Raspberry Pi owners should make sure access to their Pi from the internet is secure. It's possible to use ssh tunneling, but the most secure and universal method is to use OpenVPN. That way all ports on the Pi can be accessed securely from a remote client via the internet. The following article describes how to install and configure OpenVPN on the Pi and how to install and configure an OpenVPN client to access your Pi securely from the internet. This configuration uses the simple variant, which only allows one client at a time to connect and is sufficient in most cases. The client configuration description covers Linux and Windows 7.

The following variant can be configured very quickly and is generally sufficient, but it has some restrictions to keep in mind:
 
1) Only one client can be connected at a time
2) The secret key has to be stored in plaintext on the server and the client
3) If the key is lost, a new key has to be generated immediately
4) The secret key has to be transferred to the client over a secure channel
 
The configuration consists of the following steps:
 
1) Register a dynamic DNS name
2) Installation and configuration of OpenVPN on PI
3) Installation and configuration of OpenVPN client on a Linux or Windows client
4) Forward the OpenVPN port on your local router
5) Enable the OpenVPN port of the Pi firewall
 
Register a dynamic DNS name
 
In order to access your Pi from the internet under the same name every time, you need a router which supports dynamic DNS and you have to order a dynamically updateable hostname. The most prominent provider is dyndns, but there are also other providers available. After successful registration you have to configure your router to register its current internet IP with the provider. Consult your router manual.
 
Installation and configuration of OpenVPN on PI
 
Install OpenVPN with
sudo apt-get install openvpn 
 
Now change into the OpenVPN config directory and generate the secret key
sudo bash -c "cd /etc/openvpn; openvpn --genkey --secret static.key"
 
Now you have to create /etc/openvpn/tun0.conf with your favorite editor with the following contents:
dev tun0
ifconfig 10.0.0.1 10.0.0.2
secret static.key
 
or just execute the following command:
echo -e "dev tun0\nifconfig 10.0.0.1 10.0.0.2\nsecret /etc/openvpn/static.key" | sudo tee /etc/openvpn/tun0.conf
 
10.0.0.1 is the IP of your server and 10.0.0.2 is the IP of the client.
 
Start OpenVPN now with
sudo service openvpn start
The OpenVPN server will now be started every time you reboot the Raspberry.
 
You can now check whether the OpenVPN network is available with
ifconfig tun0
 
and should get the following result
pi@raspbmc:~$ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.0.0.1  P-t-P:10.0.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:634 errors:0 dropped:0 overruns:0 frame:0
          TX packets:518 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:82048 (80.1 KiB)  TX bytes:592159 (578.2 KiB)
 
Installation and configuration of OpenVPN Clients on a Linux or Windows Client
 
Linux:
Install OpenVPN with
sudo apt-get install openvpn
 
In order to be able to access your Pi from the internet you have to use a dyndns service where the current IP of your router at home is registered. The example uses pi.mydyndns.org, which has to be adapted accordingly.
 
Create file /etc/openvpn/tun0.conf with the following contents (update your dyndns name accordingly):
remote pi.mydyndns.org
dev tun0
ifconfig 10.0.0.2 10.0.0.1
secret static.key
 
or just execute the following command (update your dyndns name accordingly):
echo -e "remote pi.mydyndns.org\ndev tun0\nifconfig 10.0.0.2 10.0.0.1\nsecret static.key" | sudo tee /etc/openvpn/tun0.conf
 
Now copy /etc/openvpn/static.key from the server to your client into directory /etc/openvpn
 
Start the OpenVPN client
sudo service openvpn start
 
 
You can now check whether the OpenVPN network is available with
ifconfig tun0
 
and should get the following result
pi@raspbmc ~ $ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.0.0.2  P-t-P:10.0.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
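
An added example, not part of the original article: shell functions to check the copied static.key on either machine and to compare its fingerprint with the one taken on the Pi. The function names are made up for this example, and GNU `stat -c` and `sha256sum` are assumed.

```shell
#!/bin/bash
# Added example (not from the original article): checks for the OpenVPN
# static key file. All function names here are hypothetical.

# Print the SHA-256 fingerprint of a key file (hash only, no file name).
key_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 only if the file is a static key and is readable by its owner only.
check_key_file() {
    local key="$1" mode
    [ -f "$key" ] || { echo "missing: $key"; return 1; }
    grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$key" \
        || { echo "not an OpenVPN static key: $key"; return 1; }
    mode=$(stat -c '%a' "$key")     # GNU stat, prints e.g. 600 or 644
    case "$mode" in
        *00) ;;                     # no group or other permission bits
        *) echo "mode $mode exposes $key to other users; run: chmod 600 $key"
           return 1 ;;
    esac
    echo "ok: $key (mode $mode)"
}

# Return 0 if the local copy ($1) has the fingerprint ($2) that was printed
# on the Pi and read over a channel you trust.
verify_copy() {
    [ "$(key_fingerprint "$1")" = "$2" ]
}

# When called with a key path, run the check and print the fingerprint:
#   sudo bash keycheck.sh /etc/openvpn/static.key
if [ "$#" -gt 0 ]; then
    check_key_file "$1" && key_fingerprint "$1"
fi
```

Run it once on the Pi and once on the client; the two fingerprints must be identical before the tunnel is started.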
 
Windows:
Install OpenVPN according to this description or this description.
 
Now create on the client in directory "C:\Program Files\OpenVPN\config\" a file called pi.ovpn with the following contents (update your dyndns name accordingly):
remote pi.mydyndns.org
dev tun0
ifconfig 10.0.0.2 10.0.0.1
secret static.key
 
Copy the file /etc/openvpn/static.key from the server to the client into "C:\Program Files\OpenVPN\config\".
 
Now start the OpenVPN client with the OpenVPN GUI by selecting the previously created config file pi.ovpn.
 
Forward OpenVPN port on your local router
 
OpenVPN uses port 1194. You have to configure your local router to forward port 1194 to your Raspberry. Please check the router's manual for instructions. Usually you have to forward port 1194 to the IP address of your Raspberry and use the same port number 1194. Don't forget to configure your router to register its current external IP address at your dynamic DNS provider.
 
Enable OpenVPN port on PI firewall (required only on raspbmc)
 
Edit the file /etc/network/if-up.d/secure-rmc so that it finally has the following content (the two lines for port 1194 are new):
 
logger -t iptables "Configuring ip tables for interface $IFACE"
if [ "$IFACE" != "lo" ]; then
    NETMASK=$(get_subnet $IFACE)
    iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
    iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    iptables -A INPUT -s $NETMASK -i $IFACE -j ACCEPT
    iptables -A INPUT -i $IFACE -j DROP
fi
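
An added check, not part of the original article: the function below reads `iptables -S INPUT` output and confirms that the ACCEPT for udp/1194 is evaluated before the catch-all DROP, since iptables uses the first matching rule. The sample listing is constructed; eth0 and 192.168.1.0/24 are assumed values and the function names are made up.

```shell
#!/bin/bash
# Added example (not from the original article). The configs above set no
# `proto`, so OpenVPN uses its default, UDP; that is the rule checked here.

# Read `iptables -S INPUT` style lines on stdin; return 0 if an ACCEPT for
# udp/1194 comes before the first catch-all DROP, 1 otherwise.
check_vpn_rule_order() {
    awk '
        /^-A INPUT / && /-p udp / && /--dport 1194( |$)/ && /-j ACCEPT$/ {
            if (!accept) accept = NR
        }
        # catch-all DROP: not narrowed by a port or source match
        /^-A INPUT / && /-j DROP$/ && !/--dport/ && !/ -s / {
            if (!drop) drop = NR
        }
        END {
            if (!accept) { print "no ACCEPT rule for udp/1194"; exit 1 }
            if (drop && drop < accept) {
                print "DROP on line " drop " is hit before the udp/1194 ACCEPT on line " accept
                exit 1
            }
            print "udp/1194 ACCEPT (line " accept ") is evaluated before any catch-all DROP"
        }'
}

# Constructed sample of what `sudo iptables -S INPUT` prints once the
# script above has run for eth0 (interface and subnet are assumed).
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A INPUT -i eth0 -j DROP
EOF
}

sample_rules | check_vpn_rule_order
# On the Pi itself: sudo iptables -S INPUT | check_vpn_rule_order
```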
 
How to access raspberry pi:
Now you can access IP 10.0.0.1 from your client, which is the OpenVPN IP of your Raspberry. If you want to access the Pi webserver, just enter http://10.0.0.1 in your client's browser. All ports on the Pi, as well as access to Windows shares or NFS, also work as long as you use the IP 10.0.0.1.
 
Additional Links
 
OpenVPN static mini howto