Deploying a Secure Home VPN with OpenVPN on Raspberry Pi
For users who prefer the robust, widely-supported protocol of OpenVPN, setting up a private home VPN on a Raspberry Pi remains a highly effective solution. This guide walks you through the installation using PiVPN and provides specific instructions for accessing the configuration files and deploying them on popular travel routers like the GL.iNet Mango (GL-MT300N-V2) or Opal (GL-SFT1200).
Prerequisites
- A Raspberry Pi (3B+ or newer recommended), running Raspberry Pi OS Lite.
- SSH access to the Pi.
- Access to your router’s administrative settings for port forwarding.
- A GL.iNet travel router (Mango or Opal) to serve as the remote client.
- A Dynamic DNS (DDNS) hostname configured if you do not have a static public IP address. (See my previous post: How to Set Up No-IP Service for Your Home Network.)
Step 1: System Preparation and Static Local IP
Ensure your Pi is up to date and has a permanent local IP address. This static address tells your main router where to direct incoming VPN connections.
- Update Your System: Log into your Pi and execute:
    sudo apt update
    sudo apt full-upgrade -y
- Set a Static Local IP Address: Configure your Pi to use a fixed IP address outside your router's default DHCP range (e.g., use 192.168.1.50 if your router uses 192.168.1.100-200 for DHCP).
Step 2: Install and Configure PiVPN (OpenVPN)
We use PiVPN to automate the creation of the OpenVPN server, including certificates and encryption settings.
- Execute the Installation Script:
    curl -L https://install.pivpn.io | bash
- Follow the Dialogue Prompts:
  - Confirm the static IP address set in Step 1.
  - Select VPN Protocol: Choose OpenVPN when prompted.
  - Select Port: Use the standard OpenVPN port, 1194 (UDP), unless you need to change it.
  - Public IP or DNS: Input your DDNS hostname (e.g., myhomevpn.ddns.net) or choose 'Public IP' if you have a static address.
  - DNS Provider: Choose your preferred public DNS service (e.g., Cloudflare or Google).
  - Security: The installer will generate the server certificates.
- You will be prompted to reboot. Confirm to reboot.
Step 3: Configure Router Port Forwarding
You must instruct your home router to forward external VPN requests (on port 1194 UDP) to your Raspberry Pi’s internal static IP address.
- Log into your router’s web interface.
- Navigate to the "Port Forwarding" or "NAT" settings.
- Create a new forwarding rule:
  - External Port: 1194
  - Internal Port: 1194
  - Internal IP Address: The static IP of your Raspberry Pi (e.g., 192.168.1.50)
  - Protocol: Set this to UDP.
- Save and apply the settings.
Step 4: Generate OpenVPN Client Profiles
Create the .ovpn configuration file needed for your GL.iNet router client and any other devices (phones, tablets, laptops) that will connect.
- Add a Client: Log back into your Pi via SSH (after the reboot) and run:
    pivpn add
- Enter a descriptive name for the client (e.g., glinet_opal or joes_iphone).
- The .ovpn configuration file will be generated and saved in the /home/pi/ovpns directory.
- We will now set up a network share to easily retrieve this file.
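A generated profile is what a client uses to authenticate, so it is worth checking what a file contains before it is copied off the Pi. The script below is an added example, not part of the original guide or of PiVPN: it reports the server a profile points at and whether its embedded private key is passphrase-protected. The function names, the inline <key> layout and the sample profiles are assumptions made for the illustration.

```shell
# Added example, not PiVPN code; sample profiles are constructed placeholders.

# Print "remote=<host>:<port> proto=<proto> key=<state>" for one profile,
# where state is encrypted, plaintext, or none (no inline key found).
audit_ovpn() {
    awk '
        $1 == "remote"  { host = $2; port = $3 }
        $1 == "proto"   { proto = $2 }
        /^<key>/        { inkey = 1; next }
        /^<\/key>/      { inkey = 0; next }
        inkey && /-----BEGIN (RSA |EC )?PRIVATE KEY-----/ { state = "plaintext" }
        inkey && /-----BEGIN ENCRYPTED PRIVATE KEY-----/  { state = "encrypted" }
        inkey && /^Proc-Type: 4,ENCRYPTED/                { state = "encrypted" }
        END {
            if (state == "") state = "none"
            printf "remote=%s:%s proto=%s key=%s\n", host, port, proto, state
        }
    ' "$1"
}

# Succeed only if the embedded key is passphrase-protected.
ok_for_cloud() {
    case $(audit_ovpn "$1") in
        *key=encrypted) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample: $1 is the PEM label used for the placeholder key block.
sample_profile() {
    cat <<EOF
client
proto udp
remote myhomevpn.ddns.net 1194
<key>
-----BEGIN $1-----
(constructed placeholder, not key material)
-----END $1-----
</key>
EOF
}

tmp=$(mktemp -d)
sample_profile "PRIVATE KEY"           > "$tmp/glinet_opal.ovpn"
sample_profile "ENCRYPTED PRIVATE KEY" > "$tmp/joes_iphone.ovpn"
for f in "$tmp"/*.ovpn; do
    ok_for_cloud "$f" && verdict=ok || verdict="do not upload"
    printf '%s: %s (%s)\n' "${f##*/}" "$(audit_ovpn "$f")" "$verdict"
done
```

A profile reported as key=plaintext can be used by anyone who obtains the file, which matters once it is placed in shared or synced storage.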
Step 5: Setup Network Share (Samba) to Access Files
To easily transfer the .ovpn file to your computer and then into cloud storage (OneDrive, Dropbox, iCloud) for sharing, we will set up a Samba share on the Pi.
- Install Samba:
    sudo apt install samba samba-common-bin -y
- Set Samba Password: Set a password for the 'pi' user to access the share:
    sudo smbpasswd -a pi
  (Enter a secure password, different from your system password if desired.)
- Configure Samba Share: Edit the Samba configuration file:
    sudo nano /etc/samba/smb.conf
- Scroll to the very bottom of the file and add the following section to share the OpenVPN configuration folder:
    [OpenVPN_Configs]
    path = /home/pi/ovpns
    writeable = yes
    browseable = yes
    valid users = pi
- Save the file (Ctrl+O, then Enter) and exit the editor (Ctrl+X).
- Restart Samba Service:
    sudo systemctl restart smbd
- Retrieve the Configuration File: Access the share from your computer using your network file explorer (e.g., Finder on Mac, File Explorer on Windows) via the Pi’s static IP (e.g., \\192.168.1.50 or smb://192.168.1.50). Copy the [clientname].ovpn file and move it into your desired cloud folder (OneDrive, Dropbox, etc.).
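The share above exposes the folder that holds every client profile, and retrieving a file only needs read access from the local network. The script below is an added example, not part of the original guide: it checks a share stanza for write access and missing access restrictions, and runs the check against the stanza from this step and against a tighter variant. The share_findings helper, the temporary file names and the hardened stanza (read only, limited to the 192.168.1. example subnet) are assumptions made for the illustration.

```shell
# Added example, not from the original guide. share_findings is a hypothetical helper.

# Print one finding per line for share [$2] in the smb.conf-style file $1.
share_findings() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); insec = ($0 == want); next }
        !insec || /^[ \t]*[#;]/ { next }
        {
            n = index($0, "="); if (!n) next
            k = tolower(substr($0, 1, n - 1)); v = tolower(substr($0, n + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            opt[k] = v
        }
        END {
            if (opt["writeable"] == "yes" || opt["writable"] == "yes" || opt["read only"] == "no")
                print "share is writable"
            if (!("hosts allow" in opt)) print "no hosts allow restriction"
            if (!("valid users" in opt)) print "no valid users restriction"
            if (opt["guest ok"] == "yes") print "guest access enabled"
        }
    ' "$1"
}

conf=$(mktemp -d)
# The stanza exactly as given in Step 5.
cat > "$conf/page.conf" <<'EOF'
[OpenVPN_Configs]
path = /home/pi/ovpns
writeable = yes
browseable = yes
valid users = pi
EOF
# Constructed variant: read-only, and reachable only from the example LAN.
cat > "$conf/hardened.conf" <<'EOF'
[OpenVPN_Configs]
path = /home/pi/ovpns
read only = yes
browseable = yes
valid users = pi
hosts allow = 192.168.1. 127.0.0.1
EOF

for f in "$conf/page.conf" "$conf/hardened.conf"; do
    printf '%s:\n' "${f##*/}"
    share_findings "$f" OpenVPN_Configs | sed 's/^/  - /'
done
```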
Step 6: Configure Mobile, Tablet, and PC Clients
The .ovpn configuration file retrieved in Step 5 is used by OpenVPN client applications on virtually any operating system to establish the connection. Official OpenVPN apps are available for all major platforms, including phones, tablets, laptops, and personal computers.
- Install the OpenVPN Client App: Download and install the official or recommended OpenVPN client application for your specific device (iOS, Android, Windows, macOS, Linux).
- Import the Profile:
  - Transfer File: Use the cloud service (OneDrive, Dropbox, etc.) or a direct connection to transfer the [clientname].ovpn file to the device you wish to connect.
  - Import: Open the OpenVPN client app and select the option to "Import Profile" or "Import File." Choose the .ovpn file you just transferred.
- Connect: Once imported, activate the connection toggle or button within the OpenVPN app to establish the secure tunnel to your home network.
Step 7: Configure the GL.iNet Router (Client)
Finally, deploy the OpenVPN configuration onto your GL.iNet travel router (Mango or Opal).
- Access Router Interface: Connect to the GL.iNet router (via Ethernet or WiFi) and open its web management panel (usually http://192.168.8.1).
- Navigate to VPN Settings: Go to the "VPN" section and select "OpenVPN Client."
- Upload Configuration: Click the option to import an OVPN file. Upload the [clientname].ovpn file you retrieved in Step 5.
- Connect: Once the file is imported, click "Connect." Your GL.iNet router will now tunnel all its traffic (and the traffic of any device connected to it) back through your Raspberry Pi home VPN.