OpenVPN on Ubuntu Core on Raspberry Pi

Steps to set up easy-openvpn on Ubuntu Core

This gist is to accompany a more wordy blog post which covers everything in much more detail. These are the easily copy/pastable steps.

For this you will need:

  • Raspberry Pi 2 or 3, PSU, keyboard, LAN connection, HDMI cable and display
  • Laptop/desktop computer - mine is running Ubuntu 18.04 but anything with SSH will do
  • Micro SD card and adapter to attach to the computer

Install Ubuntu Core on Raspberry Pi

Download Ubuntu Core 16

$ wget http://cdimage.ubuntu.com/ubuntu-core/16/stable/current/ubuntu-core-16-pi2.img.xz

Create an account in the store

While the image downloads, visit https://login.ubuntu.com to create an account if you don't already have one.

Copy image to SD card

This will destroy everything on the SD card. Mine is under /dev/mmcblk0 but yours may differ.

$ xzcat ~/Downloads/ubuntu-core-16-pi2.img.xz | sudo dd of=<drive address> bs=32M
$ sync

Ubuntu Core setup

On the Raspberry Pi

Pop the newly written SD card into the Pi and boot with a keyboard, LAN and HDMI display attached.

                    GNU GRUB  version 2.02~beta2-36ubuntu10

 ┌────────────────────────────────────────────────────────────────────────────┐
 │*Ubuntu Core 16                                                             │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 └────────────────────────────────────────────────────────────────────────────┘

      Use the ↑ and ↓ keys to select which entry is highlighted.
      Press enter to boot the selected OS, `e' to edit the commands
      before booting or `c' for a command-line.

Wait for it to boot.

Press enter to configure.

          Ubuntu Core

          Configure the network and setup an administrator account on this all-snap Ubuntu Core system.

                                                        [ OK     ]

Press enter.


          Network connections

          Configure at least one interface this server can use to talk to other machines, and which preferably
          provides sufficient access for updates.

            eth0     >  Will use DHCP for IPv4, currently has address: 192.168.1.101
                        Has no IPv6 configuration, currently has addresses: fe80:5054:ff:fe12:3456,
                        fec0::5054:ff:fe12:3456
                        B8:27:EB:44:AF:C2 Raspberry Pi Foundation

                                                         [ Done   ]
                                                         [ Cancel ]

Down arrow to [ Done ], then press enter.


          Profile setup

          Enter an email address from your account in the store.

                                 Email address:    _

          If you do not have an account, visit https://login.ubuntu.com to create one.

                                                         [ Done   ]
                                                         [ Cancel ]

Enter email address and arrow down to [ Done ], then press enter.


          Configuration Complete

          This device is registered to [email protected].

          Remote access was enabled via authentication with SSO user <popey>.
          Public SSH keys were added to the device for remote access.

          [email protected] can connect remotely to this device via SSH:

              ssh [email protected]

                                                         [ Finish ]

Press enter.

Ubuntu Core 16 on 192.168.1.101 (tty1)

The host key fingerprints are:

    RSA     SHA256:aiphookohRei5ish6phai2ukiolouth0tu
    DSA     SHA256:deey2ak9CheiQuohlai5mie6vah6aethei
    ECDSA   SHA256:Eenoh7Ujoh1Thip8iebee4phooSohnuaku
    ED25519 SHA256:vahNaephuifohcuov8eegho3kae0ohquae

To login:

    ssh [email protected]

Personalize your account at https://login.ubuntu.com.

The installation of Ubuntu Core is now complete.

Set up easy-openvpn

These steps are performed on the Raspberry Pi, typically over SSH.

Enable IP Forwarding

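IP forwarding is typically disabled on Linux, and that's the same on Ubuntu Core. I'm only enabling IPv4 forwarding because I don't use IPv6. Note that sysctl -w changes the running kernel only, so the setting does not persist across a reboot.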

$ sudo sysctl -w net.ipv4.ip_forward=1

Install Easy OpenVPN

$ snap install easy-openvpn

Discover the public IP

As this will be accessed from the outside world, OpenVPN needs to know the external (public) IP. We discover it with a little Python.

$ python3 -c 'from requests import get;print(get("https://api.ipify.org").text)'
82.16.x.y

Configure Easy OpenVPN

Use the IP address discovered above when launching the easy-openvpn setup:

$ sudo easy-openvpn.setup -u udp://82.16.x.y

Here's the typical output from that command, for reference.

Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Successfully generated config
Cleaning up before Exit ...

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /var/snap/easy-openvpn/8/openvpn/pki

Generating a 2048 bit RSA private key
.+++
.......................+++
writing new private key to '/var/snap/easy-openvpn/8/openvpn/pki/private/ca.key.vKlxSiGKEi'

At this point setup asks for a passphrase, which is not echoed to the screen. Carefully type and re-type the secure passphrase you'd like to use.

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Next we specify a Common Name.

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:popey

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/var/snap/easy-openvpn/8/openvpn/pki/ca.crt

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

Now we wait. This part takes a good few minutes, depending on the speed of your Raspberry Pi. On mine it took 30 minutes. It prints dots, plus signs and stars to indicate progress. Be patient.

...........................................+.................................................................................................................................................+.............................................+............

DH parameters of size 2048 created at /var/snap/easy-openvpn/8/openvpn/pki/dh.pem

Generating a 2048 bit RSA private key
........................+++
..........+++
writing new private key to '/var/snap/easy-openvpn/8/openvpn/pki/private/82.16.x.y.key.743Ookmf05'
-----
Using configuration from /snap/easy-openvpn/8/usr/local/easyrsa/openssl-1.0.cnf
Enter pass phrase for /var/snap/easy-openvpn/8/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'82.16.x.y'
Certificate is to be certified until Oct  6 10:00:19 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Using configuration from /snap/easy-openvpn/8/usr/local/easyrsa/openssl-1.0.cnf
Enter pass phrase for /var/snap/easy-openvpn/8/openvpn/pki/private/ca.key:

An updated CRL has been created.
CRL file: /var/snap/easy-openvpn/8/openvpn/pki/crl.pem

Start the OpenVPN server

$ sudo service snap.easy-openvpn.easy-openvpn start

Export client config

This config file needs to be transferred securely to the clients that need to connect.

The home interface is not connected by default on Ubuntu Core, so we connect it in order to export the client config file to the home directory.

$ snap connect easy-openvpn:home :home

Next we export the client config file which will be used on the laptop that will connect to the VPN.

$ sudo easy-openvpn.add-client popey_laptop > popey_laptop_vpn_config.ovpn

The snap no longer needs access to the home interface, so we'll disconnect it.

$ snap disconnect easy-openvpn:home

Now copy the ovpn file to your clients. I use scp to copy over the LAN, then delete it from the server.
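
A check to run on the exported profile before copying it anywhere, as an added example that is not part of the original gist. It assumes the .ovpn file carries the client's private key inline (a <key> block) and flags a profile that group or other users can read; the function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an exported .ovpn profile before it leaves the server.
# Assumption: the profile embeds the client's private key inline (<key> block).

# Return 0 if FILE carries an inline private key.
has_inline_key() {
    grep -q -e '^<key>' -e 'PRIVATE KEY-----' -- "$1"
}

# Return 0 if FILE grants no permissions to group or others.
is_owner_only() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print a verdict; return 0 (ok), 1 (exposed key) or 2 (unreadable).
audit_ovpn() {
    f=$1
    [ -r "$f" ] || { echo "UNREADABLE $f"; return 2; }
    if has_inline_key "$f" && ! is_owner_only "$f"; then
        echo "EXPOSED $f: private key readable by group/others"
        return 1
    fi
    echo "OK $f"
}

# Constructed sample profile (placeholder text, not real key material).
make_sample_profile() {
    cat > "$1" <<'EOF'
client
proto udp
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    p="$dir/popey_laptop_vpn_config.ovpn"
    make_sample_profile "$p"
    chmod 644 "$p"; audit_ovpn "$p" || true   # typical default mode: flagged
    chmod 600 "$p"; audit_ovpn "$p" || true   # owner-only: passes
    rm -rf "$dir"
}
demo
```

Running `umask 077` in the shell before the `add-client` redirect creates the file owner-only in the first place.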

Set up the client

Install OpenVPN support

I use Ubuntu 18.04 on my laptop, which doesn't support OpenVPN out of the box, but support can easily be added.

$ sudo apt install network-manager-openvpn-gnome

Restart Network Manager

$ sudo systemctl restart NetworkManager

Import OpenVPN client config

On Ubuntu Desktop, search for Settings.

In settings, go to network, VPN, "+", "Import from file". Select the .ovpn file copied from the Raspberry Pi.

Connect to the VPN

In Ubuntu click the indicator area, select "VPN Off" then click "Connect".

Show connection status on the server

On the Raspberry Pi

$ sudo easy-openvpn.clients

This shows the connected clients in a list:

name,begin,end,status
popey,Oct  9 10:28:55 2018 GMT,Oct  6 10:28:55 2028 GMT,VALID
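
A way to review that list automatically, as an added example that is not part of the original gist. It parses the name,begin,end,status columns shown above and flags any row whose status is not VALID or whose end date falls before a cutoff; the function names, the extra sample rows and the REVOKED status value are constructed assumptions.

```shell
#!/bin/sh
# Added example: review the list printed by `sudo easy-openvpn.clients`
# (columns: name,begin,end,status) and flag rows that need attention.
# CUTOFF is a date as YYYYMMDD; certificates ending before it are flagged.

review_clients() {
    awk -F, -v cutoff="$1" '
    BEGIN {
        bad = 0
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) month[m[i]] = i
    }
    NF == 0 { next }                           # blank line
    NR == 1 && $1 == "name" { next }           # header row
    NF < 4 { print "MALFORMED line " NR; bad = 1; next }
    {
        split($3, d, " ")                      # Mon DD HH:MM:SS YYYY TZ
        endkey = d[4] * 10000 + month[d[1]] * 100 + d[2]
        if ($4 != "VALID") {
            print "REVIEW " $1 ": status " $4; bad = 1
        } else if (endkey < cutoff) {
            print "REVIEW " $1 ": ends " $3; bad = 1
        } else {
            print "OK " $1 ": until " $3
        }
    }
    END { exit bad }'
}

# Constructed sample: the first data row is from the page, the others are
# made up (including the assumed REVOKED status) to exercise each branch.
sample_clients() {
    cat <<'EOF'
name,begin,end,status
popey,Oct  9 10:28:55 2018 GMT,Oct  6 10:28:55 2028 GMT,VALID
old_phone,Jan  2 09:00:00 2009 GMT,Dec 31 09:00:00 2018 GMT,VALID
lost_tablet,Oct  9 10:30:00 2018 GMT,Oct  6 10:30:00 2028 GMT,REVOKED
EOF
}

# On the Pi: sudo easy-openvpn.clients | review_clients "$(date +%Y%m%d)"
sample_clients | review_clients 20190101 || echo "some clients need review"
```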
