Setting up a Home VPN Server Using Your Raspberry Pi

By Patrick Catanzariti
We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now


It’s IoT Week at SitePoint! All week we’re publishing articles focused on the intersection of the internet and the physical world, so keep checking the IoT tag for the latest updates.

One part of working with the Internet of Things is the difficulty of connecting to devices in your home when you aren’t in your home network. I face this difficulty every week when travelling around — I need to run tests and build Internet of Things demos, yet I’m not home to do so! I decided to turn my Raspberry Pi into a VPN so I could connect to my home network remotely. Here’s how you can do the same thing using an OpenVPN installer called PiVPN.

You can run through the following tutorial using either the terminal on your Pi or using SSH to connect to your Raspberry Pi remotely. If you aren’t quite sure how to SSH into your Raspberry Pi, I have a short guide on how to SSH into a Raspberry Pi which might help! If you don’t have a static IP address set up on your Pi, I’d recommend working directly on your Pi (otherwise, it’s likely your IP addresses will change during the process to a static IP and kick you out of your SSH session!).

Starting the Install Process

To get started, we run the following command in our Pi’s terminal (either via SSH or directly on the Pi):

curl -L | bash

Important Note: This command parses a random script downloaded from the web directly into your Pi’s bash. That can be incredibly dangerous if you don’t trust the installation source, as it will run whatever code you give it straight away. I haven’t gone through and vetted their bash command line by line (I trust them!) but it is available to look through on their GitHub account (under within the auto_install folder) if you have any concerns.

Running that command will open a slightly nicer looking, text-based GUI that starts with a simple prompt:

Initial automated installer prompt

Once you’ve hit Enter, you’ll be taken to another screen which will point out that a static IP address is important for this VPN service to work: if you don’t have a static IP for your Pi, your router won’t have an IP address to forward VPN functionality to. Don’t have a static IP on your Pi? Don’t worry — the automated installer will set up a static IP for you soon.

Screen telling you to have a static IP

Hit Enter to go to the next screen:

Ethernet or Wi-Fi selection

Be careful on this screen: hitting Enter will take you to the next screen, rather than making a selection in the two radio button options. I made this mistake during the install process, and it gets messy to restart the install process to change it!

In the interface selection, you can choose whether you’d like to set the VPN up on your ethernet connection (eth0) or your Wi-Fi (wlan0). I personally choose Wi-Fi as my Pi isn’t close to my router. If you can connect the Pi via ethernet, this will be much better for speeds! To choose an option, move your selection with the arrow keys and select it with the Spacebar. Then click Enter to go to the next screen.

Confirmation of current IP address screen

This screen confirms your current IP address for the Pi. I personally wanted to change my Pi’s IP to something more memorable, so I clicked the arrow key to move my selection to <No> and hit Spacebar to select it. I then hit Enter to go to the setup to change my Pi’s static IP.

Entering desired IP address

In this screen, you’ll enter in the static IP address you’d like your Pi to have. I chose Once you’ve got the IP address you’d like, hit Enter.

IP address of the gateway

In this screen, you’ll need to enter in the IP address of your router or default gateway. This will depend on your network setup, but a lot of the time this will be If you aren’t sure, try entering whatever IP address you enter to get to your router’s config page in your browser. Once you’ve got this entered in, hit the Enter key.

Confirmation of IP address

Hit Enter on this screen to confirm your IP address settings are correct. They should look similar to my ones above if your home network is set up to the defaults of most home networks. If not, chances are high that you already know your own settings.

Settings confirmed

The visual GUI style interface will then disappear and you’ll see in the terminal that your settings are confirmed in the text shown. Wait a bit as it performs these actions to set a static IP and so on. If you’ve SSHed in and just changed your IP address … chances are, this is where you’ll get stuck, because your connection will get dropped! If this happens to you, run through the process again, but connect to the static IP you set up this time around.

Once PiVPN’s network setting adjustments are done, it will bring you back to a nicer looking screen.

User selection start screen

This screen above is just notifying us that we will soon choose our VPN’s local user. Hit Enter to begin and move to the next screen.

Choosing Pi user

In this screen, if your Pi is set to defaults you’ll likely only have one option — the pi user. If that’s the case, hit Enter! If you’ve got a custom user set up and want to set things up through that, select that user via the arrow keys and hit Spacebar. Then once that user is selected, hit Enter.

