finbarr
16-03-14, 23:10
Setting up your own VPN server inside your home will increase security while accessing your home network remotely. As far as I know, there are two ways to watch TV, and access OpenWebIf remotely.
A) Use 'Port Forwarding' on ports 80 (web), 8001 (stream) and 8002 (transcoding stream) your router.
B) Set up a VPN server at home, and use a VPN client on your mobile, or laptop to connect remotely, and have full access to all machines & ports on your home network. This requires port forwarding on only a single port for OpenVPN.
The first option has worked well for me in the past, but the second option would be considered more secure if set up the correct way. With a good VPN setup, all traffic can be encrypted into and out of your home. This comes at a cost of a slight reduction in overall speed.
Here is what I did to get OpenVPN running as a server on my Vu+ Duo on my home network. It is mostly done using Unix commands. If you are not comfortatble working on the command line, then stop reading now.
I used the OpenVPN HOWTO (https://openvpn.net/index.php/open-source/documentation/howto.html) to get it working. Please have a good long read of that page to understand VPNs a bit more. Most questions you might have will be answered on that page.
It took some tweaking to get it working, but once I did, it works 100% of the time. So lets go...
1. I would recommend doing a full image backup first. The below steps should not harm your setup, but it is always good to have a rollback plan...
2. Ensure you are running the latest VIX. Each time you do a clean install, you will need to set up the VPN afresh, so best to be on the latest. At the time of writing, I am running Zeus vesion 003. You can find out this, by going to
Menu>Information>About and check the Version and Build.
3. Install OpenVPN.
Menu>Setup>System>Network>OpenVPN setup
When prompted, select Yes to install the plugin
When done, do not run the plugin. Leave it turned off.
33251
4. ssh into the box as root. Not sure how to do that? See here (http://www.world-of-satellite.com/showthread.php?21644-SSH-login-help).
5. The standard OpenVPN installation on Vix does not include some files which we need to generate the master Certificate Authority (CA) certificate & key. I used easy-rsa for this. Lets get those missing files. Run the following commands:
cd /tmp/
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
tar -xvf openvpn-2.2.2.tar.gz
cp -r /tmp/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
cp /tmp/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
cp /tmp/openvpn-2.2.2/sample-config-files/client.conf /etc/openvpn/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/
chmod 777 *
6. You now need to edit the 'vars' file located in /etc/openvpn/easy-rsa/2.0/
and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank. Leave everything else as is. For example, here is what I set:
export KEY_COUNTRY="IE"
export KEY_PROVINCE="CO"
export KEY_CITY="Galway"
export KEY_ORG="Home"
export KEY_EMAIL="fin@gmail.com"
export KEY_CN=vuduo
export KEY_NAME=vuduo
export KEY_OU=vuduo
7. Next, initialize the PKI:
. ./vars
./clean-all
./build-ca
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
./build-ca
Output:
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IE]:
State or Province Name (full name) [CO]:
Locality Name (eg, city) [Galway]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [vuduo]:
Email Address [fin@gmail.com]:
Just press return each time it stops, and this will accept the default values which you set in the vars file.
8. Next, we will generate a certificate and private key for the server:
./build-key-server server
As in the previous step, most parameters must be defaulted. When the Common Name is queried, enter "server". Two other queries require 'y' responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]"
9. Generate certificates & keys for 2 clients
Generating client certificates is very similar to the previous step:
./build-key client1
./build-key client2
Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", or "client2". Always use a unique common name for each client.
10. Diffie Hellman parameters must be generated for the OpenVPN server:
./build-dh
Output:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+................................ ...........
...................+.............+................ .+.........
......................................
Now you have newly-generated keys and certificates in the keys subdirectory.
