including the RPi itself) on the home LAN 192.168.0.x IP range. Also there is no routing (cannot ping any other 192.168 ip, nor resolve dns, nor browse internet).

    RPi 3, Windows 10. W10 client is on a non 192.169.0 subnet (I think it’s on 192.168.43.x so no client LAN vs server LAN ip subnet conflicts)

    • Mel Grubb says:

      Name resolution not working is perfectly normal. As for the lack of routing in general, I’ll have to try a few experiments. There is one thing that is always a problem with 192.168… addresses, though. If the network you’re connecting FROM is also using 192.168… addresses, they’ll get in the way. You seem to have already addressed this though. I usually only use the VPN to connect and make a change, or retrieve a file that’s on the server itself. I know for sure that I’ve connected to my own router (, through the VPN, though.

      • Glen Boggis says:

        Thanks for the update – I was hoping that 192.168.43.x (client laptop gets via DHCP from a tethered 4G phone) would cause no conflict with my home LAN 192.168.0.x.

        I modified nat-rules.sh as per this: https://www.raspberrypi.org/forums/viewtopic.php?f=36&t=95988

        iptables -A INPUT -i tun+ -j ACCEPT
        iptables -A OUTPUT -o tun+ -j ACCEPT
        iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
        iptables -I FORWARD -i tun0 -o eth0 -s -d -m conntrack –ctstate NEW -j ACCEPT
        iptables -A INPUT -i eth0 -m state –state NEW -p udp –dport 1194 -j ACCEPT
        iptables -A FORWARD -i tun+ -j ACCEPT
        iptables -A FORWARD -i tun+ -o eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT
        iptables -A FORWARD -i eth0 -o tun+ -m state –state RELATED,ESTABLISHED -j ACCEPT
        iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT –to-source 192.168.XX.X

        The problem here is that I do not truly understand what these commands do, and as such am worried about deviating from your tutorial (also from the pluralsight course). I am starting to wonder whether it was necessary and may revert to your one-line script from the tutorial and try again.

        I also changed server.conf: commenting out line 1:
        #local 192.168.0.XXX # YOUR PI’S IP ADDRESS
        I found this on another tutorial site. With the line left in the script, openVPN service does not start when the rPi does, but “sudo service openvpn restart” gets it going. With the line commented out the service starts with the boot-up. Most odd. (rPi model 3)

  50. Glen Boggis says:

    Probably should have specified — none of the above changes have fixed the lack of routing!

  51. Hamir Mahal says:

    Hello Mel,

    Would you by any chance be able to help me get OpenVPN running between my Pi and Windows 10 machine? I followed your instructions on the Pluralsight to the letter, substituting my own external IP, Pi IP, and names and passwords as necessary, but I get the generic “TLS handshake failed” error that a few other people have mentioned. My Netgear router has dd-wrt, so I went to the services-> VPN tab to enable an OpenVPN client, added my Pi’s address at, used port 1194, the default, used TUN as the tunnel device (the only two options are TUN and TAP), and I used UDP as the tunnel protocol (the only options are UDP and TCP). I’ve tried different combinations of TUN/TAP and UDP/TCP, but I get the same “tls error: tls key negotitation failed to occur within 60 seconds” error message each time. This is when I disconnect from my home Wi-Fi, unplug the Ethernet cord on my laptop, and connect to my Apple iPhone’s wireless hotspot. My Pi is connected via Ethernet, and is running just fine on its own and when connected through Putty.

    By the way, the server.conf file in your post above has a line of code saying, “dh /etc/openvpn/easy-rsa/keys/dh2048.pem.pem”, and in my server.conf file on the pi I changed it to “dh /etc/openvpn/easy-rsa/keys/dh2048.pem”, without the extra .pem. I don’t know if truncating the extra .pem makes a difference on the successfulness of the OpenVPN connection.

    I was able to fix my crashplan not starting issue after installation in the previous module. Even though when I typed “sudo service crashplan start” after a successful install, I received the error message “Failed to start crashplan.service: Unit crashplan.service failed to load: No such file or directory.”, I simply did a reboot and did the exact same command again and this time received a successful confirmation that Crashplan was running. I’m able to use it to backup files on the Pi and my main laptop now, which is nice.

    Thank you for your help.



