This recipe describes how to cook up a Raspberry Pi as a VPN server to provide secure access to your network via a public internet connection.
The ingredients are:

  • Raspberry Pi
  • 8GB SD card with Raspian Lite
  • Internet connection
  • Local network connection with static IP (not DHCP)
  • Access to your modem/router

Preparing the Pi

From a fresh install of Raspian Jessie Lite (April 2017 version):
Boot RaPi and log into the console with username "pi" and password "raspberry".
The following instructins assume a working internet connection.
Prepare the RaPi with the following commands:

sudo touch /boot/ssh
sudo adduser yourname
sudo adduser yourname sudo
sudo deluser pi
sudo mv /etc/sudoers.d/010_pi-nopasswd /etc/sudoers.d/010_yourname-nopassword
sudo nano /etc/sudoers.d/010_yourname-nopassword

You now in the file nano editor: change the user name pi to yourname. Ctrl-O to save and then Ctrl-X to exit the editor.

sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot

Your Pi will now perform a reboot. Log in via the console or via your local network using ssh.
Your RaPi is now up-to-date with the latest software.

OpenVPV Setup

You can find many different tutorials of varying complexity levels on the web but I found the simplest way to install OpenVPN on your Pi is by using PiVPN. To start the installation use the following command:

curl -L | bash

Follow the prompts and accept most of the default values.
Based on the STO principle I would recommend changing the default port number (1194) to a number between 10000 and 50000 - write it down!
Installation doesn't take very long but generating the security certificate can take some long time.
You will have the option of using a static public ip or DNS - using a free dns provider will work if your public Ip address is dynamic or if your ISP decides to change you static IP address.
Reboot at the end of install process and log back in to generate the client configuration:

pivpn add

Very important: Pick a very secure password! If someone gets hold of your client computer or the ovpn file the only thing left between a hacker and your network.

Transfer the ovpn file to your client computer:

scp ./client.ovpn This email address is being protected from spambots. You need JavaScript enabled to view it..x.x:~

The above secure file transfer example will work on Apple OS X or Linux clients and will place the ovpn in user's home directory.

Next we need to add a few rules with these commands:

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables-save > /etc/iptables/rules.v4

The netmask refers to the VPN tunnel address range. Check to see it matches the address in /etc/openvpn/server.conf "ifconfig" line.

This concludes the installation of OpenVPN.

OpenVPN V2.4 and above

From V2.4 checking of security certificate expiry has changed. To check openvpn version:

openvpn --version

An expired certificate will produce the following error in /var/log/openvpn.log:

VERIFY ERROR: depth=0, error=CRL has expired C=……

To check the security certificate expire date: 

openssl crl -in /etc/openvpn/crl.pem -text

To generate a new certificate and replace the old one:

cd /etc/openvpn/easy-rsa
./easyrsa gen-crl
mv pki/crl.pem /etc/openvpn

Default certificate expiry days is only 180 days
To get a longer expiry add to /etc/openvpn/easy-rsa/vars:

set_var EASYRSA_CRL_DAYS   18250

Before releasing your server into the wild install a certificate with an appropriate expiry date.

Router/Modem configuration

This part of the configuration is very specific to your hardware.
You need to know the [static] IP address of your RaPi and find the port forwarding setup in your router configuration. The port number used here should be the same as what you have chosen in the OpenVPN setup. Enable forwarding of UDP traffic from this port to the same port number on your RaPi IP address.
Activate the new configuration and your OpenVPN server is ready rock and roll.

Client Configuration

For Apple OS X install tunnelblick.
After installation drag the ovpn file into the tunnleblick window and press "connect", after you enter the password you should see the connection established.



OBDII is a great tool to give technicians access to many vehicle parameters which are interesting and sometimes even useful for diagnostic purposes. Applications range from free to $$ and vary in features and the number and type of parameters they can read. A little while ago I purchased a ELM327 WiFi OBDII module from eBay. The module looked exactly the same as another one I had seen in use but mine didn't work.

WiFi OBDII module (ELM327)


The WiFi access point "WiFi_OBDII" would appear and sometimes I could connect to WiFi but then failed at various points when the actual OBD software was trying to connect. Once it had been plugged in for a few minutes the WiFi connection could no longer be found. 

WiFi_OBDII connection error

The eBay seller sent me another unit but it exhibited the same symptoms so he refunded my purchase cost and let me keep the two modules. I purchased another module, from another eBay supplier and it worked fine. Now that I had two faulty modules I set my mind on fixing the faulty modules.


A simple optical comparison between the two modules showed the non-working modules were missing a solder bridge on the WiFi submodule pin header:

Faulty module
Working Module

The fix is easy: solder a bridge between the two pins on the faulty module.


The modules are now working but I suspect there is another problem still to be resolved.

The voltage regulators on the main board can only deliver a low current (~100mA) according to the data sheet. The WiFi submodule data sheet mentions operating current of up to 200mA.
I suspect the design of this board requires good quality regulators which can tolerate an overload situation. There is no visible difference in these components between working and non-working boards but I guess the non-working boards have a very cheap regulator (fake brand) which can cause the output voltage to collapse at sporadic intervals and temporarily interrupt the WiFi connection.