S

u
b
m
it

1. Introduction
Ubiquitous Wi-Fi and mobile data that is on offer has made internet an integral part
of our daily lives. With so much free public Wi-Fi that is available from different
sources like airports, restaurants, libraries etc. the insatiable thirst for data is met.
Right? Yes, the Wi-Fi is free of course, but it is also generally unencrypted. This
means the users privacy is at risk. An eavesdropper can easily access the personal
data of the user when connected to such a network. Some of the other issues we
faced is that the websites continuously track our browsing patterns to rake in some
profits at the expense of our privacy. Courtesy Edward Snowden, we now know how
the Government monitors our online activities all the time. Apart from these privacy
invasions, there are also geographic restrictions. This is a scenario where the
Government of a certain country denies its general public from accessing certain
websites. Isnt there a fix to all these issues? Isnt there anyway to can keep our
privacy intact?
Well, of course there is the TOR browser that enables anonymous communication
thus fixing the issues discussed previously. The next question that immediately
arises is that if TOR is for an average internet surfer? On the downside a TOR
connection can be extremely slow - even slower than the most sluggish internet
speeds at times. Since, TOR offers such high levels of anonymity its a haven for
many crude, illegal activities. An average Joe can stumble upon some raw,
uncensored stuff on the internet that might keep him away from TOR for good.
Another silly fix to the issue would be avoid connecting on the public Wi-Fi
altogether. However, due to the impracticality of this fix we could as well use a
Virtual Private Network (VPN) to provide an anonymous, encrypted network.
Generally this paid for VPN service routes the internet traffic through a server that is
not our point of origin.
In this project we set up a free OpenVPN server on a relatively inexpensive piece of
hardware called the raspberry pi. This approach tunnels all the local traffic through
the raspberry pi which in turn routes it to the internet. Other than fixing all the
security issues, VPNs also allow users to connect on the public network as if they
were connected on the private one.

2. VPN and OpenVPN

2.1 VPN
VPN stands for Virtual Private Network. VPN extends private network across public
network or shared network like internet. Using VPN, we can send and receive data
across public network as if the devices are connected in the private network. Thus
VPN provides anonymity. It means even though the public or shared network is not
secured we can get secured network with VPN. VPN provides Security,
Confidentiality, Integrity and Authentication which are most important factors in any
form of communication. VPN is created in a way that it enables point-to-point
connections through the use of dedicated connections, virtual tunneling protocols.

VPN allows corporate employees to securely access the corporate intranet while
travelling outside their office. Using VPN, we can connect to proxy servers so that
one can protect their personal identity. We can deploy VPN connectivity on routers
for additional security and encryption of data transmission by using various
cryptographic techniques.

2.2 OpenVPN
OpenVPN is an open-source software application that implements virtual private
network (VPN) techniques for creating secure point-to-point or site-to-site
connections in routed or bridged configurations and remote access facilities. For Key
Exchange VPN uses custom security protocol that utilizes SSL/TLS. VPN is capable of
traversing firewalls and network address translators. For authentication between
users OpenVPN uses certificates, pre-shared secret keys or username/passwords.
OpenVPN uses for encryption and authentication. It uses HMAC for additional
security. OpenVPN provides 256-bit encryption using OpenSSL. OpenVPN not only
supports IPv4 but also it fully supports IPv6. OpenVPN can run over TCP and UDP
transports.
OpenVPN is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X,
and Windows XP and later. It also works on mobile phones running on IOS, Windows,
Android.

3. Hardware required

Raspberry pi (Model 2B) This model of the raspberry pi comes with a quad core
Broadcom BCM2836 CPU with 1GB RAM, 40 pin extended GPIO, micro SD slot, micro
USB power source, an Ethernet port, 4 USB ports and a full size HDMI port.
8 GB class 10 micro SD with Raspbian (Debian-based computer operating system)
written on it.
Wireless adapter To connect the raspberry pi to the internet wirelessly.
HDMI display
A keyboard

4. Setting up the server side

4.1.
Changing the default raspberry pi username and
password
Power on the Pi and enter the default username and password pi and raspberry
respectively. If this username-password combination is left at default anybody with
access to raspberry pi could mess with the server.

4.2.

Enable ssh on the Pi

This step is optional, but can be done to remotely connect to the raspberry pi by
typing in the following command sudo raspi-config and enabling ssh on the
advanced options dialogue box.

4.3.

Updating the Pi

Update system packages and upgrade the installed packages to their latest version
on the pi by using sudo apt-get update and sudo apt-get upgrade

4.4.

