
How to Make a Raspberry Pi VPN Server - FoxMulder23
https://www.electromaker.io/tutorial/blog/raspberry-pi-vpn-server
======
maweki
The author suggests the following use cases: Mask your IP address, Hide from
snooping ISPs, Extra security on public Wi-Fi, Unblock geo-restricted content,
Connect to your home network from anywhere

Snooping ISPs, public IP, and geoblocking are not prevented by a VPN server in
your home network, which the author does not warn about.

The other two cases work if you make your VPN server accessible from the
internet, which the author also does not expand upon or even mention.

It's a good tutorial but the question about VPN servers is often not how, but
where. And this question is not asked.

~~~
Sohcahtoa82
Thank you!

Other than DNS or other traffic filtering, do you gain _anything_ by using a
VPN on a Raspberry Pi on your home network?

~~~
rikkus
If you use your own VPN to home then you can access everything on your home
network without setting up port forwarding, if you have stuff like that. I
used to but not these days.

You could also have the Pi run a VPN client and connect to a privacy-promising
VPN service, effectively ‘bouncing’ off home.

Not sure if that is even technically possible without pain, or why you
wouldn’t connect directly to the privacy-promising VPN.

~~~
joezydeco
This has some possible use for using streaming devices when traveling abroad.

On a recent trip I tried using IPvanish with a FireTV stick and Amazon
detected the VPN, most likely from a blacklisted set of IP addresses.

Using your own home IP should hopefully prevent that from happening.

~~~
mbreese
_Some_ streaming devices. My IP TV service doesn't work through a VPN back to
my home. It acquires location information from GPS (or other location
sources), not the IP address. I had wanted to watch something from my home
town broadcast channel while visiting family in another state. Turns out that
wasn't possible.

~~~
milankragujevic
Wait, someone bothered to put GPS checking? Awful, that's absolutely not
required to license a channel, AFAIK only regular IP-based checks are enforced
by channel networks to the distributing ISPs.

Was this on a smart phone / tablet or TV/STB? I used a similar thing to let my
parents watch TV from my account --
[https://news.ycombinator.com/item?id=22052333](https://news.ycombinator.com/item?id=22052333)

I'm not sure why an ISP would limit the physical location, and also how would
that work if they have users in another state?

I've heard about WISPs putting GPS locks on their CPE devices, but that's
pretty useless too, they're set up to connect to one tower only, if you move
it, it won't see the tower and won't connect to anything, so ... ??

~~~
jdsnape
In the U.K. this is done by BT for users of their sport app, so the channels
can only be streamed in the U.K. I think this was a requirement of the rights
holder (the sports bodies).

~~~
milankragujevic
Yes, sports are a different thing altogether, the rights holders have
draconian rules because piracy is so widespread.

Ironically, a TV show that my ISP's content division made, which is free for
its users, was the most downloaded torrent (in Serbia) in the second half of
2019. I did an analysis of the IPs of everyone who downloaded it, a
significant percentage (~20%) were from that ISP.

Basically, people risk fines and warning letters by pirating a TV show that is
free for them (cable ISP that doesn't sell Internet without TV, any and all TV
packages come with a smart phone app and website where you can watch your
channels + a free VOD catalog) because the restrictions on device type,
bootloader integrity, IP address are so draconian.

The ISP, of course, loses in the end, because its users were also uploading
the TV show to other torrent clients of non-users, which is lost potential
revenue.

------
pw6hv
I would never suggest OpenVPN when there is something like Wireguard. I
switched to WG a few years ago and the performance boost on an old Raspberry Pi
v1 was astonishing since it has much lower requirements wrt the CPU.

~~~
w0utert
It's also way easier to set up, and it covers all basic VPN needs for almost
all home-VPN use cases.

I remember spending a whole day configuring OpenVPN, lots of packages,
certificates, key files, no clue what half of the things I was doing were for.
I also didn't particularly like the OpenVPN iOS client. Setting up WireGuard
took less than an hour, every step of the process made sense, and it allowed
me to remove a whole lot of cruft from my server.

~~~
milankragujevic
I have the opposite experience. Setting up OpenVPN is as easy as:

wget [https://git.io/vpn](https://git.io/vpn) -O vpn.sh

* inspect the file manually for malware etc.*

sudo bash ./vpn.sh

You enter your IP, port, protocol, client name and it generates a .ovpn file
that you import into any client and it just works.

If you need to revoke a client or add another one, re-run the script and it
will ask you what to do. It can also uninstall itself safely.

I still haven't managed to set up WireGuard.

OpenVPN gets about 40 Mbps for me on the Pi, but my upload is less, so I don't
need more. On a VPS, it gets about 90 Mbps.

~~~
w0utert
For things that run on my home server I like to at least have the impression I
know what I'm installing and how it is configured, so a magic script like you
referred to is not really an option.

I used this guide to configure OpenVPN [1], which you could almost publish as
a paperback ;-)

[1] [https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04)

~~~
milankragujevic
Well, you could always open the script.

It's magic in that it does everything itself, it's not a black box.

It's only 460 lines with whitespace and comments, including the files it's
writing to the filesystem.

------
fooblat
Shouldn't this article be called How To Make A Debian VPN Server? I don't see
anything particularly raspberry pi specific in the article.

~~~
Nursie
This has irritated me for about a decade! Probably unreasonably.

Raspberry Pi was not the first ARM dev board with linux, and most of the "Make
your Pi do X!" recipes out there would more reasonably be described as "How to
set up your linux server to do X", but that's not cool, and had no Pi, so ...

Grrrr mumble mumble, yes I know I'm an old curmudgeon.

~~~
alias_neo
I think the reason is that Pi has brought Linux in the flavour of
Debian to the general public, many won't understand the concept or importance
of an OS or how it can be portable; It's Raspberry Pi's "Software".

The second and more likely reason is that Raspberry Pi are keywords that help
get you in the hands of your target audience, I'm guilty of it on my blog. If
you're running a Debian server on x86, you're probably not the target audience
for a "simple" VPN tutorial.

------
intpx
curl -L [https://install.pivpn.dev](https://install.pivpn.dev) | bash

fuck fuck fuck no. this whole site should be blacklisted

~~~
universenz
Can you elaborate for a terminal/linux layman?

~~~
g82918
It immediately runs a script from a site in a bash instance. The script could
do anything like exploit some zero day like shellshock or other vulnerability.
They would prefer the user read the script first. Most people won't read it
either way, but if people don't just pipe it to bash other people will feel
like it is more secure. If the script is served over http then there are also
ways of replacing it by some mechanisms without you knowing as well which can
add danger.
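The safer pattern both comments above describe (milankragujevic's "wget, inspect, then run" and g82918's objection to piping straight into bash) can be scripted so the inspection step cannot be skipped by accident. The following is an added example, not code from the thread or from PiVPN: it downloads an installer to a file over https only, compares its SHA-256 with a value obtained out of band, and only then hands it to the reader. `EXPECTED_SHA256`, the URL and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): fetch an installer to a file, verify its
# SHA-256 against a value obtained out of band, and only then run it.
# EXPECTED_SHA256 is a placeholder; the real value has to come from the
# project's release notes or a signed checksum file, not from the same server.
set -u

# SHA-256 of a file as lowercase hex, using whichever tool the host has.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when the file's digest matches, 1 otherwise.
verify_script() {
    actual=$(file_sha256 "$1")
    [ "$actual" = "$2" ]
}

# fetch_and_verify URL EXPECTED_SHA256 DEST
# Downloads with curl, refusing plain http and any redirect away from https
# (--proto '=https'), then checks the digest. On mismatch the file is removed
# so a later "sh DEST" cannot run an unverified copy.
fetch_and_verify() {
    url=$1; expected=$2; dest=$3
    case $url in
        https://*) ;;
        *) echo "refusing non-https URL: $url" >&2; return 1 ;;
    esac
    curl --proto '=https' --tlsv1.2 -fsSL -o "$dest" "$url" || return 1
    if verify_script "$dest" "$expected"; then
        return 0
    fi
    echo "checksum mismatch for $dest, not running it" >&2
    rm -f "$dest"
    return 1
}

# Typical use (needs network access; EXPECTED_SHA256 and the URL are placeholders):
#   fetch_and_verify https://example.invalid/install.sh "$EXPECTED_SHA256" ./install.sh \
#     && less ./install.sh \
#     && sudo sh ./install.sh
```

The point of the separate `less` step is that a checksum only proves you got the file the publisher intended; reading it is still what tells you what that file does. The `--proto '=https'` flag makes curl fail rather than silently follow a redirect to plain http, which is the substitution-in-transit risk the comment above mentions.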

------
mikece
What kind of speed can one expect? I've got gigabit fiber and really do get >
950Mbps in both directions. Would this throttle me to 200Mbps? I can't imagine
I would be getting full-speed connectivity.

~~~
vardump
> Would this throttle me to 200Mbps?

RPi4 is plenty fast for full gigabit VPN performance. Its ethernet interface
should also easily reach 950 Mbps. Although it's a different matter whether
current VPN software can take full advantage of it. My guess is not.

There's some handicap due to lack of useful crypto HW in RPi4. But if multiple
cores are used, it should easily reach 1 Gbit speeds. VideoCore VI could
theoretically also be used for crypto acceleration, although I haven't heard
anyone doing it — yet.

Edit: Just tried "openssl speed -multi 4 aes-256-cbc" on RPi4.

aes-256 cbc 224787.70k 243743.77k 250572.29k 251253.42k 253684.39k 252919.81k

In other words, 2 Gbit/s CPU based AES-256 performance.

~~~
Havoc
>RPi4 is plenty fast for full gigabit VPN performance.

Even if it could do a theoretical gigabit...you'd still be sharing that up &
down.

I suspect you could get a good 700ish with a USB 3 gigabit dongle though. I
ran a rpi4 as router/fw that way for a couple months (250 internet so never
found out where the limits are)

------
moralsupply
I use a small pc instead of an rpi for tunneling vpn connections:

[https://www.ebay.com/itm/264458765771?ViewItem=&item=264458765771](https://www.ebay.com/itm/264458765771?ViewItem=&item=264458765771)

An i7 4500U with 8GB ram and 128GB SSD costs around $300, but you can get a
decent setup for $180

~~~
pheug
Yeah, these micro pcs are really nice, thinking of getting one like that
myself. But rpi4 costs an order of magnitude less ($35), it's in a different
price class I'd say.

~~~
Jaruzel
Micro PCs also still have higher power requirements. For running costs, you
can't beat a small ARM board (like Pi or its clones)

------
jethro_tell
>keep your ISP from snooping

So that someone else's ISP can snoop. It's a tradeoff I guess but just to be
clear that someone is able to snoop that traffic, you're just moving from your
provider to someone else's provider.

~~~
arbitrage
By all means then, let's do nothing, because someone else might do something.

That's a race to the bottom.

~~~
jethro_tell
If you find that necessary, feel free to do that, but do it as a conscious
choice.

I've worked in datacenters that hosted VPS providers, that had Verizon and
Centurylink/L3 as their cross connects. Here's a nice list of Tier1 internet
providers, these guys are going to do the bulk of transit for most data
centers.
[https://en.wikipedia.org/wiki/Tier_1_network#List_of_Tier_1_networks](https://en.wikipedia.org/wiki/Tier_1_network#List_of_Tier_1_networks)

There's still going to be direct connect at the various peering points, so in
this case, you'll get a direct connect from your provider to say google, but
that's already in a TLS connection and google already has your IP address or
probably your specific street address as does your VPN provider. So I'm not
sure what the point is. You'll get the same thing for amazon and netflix and
facebook but again, all TLS and I don't know that you're gaining much since
you've already got a positive ID on you with the tracking these days. If, in
fact, they don't have a positive id, they'll have one pretty quickly and
perhaps tag you to a VPN IP which they will know is a VPN because the positive
tracking has matched you with your CC and your real address as well as all the
other people connecting through said VPN from geographically disparate
locations. Basically if you sign into a single account over your VPN, then the
cat's out of the bag and if you don't then the cat is PROBABLY out of the bag.

I check out these VPS providers that pop up here and there but there's never a
mention of their transit, they are just using whatever the datacenter has, and
most of them have the same backbone providers as the last mile. So, while this
may be necessary for some people, you'll often see people make this decision
thinking it grants the privacy when it doesn't really change that part of
their situation.

I think it can be a dangerous part of discussion since it's not clear to most
people what's actually happening.

------
DocG
We are using this at the office. We and our clients often use IP restriction
to servers as first line defense, so Pi in the office lets us access office
static IP while outside.

This has helped tremendously and is super easy to set up.

Bonus is while traveling we can access services without firewalls from our
home country and everyone sees us as "still in the office". This includes
clients, government, banks, etc. Additionally while using it we are not
detected to be using VPN so far.

------
winrid
I'm so glad I set up my own vpn as a backup before going to China. NordVPN
didn't work there on any WiFi network.

~~~
ngcc_hk
It is against their law to use vpn. Hence a 1-person “solution” is not a real
solution for dealing with a totalitarian state. But as an individual you should do
two things. One is this. The other is to somehow get a political solution, if
available to you.

~~~
downrightmike
Or go with something that can do a bunch of different solutions:
[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)
Streisand sets up a new server running your choice of WireGuard, OpenConnect,
OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also
generates custom instructions for all of these services. At the end of the run
you are given an HTML file with instructions that can be shared with friends,
family members, and fellow activists.

~~~
winrid
I'm not sure this is what they meant by political solution?

------
ngcc_hk
If you open up your home using a vpn server, would it be more dangerous, as every
server on the net is hacked continuously?

~~~
dsr_
If that's the extent of your knowledge about server security, then, yes, this
is not for you.

You need to understand firewalls and routing first.

------
srmatto
For better performance and more flexibility I'd recommend an ESPRESSObin v7
over a Pi. 3xGbE ports and a dedicated topaz switch offer something much more
akin to a true router than the Pi.

[http://espressobin.net/](http://espressobin.net/)

~~~
Grimm665
Do you know if Debian/Armbian is working on Espressobin? Last time I played
with one, I couldn't get Armbian loading and went with Arch instead, following
this tutorial:

[https://blog.tjll.net/building-my-perfect-router/#part-two-software](https://blog.tjll.net/building-my-perfect-router/#part-two-software)

------
Rafuino
Noob question, but is it possible to run both a VPN server and continue
running Pihole on a RPi 4?

~~~
DavideNL
Yes, definitely!

Pihole is basically just a "pimped" dns server.

So, to rephrase your question: _" is it possible to run both a VPN server and
continue running a dns server?"_

~~~
w0utert
It works like a charm indeed, I run the WireGuard client on all my devices
(laptop, phone, tablet) in on-demand activation mode (VPN activates whenever I
leave my home WiFi), and configured them to use the PiHole server as DNS,
so I have ad-blocking on all my devices, all the time. I don't perceive any
kind of negative effect on network performance (it helps to have fiber with
symmetric up/down speeds for this setup)

~~~
lobeze
Is it possible to set it up like this: I want to use mullvad VPN, so my
IP/location is obfuscated, but still to have PiHole? So something like I
connect my laptop and mobile to my router -> RPi -> mullvad VPN -> internet.
If it is, how can I achieve it?

~~~
pheug
With Wireguard you set the DNS server IP directly in the config file, it is not
negotiable over the connection. So you can edit the config to set it to your
pihole's IP. Or remove the DNS line altogether and then it won't touch your
DNS settings at all.
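The two edits described above (point the client's `DNS =` line at the Pi-hole, or delete it so WireGuard leaves system DNS alone) can be made with a short script. The following is an added example, not code from the thread or from WireGuard: it writes a constructed sample client config, then rewrites or removes its `DNS` line. It goes one step beyond the comment by also handling a config that has no `DNS` line yet, inserting one under `[Interface]`. The Pi-hole address 10.0.0.2, the endpoint and the key strings are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): set a WireGuard client config's DNS to a
# Pi-hole, or strip the DNS line so the client does not touch system DNS.
# The sample config, 10.0.0.2 (Pi-hole) and the key strings are placeholders.
set -u

# Write a constructed sample client config to the given path.
write_sample_config() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.10/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
EOF
}

# set_wg_dns CONFIG IP
# Replaces an existing "DNS =" line, or inserts one directly under
# [Interface] when the config has none. Edits the file in place via a temp copy.
set_wg_dns() {
    conf=$1; ip=$2
    if grep -q '^DNS *=' "$conf"; then
        awk -v ip="$ip" '/^DNS *=/ { print "DNS = " ip; next } { print }' "$conf"
    else
        awk -v ip="$ip" '{ print } /^\[Interface\]/ { print "DNS = " ip }' "$conf"
    fi > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# strip_wg_dns CONFIG
# Removes the DNS line entirely; wg-quick then leaves resolver settings alone.
strip_wg_dns() {
    awk '!/^DNS *=/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# wg_dns CONFIG
# Prints the configured DNS value, or nothing when the line is absent.
wg_dns() {
    sed -n 's/^DNS *= *//p' "$1"
}

# Typical use on a real client config (run as root, since wg0.conf holds the key):
#   set_wg_dns /etc/wireguard/wg0.conf 10.0.0.2    # use the Pi-hole
#   strip_wg_dns /etc/wireguard/wg0.conf           # or leave system DNS alone
#   wg-quick down wg0 && wg-quick up wg0           # reload the tunnel
```

Note that the DNS address only resolves through the tunnel if it falls inside the peer's `AllowedIPs`; with the `0.0.0.0/0` shown here that holds for any address, but with a split tunnel the Pi-hole's subnet has to be listed explicitly.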

------
segmondy
I had a raspberry pi vpn server. Served traffic over UDP, used port knocking
to open it up. Blocked everything else, worked pretty well, but damn SD cards
kept dying. :-/

~~~
LeoPanthera
The Pi is notorious for murdering SD cards, but if you use an "endurance"
card, which are often sold for use in dashcams, you should find it lasts a lot
longer.

~~~
Jaruzel
If you 'dd' the sd card over to a usb key, and add 'program_usb_boot_mode=1'
to the config.txt, you'll get a more robust filesystem and a speed-up bonus as
well.

~~~
aweiland
This does not yet work on the Pi 4. However you can keep /boot on the SD card
and move / to an external USB SSD.

------
nspassov
The author barely mentions anything about security of the server setup. I
would at least run some online security checks for open ports, etc.

------
numlock86
> On public, unprotected Wi-Fi, a VPN adds a layer of security by masking your
> IP address.

Haha, WTF did I just read?

~~~
moooo99
To be fair. The claim that it makes you more secure by masking your IP is
wrong. But securing your connection in public Wi-Fi networks is probably the
main VPN use-case for the average user.

------
Whatarethese
Don't follow this. Set up Wireguard on your Pi. The best way to do it.

------
gerdesj
I use a VPN to "go home", regardless of where I am in the world.

There are many uses for VPNs and we have to be careful about why we use them.

