Install OpenVPN Access Server on Raspberry Pi

Introduction

In this document we’ll show you how to install OpenVPN Access Server on a Raspberry Pi single-board computer. You can also use these steps as a reference for installing OpenVPN Access Server on other single-board computers on the ARM64 platform such as Orange Pi or Rock Pi. Note that Access Server performance is highly dependent on the CPU and network capabilities of your platform.

What's covered

  • How to create a bootable microSD card with Ubuntu Server 20.04.
  • How to install and launch OpenVPN Access Server.
  • How to sign in to the Admin Web UI.
  • How to connect VPN clients.

Before you begin

OpenVPN Access Server is available for Ubuntu 20.04 LTS ARM64. Note that Raspbian 10 (Buster) is not supported.

You’ll need:

  • A microSD card (8 GB or more recommended — 4 GB is possible).
  • A computer with a microSD card drive, or an SD card drive and a microSD card adapter.
  • A Raspberry Pi 4, 400, or CM4 (A Raspberry Pi 3 will be fairly slow, and Raspberry Pi 2 and older can’t run 64-bit software and so aren’t compatible)
  • Internet access
  • A monitor with an HDMI input (optional)
  • A microHDMI-HDMI cable (optional)
  • A USB keyboard (optional)

Install the Ubuntu image on the SD card

The first step is to install Ubuntu Server 20.04 on your Raspberry Pi and connect it to the network. Follow this tutorial, but skip step 5 (you don’t need to install a desktop):
How to install Ubuntu Server on your Raspberry Pi.

Note: The steps given in the tutorial will erase all existing content on your microSD card. If you already have Ubuntu 20.04 LTS ARM64 running on your Raspberry Pi board, you can skip the tutorial.

Boot Ubuntu server on the Raspberry Pi

Step 4 in the Ubuntu installation tutorial instructs you to “Boot Ubuntu Server”. This section repeats some of that information.

Refer to the appropriate section for your setup — choose between connecting directly with a keyboard and monitor or connecting to a headless server.

Connect directly with a keyboard and monitor

Prior to turning on your Raspberry Pi, ensure the keyboard is plugged in and the monitor is connected using the mini-HDMI port. Insert the SD card into your Raspberry Pi and switch it on. 

Note: Watch the boot process on screen. During the first boot, you must wait for the cloud-init tool to complete its configuration before trying to sign in.

Once cloud-init finishes, sign in using “ubuntu” as both the login ID and the password. At the prompt, change the password to something more secure.

Connect remotely (headless)

Insert the SD card into your Raspberry Pi and switch it on.

To connect, you’ll need:

  • The IP address of the Raspberry Pi on your local network
  • An SSH client

To determine the IP address of the Raspberry Pi,  look at your router’s DHCP client list to try to identify the device, or alternatively run the arp command to locate the device using its network interface MAC address.

On Ubuntu and macOS:

arp -na | grep -i “[beginning of MAC address]”

On Windows:

arp -a | findstr [beginning of MAC address]

For the MAC address, depending on theRaspberry Pi version, you can try to use one of the following:

  • “b8”
  • “dc”
  • “e4”

And, the output should return the IP address of your Raspberry Pi.

On Ubuntu and macOS, use the installed SSH client. Open a terminal and run the following command:

ssh ubuntu@[Raspberry Pi IP address]

On Windows 10, if you don’t already have an SSH client, you can use PuTTY or OpenSSH.

To connect with PuTTY:

  1. Open the PuTTY app.
  2. Enter the IP address of the Raspberry Pi in Host Name (or IP address).
  3. (Optional) Enter a name for the connection in Saved Sessions and click Save.
  4. Click Open.
  5. Read through the security prompt and click Yes to add the server host key to the registry cache.

To connect with bash (Ubuntu) on Windows:

  1. Open the bash app.
  2. Run the SSH command: ssh ubuntu@[Raspberry Pi IP address]

Once connected, enter “ubuntu” for the login ID and the password. At the prompt, set a new password and then reconnect with the SSH command and the new password.

Install OpenVPN Access Server

Set a time zone

First, you must set the time zone on your Raspberry Pi. It’s important that the time and date on your server are accurate for any certificate generation and verification as well as the time-based functionality of Google multi-factor authentication (MFA). To set the date and time, run these commands with root privileges:

apt update
apt -y install tzdata
dpkg-reconfigure tzdata

Provide internet access

OpenVPN Access Server can function entirely within an environment without internet access. However, without such access, VPN clients cannot connect over the internet. This document assumes the Raspberry Pi is connected to a private network that has Internet access through a router connected to the internet.

We recommend using a firewall with your network setup, such as those that are included in most internet routers. Access Server requires ports TCP 443, TCP 943, TCP 945 and UDP 1194 to be forwarded from the public internet to the private IP address of the Access Server on your Raspberry Pi behind the firewall.

Add the OpenVPN Access Server repository to your Raspberry Pi by from our Download OpenVPN page, click the Ubuntu icon, and choose Ubuntu 20 [arm64] in the modal that opens.

After installing the openvpn-as package, the initial configuration runs. Step through the script (if you select all default values, you can easily make changes later using the Admin Web UI rather than in Linux). Take note of the Admin UI and Client UI addresses at the completion of the configuration, and then set the password for the openvpn admin user by running this command with root privileges:

passwd openvpn

For more details refer to Finishing Configuration of Access Server.

Sign in to the Admin Web UI

Use your Admin UI address to connect to the Admin Web UI. Typically, the Admin Web UI  is located at the address of your Raspberry Pi with /admin/ appended, for example https://192.168.70.222/admin/. 

In a web browser, enter the URL and click through the security message. The security message appears because Access Server uses a self-signed certificate. You have the option of loading your own valid certificate in the web interface later on.

Sign in with the openvpn user and the new password. After reading and accepting the EULA, the first screen is Activation management, where you can paste your subscription key. 

You can use up to two concurrent connections to test every Access Server feature for free.  Grab a free activation key from our website. Then, paste the key and click Activate. When you’re ready for more connections, it’s easy to increase your connections on our site and the change reflects automatically on your Access Server.

The next step is to set up a fully qualified domain name (FQDN) such as vpn.example.com, which resolves to the public internet IP address of your Access Server. You can then configure that FQDN in your Access Server as the address to which your VPN clients connect. Once you have this address you can input it into the Hostname or IP address field in the Network Settings page in the Admin Web UI. After setting this up, your VPN clients will then know how to reach your Access Server from the public internet.

Connecting VPN clients

The final step is to connect VPN clients to your Raspberry Pi running OpenVPN Access Server. Download the pre-configured clients directly from the Access Server’s Client UI:

  1. Enter the IP address or FQDN of your server into a web browser. 
  2. Sign in as a user
  3. Download the OpenVPN Connect app for your OS and install it.

OpenVPN Connect is our free VPN client. Your Client UI provides pre-configured OpenVPN Connect apps to download. You can also choose to download only a connection profile and import it into a VPN client such as OpenVPN Connect or any other compatible OpenVPN client program.

Once you download and install the app, open it and click the user profile to connect.

Helpful resources

We provide free support as well as technical guides on our site. Here are some helpful resources: