Amahi Wiki - User contributions [en]

OpenVPN

2014-11-06T20:40:41Z

Arthur:

OpenVPN custom certificates

2014-11-06T20:39:59Z

Arthur:

The default OpenVPN install for Amahi will work with the certificates provided on the wiki, however there are a couple of reasons you may not want to use these. One, you can only have one client connected to the VPN at a time with these certificates and two, security best practices would advise against allowing the same certificate for all devices. Follow the instructions below to reconfigure your OpenVPN instance for use with multiple certificates. All commands are issued from the CLI as the root user unless noted otherwise.

Step 1: Copy the necessary easy-rsa files to the openvpn directory in etc

<pre>cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa</pre>

Step 2: Navigate to the directory you just copied

<pre>cd /etc/openvpn/easy-rsa</pre>

Step 3: Backup, then modify the variables in the vars file

<pre>cp vars vars.backup</pre>

This creates a backup of the original file

<pre>nano vars</pre>

This is the command we will use to modify the variables in the vars file

The primary variable we are looking is (ctrl+w to search):

<pre>export EASY_RSA = “`pwd`”</pre>

You want to change this variable to this:

<pre>export EASY_RSA=”/etc/openvpn/easy-rsa”</pre>

OPTIONAL

You can also change the cipher strength in this file. If you wish to do this, the variable you are looking for is:

<pre>export KEY_SIZE=1024</pre>

You can bump this number up to 2048 to increase security, however you may notice a decrease in speeds over the VPN if you do so.

Step 4: The next step here is to build your new CA on your server. Issue the commands below:

First, be sure you are still in the /etc/openvpn/easy-rsa directory. Issuing the pwd command will display the directory you currently working in. If it is anything other than /etc/openvpn/easy-rsa, issue the following command:

<pre>cd /etc/openvpn/easy-rsa</pre>

Now issue the following commands to build the new CA:

<pre>source ./vars</pre>

This command loads the vars file you modified in step 3.

<pre>./clean-all</pre>

This command will remove anything in the /keys directory. There is most likely nothing in the directory at this point (if there is, back it up!).

<pre>./build-ca</pre>

This command will build the CA. You will be asked various questions, note that you do not need to modify any of these values. You can just hit enter and it will use the default displayed values.

Step 5: We now build the keys for the server with the following commands.

</pre>./build-key-server [HDA NAME HERE (no brackets)]</pre>

You will again be asked many questions. Default values should all be OK. Ensure that the 'common name' lines up with the HDA name you typed previously.

When asked for a challenge password, leave it blank

When asked to sign the certificate, type y

When asked to commit, type y

Step 6: Create certificates for each of your clients with the commands below:

<pre>./build-key-pass UserName(or client name, or whatever will identify this for you)</pre>

Enter a PEM password and confirm. This can be whatever you want.

You will be asked many questions again. You can leave these at the default values or modify them if you wish.

When asked for a challenge password, leave this field blank.

When asked to sign the certificate, type y

REPEAT THIS STEP FOR EACH CLIENT

After you have created certs/keys for each of your clients, move on to the next step.

Step 6: The next step is to change the encryption method of the client keys to be used. We will be using triple des in this tutorial, but you can use other encryption methods if you wish.

<pre>Cd keys</pre>

This command moves us to the keys directory.

<pre>Openssl rsa -in KEYNAMEFROMSTEP6.key -des3 -out KEYNAMEFROMSTEP6.3des.key</pre>

This command creates an encrypted key. Keep in mind the original key will not be impacted when doing this. You will be asked for a pass phrase. Use whatever you wish here, but do not leave this blank.

REPEAT THIS STEP FOR ALL THE KEYS CREATED IN STEP 6

Once you have created your 3des keys, move on to the next step.

Step 7: This step will be to build the diffie-hellman key exchange for the server.

<pre>Cd /etc/openvpn/easy-rsa/</pre>

This moves us back to the easy-rsa directory.

<pre>./build-dh</pre>

Depending on your system specs this can take some time, but it is typically pretty fast.

Step 8: Now we will generate an HMAC key for DoS protection.

<pre>Openvpn --genkey --secret keys/ta.key</pre>

Please note that copying and pasting this command may cause formatting issues. The lines in the command need to be two hyphens back to back without spaces.

OK, now we are getting close to the home stretch.

Step 9: In this step we will backup then modify the openvpn.conf file.

<pre>Cd /etc/openvpn</pre>

Change directory to the openvpn directory

<pre>cp openvpn.conf openvpn.conf.backup</pre>

This backs up the default config

<pre>nano openvpn.conf</pre>

You can use this [http://fpaste.org/136131/11574407/ config file] as a template. You will need to change the indicated fields as necessary. You will need to setup IP forwarding if you wish to browse LAN devices and the internet while on the VPN. This information can be found elsewhere in the Amahi wiki.

Step 10: In this step we will create a template file for a script to create ovpn files.

Use [http://fpaste.org/136132/ this file] as a template. Name the file Default.txt

Step 11: In this step we will download a script to create your ovpn files for you.