11. Lets move the keys subdir to the right place:
mv -r keys /etc/openvpn/
12. We need to set up the server configuration file. Edit the file server.conf in /etc/openvpn
13. Leave most things as default, but set the following:
# edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
# To help with troubleshooting, initially turn logging on. I've set it to log to my usb key. (make sure to comment this back out when you have VPN working, or you might run out of space.)
log /media/usb/openvpn.log
# Now, you want to set up a route to your Vu box from the VPN interface.
# If your Vu has an ip of 192.168.1.25, then you would route to 192.168.1.0 subnet as follows:
push "route 192.168.1.0 255.255.255.0"
14. Save server.conf after making those changes.
15. At this point, we can test out the server to see if it will start ok.
Let's keep an eye on the log file while we do that. Run this command:
tail -F /media/usb/openvpn.log
16. And on the TV...
Menu>Setup>System>Network>OpenVPN setup
Start openvpn by pressing green
Enable autostart by pressing yellow
33253
17. If everything is working well, you should see something like this in your log output:
Output:
Sun Mar 16 13:36:42 2014 TUN/TAP device tun0 opened
Sun Mar 16 13:36:42 2014 TUN/TAP TX queue length set to 100
Sun Mar 16 13:36:42 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Mar 16 13:36:42 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Mar 16 13:36:42 2014 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Mar 16 13:36:42 2014 GID set to nogroup
Sun Mar 16 13:36:42 2014 UID set to nobody
Sun Mar 16 13:36:42 2014 Listening for incoming TCP connection on [undef]:1150
Sun Mar 16 13:36:42 2014 TCPv4_SERVER link local (bound): [undef]:1150
Sun Mar 16 13:36:42 2014 TCPv4_SERVER link remote: [undef]
Sun Mar 16 13:36:42 2014 MULTI: multi_init called, r=256 v=256
Sun Mar 16 13:36:42 2014 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Mar 16 13:36:42 2014 IFCONFIG POOL LIST
Sun Mar 16 13:36:42 2014 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sun Mar 16 13:36:42 2014 Initialization Sequence Completed
18. Now we need to configure the client config files. This depends on the client you want to use. Let's pretend client1 is a smartphone (iOS or Android) and client2 is a Mac or Linux machine.
19. Edit the file client.ovpn
# set remote to your public ip address or DDNS hostname. Leave port at 1194.
remote my-router-public-hostname-or-ip 1194
# SSL/TLS parms.
ca ca.crt
cert client.crt
key client.key
Make sure the remote parameter has been set to your home static public IP address, or DDNS hostname from services such as DynDNS.com or no-ip.com
20. Save client.ovpn.
21. Now we want to copy that file to new directories. Run these commands:
cd /etc/openvpn/
mkdir client1-mobile/
mkdir client2-laptop/
cp client.ovpn client1-mobile/
cp client.ovpn client2-laptop/
22. Copy the other certs and keys for each
cp keys/ca.crt client1-mobile
cp keys/client1.crt client1-mobile/client.crt
cp keys/client1.key client1-mobile/client.key
cp keys/ca.crt client2-laptop
cp keys/client2.crt client2-laptop/client.crt
cp keys/client2.key client2-laptop/client.key
23. There is an extra step for mobile, because some smartphones don't let you copy those cert/key files to the OpenVPN app. So what I did was embedded the certs and keys inside the client.ovpn file itself. To do this, run these commands:
cd /etc/openvpn/client1-mobile/
echo -e "\n\n<ca>\n$(cat ca.crt)\n</ca>" >> client.ovpn
echo -e "\n\n<cert>\n$(cat client.crt)\n</cert>" >> client.ovpn
echo -e "\n\n<key>\n$(cat client.key)\n</key>" >> client.ovpn
# Remove the ca.crt, client crt and key files now as they are not needed on mobile, once they are inside the ovpn file
cd /etc/openvpn/client1-mobile/
rm client.crt
rm client.key
rm ca.crt
24. You need to set up a port forward rule on your router to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server (your Vu box IP). Refer to your router help manual for instructions on how to do this.
25. The final step in the process is to copy all files to the clients which need them, taking care to copy secret files over a secure channel.
26. On iOS, I installed the excellent, free OpenVPN Connect app.
- I moved the /etc/openvpn/client1-mobile/client.ovpn file from my Vu to my Dropbox account.
- On iOS, I opened the file in the Dropbox app, and used 'Open With...' to open the file with the OpenVPN app.
33254
- Click connect, and viola, you now can access your Vu Duo using its local IP address while out and about! Works on 3G and 4G, and anywhere.
33255
27. On my Mac, I used the free Tunnelblick app, to import my ovpn file and certs (the ones in the client1-laptop folder).
