This blog entry started off back in 2019 as a simple comment on the amazingly useful PiVPN and has branched out a lot since then – now covering WireGuard and the unrelated ZeroTier.
Before we start, here is a link to the various sites for PiVPN, Pi-hole and ZeroTier for those who like to dive straight in and need no introduction. Personally before I started all of this, the idea of a VPN terrified me. Along the way, this blog entry by Marc Stan helped me a lot.
PiVPN is a Raspberry Pi installer for OpenVPN (and, more recently, WireGuard as well), whereas Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Like many people I find the subject of secure VPNs to be torturous. I’ve covered backups elsewhere since discovering the absolute importance of being able to do them easily, but only recently have I discovered the fun and security relevance of having my own domain blocker to stop some of the ads coming in (Pi-hole), as well as a secure VPN so I can access my stuff at one location, securely, when I and my non-existent support team are not there.
After months of casual investigation into VPNs I stumbled across PiVPN. For the majority out there who are turned off by the subject… this is REALLY, REALLY easy and the Pi does a great (though not stunningly fast on OpenVPN) job of being a VPN server while doing other jobs like home control. It also easily handles Pi-hole and hence can do blacklisting and whitelisting for your whole network.
While out in Spain for the summer back in 2018 I originally (easily) installed PiVPN onto the Raspberry Pi 3 board (using Raspbian Stretch) I used to control my home (and which was hence active 24/7) and more recently I’ve moved to Raspberry Pi 4 – after upgrading all my Raspberry Pi kit in Spain and the UK to Raspbian Buster. Go to the “Marc Stan” link above and you’ll see this is a no-effort-or-skill install. Oh, your router: you need to forward ONE port to the RPi – there is a “normal” default port but you can use any port you like. The link also describes Pi-hole – here it is.
Pi-hole is very easy – PiVPN needs a “client” on your phone, Android TV or PC for OpenVPN. This needs a “certificate” but you can forget that as it is handled by the installer (don’t know why I even mentioned it).
Once PiVPN is installed on the RPi with OpenVPN, type (as user pi) “pivpn add”, optionally add a password, and a client profile (a .ovpn text file containing the certificate and keys) is automatically generated. This is just a text file which you can copy to your mobile phone, computer etc. for the OpenVPN client. There really is nothing more to it than that.
When in Spain, I had previously communicated with my kit in the UK on the mobile using lots of open ports – hardly secure and no good for accessing the BBC iPlayer while away from the UK… so next I put the OpenVPN “client” on my UK RPi so I could access it from any of my machines in Spain with only one port redirection on the router. Sorted.
I then did the reverse and installed PiVPN in Spain. So now, instead of having a shedload of open ports for various control and monitoring systems remotely, I only needed the one port open. All of this software is free – PiVPN is a great project as is Pi-hole!
Putting PiVPN together with Pi-hole makes the investment in a Raspberry Pi a no-brainer – especially if that same RPi is running the home control and (for example) heating control etc. No reason you could not do ALL of this on a Pi3 but I’m playing safe as I want the controller to do a LOT so today I use RPi4. As I update this blog on my Windows 10 PC – Pi-hole has reduced the incoming traffic on the web by a large margin without me noticing any missing stuff. While on the road one day in the UK, late winter, I had the VPN client running on my mobile and watched the stats as Pi-hole protected my phone, reliability 100% – check out this YouTube video – oh, and updating Pi-hole is as simple as typing “pihole -up” without the quotes.
How things change – July 2020 and I was back in Spain – and after many months of reliable operation, I found myself unable to reliably VPN to either my Spanish or UK installations thanks to PiVPN changes. To cut a LONG story short, at some point the OpenVPN setups had updated automatically and would no longer work.
On a hunch I uninstalled PiVPN on my Pi here in Spain and reinstalled, adding new client .ovpn files to my phone and elsewhere. Worked a TREAT. Sadly this would not work for my UK installation thousands of miles away.
Thankfully, before I’d left the UK earlier in July (MUCH later than planned thanks to the pandemic) I’d installed the device-to-device VPN ZeroTier on advice from Mr Shark. This led me to a very early start two mornings in a row to access my UK PC which only stays on for a very short time every day. Once in, I could update PiVPN on my UK Pi and was once again in business. Beats taking a flight (especially right now – at the time of updating, the UK government has implemented new quarantine restrictions on people coming in from Spain)!
In the process we realised that, as the RPi4 is active 24/7, a great idea would be to run a VNC session on the Pi (I use MobaXterm as I’ve detailed elsewhere) to access my IoT gadgets by name – using their web interfaces (which are not exposed to the outside world). Good, but I’ve not used TightVNC for some time – and while having that available on the RPi4 constantly is simple to implement – I noted that SEVERAL guides out there are either out of date, incomplete or just WRONG – and that prompted me to update this blog entry.
Mr Shark pointed me to THIS guide without which I could have wasted many hours – that got me up and running. THIS guide for example is incomplete and while it gets TightVNCServer running it does NOT correctly set it up to run automatically from power-up – some other guides are worse, using utterly outdated methods of setting up services which no longer work.
I am using PiVPN – and having recently replaced a decent Draytek router here in Spain (thanks to lightning) with a rubbish TP-Link V7 (which does not handle mDNS or internal domains) – I found I needed to use Pi-hole to handle all DHCP in here as it DOES handle mDNS. Why? I need to access my Tasmota and other devices by name rather than IP address for ease of use.
So, now I was up and running I checked out the previously unused VPN server (again OpenVPN) on my Synology Diskstation back in the UK and after disconnecting from PiVPN, turned on the DS version. That worked but was no good for watching the BBC iPlayer in Spain as it did not force all traffic through the UK (hence no iPlayer, and Netflix shows more movies in Spanish than English – all of this applies to those of you who spend their time split between any two or more countries). A quick call to Synology support led to a slight setting change which sorted that.
Result… the Synology VPN server is much faster than the Raspberry Pi OpenVPN VPN as you can imagine – which, while not important generally, means faster iPlayer access on limited bandwidth – but of course you have to have a Synology Diskstation for that. I have an inexpensive one (DS14+) with 2 hard disks operating as one (RAID) all of which has operated reliably for several years. As for the photo – I’ve no connection to Synology – I’m just grateful for their support for an old device.
So now, I had two VPN solutions – but what about this ZeroTier? Well, that is just for device to device access, isn’t it? Erm, no. I’ve not yet figured out how to access the iPlayer in the UK using ZeroTier but thanks to comments from helpful readers in here, a little work and this link, I’m starting to take a liking to ZeroTier because (as well as device-to-device use) it gives me remote access to my devices in a “device to network” configuration – see comments – and makes a great backup for the full VPN solutions – again free to use (in this case with a limit of up to 100 devices).
WireGuard update November 20, 2020
Things change and I’ve now updated PiVPN to use WireGuard (no effort involved) which is not only smaller than OpenVPN but much FASTER – so although the Diskstation is still king, PiVPN using WireGuard is fast enough that I can justify bringing the Synology here to Spain while leaving a decent VPN on the Pi in the UK. I’ve been checking out the BBC iPlayer, YouTube and other stuff and I’m no longer getting indecipherable Spanish ads on YouTube, and both iPlayer and YouTube produce decent HD when running back to the UK with WireGuard.
Following information on the web, I simply took my existing PiVPN installations and updated as such:
curl -L https://install.pivpn.io | bash
I left DHCP settings as before. I left the user as before. I selected the (now default) WireGuard option.
I noted the default port of 51820 and added a port forward on my router. I left the DNS provider as PiVPN-is-local-provider to make good use of Pi-hole.
Now, the instructions I found for adding a client file were out of date and (using “boris” as a client file name) suggested:
pivpn add boris
It is now:
pivpn wg add boris
As you have a choice of WireGuard or OpenVPN!
As user pi I discovered a boris.conf had been placed into /home/pi/configs (a new folder). You can then use that boris.conf with WireGuard clients, which are freely available for PC, Mac, Android, etc.
You CAN edit the config file – removing the IPv6 config for example, or changing the name or port. The SERVER config master file can be found in /etc/wireguard/wg0.conf and that can be edited as root. Note that the client .conf contains the client’s private key, so treat it like a password: keep it readable only by its owner and delete copies once they are loaded into the client app.
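The edits described above can be scripted rather than done by hand. The following is an added example (not PiVPN’s own tooling and not from the original post): it strips the IPv6 entries from a PiVPN-style WireGuard client profile, swaps the Endpoint port, checks that the profile is a full tunnel (AllowedIPs covers 0.0.0.0/0, which is what makes the phone appear to be in the UK), and checks that the file is not world-readable. The sample profile, its dummy keys, the hostname vpn.example.com and the port 4567 are constructed for the demo; run it on the Pi against your real /home/pi/configs/boris.conf instead.

```sh
#!/bin/sh
# Added example, not part of PiVPN or the original post: tidy a PiVPN-generated
# WireGuard client profile (e.g. /home/pi/configs/boris.conf) before copying it
# to a phone or PC. The sample keys, host and port 4567 below are assumptions.
set -eu

# Drop IPv6 entries from Address/AllowedIPs and rewrite the Endpoint port.
# Usage: wg_strip_ipv6_and_set_port <client.conf> <port>   (result on stdout)
wg_strip_ipv6_and_set_port() {
  infile=$1
  port=$2
  awk -v port="$port" '
    /^(Address|AllowedIPs)[[:space:]]*=/ {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1); sub(/[[:space:]]+$/, "", key)
      n = split(substr($0, eq + 1), items, ",")
      out = ""
      for (i = 1; i <= n; i++) {
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", items[i])
        if (items[i] ~ /:/) continue          # IPv6 literals contain a colon
        out = out (out == "" ? "" : ", ") items[i]
      }
      print key " = " out
      next
    }
    /^Endpoint[[:space:]]*=/ {
      sub(/:[0-9]+[[:space:]]*$/, ":" port)   # keep the host, swap the port
      print
      next
    }
    { print }
  ' "$infile"
}

# True when everything is routed through the tunnel (needed to "be in the UK");
# a split-tunnel profile only lists LAN ranges in AllowedIPs.
wg_is_full_tunnel() {
  grep -Eq '^AllowedIPs[[:space:]]*=(.*,)?[[:space:]]*0\.0\.0\.0/0[[:space:]]*(,|$)' "$1"
}

# The profile holds the client PrivateKey, so it must be owner-readable only.
wg_conf_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Constructed sample in PiVPN's layout; the keys are dummy placeholders.
SAMPLE_CONF='[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.6.0.2/24, fd11:5ee:bad:c0de::2/64
DNS = 10.6.0.1

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
PresharedKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0'

# Demo: write the sample to a temp dir, rewrite it, lock it down and check it.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONF" > "$demo_dir/boris.conf"
wg_strip_ipv6_and_set_port "$demo_dir/boris.conf" 4567 > "$demo_dir/boris-ipv4.conf"
chmod 600 "$demo_dir/boris-ipv4.conf"
cat "$demo_dir/boris-ipv4.conf"
wg_is_full_tunnel "$demo_dir/boris-ipv4.conf" && echo "full tunnel: yes"
wg_conf_is_private "$demo_dir/boris-ipv4.conf" && echo "permissions: ok"
rm -rf "$demo_dir"
```

Whatever port you put in the client’s Endpoint must match both the port forwarded on the router and the ListenPort in the server’s /etc/wireguard/wg0.conf, otherwise the handshake silently never completes (WireGuard does not report a connection error, the tunnel just carries no traffic). If you only want LAN access rather than full routing through the Pi, change AllowedIPs to your LAN range and the full-tunnel check above will correctly report no.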
WireGuard really is that easy – easier than OpenVPN in fact.
The guy whose videos I watched to get to grips with WireGuard is called SPACEREX. I suggest subscribing to his video channel. Interesting chap, humble and to the point without the usual unanswerable “hi guys how are you doing” and other filler material seen on so many videos. Best investment of a couple of hours I’ve made in ages.