<pre>Cd /etc/openvpn/easy-rsa/keys</pre>

First we move to the keys directory

Download [https://gist.github.com/laurenorsini/10013430 this script] to the keys directory and call it makeovpn.sh

Now we need to make the script executable

<pre>chmod +x makeovpn.sh</pre>

Step 12: Run the script created in step 12 for each client you created in step 6.

<pre>./makeovpn.sh</pre>

When the script runs it will ask you for a client name you created in step 6. Enter the name and press enter. You may see some errors, but the file should still be created and be usable.

And that is it. You have now got everything you need to connect multiple clients to your VPN.

The following link was used as a primary source for the bulk of this tutorial:

[http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing Raspberry Pi VPN Tutorial]

OpenVPN

2014-11-06T01:21:40Z

Arthur:

Going forward, you will need to install the Amahi [http://www.amahi.org/apps/openvpn OpenVPN] application.

'''You need to forward one port (1194/UDP) to your HDA's IP''' to enable your OpenVPN service from outside your network.

You will also need client software.

Once connected from outside your network, your computer becomes virtually a computer in your home network. All your files and services are as easily accessible as when you are at home.

'''NEW! You can now use your amahi.org [https://www.amahi.org/user control panel] to test your VPN remotely!'''

= Overview =

There are two requirements for Remote Access to work:

* On the client side, you need to be running a client
** We provide one for Windows, pre-configured for Amahi
** We recommend one for the Mac, which requires some manual configuration
** The client for Linux comes with most distros and uses the same settings as the Mac
* Your router needs to forward '''UDP port 1194''' to the IP address of your HDA. The way to do this is through port forwarding, which varies from router to router. Make sure you forward UDP (not TCP)

= OpenVPN Clients =

Check the page for [[OpenVPN clients]].

= Port Forwarding References =

* Massive database of [http://www.portforward.com/english/routers/port_forwarding/routerindex.htm port forwarding] information by router.
* [http://www.youtube.com/watch?v=GWPUdW1kIJA YouTube Video] on Port Forwarding for Linksys Routers.

= Bridging VPN and eth0 =

If you'd like your VPN clients to get IP addresses in the same subnet as your HDA, and not in the 10.8.0.0/24 subnet (default), read this page: [[VPN Bridging]].

= IP Forwarding (Ubuntu) =

Something that is often asked on the forums is how to have access to your remote LAN's resources while connected to your HDA. One way to accomplish this is through bridging VPN and eth0 on your HDA. This process may not be necessary for some users and a script has been developed by user olson of the forum to accomplish this task. Not only with this script allow for a user to browse to their remote LAN's resources, the user will also be able to browse the internet while connected to their VPN. Below is the script and instructions for how to run it. Please keep in mind that this is for Ubuntu based HDA's ONLY.

<pre>#!/bin/bash
log_file="/tmp/openvpn_extra.log"

function log()
{
echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@" >> $log_file
echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@"
}

# Enable it right now
if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then
log "FATAL: could not enable ip_forward for immediate use"
exit 1
fi

if ! iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; then
log "FATAL: could not set iptables for immediate use"
exit 1
fi

#set it up so it does it at startup
if ! sed -i 's/#net.ipv4.ip_forward=.*\+/net.ipv4.ip_forward=1/' /etc/sysctl.conf; then
log "FATAL: could not set ip_forward permanantly"
exit 1
fi
if ! sh -c "iptables-save > /etc/iptables.rules"; then
log "FATAL: could not set iptables permanantly"
exit 1
fi

sudo cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF

sudo cat > /etc/network/if-post-down.d/iptablessave <<EOF
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
iptables-restore < /etc/iptables.downrules
fi
exit 0
EOF

if ! chmod +x /etc/network/if-post-down.d/iptablessave; then
log "FATAL: Could not chmod the iptablessave script"
exit 1
fi
if ! chmod +x /etc/network/if-pre-up.d/iptablesload; then
log "FATAL: Could not chmod the iptablesload script"
exit 1
fi

echo "Done"

exit 0
</pre>

You can then run the script with the following command from the CLI:

sudo bash openvpn_extra.sh

= Generating your own certificates in OpenVPN for Amahi =

The default OpenVPN install for Amahi will work with the certificates provided on the wiki, however there are a couple of reasons you may not want to use these. One, you can only have one client connected to the VPN at a time with these certificates and two, security best practices would advise against allowing the same certificate for all devices. Follow the instructions below to reconfigure your OpenVPN instance for use with multiple certificates. All commands are issued from the CLI as the root user unless noted otherwise.

Step 1: Copy the necessary easy-rsa files to the openvpn directory in etc

<pre>cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa</pre>

Step 2: Navigate to the directory you just copied

<pre>cd /etc/openvpn/easy-rsa</pre>

Step 3: Backup, then modify the variables in the vars file

<pre>cp vars vars.backup</pre>

This creates a backup of the original file

<pre>nano vars</pre>

This is the command we will use to modify the variables in the vars file

The primary variable we are looking is (ctrl+w to search):

<pre>export EASY_RSA = “`pwd`”</pre>

You want to change this variable to this:

<pre>export EASY_RSA=”/etc/openvpn/easy-rsa”</pre>

OPTIONAL

You can also change the cipher strength in this file. If you wish to do this, the variable you are looking for is:

<pre>export KEY_SIZE=1024</pre>

You can bump this number up to 2048 to increase security, however you may notice a decrease in speeds over the VPN if you do so.