Some notes:
UDP is the default, but you might find that TCP is more reliable for OpenVPN. I haven't yet figured out which one I will use long term. UDP is generally better for streaming.
A) Use 'Port Forwarding' on ports 80 (web), 8001 (stream) and 8002 (transcoding stream) your router.
B) Set up a VPN server at home, and use a VPN client on your mobile, or laptop to connect remotely, and have full access to all machines & ports on your home network. This requires port forwarding on only a single port for OpenVPN.
The first option has worked well for me in the past, but the second option would be considered more secure if set up the correct way. With a good VPN setup, all traffic can be encrypted into and out of your home. This comes at a cost of a slight reduction in overall speed.
Here is what I did to get OpenVPN running as a server on my Vu+ Duo on my home network. It is mostly done using Unix commands. If you are not comfortatble working on the command line, then stop reading now.
I used the OpenVPN HOWTO (https://openvpn.net/index.php/open-source/documentation/howto.html) to get it working. Please have a good long read of that page to understand VPNs a bit more. Most questions you might have will be answered on that page.
It took some tweaking to get it working, but once I did, it works 100% of the time. So lets go...
1. I would recommend doing a full image backup first. The below steps should not harm your setup, but it is always good to have a rollback plan...
2. Ensure you are running the latest VIX. Each time you do a clean install, you will need to set up the VPN afresh, so best to be on the latest. At the time of writing, I am running Zeus vesion 003. You can find out this, by going to
Menu>Information>About and check the Version and Build.
3. Install OpenVPN.
Menu>Setup>System>Network>OpenVPN setup
When prompted, select Yes to install the plugin
When done, do not run the plugin. Leave it turned off.
33251
4. ssh into the box as root. Not sure how to do that? See here (http://www.world-of-satellite.com/showthread.php?21644-SSH-login-help).
5. The standard OpenVPN installation on Vix does not include some files which we need to generate the master Certificate Authority (CA) certificate & key. I used easy-rsa for this. Lets get those missing files. Run the following commands:
cd /tmp/
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
tar -xvf openvpn-2.2.2.tar.gz
cp -r /tmp/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
cp /tmp/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
cp /tmp/openvpn-2.2.2/sample-config-files/client.conf /etc/openvpn/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/
chmod 777 *
6. You now need to edit the 'vars' file located in /etc/openvpn/easy-rsa/2.0/
and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank. Leave everything else as is. For example, here is what I set:
export KEY_COUNTRY="IE"
export KEY_PROVINCE="CO"
export KEY_CITY="Galway"
export KEY_ORG="Home"
export KEY_EMAIL="fin@gmail.com"
export KEY_CN=vuduo
export KEY_NAME=vuduo
export KEY_OU=vuduo
7. Next, initialize the PKI:
. ./vars
./clean-all
./build-ca
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
./build-ca
Output:
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IE]:
State or Province Name (full name) [CO]:
Locality Name (eg, city) [Galway]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [vuduo]:
Email Address [fin@gmail.com]:
Just press return each time it stops, and this will accept the default values which you set in the vars file.
8. Next, we will generate a certificate and private key for the server:
./build-key-server server
As in the previous step, most parameters must be defaulted. When the Common Name is queried, enter "server". Two other queries require 'y' responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]"
9. Generate certificates & keys for 2 clients
Generating client certificates is very similar to the previous step:
./build-key client1
./build-key client2
Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", or "client2". Always use a unique common name for each client.
10. Diffie Hellman parameters must be generated for the OpenVPN server:
./build-dh
Output:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+................................ ...........
...................+.............+................ .+.........
......................................
Now you have newly-generated keys and certificates in the keys subdirectory.
11. Lets move the keys subdir to the right place:
mv -r keys /etc/openvpn/
12. We need to set up the server configuration file. Edit the file server.conf in /etc/openvpn
13. Leave most things as default, but set the following:
# edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
# To help with troubleshooting, initially turn logging on. I've set it to log to my usb key. (make sure to comment this back out when you have VPN working, or you might run out of space.)
