Table of Contents
- PiVPN Wiki
PiVPN Wiki
What boards/OSes does PiVPN support?
PiVPN runs at least on the following boards:
- Raspberry Pi models (1/2/3/4/Zero) running Raspbian Stretch, Raspberry Pi OS Buster (32-bit), Ubuntu Server 20.04 Focal Fossa (32-bit and 64-bit).
- All SBC's running DietPi. This is currently: Odroid C1, Odroid C2 (arm64), Odroid XU3/4, Pine A64, NanoPi NEO, NanoPi NEO Air, NanoPi M1.
- Most servers running a Debian or Ubuntu based distro.
What About Octopi?
https://github.com/guysoft/OctoPi/issues/373 OctoPi doesn't play well with PiVPN installer as they use a git wrapper that blocks it from running as root user. To disable the git wrapper please do: sudo rm /root/bin/git
Testing
You can install from test branch via curl -L https://test.pivpn.io | TESTING= bash
Non-interactive installation
You can run the PiVPN installer from within scripts using the --unattended
command line option provided with a .conf file. You can find examples here.
curl -L https://install.pivpn.io > install.sh
chmod +x install.sh
./install.sh --unattended options.conf
It's not required to specify all options. If some of them are missing, they will be filled with defaults or generated at runtime if it can be done unambiguously. For example if you have just one network interface, such interface will be used but if you have more, the script will stop.
If not specified, IPv4addr
and IPv4gw
default to the current network settings, pivpnHOST
to the public IP, pivpnSEARCHDOMAIN
to empty. Rest of the default options are in the examples.
The options provided must make sense in relation to each other, for example you can't use TWO_POINT_FOUR=1
with pivpnENCRYPT=2048
.
Latest changes into master branch?
To know what has changed in the master branch read: https://github.com/pivpn/pivpn/blob/master/LatestUpdate.md
Uninstall
If at any point you wish to remove PiVPN from your Pi and revert it to a pre-installation state, such as if you want to undo a failed installation to try again or you want to remove PiVPN without installing a fresh Raspbian image, just run pivpn uninstall
.
My ISP doesn't give me a static external IP address, so my servers IP address keeps changing!
You will need a dynamic DNS service and a hostname. If your IP address changes, your hostname will then automatically point to the new IP address. Some free dynamic DNS services are http://noip.com, http://freedns.afraid.org/ or https://www.duckdns.org/.
DynDns
Refer to: https://help.dyn.com/ddclient/
apt-get install ddclient
and then this is my example conf in /etc/ddclient.conf
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
ssl=yes
protocol=dyndns2
use=web, web=checkip.dyndns.com, web-skip='IP Address'
server=members.dyndns.org
login=username
password='password'
mydyn.domain.com
If you use a namecheap domain your ddclient setup can be found here.
OpenVPN Technical Information
Info on TLS
'Modern' OpenVPN (2.x, using the TLS mode) basically sets up two connections:
The 'control channel'. This is a low bandwidth channel, over which e.g. network parameters and key material for the 'data channel' is exchanged'. OpenVPN uses TLS to protect control channel packets. The 'data channel'. This is the channel over which the actual VPN traffic is sent. This channel is keyed with key material exchanged over the control channel. Both these channels are duplexed over a single TCP or UDP port.
--tls-cipher controls the cipher used by the control channel. --cipher together with --auth control the protection of the data channel.
And regarding security, OpenVPN uses encrypt-then-mac for its data channel, rather than mac-then-encrypt like TLS. All the CBC-related issues you hear about are due to the combination mac-then-encrypt + CBC. This means that AES-CBC for the data channel is perfectly fine from a security perspective.
(And there is no GCM support for the data channel yet. That will arrive in OpenVPN 2.4.)
If I wanted to specify ciphers, this is the list I'd use (I think):
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
Tutorials
Here is a decent video tutorial. Note: I don't think you'd have to do anything with iptables as he shows. This shows connecting with Windows client.
Further Help
Check any closed issues with the information label!