Raspberry Pi and OpenVPN: How-to Set Up OpenVPN Mac and iOS Clients


Connecting through a VPN from a public Wi-Fi access point is much safer than sending your traffic over the open network.  This guide walks through setting up a Mac client and an iOS client to connect to an OpenVPN server running on a Raspberry Pi.

Requirements For This Walkthrough

Materials

  1. Local network
  2. Mac or PC
  3. Raspberry Pi running Raspbian “wheezy” with an OpenVPN server already set up
  4. HDMI Cable (*optional)
  5. Keyboard (*optional)
  6. Mouse (*optional)
  7. Monitor with HDMI input (*optional)

*If the Raspberry Pi is set up as a headless machine, you will not need a monitor, keyboard, or mouse; you only need another computer, which is used to access the Pi remotely over the network via SSH.

Downloads

  1. OpenVPN for iOS
  2. Tunnelblick (OS X)

Knowledge, Skills, and Abilities

  1. Ability to navigate throughout a computer OS
  2. Knowledge of basic computer terminology
  3. Ability and confidence to enter commands in the Terminal, adjusting them to suit your environment if necessary
  4. Familiarity with core networking concepts
  5. Basic understanding of Public Key Infrastructure

Setting Up OpenVPN Clients

This how-to is a direct continuation of my OpenVPN server how-to.  The server should already be set up and running before you start.

OpenVPN Client Configuration (iOS)

Setup A Client Config File

Copy A Sample Config File

Make a copy of the example config file and then edit that copy rather than the original.

cd /etc/openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
sudo cp /etc/openvpn/client.conf /etc/openvpn/client1.conf

Edit the Client Config File

vi /etc/openvpn/client1.conf

You can use the following commands to view the settings without all of the comments:

grep -v '^#' client1.conf | tr -s '\n'
grep -v '^[#;]' client1.conf | tr -s '\n'

There are only three changes to make in this file.  The first is the line that reads remote my-server-1 1194.  Replace my-server-1 with the RPi’s IP address, or with its domain name if you are using a Dynamic DNS service.  After the change, the line should look like this:

remote myhomenetwork.net 1194

The second change is to comment out the three lines that point at the certificate and key files:

# ca ca.crt
# cert client.crt
# key client.key

Finally, instead of shipping the CA certificate, client certificate and client key as separate files alongside the config, we embed each one inline in the config file itself.  Copy and paste the contents of each file into the matching block below (the lines beginning with # are placeholders for the base64 body of each file):

<ca>
-----BEGIN CERTIFICATE-----
# insert base64 blob from ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# insert base64 blob from client1.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# insert base64 blob from client1.key
-----END PRIVATE KEY-----
</key>

The Client File Should Look Similar to This When The Changes Are Complete

client
dev tun
proto udp
remote myhomenetwork.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
# ca ca.crt
# cert client1.crt
# key client1.key
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
# insert base64 blob from ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# insert base64 blob from client1.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# insert base64 blob from client1.key
-----END PRIVATE KEY-----
</key>

Install the Config File to an iOS Device

Download the OpenVPN app

In order to use OpenVPN, the app needs to be downloaded to an iOS device.

Rename the Config File’s File Extension

Rename client1.conf to client1.ovpn so that the OpenVPN app recognises it as a profile:

mv client1.conf client1.ovpn

Email the Config File to Yourself, or Use Dropbox/Google Drive, etc.

In order to set up the OpenVPN connection on the iOS device, the configuration file needs to be accessible from iOS.  Any of the file sharing/syncing apps should work, or you can simply email the file to yourself.  Once it is on the device, just touch it and choose to open it with OpenVPN.

OpenVPN Client Configuration (OS X)

Setup A Client Config File

Follow the steps above to make a new config file, but stop before the step that comments out the certificate and key lines.  Instead, leave those lines pointing at the files by name; Tunnelblick looks for them alongside the config inside the bundle you will create below.  The config file should look like this:

client
dev tun
proto udp
remote myhomenetwork.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
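The two configs above differ only in whether the CA certificate, client certificate and client key are referenced by file name (the OS X form) or embedded inline (the iOS form).  As an added example, not code from the original post, the Python below converts the file-based form into the inline form, checking that each PEM block carries the expected label and decodes as clean base64, and that every <ca>/<cert>/<key> tag is opened and closed exactly once.  The config text and the three PEM stand-ins are constructed inline and are not real certificates.

```python
import base64
import re

# Directives the page comments out and replaces with inline <ca>/<cert>/<key>
# blocks, each mapped to the PEM label the referenced file must carry.
INLINE = {"ca": "CERTIFICATE", "cert": "CERTIFICATE", "key": "PRIVATE KEY"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)

def pem_block(text, label_suffix):
    """First PEM block whose label ends with label_suffix ('PRIVATE KEY' also matches
    'RSA PRIVATE KEY'); raises if it is missing or its body is not clean base64."""
    for m in PEM_RE.finditer(text):
        if m.group(1).endswith(label_suffix):
            base64.b64decode("".join(m.group(2).split()), validate=True)
            return m.group(0)
    raise ValueError("no %s block found" % label_suffix)

def inline_config(conf, files):
    """Rewrite the OS X style config (ca/cert/key naming files) as the iOS style config
    with the PEM blobs embedded; files maps directive -> PEM text.  Returns (conf, warnings)."""
    out, blocks, warnings = [], [], []
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] in INLINE:
            name = parts[0]
            if name not in files:
                raise ValueError("config references %s but no file was supplied" % name)
            out.append("# " + line)  # keep the directive as a comment, as the page does
            blocks.append("<%s>\n%s\n</%s>" % (name, pem_block(files[name], INLINE[name]), name))
            continue
        if parts and parts[0] == "ns-cert-type":
            warnings.append("ns-cert-type was removed in OpenVPN 2.5; use 'remote-cert-tls server'")
        out.append(line)
    return "\n".join(out + blocks) + "\n", warnings

def unmatched_tags(conf):
    # Inline tags not opened and closed exactly once, e.g. a '<ca>' typed where '</ca>' belongs.
    return [n for n in INLINE if conf.count("<%s>" % n) != 1 or conf.count("</%s>" % n) != 1]

def fake_pem(label, payload):
    # Constructed stand-in for a PEM file: a valid envelope around arbitrary bytes.
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

CONF = ("client\ndev tun\nproto udp\nremote myhomenetwork.net 1194\nns-cert-type server\n"
        "ca ca.crt\ncert client1.crt\nkey client1.key\ncomp-lzo\nverb 3\n")
FILES = {"ca": fake_pem("CERTIFICATE", b"stand-in for ca.crt"),
         "cert": fake_pem("CERTIFICATE", b"stand-in for client1.crt"),
         "key": fake_pem("RSA PRIVATE KEY", b"stand-in for client1.key")}
```

Run inline_config(CONF, FILES) to get the merged profile plus a warning about ns-cert-type, which newer OpenVPN clients no longer accept; unmatched_tags() on the result flags the kind of typo where a block is opened with <ca> but never closed with </ca>.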

Copy the four files required by OS X and Tunnelblick to the Mac:

/etc/openvpn/client1.conf
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key

Below are the commands for doing it via scp, run on the Pi; replace <username> and <remotehost> with your login and the Mac’s hostname.  Note that client1.key is a secret (see the chart below) and /Users/Shared is readable by every account on the Mac, so move the files into your own folder as soon as they arrive.

scp /etc/openvpn/client1.conf <username>@<remotehost>:/Users/Shared
scp /etc/openvpn/easy-rsa/keys/ca.crt <username>@<remotehost>:/Users/Shared
scp /etc/openvpn/easy-rsa/keys/client1.crt <username>@<remotehost>:/Users/Shared
scp /etc/openvpn/easy-rsa/keys/client1.key <username>@<remotehost>:/Users/Shared

This chart from openvpn.net shows which file belongs on which machine and which ones are secret:

Filename      Needed By                  Purpose                    Secret
ca.crt        server + all clients       Root CA certificate        NO
ca.key        key signing machine only   Root CA key                YES
dh{n}.pem     server only                Diffie Hellman parameters  NO
server.crt    server only                Server Certificate         NO
server.key    server only                Server Key                 YES
client1.crt   client1 only               Client1 Certificate        NO
client1.key   client1 only               Client1 Key                YES
client2.crt   client2 only               Client2 Certificate        NO
client2.key   client2 only               Client2 Key                YES
client3.crt   client3 only               Client3 Certificate        NO
client3.key   client3 only               Client3 Key                YES

Bundle the OpenVPN Files Together To Make Them Compatible With Tunnelblick

Copy all four of the required files onto the Desktop or some other convenient folder.


Create a new folder called client1.


Move the four files into the new folder.


Rename the folder to client1.tblk.


When Finder asks, confirm that you want to use the .tblk file extension.


The folder is now shown as a single bundle file, which can be double-clicked to install it in Tunnelblick.


Use the Tunnelblick menu bar item to connect to the VPN.