    • Mel Grubb says:

      The extra “.pem” would be a typo. I’ll have to get that fixed. The first thing to try, if you haven’t already, it to restart the Pi. I know it made a difference when I was setting this up. Restarting after completing the installation seems to be necessary. If I could make a suggestion, though. dd-wrt has its own built-in OpenVPN support. If you can use that, I would just to distribute the workload across multiple devices that are there already anyway. You CAN put all of the items from this blog series on one Raspberry Pi, but it’s not going to like it very much. Some programs, like CrashPlan, tend to hog the memory, and make things harder on other things. The reason it works in general is that the odds of you re-indexing the media collection while in the middle of backing up a bunch of other computers is rather low. Still, I recommend distributing whatever you can. My CrashPlan has its own dedicated server (The CrashPi). Everything else is running on my main server, though.

      Speaking of CrashPlan? Code42 pushes out regular updates to CrashPlan now, and every time they do, it stops working, and you have to repeat all the patch steps, replacing .so files, re-establishing symbolic links, etc. It’s really gotten to be a major pain. It used to go up and stay up, but that’s no longer the case. Be prepared to have to hold its hand and fix it on a regular basis, unfortunately. This is a more recent development, and didn’t make it into the PluralSight course, even with the last round of updates I pushed out.

  52. Hernan Rizzuti says:

    Hi Mel,

    I’m following your tutorial on PluralSight (which is great by the way) and I’ve got to the point of creating client key but I keep getting the error below…

    root@raspberrypi:/etc/openvpn/easy-rsa# ./build-key-pass xxxxx
    Please edit the vars script to reflect your configuration,
    then source it with “source ./vars”.
    Next, to start with a fresh PKI configuration and to delete any
    previous certificates and keys, run “./clean-all”.
    Finally, you can run this tool (pkitool) to build certificates/keys.

    Not sure whether i need to follow the instruction in the error message. I did some research and in places it says that it’s a permission issue. Not too sure. Any suggestions?

    • Mel Grubb says:

      Walk back through the instructions in the course or on the blog. A couple steps back, there was a section that included the command “sudo su”, which puts you in a semi-permanent root state. It looks like you’re still in that state, judging by what you copied in above. That’s good. The next thing after “sudo su” was “souce ./vars”. Make sure you’ve done that. If you have, then back up a few more steps to where you edited the vars file with “sudo nano /etc/openvpn/easy-rsa/vars”, and filled in the export values at the bottom. Note: the values may be slightly different, or in a different order in the current version. For instance, the email address doesn’t appear twice anymore. Those should be all the steps to make it happy.

      To recap:
      1) Edit the vars file, and fill in appropriate defaults
      2) “sudo su” to act as the root user
      3) source the vars file to make it “stick” for the duration of this particular session as root
      4) “./build-key-server NAME” to build the key server
      5) “./build-key-pass NAME” to build the named key

      and then continue on with the instructions. My guess is that you may have dropped out of being root at some point, and although what you copied above shows you being root, you have to have “sourced” the vars file within the same session or it doesn’t stick. Leaving and re-entering root mode will have forgotten what you “sourced”.

  53. Craig says:

    Is anyone else having problems with this setup recently? I have had this set and working for a long time. I didn’t change anything, but something now is broken. I have tried reinstalling from scratch, but still am unable to connect. I also tried installing using port 443/TCP. Maybe something with a recent Jessie update?

    • Cmh62 says:

      Mine is still working fine. The only issue I have is that my automatic updating of my home’s IP address to duckdns.org isn’t working so I have to update that manually when the home’s IP address changes.

      • Craig says:

        I figured out that my ISP switched to a ‘carrier NAT’ (?) system of assigning private (not public) IP address due to the high cost of remaining IPv4 addresses. I’m not sure if openVPN will be compatible. If anyone has any ideas, I’m looking for help! Thanks.

  54. zoldeak says:

    HI ! NICE job
    i need a litle help.. i tired follow you,but….(doesn’t success)
    my log file is contains this

    “Options error: Unrecognized option or missing or extra parameter(s) in zoltan.ovpn:17: —BEGIN (2.4.3)
    Use –help for more information”.

    what does it means, can you help me???

    sorry my English I’m Hungarian(46).

    THX, i’m waiting for your answer

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s