
Thread: Guide to setting up an OpenVPN server on Vix

  1. #1 finbarr (Forum Supporter, Donated Member; joined Jan 2014)

    Guide to setting up an OpenVPN server on Vix

    Setting up your own VPN server inside your home will increase security while accessing your home network remotely. As far as I know, there are two ways to watch TV, and access OpenWebIf remotely.

    A) Use 'Port Forwarding' on ports 80 (web), 8001 (stream) and 8002 (transcoding stream) on your router.
    B) Set up a VPN server at home, and use a VPN client on your mobile, or laptop to connect remotely, and have full access to all machines & ports on your home network. This requires port forwarding on only a single port for OpenVPN.

    The first option has worked well for me in the past, but the second option would be considered more secure if set up the correct way. With a good VPN setup, all traffic can be encrypted into and out of your home. This comes at a cost of a slight reduction in overall speed.

    Here is what I did to get OpenVPN running as a server on my Vu+ Duo on my home network. It is mostly done using Unix commands. If you are not comfortable working on the command line, then stop reading now.

    I used the OpenVPN HOWTO to get it working. Please have a good long read of that page to understand VPNs a bit more. Most questions you might have will be answered on that page.

    It took some tweaking to get it working, but once I did, it works 100% of the time. So let's go...

    1. I would recommend doing a full image backup first. The below steps should not harm your setup, but it is always good to have a rollback plan...

    2. Ensure you are running the latest VIX. Each time you do a clean install, you will need to set up the VPN afresh, so it is best to be on the latest. At the time of writing, I am running Zeus version 003. You can find this out by going to
    Menu>Information>About and checking the Version and Build.

    3. Install OpenVPN.

    • Menu>Setup>System>Network>OpenVPN setup
    • When prompted, select Yes to install the plugin
    • When done, do not run the plugin. Leave it turned off.



    4. ssh into the box as root. Not sure how to do that? See here.

    5. The standard OpenVPN installation on Vix does not include some files which we need to generate the master Certificate Authority (CA) certificate & key. I used easy-rsa for this. Let's get those missing files. Run the following commands:

    Code:
    cd /tmp/
    wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
    tar -xvf openvpn-2.2.2.tar.gz
    # copy the easy-rsa scripts and the sample server/client configs into place
    cp -r /tmp/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
    cp /tmp/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
    cp /tmp/openvpn-2.2.2/sample-config-files/client.conf /etc/openvpn/client.ovpn
    cd /etc/openvpn/easy-rsa/2.0/
    # the easy-rsa helper scripts need the execute bit before they can be run
    chmod 777 *
    6. You now need to edit the 'vars' file located in /etc/openvpn/easy-rsa/2.0/
    and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank. Leave everything else as is. For example, here is what I set:

    Code:
    export KEY_COUNTRY="IE"
    export KEY_PROVINCE="CO"
    export KEY_CITY="Galway"
    export KEY_ORG="Home"
    export KEY_EMAIL="fin@gmail.com"
    export KEY_CN=vuduo
    export KEY_NAME=vuduo
    export KEY_OU=vuduo
    7. Next, initialize the PKI:

    Code:
    . ./vars
    ./clean-all
    ./build-ca
    The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:


    Code:
    ./build-ca
    Output:
    Generating a 1024 bit RSA private key
    ............++++++
    ...........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [IE]:
    State or Province Name (full name) [CO]:
    Locality Name (eg, city) [Galway]:
    Organization Name (eg, company) [Home]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) [vuduo]:
    Email Address [fin@gmail.com]:


    Just press return each time it stops, and this will accept the default values which you set in the vars file.

    8. Next, we will generate a certificate and private key for the server:

    Code:
    ./build-key-server server
    As in the previous step, most parameters must be defaulted. When the Common Name is queried, enter "server". Two other queries require 'y' responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]"

    9. Generate certificates & keys for 2 clients

    Generating client certificates is very similar to the previous step:

    Code:
    ./build-key client1
    ./build-key client2
    Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", or "client2". Always use a unique common name for each client.

    10. Diffie Hellman parameters must be generated for the OpenVPN server:

    Code:
    ./build-dh
    Output:
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    .................+...........................................
    ...................+.............+.............+.........
    ......................................


    Now you have newly-generated keys and certificates in the keys subdirectory.

    11. Let's move the keys subdir to the right place:

    Code:
    # mv takes no -r flag; it moves the whole directory as it is
    mv keys /etc/openvpn/
    12. We need to set up the server configuration file. Edit the file server.conf in /etc/openvpn

    13. Leave most things as default, but set the following:

    Code:
    # edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above
    
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    
    dh /etc/openvpn/keys/dh1024.pem
    
    # To help with troubleshooting, initially turn logging on. I've set it to log to my usb key. (make sure to comment this back out when you have VPN working, or you might run out of space.)
    log         /media/usb/openvpn.log
    
    
    # Now, you want to set up a route to your Vu box from the VPN interface.
    # If your Vu has an ip of 192.168.1.25, then you would route to 192.168.1.0 subnet as follows:
    push "route 192.168.1.0 255.255.255.0"
    14. Save server.conf after making those changes.

    15. At this point, we can test out the server to see if it will start ok.

    Let's keep an eye on the log file while we do that. Run this command:
    Code:
    tail -F /media/usb/openvpn.log
    16. And on the TV...
    • Menu>Setup>System>Network>OpenVPN setup
    • Start openvpn by pressing green
    • Enable autostart by pressing yellow



    17. If everything is working well, you should see something like this in your log output:

    Output:

    Sun Mar 16 13:36:42 2014 TUN/TAP device tun0 opened
    Sun Mar 16 13:36:42 2014 TUN/TAP TX queue length set to 100
    Sun Mar 16 13:36:42 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Sun Mar 16 13:36:42 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Sun Mar 16 13:36:42 2014 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
    Sun Mar 16 13:36:42 2014 GID set to nogroup
    Sun Mar 16 13:36:42 2014 UID set to nobody
    Sun Mar 16 13:36:42 2014 Listening for incoming TCP connection on [undef]:1150
    Sun Mar 16 13:36:42 2014 TCPv4_SERVER link local (bound): [undef]:1150
    Sun Mar 16 13:36:42 2014 TCPv4_SERVER link remote: [undef]
    Sun Mar 16 13:36:42 2014 MULTI: multi_init called, r=256 v=256
    Sun Mar 16 13:36:42 2014 IFCONFIG POOL: base=10.8.0.4 size=62
    Sun Mar 16 13:36:42 2014 IFCONFIG POOL LIST
    Sun Mar 16 13:36:42 2014 MULTI: TCP INIT maxclients=1024 maxevents=1028
    Sun Mar 16 13:36:42 2014 Initialization Sequence Completed



    18. Now we need to configure the client config files. This depends on the client you want to use. Let's pretend client1 is a smartphone (iOS or Android) and client2 is a Mac or Linux machine.

    19. Edit the file client.ovpn

    Code:
    # set remote to your public ip address or DDNS hostname. Leave port at 1194.
    remote my-router-public-hostname-or-ip 1194
    
    # SSL/TLS parms.
    ca ca.crt
    cert client.crt
    key client.key
    Make sure the remote parameter has been set to your home static public IP address, or DDNS hostname from services such as DynDNS.com or no-ip.com

    20. Save client.ovpn.

    21. Now we want to copy that file to new directories. Run these commands:

    Code:
    cd /etc/openvpn/
    mkdir client1-mobile/
    mkdir client2-laptop/
    cp client.ovpn client1-mobile/
    cp client.ovpn client2-laptop/

    22. Copy the other certs and keys for each

    Code:
    cp keys/ca.crt client1-mobile
    cp keys/client1.crt client1-mobile/client.crt
    cp keys/client1.key client1-mobile/client.key
    
    cp keys/ca.crt client2-laptop
    cp keys/client2.crt client2-laptop/client.crt
    cp keys/client2.key client2-laptop/client.key
    23. There is an extra step for mobile, because some smartphones don't let you copy those cert/key files to the OpenVPN app. So what I did was embedded the certs and keys inside the client.ovpn file itself. To do this, run these commands:

    Code:
    cd /etc/openvpn/client1-mobile/
    echo -e "\n\n<ca>\n$(cat ca.crt)\n</ca>" >> client.ovpn
    echo -e "\n\n<cert>\n$(cat client.crt)\n</cert>" >> client.ovpn
    echo -e "\n\n<key>\n$(cat client.key)\n</key>" >> client.ovpn
    # Remove the ca.crt, client crt and key files now as they are not needed on mobile, once they are inside the ovpn file

    Code:
    cd /etc/openvpn/client1-mobile/
    rm client.crt
    rm client.key
    rm ca.crt

    24. You need to set up a port forward rule on your router to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server (your Vu box IP). Refer to your router help manual for instructions on how to do this.


    25. The final step in the process is to copy all files to the clients which need them, taking care to copy secret files over a secure channel.

    26. On iOS, I installed the excellent, free OpenVPN Connect app.

    • - I moved the /etc/openvpn/client1-mobile/client.ovpn file from my Vu to my Dropbox account.
    • - On iOS, I opened the file in the Dropbox app, and used 'Open With...' to open the file with the OpenVPN app.
    • - Click connect, and voilà, you now can access your Vu Duo using its local IP address while out and about! Works on 3G and 4G, and anywhere.


    27. On my Mac, I used the free Tunnelblick app to import my ovpn file and certs (the ones in the client2-laptop folder).

    Some notes:
    UDP is the default, but you might find that TCP is more reliable for OpenVPN. I haven't yet figured out which one I will use long term. UDP is generally better for streaming.

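    The profile build of steps 19 to 23 (set the remote, then inline the CA, client certificate and key into one .ovpn for the phone), written as a small POSIX sh script. This is an added example and not code from the guide above or from the OpenVPN project. Unlike the echo -e appends in step 23 it also drops the file-based ca/cert/key directives, so the finished profile does not refer to files that step 23 then deletes; it copies only the -----BEGIN/-----END body of each credential (easy-rsa writes a text dump above the PEM in .crt files); and it creates the result with mode 0600, since the file now contains a private key. The hostname home.example.net is a hypothetical DDNS name, the client.ovpn lines are the ones the guide edits from the sample client.conf, and the PEM contents are constructed placeholders rather than real keys.

```shell
#!/bin/sh
# Added example, not code from the thread: build the single-file client
# profile of steps 19-23 from client1-mobile/client.ovpn and the keys/ dir.
set -eu

# set_remote FILE HOST PORT: rewrite the 'remote' line with the home
# router's public IP or DDNS hostname (step 19).
set_remote() {
    f=$1 host=$2 port=$3
    sed "s/^remote .*/remote $host $port/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# pem_body FILE: print only the -----BEGIN ... -----END block; easy-rsa
# prepends a human-readable dump to .crt files that is not needed inline.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# inline_profile SRC CA CERT KEY OUT: OUT = SRC minus the file-based
# ca/cert/key directives, plus <ca>/<cert>/<key> blocks, mode 0600.
inline_profile() {
    src=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$src" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "inline_profile: cannot read $f" >&2; return 1; }
    done
    saved_umask=$(umask)
    umask 077                       # OUT is never world-readable, even briefly
    {
        grep -v -E '^[[:space:]]*(ca|cert|key)[[:space:]]' "$src" || :
        printf '\n<ca>\n';   pem_body "$ca";   printf '</ca>\n'
        printf '<cert>\n';   pem_body "$cert"; printf '</cert>\n'
        printf '<key>\n';    pem_body "$key";  printf '</key>\n'
    } > "$out"
    umask "$saved_umask"
    chmod 600 "$out"
}

# profile_check FILE: 0 if FILE has a remote line, all three inline blocks
# and no leftover ca/cert/key file directives; 1 otherwise.
profile_check() {
    f=$1
    grep -q '^remote ' "$f" || return 1
    for tag in ca cert key; do
        grep -q "^<$tag>\$" "$f" && grep -q "^</$tag>\$" "$f" || return 1
    done
    ! grep -q -E '^[[:space:]]*(ca|cert|key)[[:space:]]' "$f"
}

# --- demo on constructed input (placeholder PEMs, not real keys) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/keys" "$WORK/client1-mobile"

mk_pem() {   # mk_pem LABEL: constructed placeholder PEM on stdout
    printf -- '-----BEGIN %s-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END %s-----\n' "$1" "$1"
}
mk_pem CERTIFICATE > "$WORK/keys/ca.crt"
{ printf 'Certificate:\n    Data: (constructed text dump, as easy-rsa writes before the PEM)\n'
  mk_pem CERTIFICATE; } > "$WORK/keys/client1.crt"
mk_pem 'RSA PRIVATE KEY' > "$WORK/keys/client1.key"

# the client.ovpn of step 19, as edited from the sample client.conf
cat > "$WORK/client1-mobile/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote my-router-public-hostname-or-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
verb 3
EOF

PROFILE="$WORK/client1-mobile/client-inline.ovpn"
set_remote "$WORK/client1-mobile/client.ovpn" home.example.net 1194   # hypothetical DDNS name
inline_profile "$WORK/client1-mobile/client.ovpn" "$WORK/keys/ca.crt" \
    "$WORK/keys/client1.crt" "$WORK/keys/client1.key" "$PROFILE"
profile_check "$PROFILE" && echo "profile ok: $PROFILE"
```

    On the box the same functions run against /etc/openvpn/client1-mobile and /etc/openvpn/keys; the produced file is the one to hand to the phone over a secure channel (step 25), and because it carries the client's private key it should be treated like client.key itself, which is why the script sets 0600 and uses umask 077 while writing.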

  3. #2 finbarr (Forum Supporter, Donated Member; joined Jan 2014)
    @phoenix I have created a shell script which can automate the whole process as described in the OpenVPN Guide I wrote a while back. This makes it very fast to re-generate certs and configure the server after doing a reflash.

    You will first need to create a folder called 'setup_openvpn_files' which is then compressed into setup_openvpn_files.tar.gz file with the following contents. Note the static files which I have marked for you to 'configure first'.

    Code:
    ls -lR setup_openvpn_files
    total 24
    -rw-r--r--@  1   staff  3237 18 Jun 16:39 client_desktop.ovpn (configure first)
    -rw-r--r--@  1   staff   427 18 Jun 16:49 client_mobile.ovpn (configure first)
    drwxr-xr-x@ 22   staff   748 12 Jun 19:24 easy-rsa
    -rw-r--r--@  1   staff  1624 18 Jun 16:46 server.conf (configure first)
    
    setup_openvpn_files/easy-rsa:
    total 224
    -rw-r--r--@ 1   staff    119 12 Jun 19:24 build-ca
    -rw-r--r--@ 1   staff    352 12 Jun 19:24 build-dh
    -rw-r--r--@ 1   staff    188 12 Jun 19:24 build-inter
    -rw-r--r--@ 1   staff    163 12 Jun 19:24 build-key
    -rw-r--r--@ 1   staff    157 12 Jun 19:24 build-key-pass
    -rw-r--r--@ 1   staff    249 12 Jun 19:24 build-key-pkcs12
    -rw-r--r--@ 1   staff    268 12 Jun 19:24 build-key-server
    -rw-r--r--@ 1   staff    213 12 Jun 19:24 build-req
    -rw-r--r--@ 1   staff    158 12 Jun 19:24 build-req-pass
    -rw-r--r--@ 1   staff    449 12 Jun 19:24 clean-all
    -rw-r--r--@ 1   staff   1471 12 Jun 19:24 inherit-inter
    -rw-r--r--@ 1   staff    302 12 Jun 19:24 list-crl
    -rw-r--r--@ 1   staff   7791 12 Jun 19:24 openssl-0.9.6.cnf
    -rw-r--r--@ 1   staff   8348 12 Jun 19:24 openssl-0.9.8.cnf
    -rw-r--r--@ 1   staff   8245 12 Jun 19:24 openssl-1.0.0.cnf
    -rw-r--r--@ 1   staff  12966 12 Jun 19:24 pkitool
    -rw-r--r--@ 1   staff    928 12 Jun 19:24 revoke-full
    -rw-r--r--@ 1   staff    178 12 Jun 19:24 sign-req
    -rw-r--r--@ 1   staff   2052 12 Jun 19:24 vars      (configure first)
    -rw-r--r--@ 1   staff    740 12 Jun 19:24 whichopensslcnf
    Could you add this post as a new post on the OpenVPN Guide for those who want to automate it like I did.


  5. #3 (Forum Supporter, Donated Member; joined Sep 2010)
    Hi I get an error at this stage

    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key

    -sh ca not found
    -sh cert not found
    -sh key not found

    The previous step also failed, but I moved the keys folder manually by FTP to /etc/openvpn.

    Thanks for any help
    VU+Duo2 5.2.025

  6. #4 s1m0nw (Forum Supporter, Donated Member; joined Feb 2012)
    Been trying to execute the automated shell file but can't seem to get it.

    Just to be sure I am doing it correctly: I have SSH'd into my box, sent the .tar.gz file to tmp and gave it chmod 777 permissions, and then went back to the telnet session and entered /var/volatile/filename.tar.gz

    Is this correct, as it comes up with "file not found", but before I gave it full permissions it said "access denied".
    Vu+ Duo
    Vu+ Solo
    Gigablue HD 800 SE

    All with latest vix image - Autobouquets - SgtFlipflop 28.2e Picons - WebradioFS

