OpenVPN
=======

OpenVPN: open-source commercial software implementing a virtual private network (VPN). It uses a custom security protocol, SSL/TLS for key exchange, and pre-shared keys (easiest), passwords or certificates (feature rich and robust) for authentication on a per-client basis, so clients don't get to share credentials, all of that on top of UDP or TCP. See https://openvpn.net/community-resources/openvpn-protocol/ for details.

OpenVPN fully supports IPv6 as the protocol of the virtual network inside a tunnel, and the OpenVPN applications can also establish connections via IPv6. It has the ability to work through most proxy servers (including HTTP) and is good at working through network address translation (NAT) and getting out through firewalls. The server configuration has the ability to "push" certain network configuration options to the clients. These include IP addresses, routing commands, and a few connection options.

OpenVPN offers two types of interfaces for networking via the Universal TUN/TAP driver. It can create either a layer-3 based IP tunnel (TUN), or a layer-2 based Ethernet TAP that can carry any type of Ethernet traffic. OpenVPN can optionally use the LZO compression library to compress the data stream.

Port 1194 is the official IANA-assigned port number for OpenVPN. Newer versions of the program default to that port. OpenVPN's use of common network protocols (TCP and UDP) makes it a desirable alternative to IPsec in situations where an ISP may block specific VPN protocols in order to force users to subscribe to a higher-priced, "business grade" service tier.

When OpenVPN uses Transmission Control Protocol (TCP) transport to establish a tunnel, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically.
OpenVPN can be extended with third-party plug-ins or scripts, which can be called at defined entry points. The purpose of this is often to extend OpenVPN with more advanced logging, enhanced authentication with username and passwords, dynamic firewall updates, RADIUS integration and so on. The plug-ins are dynamically loadable modules, usually written in C, while the scripts interface can execute any scripts or binaries available to OpenVPN. In the OpenVPN source code there are some examples of such plug-ins. Don't touch that unless you have a really good idea what you are doing.

OpenVPN has been integrated into several router firmware packages, allowing users to run OpenVPN in client or server mode from their network routers. A router running OpenVPN in client mode, for example, allows any device on a network to access a VPN without needing the capability to install OpenVPN.

VPNs shield network traffic between endpoints (and the networks local to them) from observation by outsiders. In the diagrams below:

- <--> denotes untunnelled connections. Every station along the way can view source and destination addresses even when the traffic contents are encrypted. If payloads are not encrypted, stations may also change contents.
- <==> denotes tunnelled connections. Stations along the way can still see the source and destination addresses of the tunnel, i.e. those of the endpoint and the VPN server, but not the final destination.

    No VPN:                Endpoint  <--> ISP  <--> Internet <--> Destination
    Your own VPN server:   Endpoint  <==> ISP  <==> Net      <==> VPN Server <--> Destination
    A private VPN service: Endpoints <==> ISPs <==> Internet <==> VPN Server <--> Dest.

Installation on a Pi used to be somewhat tedious: install and configure OpenVPN, figure out EasyRSA, create tunnel configurations.
Thanks to http://www.pivpn.io, this has become considerably easier:

    curl -L https://install.pivpn.io | bash

A walkthrough is here: https://www.sitepoint.com/setting-up-a-home-vpn-using-your-raspberry-pi/

Preparation:

- make sure the Pi of choice has a static IP address. Servers typically do, clients don't.
- having a public static IP address helps. If that's not an option, sign up with a dynamic DNS provider.
- choose a DNS provider for your clients. PiVPN contains a list of the well-known ones.

The installer asks if security patches should be automatically applied. Letting a server install patches unattended is a bad idea: a patch that is capable of cutting the server off from the network eventually will.

The default OpenVPN port is 1194. Expect that port to be scanned by potential intruders. It might be a good idea to pick something different.

Elliptic curve cryptography is the newest encryption scheme on offer. Enable it unless your client doesn't support it. The longer the key, the harder it is for an unwanted listener to decrypt the data. Generating long keys takes time. It's time well spent.

If possible, specify the server's public address (the one that clients are to connect to) as an IP address, to keep clients from falling for DNS spoofing attacks.

The server should be good to go once you see a blurb saying:

    Installation Complete!
    Now run 'pivpn add' to create the ovpn profiles.
    Run 'pivpn help' to see what else you can do.
    The install log is in /etc/pivpn.

PiVPN is helpful:

    ::: Control all PiVPN specific functions!
    :::
    ::: Usage: pivpn [option]
    :::
    ::: Options:
    :::  -a, add [nopass]     Create a client ovpn profile, optional nopass
    :::  -c, clients          List any connected clients to the server
    :::  -d, debug            Start a debugging session if having trouble
    :::  -l, list             List all valid and revoked certificates
    :::  -r, revoke           Revoke a client ovpn profile
    :::  -h, help             Show this help dialog
    :::  -u, uninstall        Uninstall PiVPN from your system!
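The installer choices above (non-default port, server named by IP rather than hostname, a DNS server pushed to clients) can be re-checked on the resulting files. The following is an added example, not PiVPN's or OpenVPN's own code: a small audit script that reads an OpenVPN server.conf or client .ovpn and prints one warning per weak choice; the file paths and sample configs in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PiVPN's or OpenVPN's own code: audit an OpenVPN
# config (server.conf or a client .ovpn) for the choices discussed
# above and print one "WARN:" line per finding.

# Directives only: comments (# or ;) and blank lines removed.
directives() { sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$1"; }

# True when $1 is an IPv4 dotted quad or an IPv6 literal, not a name.
is_ip_literal() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f]*:[0-9A-Fa-f:]*$'
}

# The port a config implies: "port N", else the port of "remote host N",
# else OpenVPN's default of 1194, which intruders routinely scan.
check_port() {
    port=$(directives "$1" | awk '$1=="port"{p=$2}
                                 $1=="remote" && NF>=3{p=$3}
                                 END{if(p=="")p=1194; print p}')
    [ "$port" = 1194 ] &&
        echo "WARN: $1 uses the default port 1194; pick a non-default port"
}

# Client profiles should name the server by IP literal so a spoofed DNS
# answer cannot redirect the client to a different server.
check_remote() {
    directives "$1" | awk '$1=="remote"{print $2}' | while read -r host; do
        is_ip_literal "$host" ||
            echo "WARN: $1 connects to '$host' by name; use the server's IP address"
    done
}

# A server config (one with a "server" directive) should push a DNS
# server, otherwise clients keep using their local or ISP resolver.
check_dns_push() {
    directives "$1" | grep -Eq '^[[:space:]]*server[[:space:]]' || return 0
    directives "$1" | grep -Eq '^[[:space:]]*push[[:space:]]+"?dhcp-option[[:space:]]+DNS' ||
        echo "WARN: $1 pushes no DNS server to clients"
}

audit_openvpn_conf() {
    check_port "$1"; check_remote "$1"; check_dns_push "$1"
}

# Number of findings, usable as an exit status in a deployment check.
count_findings() { audit_openvpn_conf "$1" | grep -c '^WARN:' || true; }

for f in "$@"; do audit_openvpn_conf "$f"; done
```

Run it as `sh audit.sh /etc/openvpn/server.conf /home/pi/ovpns/*.ovpn` after `pivpn add` to see which profiles still name the server by hostname or use port 1194.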
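The script entry points mentioned earlier are the usual way to get the "more advanced logging" the page talks about. Below is an added example, not OpenVPN's or PiVPN's code: a client-connect hook that appends one audit line per connecting client. The directives `script-security` and `client-connect` and the environment variables `common_name`, `trusted_ip`, `trusted_port`, `ifconfig_pool_remote_ip` and `time_unix` are OpenVPN's documented ones; the log path is an assumption.

```shell
#!/bin/sh
# Added example, not OpenVPN's or PiVPN's code: a "client-connect" hook
# that writes an audit line per connecting client. server.conf needs
#   script-security 2
#   client-connect /etc/openvpn/log-connect.sh
# and OpenVPN then runs this file with the path of a temporary file as
# $1 (for per-client options, unused here) and the connection facts in
# environment variables documented in the OpenVPN manual: common_name,
# trusted_ip, trusted_port, ifconfig_pool_remote_ip, time_unix.

# Log destination; an assumed path, overridable via the environment.
LOG_FILE="${LOG_FILE:-/var/log/openvpn-connect.log}"

# One log line built from the exported variables. The certificate CN
# is reduced to a safe character set, so a crafted CN cannot smuggle
# newlines or "key=value" text into the log and forge entries.
format_connect_line() {
    cn=$(printf '%s' "${common_name:-?}" | tr -c 'A-Za-z0-9._@-' '_')
    printf 'time=%s cn=%s from=%s:%s vpn_ip=%s\n' \
        "${time_unix:-0}" "$cn" "${trusted_ip:-?}" \
        "${trusted_port:-?}" "${ifconfig_pool_remote_ip:-?}"
}

# Append the line. A non-zero exit makes OpenVPN refuse the client,
# so a connection is never allowed to go unlogged.
log_connect() {
    format_connect_line >> "$LOG_FILE" || return 1
}

# OpenVPN always passes the temp-file path, so only then run the hook
# body (the file can also be sourced to reuse the functions).
if [ $# -ge 1 ]; then
    log_connect || exit 1
fi
```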