log /media/usb/openvpn.log
# Now, you want to set up a route to your Vu box from the VPN interface.
# If your Vu has an ip of 192.168.1.25, then you would route to 192.168.1.0 subnet as follows:
push "route 192.168.1.0 255.255.255.0"
14. Save server.conf after making those changes.
15. At this point, we can test out the server to see if it will start ok.
Let's keep an eye on the log file while we do that. Run this command:
tail -F /media/usb/openvpn.log
16. And on the TV...
Menu>Setup>System>Network>OpenVPN setup
Start openvpn by pressing green
Enable autostart by pressing yellow
33253
17. If everything is working well, you should see something like this in your log output:
Output:
Sun Mar 16 13:36:42 2014 TUN/TAP device tun0 opened
Sun Mar 16 13:36:42 2014 TUN/TAP TX queue length set to 100
Sun Mar 16 13:36:42 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Mar 16 13:36:42 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Mar 16 13:36:42 2014 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Mar 16 13:36:42 2014 GID set to nogroup
Sun Mar 16 13:36:42 2014 UID set to nobody
Sun Mar 16 13:36:42 2014 Listening for incoming TCP connection on [undef]:1150
Sun Mar 16 13:36:42 2014 TCPv4_SERVER link local (bound): [undef]:1150
Sun Mar 16 13:36:42 2014 TCPv4_SERVER link remote: [undef]
Sun Mar 16 13:36:42 2014 MULTI: multi_init called, r=256 v=256
Sun Mar 16 13:36:42 2014 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Mar 16 13:36:42 2014 IFCONFIG POOL LIST
Sun Mar 16 13:36:42 2014 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sun Mar 16 13:36:42 2014 Initialization Sequence Completed
18. Now we need to configure the client config files. This depends on the client you want to use. Let's pretend client1 is a smartphone (iOS or Android) and client2 is a Mac or Linux machine.
19. Edit the file client.ovpn
# set remote to your public ip address or DDNS hostname. Leave port at 1194.
remote my-router-public-hostname-or-ip 1194
# SSL/TLS parms.
ca ca.crt
cert client.crt
key client.key
Make sure the remote parameter has been set to your home static public IP address, or DDNS hostname from services such as DynDNS.com or no-ip.com
20. Save client.ovpn.
21. Now we want to copy that file to new directories. Run these commands:
cd /etc/openvpn/
mkdir client1-mobile/
mkdir client2-laptop/
cp client.ovpn client1-mobile/
cp client.ovpn client2-laptop/
22. Copy the other certs and keys for each
cp keys/ca.crt client1-mobile
cp keys/client1.crt client1-mobile/client.crt
cp keys/client1.key client1-mobile/client.key
cp keys/ca.crt client2-laptop
cp keys/client2.crt client2-laptop/client.crt
cp keys/client2.key client2-laptop/client.key
23. There is an extra step for mobile, because some smartphones don't let you copy those cert/key files to the OpenVPN app. So what I did was embedded the certs and keys inside the client.ovpn file itself. To do this, run these commands:
cd /etc/openvpn/client1-mobile/
echo -e "\n\n<ca>\n$(cat ca.crt)\n</ca>" >> client.ovpn
echo -e "\n\n<cert>\n$(cat client.crt)\n</cert>" >> client.ovpn
echo -e "\n\n<key>\n$(cat client.key)\n</key>" >> client.ovpn
# Remove the ca.crt, client crt and key files now as they are not needed on mobile, once they are inside the ovpn file
cd /etc/openvpn/client1-mobile/
rm client.crt
rm client.key
rm ca.crt
24. You need to set up a port forward rule on your router to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server (your Vu box IP). Refer to your router help manual for instructions on how to do this.
25. The final step in the process is to copy all files to the clients which need them, taking care to copy secret files over a secure channel.
26. On iOS, I installed the excellent, free OpenVPN Connect app.
- I moved the /etc/openvpn/client1-mobile/client.ovpn file from my Vu to my Dropbox account.
- On iOS, I opened the file in the Dropbox app, and used 'Open With...' to open the file with the OpenVPN app.
33254
- Click connect, and viola, you now can access your Vu Duo using its local IP address while out and about! Works on 3G and 4G, and anywhere.
33255
27. On my Mac, I used the free Tunnelblick app, to import my ovpn file and certs (the ones in the client1-laptop folder).
Some notes:
UDP is the default, but you might find that TCP is more reliable for OpenVPN. I haven't yet figured out which one I will use long term. UDP is generally better for streaming.