```
-rwxr-xr-x 1 root root   119 Mar 27  2016 build-ca
-rwxr-xr-x 1 root root   352 Mar 27  2016 build-dh
-rwxr-xr-x 1 root root   188 Mar 27  2016 build-inter
-rwxr-xr-x 1 root root   163 Mar 27  2016 build-key
-rwxr-xr-x 1 root root   157 Mar 27  2016 build-key-pass
-rwxr-xr-x 1 root root   249 Mar 27  2016 build-key-pkcs12
-rwxr-xr-x 1 root root   268 Mar 27  2016 build-key-server
-rwxr-xr-x 1 root root   213 Mar 27  2016 build-req
-rwxr-xr-x 1 root root   158 Mar 27  2016 build-req-pass
-rwxr-xr-x 1 root root   449 Mar 27  2016 clean-all
-rwxr-xr-x 1 root root  1471 Mar 27  2016 inherit-inter
drwx------ 2 pi   pi    4096 Feb 17 20:46 keys
-rwxr-xr-x 1 root root   302 Mar 27  2016 list-crl
-rw-r--r-- 1 root root  7859 Mar 27  2016 openssl-0.9.6.cnf
-rw-r--r-- 1 root root  8416 Mar 27  2016 openssl-0.9.8.cnf
-rw-r--r-- 1 root root  8313 Mar 27  2016 openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13246 Mar 27  2016 pkitool
-rwxr-xr-x 1 root root  1035 Mar 27  2016 revoke-full
-rwxr-xr-x 1 root root   178 Mar 27  2016 sign-req
-rw-r--r-- 1 root root  2076 Mar 27  2016 vars
-rwxr-xr-x 1 root root   740 Mar 27  2016 whichopensslcnf
```
Writing up now, I’m confused why I’ve set keys to “pi” owner/group. It’s not like that when I finish. Anyway: looks like I set this instance up not that long ago, in March 2016. Already, though, I’ve lost the notes. 🙁 (Losing notes is a major contributing factor to creating this blog; it helps combat those existential crises where I feel I’m rather like the falling tree that nobody hears.)
- A VPN is desirable because I can reduce my network-facing attack surface for private services, e.g. remote control, APIs, sensitive IoT MQTT, etc.
- A VPN is desirable for times when I have no 3G/4G signal on my phone and need to use public WiFi
- A VPN is desirable if I want to access services I pay for, e.g. Netflix, from abroad
- I’ll be using the VPN built into pfSense for full network access, with easier-to-configure, highly granular control
- The Pi is for off-loading streaming (including for friends) and safe browsing from public WiFi
- I can partition it from the sensitive areas of my network
- It uses very little electricity … e.g. usually less than 2W including battery electronics
A service I used for free DDNS (Dynamic DNS) was no-ip. My router had client updater software built in, and no-ip offered a free service that just needed a touch every 30 days. My ISP contract actually provides me with 5 usable IPv4 addresses, but I’m not sure of the technicalities of VPNs or how to access my internal networks if I set a Pi to use one of the external static IP addresses. I imagine I’d have to manually push routes to the internal networks, which seemed like more hard work, as my networking & Linux knowledge is too basic. So it seemed easier to follow tutorials that use a NATed internal network IP that a gateway router forwards to, usually from a dynamic IP.
Unfortunately something strange occurred with my no-ip account where the hostname I used no longer appeared in my account. Trying to re-establish it just raised error messages saying it was already in use. I suspect an error on no-ip’s side of things, but as it was a free service I felt too ashamed to challenge them on it. That left me looking at the Pi, without notes, trying to remember how making new .ovpn files (with a new DDNS domain) worked. Hmmm.
Before I continued, I decided to purchase an enhanced package with no-ip (about £25 I think it was) for the year, and chose a new host/domain. But then I made a CNAME on dyndns where I manage my xarta domains (pointed to by 1and1) as I have a lifetime free account on there (long story) so that vpn.xarta.co.uk can be set to whatever DDNS I’m using. (dyndns looked more expensive and complicated for Dynamic DNS ironically and didn’t permit PayPal payments which is why I stuck with no-ip). So at least I don’t have to remake VPN .ovpn files if my DDNS changes in the future.
Next I considered my options:
- Start afresh and use: http://www.pivpn.io/#
- Repair using this handy article which is the same as my existing set-up: https://melgrubb.com/2016/12/11/rphs-v2-openvpn/
I figured I’ll go the repair route, which might help me understand the pre-scripted route when I inevitably switch at some point in the future (or set up an Ubuntu Server VM as a back-up VPN server, maybe in the nearer future). OpenVPN is of course already installed on the Pi, but I updated/upgraded everything first. Then I just followed the instructions from Mel Grubb:
The OpenSSL version (built for Raspbian Jessie in Jan 2017) seems a little old … from May last year. From a quick investigation I couldn’t see any major severe issues to worry about right now, but I’ll probably look at building it or sourcing it from another repository to obtain a more up-to-date copy, after which I might have to re-do the above all over again.
Meanwhile, I’ll isolate here for my convenience just the steps required to set up a new client .ovpn.
Then I just copy the .ovpn file temporarily to my Pi Desktop so that I can scp it to my Windows machine to put in LastPass, and to deploy to the intended client device / person (sharing it temporarily on Google Drive if necessary).
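As an added example (not from this post or from Mel Grubb’s article), a small POSIX shell function that assembles a single-file client profile with the certificates embedded inline from the easy-rsa 2 keys directory; it assumes the client cert and key were already issued (e.g. with pkitool), that vpn.xarta.co.uk resolves to the server, and that the server listens on UDP 1194 (assumed port).

```shell
#!/bin/sh
# Added example, not from the original post or Mel Grubb's article.
# Builds a one-file client profile (CA, cert, key embedded inline) from an
# easy-rsa 2 "keys" directory. Assumes the client cert/key were already issued
# (e.g. ./pkitool <name>) and that the server is reachable at vpn.xarta.co.uk
# on UDP 1194 (assumed port). Usage: make_client_ovpn <name> <keys-dir> <out>

# Print only the PEM body of a file: easy-rsa prepends a human-readable
# certificate dump to .crt files, and that text must not land in the profile.
pem_body() {
  sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

make_client_ovpn() {
  name="$1"; keys="$2"; out="$3"
  # Refuse to write anything if the CA, client cert or client key is missing.
  for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
    [ -r "$f" ] || { echo "make_client_ovpn: missing $f" >&2; return 1; }
  done
  # Subshell so the restrictive umask (the file holds a private key) does not
  # leak into the caller's shell; the profile is created mode 0600.
  (
    umask 077
    {
      cat <<'EOF'
client
dev tun
proto udp
remote vpn.xarta.co.uk 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# reject a peer whose certificate was not issued with the server EKU
remote-cert-tls server
# cipher/auth must match the server config; add them here if the server sets them
verb 3
EOF
      printf '<ca>\n';   pem_body "$keys/ca.crt";    printf '</ca>\n'
      printf '<cert>\n'; pem_body "$keys/$name.crt"; printf '</cert>\n'
      printf '<key>\n';  pem_body "$keys/$name.key"; printf '</key>\n'
      # Embed the HMAC key only if the server was set up with tls-auth.
      if [ -r "$keys/ta.key" ]; then
        printf 'key-direction 1\n<tls-auth>\n'; pem_body "$keys/ta.key"; printf '</tls-auth>\n'
      fi
    } > "$out"
  )
}
```

The resulting file contains the client’s private key, so it should travel only over scp or a password manager as the post describes, never by plain e-mail.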
NB: for normal use I set this Pi to be headless with raspi-config, though I can always use a virtual server with VNC of course, or just change the setting back to Desktop for VNC Server as required.
TODO: Look at using Dnsmasq and forwarding DNS requests over the VPN.
TODO: Investigate using the Google Authenticator pam_google_authenticator.so etc. with OpenVPN?
TODO: unattended update/upgrade
TODO: better monitoring/alert instrumentation. I want to do my own of course, but in a chicken & egg situation it’s better to have something rather than nothing/pending. I hate “wasting” my time on IT that might just become obsolete or which I only need rarely but in this case I might look at something like Nagios for monitoring/reporting/alerting on my servers including this OpenVPN server. e.g.