Step 4: The next step here is to build your new CA on your server. Issue the commands below:

First, be sure you are still in the /etc/openvpn/easy-rsa directory. Issuing the pwd command will display the directory you currently working in. If it is anything other than /etc/openvpn/easy-rsa, issue the following command:

<pre>cd /etc/openvpn/easy-rsa</pre>

Now issue the following commands to build the new CA:

<pre>source ./vars</pre>

This command loads the vars file you modified in step 3.

<pre>./clean-all</pre>

This command will remove anything in the /keys directory. There is most likely nothing in the directory at this point (if there is, back it up!).

<pre>./build-ca</pre>

This command will build the CA. You will be asked various questions, note that you do not need to modify any of these values. You can just hit enter and it will use the default displayed values.

Step 5: We now build the keys for the server with the following commands.

</pre>./build-key-server [HDA NAME HERE (no brackets)]</pre>

You will again be asked many questions. Default values should all be OK. Ensure that the 'common name' lines up with the HDA name you typed previously.

When asked for a challenge password, leave it blank

When asked to sign the certificate, type y

When asked to commit, type y

Step 6: Create certificates for each of your clients with the commands below:

<pre>./build-key-pass UserName(or client name, or whatever will identify this for you)</pre>

Enter a PEM password and confirm. This can be whatever you want.

You will be asked many questions again. You can leave these at the default values or modify them if you wish.

When asked for a challenge password, leave this field blank.

When asked to sign the certificate, type y

REPEAT THIS STEP FOR EACH CLIENT

After you have created certs/keys for each of your clients, move on to the next step.

Step 6: The next step is to change the encryption method of the client keys to be used. We will be using triple des in this tutorial, but you can use other encryption methods if you wish.

<pre>Cd keys</pre>

This command moves us to the keys directory.

<pre>Openssl rsa -in KEYNAMEFROMSTEP6.key -des3 -out KEYNAMEFROMSTEP6.3des.key</pre>

This command creates an encrypted key. Keep in mind the original key will not be impacted when doing this. You will be asked for a pass phrase. Use whatever you wish here, but do not leave this blank.

REPEAT THIS STEP FOR ALL THE KEYS CREATED IN STEP 6

Once you have created your 3des keys, move on to the next step.

Step 7: This step will be to build the diffie-hellman key exchange for the server.

<pre>Cd /etc/openvpn/easy-rsa/</pre>

This moves us back to the easy-rsa directory.

<pre>./build-dh</pre>

Depending on your system specs this can take some time, but it is typically pretty fast.

Step 8: Now we will generate an HMAC key for DoS protection.

<pre>Openvpn --genkey --secret keys/ta.key</pre>

Please note that copying and pasting this command may cause formatting issues. The lines in the command need to be two hyphens back to back without spaces.

OK, now we are getting close to the home stretch.

Step 9: In this step we will backup then modify the openvpn.conf file.

<pre>Cd /etc/openvpn</pre>

Change directory to the openvpn directory

<pre>cp openvpn.conf openvpn.conf.backup</pre>

This backs up the default config

<pre>nano openvpn.conf</pre>

You can use this [http://fpaste.org/136131/11574407/ config file] as a template. You will need to change the indicated fields as necessary. You will need to setup IP forwarding if you wish to browse LAN devices and the internet while on the VPN. This information can be found elsewhere in the Amahi wiki.

Step 10: In this step we will create a template file for a script to create ovpn files.

Use [http://fpaste.org/136132/ this file] as a template. Name the file Default.txt

Step 11: In this step we will download a script to create your ovpn files for you.

<pre>Cd /etc/openvpn/easy-rsa/keys</pre>

First we move to the keys directory

Download [https://gist.github.com/laurenorsini/10013430 this script] to the keys directory and call it makeovpn.sh

Now we need to make the script executable

<pre>chmod +x makeovpn.sh</pre>

Step 12: Run the script created in step 12 for each client you created in step 6.

<pre>./makeovpn.sh</pre>

When the script runs it will ask you for a client name you created in step 6. Enter the name and press enter. You may see some errors, but the file should still be created and be usable.

And that is it. You have now got everything you need to connect multiple clients to your VPN.

The following link was used as a primary source for the bulk of this tutorial:

[http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing Raspberry Pi VPN Tutorial]

= Troubleshooting =
Check out the [[OpenVPN troubleshooting]] page for troubleshooting tips.

= Implementation =

The VPN solution is implemented through the very popular [http://openvpn.net/ OpenVPN] software VPN.

[[Category: Services]]
[[Category: VPN]]

OpenVPN clients

2014-03-10T22:17:37Z

Arthur:

To connect to your network from the outside, you will need an OpenVPN client installed on the computer from which you want to connect to your network.

