NordVPN with OpenVPN on Raspberry Pi

Why bother?

Everyone wants your data all the time. Personal privacy is being eroded, as users are being tracked, traffic is being shaped, and an astonishing amount of “metadata” is being collected and correlated. In the midst of all the scary privacy news in the past few years, I figured it was becoming indefensible to be without a VPN. The price for most of the products in the market is extremely reasonable and without even worrying about nation states, it keeps a significant portion of my browsing information out of the hands of my ISP. Whether the ISP is looking at traffic for traffic shaping concerns, selling “anonymized” data, or policing content infringement, I can’t imagine there being a single upside to exposing my data. With that said, I signed up for NordVPN (referral link). It was well reviewed, and a reasonable price – $3/month on a 2-year subscription.

Raspbian

The Raspberry Pi runs Raspbian, a version of Debian (which is also what Ubuntu is based on). I find this extremely handy, because it means there’s a wealth of information available. Unfortunately, I was unable to find precisely the guide I was looking for, hence this. Debian (and therefore Raspbian) uses systemd to manage its services, which is ultimately where this is headed.

Set up

There are a couple pretty straightforward pieces here:

  1. Install OpenVPN
  2. Set up NordVPN
  3. Set up authentication with NordVPN
  4. Make it work
  5. Try it out

0. What’s your IP address right now?

How are we going to know if this worked? We’ll want to validate that our public IP address has changed. Note that this is different from your private LAN IP, which usually looks something like 192.168.1.23. I think one of the easiest ways to check the computer’s current public IP is to do something like (obviously executed on the Pi itself):

$ curl ipinfo.io/ip
37.48.80.202

Write this down somewhere, and we’ll compare later.

1. Install OpenVPN

This one is super easy:

$ sudo apt install openvpn

2. Set up NordVPN

Almost as easy. You can look at NordVPN’s instructions here, but this really pollutes your /etc/openvpn folder, which I’ve found to be an annoyance. I made a folder to store them.

$ cd /etc/openvpn
$ sudo mkdir nordvpn
$ cd nordvpn
$ sudo wget https://nordvpn.com/api/files/zip
--2017-05-25 03:37:32-- https://nordvpn.com/api/files/zip
Resolving nordvpn.com (nordvpn.com)... 104.20.17.34, 104.20.16.34
Connecting to nordvpn.com (nordvpn.com)|104.20.17.34|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4113709 (3.9M) [application/octet-stream]
Saving to: ‘/etc/openvpn/nordvpn/zip’
/etc/openvpn/nordvpn/zip 100%[=======================================>] 3.92M 53.5KB/s in 56s
2017-05-25 03:38:31 (71.8 KB/s) - ‘/etc/openvpn/nordvpn/zip’ saved [4113709/4113709]
$ sudo unzip -q zip

At this point your /etc/openvpn/nordvpn folder should be chock full of (~2048?) ovpn files for the various NordVPN servers. Time to choose one! Which one is totally dependent on your goals – latency, speed, privacy, security etc. Picking one arbitrarily, copy it over:

$ cd /etc/openvpn
$ sudo cp nordvpn/sk2.nordvpn.com.tcp443.ovpn .
$ ls
sk2.nordvpn.com.tcp443.ovpn nordvpn update-resolv-conf

As a checkpoint, to make sure everything is working so far, you can start the VPN client up (you’ll need your NordVPN credentials here). Try running:

$ sudo openvpn sk2.nordvpn.com.tcp443.ovpn
Thu May 25 03:55:37 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Thu May 25 03:55:37 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Enter Auth Username: *********************
Enter Auth Password: ********************
Thu May 25 03:56:23 2017 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu May 25 03:56:23 2017 NOTE: --fast-io is disabled since we are not using UDP
... <a bunch of logging messages> ...
Thu May 25 03:56:30 2017 Initialization Sequence Completed

It should be self explanatory, but if you see:

Thu May 25 03:57:38 2017 AUTH: Received control message: AUTH_FAILED
Thu May 25 03:57:38 2017 SIGTERM[soft,auth-failure] received, process exiting

You’ve presumably made a mistake with your credentials, or your account isn’t active.

3. Set up your NordVPN authentication

Obviously it sucks a little to have to type in your username and password every time you want to start your VPN connection. If the server is private it’s nice to bake the authentication credentials right in. Disclaimer: there’s probably something objectionable about this, feel free to comment if there’s a better way. You can use your favorite editor here, so long as it ends up the same:

$ sudo nano .secrets

secrets

The format is the username, followed by a newline, followed by the password. If you haven’t used nano before, hit Ctrl + X to exit, then y to confirm you want to keep your changes, then finally Enter to actually exit.

Now open up your configuration file: sudo nano sk2.nordvpn.com.tcp443.ovpn

And find the line that says auth-user-pass. Append the absolute path of the .secrets file you just created to this line. It’ll end up looking something like: auth-user-pass /etc/openvpn/.secrets

Then save and exit. This makes it so OpenVPN automatically looks in .secrets when it goes to authenticate with the NordVPN server.

4. Make it work: .ovpn != .conf

This one is extremely subtle if you’re not really sure what you’re doing – which is likely if you’re reading this. OpenVPN automatically sets up a daemon for every .conf file it finds in /etc/openvpn – note that I have said .conf. We have .ovpn files. The last step here is to “convert” the file. All that means in this context is renaming it…

$ sudo mv sk2.nordvpn.com.tcp443.ovpn sk2.nordvpn.com.tcp443.conf

And you should be good to go!
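The .secrets file from step 3 is created through sudo nano, which under root’s usual umask of 022 leaves it readable by every local user on the Pi. As an added example (not part of the original post), this shell function checks each .conf from step 4 for the file its auth-user-pass line points at and flags loose permissions or a malformed file; the function name audit_openvpn_auth and the handling of relative paths are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the credentials files
# that auth-user-pass points at in every .conf under an OpenVPN config dir.
# Prints one line per finding; the return status is the number of problems.
audit_openvpn_auth() {
    dir=${1:-/etc/openvpn}
    problems=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Second field of the auth-user-pass line is the credentials file.
        cred=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
        if [ -z "$cred" ]; then
            echo "INFO $conf: no credentials file referenced"
            continue
        fi
        # Assumption: relative paths are resolved against the config dir.
        case $cred in
            /*) ;;
            *) cred="$dir/$cred" ;;
        esac
        if [ ! -f "$cred" ]; then
            echo "FAIL $conf: $cred does not exist"
            problems=$((problems + 1))
            continue
        fi
        # Octal mode via stat -c (GNU coreutils, as on Raspbian).
        mode=$(stat -c '%a' "$cred")
        case $mode in
            *00|0) ;;  # no group or other permission bits set
            *)
                echo "FAIL $conf: $cred is mode $mode, expected 600"
                problems=$((problems + 1))
                ;;
        esac
        # The post's format: username on line 1, password on line 2.
        lines=$(grep -c . "$cred" 2>/dev/null || true)
        if [ "${lines:-0}" -ne 2 ]; then
            echo "FAIL $conf: $cred has ${lines:-0} non-empty lines, expected 2"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Run the function as root so the credentials file is readable to the check; sudo chmod 600 /etc/openvpn/.secrets clears the mode finding.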

5. Try it out

Hopefully everything has come together now. I think the most convincing way to try this out is with a good ol’ sudo reboot, wait for the unit to come back up, followed by $ curl ipinfo.io/ip – you should now get a different IP address from what you had in step 0.

$ curl ipinfo.io/ip
209.171.60.102

 
