
Raspberry Pi VPN Server: Build Your Own Virtual Private Network - sr2
https://pimylifeup.com/raspberry-pi-vpn-server/
======
oneplane
I'm not sure that making 'security' easy in this style helps people. Say you
set this up, and you get yourself that nice cosy feeling of security, how does
that compare to reality? People used to buy anti-virus software to buy
'security' and it turned out to not really help against actual problems like
zero-day malware. Now, we get VPNs and people that don't actually know what
they are or how they work or what they're for install and 'use' them (for lack
of a better term) and get that sense of security with no backing. How is it
secure for them? Is it still secure after one month? Was it secure to begin
with?

Security isn't a thing that you 'buy' or 'add', it's something that you 'do'
and 'know'.

Using a VPN server and a VPN client doesn't do anything other than get
traffic from A to B over a presumed hostile network. Ideally using
asymmetrical encryption to make sure the keys don't have to travel the
network. Then, you should probably use that tunnel to send all traffic, not just
your p2p or http traffic. Using DNS over the normal network and your 'secret'
stuff over the tunnel still exposes what you are doing and actually makes you
more suspicious since you now look like you are trying to hide things (and
doing a bad job at it). And what about firewalls, WebRTC hacks, routing tables
etc. that now expose your network setup to any software you execute (be it an
application or a webpage), or applications that don't honor your VPN setup and
route packets wherever they want to. What about your OS routing stuff
elsewhere? What about that Pi not being setup correctly and you happily using
it but still leaking a ton of traffic over the visible network? A user of an
easy VPN setup will not know and be covered by a false sense of security.

Even if you have perfect instructions and set it up perfectly initially, you
would still be vulnerable down the road as new problems arise and mitigations
might be available but unknown due to a user not actually knowing what it is
or what they are doing.
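
The leaks listed above (a default route that never moved into the tunnel, DNS still going to the local resolver) are checkable from the client. The script below is an added example, not code from the linked guide or from PiVPN: it parses `ip -4 route show` output and a resolv.conf body and reports each leak it can see. The interface names, addresses and the two sample states are constructed.

```python
"""Offline checker for the two leaks a VPN client can verify locally:
where the default route points, and which DNS resolvers are in use.

Added example for this thread, not code from the linked guide or PiVPN.
The route tables and resolv.conf bodies below are constructed; on a real
Linux client collect_and_check() feeds it the live system instead.
"""
import ipaddress
import subprocess
from typing import Dict, List, Optional

# Interface name prefixes used by OpenVPN (tun/tap), WireGuard (wg) and
# route-based IPsec (ipsec/xfrm). Assumption: the tunnel device is one of these.
TUNNEL_IFACES = ("tun", "tap", "wg", "ipsec", "xfrm")
Route = Dict[str, Optional[str]]


def parse_routes(route_output: str) -> List[Route]:
    """Turn `ip -4 route show` lines into {'dst', 'dev', 'via'} dicts."""
    routes: List[Route] = []
    for line in route_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        entry: Route = {"dst": fields[0], "dev": None, "via": None}
        for key in ("dev", "via"):
            if key in fields[1:]:
                entry[key] = fields[fields.index(key) + 1]
        routes.append(entry)
    return routes


def parse_resolvers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in a resolv.conf body."""
    return [p[1] for p in (l.split() for l in resolv_conf.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def is_tunnel(dev: Optional[str]) -> bool:
    return dev is not None and dev.startswith(TUNNEL_IFACES)


def route_for(addr: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel uses to pick a route."""
    target = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for r in routes:
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if r["dst"] == "default" else r["dst"], strict=False)
        except ValueError:  # e.g. an 'unreachable ...' line; not a prefix
            continue
        if target in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def check_leaks(route_output: str, resolv_conf: str) -> List[str]:
    """Return human-readable findings; an empty list means no obvious leak."""
    routes = parse_routes(route_output)
    findings: List[str] = []

    # 1. All traffic must enter the tunnel. OpenVPN's `redirect-gateway def1`
    #    adds 0.0.0.0/1 + 128.0.0.0/1 instead of replacing 'default', so
    #    accept either form.
    default_ok = any(is_tunnel(r["dev"]) for r in routes if r["dst"] == "default")
    halves = {r["dst"] for r in routes
              if r["dst"] in ("0.0.0.0/1", "128.0.0.0/1") and is_tunnel(r["dev"])}
    if not (default_ok or len(halves) == 2):
        findings.append("default route does not enter a tunnel interface: "
                        "ordinary traffic leaks to the local uplink")

    # 2. Every resolver must be reached through the tunnel, otherwise the
    #    queries (and so the hosts you visit) go to the local network's DNS.
    for ns in parse_resolvers(resolv_conf):
        if ipaddress.ip_address(ns).is_loopback:
            findings.append(f"resolver {ns} is a local stub (e.g. systemd-resolved); "
                            "check its upstream with `resolvectl status`")
            continue
        r = route_for(ns, routes)
        if r is None or not is_tunnel(r["dev"]):
            findings.append(f"DNS resolver {ns} is reached via "
                            f"{r['dev'] if r else 'no route'}: DNS leak")
    return findings


def collect_and_check() -> List[str]:
    """Live variant for a Linux client; not exercised by the samples below."""
    out = subprocess.run(["ip", "-4", "route", "show"], capture_output=True,
                         text=True, check=True).stdout
    with open("/etc/resolv.conf") as fh:
        return check_leaks(out, fh.read())


# Constructed sample: tun0 is up, but nothing was routed into it and the
# ISP-provided resolver on the home router is still in use.
LEAKY_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""
LEAKY_RESOLV = "nameserver 192.168.1.1\n"

# Constructed sample: def1 half-routes, a host route to the VPN server
# (203.0.113.10, documentation range) and the tunnel-side resolver.
GOOD_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""
GOOD_RESOLV = "nameserver 10.8.0.1\n"

if __name__ == "__main__":
    for name, (rt, rs) in {"leaky": (LEAKY_ROUTES, LEAKY_RESOLV),
                           "good": (GOOD_ROUTES, GOOD_RESOLV)}.items():
        print(name, check_leaks(rt, rs) or ["no leaks found"])
```

Run as a script it prints the findings for both samples; `collect_and_check()` does the same against the live system on a Linux client. A 127.0.0.53 resolver means systemd-resolved sits in front of the real upstream, which is why the checker points at `resolvectl status` instead of declaring that case clean. It only looks at IPv4; an untunnelled IPv6 default route is a separate leak worth checking the same way.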

~~~
sr2
As a single hop proxy, VPNs are pretty limited in terms of the OPSEC they
provide. Personally I only ever use them to route traffic over hostile
networks, and spoof my geolocation to access geo-blocked content. That's all
they should be used for[1]

They for obvious reasons should not be used for anonymity[2] although for some
this is the sole reason they use a VPN. I think, since they are a single hop
proxy, that chaining VPNs together and buying subscriptions anonymously with
tumbled Bitcoins/Monero is the only way you might get anonymity, but the
overhead and potential for things to go wrong is massive. Things like Tor
already solve many of these obstacles and provide reasonable OPSEC,
provided you use it correctly.

[1]: [https://gist.github.com/joepie91/5a9909939e6ce7d09e29](https://gist.github.com/joepie91/5a9909939e6ce7d09e29)

[2]: [http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/](http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/)

~~~
yzz
Yet even tor is fairly compromised in that the evidence presents that it has
already been tapped by the NSA, and even using it puts you on a watchlist
regardless of your actions.

~~~
throwaway47861
Yet again, the charming HN audience shows their true colors by downvoting
people who have no proof of what they claim, while conveniently forgetting
that if anyone had proof of what you said they'd be in a secret court, and
then prison -- for a long time.

~~~
jen_h
That's a bit hyperbolic, methinks - Angwin & Tigas aren't in secret court or
prison! [https://www.propublica.org/article/heres-one-way-to-land-on-the-nsas-watch-list](https://www.propublica.org/article/heres-one-way-to-land-on-the-nsas-watch-list)

~~~
throwaway47861
The tinfoil guy in me says they know nothing important then. ;)

Being a bit more serious, thank you for the link, it was enlightening. Kudos.

------
7ewis
I personally use Streisand [1] hosted on a t2.micro using the AWS Free Tier.
Some people also recommend Algo [2]. Both have all their code open sourced on
GitHub.

I do have a Pi too, but after all these new laws where ISPs can sell your
Internet history etc. I think it's nice to be able to hide traffic from them
too.

[1] - [https://github.com/jlund/streisand](https://github.com/jlund/streisand)

[2] -
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

------
ryanlol
The Pi is far too slow to do more than a couple of MB/s of vpn traffic so
hosting a VPN server on it feels like a rather pointless exercise.

A bit more expensive but at least 100x faster option would be
[https://www.amazon.com/Supermicro-A1SRi-2558F-Intel-Fanless-Server/dp/B016VHBA7C/](https://www.amazon.com/Supermicro-A1SRi-2558F-Intel-Fanless-Server/dp/B016VHBA7C/)

And I suppose something like
[https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-Barebone/dp/B01GIVQI3M/](https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-Barebone/dp/B01GIVQI3M/)
or maybe
[https://www.amazon.com/Solana-Tech-pfSense-firewall-router/dp/B01D6I5VV0/](https://www.amazon.com/Solana-Tech-pfSense-firewall-router/dp/B01D6I5VV0/)
would be an OK cheaper alternative.

~~~
fps
The Ubiquiti Edgerouter Lite or Edgerouter X is cheaper and able to handle
gigabit network traffic, and can terminate OpenVPN.
[https://www.amazon.com/Ubiquiti-EdgeMax-EdgeRouter-ERLite-3-Ethernet/dp/B00CPRVF5K](https://www.amazon.com/Ubiquiti-EdgeMax-EdgeRouter-ERLite-3-Ethernet/dp/B00CPRVF5K)
or
[https://www.amazon.com/Ubiquiti-EdgeRouter-Advanced-Gigabit-Ethernet/dp/B00YFJT29C/ref=pd_lpo_vtph_147_lp_t_3?_encoding=UTF8&psc=1&refRID=YB6Z561WMQYMTSXB5H5C](https://www.amazon.com/Ubiquiti-EdgeRouter-Advanced-Gigabit-Ethernet/dp/B00YFJT29C/ref=pd_lpo_vtph_147_lp_t_3?_encoding=UTF8&psc=1&refRID=YB6Z561WMQYMTSXB5H5C)
but honestly so can any consumer grade router capable of running OpenWrt.

~~~
rbritton
I have personally tried OpenVPN on an EdgeRouter PoE. The OpenVPN version in
the current EdgeOS is fairly old and also has zero hardware support, so like
the sibling post mentioned, it kills the bandwidth. It was something like 1
Mbit for TCP and 10-15 Mbit for UDP.

------
nodesocket
I've seen quite a few guides and blog posts using OpenVPN, but very few show
how to set up native Cisco IPsec, which works out of the box with macOS and iOS
without any 3rd party software to configure.

Thus, here is a blog post I wrote a bit ago on how to set up a dedicated native
Cisco IPsec Pi:

[https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/](https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/)

~~~
Mister_Snuggles
I've gone a similar route for my VPN needs, though instead of using a script I
configured StrongSwan directly. I skipped the whole L2TP thing since the only
things I care about routing are IP packets and IPSec does that just fine. I
tried OpenVPN for a bit, but the iOS app felt like it was mainly an ad for
Private Internet Access and turned me off of it.

My VPN needs are, roughly:

- Remote access to my home network from my phone/laptop/tablet. This is
mainly to check on my security cameras, but being able to access my NAS and
everything else is a nice bonus. I can even turn my Philips Hue lights on and
off via my VPN connection.

- Remote access to VMs running on a rented machine at Joe's Data Center.
Basically the same scenario as above, but with different stuff on the other
side of the tunnel.

- Seamless integration of my home network with the remote one. This is where
things get fun. Basically, custom routes on my router tell it to send packets
destined for the remote subnets to the VPN server, plus some custom dnsmasq
configuration routes DNS requests for remote machines to the appropriate
server.

Honestly, the only thing that bugs me about my setup is that I can't figure
out what the secret sauce is to get Windows 10's native VPN client to connect
to my servers. I'm pretty sure that my certificates are missing something that
Win10 needs in order to use them, but I haven't figured out what it is yet.
Fortunately, this isn't something I need right now, but it would be nice to
get it working.

~~~
stock_toaster
Similarly, I've been meaning to try iked in OpenBSD to get a simple ikev2 vpn
endpoint set up.

~~~
Mister_Snuggles
Same here. I'm looking at eventually replacing my router with an OpenBSD box
and having it handle the VPN stuff.

My servers are primarily FreeBSD, but I wouldn't recommend doing IPSec on it.
FreeBSD 10 doesn't enable IPSEC by default, so you have to recompile the
kernel to use it. FreeBSD 11 enables IPSEC but does not enable IPSEC_NAT_T
(NAT Traversal, basically IPSec encapsulated in UDP), so you need to recompile
to use it since many clients end up being behind NAT at some point.

My ideal setup would see OpenBSD gateways in front of my FreeBSD servers, but
in some cases that isn't possible. I'll probably end up creating small OpenBSD
VMs on the FreeBSD hosts to do the VPN work.
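
To make the IPSEC_NAT_T discussion above concrete, here is an added example (not code from FreeBSD, OpenBSD iked or strongSwan) of what NAT traversal means on the wire: RFC 3948 puts ESP inside UDP on port 4500, shares that port with IKE by prefixing IKE messages with a four-byte zero "non-ESP marker", and uses a one-byte 0xFF keepalive to hold the NAT mapping open. The classifier below is the demultiplexing step a NAT-T endpoint performs before handing a datagram to ESP or IKE. All packets are constructed; the SPI and IKE field values are arbitrary.

```python
"""Classify UDP/4500 payloads the way an IPsec NAT-T endpoint must (RFC 3948).

Added example for this thread, not code from FreeBSD, OpenBSD iked or
strongSwan. It shows what the IPSEC_NAT_T kernel option enables on the wire:
ESP carried inside UDP so it survives NAT, sharing port 4500 with IKE (which
is prefixed by a four-byte zero non-ESP marker) and one-byte keepalives.
All packets below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"
# IKE header: iSPI, rSPI, next payload, version, exchange type, flags, msg id, length
IKE_HEADER = struct.Struct("!QQBBBBII")
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass
class Classified:
    kind: str                       # "keepalive", "ike", "esp" or "malformed"
    spi: Optional[int] = None       # ESP only
    seq: Optional[int] = None       # ESP only
    exchange: Optional[str] = None  # IKE only
    length: Optional[int] = None    # IKE only


def classify_udp4500(payload: bytes) -> Classified:
    # RFC 3948 s2.3: a single 0xFF octet is a NAT-keepalive; receivers drop it.
    if payload == b"\xff":
        return Classified("keepalive")
    if len(payload) < 8:
        return Classified("malformed")
    # RFC 3948 s2.2: IKE on 4500 is prefixed by four zero bytes. ESP can never
    # start that way because SPI 0 is reserved for local use and 1..255 by IANA,
    # so the first 32-bit word alone tells the two protocols apart.
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            return Classified("malformed")
        _ispi, _rspi, _next, version, exch, _flags, _msg_id, length = \
            IKE_HEADER.unpack(ike[:IKE_HEADER.size])
        if length != len(ike):  # the header length must cover the whole message
            return Classified("malformed")
        major = version >> 4
        name = (IKEV2_EXCHANGES.get(exch, f"type {exch}") if major == 2
                else f"IKEv{major} type {exch}")
        return Classified("ike", exchange=name, length=length)
    # Anything else is UDP-encapsulated ESP: SPI, sequence number, ciphertext.
    spi, seq = struct.unpack("!II", payload[:8])
    return Classified("esp", spi=spi, seq=seq)


def ike_over_4500(ispi: int, rspi: int, exch: int, flags: int, msg_id: int,
                  first_payload: int, payloads: bytes) -> bytes:
    """Build a constructed IKEv2 message as it appears on port 4500."""
    hdr = IKE_HEADER.pack(ispi, rspi, first_payload, 0x20, exch, flags, msg_id,
                          IKE_HEADER.size + len(payloads))
    return NON_ESP_MARKER + hdr + payloads


def esp_over_4500(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Build a constructed UDP-encapsulated ESP packet (RFC 3948 s2.1)."""
    return struct.pack("!II", spi, seq) + ciphertext


# Constructed samples. The IKE message carries one generic 16-byte payload
# (next payload 0 = none, payload length 16) behind an SA (33) first-payload type;
# flags 0x08 is the Initiator bit.
GENERIC_PAYLOAD = struct.pack("!BBH", 0, 0, 16) + b"\x00" * 12
SAMPLE_IKE_SA_INIT = ike_over_4500(0x1122334455667788, 0, 34, 0x08, 0, 33, GENERIC_PAYLOAD)
SAMPLE_ESP = esp_over_4500(0xC0FFEE01, 7, bytes(range(32)))
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for pkt in (SAMPLE_KEEPALIVE, SAMPLE_IKE_SA_INIT, SAMPLE_ESP):
        print(classify_udp4500(pkt))
```

The disambiguation works only because an ESP SPI is never zero on the wire, so a genuine ESP packet cannot begin with four zero bytes. The length check on the IKE header is the kind of sanity test a kernel or IKE daemon applies before it parses payloads; a truncated or padded message is rejected rather than parsed.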

~~~
stock_toaster

> FreeBSD 11 enables IPSEC but does not enable IPSEC_NAT_T

FWIW I heard that FreeBSD 11.1 (already in 11-Stable) is going to remove
IPSEC_NAT_T as a tunable, and it will be effectively enabled by default.

I wanted to create an openbsd vm (on bhyve) too, but there is some weird issue
with openbsd 6.1 and bhyve passing through some funky cpu flags it shouldn't
be that causes openbsd to panic. Apparently passing -w to bhyve works, but I
haven't tried it yet.

~~~
Mister_Snuggles
> FWIW I heard that FreeBSD 11.1 (already in 11-Stable) is going to remove
> IPSEC_NAT_T as a tunable, and it will be effectively enabled by default.

Sweet!! I guess I'll hold off on upgrading my boxes until 11.1 lands.

> I wanted to create an openbsd vm (on bhyve) too, but there is some weird
> issue with openbsd 6.1 and bhyve passing through some funky cpu flags it
> shouldn't be that causes openbsd to panic. Apparently passing -w to bhyve
> works, but I haven't tried it yet.

Good to know - thanks!

------
adampie
Running it with Pi-Hole ([https://pi-hole.net/](https://pi-hole.net/)) makes
it a pretty sweet set up.

------
tonysdg
How much extra security does this actually provide over a subscription-based
VPN service? I mean, yeah, I control the physical hardware (assuming my
apartment doesn't get busted in), but it means I have to make sure everything
is configured properly/patched/etc. Is it really worth all that extra effort?
I'm legitimately curious here.

~~~
driverdan
It depends on your risk profile. If you're using it to bypass Netflix region
controls a VPN service would be fine. If you're using it to circumvent an
oppressive regime with extreme consequences you should control the hardware
yourself.

------
equalunique
I built my own IPSec IKEv2 VPN using OpenBSD 6 and a BeagleBone Black. It
worked really well and I would do it again. It replaced a FreeBSD 11 Raspberry
Pi Model B which had only been doing NAT and VLANs. Never ran into issues with
either. I do prefer the OpenBSD pf syntax as well as the ease with which
OpenBSD facilitates IKEv2.

------
MickelC
[https://arstechnica.com/gadgets/2017/05/how-to-build-your-own-vpn-if-youre-rightfully-wary-of-commercial-options/?comments=1](https://arstechnica.com/gadgets/2017/05/how-to-build-your-own-vpn-if-youre-rightfully-wary-of-commercial-options/?comments=1)
here is a guide on building your own VPN. If you are unable to build it then
use a paid VPN service. Ivacy VPN is the right option which is cheap and
effective.

------
akoster
A quick setup script for raspbian:
[http://www.pivpn.io/](http://www.pivpn.io/)

------
cmsimike
I've been using PiVPN[0], which sets up a VPN server for you, but also wraps a
lot of the admin commands (creation and revocation of certs, for instance) in
easier-to-remember commands.

[0] [http://www.pivpn.io/](http://www.pivpn.io/)

~~~
teddyfrozevelt
That's what this article is using too.

------
qrbLPHiKpiux
Am I correct that some security experts don't necessarily trust OpenVPN
because of its reliance on TLS?

~~~
lucb1e
I'm pretty sure you can find an expert in any field (provided enough
'experts', which for TLS there certainly are) who will have a given opinion on
the topic.

I myself am not entirely happy with the way TLS works. It invites bad
configurations and in our pen testing reports, it is _extremely_ rare to see
setups that do not have some recommendation. I have yet to see one, but I'm
sure someone in the office will have seen a "perfect" setup on some odd
assignment (once again: given enough samples, you'll find one...). And then
there's the fact that almost all TLS connections use endpoints written in
memory-unsafe languages, which has caused its fair share of vulnerabilities.
(Alright, maybe a lot more than its fair share.)

But the notion that OpenVPN is bad just because it relies on TLS is mildly
ridiculous. The only reason I could agree with "let's move OpenVPN off of TLS"
is because too much relies on one protocol. Then again, that makes it an
_extremely_ well-vetted protocol, which is one of the things that makes it so
good, and it's a fairly versatile protocol. Most of the important parts can be
swapped out with a configuration change.
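
The two points above, that TLS "invites bad configurations" and that OpenVPN lets most of the important parts be swapped by a configuration change, can be made concrete. Below is an added example, not the page's, PiVPN's or the OpenVPN project's code: a small linter that flags a handful of weak server-side settings, run over a constructed config with the defaults many older guides shipped and over its hardened counterpart. The directive names are real OpenVPN 2.4+ options; the file names and addresses are placeholders.

```python
"""Lint an OpenVPN server config for well-known weak settings.

Added example for this thread, not code from the linked guide, PiVPN or the
OpenVPN project. The directive names are real OpenVPN 2.4+ options; the two
configs at the bottom are constructed, one with defaults older guides shipped
and one with the hardened equivalents. OpenVPN 2.5's data-ciphers list is
not checked here.
"""
import re
from typing import Dict, List, Tuple

AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
WEAK_HMACS = {"MD5", "SHA1", "NONE"}


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Split a config into (directive, args) pairs; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint(text: str) -> List[str]:
    """Return findings for the weak settings this example knows about."""
    present: Dict[str, List[List[str]]] = {}
    for directive, args in parse_config(text):
        present.setdefault(directive, []).append(args)
    findings: List[str] = []

    # Data channel: BF-CBC was the long-time default (64-bit blocks, SWEET32);
    # any non-AEAD cipher also needs a separate HMAC and is easier to misconfigure.
    for args in present.get("cipher", []):
        if args and args[0].upper() not in AEAD_CIPHERS:
            findings.append(f"cipher {args[0]}: use an AEAD cipher such as AES-256-GCM")

    # HMAC for the control channel and tls-auth.
    for args in present.get("auth", []):
        if args and args[0].upper() in WEAK_HMACS:
            findings.append(f"auth {args[0]}: use SHA256 or stronger")

    # Compressing traffic before encryption leaks plaintext properties (VORACLE).
    lzo_on = any(args != ["no"] for args in present.get("comp-lzo", []))
    compress_on = any(args for args in present.get("compress", []))
    if lzo_on or compress_on:
        findings.append("compression enabled: remove comp-lzo/compress")

    # DH group size, read heuristically from the file name (dh1024.pem etc.);
    # 'dh none' plus ecdh-curve is the modern choice.
    for args in present.get("dh", []):
        m = re.search(r"(\d{3,4})", args[0]) if args else None
        if args and args[0] != "none" and m and int(m.group(1)) < 2048:
            findings.append(f"dh {args[0]}: {m.group(1)}-bit DH is too small; "
                            "use 2048+ or 'dh none' with ecdh-curve")

    if "tls-version-min" not in present:
        findings.append("no tls-version-min: add 'tls-version-min 1.2' to refuse TLS 1.0/1.1")
    if "tls-crypt" not in present and "tls-auth" not in present:
        findings.append("no tls-crypt/tls-auth: control channel accepts unauthenticated handshakes")
    if "crl-verify" not in present:
        findings.append("no crl-verify: revoked client certificates are still accepted")
    if "user" not in present or "group" not in present:
        findings.append("no user/group: daemon keeps root after startup; "
                        "add 'user nobody' and 'group nogroup'")
    return findings


# Constructed: settings many pre-2.4 tutorials shipped.
WEAK_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
cipher BF-CBC
auth SHA1
comp-lzo
keepalive 10 120
persist-key
persist-tun
"""

# Constructed: the same server with the weak settings swapped out, plus the
# pushes that send all traffic and DNS through the tunnel (block-outside-dns
# is honoured by Windows clients only).
HARDENED_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
ecdh-curve secp384r1
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-crypt ta.key
crl-verify crl.pem
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(name, lint(conf) or ["no findings"])
```

The checks are deliberately conservative: each one corresponds to a directive whose absence or value changes what an attacker on the path can do (handshake with the daemon at all, downgrade the TLS version, exploit compression, present a revoked certificate, or land in a root process). The crl-verify line is the server half of the `pivpn revoke` workflow mentioned elsewhere in this thread; without it, revocation changes the CRL file and nothing else.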

------
ex3ndr
Does anyone know a VPN service (NOT a self-hosted server) that could help
establish small private networks for multiple PCs without a public IP? Right
now I'd have to set up OpenVPN on DigitalOcean, but I'd really prefer to pay
for a service here.

------
mercora
Does someone know how much bandwidth this is able to handle?

~~~
ryanlol
[https://news.ycombinator.com/item?id=14435139](https://news.ycombinator.com/item?id=14435139)

Like 3MB/s maybe? Even that is pretty optimistic however. The older Pi
wouldn't even do a MB/s

~~~
zapt02
As an OpenVPN client, the Pi handles 10MB/s without breaking a sweat. It's a
quad core computer after all.

------
__ddd__
Came to say that case is sweet.

