Raspberry Pi owners should make sure access to their Pi from the internet is secure. It's possible to use ssh tunneling, but the most secure and universal method is to use OpenVPN. That way all ports on the Pi can be accessed from a remote client via the internet in a secure way. The following article describes how to install and configure OpenVPN on the Pi and how to install and configure an OpenVPN client to access your Pi from the internet in a secure way. This configuration uses the simple variant, which only allows one client at a time to connect and is sufficient in most cases. The client configuration description covers Linux and Windows 7.

The following variant can be configured very quickly and is generally sufficient, but has some restrictions to keep in mind:
 
1) Only one client can connect at a time
2) The secret key has to be stored in plaintext on the server and client
3) If the key is lost, a new key has to be generated immediately
4) The secret key has to be transferred to the client over a secure channel
 
Configuration consists of the following steps:
 
1) Register a dynamic DNS name
2) Installation and configuration of OpenVPN on PI
3) Installation and configuration of OpenVPN client on a Linux or Windows client
4) Forward the OpenVPN port on your local router
5) Enable the OpenVPN port of the Pi firewall
 
Register a dynamic DNS name
 
In order to access your Pi from the internet under the same name, you need a router which supports dynamic DNS and you have to order a dynamically updateable hostname. The most prominent provider is dyndns, but there are also other providers available. After successful registration you have to configure your router to register its current internet IP with the provider. Consult your router manual.
 
Installation and configuration of OpenVPN on PI
 
Install OpenVPN with
sudo apt-get install openvpn 
 
Now change into the OpenVPN config directory and generate the secret key
sudo bash -c "cd /etc/openvpn; openvpn --genkey --secret static.key"
 
Now you have to create /etc/openvpn/tun0.conf with your favorite editor with the following contents:
dev tun0
ifconfig 10.0.0.1 10.0.0.2
secret static.key
 
or just execute the following command:
sudo bash -c 'echo -e "dev tun0\nifconfig 10.0.0.1 10.0.0.2\nsecret /etc/openvpn/static.key" > /etc/openvpn/tun0.conf'
 
10.0.0.1 is the IP of your server and 10.0.0.2 is the IP of the client.
 
Start OpenVPN now with
sudo service openvpn start
The OpenVPN server will now be started every time you reboot the Raspberry.
 
You now can check whether the OpenVPN network is available
ifconfig tun0
 
and should get the following result
pi@raspbmc:~$ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.0.0.1  P-t-P:10.0.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:634 errors:0 dropped:0 overruns:0 frame:0
          TX packets:518 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:82048 (80.1 KiB)  TX bytes:592159 (578.2 KiB)
 
Installation and configuration of OpenVPN Clients on a Linux or Windows Client
 
Linux:
Install OpenVPN with
sudo apt-get install openvpn
 
In order to be able to access your Pi from the internet you have to use a dyndns service where the current IP of your router at home is registered. The example uses pi.mydyndns.org, which has to be adapted accordingly.
 
Create file /etc/openvpn/tun0.conf with the following contents (update your dyndns name accordingly):
remote pi.mydyndns.org
dev tun0
ifconfig 10.0.0.2 10.0.0.1
secret static.key
 
or just execute the following command (update your dyndns name accordingly):
sudo bash -c 'echo -e "remote pi.mydyndns.org\ndev tun0\nifconfig 10.0.0.2 10.0.0.1\nsecret static.key" > /etc/openvpn/tun0.conf'
 
Now copy /etc/openvpn/static.key from the server to your client into directory /etc/openvpn
 
Start the OpenVPN client
sudo service openvpn start
 
 
You now can check whether the OpenVPN network is available
ifconfig tun0
 
and should get the following result
pi@raspbmc ~ $ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.0.0.2  P-t-P:10.0.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
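
The following script is an added example, not part of the original article: it audits the static-key setup described above by checking that the key file named in the secret directive is closed to group and others, printing its SHA-256 fingerprint so the server and client copies can be compared without sending the key again, and confirming that the two ifconfig lines mirror each other. The function names are hypothetical, and resolving a relative secret path against the config's directory assumes the service starts OpenVPN from that directory.

```shell
#!/bin/sh
# Added example: audit a static-key OpenVPN config (function names are hypothetical).

# Print the arguments of the first "$2" directive found in config file $1.
conf_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print the key file path named by "secret". A relative path is resolved against
# the config's directory (assumption: the service starts OpenVPN from there).
key_path() {
    k=$(conf_get "$1" secret | awk '{ print $1 }')
    [ -n "$k" ] || return 1
    case "$k" in
        /*) printf '%s\n' "$k" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$k" ;;
    esac
}

# Succeed only if the key exists and group/others have no permissions on it.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the SHA-256 of a key file; run on both machines and compare the output.
key_fingerprint() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Succeed if the client's "ifconfig local remote" pair is the server's pair swapped.
endpoints_mirrored() {
    set -- $(conf_get "$1" ifconfig) $(conf_get "$2" ifconfig)
    [ $# -eq 4 ] && [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

# Audit one config file: report the first problem found, or the key fingerprint.
audit_conf() {
    key=$(key_path "$1") || { echo "FAIL: no secret directive in $1"; return 1; }
    key_is_private "$key" || { echo "FAIL: $key missing or open to group/others"; return 1; }
    echo "OK: $1 uses $key sha256=$(key_fingerprint "$key")"
}

# Usage: sh audit.sh /etc/openvpn/tun0.conf
if [ $# -ge 1 ]; then audit_conf "$1"; fi
```

Run it on the server and on the client; the two fingerprints must be identical, otherwise the copied key is damaged or is not the key the server uses.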
 
Windows:
Install OpenVPN according to this description or this description.
 
Now create on the client, in directory "C:\Program Files\OpenVPN\config\", a file called pi.ovpn with the following contents (update your dyndns name accordingly):
remote pi.mydyndns.org
dev tun0
ifconfig 10.0.0.2 10.0.0.1
secret static.key
 
Copy the file /etc/openvpn/static.key from the server to the client into "C:\Program Files\OpenVPN\config\".
 
Now start the OpenVPN client with the OpenVPN GUI by selecting the previously created config file pi.ovpn.
 
Forward OpenVPN port on your local router
 
OpenVPN uses port 1194. You have to configure your local router to forward port 1194 to your Raspberry. Please check the router's manual for instructions. Usually you have to forward port 1194 to the IP address of your Raspberry and use the same port number 1194. Don't forget to configure your router to register its current external IP address with your dynamic DNS provider.
 
Enable OpenVPN port on PI firewall (required only on raspbmc)
 
Edit the file /etc/network/if-up.d/secure-rmc so that it finally has the following content (the two lines for port 1194 are new):
 
logger -t iptables "Configuring ip tables for interface $IFACE"
if [ "$IFACE" != "lo" ]; then
    NETMASK=$(get_subnet $IFACE)
    iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
    iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    iptables -A INPUT -s $NETMASK -i $IFACE -j ACCEPT
    iptables -A INPUT -i $IFACE -j DROP
fi
 
How to access raspberry pi:
Now you can access IP 10.0.0.1 from your client, which is the OpenVPN IP of your Raspberry. If you want to access the Pi webserver just enter http://10.0.0.1 in your client's browser. All ports on the Pi, as well as access to Windows shares or NFS, also work as long as you use the IP 10.0.0.1.
 
Additional Links
 
OpenVPN static mini howto


Comments   

0 #6 antonfrank 2015-01-05 01:20
great post, really love it!
greets, Wilfried
0 #5 framp 2014-06-25 21:24
If the OpenVPN server is up and running you can use any openvpn client to connect to the server. Is your server in your local network connected to an internet router? Then you have to set up a dynamic DNS and create port forwarding rules in your router in order to get to your OpenVPN server.
0 #4 Enzo 2014-06-25 12:17
I don't have a PI, I have an ATV running Crystalbuntu 2.0...
I followed the instructions "Installation and configuration of OpenVPN on PI" which seem to have worked as I get the tun0 result you describe. But where do I go from there? As far as I can tell, I am not actually connected through the VPN, as an IP address call still gives me my current location's IP address.
0 #3 framp 2014-06-24 21:27
Not sure I get your question. You setup your pi to open a vpn and connect from a client using the dynamic DNS name.
0 #2 Enzo 2014-06-22 23:21
Hi, bit of a newb here...
I followed your instructions and all seems to work as you describe. But how do I connect to openVPN using my credentials (user/pass) and connect the atv through openVPN to a country's IP? i.e usa, UK etc.
Cheers
0 #1 Enzo 2014-06-22 23:19
Hi, bit of a newb here...
I followed your instructions and all seems fine. But how do I configure openVPN to use my credentials (user/pass) and connect the atv to a country's IP? i.e. usa, UK etc...
Cheers