
This post was translated and adapted from here. All credit goes to the original author, whose blog has a myriad of other interesting things. I have reproduced it here for convenience. Instead of installing OpenVPN step by step, which is not particularly complicated but is rather long and tedious, we will use PiVPN. The site has all the explanations, plus further notes on what it does and does not do, but essentially it installs OpenVPN with the most common configuration.

Installer screen, "PiVPN Automated Installer": Welcome: This installer will transform your Raspberry Pi into an OpenVPN server!

Installer screen, "Static IP Needed": The PiVPN is a SERVER so it needs a STATIC IP ADDRESS to function properly. In the next section, you can choose to use your current network settings (DHCP) or to manually edit them.

Installer screen, "Choose An Interface (press space to select)": eth0 available, wlan0 available.

It is better to have a static address for our Raspberry.

Installer screen, "Static IP Address": Do you want to use your current network settings as a static address? IP address: 192.168.1.27/24, Gateway: 192.168.1.1

Installer screen, "FYI: IP Conflict": It is possible your router could still try to assign this IP to a device, which would cause a conflict. But in most cases the router is smart enough to not do that. If you are worried, either manually set the address, or modify the DHCP reservation pool so it does not include the IP you want. It is also possible to use a DHCP reservation, but if you are going to do that, you might as well set a static address.

We choose among the available users.

Installer screen, "Local Users": Choose a local user that will hold your ovpn configurations.

Installer screen, "Choose A User": list of local users to select from.

Installer screen, "Unattended Upgrades": Since this server will have at least one port open to the internet, it is recommended you enable unattended-upgrades. This feature will check daily for security package updates only and apply them when necessary. It will NOT automatically reboot the server so to fully apply some updates you should periodically reboot.

Installer screen, "Unattended Upgrades": Do you want to enable unattended upgrades of security patches to this server?


We choose UDP unless there are special circumstances.

Installer screen, "Protocol": Choose a protocol. Please only choose TCP if you know why you need TCP. Options: UDP, TCP.

For security reasons, you can also choose a different port instead of the standard 1194.

Installer screen, "Default OpenVPN Port": You can modify the default OpenVPN port. Enter a new value or hit 'Enter' to retain the default. Input field: 11948

Installer screen, "Confirm Custom Port Number": Are these settings correct? PORT: 11948

2048 bits for the key is more than enough.

Installer screen, "Encryption Strength": Choose your desired level of encryption: This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications it is recommended to use 2048 bit. If you are testing or just want to get through it quicker you can use 1024. If you are paranoid about ... things... then grab a cup of joe and pick 4096. Options: 2048 (Use 2048-bit encryption. Recommended level.), 1024 (Use 1024-bit encryption. Test level.), 4096 (Use 4096-bit encryption. Paranoid level.)

Installer screen, "Server Information": The server key, Diffie-Hellman key, and HMAC key will now be generated.

This step takes a few minutes.

Terminal output:

    CA Complete.
    Note: using Easy-RSA configuration from: ./vars
    Generating a 2048 bit RSA private key
    writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.e5HJAq4xqN'
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'server'
    Certificate is to be certified until Jan 11 18:43:01 2027 GMT (3650 days)
    Write out database with 1 new entries
    Data Base Updated
    Note: using Easy-RSA configuration from: ./vars
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time

If we do not have a fixed public IP address, we need to sign up for one of those services such as noip.

Installer screen, "Public IP or DNS": Will clients use a public IP or DNS Name to connect to your server? Options: Use this public IP, DNS Entry (Use a public DNS).

Among the DNS providers, a local pi-hole can also be chosen if one is present, but note that it requires some extra configuration.

You can safely install pivpn on the same raspberry pi as your pi-hole install. If you point your openvpn clients to the IP of your pi-hole for DNS (so they get ad blocking etc) then you will want to be sure to edit your /etc/dnsmasq.conf file to allow DNS resolution from the VPN interface. Look for this line:

    listen-address=127.0.0.1, 192.168.1.2, 10.8.0.1

Note your listen-address may just contain 127.0.0.1, the next IP should be the local IP of your pi-hole and the final IP, 10.8.0.1, is the PiVPN VPN interface. If you set this and have your VPN clients use 192.168.1.2 (in my example) as their DNS then you will get ad blocking over your VPN connections.
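One way to verify the listen-address change described above, as an added example that is not part of the original post or of PiVPN: a shell function that lists which expected addresses no active listen-address line covers. The three addresses are the ones from the text; the sample configuration file is constructed.

```shell
#!/bin/sh
# Added example: list the addresses that no active listen-address line
# in a dnsmasq configuration covers.

# missing_listen_addrs FILE ADDR...
# Prints every ADDR that is absent from the file's listen-address lines.
missing_listen_addrs() {
    conf=$1
    shift
    # Strip comments, then emit one configured address per line. The
    # directive may be repeated and may hold a comma-separated list.
    configured=$(sed -e 's/#.*//' "$conf" | awk -F= '
        $1 ~ /^[ \t]*listen-address[ \t]*$/ {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", a[i])
                if (a[i] != "") print a[i]
            }
        }')
    for want in "$@"; do
        # -x -F: exact whole-line match, so 10.8.0.1 never matches 10.8.0.10
        printf '%s\n' "$configured" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample (not a real /etc/dnsmasq.conf): VPN address missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
domain-needed
#listen-address=10.8.0.1
listen-address=127.0.0.1, 192.168.1.2
EOF
echo "missing before: $(missing_listen_addrs "$sample" 127.0.0.1 192.168.1.2 10.8.0.1)"

# Apply the line quoted in the text and check again.
sed 's/^listen-address=.*/listen-address=127.0.0.1, 192.168.1.2, 10.8.0.1/' \
    "$sample" > "$sample.new" && mv "$sample.new" "$sample"
echo "missing after: $(missing_listen_addrs "$sample" 127.0.0.1 192.168.1.2 10.8.0.1)"
rm -f "$sample"
```

On the Raspberry Pi itself, pass /etc/dnsmasq.conf as the first argument; empty output means all listed addresses are configured.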

Installer screen, "DNS Provider": Select the DNS provider for your VPN Clients. To use your own, select Custom. Options: Google, OpenDNS, Level3, DNS.WATCH, Norton, Custom.

Installer screen, "Installation Complete!": Now run 'pivpn add' to create the ovpn profiles. Run 'pivpn help' to see what else you can do! The install log is in /etc/pivpn.

Installer screen, "Reboot": It is strongly recommended you reboot after installation. Would you like to reboot now?

We run an update and upgrade to make sure everything is in order, and now we can create the ovpn files to transfer to the clients. We use the command 'pivpn add'.


Pay close attention to all the parameters requested, since they are needed later for the connection. The official clients can be found here for Android, and more generally on the OpenVPN site.

Finally, remember to open port 1194, or the other port set earlier, on the router.

Revision List

#1 on 2017-Feb-02 Thu 02:28+7200