There are clients For Windows, Mac and Linux:

* [[VPNWindows|Windows Client]]: customized for Amahi to be ultra-easy to use
* Mac clients: [[VPNMacTunnelBlick|TunnelBlick]] (open source) or [[VPNMacViscosity|Viscosity]] (pay client, very nice)
* [[VPNLinux|Linux]]: (in general) and [[VPN Ubuntu|Ubuntu via GUI]]
* [[VPNAndroid|Android]]: VPN access on the Android phones
* [[OpenVPN_on_iOS|iOS]]: VPN access on the iPhone/iPod/iPad

'''NOTE: ''' you cannot really connect to your network and test your VPN from *inside* your network

Also, the network from which you connect to your network '''cannot''' be identical because the VPN cannot route packets in that situation. E.g. if your network at home is 192.168.1.* and the network from which you are connecting is also configured at 192.168.1.*, it will not work.

[[Category: VPN]]

OpenVPN clients

2014-03-10T22:15:38Z

Arthur: Undo revision 78350 by Arthur (talk)

To connect to your network from the outside, you will need an OpenVPN client installed on the computer from which you want to connect to your network.

There are clients For Windows, Mac and Linux:

* [[VPNWindows|Windows Client]]: customized for Amahi to be ultra-easy to use
* Mac clients: [[VPNMacTunnelBlick|TunnelBlick]] (open source) or [[VPNMacViscosity|Viscosity]] (pay client, very nice)
* [[VPNLinux|Linux]]: (in general) and [[VPN Ubuntu|Ubuntu via GUI]]
* [[VPNAndroid|Android]]: VPN access on the Android phones
* [[VPN Iphone|iPhone]]: VPN access on the iPhone/iPod/iPad

'''NOTE: ''' you cannot really connect to your network and test your VPN from *inside* your network

Also, the network from which you connect to your network '''cannot''' be identical because the VPN cannot route packets in that situation. E.g. if your network at home is 192.168.1.* and the network from which you are connecting is also configured at 192.168.1.*, it will not work.

[[Category: VPN]]

OpenVPN clients

2014-03-10T22:15:02Z

Arthur:

To connect to your network from the outside, you will need an OpenVPN client installed on the computer from which you want to connect to your network.

There are clients For Windows, Mac and Linux:

* [[VPNWindows|Windows Client]]: customized for Amahi to be ultra-easy to use
* Mac clients: [[VPNMacTunnelBlick|TunnelBlick]] (open source) or [[VPNMacViscosity|Viscosity]] (pay client, very nice)
* [[VPNLinux|Linux]]: (in general) and [[VPN Ubuntu|Ubuntu via GUI]]
* [[VPNAndroid|Android]]: VPN access on the Android phones
* [[OpenVPN on iOS|iOS]]: VPN access on the iPhone/iPod/iPad

'''NOTE: ''' you cannot really connect to your network and test your VPN from *inside* your network

Also, the network from which you connect to your network '''cannot''' be identical because the VPN cannot route packets in that situation. E.g. if your network at home is 192.168.1.* and the network from which you are connecting is also configured at 192.168.1.*, it will not work.

[[Category: VPN]]

OpenVPN on iOS

2014-03-10T22:07:51Z

Arthur:

=OpenVPN on iOS (not jailbroken)=

There is now an OpenVPN app in the app store that is free. The iOS app can be downloaded from here:

[https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8 iOS OpenVPN app]

To setup your connection to your HDA, perform the following steps:

First create your ovpn file using the following (the order that these items come in is VERY important) configuration:

<pre><nowiki>
client
dev tun
proto udp
remote XXXX.yourhda.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
ca Ca-cert.crt
cert AmahiHDAClient.crt
key AmahiHDAClient.key
comp-lzo
verb 3
</nowiki></pre>

Be sure to replace the XXXX to whatever your ddns name for your HDA is. Save this file as whatever you want with the .ovpn file extension. The next step is to download the certificates. The certificates can be found below (to download, right click > save as):

* [http://dl.amahi.org/vpn/AmahiHDAClient.crt AmahiHDAClient.crt]
* [http://dl.amahi.org/vpn/AmahiHDAClient.key AmahiHDAClient.key]
* [http://dl.amahi.org/vpn/ca-cert.crt ca-cert.crt]

If you rename these certificates you will need to modify the ovpn file with the names that you saved your certs as. You are now ready to copy your files over to your iOS device. The steps at the following page will point you in the right direction for importing the ovpn and cert files over to your iOS device.

[https://www.ivpn.net/knowledgebase/90/-iPhone---OpenVPN-Connect-Setup-Guide.html iOS OpenVPN]

=OpenVPN on iOS (jailbroken) **OLD DOCUMENTATION, MAY NO LONGER BE VALID**=

From the original [http://forums.amahi.org/viewtopic.php?f=3&t=1508&start=0 iPhone VPN] thread in the forums:

For all of you out there that have an iPhone or any other mobile "idevice" And want VPN access I have found a way. The catch is, you have to have a jail broken device. If you do have a jail broken device and want the openvpn app on the phone you will want to check out www.guizmovpn.com it's about 4€. The evaluation period is a full week. But the price is worth it.

