Tag Archives: openvpn

Moving a self-hosted OpenVPN server to a new server

So the Raspberry pi v4 launched recently, I thought the gigabit ethernet and the ram boost to 1gb (2gb & 4gb also available) would be a good upgrade for my self-hosted OpenVPN server , I had previously seen on the pivpn github issues that moving to a new server can be achieved with just one command!

I installed the Raspbian Buster Lite image and then installed OpenVPN via this command

 curl -L https://install.pivpn.io | bash 

Before starting its wise to stop the openvpn server first! (on both servers)

 sudo systemctl openvpn stop 

Then to copy the files over

scp -pr openvpn/* root@[ip]:/etc/openvpn/

HT: scp – https://www.computerhope.com/unix/scp.htm

I knew i had a little more work to do, my setup does not benefit from having a fixed IP address, so i have a couple of python scripts running via cron to monitor for a change in the public IP address and then update a DNS record so that my VPN setup still works, so i had some additional tasks around copying over the cron tasks and the python scripts.

I ran the scp command and it immediately failed, ah looks like a permission problem, so i ran it again with ‘sudo’ first – this had some limited success but curl.pem and the easy-rsa/pki files through up some interesting errors, after some googling of those errors the pki files/certificate were set to permission 600, they had to be changed to 644 – also the only real way of copying these files over In the end was by enabling the root account on the raspberry pi (not covered here.)

Exporting and the importing the cron tasks was straightforward.

On the ‘old’ server run this command from the bash command line

sudo crontab -l > cron.bak

then on the new server its (after you have done a remote copy via scp – see above)

 sudo crontab cron.bak 

The python scripts were also copied over using scp – i experienced some ownership/permission issues but a quick chmod sorted that out.

I changed the hostname of the new pi to match the old one (sudo raspi-config), and configured the new pi with the old PI ip address.

 sudo nano /etc/dhcpcd.conf 

Thinking i was home and dry i attempted a connection via wifi and happy days!, it connected, but then i realised the internet was not accessible – this lead me to needing to do something on the new pi/setup that is not on the old one.

I believe this issue is caused by me running pihole on another Raspbery pi!

this was ultimately fixed by editing the file /etc/rc.local and adding these two lines after fi but before exit 0

/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

wifi and bluetooth are not needed and can be disabled by adding two dtoverlay= lines to the config.txt file.

 sudo nano /boot/config.txt 

dtoverlay=pi3-disable-wifi
dtoverlay=pi3-disable-bt

Good luck if you decide to do the same, in hindsight creating new profiles may have been easier, but i have issued some family openvpn client/profiles that would be difficult to update.