Do you have a route push to your LAN (I take it the VPN server is on the lan?)
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.0.0 255.255.255.0"
Once added you should be able to ping something on the LAN side from the Pixel.
If not, UFW needs configuring. I allow all traffic from the VPN to the LAN.
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
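As an added example (not code from the original post), a small POSIX shell script that audits an OpenVPN server.conf for the push directives quoted above: which LAN subnets are routed to clients, whether the default gateway is redirected through the tunnel, and whether a DNS server is pushed (the piece clients need to resolve internal host names). The config it reads is constructed inline; point the functions at your real /etc/openvpn/server.conf to audit a live server.

```shell
#!/bin/sh
# Audit the push directives in an OpenVPN server.conf (added example).
# The config below is constructed for the demo, not taken from a real server.

SAMPLE_CONF="$(mktemp)"
cat >"$SAMPLE_CONF" <<'EOF'
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
# push "dhcp-option DNS 192.168.1.1"   <- commented out, so not active
EOF

# Print the contents of every active push "..." line; commented lines are ignored.
active_pushes() {
  grep -E '^[[:space:]]*push[[:space:]]+"' "$1" \
    | sed -E 's/^[[:space:]]*push[[:space:]]+"([^"]*)".*/\1/'
}

# Escape dots so a dotted quad is matched literally by grep -E.
literal() { printf '%s' "$1" | sed 's/\./\\./g'; }

# 0 if the LAN subnet $2 with netmask $3 is pushed as a route to clients.
pushes_route() {
  active_pushes "$1" \
    | grep -qE "^route[[:space:]]+$(literal "$2")[[:space:]]+$(literal "$3")([[:space:]]|$)"
}

# Number of subnets pushed as routes (0 means clients only reach the VPN pool).
route_count() { active_pushes "$1" | grep -cE '^route[[:space:]]'; }

# 0 if clients are told to send all their traffic through the tunnel.
redirects_gateway() { active_pushes "$1" | grep -qE '^redirect-gateway'; }

# 0 if a DNS server is pushed to clients (needed to resolve internal host names).
pushes_dns() { active_pushes "$1" | grep -qE '^dhcp-option[[:space:]]+DNS[[:space:]]'; }

# Human-readable summary for one config file.
report() {
  printf 'routes pushed: %s\n' "$(route_count "$1")"
  redirects_gateway "$1" && echo 'default gateway: redirected through VPN' \
                         || echo 'default gateway: left on client (split tunnel)'
  pushes_dns "$1" && echo 'DNS: pushed to clients' \
                  || echo 'DNS: not pushed (clients keep their own resolver)'
}

report "$SAMPLE_CONF"
```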
If so it might be less trouble to just install PiVPN on it and be done.
I used it before I realized my router had OpenVPN capability built in and it was a breeze to set up. I never had to do anything like you guys are discussing above. It just worked.
I have a procedure written up that I followed if you want to go that route.
Here is the write-up for a complete install from a blank SD card to having it running and connected on your phone. Obviously, feel free to skip any parts you've already done.
Install Openvpn using PiVPN
- Burn image Raspbian-Stretch-lite (or whichever you choose - I used Stretch at the time)
- Enable SSH:
you need to know the drive letter of the SD card where you burned Raspbian on the PC
open command prompt on the Windows PC
substitute your drive letter for <drive letter> (use the first > but not the <> around the drive letter)
echo><drive letter>:\ssh
- Update Raspbian:
$ sudo apt-get update
$ sudo apt-get upgrade
- Modify raspi-config:
$ sudo raspi-config
- Password
- Localization options → time zone
- Interfacing options → SSH
- Advanced options → expand file system
reboot the Pi
- Setup a static IP
$ sudo nano /etc/dhcpcd.conf
- Edit /etc/dhcpcd.conf as follows:
Add the following after "#here is an example which configures a static address, routes and dns".
interface eth0
static ip_address=192.168.1.4/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1 8.8.8.8
save & reboot
- Set up a Key for encrypting SSH:
Generate key using puttygen
Create a new .ssh directory (if not already created by default)
$ mkdir .ssh
Change permissions on .ssh to 700 (if not done by default)
$ chmod 700 .ssh
Create a file called 'authorized_keys' using nano
$ nano ~/.ssh/authorized_keys
Copy the key from puttygen:
ssh-rsa the-really-really-long-key-created-by-puttygen-goes-here
(using the same password as on RPi)
- Save file
- Change permissions of 'authorized_keys' to 600
$ chmod 600 ~/.ssh/authorized_keys
- Restart SSH service
$ sudo service ssh restart
- Exit putty session
- Open saved session info & add key to 'auth' under SSH
- Change ssh to not allow password login
$ sudo nano /etc/ssh/sshd_config
Add the following line
PasswordAuthentication no
- Save
- Restart ssh service
$ sudo service ssh restart
- Get rid of IPv6
$ sudo nano /etc/sysctl.conf
Add:
net.ipv6.conf.all.disable_ipv6=1
- Save file
- Commit changes
$ sudo sysctl -p
- Setup duckdns
create a dynamic dns name (using duckdns)
your_domain.duckdns.org
token = your_token
- install duckdns
$ mkdir duckdns
$ cd duckdns
$ nano duck.sh
create an update script by entering the following:
echo url="https://www.duckdns.org/update?domains=your_domain&token=your_token" | curl -k -o ~/duckdns/duck.log -K -
- save file
- change permissions on file
$ sudo chmod 700 duck.sh
- set it to update the public ip every 5 minutes
$ sudo crontab -e
Pick default editor (selection 1)
Add line:
*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1
- Save file
- Test the file
$ ./duck.sh
$ cat duck.log
Should see 'OK'
- Install PiVPN:
$ curl -L https://install.pivpn.io | bash
follow on screen prompts
$ sudo apt-get upgrade
- Add client:
$ pivpn add
copy .ovpn file to phone
install 'OpenVPN Connect' app on phone
open openvpn app on phone and select .ovpn file
connect
The only thing not in here is opening the correct port on your router. I picked a really high numbered port for better anonymity.
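An added example, not part of the write-up above: a POSIX shell script that verifies the hardening steps it describes (key-only SSH, 700/600 permissions on the key directory and file, IPv6 switched off in sysctl.conf). The files it checks are constructed stand-ins in a temp directory so it runs offline; run the check functions against the real /etc/ssh/sshd_config, ~/.ssh and /etc/sysctl.conf to audit a Pi.

```shell
#!/bin/sh
# Verify the SSH/IPv6 hardening steps from the write-up (added example).
# The files below are constructed stand-ins, created in a temp directory.
ROOT="$(mktemp -d)"
mkdir -p "$ROOT/etc/ssh" "$ROOT/home/pi/.ssh"
chmod 700 "$ROOT/home/pi/.ssh"
printf 'ssh-rsa AAAA-constructed-demo-key pi@demo\n' >"$ROOT/home/pi/.ssh/authorized_keys"
chmod 600 "$ROOT/home/pi/.ssh/authorized_keys"
cat >"$ROOT/etc/ssh/sshd_config" <<'EOF'
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
EOF
printf 'net.ipv6.conf.all.disable_ipv6=1\n' >"$ROOT/etc/sysctl.conf"

# Octal permission bits of a path (GNU stat, falling back to BSD stat).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# 0 if password logins are off. sshd honours the FIRST effective
# PasswordAuthentication line, so a later "no" does not override an earlier "yes".
password_auth_disabled() {
  first=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
  [ "$first" = "no" ]
}

# 0 if the key directory is 700 and authorized_keys inside it is 600; with the
# default StrictModes, sshd ignores keys in group/world-writable locations.
key_perms_ok() {
  [ "$(mode_of "$1")" = "700" ] && [ "$(mode_of "$1/authorized_keys")" = "600" ]
}

# 0 if sysctl.conf disables IPv6 the way the write-up does.
ipv6_disabled() {
  grep -qE '^[[:space:]]*net\.ipv6\.conf\.all\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Run all checks and print PASS/FAIL per item; returns 1 if any fail.
audit() {
  rc=0
  for check in "password_auth_disabled $1/etc/ssh/sshd_config" \
               "key_perms_ok $1/home/pi/.ssh" \
               "ipv6_disabled $1/etc/sysctl.conf"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; rc=1; fi
  done
  return $rc
}

audit "$ROOT"
```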
Now the next question: I notice when I connect, I can access internal stuff via IP but not using host names. Is that because I have to set OpenVPN to use my internal DNS? What would the command for that be?
Thanks @Robbrad. I managed to alter server.conf to point to the internal DNS as primary (verified by seeing the filter rules working) but that didn't help resolve local host names. Do I need to list those one by one somewhere? I just want to be able to write 'hassio' instead of the IP...
So a follow-up question on the PiVPN setup: I've been running this successfully for a while now, and I've generated various .ovpn files for three laptops, a few Android phones and a travel router. Every device connects OK, but one of the laptops for some reason cannot see any internals, like accessing hassio:8123 or a NAS server. Connection is OK, public IP is my home IP and I can't for the life of me figure out why only that one laptop doesn't work. It's a standard Windows 10 Home, nothing special set up in any way. All other clients can access these resources as expected. Any clues?
I'm quite new to VPNs in general and I was wondering whether it is possible to act as a client on a VPN service like NordVPN and access HA via that route instead of creating a server on the Pi?
Currently I'm using a private NordVPN on my laptop, and I know I can use the same NordVPN on the RPi via OpenVPN (as a client). As mentioned, I am new to this, so please let me know if this is a very dumb idea: if I use NordVPN on my phone as well when not at home, would it be possible to connect to my RPi via that route (when choosing a dedicated VPN server)? Or is the only way to connect to HA remotely via this route hosting an OpenVPN server?
The key difference here is inbound vs outbound. NordVPN is an outbound service - it masks your traffic from your ISP to the internet. It's purely for securing your outbound traffic. You're sort of accessing the internet from the NordVPN network, hence why your public IP would change, vs accessing from your home network.
Running a local VPN is much the same but it's in the other direction. You're VPN'ing into your home network so it appears as if you're on your home network. By doing this you're accessing the internet from your home network rather than, say, your mobile network.
Think about it like this: VPN to Nord makes you on Nord. If you VPN'ed back to home you would be back on your home LAN.