To configure the client you will need to follow the guide on www.guizmovpn.com The client info you will need to get from the wiki here http://wiki.amahi.org/index.php/VPNLinux

I have also created a full guide custom tailored to amahi vpn access.
It might seem like a little to much or a hassle but its really simple. It just takes the time to read. http://home.mchsi.com/~irish-link/GuizmOVPN.pdf

If you go to set it up and have issues please head over to the forum (liked at the top) and let me know if you need help. If you do end up setting it up, let me know how it works for you.
[[Category: VPN]]

OpenVPN on iOS

2014-03-08T05:12:34Z

Arthur:

From the original [http://forums.amahi.org/viewtopic.php?f=3&t=1508&start=0 iPhone VPN] thread in the forums:

For all of you out there that have an iPhone or any other mobile "idevice" And want VPN access I have found a way. The catch is, you have to have a jail broken device. If you do have a jail broken device and want the openvpn app on the phone you will want to check out www.guizmovpn.com it's about 4€. The evaluation period is a full week. But the price is worth it.

To configure the client you will need to follow the guide on www.guizmovpn.com The client info you will need to get from the wiki here http://wiki.amahi.org/index.php/VPNLinux

I have also created a full guide custom tailored to amahi vpn access.
It might seem like a little to much or a hassle but its really simple. It just takes the time to read. http://home.mchsi.com/~irish-link/GuizmOVPN.pdf

If you go to set it up and have issues please head over to the forum (liked at the top) and let me know if you need help. If you do end up setting it up, let me know how it works for you.
[[Category: VPN]]

The above is no longer true. There is now an OpenVPN app in the app store that is free. The iOS app can be downloaded from here:

[https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8 iOS OpenVPN app]

To setup your connection to your HDA, perform the following steps:

First create your ovpn file using the following (the order that these items come in is VERY important) configuration:

<pre><nowiki>
client
dev tun
proto udp
remote XXXX.yourhda.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
ca Ca-cert.crt
cert AmahiHDAClient.crt
key AmahiHDAClient.key
comp-lzo
verb 3
</nowiki></pre>

Be sure to replace the XXXX to whatever your ddns name for your HDA is. Save this file as whatever you want with the .ovpn file extension. The next step is to download the certificates. The certificates can be found below (to download, right click > save as):

* [http://dl.amahi.org/vpn/AmahiHDAClient.crt AmahiHDAClient.crt]
* [http://dl.amahi.org/vpn/AmahiHDAClient.key AmahiHDAClient.key]
* [http://dl.amahi.org/vpn/ca-cert.crt ca-cert.crt]

If you rename these certificates you will need to modify the ovpn file with the names that you saved your certs as. You are now ready to copy your files over to your iOS device. The steps at the following page will point you in the right direction for importing the ovpn and cert files over to your iOS device.

[https://www.ivpn.net/knowledgebase/90/-iPhone---OpenVPN-Connect-Setup-Guide.html iOS OpenVPN]

OpenVPN on iOS

2014-03-08T05:04:19Z

Arthur:

From the original [http://forums.amahi.org/viewtopic.php?f=3&t=1508&start=0 iPhone VPN] thread in the forums:

For all of you out there that have an iPhone or any other mobile "idevice" And want VPN access I have found a way. The catch is, you have to have a jail broken device. If you do have a jail broken device and want the openvpn app on the phone you will want to check out www.guizmovpn.com it's about 4€. The evaluation period is a full week. But the price is worth it.

To configure the client you will need to follow the guide on www.guizmovpn.com The client info you will need to get from the wiki here http://wiki.amahi.org/index.php/VPNLinux

I have also created a full guide custom tailored to amahi vpn access.
It might seem like a little to much or a hassle but its really simple. It just takes the time to read. http://home.mchsi.com/~irish-link/GuizmOVPN.pdf

If you go to set it up and have issues please head over to the forum (liked at the top) and let me know if you need help. If you do end up setting it up, let me know how it works for you.
[[Category: VPN]]

The above is no longer true. There is now an OpenVPN app in the app store that is free. To setup your connection to your HDA do the following:

First create your ovpn file using the following (the order that these items come in is VERY important):

<pre><nowiki>
client
dev tun
proto udp
remote XXXX.yourhda.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
ca Ca-cert.crt
cert AmahiHDAClient.crt
key AmahiHDAClient.key
comp-lzo
verb 3
</nowiki></pre>

Save this file as whatever you want with the .ovpn file extension. The next step is to download the certificates. The certificates can be found below (to download, right click > save as):

* [http://dl.amahi.org/vpn/AmahiHDAClient.crt AmahiHDAClient.crt]
* [http://dl.amahi.org/vpn/AmahiHDAClient.key AmahiHDAClient.key]
* [http://dl.amahi.org/vpn/ca-cert.crt ca-cert.crt]

You are now ready to copy your files over to your iOS device. The steps at the following page will point you in the right direction for importing the ovpn and cert files over to your iOS device.

[https://www.ivpn.net/knowledgebase/90/-iPhone---OpenVPN-Connect-Setup-Guide.html iOS OpenVPN]

OpenVPN on iOS

2014-03-08T05:01:10Z

Arthur:

From the original [http://forums.amahi.org/viewtopic.php?f=3&t=1508&start=0 iPhone VPN] thread in the forums:

For all of you out there that have an iPhone or any other mobile "idevice" And want VPN access I have found a way. The catch is, you have to have a jail broken device. If you do have a jail broken device and want the openvpn app on the phone you will want to check out www.guizmovpn.com it's about 4€. The evaluation period is a full week. But the price is worth it.