Assigning static local IP address to the Pi

The outbound traffic has to be routed out to the internet via the server. For, this
reason the server (raspberry pi) needs to have an address that doesnt change each
time we connect to the network. Type the command ifconfig to get the current IP
address on the raspberry pi. We set our router up to assign the pi the IP that it
showed up on running the ifconfig command. An alternative approach would be
hardcoding the static IP address to the pi by running sudo nano
/etc/network/interfaces command. We now reboot the pi by running sudo reboot
command for the changes to take effect.

4.5.

Installing OpenVPN on the pi and key generation

The Raspbian OS comes with the OpenVPN package preinstalled which can be
unpacked by typing in sudo apt-get install openvpn command. Now type in command
sudo apt-get install openvpn in the terminal to install the package that produces the
server client key pair (using RSA). A copy of the
Easy-RSA has to be made in
/etc/openvpn/easy-rsa/ by using the command cp r /usr/share/easy-rsa/*
/etc/openvpn/easy-rsa/ as a root user. Now, type cd/etc/openvpn/easy-rsa to change
directory. Type nano /etc/openvpn/easy-rsa/vars and make changes as shown in the
terminal screenshot

4.6.

Provide authentication to the clients

Build root certificate and root certificate authority on the server to prove itself to the
client that its authentic (it is actually who it claims to be). This is done by changing
directory to easy-rsa by typing
cd /etc/openvpn/easy-rsa and then running the
following commands source ./vars to run the vars document that was modified in the

beginning. Followed by ./clean-all just to ensure that any previous attempts at

creating certificates are cleaned and ./build-ca is run creating certificate with server
name and user name on it.

4.7.

Keys for each individual user

Now that we have created a certificate and generated a key for the server, we need
to create keys for each of the clients so that the server client pair would share a
unique pair of keys. For, demonstration and simplicity we have just created one
client and called it pc. The servers name raspi. This is done by using the following
command ./build-key-pass pc

This ensures that we have both server client certificates and key pairs. After
changing directory to keys by typing cd keys and to ensure that the keys would
work for all clients and for encryption, we type in openssl rsa in pc.key -des3 -out
pc.3des.key
In the process on creating the client keys and certificates we would be asked for a
passphrase. We need to remember this in case it is asked for in the future.

4.8.

Building Diffie-Hellman

Now that the server client pair has established a unique key pair, to establish an
end-to-end data encryption we need to generate an identical key that is used for

both encryption and decryption. This is done by using Diffie-Hellman Key exchange.
After typing in cd.. and ./build-dh we can see a recurring pattern of . and +

To provide our server additional security against certain attacks like the Denial of
Service attack we use hash based message authentication code (HMAC) so that the
server wouldnt authenticate any client without the pre-shared key. This is
implemented using the command openvpn --genkey --secret keys/ta.key

4.9.

Server configuration

Now, we would require our server (Raspi) to do a bunch of things like tunneling the
traffic through port 1194 and looking for the server client keys and certificate in a
specific folder. Setting the router as DNS and encrypting the data with AES 128 in
CBC mode. We edit the configuration of the server by using the command nano
/etc/openvpn/server.conf where we type in the following (an open-source code found
on GitHub modified according to server name and pi IP)
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/raspi.crt
key /etc/openvpn/easy-rsa/keys/raspi.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.20 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1"
client-to-client

duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20

After saving this server configuration, we have to let all the traffic flow through the
server. So, type nano/etc/sysctl.conf and make the following changes.

This change of uncommenting is applied using sysctl p

4.10.

Breach the Raspbian firewall

Due to the server configuration the client that connects to the server would get an
IP in the 10.8.0.0/24 for the tunnel. Since our subnet is at 192.168.0.0/24 we need
to make use of NAT in the following format. First we type nano /etc/firewall-openvpnrules.sh and editing the openvpn-rules as
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.20
Like windows OS having an inbuilt firewall the Raspbian OS has a firewall inbuilt too.
This firewall doesnt allow all the traffic to flow through it. In order to get the traffic
flowing through the server, we should breach the firewall using the following set of
commands
chmod 700 /etc/firewall-openvpn-rules.sh
chown root /etc/firewall-openvpn-rules.sh
nano /etc/network/interfaces

4.11.

Individual client profiles

Automate the client side of things to save us a lot of work by running the
following script after typing sudo nano /etc/openvpn/easy-rsa/keys/Default.txt in the
terminal window.

