June-5th-2020, 05:40 PM
(This post was last modified: July-17th-2020, 08:41 AM by Armin@netPI.)
Here is how to install, setup and operate a containerized OpenVPN server on a netPI.
Physically you need:
- an Internet router supporting dynamic DNS and port forwarding
- an Internet connection with this Internet router
- a netPI RTE 3 or CORE 3 connected to the Internet router over Ethernet either with a static or dynamic IP address
- a dynDNS service provider like https://account.dyn.com/ and that is providing you a constant Internet DNS hostname for your Internet router
- dynDNS service enabled on your Internet router with your personal credentials received from the dynDNS provider
- activated port forwarding for the external Internet port 1194 forwarded to your netPI port 1194 on your Internet router
- a Windows computer with the SSH client tool PuTTY and the SCP/SFTP client tool WinSCP installed
The Raspbian container image is located here https://hub.docker.com/r/hilschernetpi/netpi-raspbian/
Since the OpenVPN functionality needs extended access to netPI's networking services the container needs to be deployed as follows:
Network Mode: bridge
Port mapping: host 1194 -> Container 1194
host 22 -> Container 22
Privileged Mode: on
Device Map: Host "/dev/tun" -> Container "/dev/tun"
Restart Policy: always
Capabilities: NET_ADMIN switch set to on
2. Login over an SSH connection to the Raspbian OS container
Open PuTTY, enter the netPI's IP address in the Host Name field, use port 22 (default) and click login. When asked, enter the user 'pi' and the password 'raspberry'.
Then call the following two Linux commands one after the other:
Code:
# make the PiVPN installer recognise the OS as Raspbian
sudo sed -i 's@debian@Raspbian@g' /usr/lib/os-release
curl -L https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh | bash
3. Fill out the questions during installation:
Question "DHCP reservation" : IP Address 172.17.0.2/16, Gateway 172.17.0.1 select yes
Question "Choose a user" : select (*) pi
Question "Installation mode" : select (*) OpenVPN
Question "Protocol": select (*) TCP
Question "Default openvpn Port": replace 443 with 1194
Question "DNS Provider" : select Google
Question "Custom Search Domain" : no
Question "Public IP or DNS" : select (*) DNS Entry
Question "Public DNS name": insert your personal domain name received from your DynDNS provider
Question "ECDSA certificate size": select (*) 256 Use a 256-bit certificate (recommended level)
Question "Unattended Upgrades": select no
Question "Reboot": select no
4. Create an OpenVPN client configuration file for a user
Supposing you choose the user "armin" and the passphrase "12345678", call the following command (example, replace with your own credentials):
Code:
sudo pivpn add -n armin -p 12345678
After that a new file is generated under /home/pi/ovpns, in my case as armin.ovpn.
5. Configure the container to start relevant services whenever it is started
Set up the OpenVPN server to start with the container.
Also configure proper routing so that netPI's local network connected to eth0 becomes reachable through the VPN tunnel as well.
Call the following command to edit the container's start script:
Code:
sudo nano /etc/init.d/entrypoint.sh
In the third line (or later) of the script insert the following 3 additional lines:
Code:
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
sudo service openvpn start
The beginning of the file will then look like this:
Code:
#!/bin/bash +e
# catch signals as PID 1 in a container
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

sudo service openvpn start
# SIGNAL-handler
...
Save your edits and confirm with <yes>.
6. Download your created *.ovpn file to your Windows computer using the program WinSCP
Log in to the netPI with WinSCP as with PuTTY in step 2, using the same credentials.
Navigate the WinSCP explorer to the netPI folder /home/pi/ovpns/.
Locate your file (mine was armin.ovpn) and copy it to your Windows machine.
7. Reboot your netPI now
8. While the netPI is rebooting, install an OpenVPN client such as the Windows OpenVPN Client
Click the (+) to add a new server.
Choose the option "IMPORT FROM FILE".
Click "BROWSE", locate your *.ovpn file on your Windows machine and let it load.
9. Establish an OpenVPN connection by switching the slider to position "on"
The OpenVPN client connects over the Internet using the dynDNS name configured in the *.ovpn file.
The DNS resolver turns that name into your Internet router's IP address.
The OpenVPN client then contacts the router at this IP address on port 1194.
The Internet router forwards port 1194 to the netPI.
The OpenVPN server, configured to listen on port 1194, establishes a bidirectional connection to the OpenVPN client.
You should see the slider turn green in the OpenVPN client.
10. Access any local IP address connected to the eth0 interface of the netPI
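If the slider does not turn green, or the VPN connects but the eth0 network stays unreachable, the following check script helps to find out which of the steps above did not take effect. It is an added example and not part of the original post or of PiVPN; it assumes the deployment settings from above (TCP port 1194, VPN subnet 10.8.0.0/24, eth0 as the LAN interface) and that iptables and ss are available in the container.

```shell
#!/bin/bash
# Added example, not from the original post: sanity check for the containerized
# OpenVPN server after the reboot in step 7. The parsing functions take command
# output as text so they can be tried on constructed samples; run_live_check
# feeds them the real output when OPENVPN_CHECK_LIVE=1 is set inside the container.

# has_net_admin CAPEFF -> true if the hex mask (the "CapEff:" line of
# /proc/self/status) contains CAP_NET_ADMIN, which is capability bit 12.
has_net_admin() {
    [ $(( (0x$1 >> 12) & 1 )) -eq 1 ]
}

# has_masquerade RULES -> true if RULES (output of `iptables -t nat -S POSTROUTING`)
# holds the MASQUERADE rule from step 5 for the 10.8.0.0/24 VPN clients leaving eth0.
has_masquerade() {
    printf '%s\n' "$1" | grep -Eq -- '^-A POSTROUTING -s 10\.8\.0\.0/24 -o eth0 -j MASQUERADE$'
}

# is_listening SS_OUTPUT PORT -> true if `ss -tln` output shows a TCP listener on PORT
# (the server was configured for TCP 1194 in step 3).
is_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == "LISTEN" && $4 ~ (":" p "$") { f = 1 } END { exit !f }'
}

# Constructed sample outputs (not captured from a real netPI), used to try the checks offline.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   0.0.0.0:1194       0.0.0.0:*'

# run_live_check: gather the real values inside the container and report each one.
# Returns non-zero if any check fails.
run_live_check() {
    local fail=0 capeff rules ss_out
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    rules=$(iptables -t nat -S POSTROUTING 2>/dev/null)
    ss_out=$(ss -tln 2>/dev/null)
    [ -c /dev/net/tun ] && echo "ok: tun device present" || { echo "FAIL: /dev/net/tun missing (check the device map)"; fail=1; }
    has_net_admin "$capeff" && echo "ok: NET_ADMIN capability" || { echo "FAIL: NET_ADMIN missing (check the capabilities switch)"; fail=1; }
    has_masquerade "$rules" && echo "ok: MASQUERADE rule" || { echo "FAIL: MASQUERADE rule missing (check the entrypoint.sh edit)"; fail=1; }
    is_listening "$ss_out" 1194 && echo "ok: OpenVPN listening on TCP 1194" || { echo "FAIL: nothing listens on TCP 1194"; fail=1; }
    # Forwarding is not mentioned in the post but is required for VPN clients to reach the eth0 LAN.
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] && echo "ok: ip_forward=1" || { echo "FAIL: ip_forward is 0"; fail=1; }
    return $fail
}

if [ "${OPENVPN_CHECK_LIVE:-0}" = 1 ]; then
    run_live_check
fi
```

Inside the container, run it as `sudo OPENVPN_CHECK_LIVE=1 bash vpncheck.sh`; each FAIL line names the step above to revisit.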
Thx
Armin
„You never fail until you stop trying.“, Albert Einstein (1879 - 1955)