To configure the client you will need to follow the guide on www.guizmovpn.com The client info you will need to get from the wiki here http://wiki.amahi.org/index.php/VPNLinux

I have also created a full guide custom tailored to amahi vpn access.
It might seem like a little to much or a hassle but its really simple. It just takes the time to read. http://home.mchsi.com/~irish-link/GuizmOVPN.pdf

If you go to set it up and have issues please head over to the forum (liked at the top) and let me know if you need help. If you do end up setting it up, let me know how it works for you.
[[Category: VPN]]

The above is no longer true. There is now an OpenVPN app in the app store that is free. To setup your connection to your HDA do the following:

First create your ovpn file using the following (the order that these items come in is VERY important):

<pre><nowiki>
client
dev tun
proto udp
remote XXXX.yourhda.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
ca Ca-cert.crt
cert AmahiHDAClient.crt
key AmahiHDAClient.key
comp-lzo
verb 3
</nowiki></pre>

Save this file as whatever you want with the .ovpn file extension. The next step is to download the certificates. The certificates can be found below (to download, right click > save as):

** [http://dl.amahi.org/vpn/AmahiHDAClient.crt AmahiHDAClient.crt]
** [http://dl.amahi.org/vpn/AmahiHDAClient.key AmahiHDAClient.key]
** [http://dl.amahi.org/vpn/ca-cert.crt ca-cert.crt]

You are now ready to copy your files over to your iOS device. The steps at the following page will point you in the right direction for importing the ovpn and cert files over to your iOS device.

[https://www.ivpn.net/knowledgebase/90/-iPhone---OpenVPN-Connect-Setup-Guide.html iOS OpenVPN]

OpenVPN

2013-10-29T16:01:48Z

Arthur: /* IP Forwarding for Ubuntu based HDA's */

Going forward, you will need to install the [http://www.amahi.org/apps/openvpn OpenVPN one-click app].

'''You need to forward one port (1194/UDP) to your HDA's IP''' to enable your OpenVPN service from outside.

You will also need client software.

Once connected from outside your network, your computer becomes virtually a computer in your home network. All your files and services are as easily accessible as when you are at home.

'''NEW! You can now use your amahi.org [https://www.amahi.org/user control panel] to test your VPN remotely!'''

= Overview =

There are two requirements for Remote Access to work:

* On the client side, you need to be running a client
** We provide one for Windows, pre-configured for Amahi
** We recommend one for the Mac, which requires some manual configuration
** The client for Linux comes with most distros and uses the same settings as the Mac
* Your router needs to forward '''UDP port 1194''' to the IP address of your HDA. The way to do this is through port forwarding, which varies from router to router. Make sure you forward UDP (not TCP)

= OpenVPN Clients For Windows, Mac, Linux, Android, iPhone, ... =

Check the page for [[OpenVPN clients]].

= Resources on Port Forwarding =

* [http://www.portforward.com/english/routers/port_forwarding/routerindex.htm Massive database of port forwarding information by router]
* YouTube Video on Port Forwarding for Linksys Routers: http://www.youtube.com/watch?v=GWPUdW1kIJA

= Bridging VPN and eth0 =

If you'd like your VPN clients to get IP addresses in the same subnet as your HDA, and not in the 10.8.0.0/24 subnet (default), read this page: [[VPN Bridging]].

= IP Forwarding for Ubuntu based HDA's =

Something that is often asked on the forums is how to have access to your remote LAN's resources while connected to your HDA. One way to accomplish this is through bridging VPN and eth0 on your HDA. This process may not be necessary for some users and a script has been developed by user olson of the forum to accomplish this task. Not only with this script allow for a user to browse to their remote LAN's resources, the user will also be able to browse the internet while connected to their VPN. Below is the script and instructions for how to run it. Please keep in mind that this is for Ubuntu based HDA's ONLY.

{{Code|
Code = #!/bin/bash
log_file="/tmp/openvpn_extra.log"

function log()
{
echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@" >> $log_file
echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@"
}

# Enable it right now
if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then
log "FATAL: could not enable ip_forward for immediate use"
exit 1
fi

if ! iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; then
log "FATAL: could not set iptables for immediate use"
exit 1
fi

#set it up so it does it at startup
if ! sed -i 's/#net.ipv4.ip_forward=.*\+/net.ipv4.ip_forward=1/' /etc/sysctl.conf; then
log "FATAL: could not set ip_forward permanantly"
exit 1
fi
if ! sh -c "iptables-save > /etc/iptables.rules"; then
log "FATAL: could not set iptables permanantly"
exit 1
fi

sudo cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF

sudo cat > /etc/network/if-post-down.d/iptablessave <<EOF
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
iptables-restore < /etc/iptables.downrules
fi
exit 0
EOF

if ! chmod +x /etc/network/if-post-down.d/iptablessave; then
log "FATAL: Could not chmod the iptablessave script"
exit 1
fi
if ! chmod +x /etc/network/if-pre-up.d/iptablesload; then
log "FATAL: Could not chmod the iptablesload script"
exit 1
fi

echo "Done"

exit 0
}}

You can then run the script with the following command from the CLI:

{{Code|
Code = sudo bash openvpn_extra.sh
}}

= Troubleshooting =
* Is the [http://www.amahi.org/apps/openvpn OpenVPN app] installed in your HDA? (this is not required if you are on Amahi Fedora 14, but required on all later releases)
* Make sure your HDA's network IP range is different than that of the remote network. (e.g. if your HDA's IP address is 192.168.1.X, you cannot connect to it on a remote network also using 192.168.1.X)

* If you are running your HDA from a Verizon FiOS connection, you may experience strange disconnections. This may be due to the Actiontec router's small NAT table. Please see guides here http://www.verizonfioswiki.com/index.php/Using_Your_Own_Router for instructions on how to use your own router.

