Installing PiVPN
- Part 1: Enable SSH
- Part 2: Install Pi-Hole
- Part 3: Install PiVPN
- Part 4: Create a Full-tunnel user in PiVPN
- Part 5: Create a Split-tunnel user in PiVPN
- Part 6: Setup PiVPN Endpoint Device
- Part 7: Remove PiVPN user/client
So I already have PiHole installed at home, and it works great to block ads there. But if you’re not at home, how do you block ads? What if you want to access resources you have at home (e.g., printers, file storage, remote support of non-tech-savvy family) while you are away? Well, the answer is PiVPN.
You’ve probably heard of VPN services before, or you might already use one. Workplaces commonly use them so you can connect back to the office, and individuals use them to bypass geo-location filters when overseas, making it appear that they are in the U.S.
VPN stands for virtual private network. When you connect to a VPN, you create a secure, encrypted tunnel from your device to the network on the other side. A VPN prevents “snooping eyes” from seeing the actual network traffic that crosses the wire, meaning that only you and the other end know what you are doing. The caveat, depending on how your VPN is set up, is that your device’s internet traffic will appear to come from the network you are VPNed into, and that traffic will be visible to the ISP. So don’t think that just because you set up a VPN on your Raspberry Pi at home you can blindly surf the Internet and download illegal torrents without consequence, because you’d be wrong. The best use case, in my opinion, for setting up a VPN, or in our case PiVPN, is to access your files and storage when you’re not at home.
Let’s get started with setting up PiVPN.
As a prerequisite, make sure that you have already installed and set up PiHole.
Open a terminal window or SSH into your Raspberry Pi (RPi)
Enter the following command:
curl -L https://install.pivpn.io | bash
Piping the curl output to bash, as the command above does, makes the RPi download the PiVPN installer and run it immediately.
A cautionary note about piping curl to bash – Basically, be sure you trust the source, because you’re essentially letting them run whatever they want on your device!
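One way to act on that caution, as an added example that is not part of the original tutorial or the PiVPN project: download the installer to a file, read it, record the hash of the copy you reviewed, and run only a file that still matches. The file names `pivpn-install.sh` and `pivpn-install.sha256` are assumptions.

```shell
#!/bin/sh
# Added example: fetch, review, pin, then run, instead of curl | bash.
# File names used in the usage comment below are assumptions.

INSTALLER_URL="https://install.pivpn.io"

# Print the SHA-256 of a file (first field of sha256sum output).
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Download to a file rather than a pipe: what you read is exactly what
# runs, and a dropped connection cannot leave bash executing half a script.
fetch_installer() {
    # -f fail on HTTP errors, -sS quiet but show errors, -L follow redirects;
    # --proto/--proto-redir refuse anything that is not HTTPS.
    curl -fsSL --proto '=https' --proto-redir '=https' -o "$1" "$INSTALLER_URL"
}

# After reading the script, record its hash as the reviewed version.
pin_installer() {
    file_sha256 "$1" > "$2"
}

# 0: file matches the reviewed copy, 1: it differs, 2: no pin recorded.
verify_installer() {
    [ -s "$2" ] || { echo "no reviewed hash recorded in $2" >&2; return 2; }
    [ "$(file_sha256 "$1")" = "$(cat "$2")" ] || {
        echo "installer differs from the copy you reviewed" >&2
        return 1
    }
}

# Typical use:
#   fetch_installer pivpn-install.sh
#   less pivpn-install.sh                  # read it before trusting it
#   pin_installer pivpn-install.sh pivpn-install.sha256
#   verify_installer pivpn-install.sh pivpn-install.sha256 \
#       && bash pivpn-install.sh
```

The hash covers only the file you downloaded; anything the script itself fetches at run time has to be checked by reading the script.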
The PiVPN Automated Installer should appear. Click ‘Ok’.
The installer will need to apply a static IP address to your Raspberry Pi. This is a PiVPN requirement. If you’re running PiHole, you should already have a static IP assigned to your device. If you don’t… go fix that now, and come back.
If you do already have a static IP address assigned at this screen, click ‘No’.
Comment on the above step… Even if you set a static IP on the device, if that IP is within the DHCP pool, the DHCP server (the router, for most people) could theoretically still assign that IP to another device. That should never happen for an always-on device, but if you take it offline for a while or switch routers, it could happen.
So when setting static IP addresses, take a look at your network’s settings and assign addresses outside of the DHCP pool’s range. This will help prevent the scenario I just mentioned above.
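A quick way to check a chosen address against the pool, as an added example that is not part of the original tutorial. The pool bounds in the usage comment are constructed; read the real ones from your router’s DHCP settings page.

```shell
#!/bin/sh
# Added example: is a static IP inside the router's DHCP pool?

# Convert a dotted-quad IPv4 address to an integer; return 1 if malformed.
ip_to_int() {
    case "$1" in
        *[!0-9.]*|*.) return 1 ;;          # stray characters or trailing dot
    esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1            # more than four octets
    for octet in "$a" "$b" "$c" "$d"; do
        case "$octet" in
            ''|0?*|????*) return 1 ;;      # empty, leading zero, too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( (a << 24) + (b << 16) + (c << 8) + d ))
}

# ip_in_pool IP POOL_START POOL_END
# 0: IP is inside the pool (the DHCP server may hand it to another device)
# 1: IP is outside the pool
# 2: bad input
ip_in_pool() {
    ip=$(ip_to_int "$1") && lo=$(ip_to_int "$2") && hi=$(ip_to_int "$3") \
        || return 2
    [ "$lo" -le "$hi" ] || return 2
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# Typical use (constructed pool 192.168.1.100 to 192.168.1.200):
#   if ip_in_pool 192.168.1.254 192.168.1.100 192.168.1.200; then
#       echo "pick an address outside the pool"
#   fi
```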
The next screen shows your current network settings and confirms that you want to use it as your static address. Click ‘Yes’.
The next screen is just a warning of what could happen with an IP conflict if the RPi does not have a static IP address and is using DHCP. We’re all set though using a static IP, so click ‘Ok’.
Next we will choose the user which we’ll install PiVPN under…
Click ‘Ok’.
Then choose the desired user, and click ‘Ok’ again.
We want to install WireGuard. So on this screen, select it and click ‘Ok’.
*If you need, or wish, to install OpenVPN to meet your needs, then that option is available. My recommendation – If this is your first time setting up a VPN, stick with the default – WireGuard.
Wait and watch the status bar complete….
Select your default port. I am going to leave mine set to the default value “51820”. Click ‘Ok’.
Confirm the port, click ‘Yes’.
Because PiHole is already installed, PiVPN detects it and offers to set that as our desired DNS. This is what we want, so click ‘Yes’.
This next screen asks how we will be connecting remotely to our PiVPN.
Most of us do not have a static “external” IP given to us by our ISP. So with that in mind, we do not want to use the public IP address that is shown.
We want to use a Dynamic DNS (DDNS) service. The best example of this type of DDNS service is No-IP (noip.com). This type of service lets you run a client within your network that checks what your external IP is and updates No-IP with that address any time it changes, dynamically updating the DNS record that you have set up with the DDNS service provider.
Note: This DDNS value can be changed later if your DDNS public name ever changes, though you would need to update your user/client endpoints to use the updated name.
Since we already have DDNS set up, we will be choosing “DNS Entry – Use a public DNS”. Click ‘Ok’.
Enter your DDNS public DNS name. Click ‘OK’.
Confirm your entry. Click ‘Yes’.
Generating the encryption keys is the next step. Click ‘Ok’.
We will want to acknowledge the ‘Unattended Upgrades’ page. It’s just letting us know that we should enable this feature and have the RPi automatically check for and install security updates for us daily. Note that it will not automatically reboot the RPi, so we’ll need to do that manually from time to time. Click ‘Ok’.
Click ‘Yes’
Wait and watch the status bar complete….
Click ‘Ok’. PiVPN has now been installed! Woohoo!!!
We will still need to add our users/profiles before we can log in.
Click ‘Yes’ to reboot your RPi. Then ‘Ok’ again to initiate the reboot.
Now we need to log into our router.
We will need to set up port forwarding. We need to forward port 51820 to our Raspberry Pi.
This will allow traffic both ways between the Internet and your PiVPN.
Note: If you skip this port forwarding step, you will not be able to connect remotely to your PiVPN.
Next Article in this series: Part 4: Create a Full-tunnel user in PiVPN
Thank you so much for this tutorial – very, very well done. Thumbs UP!
2 quick questions:
1. I have installed PiHole on a separate pi (I have a few…), is there a line I could edit to enter the IP address of my PiHole, how can I integrate it once connected to my home, it is not detected by PiVPN upon install.
2. I have PiVPN installed, followed your instructions to a T. Where I’m confused is the next step to connect from my phone or tablet… I have not been able to find a tutorial for using the Wireguard client – seems they all need to work with a paid service, which I’m not interested in. It’s for home, not a business. Tried the QR Code, looks like it’s working, but then how do I connect to the tunnel to reach my home servers on the cell network for example.
Thanks.
Hope this helps Denis…
1) During the install of PiVPN, right after specifying the port, it asks about DNS. If it’s installed on an RPi with Pi-Hole it will auto-detect that Pi-Hole is installed and ask if you want to use that as your DNS for PiVPN. In your case, because you are running your Pi-Hole on a separate RPi, that is the step where you would have specified the IP address of the Pi-Hole RPi. I’d have to look up where you’d change that post-install as idk right off hand.
2) Kinda a long answer, but if everything is working, skip to the third part…. First part: So you’d have to have some sort of dynamic DNS (DDNS) service, there are a variety of services out there (and I’m not endorsing any of them) like noip.com just to name one. You’d have to run some sort of client service on your network that would periodically check your “home” ip address and then update it if ISP ever changes it. That way “example.noip.com” could point to your home IP address. Second part: you need to enable port forwarding on your home router. You would enable port 51280 (wireguard’s default port unless you changed it during install) to forward to your PiVPN RPi. That would then allow the vpn traffic on port 51280 to flow (in simple terms) as “example.noip.com”->Home Router->PiVPN, this “makes” the complete tunnel. Third part: Install the wireguard app from your device’s app store. Scan the QR code which will automagically configure all of the settings for you. Turn it on, and if part one and part two of this long-winded answer are working, then you should be able to reach your “home” network. Aside from if you choose to pay for a DDNS provider, there should be no extra costs.
Okay… An answer for your first question. Rerun “curl -L https://install.pivpn.io | bash” and on the screen that pops up choose reconfigure your PiVPN. It’ll walk you thru all the setup screens again. When you get to the DNS option page, scroll all the way down to the ‘Custom’ option at the very bottom of the list.
Hi,
Thanks a ton for your instructions.
I am confused about the port forwarding bit. My router asks for an internal and external port. Which one will be 51820 and what will the other be? And should the IP address be the static one? In your example 192.168.1.254?
Thanks!
It can be the same port. If you set up the rpi to use 51820 then you will want to tell your router to redirect external port 51820 to internal port 51820. The IP address that it should get will be that 192.168.1.254.
Hope that helps.