In Part 4 we configured our Raspberry Pi router to maintain a number of OpenVPN tunnels and to route through them selectively. Now we'll look at the steps needed to allow connection to our LAN via OpenVPN. Although helpful, this stage doesn't really count as Usurping the BTHomeHub, as the HomeHub doesn't provide VPN connectivity in the first place.
The steps are almost completely identical to those performed when Installing OpenVPN on Debian. We're going to have to NAT connections though, as the HomeHub is a little stupid and we can't add static routes to it. If a VPN client accesses the Internet without NAT, the reply comes back to the HomeHub addressed to the client's VPN address, and the HomeHub has no idea that subnet lives behind the Pi, so the packet is dropped.
What we'll do, though, is only NAT if the destination isn't on the LAN. That way machines on the LAN see the real VPN client address, which is handy for logging and firewalling. This only works because the Pi is the default gateway for the LAN hosts (as set up earlier in the series); any host still pointing at the HomeHub as its gateway won't be able to reply to an un-NATed VPN client.
Let's get OpenVPN installed (assuming you haven't already installed it - you will have if you followed Part 4 - Using a VPN to Tunnel Connections to Specific IPs)
apt-get install openvpn
Although we installed OpenVPN in Part 4, we didn't configure the server side, as the Pi was only acting as a client. So let's configure it now, starting from the sample config shipped with the package (it's gzipped, so we need to unpack it before editing)
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz
nano /etc/openvpn/server.conf
By default, OpenVPN will hand out IP's in the 10.8.0.0/24 subnet. We'll change this to 192.168.28.0/24
# Find server 10.8.0.0 255.255.255.0 and change to
server 192.168.28.0 255.255.255.0
Save and exit (Ctrl + X,Y)
Now we need to create a CA, a server certificate, a client certificate and Diffie-Hellman parameters. We'll use the easy-rsa 2.0 scripts that ship with the openvpn package, working from /etc/openvpn/easy-rsa
mkdir -p /etc/openvpn/easy-rsa/keys
cd /etc/openvpn/easy-rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* ./
nano vars
# Set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to suit
Save and exit. The default KEY_SIZE in vars is 1024, which is why the DH file below comes out as dh1024.pem; 1024-bit keys are considered weak today, so if you set KEY_SIZE=2048 instead, you'll get dh2048.pem and need to change the dh line in server.conf to match. Now we'll generate the keys - accept the default Common Name of 'server' for the server certificate, and sign and commit each certificate when prompted
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
cp keys/server.crt keys/server.key keys/ca.crt keys/dh1024.pem /etc/openvpn
# Set up a TLS auth key (a shared secret that both server and clients need)
cd /etc/openvpn
openvpn --genkey --secret ta.key
Next we need to configure OpenVPN to use the keys, so open /etc/openvpn/server.conf again;
# Make sure the ca, cert, key and dh lines point at ca.crt, server.crt, server.key and dh1024.pem (the sample config's defaults, so they should already be correct).
# Also make sure the following lines exist (uncomment them if needed)
tls-auth ta.key 0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.250"
Save any changes and exit. The first line adds an HMAC signature to the TLS handshake packets, so anything not signed with ta.key is dropped before the (comparatively expensive) TLS handshake even starts, which helps stave off DoS attacks and port scans. The second tells clients to route all their traffic over the VPN, and the third tells clients to use our DNS server. Some versions of Windows may have issues with the DNS option.
Configuring Network Address Translation
As stated above, if the address a client is trying to contact is off-LAN we want to NAT, if it's on the LAN then we won't. So we need to add a rule to iptables, matching the 192.168.28.0/24 subnet we gave the VPN and excluding our 192.168.1.0/24 LAN as the destination. This also relies on IP forwarding being enabled (net.ipv4.ip_forward=1), which it already is if you followed Part 4.
iptables -t nat -A POSTROUTING -s 192.168.28.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
Note that this rule isn't saved across reboots, so add it wherever you're restoring the rules from Part 4 (or install iptables-persistent).
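To make the rule set reviewable and safe to run more than once, here is an added example (not from the original post) that prints the rules as commands, and applies each one only if it isn't already loaded. It assumes the tunnel interface is tun0 and adds the FORWARD rules the Pi needs if its FORWARD chain policy is DROP (they're harmless if it is ACCEPT); the subnets are the ones used above.

```shell
#!/bin/sh
# Added example: generate and idempotently apply the VPN forwarding/NAT rules.
# Assumptions: VPN subnet 192.168.28.0/24, LAN 192.168.1.0/24, tunnel device tun0.
VPN_NET=192.168.28.0/24
LAN_NET=192.168.1.0/24
TUN_IF=tun0

# Print the rules without applying them, one "iptables ..." command per line.
# Args (all optional): vpn_subnet lan_subnet tun_interface
nat_rules() {
    vpn="${1:-$VPN_NET}"; lan="${2:-$LAN_NET}"; tun="${3:-$TUN_IF}"
    # Let packets pass between the tunnel and everything else.
    echo "iptables -A FORWARD -i $tun -s $vpn -j ACCEPT"
    echo "iptables -A FORWARD -o $tun -d $vpn -j ACCEPT"
    # Masquerade VPN clients only when the destination is off-LAN
    # (no -o restriction, so traffic routed out via the Part 4 tunnels is NATed too).
    echo "iptables -t nat -A POSTROUTING -s $vpn ! -d $lan -j MASQUERADE"
}

# Apply each rule only if it is not already present: "iptables -C" returns 0
# when an identical rule exists, so re-running this never duplicates rules.
apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_rules "$@" | while IFS= read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        if ! $check >/dev/null 2>&1; then
            $cmd
        fi
    done
}

# Number of rules nat_rules emits (handy as a sanity check).
rule_count() { nat_rules "$@" | wc -l | tr -d ' '; }

# Run with "apply" (as root) to load the rules; with no argument, just print them.
if [ "${1:-}" = "apply" ]; then
    apply_nat_rules
else
    nat_rules
fi
```

Run it as `sh vpn-nat.sh` first to eyeball the rules, then `sudo sh vpn-nat.sh apply`. Because the apply step is idempotent, it can be called from the same boot-time script that restores the Part 4 rules.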
Enabling the service
Let's start OpenVPN and then configure it to start at boot
service openvpn start
update-rc.d openvpn defaults
Configure Port Forwarding
Although our server is up and running, we won't be able to connect to it externally as the NAT firewall on the HomeHub will block our connection. Helpfully, it doesn't have a profile for OpenVPN so we'll need to create one. Log into the web interface of the HomeHub and perform the following steps
Settings --> (Enter Password) --> Advanced Settings --> Click 'Continue to Advanced Settings' *grumble* --> Port Forwarding --> Supported Applications --> Add new game or application
Use the following settings
- Game/application name: OpenVPN
- Protocol: UDP
- Port Range: 1194, 1194
- Translate To: 1194,1194
Click 'Add', then 'Apply'
Select 'OpenVPN' as the application, and set the device to match the hostname of your Raspberry Pi (mine is RaspPirouter, yours will be whatever you set in Part One), then click 'Add'.
Finally, click 'Apply'
Configure a Client
We should, in principle, now be able to connect to the VPN from the outside world. In reality, though, we've not actually configured a client, so let's do that now.
When we created our keys, we also created a certificate and key for a client called 'client1'. We now need to get a copy of those onto our client (let's assume it's a laptop), along with the CA certificate and the TLS auth key. We can use scp to grab the data
ben@laptop:~$ mkdir VPNs && cd VPNs
ben@laptop:~/VPNs$ scp root@rasppirouter:/etc/openvpn/easy-rsa/keys/client1.* ./
ben@laptop:~/VPNs$ scp root@rasppirouter:/etc/openvpn/easy-rsa/keys/ca.crt ./
ben@laptop:~/VPNs$ scp root@rasppirouter:/etc/openvpn/ta.key ./
ben@laptop:~/VPNs$ chmod 600 client1.key ta.key
client1.key is the client's private key and ta.key is the shared HMAC secret, so keep them readable only by you, and don't send them over anything less secure than scp.
Now we need to create a config file. The sample client.conf shipped with the openvpn package is a good starting point; point its ca, cert and key lines at ca.crt, client1.crt and client1.key, and make sure these two lines are set (note the key direction is 1 on the client, as opposed to 0 on the server)
remote [HOME IP OR FQDN] 1194
tls-auth ta.key 1
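Carrying four separate files around is a nuisance, so here is an added example (not from the original post) that bundles everything we copied from the Pi into a single client1.ovpn with the certificates and keys inlined. It assumes the files sit in the VPNs directory with the names used above, and that the client runs OpenVPN 2.3 or later (needed for key-direction); the hostname passed to it is a placeholder.

```shell
#!/bin/sh
# Added example: build a self-contained client1.ovpn from the files copied from the Pi.
# Assumes ca.crt, client1.crt, client1.key and ta.key are in the given directory.

# Emit a file wrapped in OpenVPN's inline <tag>...</tag> markers.
inline_section() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# Usage: build_ovpn remote [port] [dir] [client_name]   -> config on stdout
build_ovpn() {
    remote="$1"; port="${2:-1194}"; dir="${3:-.}"; name="${4:-client1}"
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a peer whose certificate was issued for server use, so a
# stolen client certificate can't be used to impersonate our Pi.
remote-cert-tls server
# Client side of tls-auth (0 on the server); replaces "tls-auth ta.key 1"
# when the key is inlined below.
key-direction 1
verb 3
EOF
    inline_section ca "$dir/ca.crt"
    inline_section cert "$dir/$name.crt"
    inline_section key "$dir/$name.key"
    inline_section tls-auth "$dir/ta.key"
}

# e.g. sh build-ovpn.sh example.no-ip.com 1194 ~/VPNs > ~/VPNs/client1.ovpn
if [ $# -gt 0 ]; then
    build_ovpn "$@"
fi
```

The remote-cert-tls check works because build-key-server signed the Pi's certificate with the server extensions (extendedKeyUsage serverAuth); certificates made with plain build-key don't carry them and will be rejected as a peer. Treat the resulting .ovpn like the private key it now contains.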
We set up a Dynamic DNS Client in Part Three, so you should be able to enter something like example.no-ip.com as your FQDN rather than a home IP that may change.
Now we should be able to connect to the VPN from the outside world, and once connected, our traffic is also subject to the various routing rules we implemented in Part Four.