Same problem here, I have updated my RV325, and basically created new OpenVPN users, exported the config into Tunnelblick (I am on OS X but I have the same problem with Android) and no matter what I do I cannot get any connection.
I struggled to start the OpenVPN server too but in the end I managed to run it. Also I needed to reset my configuration anyway because I was upgrading from 1.1.1.xx firmware. Here I have a couple of points for attention:
I remember when I discovered port forwarding for the first time 16 years ago - I was amazed I could open a port on my router and point it to a device on the LAN side of my router. I had many services I was running on my LAN which I wanted to access, I even ran my own web server, opening port 80 for the web server and port 22 so I could ssh in and administer it. I then opened my router's port for web administration. My defining achievement and ultimately my undoing was opening my RealVNC (password protected) port on my home PC so I could control my PC from elsewhere!
An example of this (looking at the diagram above) is if Home Assistant is running on Server (192.168.0.14): to access Home Assistant you would navigate to :8123 LAN side, and if you opened port 8123 on the router to point to the Server you could, from the WAN side, access :8123. When this happens your router knows to forward traffic from the requesting WAN device to the internal server (port forwarded).
An alternative to port forwarding is SSH tunneling - this is good because it is encrypted - but you need to have ssh open to the world and running on a server, and you need to tunnel each port you want to connect to.
e.g. I have my iPhone on LTE or a public Wi-Fi and search for "show my ip" in Google - it will show my LTE or public Wi-Fi IP, but if I connect to my VPN I will see my home router's external IP.
Want to access the Internet safely and securely from your smartphone or laptop when connected to an untrusted network such as the WiFi of a hotel or coffee shop? A Virtual Private Network (VPN) allows you to traverse...
I would advise running OpenVPN on a different port to the default one and this is the port you will need to open on your router to allow VPN connections inbound to your network. Also choose the build-key-pass path route for the client.
Preliminaries
This tutorial is inspired by the Linode documentation. First of all, we have to install the OpenVPN package and some extra tools.
sudo apt update
sudo apt upgrade
sudo apt install -y iptables-persistent openvpn easy-rsa
echo 1 >...
Once complete, go somewhere remote and connect to your new VPN, then open Home Assistant's local IP address or any other service on your LAN - you can also use "show my IP" to test that the public IP of your device changes to your home LAN's IP.
Great write up and explanation! Thank you! Before diving into the secondary guides, is there any downside to the VPN? Does it affect any components or cause a slow down in connecting to HA? What about if you are already using duckdns and https? Are there any adjustments that need to be made in that respect? Lastly, how resource intensive is OpenVPN? I.e. can I run it on the same Pi as HASS (and pihole, etc) or does it need a standalone machine? Thanks! Sorry for all the questions.
And the latest addition was now HomeAssistant - easypeasy, nothing to add from what I had in place before, it just works. From my PC, my mobile phone and my tablet - especially with something like an OpenVPN Client for Android.
A combination of those two lines of thought got me searching the web. I found lots of tutorials for setting up a VPN server on a Pi, in fact it seems that this is one of those projects that many tout the Pi as being ideal for.
Specifically I found PiVPN (based on OpenVPN) which does seem to wrap almost all of the set up into a script. I also found a few tutorials for setting up PiVPN and as well, it is hosted on GitHub. All of which led me to think it could be a legitimate option.
Firstly fantastic to hear and to be honest this is the objective I set out to do - just get people to dip their toe into this and think about what they wanted / understand how a VPN was a sound choice - yep following the guide will get results but exploration is also recommended.
Overall this is something that takes time to set up but is worth it once done - as you will be able to do so much with it with some security peace of mind (in that only the VPN server is open on your router).
There is no verification that what you downloaded is actually what you intended, or that it has not been compromised in some way. I would not trust any site that tried to get you to do this, let alone something related to security.
@Robbrad
Rob, I just want to say thank you for taking the time to put this together and sharing it with the community.
I recently learnt how to set up a reverse proxy and configured my setup as such.