Up next is the script that automates the whole process. This was a code written
by Eric Jodoin that sets up the client profiles. After typing nano /etc/openvpn/easyrsa/keys/MakeOVPN.sh enter

#!/bin/bash
# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
CA="ca.crt"
TA="ta.key"
#Ask for a Client name
echo "Please enter an existing Client Name:"
read NAME
#1st Verify that client's Public Key Exists
if [! -f $NAME$CRT]; then
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
exit
fi
echo "Client's cert found: $NAME$CR"
#Then, verify that there is a private key for that client
if [! -f $NAME$KEY]; then
echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
exit
fi
echo "Client's Private Key found: $NAME$KEY"
#Confirm the CA public key exists
if [! -f $CA]; then
echo "[ERROR]: CA Public Key not found: $CA"
exit
fi
echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists
if [! -f $TA]; then

echo "[ERROR]: tls-auth Key not found: $TA"

exit
fi
echo "tls-auth Private Key found: $TA"
#Ready to make a new .opvn file - Start by populating with the default file
cat $DEFAULT > $NAME$FILEEXT
#Now, append the CA Public Cert
echo "<ca>" >> $NAME$FILEEXT
cat $CA >> $NAME$FILEEXT
echo "</ca>" >> $NAME$FILEEXT
#Next append the client Public Cert
echo "<cert>" >> $NAME$FILEEXT
cat $NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >>
$NAME$FILEEXT
echo "</cert>" >> $NAME$FILEEXT
#Then, append the client Private Key
echo "<key>" >> $NAME$FILEEXT
cat $NAME$KEY >> $NAME$FILEEXT
echo "</key>" >> $NAME$FILEEXT
#Finally, append the TA Private Key
echo "<tls-auth>" >> $NAME$FILEEXT
cat $TA >> $NAME$FILEEXT
echo "</tls-auth>" >> $NAME$FILEEXT
echo "Done! $NAME$FILEEXT Successfully Created."
#Script written by Eric Jodoin
\ No newline at end of file

4.12.

Escalating the root privileges

We give the script of Eric Jodoin the permission to run by typing cd

/etc/openvpn/easy-rsa/keys/
Chmod 700 MakeOVPN.sh gives the script root privileges and ./MakeOVPN.sh
executes it .Then we need to escalate root privileges on the server to copy over
some of the vital files over to the client side. This is done by the command

chmod 777 to copy the required files on the client device. These privileges are
undone by using chmod 600 to prevent any unauthorized access to the files on
the server. The script executes to give the following output

5. Setting up the client side

Now that the server is up and running, we install the winscp on windows machine
that we are using as client. We also need to install OpenVPN on the client and
download the files such as client certificates, keys and pc.opvn on the client.

On running the OpenVPN GUI we notice the change in public IP addresses as

follows:
Public IP before VPN connection

Public IP after VPN connection

6. Problems faced and important milestones.

To successfully set up the raspberry pi as VPN server, we have to assign it a static
private as well as a public IP. In large organizations like the universities, this aspect
causes a little trouble since the networks available across the campus is not
assigned a static public IP and thus no question of assigning it a private IP since the
network and subnet would keep changing continually. Few of the commands for the
terminal werent as encounter on the references and getting the raspberry pi to
pump out all the client traffic through it was also an area of concern. Network
Address Translation was a little tricky in particular. That said, setting up the client
side of things was the trickiest bit.
In this project we wanted to set up a model of a VPN server to provide us with
anonymity and privacy and learn how a VPN actually works. We successfully did
what we set out to do, in terms of project outcome and also learnt that we could
access our private network from anywhere on the internet using a Virtual Private
Network.

7. Conclusion
The ever growing concern of keeping the privacy and online anonymity intact is kind
of addressed in this project. We now have an anonymous end to end encrypted
connection set up for a particular client that changes its IP address and has all the
data encrypted using the AES-128 standard(We could set up any number of clients
for this server since OpenVPN is compatible across all OS Platforms). This is a good
measure to keep the intruders and eavesdroppers at bay. Government online

surveillance and geographic restrictions imposed on clients can also be overcome

using this approach. It should be kept in mind that any scheme that involves Public
key cryptography is vulnerable to Man In the Middle (MItM) attack and VPN is no
different.

8. References
1) http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-webbrowsing/
2) https://github.com/rmurray2/RPI-TLS-VPN/blob/master/server.conf
3) https://gist.github.com/laurenorsini/10013430
4) https://openvpn.net/index.php/open-source/documentation/howto.html
5) http://pclosmag.com/html/Issues/201309/links.html
6) http://www.bbc.com/news/technology-33548728
7) http://elinux.org/RPi_Hardware