Unattended upgrades explanation

This next screen is advising you of something that’s incredibly important to pay attention to! Setting up your Pi as a VPN means it will have a port open to the wider internet. This comes with serious responsibility: if security issues arise, your Pi is potentially open for anyone to access. Access to your Pi as a VPN means something incredibly dangerous depending on how your network is set up. It likely means access to your whole home network. For this reason, PiVPN recommends turning on unattended upgrades, which will automatically update security packages at the very least. It is important to note it is still your responsibility to watch for security vulnerabilities in the press and keep an eye out for strange activity on your network. You can set up most routers to show logs of connections and so on; keep an eye on these things and more.

Do you want unattended upgrades question

So, for the unattended upgrades question, you’ll likely want to say yes — unless you know what you’re doing in terms of maintaining your Pi’s updates. Once you make that decision, the fancy UI screen will disappear.

Looking up updates

Here it’s checking for potential updates via apt-get. After this process, it will notify you if there are updates you should do after installation. In my case, it found 143 updates on my rather old and upgraded Pi! After this whole process of getting the VPN running, run sudo apt-get upgrade to ensure your Pi is secure in the immediate future.

It then also checks if OpenVPN is installed on your Pi. If not, it begins that process! That should bring up the following screen:

Setting the default VPN port

This screen is part of the OpenVPN install process. You can choose which port to run your VPN through on the Pi. I left it as is — at port 1194 — and hit Enter.

Confirming VPN port

Check that the port entered looks correct, then hit Enter once more.


In the screen above, we’re choosing our desired level of encryption. The larger the encryption, the longer it will take to run and set up — but the more secure it will be. I stuck with 2048-bit as recommended and hit Enter. I wouldn’t recommend dropping to 1024-bit, but if you’d like super thorough encryption, you could go up to 4096-bit.

Default values notification

Now, this screen above just tells us that the next one is going to show the default values for the security certificate info. It lets you know you don’t need to change them as you and the clients who connect are the only ones who’ll see them. It speaks the truth. You don’t need to worry about changing these. Hit Enter to go to the next screen.


Not only do you not need to worry about changing them, I couldn’t see a way to change the values in this screen either. Look through them and then click Enter.

Are these values correct

It will ask if those values are correct, just hit Enter once more.

Alert for key generation

Next, it lets you know that it’s about to generate your encryption keys. Click Enter.

Generating encryption keys

It will then leave the slick UI and bring you back to the terminal, where it begins key generation. It will take a while to generate — longer if you chose 4096-bit encryption!

Still generating

A really long time …

And even now still generating

Definitely grab some tea or coffee while this runs.

Public IP or DNS

Once it’s done, it will ask whether or not you’ve got a public DNS entry you’d like to use, or whether you’d like to use an IP address. This part is entirely up to you. Your IP address is the public facing IP that you have on the web from your ISP. It’s the one that appears if you go to services like Some ISPs give a static one that won’t change, others will change it intermittently.

With my own ISP, there’s no guarantee it will remain the same, so I registered with No-IP — a service that allows you to link a free web address they provide (such as to your public IP. If your IP changes, you can change the value with No-IP.

If you want to use the IP address provided by your ISP, leave it as is and hit Enter. Otherwise, navigate to “DNS Entry” with your keyboard, hit Spacebar and then hit Enter to go to the next screen.

Public DNS Name

If you chose “DNS Entry”, you’ll be prompted with the screen above. Add your URL as I’ve done above. If you chose “IP address”, it’ll ask for that instead.

Choosing DNS provider

Next, you’ll be asked to select the DNS provider you’d like to use for your VPN. This can be important if the reason you’re looking to have a VPN is for privacy: whichever DNS provider you choose will have visibility over requests made by the VPN. If you’re looking for a completely private VPN, you’ll want a more private DNS solution. In my case, I’m not using it for that purpose and left it as “Google”, hitting Enter to continue on.

Success screen

With that, you’ve successfully run through the installation! Click Enter to pass through the congratulatory screen but take note that we’ll need to run pivpn add as it says!

