Marko Apfel - Afghanistan/Belgium/Germany

Management, Architecture, Programming, QA, Coach, GIS, EAI

  Home  |   Contact  |   Syndication    |   Login
  187 Posts | 2 Stories | 201 Comments | 4 Trackbacks


Twitter | LinkedIn | Xing


Post Categories



Enterprise Library


SQL Server




How about a secure access from outside into the own home network? So we can maintain machines, change configurations, getting files, .. from where ever we are. For this we let a VPN tunnel be established between a local RPi in our network to a hosted server. If this hosted server that offers a web based console we only need a web browser to access our own resources at home.

The idea of the project comes from my colleague Michael and I like to thank him for the first inputs to get that running.

Starting point

Instead of mess up your official hosted server I can only recommend to start with one of the cheap offers to start. I take for such server playgrounds, which has a real nice package for only $5 per month. But in reality you pay only cents, because only running systems count. So my account, initially charged with $5 has still more than $4 for further tests.

But beside this, they also make it so easy to get a new machine up. For the creation you only define the name, choose the “hardware” specification and select the operation system – and seconds later you receive a mail with the credential and the information, that your machine is up and running. Amazing!

In case you are interested in testing this provider, let me know. Currently I can send you an invitation with a value of $10 or use this link (be aware, they request your credit card details, but don’t charge from it. it is only for future business with you and you can delete the details later). $10 - that’s enough for a long time play period.


Preparing the server

For this sample I choose a Debian based machine with the smallest hardware specification in New York.

btw: having a server somewhere outside your residence country, it offers you some interesting benefits. Why? Because you get an IP which let the surfed page not track where you really come from – you obfuscate the one your router gets from your provider – and location based services could offer you other things. 
So far I found the following:

  • Cheaper flight tickets
    Typical price watching portals try to offer you the prices from the area you come from, but the prices vary. offered my a 10% better offer for the same connection by another location.
  • Avoid blocked YouTube videos
    In Germany the GEMA (and others) let YouTube block a lot videos because of licensing issues ( Notably for videos with music you end up in “Dieses Video ist in Deutschland leider nicht verfügbar” (“Unfortunately, this video is not available in your country.”).

Okay – so let’s take this configuration now:


And not a half minute later your machine is online with a public IP address (here and after a few minutes you get the mail with your credentials.


Connect to the new server, update it and install OpenVPN

Now ssh to this machine, confirm the following question with yes and update your password. Use the IP and password you get via mail.

ssh root@ 

Let’s update the installation with

apt-get update

and install OpenVPN with

apt-get install openvpn

Creating the certificates and keys

The OpenVPN package contains some nice scripts (called easy-rsa) to create all the certificate stuff we need later. So let’s copy that stuff to a place with easier access and go to this folder.

cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

cd /etc/openvpn/easy-rsa/2.0/

There is a file which contains the default properties for further certificate creations. So we adjust the content for our needs

nano vars

the last lines contain some export commands and that’s the place where we have to specify our values

export KEY_CITY="Freising"
export KEY_ORG="Private"
export KEY_EMAIL=""
export KEY_CN=Private
export KEY_NAME=Private
export KEY_OU=Private

After saving the file and quitting nano we source these variables

source ./vars

and clean our environment for the new certificates and keys


We don’t have certificates from a Certificate Authority so we create our own ones.
Therefore we start by faking us an own Certificate Authority


You see during the input that the default values are taken from our exported ones.

This creates some files below the “keys” folder


    -rw-r--r-- 1 root root 1306 Dec  5 13:49 ca.crt
    -rw------- 1 root root  920 Dec  5 13:49 ca.key


Time to create the keys for our OpenVPN server. You see the same game with default values here. At the end you confirm the two questions with “y”.

./build-key-server OpenVpnServer

We get some new files under the key folder


    -rw-r--r-- 1 root root 4002 Dec  5 13:53 OpenVpnServer.crt
    -rw-r--r-- 1 root root  712 Dec  5 13:53 OpenVpnServer.csr
    -rw------- 1 root root  916 Dec  5 13:53 OpenVpnServer.key


With the next command we create the Duffie Hellman stuff. On the Digital Ocean server this is done in seconds. I did the same on a Raspberry Pi for a similar project and had to wait around half an hour. So you can image how powerful the Digital Ocean equipment is!


which creates the next file


    -rw-r--r-- 1 root root  245 Dec  5 13:57 dh1024.pem

Creating the keys for the client

Later we need the keys for our client so let create them now too. The name of our Raspberry Pi will be alarmpi, so we use this name for key too. Again you have to confirm the last two questions with “y”.

./build-key AlArmPi

The next set of files was created


    -rw-r--r-- 1 root root 3870 Dec  5 14:08 AlArmPi.crt
    -rw-r--r-- 1 root root  704 Dec  5 14:08 AlArmPi.csr
    -rw------- 1 root root  912 Dec  5 14:08 AlArmPi.key


Again we copy the necessary files to a place with easier access in further steps

cp /etc/openvpn/easy-rsa/2.0/keys/ca.* /etc/openvpn/

cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/

cp /etc/openvpn/easy-rsa/2.0/keys/OpenVpnServer.* /etc/openvpn/

Later we copy the client relevant stuff via scp to our Raspberry


Under /usr/share/doc/openvpn/examples/sample-config-files/ you can find a zipped configuration file for the server.

You can unzip it end use it as a template or documentation for the content we paste in the next step

gunzip -d /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz

But for now to make it easy, lets start with a simplified own one starting from the scratch

nano /etc/openvpn/server.conf

Paste the following content into it

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/OpenVpnServer.crt
key /etc/openvpn/OpenVpnServer.key
dh /etc/openvpn/dh1024.pem
cipher BF-CBC
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
max-clients 10
user nobody
group nogroup
status openvpn-status.log
log /etc/openvpn/openvpn.log
verb 6

lets activate IP forwarding via

echo 1 > /proc/sys/net/ipv4/ip_forward

and modify the routes

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Now we can start our OpenVPN server

openvpn /etc/openvpn/server.conf &

check the last line of the log file

tail /etc/openvpn/openvpn.log

if everything is fine you see the last words


    Initialization Sequence Completed


additionally you can check the existence of the new /etc/net/tun device. This is our device for the tunneled traffic.


But be aware it can take a while to see it!


    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
              inet addr:  P-t-P:  Mask:


Our OpenVPN server is now up and running and we can switch to the client configuration.


Preparing the client

For this tutorial the Raspberry Pi get a complete fresh Arch Linux for ARM distribution. Unfortunately the Arch Linux team provides no up to date image. So we use the latest one ( and let the pacman package manager make the update for us.

After burning the image an SD card and booting the RPi you can ssh that machine via

ssh root@alarmpi.local

It is important that server and client have around the same date and time. So first at all let’s set the clock of the system

timedatectl set-timezone Europe/London

timedatectl set-time "2014-12-05 20:02"

Be aware, Digital Ocean’s server run in UTC. So I try to use Europe/London to have the same time. For sure this is not the right way, but it works.

Otherwise I got errors by starting the service (SSL3_GET_SERVER_CERTIFICATE:certificate verify failed).


And next, let’s update the installation. This will download a lot (more than 100MB), because our image is from JUN 2014 and therefore a little bit outdated. Confirm all questions with “Y”.

pacman -Syu

and install openvpn

pacman -S openvpn

Yes, both sides – the server and the client – are using the same package. The used configuration during startup of the openvpn decides whether to act as a server or client.

Now check the availability of the client-side tun device

test ! -c /dev/net/tun && echo openvpn requires tun support || echo tun is available

You should get that output


    tun is available


Now we have to copy the key files from our server to the client. Again, use the IP of your server

scp root@ /etc/openvpn/

scp root@ /etc/openvpn/

scp root@ /etc/openvpn/

Now we have the necessary files on our Raspberry


    AlArmPi.crt          100% 3891     3.8KB/s   00:01   
    AlArmPi.csr          100%  708     0.7KB/s   00:00   
    AlArmPi.key          100%  920     0.9KB/s   00:00


On a Arch Linux system you can find the samples for client configuration files here:


But again we start from the scratch.

nano /etc/openvpn/client.conf

And paste these lines

dev tun
proto udp
remote 1194
resolv-retry infinite

ca /etc/openvpn/ca.crt
cert /etc/openvpn/AlArmPi.crt
key /etc/openvpn/AlArmPi.key
ns-cert-type server
verb 3
log /etc/openvpn/openvpn.log


Start the client-side of OpenVPN

openvpn /etc/openvpn/client.conf &

and check again the last lines of the log file

tail /etc/openvpn/openvpn.log

if everything is fine you see again these last words


    Initialization Sequence Completed


If you see this message


    You must define TUN/TAP device


reboot your Raspberry

shutdown -r now

Verify the configuration


With traceroute it is easy to see the hops of our communication. To use is we have first to install the package

pacman -S traceroute

and then we can trace our traffic with


This should produce something like


    traceroute to (, 30 hops max, 60 byte packets
     1 (  261.505 ms  
     2 (  262.644 ms  
     3 (  261.967 ms 
     4 (  262.589 ms 
     5 (  262.931 ms


Outside visible IP

There are some of these “what is my IP address” services available, which shows you the IP of you entry-point to the internet. Usually that is the IP your router got. But with tunneled traffic it should be the IP of our OpenVPN server – the IP of our Digital Ocean server. Let’s check this.

Therefore we install a console based browser.

pacman -S w3m

and then we check our outside visible IP with


In one of the first lines you see the interesting output


    Your IP:


This is exactly what we expect – the IP of our Digital Ocean’s server and not the IP of our internet provider.

posted on Friday, December 5, 2014 1:11 PM