Usurping the BTHomeHub with a Raspberry Pi: Part 5 - Inbound OpenVPN

In Part 4 we configured our Raspberry Pi router to maintain a number of OpenVPN tunnels and to route through them selectively. Now we'll look at the steps needed to allow connection to our LAN via OpenVPN. Although helpful, as the HomeHub doesn't provide VPN connectivity, this stage doesn't really count as Usurping the BTHomeHub.

The steps are almost completely identical to those performed when Installing Open VPN on Debian. We're going to have to NAT connections though, as the HomeHub is a little stupid and we can't add static routes to it (so if we're connected to the VPN and accessing the Internet, it won't know where to route the response packets).

What we'll do, though, is only NAT if the connection isn't to something on the LAN.


Install OpenVPN

Let's get OpenVPN installed (assuming you haven't already installed it - you will have if you followed Part 4 - Using a VPN to Tunnel Connections to Specific IPs

apt-get install openvpn


Configure OpenVPN

Although we installed OpenVPN in Part 4, we didn't configure the server as it was acting as a client. So let's configure it now

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn/
gunzip server.conf.gz

By default, OpenVPN will hand out IP's in the subnet. We'll change this to

nano server.conf

# Find server and change to

Save and exit (Ctrl + X,Y)

Now we need to create some keys and certificates

cd /etc/openvpn
mkdir easy-rsa/keys -p
cd easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* ./
cd easy-rsa
nano vars

# Set these to suit
export KEY_CITY="Ipswich"
export KEY_ORG="myserver"
export KEY_EMAIL=""

Save and exit, now we'll generate the keys

. vars
./build-key-server server
./build-key client1
cd keys
cp server.crt server.key dh1024.pem /etc/openvpn
cd /etc/openvpn

# Setup a TLS Key
openvpn --genkey --secret ta.key

Next we need to configure OpenVPN to use the keys;

nano /etc/openvpn/server.conf

# Make sure your keys are defined as server.crt and server.key (should probably already be).
# Also make sure the following lines exist
tls-auth ta.key 0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS

Save any changes and exit. The first line implements HMAC authentication (which can help stave off DoS attacks), the second tells clients to route all traffic over the VPN, and the third tells clients to use our DNS server. - Some versions of Windows may have issues with this.


Configuring Network Address Translation

As stated above, if the address a client is trying to contact is off-LAN we want to NAT, if it's on the LAN then we won't. So we need to add a rule to iptables.

iptables -t nat -A POSTROUTING -s -d '!' -j MASQUERADE


Enabling the service

Let's start OpenVPN and then configure it to start at boot

service openvpn start
update-rc.d openvpn defaults


Configure Port Forwarding

Although our server is up and running, we won't be able to connect to it externally as the NAT firewall on the HomeHub will block our connection. Helpfully, it doesn't have a profile for OpenVPN so we'll need to create one. Log into the web interface of the HomeHub and perform the following steps

Settings --> (Enter Password) --> Advanced Settings --> Click 'Continue to Advanced Settings' *grumble* --> Port Forwarding --> Supported Applications --> Add new game or application

Use the following settings

  • Game/application name: OpenVPN
  • Protocol: UDP
  • Port Range: 1194, 1194
  • Translate To: 1194,1194

Click 'Add', then 'Apply'

Port Forwarding

Select 'OpenVPN' as the application, and set the device to match the hostname of your Raspberry Pi (mine is RaspPirouter, yours will be whatever you set in Part One), Then Click 'Add'.

Finally, click 'Apply'


Configure a Client

We should, in principle, now be able to connect to the VPN from the outside world. In reality, though, we've not actually configured a client so let's do that now

When we created our keys, we also created one for a client called 'client1'. We now need to get a copy of those keys onto our client (let's assume it's a laptop). We can use scp to grab the data

ben@laptop:~ mkdir VPNs

ben@laptop:~ scp root@rasppirouter://etc/openvpn/easy-rsa/keys/client1.* ./
ben@laptop:~ scp root@rasppirouter://etc/openvpn/easy-rsa/keys/ca.crt ./
ben@laptop:~ scp root@rasppirouter://etc/openvpn/ta.key ./

Now we need to create a config file

nano home.ovpn
dev tun
port 1194
proto udp
remote [HOME IP OR FQDN] 1194

ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1


We set up a Dynamic DNS Client in Part Three, so hopefully you should be able to enter something like as your FQDN.

Now, we should be able to connect to the VPN from the outside world. Connections should also be subject to the various routing rules we implemented in Part Four.


Usurping the BTHomeHub with a Raspberry Pi: Part 6 - Conclusion