OpenVPN

From Amahi Wiki

To get started, install the Amahi OpenVPN application on your HDA.

You need to forward one port (1194/UDP) to your HDA's IP to enable your OpenVPN service from outside your network.

You will also need client software.

Once connected from outside your network, your computer becomes virtually a computer in your home network. All your files and services are as easily accessible as when you are at home.

NEW! You can now use your amahi.org control panel to test your VPN remotely!

Overview

There are two requirements for Remote Access to work:

  • On the client side, you need to be running a client
    • We provide one for Windows, pre-configured for Amahi
    • We recommend one for the Mac, which requires some manual configuration
    • The client for Linux comes with most distros and uses the same settings as the Mac
  • Your router needs to forward UDP port 1194 to the IP address of your HDA. The way to do this is through port forwarding, which varies from router to router. Make sure you forward UDP (not TCP)

OpenVPN Clients

Check the page for OpenVPN clients.

Port Forwarding References

Bridging VPN and eth0

If you'd like your VPN clients to get IP addresses in the same subnet as your HDA, and not in the 10.8.0.0/24 subnet (default), read this page: VPN Bridging.

IP Forwarding (Ubuntu)

A question that often comes up on the forums is how to reach the resources on your home LAN (and the internet) while connected to your HDA over the VPN. One way is to bridge the VPN and eth0 on your HDA, as described on the VPN Bridging page. Bridging is not necessary for most users: forum user olson wrote a script that instead enables IP forwarding on the HDA and adds a NAT (MASQUERADE) rule, so traffic from the VPN subnet (10.8.0.0/24) is routed out through eth0 using the HDA's own address. With it, a connected client can browse the home LAN's resources and the internet while on the VPN, and the settings are saved so they survive a reboot. Note that the script adds no rules to the FORWARD chain, so it relies on the HDA's FORWARD policy being ACCEPT (the stock Ubuntu default); if you have enabled ufw or another firewall on the HDA, you must also allow forwarded traffic yourself. The script and instructions for running it are below. Please keep in mind that this is for Ubuntu-based HDAs ONLY (it edits /etc/sysctl.conf and installs hooks under /etc/network/).

#!/bin/bash
# openvpn_extra.sh: enable IP forwarding and NAT so OpenVPN clients
# (10.8.0.0/24) can reach the LAN and the internet through the HDA's eth0.
# Run as root (sudo bash openvpn_extra.sh); Ubuntu-based HDAs only.
# The log goes under /var/log rather than a fixed name in /tmp, since a
# root process writing to a predictable /tmp path can be redirected via a symlink.
log_file="/var/log/openvpn_extra.log"

function log()
{
  echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@" >> $log_file
  echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@"
}

if [ "$(id -u)" -ne 0 ]; then
  log "FATAL: this script must be run as root (sudo bash openvpn_extra.sh)"
  exit 1
fi

# Enable it right now
if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then
  log "FATAL: could not enable ip_forward for immediate use"
  exit 1
fi

# Add the NAT rule only if it is not already there (iptables -C checks for an
# existing rule), so re-running the script does not pile up duplicate rules
if ! iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null; then
  if ! iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; then
    log "FATAL: could not set iptables for immediate use"
    exit 1
  fi
fi

# Set it up so it is done at startup. sed exits 0 even when nothing matched,
# so check afterwards and append the setting if sysctl.conf did not have it
sed -i 's/^#\?net\.ipv4\.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
if ! grep -q '^net\.ipv4\.ip_forward=1' /etc/sysctl.conf; then
  if ! echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf; then
    log "FATAL: could not set ip_forward permanently"
    exit 1
  fi
fi
if ! iptables-save > /etc/iptables.rules; then
  log "FATAL: could not set iptables permanently"
  exit 1
fi

# Restore the saved rules before an interface comes up and save them again
# after it goes down. The script already runs as root, so no sudo is needed
# (and a redirection would not run under sudo anyway); the quoted EOF keeps
# the heredoc contents literal
cat > /etc/network/if-pre-up.d/iptablesload <<'EOF'
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF

cat > /etc/network/if-post-down.d/iptablessave <<'EOF'
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
   iptables-restore < /etc/iptables.downrules
fi
exit 0
EOF

if ! chmod +x /etc/network/if-post-down.d/iptablessave; then
  log "FATAL: Could not chmod the iptablessave script"
  exit 1
fi
if ! chmod +x /etc/network/if-pre-up.d/iptablesload; then
  log "FATAL: Could not chmod the iptablesload script"
  exit 1
fi

echo "Done"

exit 0

Save the script as openvpn_extra.sh and run it as root from the CLI:

sudo bash openvpn_extra.sh
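To confirm that the setup worked, the following check script (an added example, not part of the Amahi app or of olson's script) reads the same three things the setup script changes: the live ip_forward flag, /etc/sysctl.conf, and an iptables-save dump. It also reports the filter table's FORWARD policy, because the setup script adds no FORWARD rules and therefore depends on that policy being ACCEPT; enabling ufw on the HDA switches it to DROP. The file name openvpn_forward_check.sh, the --live flag and the VPN_NET/LAN_IF variables are assumptions; their defaults match the subnet and interface used in the setup script.

```bash
#!/bin/sh
# openvpn_forward_check.sh (hypothetical name, added example): verify that the
# HDA is set up to route VPN clients out through eth0, now and after a reboot.
# Assumptions: the VPN subnet and LAN interface used by the setup script
# (10.8.0.0/24 and eth0); override with VPN_NET / LAN_IF in the environment.

VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"

# Is forwarding enabled right now? $1 is the ip_forward sysctl file
# (/proc/sys/net/ipv4/ip_forward on a live system).
sysctl_forward_live() {
  [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Will it be enabled after a reboot? $1 is sysctl.conf. Accepts
# "net.ipv4.ip_forward=1" and "net.ipv4.ip_forward = 1"; a line that is
# still commented out (the Ubuntu default) does not count.
sysctl_forward_persistent() {
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# How many MASQUERADE rules for the VPN subnet are in an iptables-save dump
# ($1)? A plain "iptables -A" appends a rule each time it is run, so a count
# above 1 means the setup was applied more than once. Always prints a number.
count_masquerade_rules() {
  grep -Fc -- "-A POSTROUTING -s ${VPN_NET} -o ${LAN_IF} -j MASQUERADE" "$1" || true
}

# The filter-table FORWARD policy from an iptables-save dump ($1). The setup
# script adds no FORWARD rules, so routing only works while the policy is
# ACCEPT; enabling ufw switches it to DROP and silently breaks VPN routing.
forward_policy() {
  awk '/^\*filter/ { in_filter = 1 }
       in_filter && /^:FORWARD / { print $2; exit }' "$1"
}

# Run all checks against a sysctl.conf ($1), an ip_forward file ($2) and an
# iptables-save dump ($3). Prints one line per finding; returns 0 only when
# forwarding is on now and at boot, the NAT rule exists, and FORWARD is ACCEPT.
forward_report() {
  conf="$1"; live="$2"; dump="$3"; rc=0
  if sysctl_forward_live "$live"; then echo "OK   ip_forward is enabled now"
  else echo "FAIL ip_forward is off right now"; rc=1; fi
  if sysctl_forward_persistent "$conf"; then echo "OK   ip_forward persists in $conf"
  else echo "FAIL ip_forward is not set in $conf"; rc=1; fi
  n=$(count_masquerade_rules "$dump")
  case "$n" in
    1) echo "OK   one MASQUERADE rule for $VPN_NET via $LAN_IF" ;;
    0) echo "FAIL no MASQUERADE rule for $VPN_NET via $LAN_IF"; rc=1 ;;
    *) echo "WARN $n duplicate MASQUERADE rules (setup applied $n times?)" ;;
  esac
  pol=$(forward_policy "$dump")
  if [ "$pol" = "ACCEPT" ]; then echo "OK   FORWARD policy is ACCEPT"
  else echo "FAIL FORWARD policy is '${pol:-unknown}': VPN traffic will not be routed"; rc=1; fi
  return $rc
}

# Live mode on the HDA itself (needs root for iptables-save):
#   sudo sh openvpn_forward_check.sh --live
if [ "${1:-}" = "--live" ]; then
  dump=$(mktemp)
  iptables-save > "$dump"
  forward_report /etc/sysctl.conf /proc/sys/net/ipv4/ip_forward "$dump"
  rc=$?
  rm -f "$dump"
  exit $rc
fi
```

Run it on the HDA with sudo sh openvpn_forward_check.sh --live after the setup script. Without --live it only defines the functions, so the same checks can be run from another machine against saved copies of sysctl.conf and an iptables-save dump.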

Troubleshooting

Check out the OpenVPN troubleshooting page for troubleshooting tips.

Implementation

The VPN solution is implemented with OpenVPN, the widely used open-source VPN software.

Custom Certs

To see how to create custom certificates for use with Amahi's OpenVPN, see the details on the OpenVPN custom certificates page.