However, it seems this is not sufficient and a VPN may be the way forward.
No problem - depending on where you plan to do this - as long as you're not logging in as root you probably already have a sudo user - and it will be the user you use for your Pi. If not and it is root (scary) then log in as root and do the following
A Virtual Private Network (VPN) allows you to traverse untrusted networks as if you were on a private network. It gives you the freedom to access the internet safely and securely from your smartphone or laptop when connected to an untrusted network, like the WiFi at a hotel or coffee shop.
When combined with HTTPS connections, this setup allows you to secure your wireless logins and transactions. You can circumvent geographical restrictions and censorship, and shield your location and any unencrypted HTTP traffic from untrusted networks.
OpenVPN is a full featured, open-source Transport Layer Security (TLS) VPN solution that accommodates a wide range of configurations. In this tutorial, you will set up OpenVPN on an Ubuntu 22.04 server, and then configure it to be accessible from a client machine.
Note: If you plan to set up an OpenVPN Server on a DigitalOcean Droplet, be aware that we, like many hosting providers, charge for bandwidth overages. For this reason, please be mindful of how much traffic your server is handling.
The first step in this tutorial is to install OpenVPN and Easy-RSA. Easy-RSA is a public key infrastructure (PKI) management tool that you will use on the OpenVPN Server to generate a certificate request that you will then verify and sign on the CA Server.
Once these programs are installed and have been moved to the right locations on your system, the next step is to create a Public Key Infrastructure (PKI) on the OpenVPN server so that you can request and manage TLS certificates for clients and other servers that will connect to your VPN.
These are the only two lines that you need in this vars file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use modern Elliptic Curve Cryptography (ECC) to generate keys and secure signatures for your clients and OpenVPN server.
Configuring your OpenVPN & CA servers to use ECC means when a client and server attempt to establish a shared symmetric key, they can use Elliptic Curve algorithms to do their exchange. Using ECC for a key exchange is significantly faster than using plain Diffie-Hellman with the classic RSA algorithm since the numbers are much smaller and the computations are faster.
Background: When clients connect to OpenVPN, they use asymmetric encryption (also known as public/private key) to perform a TLS handshake. However, when transmitting encrypted VPN traffic, the server and clients use symmetric encryption, which is also known as shared key encryption.
There is much less computational overhead with symmetric encryption compared to asymmetric: the numbers that are used are much smaller, and modern CPUs integrate instructions to perform optimized symmetric encryption operations. To make the switch from asymmetric to symmetric encryption, the OpenVPN server and client will use the Elliptic Curve Diffie-Hellman (ECDH) algorithm to agree on a shared secret key as quickly as possible.
Note that on your OpenVPN server there is no need to create a Certificate Authority. Your CA server is solely responsible for validating and signing certificates. The PKI on your VPN server is only used as a convenient and centralized place to store certificate requests and public certificates.
Note: If you choose a name other than server here, you will have to adjust some of the instructions below. For instance, when copying the generated files to the /etc/openvpn directory, you will have to substitute the correct names. You will also have to modify the /etc/openvpn/server.conf file later to point to the correct .crt and .key files.
In the previous step you created a Certificate Signing Request (CSR) and private key for the OpenVPN server. Now the CA server needs to know about the server certificate and validate it. Once the CA validates and relays the certificate back to the OpenVPN server, clients that trust your CA will be able to trust the OpenVPN server as well.
This option will help ensure that your OpenVPN server is able to cope with unauthenticated traffic, port scans, and Denial of Service attacks, which can tie up server resources. It also makes it harder to identify OpenVPN network traffic.
Although you can generate a private key and certificate request on your client machine and then send it to the CA to be signed, this guide outlines a process for generating the certificate request on the OpenVPN server. The benefit of this approach is that you can create a script that will automatically generate client configuration files that contain all of the required keys and certificates. This lets you avoid having to transfer keys, certificates, and configuration files to clients and streamlines the process of joining the VPN.