Building Your Own Raspberry-Pi VPN

Raspberry-Pi VPN – Introduction

In this post, I’m going to cover how to build your own VPN server, using a Raspberry-Pi.

Making your own Raspberry-Pi VPN is relatively simple by following this tutorial. As great as the tutorial is, it’s missing several security configurations which I shall discuss below:

1. Change ‘nopasswd’ config file to require a password

Straight out of the box, escalating your privileges to the super-user (su) doesn’t require a password. Change your sudo config settings to require a password.

sudo nano /etc/sudoers.d/<nopasswd filename>

Now that you’re in the text editor, remove the ‘NOPASSWD:’ tag from the rule line, so it looks like this:

Save your changes. From this point onwards, you should now have to enter your current user password to gain root privileges.
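The same change, scripted with a check, as an added example that is not part of the original post. The file path is a parameter so you can try it on a copy first; the real fragment name is whatever `ls /etc/sudoers.d` shows on your Pi (the tutorial's own filename is not assumed here).

```sh
#!/bin/sh
# Added example, not part of the original post: strip the NOPASSWD tag from a
# sudoers.d fragment and confirm that no passwordless rule remains. The path
# is a parameter so the functions can be exercised on a copy of the file.

# require_sudo_password FILE
# Turns "pi ALL=(ALL) NOPASSWD: ALL" into "pi ALL=(ALL) ALL" on every rule
# line. Comment lines are left alone, and running it twice is harmless.
# Writing back with cat keeps the file's mode (sudo insists on 0440 for
# sudoers files); mv would replace it with a default-mode file.
require_sudo_password() {
    f=$1
    tmp="$f.tmp"
    sed -e '/^[[:space:]]*#/!s/NOPASSWD:[[:space:]]*//g' "$f" > "$tmp" \
        && cat "$tmp" > "$f" \
        && rm -f "$tmp"
}

# count_nopasswd FILE
# Number of active (uncommented) rules that still carry NOPASSWD:. Zero means
# every sudo invocation granted by that file will now prompt for a password.
count_nopasswd() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'NOPASSWD:' || true
}
```

Before closing your root shell, validate the edited fragment with `sudo visudo -c -f /etc/sudoers.d/<nopasswd filename>`: a sudoers file with a syntax error stops sudo working altogether. `sudo visudo -f <file>` edits the fragment with that check built in, which is safer than nano for this file.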

2. Update your Raspberry-Pi

sudo apt-get update && sudo apt-get upgrade -y

3. Changing your default user passwords

I’m sure we can all agree that not changing your default passwords on any device is a terrible idea! Change your default passwords.

a. 'sudo su' - You will be prompted for your user password.
b. 'passwd' - You will be prompted to enter a new UNIX password (you are root at this point, so this sets the root password).
c. 'passwd pi' - This is to change the password of your user 'pi'.

It’s really important that you set a strong password and DO NOT use the same password between users! You can read more about this here: 

4. Strengthening your SSH configuration

By default, SSH configuration is weak, because it only requires a single password for any user (legitimate or attacker) to connect to the service. Single passwords are vulnerable to a brute force or dictionary attack. It’s far better to implement key based authentication. With key based authentication, even if a user's password is compromised, an attacker is still unable to access the service without the correct key.

Generating a key pair on your host machine:

ssh-keygen -b 2048

Enter the name you wish to call the keys (sshpi)
Enter your key password (Enter a strong password)

(Screenshot: generating SSH key pairs)

More on key pairs here.

Place your sshpi.pub key in the ‘authorized_keys’ file in the folder ‘.ssh’ of your Raspberry-Pi.

cat sshpi.pub

(Screenshot: public key output)

Copy all of the text, starting from ‘ssh-rsa’ to the very end. Paste it into your ‘authorized_keys’ file in the ‘.ssh’ folder of your Raspberry-Pi.

echo "PASTE sshpi.pub KEY HERE" >> ~/.ssh/authorized_keys

Now that you’ve added your public key, you need to change ssh config to remove the password option.

sudo nano /etc/ssh/sshd_config

Find the line ‘#PasswordAuthentication yes’, remove the hashtag and change it to ‘PasswordAuthentication no’.

SSH is now set up for key based authentication only.

ssh -i sshpi <username>@<IP ADDRESS>
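The key installation and sshd_config change above, scripted with a check of the value sshd will actually use, as an added example that is not part of the original post. Paths are parameters so it can be run against a copy of /etc/ssh/sshd_config before the real file; the key file name (sshpi.pub) and the authorized_keys spelling follow what sshd reads (it does not look at a file called authorised_keys or authorised_hosts).

```sh
#!/bin/sh
# Added example, not part of the original post: install a public key the way
# sshd expects it and turn off password logins in an sshd_config, then read
# back the value sshd will really use. Paths are parameters so the functions
# can be exercised on copies before touching the live system.

# install_authorized_key PUBKEY_FILE SSH_DIR
# Appends the key once (re-running does not duplicate it) and sets the modes
# sshd's default StrictModes requires: 700 on ~/.ssh, 600 on authorized_keys.
# With looser modes the key is silently ignored and the login falls back to a
# password, or fails outright once passwords are disabled.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=$2
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$ssh_dir/authorized_keys"
    chmod 600 "$ssh_dir/authorized_keys"
    key=$(cat "$pubkey_file")
    grep -qxF "$key" "$ssh_dir/authorized_keys" \
        || printf '%s\n' "$key" >> "$ssh_dir/authorized_keys"
}

# disable_password_auth CONFIG
# Rewrites every PasswordAuthentication line, commented or not, to "no".
# sshd uses the FIRST matching directive in the file, so uncommenting a "no"
# that sits below an existing "yes" would leave password logins enabled.
disable_password_auth() {
    cfg=$1
    tmp="$cfg.tmp"
    sed -e 's/^[[:space:]]*#*[[:space:]]*PasswordAuthentication[[:space:]].*$/PasswordAuthentication no/' \
        "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
    # If the file never mentioned the directive, state it explicitly rather
    # than relying on the compiled-in default.
    grep -q '^PasswordAuthentication no$' "$cfg" \
        || printf 'PasswordAuthentication no\n' >> "$cfg"
}

# effective_setting CONFIG KEYWORD
# Prints the value sshd will use for KEYWORD: the first uncommented
# occurrence, stopping at the first Match block (anything after it is
# conditional). Real sshd keywords are case-insensitive; this check compares
# them as written, which is enough for a file you edited yourself.
effective_setting() {
    awk -v k="$2" '$1 == "Match" { exit } $1 == k { print $2; exit }' "$1"
}
```

After changing the real file, run `sudo sshd -t` to check the syntax and `sudo sshd -T | grep -i passwordauthentication` to see the value sshd resolved, then `sudo systemctl restart ssh` (the service is named `ssh` on Raspbian). Keep your current session open and confirm `ssh -i sshpi <username>@<IP ADDRESS>` works from a second terminal before closing it, so a typo in the config cannot lock you out of the Pi.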

Placeholder – More to follow…