My experience with PiVPN, OpenVPN for Raspberry Pi

Feb 14, 2018

PiVPN is an open-source project that makes it easy to turn your Raspberry Pi into a VPN server.

It is very easy to install:

$ curl -L https://install.pivpn.io | bash

Follow the wizard and you will have a VPN server in no time. The only thing I changed was creating a stronger key: 4096 bit.

But in the end it did not work, so I started debugging. First I checked for sockets:

# ss -tulpn
0      128              *:22         *:*     user:    (("sshd",pid=506,fd=3))

But it looks like only the ssh port is open. However, here is the catch: ss does not show open UDP ports (openvpn uses UDP) on ARM devices; this is a bug. Another tool to see open sockets is netstat.

# netstat -tunap
...
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           3176/openvpn
...

So openvpn is running and the socket is open. Next I looked at the strace output, by running openvpn manually on my Raspberry Pi:

# strace /usr/sbin/openvpn --verb 11 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid

And it kept spitting out these lines over and over:

poll([{fd=5, events=POLLIN|POLLPRI}, {fd=4, events=POLLIN|POLLPRI}], 2, 10000) = 0 (Timeout)
poll([{fd=5, events=POLLIN|POLLPRI}, {fd=4, events=POLLIN|POLLPRI}], 2, 10000) = 0 (Timeout)
lseek(3, 0, SEEK_SET)                   = 0
write(3, "TITLE\tOpenVPN 2.4.0 arm-unknown-"..., 134) = 134
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
write(3, "TIME\tTue Feb 13 19:53:44 2018\t15"..., 41) = 41
write(3, "HEADER\tCLIENT_LIST\tCommon Name\tR"..., 175) = 175
write(3, "HEADER\tROUTING_TABLE\tVirtual Add"..., 89) = 89
write(3, "GLOBAL_STATS\tMax bcast/mcast que"..., 44) = 44
write(3, "END\n", 4)                    = 4
lseek(3, 0, SEEK_CUR)                   = 487
ftruncate(3, 487)                       = 0

First I thought there was something wrong with my time, but then I saw the string "ROUTING TABLE". I was hoping I did not need to edit my iptables, but I had to add these 2 lines to forward the VPN tunnel.

-I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT

And it worked! Conclusion: blame manually written iptables!
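
An added example, not part of the original post: a shell check that reads an `iptables-save` dump and reports whether the two FORWARD rules above are present, which is the failure described here (OpenVPN listening, nothing forwarded). The function names and the sample ruleset are constructed for illustration; tun0, eth0 and 10.8.0.0/24 are taken from the post's rules.

```bash
# Added example: audit an `iptables-save` dump for the post's two FORWARD rules.
# Defaults (tun0, eth0, 10.8.0.0/24) come from those rules; all names are hypothetical.

# Succeeds if the filter table has a FORWARD ... -j ACCEPT rule containing
# every "|"-separated option in $2, in any order.
has_forward_accept() {
    awk -v want="$2" '
        BEGIN { n = split(want, tok, "|") }
        /^\*/ { table = $1 }
        table == "*filter" && /^-[AI] FORWARD / && / -j ACCEPT$/ {
            ok = 1
            for (i = 1; i <= n; i++)
                if (index($0 " ", " " tok[i] " ") == 0) ok = 0
            if (ok) { found = 1; exit }
        }
        END { exit !found }' "$1"
}

# Prints findings; exit status is the number of missing rules (0 = nothing missing).
check_vpn_forward() {
    local dump="$1" tun="${2:-tun0}" wan="${3:-eth0}" net="${4:-10.8.0.0/24}"
    local policy missing=0
    policy=$(awk '/^\*/ { t = $1 }
                  t == "*filter" && $1 == ":FORWARD" { print $2; exit }' "$dump")
    echo "FORWARD policy: ${policy:-unknown}"
    # Simplification: policy ACCEPT is treated as open; explicit DROP rules are not analysed.
    if [ "$policy" = "ACCEPT" ]; then return 0; fi
    if ! has_forward_accept "$dump" "-i $tun|-o $wan|-s $net"; then
        echo "MISSING: -I FORWARD -i $tun -o $wan -s $net -j ACCEPT"
        missing=$((missing + 1))
    fi
    if ! has_forward_accept "$dump" "-m conntrack|--ctstate RELATED,ESTABLISHED"; then
        echo "MISSING: -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample: a hand-written ruleset that drops forwarded traffic by default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
check_vpn_forward "$sample" || echo "client traffic from tun0 will not be forwarded"
```

On a live system the dump would come from `iptables-save > rules.txt` run as root.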