This is written in Raspberry Pi/Raspbian Wheezy.

I've added a second page showing the connection in action as I VNC my home desktop over VPN.

When I'm away from home, I need to be able to access some of my home computers. In the past I ssh'd into my always-on small computer, which in the past was an unSlung NSLU2, and, is now a Raspberry Pi (the B with 4 USB ports).

That allows me to easily do rather simple things like transfer files up or down, or, check on MythTV. For that, I ssh in to Pi, WOL Myth, and tunnel MythWeb over another ssh connection. That means more than one port being forwarded at the router—one for each computer I connect to.

OpenVPN sounds like a simpler method, as only one port is needed. I can open a VPN connection and do everything else from there. So far, my tests are giving satisfactory results, but it wasn't easy getting there.

It was easy enough to get OpenVPN installed and running on Pi. Connection to Pi—easy. But connecting to other computers on the network was more difficult. Or, it may be that there is a lot of confusing and partial information on the Internet. Tap or tun? That seemed to be a major issue. "Routes" and static routing on the gateway was also confusing/misleading. Of course, I had to allow for the fact that my slow DSL was part of the frustration.

Finally, after a few attempts, I have it working by combining a few things I found during my searches - and it appears that it's real easy.

I will restate my mission. I simply need a connection from my travelling laptop into my home network. I do not need to access my travelling laptop from my home network (after all, I'm not at home).

The method here allows me to do everything I need, plus, I can browse the web from my traveller with the source address being my home connection.

Summary of network:

Internet—6/1 AT&T to ARRIS NGV589 modem/router/access point. NAT to LAN router - address provided 192.168.1.64. LAN router NAT's network on 192.168.11.0/24.

Raspberry Pi—192.168.11.158. OpenVPN server default at 10.8.0.0.

Mythtv—192.168.11.126.

Desktop computer—192.168.11.76.

More details

Modem—I switched DSL services while I was experimenting. I had old/slow DSL with a modem feeding the public address to my router, and, I was forced to switch to Uverse. The provided Arris is a combo unit with the wireless off, and, only one address available to the LAN. I know that results in double-NAT, but, it hasn't caused a problem so far.

LAN router—gets 192.168.1.64 from the modem and provides 192.168.11.0/24 to the LAN. LAN device addresses are reserved and there's a couple of forwarded ports, but nothing else.

Pi—gets 192.168.11.158, and, runs OpenVPN full time providing 10.8.0.0. Pi does some other small tasks like being syslog server for router logs and handles waking MythTV when required for recording. It's definitely not strained, even when handling VPN.

MythTV—is at 192.168.11.126. It does NOT run OpenVPN. It's normally off, and, PI WOL's it for recording. As part of shutdown it sends the next recording time to Pi.

Desktop computer—is at 192.168.11.76. It does NOT run OpenVPN. It's normally off, and, PI WOL's it, if needed.

My testing, so far, has been from my laptop connected to the Internet through my Internet-On-The-Go hot spot. While VPN'd in, I have ssh/sftp'd in to the Pi, and, transferred files, and, did the MythTV WOL (from the Pi), and, accessed MythWeb. That is via the http server on MythTV and permits status checking, and, schedule adjustment.

I have VNC'd into the desktop. I run x11vnc server on the desktop, and, TightVNC viewer on the laptop. It works OK (for me).

I've also browsed the Internet, and, that worked acceptably well for routine activities, with an IP check showing my connection being my home network.

Using Htop to monitor the Pi's CPU activity, I found the max % was in the 25-35 range while doing most things, so it definitely wasn't being overworked. That may be due to the relatively slow speed of my connection.

One other thing—I have a dynamic connection and do not use a dynamic DNS service. One of the things Pi does is locally check my public IP several times a day, and, sends an email to my phone when it changes. I use a script to send the address to my laptop's /etc/hosts. That is why the remote in the .ovpn is a name + port.

The files I added/modified while setting this up. I don't know if they are "right", but they do make it work.

/etc/iptables/rules.v4 rules:

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.11.158
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

/etc/openvpn/server.conf.

# rasp2 192.168.11.158/10.8.0.1
local 192.168.11.158
dev tun 
proto udp
port 1194 
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/rasp2-server.crt
key /etc/openvpn/easy-rsa/keys/rasp2-Server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0 
ifconfig 10.8.0.1 10.8.0.2 
#
# push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 192.168.11.1"
#
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key 
persist-tun 
status /var/log/openvpn-status.log 20 
log /var/log/openvpn.log 
verb 3

pi.ovpn used on the laptop

client 
dev tun 
proto udp 
remote tedhouse 1194 
resolv-retry infinite 
nobind 
persist-key 
persist-tun 
mute-replay-warnings 
ns-cert-type server 
key-direction 1 
cipher AES-128-CBC 
comp-lzo 
verb 1 
mute 20
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

It doesn't look like there's anything special there.
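A review aid for the two listings above, added here and not part of the original post: a small Python check that flags the directives in this server.conf and pi.ovpn that current OpenVPN guidance treats as weak or deprecated (1024-bit DH, duplicate-cn, comp-lzo, a CBC data cipher, ns-cert-type). The names `audit` and `CHECKS` and the trimmed sample configs are constructed for this example.

```python
import re

def _weak_dh(args):
    # easy-rsa names the file after the prime size, e.g. dh1024.pem
    m = re.search(r"dh(\d+)\.pem$", args[0]) if args else None
    return bool(m) and int(m.group(1)) < 2048

CHECKS = {  # directive -> (predicate on its arguments, finding)
    "dh": (_weak_dh, "DH parameters under 2048 bits; regenerate at 2048+"),
    "duplicate-cn": (lambda a: True, "one cert may hold several sessions; issue one per device"),
    "comp-lzo": (lambda a: True, "tunnel compression is deprecated (VORACLE); remove on both ends"),
    "cipher": (lambda a: bool(a) and a[0].upper().endswith("-CBC"), "CBC data cipher; prefer AEAD (AES-256-GCM)"),
    "ns-cert-type": (lambda a: True, "deprecated; use 'remote-cert-tls server'"),
}

def audit(config_text):
    """Return [(line_no, directive, finding)] for flagged directives."""
    findings, inline = [], False
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # naive comment strip
        if line.startswith("</"):
            inline = False          # end of an inline <ca>/<key>/... block
        elif line.startswith("<"):
            inline = True           # skip embedded key material
        elif line and not inline:
            name, *args = line.split()
            check = CHECKS.get(name)
            if check and check[0](args):
                findings.append((no, name, check[1]))
    return findings

# Constructed excerpts of the two listings on this page, key material omitted.
SERVER_CONF = """\
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# push "dhcp-option DNS 8.8.8.8"
duplicate-cn
cipher AES-128-CBC
comp-lzo
"""
CLIENT_OVPN = """\
ns-cert-type server
cipher AES-128-CBC
comp-lzo
<ca>
</ca>
"""
if __name__ == "__main__":
    for label, text in (("server.conf", SERVER_CONF), ("pi.ovpn", CLIENT_OVPN)):
        print(label, audit(text))
```

Cipher and compression settings have to match on both ends, so any change driven by these findings goes into server.conf and pi.ovpn together.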

One of my references was:
http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/
But, I am using a different /etc/openvpn/server.conf, and, I am using persistent iptables rather than the /etc/firewall-openvpn-rules.sh — /etc/firewall-openvpn-rules.sh combo. Note one of the rules I list above matches the one in the article.

Page 2. The connection in action as I VNC my desktop over VPN.