OpenVPN:Raspberry Pi Auto Connect

From jb-vpn.uk Wiki
Revision as of 13:44, 1 January 2026 by Josh (talk | contribs) (Major update - troubleshooting guide: Raspberry Pi OpenVPN Auto-Connect Setup (44 sections))

This guide walks through setting up a Raspberry Pi to automatically connect to the OpenVPN server when it boots. This assumes the Raspberry Pi is being set up from scratch with only the OS installed.

Prerequisites

  • Raspberry Pi with Raspberry Pi OS installed (Raspberry Pi OS Lite or Desktop)
  • SSH access to the Raspberry Pi (or physical access with keyboard/monitor)
  • OpenVPN client configuration file (.ovpn) from the server administrator
  • Network connectivity on the Raspberry Pi

Step 1: Initial System Setup

1.1 Update System Packages

First, ensure your Raspberry Pi is up to date:

sudo apt update
sudo apt upgrade -y

1.2 Install Required Packages

Install OpenVPN and other necessary tools:

sudo apt install -y openvpn network-manager-openvpn resolvconf

Note: The network-manager-openvpn package is optional but can be useful for GUI-based management. The resolvconf package helps manage DNS resolution when connected to the VPN.

Step 2: Obtain OpenVPN Configuration File

You need to obtain the .ovpn configuration file for your Raspberry Pi from the server administrator. This file contains:

  • Client certificate
  • Client private key
  • CA certificate
  • TLS-Crypt key
  • Server connection details

Common file locations on the server: /root/<client-name>.ovpn

2.1 Transfer Configuration File to Raspberry Pi

You can transfer the file using one of these methods:

Method 1: Using SCP (from your local machine)

scp /path/to/client.ovpn <username>@<raspberry-pi-ip>:~/client.ovpn

Method 2: Using SFTP

sftp <username>@<raspberry-pi-ip>
put /path/to/client.ovpn ~/client.ovpn
exit

Method 3: Copy and paste (if you have the file contents)

Create the file manually:

nano ~/client.ovpn

Paste the contents and save (Ctrl+X, then Y, then Enter).

Step 3: Install Configuration File

3.1 Copy Configuration to System Directory

Copy the .ovpn file to /etc/openvpn/client/:

sudo cp ~/client.ovpn /etc/openvpn/client/client.conf

Note: OpenVPN looks for .conf files in /etc/openvpn/client/, so we rename it to client.conf. If you have multiple VPN configurations, you can use descriptive names like raspberry-pi.conf.

3.2 Set Proper Permissions

Ensure the configuration file has the correct permissions:

sudo chmod 600 /etc/openvpn/client/client.conf
sudo chown root:root /etc/openvpn/client/client.conf

Step 4: Configure Auto-Start on Boot

4.1 Enable OpenVPN Service

Enable the OpenVPN client service to start automatically on boot:

sudo systemctl enable openvpn-client@client.service

Note: The service name format is openvpn-client@<config-name>.service, where <config-name> is the name of your .conf file without the extension. Since we named it client.conf, the service is openvpn-client@client.service.

4.2 Start the Service

Start the OpenVPN service immediately (without rebooting):

sudo systemctl start openvpn-client@client.service

4.3 Verify Service Status

Check that the service is running:

sudo systemctl status openvpn-client@client.service

You should see output indicating the service is active and running.

Step 5: Configure Auto-Reconnect

OpenVPN should automatically reconnect if the connection drops, but we can enhance this by modifying the configuration file.

5.1 Add Auto-Reconnect Options

Edit the configuration file:

sudo nano /etc/openvpn/client/client.conf

Add these lines at the end of the file (if they're not already present):

# Auto-reconnect settings
keepalive 10 120
persist-key
persist-tun
resolv-retry infinite

Explanation:

  • keepalive 10 120: Sends a ping every 10 seconds, restarts if no response for 120 seconds
  • persist-key: Keeps trying to read key files if they're temporarily unavailable
  • persist-tun: Keeps the TUN/TAP interface open across restarts
  • resolv-retry infinite: Keeps trying to resolve the server hostname if DNS fails

Save and exit (Ctrl+X, then Y, then Enter).

5.2 Restart the Service

Apply the changes:

sudo systemctl restart openvpn-client@client.service
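
Step 5.1 says to add the options only "if they're not already present". The function below does that check for you. It is an added example, not part of the original guide; the function name ensure_reconnect_opts is an assumption, and it must run as root to edit the file under /etc/openvpn/client/.

```shell
#!/bin/sh
# ensure_reconnect_opts FILE   (hypothetical helper, added example)
# Appends each Step 5.1 directive only when FILE has no active
# (uncommented) line for it. Prints the directives it added.
ensure_reconnect_opts() {
    local conf added line name
    conf=$1
    added=""
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }

    while IFS= read -r line; do
        name=${line%% *}    # directive keyword, e.g. "keepalive"
        # Active line: optional indent, keyword, then whitespace or EOL.
        # Lines starting with '#' or ';' are comments and do not match.
        if grep -Eq "^[[:space:]]*${name}([[:space:]]|\$)" "$conf"; then
            continue
        fi
        if [ -z "$added" ]; then
            # Start on a fresh line if the file lacks a trailing newline
            [ -n "$(tail -c 1 "$conf")" ] && echo >> "$conf"
            echo "# Auto-reconnect settings" >> "$conf"
        fi
        echo "$line" >> "$conf"
        added="$added $name"
    done <<'EOF'
keepalive 10 120
persist-key
persist-tun
resolv-retry infinite
EOF
    echo "${added# }"
}

# Usage (as root):
#   ensure_reconnect_opts /etc/openvpn/client/client.conf
#   systemctl restart openvpn-client@client.service
```

Running it a second time adds nothing, so it is safe to keep in a provisioning script.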

Step 6: Verify Connection

6.1 Check VPN Interface

Verify that the VPN interface (typically tun0) is up:

ip addr show tun0

You should see output showing the VPN interface with an IP address in the VPN subnet (e.g., 10.8.0.x).

6.2 Check Routing

Verify that traffic is being routed through the VPN:

ip route show

You should see routes indicating traffic is going through the tun0 interface.
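
To turn that visual check into something a script can assert on, the added example below (not part of the original guide) classifies `ip route show` output. It assumes the server pushes redirect-gateway def1, which installs the two half-default routes 0.0.0.0/1 and 128.0.0.0/1 on the tunnel; the function names and the sample routing table are constructed for illustration.

```shell
#!/bin/sh
# vpn_route_mode [IFACE]   (hypothetical helper, added example)
# Reads `ip route show` output on stdin and prints one of:
#   full-tunnel    all traffic is routed via IFACE
#   split-tunnel   only specific prefixes use IFACE
#   no-vpn-routes  nothing is routed via IFACE (traffic bypasses the VPN)
vpn_route_mode() {
    awk -v ifc="${1:-tun0}" '
        {
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != ifc) next
            seen = 1
            if ($1 == "0.0.0.0/1")   low  = 1   # def1 lower half
            if ($1 == "128.0.0.0/1") high = 1   # def1 upper half
            if ($1 == "default")     dflt = 1   # default replaced outright
        }
        END {
            if ((low && high) || dflt) print "full-tunnel"
            else if (seen)             print "split-tunnel"
            else                       print "no-vpn-routes"
        }'
}

# Constructed sample: a Pi on 192.168.1.0/24 with a def1 tunnel on tun0.
sample_routes() {
    cat <<'EOF'
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.50 metric 202
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.50 metric 202
203.0.113.10 via 192.168.1.1 dev eth0
EOF
}

sample_routes | vpn_route_mode tun0
```

On the Pi itself, run `ip route show | vpn_route_mode tun0`. A result of no-vpn-routes while the service reports active means traffic is leaving over the local network.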

6.3 Test Connectivity

Test connectivity to the VPN server:

# Ping the VPN server (adjust IP based on your VPN subnet)
ping -c 4 10.8.0.1

6.4 Check OpenVPN Logs

View OpenVPN logs to ensure everything is working:

sudo journalctl -u openvpn-client@client.service -f

Press Ctrl+C to exit the log viewer.

Step 7: Test Auto-Start on Boot

7.1 Reboot the Raspberry Pi

Reboot to verify the VPN connects automatically:

sudo reboot

7.2 Verify After Reboot

After the Raspberry Pi reboots, SSH back in and verify:

# Check service status
sudo systemctl status openvpn-client@client.service

# Check VPN interface
ip addr show tun0

# Check routing
ip route show

Troubleshooting

VPN Not Connecting on Boot

If the VPN doesn't connect automatically on boot, check:

  1. Service Status:
   sudo systemctl status openvpn-client@client.service
  2. Service Logs:
   sudo journalctl -u openvpn-client@client.service -n 50
  3. Network Timing: The VPN service might be starting before the network is ready. Check if network-online.target is enabled:
   sudo systemctl enable NetworkManager-wait-online.service
   # Or for systemd-networkd:
   sudo systemctl enable systemd-networkd-wait-online.service

VPN Interface Not Appearing

If tun0 doesn't appear:

  1. Check if OpenVPN is running:
   ps aux | grep openvpn
  2. Check configuration file syntax:
   sudo openvpn --config /etc/openvpn/client/client.conf --verb 4
  3. Verify TUN/TAP module is loaded:
   lsmod | grep tun
  If not loaded, load it:
   sudo modprobe tun

DNS Resolution Issues

If DNS isn't working after connecting:

  1. Check DNS settings:
   cat /etc/resolv.conf
  2. Install resolvconf if not already installed:
   sudo apt install resolvconf
  3. Restart the OpenVPN service:
   sudo systemctl restart openvpn-client@client.service

Connection Drops Frequently

If the connection drops frequently:

  1. Check network stability:
   ping -c 10 <vpn-server-ip>
  2. Review keepalive settings in the configuration file
  3. Check firewall rules that might be blocking OpenVPN traffic
  4. Review server logs on the VPN server for any issues

Permission Denied Errors

If you see permission errors:

  1. Verify file permissions:
   ls -l /etc/openvpn/client/client.conf
  Should show -rw------- (600) and owned by root:root
  2. Check directory permissions:
   ls -ld /etc/openvpn/client/

Advanced Configuration

Multiple VPN Configurations

If you need multiple VPN configurations:

  1. Copy additional .ovpn files to /etc/openvpn/client/ with different names:
   sudo cp ~/vpn2.ovpn /etc/openvpn/client/vpn2.conf
  2. Enable the additional service:
   sudo systemctl enable openvpn-client@vpn2.service
   sudo systemctl start openvpn-client@vpn2.service

Custom DNS Servers

To use custom DNS servers when connected to the VPN, add to your configuration file:

dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4

Route Specific Traffic Through VPN

To route only specific traffic through the VPN (split tunneling), modify the configuration file to remove or comment out:

# Redirect all traffic through VPN (remove or comment this line)
# redirect-gateway def1

Then add specific routes:

route 192.168.1.0 255.255.255.0

Security Considerations

  1. Protect Configuration Files: The .ovpn file contains private keys. Ensure it has restrictive permissions (600) and is owned by root.
  2. Regular Updates: Keep your Raspberry Pi OS and OpenVPN client updated:
   sudo apt update && sudo apt upgrade -y
  3. Firewall: Consider configuring a firewall (ufw) to allow only necessary traffic.
  4. Monitor Logs: Regularly check OpenVPN logs for any suspicious activity.
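
The permission requirements from Step 3.2 and the first item above can be checked in one pass, together with the inline blocks Step 2 says the file contains. This is an added example, not part of the original guide; the function name audit_ovpn_conf is an assumption, and it assumes the certificates and keys are embedded inline in the file rather than referenced as separate files.

```shell
#!/bin/sh
# audit_ovpn_conf FILE [EXPECTED_UID]   (hypothetical helper, added example)
# Prints one finding per line and returns 0 only when there are none.
# EXPECTED_UID defaults to 0 (root), as the guide requires.
audit_ovpn_conf() {
    local conf want_uid mode uid tag rc
    conf=$1
    want_uid=${2:-0}
    rc=0
    [ -f "$conf" ] || { echo "missing: $conf"; return 2; }

    # GNU stat: %a = octal mode, %u = numeric owner id
    mode=$(stat -c '%a' "$conf")
    uid=$(stat -c '%u' "$conf")
    if [ "$mode" != "600" ]; then
        echo "mode is $mode, expected 600"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid is $uid, expected $want_uid"
        rc=1
    fi

    # Inline blocks listed in Step 2: CA, client cert, private key, TLS-Crypt
    for tag in ca cert key tls-crypt; do
        if ! grep -q "^<$tag>" "$conf" || ! grep -q "^</$tag>" "$conf"; then
            echo "inline <$tag> block not found"
            rc=1
        fi
    done

    # Server connection details: at least one active 'remote' line
    if ! grep -Eq '^[[:space:]]*remote[[:space:]]+[^[:space:]]+' "$conf"; then
        echo "no remote directive"
        rc=1
    fi
    return $rc
}

# Usage (as root):
#   audit_ovpn_conf /etc/openvpn/client/client.conf && echo "config OK"
```

Also check the copy left in your home directory (~/client.ovpn): it holds the same private key and stays there after Step 3.1 unless you delete it.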

Summary

After completing these steps, your Raspberry Pi will:

  • Automatically connect to the OpenVPN server on boot
  • Automatically reconnect if the connection drops
  • Maintain the VPN connection as long as the device is powered on

Key Files:

  • Configuration: /etc/openvpn/client/client.conf
  • Service: openvpn-client@client.service
  • Logs: journalctl -u openvpn-client@client.service

Useful Commands:

  • Start VPN: sudo systemctl start openvpn-client@client.service
  • Stop VPN: sudo systemctl stop openvpn-client@client.service
  • Restart VPN: sudo systemctl restart openvpn-client@client.service
  • Check Status: sudo systemctl status openvpn-client@client.service
  • View Logs: sudo journalctl -u openvpn-client@client.service -f