VPN tunnel to netPI and local network in 10 minutes - Printable Version
Hilscher Community Forum (https://forum.hilscher.com)
Forum: netPI 3 - Docker featuring Industrial Raspberry Pi 3 platform (https://forum.hilscher.com/forum-1.html)
Forum: Software (https://forum.hilscher.com/forum-5.html)
Thread: VPN tunnel to netPI and local network in 10 minutes (/thread-605.html)
VPN tunnel to netPI and local network in 10 minutes - Armin@netPI - June-5th-2020

Here is how to install, set up and operate a containerized OpenVPN server on a netPI. Physically you need:
The Raspbian container image is located here: https://hub.docker.com/r/hilschernetpi/netpi-raspbian/

Since the OpenVPN functionality needs extended access to netPI's networking services, the container needs to be deployed as follows:

Network Mode: bridge
Port mapping: host 1194 -> Container 1194, host 22 -> Container 22
Privileged Mode: on
Device Map: Host "/dev/tun" -> Container "/dev/tun"
Restart Policy: always
Capabilities: NET_ADMIN switch set to on

2. Login over an SSH connection to the Raspbian OS container

Open Putty, enter netPI's IP address in the Hostname field, use port 22 (default) and click login. When asked, enter user 'pi' and the password 'raspberry'. Then call the two following Linux commands one after the other:

Code:
    sudo sed -i 's@debian@Raspbian@g' -i /usr/lib/os-release

3. Fill out the questions during installation:

Question "DHCP reservation": IP Address 172.17.0.2/16, Gateway 172.17.0.1, select yes
Question "Choose a user": select (*) pi
Question "Installation mode": select (*) OpenVPN
Question "Protocol": select (*) TCP
Question "Default openvpn Port": replace 443 with 1194
Question "DNS Provider": select Google
Question "Custom Search Domain": no
Question "Public IP or DNS": select (*) DNS Entry
Question "Public DNS name": insert your personal domain name received from your DynDNS provider
Question "ECDSA certificate size": select (*) 256, Use a 256-bit certificate (recommended level)
Question "Unattended Upgrades": select no
Question "Reboot": select no

4. Create an OpenVPN client configuration file for a user

Supposing you chose the user "armin" and the passphrase "12345678", call the command (example, replace with your own credentials):

Code:
    sudo pivpn add -n armin -p 12345678

After that a new file will be generated under /home/pi/ovpns, mine as armin.ovpn.

5. Configure the container to start relevant services whenever it is started

Set up the OpenVPN server to start. Also configure proper routing so that netPI's local network connected to eth0 also becomes available through the VPN tunnel. Call the following command to edit the container's start script:

Code:
    sudo nano /etc/init.d/entrypoint.sh

In the third line (or later) of the script insert the 3 additional code lines:

Code:
    sudo iptables -t nat -F POSTROUTING
    sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
    sudo service openvpn start

The beginning of the file will then look like:

Code:
    #!/bin/bash +e
    # catch signals as PID 1 in a container
    sudo iptables -t nat -F POSTROUTING
    sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
    sudo service openvpn start
    # SIGNAL-handler
    ...

Save your edits and confirm with <yes>.

6. Download your created *.ovpn file to your Windows computer using the program WinSCP

Login to the netPI with WinSCP as with Putty in step 2 and with the same credentials. Move the WinSCP explorer to the netPI folder /home/pi/ovpns/. Locate your file (mine was armin.ovpn) and copy it to your Windows machine.

7. Reboot your netPI now

8. While rebooting, install an OpenVPN client like the Windows OpenVPN Client

Click the (+) to add a new server. Choose the option "IMPORT FROM FILE". Click "BROWSE", locate your *.ovpn file on your Windows machine and let it load.

9. Establish an OpenVPN connection by switching the slider to position "on"

The OpenVPN client will connect to the Internet using the configured DynDNS name in the *.ovpn file. The name will be turned by the DNS resolver into your Internet router's IP address. The OpenVPN client will then get in touch with the router over its IP address at port 1194. The Internet router forwards port 1194 to netPI. The OpenVPN server is configured to listen on port 1194 and establishes a bidirectional connection to the OpenVPN client. You should see the slider turning green in the OpenVPN client.

10. Access any local IP address connected to the eth0 interface of netPI

Thx
Armin
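Step 5 flushes the whole nat POSTROUTING chain and re-adds one masquerade rule every time the container starts. As an added example that is not part of Armin's post and not code from Hilscher or PiVPN, the Python script below reads the chain as printed by `iptables -t nat -S POSTROUTING`, checks whether the rule for the post's values (source 10.8.0.0/24, outgoing interface eth0) is already there, and reports only the command that is still missing, so other rules in the chain (for instance Docker's own masquerade for 172.17.0.0/16) stay untouched. The sample chain output is constructed for the example; reading the live chain assumes the script runs inside the container with NET_ADMIN, as the post's deployment settings provide.

```python
"""Idempotent check for the VPN-to-LAN masquerade rule (added example)."""
import shlex
import subprocess
from typing import Dict, List

# Values taken from the forum post's iptables line.
VPN_SUBNET = "10.8.0.0/24"
LAN_IFACE = "eth0"

# Constructed sample of `iptables -t nat -S POSTROUTING` on a host where Docker
# already installed its own masquerade rule but the VPN rule is still missing.
SAMPLE_CHAIN = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
"""


def parse_rules(chain_output: str) -> List[Dict[str, str]]:
    """Turn each '-A <chain> ...' line into a dict of option -> value.

    A negated match ('! -o docker0') is stored under the key '!-o' so it can
    never be confused with a positive match on the same option.
    """
    rules: List[Dict[str, str]] = []
    for line in chain_output.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # skip policy lines ('-P ...') and blanks
        rule = {"chain": tokens[1]}
        i, negate = 2, False
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                negate = True
                i += 1
                continue
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            rule[("!" if negate else "") + tok] = value
            negate = False
            i += 2
        rules.append(rule)
    return rules


def masquerade_present(chain_output: str, subnet: str = VPN_SUBNET,
                       iface: str = LAN_IFACE) -> bool:
    """True when a MASQUERADE rule for exactly this subnet and interface exists."""
    return any(
        r.get("-s") == subnet and r.get("-o") == iface and r.get("-j") == "MASQUERADE"
        for r in parse_rules(chain_output)
    )


def required_commands(chain_output: str, subnet: str = VPN_SUBNET,
                      iface: str = LAN_IFACE) -> List[str]:
    """Commands still needed to route VPN clients to the LAN; [] if already done."""
    if masquerade_present(chain_output, subnet, iface):
        return []
    return [f"iptables -t nat -A POSTROUTING -s {subnet} -o {iface} -j MASQUERADE"]


def live_chain() -> str:
    """Read the real nat POSTROUTING chain (needs root / CAP_NET_ADMIN)."""
    result = subprocess.run(
        ["iptables", "-t", "nat", "-S", "POSTROUTING"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    try:
        chain = live_chain()
    except (OSError, subprocess.CalledProcessError):
        chain = SAMPLE_CHAIN  # fall back to the constructed sample offline
    for cmd in required_commands(chain) or ["# masquerade rule already present"]:
        print(cmd)
```

Run it as root inside the container (or pipe its output into `sh`) in place of the flush-and-add pair; on a second start it prints nothing to do instead of rewriting the chain.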
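Before the file from step 4 is copied to a user (step 6) or imported into the client (step 8), it is worth confirming that the profile really points at the DynDNS name, port and protocol chosen in step 3 and that it carries the checks that make the client insist on the right server. The parser and checker below are an added example, not code from the post, from PiVPN or from Hilscher; the profile text is constructed for the example, the key material is replaced by placeholders, and vpn.example.net stands in for your own DynDNS name. The directives it looks for (remote, proto, remote-cert-tls, tls-version-min, tls-crypt or tls-auth, inline <ca>/<cert>/<key> blocks) are standard OpenVPN client options.

```python
"""Sanity-check an OpenVPN client profile before distributing it (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample profile; certificates and keys are placeholders only.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_abc123 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN EC PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END EC PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TLS-CRYPT
-----END OpenVPN Static key V1-----
</tls-crypt>
"""


def parse_ovpn(text: str) -> Tuple[Dict[str, List[List[str]]], Dict[str, str]]:
    """Split a profile into directives (name -> list of argument lists) and
    inline blocks (<tag> ... </tag> -> body text)."""
    directives: Dict[str, List[List[str]]] = {}
    blocks: Dict[str, str] = {}
    current: Optional[str] = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                 # inside an inline block
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue                            # blank line or comment
        opening = re.fullmatch(r"<([a-z\-]+)>", line)
        if opening:
            current, body = opening.group(1), []
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks


def check_profile(text: str, expected_host: str, expected_port: int = 1194,
                  expected_proto: str = "tcp") -> List[str]:
    """Return findings; an empty list means the profile matches the expected
    endpoint and carries the hardening directives we look for."""
    d, blocks = parse_ovpn(text)
    findings: List[str] = []
    proto_args = d.get("proto", [["udp"]])[0]
    default_proto = proto_args[0] if proto_args else "udp"
    remotes = d.get("remote", [])
    if not remotes:
        findings.append("no 'remote' directive")
    for args in remotes:                        # remote <host> [port] [proto]
        host = args[0] if args else ""
        port = int(args[1]) if len(args) > 1 else 1194
        proto = args[2] if len(args) > 2 else default_proto
        if host != expected_host:
            findings.append(f"remote host is {host!r}, expected {expected_host!r}")
        if port != expected_port:
            findings.append(f"remote port is {port}, expected {expected_port}")
        if not proto.startswith(expected_proto):
            findings.append(f"remote protocol is {proto!r}, expected {expected_proto!r}")
    if "remote-cert-tls" not in d:
        findings.append("missing 'remote-cert-tls server' (client would accept a "
                        "client certificate from the same CA as the server)")
    if "tls-version-min" not in d:
        findings.append("missing 'tls-version-min'")
    for tag in ("ca", "cert", "key"):
        if tag not in blocks and tag not in d:
            findings.append(f"no <{tag}> block or '{tag}' file directive")
    if not any(t in blocks or t in d for t in ("tls-crypt", "tls-auth")):
        findings.append("neither tls-crypt nor tls-auth configured")
    return findings


if __name__ == "__main__":
    for line in check_profile(SAMPLE_OVPN, "vpn.example.net") or ["profile OK"]:
        print(line)
```

Point `check_profile` at the text of your real *.ovpn file and your DynDNS name; any finding is a reason to look at the PiVPN answers from step 3 again before the file leaves the netPI.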