* If you have a Vonage V-Portal (or perhaps other voip adapters as well), plug your router into your modem, then the v-portal into your router. Vonage tells you to put the v-portal between the modem and the router, but I was unable to connect to vpn until I moved the adapter behind the router.

* Check out [[VPN_troubleshooting]] for more troubleshooting tips.

= Implementation =

The VPN solution is implemented through the very popular [http://openvpn.net/ OpenVPN] software VPN.

[[Category: Services]]
[[Category: VPN]]

OpenVPN

2013-10-29T16:00:46Z

Arthur: /* IP Forwarding for Ubuntu based HDA's */

Going forward, you will need to install the [http://www.amahi.org/apps/openvpn OpenVPN one-click app].

'''You need to forward one port (1194/UDP) to your HDA's IP''' to enable your OpenVPN service from outside.

You will also need client software.

Once connected from outside your network, your computer becomes virtually a computer in your home network. All your files and services are as easily accessible as when you are at home.

'''NEW! You can now use your amahi.org [https://www.amahi.org/user control panel] to test your VPN remotely!'''

= Overview =

There are two requirements for Remote Access to work:

* On the client side, you need to be running a client
** We provide one for Windows, pre-configured for Amahi
** We recommend one for the Mac, which requires some manual configuration
** The client for Linux comes with most distros and uses the same settings as the Mac
* Your router needs to forward '''UDP port 1194''' to the IP address of your HDA. The way to do this is through port forwarding, which varies from router to router. Make sure you forward UDP (not TCP)

= OpenVPN Clients For Windows, Mac, Linux, Android, iPhone, ... =

Check the page for [[OpenVPN clients]].

= Resources on Port Forwarding =

* [http://www.portforward.com/english/routers/port_forwarding/routerindex.htm Massive database of port forwarding information by router]
* YouTube Video on Port Forwarding for Linksys Routers: http://www.youtube.com/watch?v=GWPUdW1kIJA

= Bridging VPN and eth0 =

If you'd like your VPN clients to get IP addresses in the same subnet as your HDA, and not in the 10.8.0.0/24 subnet (default), read this page: [[VPN Bridging]].

= IP Forwarding for Ubuntu based HDA's =

Something that is often asked on the forums is how to have access to your remote LAN's resources while connected to your HDA. One way to accomplish this is through bridging VPN and eth0 on your HDA. This process may not be necessary for some users and a script has been developed by one of the forum members to accomplish this task. Not only with this script allow for a user to browse to their remote LAN's resources, the user will also be able to browse the internet while connected to their VPN. Below is the script and instructions for how to run it. Please keep in mind that this is for Ubuntu based HDA's ONLY.

{{Code|
Code = #!/bin/bash
log_file="/tmp/openvpn_extra.log"

function log()
{
echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@" >> $log_file
echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@"
}

# Enable it right now
if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then
log "FATAL: could not enable ip_forward for immediate use"
exit 1
fi

if ! iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; then
log "FATAL: could not set iptables for immediate use"
exit 1
fi

#set it up so it does it at startup
if ! sed -i 's/#net.ipv4.ip_forward=.*\+/net.ipv4.ip_forward=1/' /etc/sysctl.conf; then
log "FATAL: could not set ip_forward permanantly"
exit 1
fi
if ! sh -c "iptables-save > /etc/iptables.rules"; then
log "FATAL: could not set iptables permanantly"
exit 1
fi

sudo cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF

sudo cat > /etc/network/if-post-down.d/iptablessave <<EOF
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
iptables-restore < /etc/iptables.downrules
fi
exit 0
EOF

if ! chmod +x /etc/network/if-post-down.d/iptablessave; then
log "FATAL: Could not chmod the iptablessave script"
exit 1
fi
if ! chmod +x /etc/network/if-pre-up.d/iptablesload; then
log "FATAL: Could not chmod the iptablesload script"
exit 1
fi

echo "Done"

exit 0
}}

You can then run the script with the following command from the CLI:

{{Code|
Code = sudo bash openvpn_extra.sh
}}

= Troubleshooting =
* Is the [http://www.amahi.org/apps/openvpn OpenVPN app] installed in your HDA? (this is not required if you are on Amahi Fedora 14, but required on all later releases)
* Make sure your HDA's network IP range is different than that of the remote network. (e.g. if your HDA's IP address is 192.168.1.X, you cannot connect to it on a remote network also using 192.168.1.X)

* If you are running your HDA from a Verizon FiOS connection, you may experience strange disconnections. This may be due to the Actiontec router's small NAT table. Please see guides here http://www.verizonfioswiki.com/index.php/Using_Your_Own_Router for instructions on how to use your own router.

