December 16, 2013 7:58 pm

This guide will install Airprint and OpenVPN allowing you to use AirPrint from one local network to a remote network over a VPN connection. You must be on a local network running the VPN server, however your iOS device does not need to be on the VPN network to access the printer(s).

This guide assumes you already have installed Raspbian, Raspbmc on a Raspberry Pi or Ubuntu on a Desktop machine. Cups install is not necessary on Ubuntu. You should be able  to open a web browser on the Ubuntu machine and type “localhost:631” to get to the web admin without any additional configuration. I am using “tun” instead of a “tap” interface since I also want to be able to connect iOS devices to the VPN. OpenVPN on iOS does not yet support “tap.”

Install the software.

sudo apt-get update
sudo apt-get install cups cups-pdf openvpn
sudo usermod -aG lpadmin pi #Do not use for Ubuntu
sudo /etc/init.d/cups start
sudo nano /etc/cups/cupsd.conf

The line that reads “Listen localhost:631” needs to be changed to “Port 631”

“Allow All” needs to be added right be to the line that reads “Order allow,deny” in one place, “Restrict access to server…”

“Allow @Local” needs to be added right below the lines that read “Order allow,deny” in two places:

  1. Restrict access to the admin pages…
  2. Restrict access to configuration files…

Hit <control-x> to exit nano editor and enter line below to restart cups.

sudo /etc/init.d/cups restart

You can now use a web browser to configure and manage printers. Enter the IP address of your Raspberry Pi into your browsers address bar followed by “:631”.


Select the Administration page and be sure server settings are set as shown below. Enter your username and password if asked and ignore the warning message if there is one.


Before we do too much more printer setup though we might want to finish setting up the VPN connection. The keys, certificates and configuration files need to be generated on one computer and then moved to each computer securely. The key generation computer does not need to be any one in particular and doesn’t even need to be one that is actually going to use the VPN. On my last install, I had problems downloading easy-rsa directly so I just manually downloaded from and placed everything in the “2.0” folder in the /etc/openvpn/easy-rsa directory using ftp. You may choose to clone the git instead or run easy-rsa from another platform. Tunnelblick on the Mac (The latest beta required for Mavericks) comes with easy-rsa installed. You can access it by opening the “VPN Details…” menu from Tunnelblicks menu, clicking the Utilities icon, and then clicking “Open easy-rsa in Terminal.” On the Pi or Ubuntu, I use “sudo bash” to make sure I have access to run the scripts, however I don’t think this is necessary if using a Mac with Tunnelblick. Use “cd” to get to the easy-rsa directory if needed.

sudo nano vars

Change “KEY_SIZE” to 2048 and edit the export fields at the end of the file to set the defaults for when you build your keys. When you run the build key scripts, you will be prompted to enter each item. You can just hit enter if you want to use the default value. You need to answer “y” to the last two prompts.

source vars
./build-key-server server
openvpn --genkey --secret ta.key

Then build keys for every client you want to connect to your server. Use a unique “clientName” each time you build a key.

./build-key clientName
./build-key-pass clientName2 #For password protected keys.

server.conf file:

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
;user nobody
;group nogroup
status openvpn-status.log
verb 3
mute 20

client.conf file. Edit “your.server.ip” and “YourClient” to match the names of your files and the domain name of your server:

dev tun
proto udp
remote your.server.ip 1194
resolv-retry infinite
;user nobody
;group nogroup
ca ca.crt
cert YourClient.crt
key YourClient.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

Copy server.conf, server.key, server.crt,  ca.crt, dh2048.pem, and ta.key to /etc/openvpn on the server.

/etc/init.d/openvpn start

Copy YourClient.conf, YourClient.key, YourClient.crt,  ca.crt, and ta.key to /etc/openvpn on each of your clients. You should have generated unique .key and .crt files for each one. For some reason I had to use the following command to get OpenVPN working on the clients, then exit OpenVPN with which stopped the connection.  Then the command used on the server would work to get the clients working. I’m not sure but it may have had something to do with the different names on the configuration files.

sudo OpenVPN client.conf #using the name of your .conf file

You need to make sure your clients IP address on the VPN network does not change so you can always reliably connect to the printers, so create a directory in your /etc/openvpn directory called ccd

sudo mkdir /etc/openvpn/ccd

Into this directory you are going to put a file for each client hosting printers matching the client name.

sudo nano /etc/openvpn/ccd/YourClient

Into the first file put:


The next file will be:


allocating 4 IP addresses for each assigned address. Use “sudo service restart” to first restart your server and then your clients.