Reboot option

Choose Yes to reboot your Pi! You may need to select it with the keyboard as with other selections earlier.

Final terminal bits and pieces

It should do its final bits and pieces and then restart your Pi.

Remember to Update!

Remember — now you’ve completed the whole process of getting the VPN installed, run the following command to ensure your Pi is secure in the immediate future:

sudo apt-get upgrade

Once that is all updated, we can feel safe enough to set up a client for VPN access!

Setting up Your First VPN Client

From this point, you’ve got an OpenVPN instance running on your Pi through PiVPN. However, to access the VPN from other computers and devices on the network, it will need a client that these devices can connect through. To add this client, we enter the following command:

pivpn add

It will ask you for a name for the client. Call it whatever your heart desires. It will also ask for a passphrase: this is the password for accessing the VPN through this client. Don’t forget this one — as you otherwise won’t be able to connect to your VPN server using this client!

Once you’ve done that, it will generate an .ovpn file for that client. You’ll need this to log in on each client device.

OpenVPN Clients

There are a range of OpenVPN clients you can download to use on various platforms. You can find them at Those aren’t the only ones available; I personally used Tunnelblick on my Mac.

Port Forwarding

One area that will be different for everyone is port forwarding on your router. You need to set up forwarding on your router for the port you set up for the VPN (by default, it was 1194). We want any requests to that port to go to your Pi’s IP address. This setup is different for every router; however, you can find out more about the process of port forwarding here. Look up “port forwarding” and your router name to find out how to do this for your own router. Be careful when updating router settings!

FTPing Your Key

The easiest way to copy across files from your Pi is using SFTP. You can do this using FTP programs like Filezilla. There are official docs on how to use FTP with Raspberry Pi here. Once you’ve connected to your Pi, copy across your key from /home/pi/ovpns:


Connecting to Your Pi’s FTP

Once you’ve got everything set up, open up your OpenVPN application on your device and load up the .ovpn file you’ve downloaded from the Pi. Upon loading it, it will ask for the passphrase you set: enter that in, and it should run through and connect you!


Now that you’ve successfully connected to your home network via a VPN, you should be able to access devices on that network with ease. For example, if you’ve got a local web server on that network, you should be able to visit web pages running on that server using its local network address. Likewise, if you try to connect to an IoT device on the network from your VPN-connected device using its IP address, it should now work!

If you have any tips for setting up a VPN over Raspberry Pi, tips on securing a Raspberry Pi better on the open web, or additional ideas on what’s possible after a VPN is set up, I’d love to hear them! Let me know in the comments below, or get in touch with me on Twitter at @thatpatrickguy.

We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now
  • TariAkpodiete

    oh, i LIKE this!

    • Patrick Catanzariti

      Me too! My VPN server has been running for about a month now with no problems. Loving it!

      • Sven

        many thanks Pat !! I threw my Pi-1 in the drawer after failing miserably with the BBC Click version of this. so much simpler with much less chance of human error and just about zero Linux knowledge required.
        PiVPN up and running, Great Job.

  • To me the real winner here is the installation process. Very nice. Something you don’t see in the stock OpenVPN server installer for both Linux and Windows. You’re stuck manually editing the config, routes and generating encryption/auth keys just to get a base install.

    • Patrick Catanzariti

      Yeah, from the other times I’ve set up VPNs on Linux installs and VPS builds, this makes things easier and because it’s a private home VPN server, so much of the process is fine with defaults for the base install. Makes life much easier!

  • Patrick Catanzariti

    To be totally honest with you, I’m not entirely sure what ports those run on. It’d be worth looking into whether OpenVPN plays well with those services, as that’s what PiVPN is basically installing onto your Pi. If the ports might cross over, you’d need to ensure you choose a different port in the install process. Otherwise… I think it’d be okay — but I couldn’t say for sure. I’d personally recommend doing a bit of double checking and understanding what OpenVPN would install on your Pi before going ahead with it. I ran the process on a Pi without too much already running but a web server and it seemed to be ok.

  • Strange, I’ve installed this and wasn’t ever prompted to enter my hostname as seen here:

    Any ideas?

    • Patrick Catanzariti

      That’s really strange! I’m afraid I don’t have a Pi on me as I’m travelling at the moment, so I can’t double check this… it really should give you that prompt though :/

    • I wasn’t prompted for my hostname, either.

  • Patrick Catanzariti

    I’m glad you worked out how to get it running! Thanks for leaving that link to help others :)

  • Patrick Catanzariti

    Thanks for the link! It’s definitely a risk, just like almost every other application and script on the internet which you haven’t built yourself. I mention the potential risk of running a random bash script in the article and agree with you — it’s a risk each person needs to weigh up before running it on their Pi.

    For me, the installation process and everything using PiVPN just simplified things and made it much quicker for a simple home VPN solution. The code is all available on GitHub to look through and audit for anyone who is concerned, and the OpenVPN packages are also relatively simple to follow. I’ve installed VPNs via those methods too, however PiVPN is just a bit more convenient so I felt it was worth an article :)

  • Hi! I’m getting “TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) TLS Error: TLS handshake failed” when I try to connect with it.

    I’m using a Mac with Tunnelblick and a raspberry pi I bought yesterday loaded with Raspbian installed using NOOBs.

    What should I do with it?

    • Patrick Catanzariti

      A similar suggestion to Jerry above is all I can think of — have you adjusted the settings on your home router to allow for the VPN port traffic to go through to it?

  • Jerry Steele

    I follow the instructions and take all the defaults. The Pi side looks like the example. I cannot connect on the client side. I get the “ConnectionRefusedError: 10061: No connection could be made because the target machine actively refused it..” error. What am I doing wrong? HELP?????

    • Patrick Catanzariti

      I’m not sure what it could be, I haven’t had that message before :/ What VPN program are you using to try to connect?

      • Patrick Catanzariti

        Have you adjusted the settings on your home router to allow for the VPN port traffic to go through to it?

    • Jerry Steele

      I’m using OpenVPN Client.
      I don’t have a router connected. I am going from my ethernet port thru a cable to the Pi. I wanted to get a connection first and then add to the system.

  • Jerry Steele

    I follow the instructions and take all the defaults. The Pi side looks like the example. I cannot connect on the client side. I get the “ConnectionRefusedError: 10061: No connection could be made because the target machine actively refused it..” error. What am I doing wrong? HELP?????

  • Jerry Steele

    I’m still trying… I’ve never set up a VPN before, so please bear with me.
    The first IP that the script asks for, you set it to, is that the IP address for wlan0? So if I complete the setup, reboot, and do an ifconfig, wlan0 will have an IP of If not, who gets

    The next IP,, is the public IP that is accessed by the client? Who gets that IP? eth0? After the setup, reboot, and an ifconfig, eth0 will have Do I have to change /etc/network/interfaces?

    Thanks for your help….

  • Jerry Steele

    OK, I found what I was doing wrong. I was opening the OpenVPN client with the gui box that asks the server, etc. I didn’t see the file option on the client.ovpn file to launch with openvpn. Once I launched it with that, all was good.

    Now to the reason I was trying to do this….. I have a customer that has their private intra-plant network setup with public IP addresses. The person who did this is long gone. There are now over 300 devices on this network across 2 subnets. This network is used for control systems and data acquisition systems to talk to each other. I need the ability to access the network from offsite if they have a problem.

    All the solutions I have tried so far work until I try them with the public ips. Then they fail. Any ideas???

    – Jerry

  • Jerry Steele


  • Vincent Ward

    Hey, gone through this install but when I try to access the VPN (Both over LAN and from internet) OpenVPN comes up with “Process Started and then Immediately Exited” or “No Connection Could be Made Because the Target Machine Actively Refused it.”
    What are the possible reasons for this??

    • Jerry Steele

      I had that problem too if I used the OpenVPN client and used the connection profiles. When I right clicked the .ovpn file in file manager and clicked the option to open the file with OpenVPN, it connected. Is that similar to the problem you are having?

  • Chris Hague

    Is it possible to connect to the VPN using an iPhone?

  • Bethany James

    When I go to add a client, I get an error when it tries to generate a key after I create a client name and password.

    • One of the comments below said “I found what I was doing wrong. I was opening the OpenVPN client with the gui box that asks the server, etc. I didn’t see the file option on the client.ovpn file to launch with openvpn. Once I launched it with that, all was good.”

      Is that maybe what you were having an issue with? :/

  • me

    That’s the better for openvpn i have seen on the web…and i have test lot with a lot of error and don’t really works.
    Well, very well.

  • Stephen Goncalves

    Nice work. Very nice indeed.

  • bill steiner

    I added the port forwarding to 1194 and get a good openvn connection with Tunnellblick but fails on getting internet connection

  • Marvin

    I did a mistake in the part where I needed to change to use dyndns or ip address. What can I do at this point ?

    • I don’t have access to my PiVPN set up to give it a go but I think that the command for re-running the options was to type this into your command line: pivpn

  • Kem Tekinay

    Nice post! I did this yesterday before I found this, and it would have helped. You outlined the steps nicely.

    I didn’t get asked the hostname either (and I did it twice) so I used the public IP address and OpenDNS, then manually edited the file at /etc/openvpn/easy-rsa/keys/Default.txt to replace that IP address with the dynamic DNS hostname. This is what will be copied into the client configuration files when you create a new client profile.

    Now I just have to figure out how to get the OpenVPN web interface running.

    • Thanks for contributing with your findings on all this :) Did you get it all working a-okay?

  • Kem Tekinay

    To change the certificate values, use the spacebar to mark the fields you want to change, then press return. You will be asked for the value of each marked field in turn, if that matters to you.

  • Dozer

    Hi , nice guide but i have problem !?

    OpenVPN works like everything !!! just now i cant ping or install packages on RPi ?

  • Jeff Powell

    Problem: “Critical: Unable to locate configuration file to set static IPv4 address!”
    Solution: sudo apt-get install dhcpcd

    • Brian

      This didn’t work for me using debian jessie (but thanks for pointing me in the right direction). I had to use “sudo apt-get install dhcpcd5” to get by this error. Some users may have to uninstall the original dhcpcd if installing dhcpcd5 doesn’t work for them.

  • whitecollar16

    Does the Raspberry Pi traffic run through the vpn also? If not can I set it up as a client?

  • nishit patel

    hey guys!! I am stuck on the Waiting for the Server…and it dose not move ahead from it. any suggestions??

  • Gintautas Jankauskas

    Hi, very useful information. But now I need to change VPN Port. I selected 443 port, but now I need other like 1194. How I can edit this information. If after editing require regenerate certificate key?

  • bidyut das

    dear sir
    I have local web-server http:// :/Page?parameters with rest-api like put, post, get http api’s….this works perfectly on local network ….will creating vpn help me to access my webserver while I m out of local network….thx

  • Neil Kamulkar

    Hi, I have installed PIVpn and answered all the question properly but some how i cannot connect to the VPN box … what all ports are to be open on the box is it only 1194 or some other ports that have to be open

  • Cold Fish

    Please help. I ran the initial curl command. I don’t understand the vertical line and then the red bash. Was that supposed to be part of the command? I don’t have a vertical line like that on my keyboard so I’m a little lost. Anyway, after I ran the command a bunch of text appeared and then it gave me the command prompt again. No GUI. What did I do wrong? And yes, I know I don’t have a very firm grasp on all this, but I’m trying. Please advise.

    • It’s all part of the command, your keyboard will have the | (vertical line/pipe) symbol on it somewhere, but if not you can just copy the command from here and paste it into your terminal.

  • Rob Harkin

    I have completed the install and can successfully connect my clients using the profiles that are created. Does this actually install OpenVPN Access Server on the Pi that is usually accessible from https://:943/admin ?

  • Colin Gilker

    i am not sure about what client software install…

  • cghera

    I am interested in creating a VPN on my home but what I need is a device that will connect to the internet and provide VPN service and also connect to a separate network switch and allow inbound traffic only to that (lets say it is a separate server not connected to the internet). Is this possible with this solution? I understand that connecting the Pi on my router using a single interface (e.g wireless) will then give access to any other device attached on the router. Am I right? Is it possible to restrict access to the router inner network and give access on a different network connected to the ethernet port?

  • David Bateman

    imported the profile from my rpi to the application on my device, when i try to connect it doesnt ask for my passphrase and so doesnt connect, i am using OpenVPN Connect on my windows pc.

  • Brian Miller

    using this will I have internet access via the gateway on the remote site?