* If you have a Vonage V-Portal (or perhaps other voip adapters as well), plug your router into your modem, then the v-portal into your router. Vonage tells you to put the v-portal between the modem and the router, but I was unable to connect to vpn until I moved the adapter behind the router.

* Check out [[VPN_troubleshooting]] for more troubleshooting tips.

= Implementation =

The VPN solution is implemented through the very popular [http://openvpn.net/ OpenVPN] software VPN.

[[Category: Services]]
[[Category: VPN]]

OpenVPN

2013-10-29T16:00:10Z

Arthur:

Going forward, you will need to install the [http://www.amahi.org/apps/openvpn OpenVPN one-click app].

'''You need to forward one port (1194/UDP) to your HDA's IP''' to enable your OpenVPN service from outside.

You will also need client software.

Once connected from outside your network, your computer becomes virtually a computer in your home network. All your files and services are as easily accessible as when you are at home.

'''NEW! You can now use your amahi.org [https://www.amahi.org/user control panel] to test your VPN remotely!'''

= Overview =

There are two requirements for Remote Access to work:

* On the client side, you need to be running a client
** We provide one for Windows, pre-configured for Amahi
** We recommend one for the Mac, which requires some manual configuration
** The client for Linux comes with most distros and uses the same settings as the Mac
* Your router needs to forward '''UDP port 1194''' to the IP address of your HDA. The way to do this is through port forwarding, which varies from router to router. Make sure you forward UDP (not TCP)

= OpenVPN Clients For Windows, Mac, Linux, Android, iPhone, ... =

Check the page for [[OpenVPN clients]].

= Resources on Port Forwarding =

* [http://www.portforward.com/english/routers/port_forwarding/routerindex.htm Massive database of port forwarding information by router]
* YouTube Video on Port Forwarding for Linksys Routers: http://www.youtube.com/watch?v=GWPUdW1kIJA

= Bridging VPN and eth0 =

If you'd like your VPN clients to get IP addresses in the same subnet as your HDA, and not in the 10.8.0.0/24 subnet (default), read this page: [[VPN Bridging]].

= IP Forwarding for Ubuntu based HDA's =

Something that is often asked on the forums is how to have access to your remote LAN's resources while connected to your HDA. One way to accomplish this is through bridging VPN and eth0 on your HDA. This process may not be necessary for some users and a script has been developed by one of the forum members to accomplish this task. Not only with this script allow for a user to browse to their remote LAN's resources, the user will also be able to browse the internet. Below is the script and instructions for how to run it. Please keep in mind that this is for Ubuntu based HDA's ONLY.

{{Code|
Code = #!/bin/bash
log_file="/tmp/openvpn_extra.log"

function log()
{
echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@" >> $log_file
echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@"
}

# Enable it right now
if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then
log "FATAL: could not enable ip_forward for immediate use"
exit 1
fi

if ! iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; then
log "FATAL: could not set iptables for immediate use"
exit 1
fi

#set it up so it does it at startup
if ! sed -i 's/#net.ipv4.ip_forward=.*\+/net.ipv4.ip_forward=1/' /etc/sysctl.conf; then
log "FATAL: could not set ip_forward permanantly"
exit 1
fi
if ! sh -c "iptables-save > /etc/iptables.rules"; then
log "FATAL: could not set iptables permanantly"
exit 1
fi

sudo cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF

sudo cat > /etc/network/if-post-down.d/iptablessave <<EOF
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
iptables-restore < /etc/iptables.downrules
fi
exit 0
EOF

if ! chmod +x /etc/network/if-post-down.d/iptablessave; then
log "FATAL: Could not chmod the iptablessave script"
exit 1
fi
if ! chmod +x /etc/network/if-pre-up.d/iptablesload; then
log "FATAL: Could not chmod the iptablesload script"
exit 1
fi

echo "Done"

exit 0
}}

You can then run the script with the following command from the CLI:

{{Code|
Code = sudo bash openvpn_extra.sh
}}

= Troubleshooting =
* Is the [http://www.amahi.org/apps/openvpn OpenVPN app] installed in your HDA? (this is not required if you are on Amahi Fedora 14, but required on all later releases)
* Make sure your HDA's network IP range is different than that of the remote network. (e.g. if your HDA's IP address is 192.168.1.X, you cannot connect to it on a remote network also using 192.168.1.X)

* If you are running your HDA from a Verizon FiOS connection, you may experience strange disconnections. This may be due to the Actiontec router's small NAT table. Please see guides here http://www.verizonfioswiki.com/index.php/Using_Your_Own_Router for instructions on how to use your own router.

* If you have a Vonage V-Portal (or perhaps other voip adapters as well), plug your router into your modem, then the v-portal into your router. Vonage tells you to put the v-portal between the modem and the router, but I was unable to connect to vpn until I moved the adapter behind the router.

* Check out [[VPN_troubleshooting]] for more troubleshooting tips.

= Implementation =

The VPN solution is implemented through the very popular [http://openvpn.net/ OpenVPN] software VPN.

[[Category: Services]]
[[Category: VPN]]