Difference between revisions of "OpenVPN"
Line 33: | Line 33: | ||
If you'd like your VPN clients to get IP addresses in the same subnet as your HDA, and not in the 10.8.0.0/24 subnet (default), read this page: [[VPN Bridging]]. | If you'd like your VPN clients to get IP addresses in the same subnet as your HDA, and not in the 10.8.0.0/24 subnet (default), read this page: [[VPN Bridging]]. | ||
+ | |||
+ | = IP Forwarding for Ubuntu based HDA's = | ||
+ | |||
+ | Something that is often asked on the forums is how to have access to your remote LAN's resources while connected to your HDA. One way to accomplish this is through bridging VPN and eth0 on your HDA. This process may not be necessary for some users and a script has been developed by one of the forum members to accomplish this task. Not only with this script allow for a user to browse to their remote LAN's resources, the user will also be able to browse the internet. Below is the script and instructions for how to run it. Please keep in mind that this is for Ubuntu based HDA's ONLY. | ||
+ | |||
+ | {{Code| | ||
+ | Code = #!/bin/bash | ||
+ | log_file="/tmp/openvpn_extra.log" | ||
+ | |||
+ | function log() | ||
+ | { | ||
+ | echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@" >> $log_file | ||
+ | echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $@" | ||
+ | } | ||
+ | |||
+ | # Enable it right now | ||
+ | if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then | ||
+ | log "FATAL: could not enable ip_forward for immediate use" | ||
+ | exit 1 | ||
+ | fi | ||
+ | |||
+ | if ! iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; then | ||
+ | log "FATAL: could not set iptables for immediate use" | ||
+ | exit 1 | ||
+ | fi | ||
+ | |||
+ | #set it up so it does it at startup | ||
+ | if ! sed -i 's/#net.ipv4.ip_forward=.*\+/net.ipv4.ip_forward=1/' /etc/sysctl.conf; then | ||
+ | log "FATAL: could not set ip_forward permanantly" | ||
+ | exit 1 | ||
+ | fi | ||
+ | if ! sh -c "iptables-save > /etc/iptables.rules"; then | ||
+ | log "FATAL: could not set iptables permanantly" | ||
+ | exit 1 | ||
+ | fi | ||
+ | |||
+ | sudo cat > /etc/network/if-pre-up.d/iptablesload <<EOF | ||
+ | #!/bin/sh | ||
+ | iptables-restore < /etc/iptables.rules | ||
+ | exit 0 | ||
+ | EOF | ||
+ | |||
+ | sudo cat > /etc/network/if-post-down.d/iptablessave <<EOF | ||
+ | #!/bin/sh | ||
+ | iptables-save -c > /etc/iptables.rules | ||
+ | if [ -f /etc/iptables.downrules ]; then | ||
+ | iptables-restore < /etc/iptables.downrules | ||
+ | fi | ||
+ | exit 0 | ||
+ | EOF | ||
+ | |||
+ | if ! chmod +x /etc/network/if-post-down.d/iptablessave; then | ||
+ | log "FATAL: Could not chmod the iptablessave script" | ||
+ | exit 1 | ||
+ | fi | ||
+ | if ! chmod +x /etc/network/if-pre-up.d/iptablesload; then | ||
+ | log "FATAL: Could not chmod the iptablesload script" | ||
+ | exit 1 | ||
+ | fi | ||
+ | |||
+ | echo "Done" | ||
+ | |||
+ | exit 0 | ||
+ | }} | ||
+ | |||
+ | You can then run the script with the following command from the CLI: | ||
+ | |||
+ | {{Code| | ||
+ | Code = sudo bash openvpn_extra.sh | ||
+ | }} | ||
= Troubleshooting = | = Troubleshooting = |
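Review bot: the `if ! sed -i 's/#net.ipv4.ip_forward=.*\+/net.ipv4.ip_forward=1/' /etc/sysctl.conf` check in this hunk can never report failure for the cases it is meant to catch, because sed exits 0 whether or not a substitution happened; when the key is absent from sysctl.conf, or already present uncommented with a different value, the script logs nothing and continues. Verify the outcome instead, e.g. follow the sed with `grep -q '^net.ipv4.ip_forward=1$' /etc/sysctl.conf || { log "FATAL: could not set ip_forward permanently"; exit 1; }`. Two smaller points in the same hunk: `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE` appends a second identical rule every time the script is re-run (guard it with `iptables -t nat -C ... ||` before the `-A`), and the `sudo cat > /etc/network/... <<EOF` lines gain nothing from `sudo`, since the redirection is performed by the calling shell rather than by the sudo'd `cat`; the script already has to run as root (which the `sudo bash openvpn_extra.sh` instruction provides), so the prefixes can be dropped. Also `permanantly` should read `permanently` in both log messages.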
Revision as of 16:00, 29 October 2013
Going forward, you will need to install the OpenVPN one-click app.
You need to forward one port (1194/UDP) to your HDA's IP address so that your OpenVPN service can be reached from outside.
You will also need client software.
Once connected from outside your network, your computer becomes virtually a computer in your home network. All your files and services are as easily accessible as when you are at home.
NEW! You can now use your amahi.org control panel to test your VPN remotely!
Overview
There are two requirements for Remote Access to work:
- On the client side, you need to be running a client
  - We provide one for Windows, pre-configured for Amahi
  - We recommend one for the Mac, which requires some manual configuration
  - The client for Linux comes with most distros and uses the same settings as the Mac
- Your router needs to forward UDP port 1194 to the IP address of your HDA. The way to do this is through port forwarding, which varies from router to router. Make sure you forward UDP (not TCP).
OpenVPN Clients For Windows, Mac, Linux, Android, iPhone, ...
Check the page for OpenVPN clients.
Resources on Port Forwarding
- Massive database of port forwarding information by router
- YouTube Video on Port Forwarding for Linksys Routers: http://www.youtube.com/watch?v=GWPUdW1kIJA
Bridging VPN and eth0
If you'd like your VPN clients to get IP addresses in the same subnet as your HDA, and not in the 10.8.0.0/24 subnet (default), read this page: VPN Bridging.
IP Forwarding for Ubuntu-based HDAs
A question often asked on the forums is how to reach your remote LAN's resources while connected to your HDA. One way to accomplish this is by bridging the VPN and eth0 on your HDA. This step is not necessary for every user, and one of the forum members has written a script to do it. The script not only lets a connected user browse their remote LAN's resources, it also lets them browse the internet through the HDA. Below is the script and instructions for running it. Please keep in mind that this is for Ubuntu-based HDAs ONLY.
bash code:
#!/bin/bash
# Must be run as root (e.g. "sudo bash openvpn_extra.sh"): it writes to
# /proc, /etc/sysctl.conf, /etc/iptables.rules and /etc/network/.
log_file="/tmp/openvpn_extra.log"

function log()
{
    echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $*" >> "$log_file"
    echo -e "$(date +%b\ %d\ %H:%M:%S) $(hostname -s) openvpn_extra: $*"
}

# Enable it right now
if ! echo 1 > /proc/sys/net/ipv4/ip_forward; then
    log "FATAL: could not enable ip_forward for immediate use"
    exit 1
fi

# NAT the VPN subnet out of eth0; check with -C first so re-running the
# script does not append a duplicate MASQUERADE rule
if ! iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null; then
    if ! iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; then
        log "FATAL: could not set iptables for immediate use"
        exit 1
    fi
fi

# Set it up so it does it at startup.
# sed exits 0 even when nothing matched, so verify the result with grep.
sed -i 's/^#\?net\.ipv4\.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
if ! grep -q '^net\.ipv4\.ip_forward=1$' /etc/sysctl.conf; then
    log "FATAL: could not set ip_forward permanently"
    exit 1
fi
if ! iptables-save > /etc/iptables.rules; then
    log "FATAL: could not set iptables permanently"
    exit 1
fi

# Restore the saved rules before an interface comes up
# (the redirection runs in this root shell, so no sudo is needed)
cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF

# Save the current rules (with counters) when an interface goes down
cat > /etc/network/if-post-down.d/iptablessave <<EOF
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
    iptables-restore < /etc/iptables.downrules
fi
exit 0
EOF

if ! chmod +x /etc/network/if-post-down.d/iptablessave; then
    log "FATAL: Could not chmod the iptablessave script"
    exit 1
fi
if ! chmod +x /etc/network/if-pre-up.d/iptablesload; then
    log "FATAL: Could not chmod the iptablesload script"
    exit 1
fi

echo "Done"

exit 0
You can then run the script with the following command from the CLI:
bash code:
sudo bash openvpn_extra.sh
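As an added check (example code written for this page, not the forum member's script), these two helpers make the persistent steps of the script above safe to re-run. set_sysctl_forward rewrites a sysctl.conf-style file so that exactly one active net.ipv4.ip_forward=1 line remains, whether the key was commented out, set to 0, or absent, which a single sed substitution cannot guarantee; ensure_masquerade adds the POSTROUTING rule only when iptables -C reports it missing. The function names and the 10.8.0.0/24 and eth0 defaults are assumptions (the defaults match the page).

```shell
#!/bin/bash
# Added example (not the wiki's script). Assumed helper names.

# Rewrite a sysctl.conf-style file so exactly one active
# "net.ipv4.ip_forward=1" line remains. Handles the commented-out,
# wrong-value and absent cases; re-running it changes nothing.
set_sysctl_forward() {
    conf="$1"
    tmp=$(mktemp) || return 1
    # Drop every active or commented-out ip_forward line
    # (grep -v exits 1 when it selects nothing, which is fine here) ...
    grep -v -E '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' \
        "$conf" > "$tmp" || true
    # ... then append the single line we want.
    echo 'net.ipv4.ip_forward=1' >> "$tmp"
    # cat into the original so its owner and mode are preserved
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Number of active "net.ipv4.ip_forward=1" lines; used to verify the edit.
forward_enabled_count() {
    grep -c -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Append the MASQUERADE rule only if it is not already present.
# Needs root and iptables; defaults are the page's VPN subnet and interface.
ensure_masquerade() {
    net="${1:-10.8.0.0/24}"
    dev="${2:-eth0}"
    iptables -t nat -C POSTROUTING -s "$net" -o "$dev" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$net" -o "$dev" -j MASQUERADE
}
```

Run set_sysctl_forward against a copy of /etc/sysctl.conf first and diff the result before pointing it at the real file.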
Troubleshooting
- Is the OpenVPN app installed in your HDA? (this is not required if you are on Amahi Fedora 14, but required on all later releases)
- Make sure your HDA's network IP range is different from that of the remote network. (e.g. if your HDA's IP address is 192.168.1.X, you cannot connect to it from a remote network that also uses 192.168.1.X)
- If you are running your HDA from a Verizon FiOS connection, you may experience strange disconnections. This may be due to the Actiontec router's small NAT table. Please see guides here http://www.verizonfioswiki.com/index.php/Using_Your_Own_Router for instructions on how to use your own router.
- If you have a Vonage V-Portal (or perhaps other VoIP adapters as well), plug your router into your modem, then the V-Portal into your router. Vonage tells you to put the V-Portal between the modem and the router, but I was unable to connect to the VPN until I moved the adapter behind the router.
- Check out VPN troubleshooting for more troubleshooting tips.
Implementation
The VPN solution is implemented through the very popular OpenVPN software VPN.