We can now finally configure the printers, so open the cup web configuration page by going to the IP address of one of the computers/Raspberry Pis that has a printer connected or a wireless printer on the same local network. Add your printers by clicking the Administration page and then clicking add printer. Ignore the warning message. You will need to use your user password to add the printer. Remember to set the printer as shared. Drivers take a long time to list on the Raspberry Pi, so be patient. Once you have completed this, you will be able to use AirPrint, and Printing from desktop/laptop computers locally, but we need to configure more for this to work over the VPN connection.

Connect to one of the remote computers cups interface the same as the local one. When you add the printer, select “Internet Printing Protocol (http).” The printers address will be something like this:

…where “YourOfficejet” is the name of the printer hosted on

Once this printer has been added to the remote network, you will be able to AirPrint remotely even if the iOS device is not signed in to the VPN itself. You can still download the iOS OpenVPN client if you wish to use it for other purposes, but it is not necessary. Printing using a Raspberry Pi as a print server is slower, relaying through two over the internet, even slower, so this is not likely to be useful for very large documents.

Helpful hint 1: If you have a printer connected to an Airport Express or Extreme, you will be able to add the printer, however printing will always fail. To add one of these printers locally the address will look something like this:


…where should be the IP address of your own Airport Express/Extreme. The addressing set on the remote computer will however be set the same as first shown, since you will be relaying it to the other print server.

Helpful hint 2: After you have confirmed that the VPN is working properly, you can remove the semicolons in the configuration files, before “group nogroup” and “user nobody” on non Windows systems to improve security a bit.

My currently running configuration uses a Next Unit of Computing running Ubuntu as the main server with a few Raspberry Pi clients. Using faster client computers might help with printing speed, however my current configuration seems to work fast enough for me. ?

Categorised in: ,

This post was written by Tom


  • Greate article. Keep posting such kind of info on your site.
    Im really impressed by your blog.
    Hello there, You’ve performed a great job.
    I’ll certainly digg it and for my part suggest to my friends.
    I’m confident they will be benefited from this site.

  • Paulo says:

    Dear Tom,
    Thanks in advance for your excellent tutorial. However, I have done everything you explain, but from my iPhone after openvpn connection, I can’t see my airprint printer. Locally it’s 5 stars, but on vpn, I can’t see that printer 🙁

    • Tom says:

      To troubleshoot, you are going to want to test every step of the connection to see where it fails. Can you print from the second Raspberry Pi using Cups to print a test page? Did you make sure that the second Raspberry Pi has the printer set to shared?

  • Paulo says:

    Tom, I have done 😉

    5 stars!!!

    Maybe if you update your tutorial, just to add that we really need 2 rpi at least rpi… And one thing that I was expecting, and so far I can’t achiev, it’s to send printing trough a vpn based on a 3G connection (when we are outside a range of both networks of the 3 rpi).

    • Tom says:

      I thought I had mentioned that. I’ll look over the tutorial and make it clearer that there needs to be two. If you are printing from a computer though, the print settings are usually more editable than from a smartphone or tablet and it will work with only one Raspberry Pi if you set up the computer as a VPN client. It all depends on whether you can set the printer up manually using an IP address.

      • Paulo says:

        But Tom, on one iPhone with vpn connection trough 3G, can you see any air printer?
        If yes, can you explain how?
        Cause I only can see airprinter if I’m logged on a wifi within the first or second rpi… When I turn off the wifi on that network, and I log me in VPN based on a 3G connection, I can’t see… It’s really important to be able based on a 3G connection under vpn 🙁

        • Tom says:

          No, it doesn’t work. You could look for a printing app on the app store that supports setting a printer by IP address. I have done that in the past, but it end up being rather limited. All printing has to be done from within the app. The one that I used was called Print n Share, but I think their marketing is a bit shady. They have several versions and it can be confusing what features are supported. If you buy one that doesn’t support what you want to do, you might end up having to buy a completely different app made by the same company. Look through the options carefully before you purchase.

%d bloggers like this: