This page shows the differences between two versions.
en:howtos:pivpn [2022/02/18 07:34] – morquai | en:howtos:pivpn [2022/02/18 08:09] (current) – external edit 127.0.0.1
VPNs are offered by a wide variety of providers, but are usually subject to a fee or limited in data volume. In addition, there is the consideration that you have to trust the provider, because all network traffic runs through their server and can be read there.
For your own VPN solution:
* your own (WLAN) router
* a computer in the home network in question
That's it, a few questions are asked during the installation,
After the installation,
* [[https://
* [[https://
* [[https://
* [[https://
===== Configuration =====
We now have a working VPN (__V__irtual __P__rivate __N__etwork) in which all participating devices are connected to each other. All participants (clients)
But sometimes we want more, e.g. access to other devices in our home network; the NAS drive is one example. In order to gain access to the home network, a "
To do this, the configuration file of the OpenVPN server (etc/
<code>
push "route 192.168.178.0 255.255.255.0 10.8.0.1"
route 192.168.178.0 255.255.255.0 10.8.0.1
</code>
We can now access the devices in our home network via the VPN, but we cannot address them by name. If the home router provides a DNS service for the home network (e.g. the Fritz Box), the devices can also be addressed by name. For this, the following entries must be added in /
<code>
push "dhcp-option DNS 192.168.178.1"
push "dhcp-option DOMAIN fritz.box"
</code>
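The push lines in this section are easy to get subtly wrong (a missing hyphen in dhcp-option, a closing quote forgotten, a network address with host bits set, a gateway outside the tunnel subnet), and OpenVPN only complains when the service is restarted. As an added example that is not part of this howto or of PiVPN, the following Python script checks such server-side lines before a restart. The sample configuration is constructed for the example and deliberately contains the "dhcp option" typo and an unterminated quote; the list of dhcp-option types is the one from the OpenVPN manual.

```python
import ipaddress

# Constructed sample (not taken from a real server.conf). Lines 5 and 6 are
# planted mistakes: a missing hyphen plus a missing closing quote, and a
# route target whose host bits are set.
SAMPLE_SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.178.0 255.255.255.0 10.8.0.1"
route 192.168.178.0 255.255.255.0 10.8.0.1
push "dhcp-option DNS 192.168.178.1"
push "dhcp option DOMAIN fritz.box
push "route 192.168.178.1 255.255.255.0"
"""

# dhcp-option types accepted by OpenVPN; the ones in ADDRESS_TYPES take an IP.
DHCP_OPTION_TYPES = {"DNS", "DOMAIN", "WINS", "NTP", "NBT", "NBDD", "NBS", "DISABLE-NBT"}
ADDRESS_TYPES = {"DNS", "WINS", "NTP", "NBDD"}
GATEWAY_KEYWORDS = {"vpn_gateway", "net_gateway", "default"}


def _check_route(args, vpn_net, where):
    """Validate the arguments of 'route NETWORK NETMASK [GATEWAY]'."""
    findings = []
    if len(args) < 2:
        return [f"{where}: route needs NETWORK and NETMASK"]
    try:
        # strict=True rejects a network address that still has host bits set
        ipaddress.IPv4Network((args[0], args[1]), strict=True)
    except ValueError as exc:
        findings.append(f"{where}: bad route target {args[0]}/{args[1]} ({exc})")
    if len(args) >= 3 and args[2] not in GATEWAY_KEYWORDS and vpn_net is not None:
        try:
            gateway = ipaddress.IPv4Address(args[2])
            if gateway not in vpn_net:
                findings.append(f"{where}: gateway {gateway} is outside the VPN subnet {vpn_net}")
        except ValueError:
            findings.append(f"{where}: gateway {args[2]} is not an IPv4 address")
    return findings


def _check_dhcp_option(args, where):
    """Validate the arguments of 'dhcp-option TYPE [VALUE]'."""
    if not args or args[0].upper() not in DHCP_OPTION_TYPES:
        return [f"{where}: unknown dhcp-option type {args[:1]}"]
    kind = args[0].upper()
    if kind in ADDRESS_TYPES or kind == "DOMAIN":
        if len(args) < 2:
            return [f"{where}: dhcp-option {kind} needs a value"]
        if kind in ADDRESS_TYPES:
            try:
                ipaddress.ip_address(args[1])
            except ValueError:
                return [f"{where}: dhcp-option {kind} value {args[1]} is not an IP address"]
    return []


def check_server_conf(text):
    """Return a list of human-readable findings for an OpenVPN server config."""
    findings = []
    lines = text.splitlines()
    vpn_net = None
    # First pass: learn the tunnel subnet from the 'server' directive.
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "server":
            vpn_net = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        where = f"line {lineno}"
        parts = line.split(None, 1)
        if parts[0] == "push":
            # The pushed option must sit inside one pair of double quotes.
            body = parts[1].strip() if len(parts) > 1 else ""
            if not (len(body) >= 2 and body.startswith('"') and body.endswith('"')):
                findings.append(f"{where}: push option must be enclosed in double quotes")
            tokens = body.strip('"').split()
        else:
            tokens = line.split()
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if name == "dhcp" and args[:1] == ["option"]:
            findings.append(f"{where}: 'dhcp option' is not a directive, use 'dhcp-option'")
        elif name == "route":
            findings.extend(_check_route(args, vpn_net, where))
        elif name == "dhcp-option":
            findings.extend(_check_dhcp_option(args, where))
    return findings


if __name__ == "__main__":
    for finding in check_server_conf(SAMPLE_SERVER_CONF):
        print(finding)
```

To run it against a real file, read the file's contents into check_server_conf instead of SAMPLE_SERVER_CONF; an empty result means the directives the script knows about look consistent, it does not replace OpenVPN's own parser.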
===== Create and manage clients =====
The server is running, now we come to the clients. The OpenVPN software must be installed on each client and a configuration file must be transferred to it; this configuration file is what the OpenVPN client needs. There is no need to describe the installation of the OpenVPN software, as this differs depending on the platform; I'll leave that to the friendly Mr. Google.
How do we get a configuration file now? So far we've only talked about OpenVPN, but not PiVPN. PiVPN provides us with a few helpful tools for maintaining and operating our VPN. In order not to spend endless nights reading and understanding the configuration options for an OpenVPN client, we simply issue the command
<code>
pivpn --help
::: Control all PiVPN specific functions!
:::
::: Usage: pivpn <
:::
::: commands:
::: -a, add [nopass] Create a client ovpn profile, optionally nopass
::: -c, clients List any connected clients to the server
::: -d, debug Start a debugging session if having trouble
::: -l, list List all valid and revoked certificates
::: -r, revoke Revoke a client ovpn profile
::: -h, help Show this help dialog
::: -u, uninstall Uninstall PiVPN from your system!
</code>
and get a list of the available options. A client configuration file is created with, e.g.
<code>
pivpn -a
Enter a Name for the Client: myiphone
Enter the password for the client:
Enter the password again to verify:
spawn ./easyrsa build-client-full myiphone
Note: using Easy-RSA configuration from: ./vars
rand: Use -help for summary.
Generating a 4096 bit RSA private key
..........................++
......................................................++
writing new private key to '/
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /
Check that the request matches the signature
signature ok
The Subject'
commonName :ASN.1 12:'
Certificate is to be certified until Sep 12 12:54:03 2027 GMT (3650 days)
Write out database with 1 new entries
Database updated
Client'
Client'
CA public key found: ca.crt
tls-auth Private Key found: ta.key
==================================================
Done! myiphone.ovpn successfully created!
myiphone.ovpn was copied to:
/
for easy transfer.
==================================================
</code>
We have now created our first client and must transfer the resulting configuration file to it. The last paragraph of the output tells us where to find the file.
====== For experts ======
In addition to the usual use case, accessing the home network from outside, I have implemented the following setup. The OpenVPN server is installed on a KVM server of my web host running Debian 9, i.e. outside of the home network. The installation of PiVPN also works without any problems under Debian, since the standard packages are installed from the repository and Raspbian is based on Debian.
The aim is to realize the following connection:
<code>
Home Network <- Raspberry Pi <-> OpenVPN Server <-> OpenVPN Client
</code>
Note that between the home network and the Raspberry Pi, the arrow points in only one direction.
===== Preparation =====
My server on the Internet has no access to other, private networks. I have therefore set up a Raspberry Pi as a client in my home network, which connects to the internet server from home. The client is also able to propagate routes, so I made sure on the Raspberry Pi that data packets can be forwarded from one adapter (the OpenVPN tunnel device) to another. The following entry in / makes this possible:
<code>
net.ipv4.ip_forward=1
</code>
To enable this without a reboot, issue the command
<code>
sudo sysctl -w net.ipv4.ip_forward=1
</code>
The commands
<code>
/
/
/
</code>
ensure that the firewall accepts the traffic. These settings do not survive a reboot, so a script must be stored under /etc/init.d that reactivates these settings after the network start. Better (and recommended) is the method via the package [[https://
<code>
sudo apt-get install iptables-persistent netfilter-persistent
</code>
The question of whether the current rules should be adopted can confidently be answered with "
<code>
sudo iptables-save >
sudo iptables-restore <
</code>
These serve to save or restore the current rules. To keep changed rules across a reboot, the file / must be updated with
<code>
sudo iptables-save >/
</code>
How the whole thing works with IPv6 I leave to the man pages. =)
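The failure mode of the persistence step is a forwarding rule that was added on the running system but never written to the saved rules file, so it silently disappears at the next reboot. Comparing the two with a plain diff is noisy, because iptables-save prints a timestamp comment and per-chain packet counters that change constantly. As an added example that is not part of this howto or of the iptables-persistent package, the following Python script normalizes two dumps and reports the rules that differ. Both dumps are constructed for the example; the saved one is assumed to be what iptables-persistent keeps in /etc/iptables/rules.v4 by default.

```python
import re

# Constructed sample of what 'iptables-save' prints for the running ruleset.
RUNNING_DUMP = """\
# Generated by iptables-save v1.8.2 on Fri Feb 18 08:00:01 2022
*filter
:INPUT ACCEPT [1234:567890]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [999:12345]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Feb 18 08:00:01 2022
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed sample of an older saved rules file: the RELATED,ESTABLISHED
# rule was added later on the running system and never saved.
SAVED_DUMP = """\
# Generated by iptables-save v1.8.2 on Thu Feb 17 21:10:44 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Trailing "[packets:bytes]" counters on chain policy lines.
COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]$")


def normalize(dump):
    """Return {table: [lines]} with comments and packet counters stripped.

    Chain policy lines (':INPUT ACCEPT') and rules ('-A ...') are kept in
    their original order, because rule order is significant for iptables.
    """
    tables = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line == "COMMIT":
            current = None
        elif current is not None:
            tables[current].append(COUNTER_RE.sub("", line))
    return tables


def diff_rulesets(running, saved):
    """Return (rules only in running, rules only in saved), each as 'table: rule'."""
    run_t, save_t = normalize(running), normalize(saved)
    only_running, only_saved = [], []
    for table in sorted(set(run_t) | set(save_t)):
        r, s = run_t.get(table, []), save_t.get(table, [])
        only_running += [f"{table}: {x}" for x in r if x not in s]
        only_saved += [f"{table}: {x}" for x in s if x not in r]
    return only_running, only_saved


def in_sync(running, saved):
    """True only if both dumps contain the same rules in the same order."""
    return normalize(running) == normalize(saved)


if __name__ == "__main__":
    lost_on_reboot, not_yet_loaded = diff_rulesets(RUNNING_DUMP, SAVED_DUMP)
    for rule in lost_on_reboot:
        print("running but NOT saved:", rule)
    for rule in not_yet_loaded:
        print("saved but not running:", rule)
    print("in sync" if in_sync(RUNNING_DUMP, SAVED_DUMP) else "out of sync")
```

On a real system, feed it the output of sudo iptables-save and the contents of the saved rules file instead of the two embedded samples. diff_rulesets only compares membership, which is what you want for "did I forget to save this rule"; in_sync additionally requires identical order, which matters when an ACCEPT and a DROP target the same traffic.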
===== Configuration =====
Now is the moment to enable the connection. The OpenVPN client on the Raspberry Pi must now tell the OpenVPN server that it is providing a route to a network. To do this, a new file must be created on the OpenVPN server under /
<code>
ifconfig-push 10.8.0.250 255.255.255.0
iroute 192.168.178.0 255.255.255.0
</code>
As soon as the Raspberry Pi registers with the VPN, the corresponding route is communicated to all clients that register with the VPN AFTER it. The OpenVPN server itself takes note of the route immediately.
The question arises how to ensure that the Raspberry Pi always receives the above address 10.8.0.250. Good question, here is the answer. Another configuration file is required on the server, which instructs it to always assign the same IP address to the Raspberry Pi. The file is called
<code>
/
</code>
with entries of the form
<code>
client_name,
</code>
If I didn't forget anything and everything was installed and configured correctly, everything works now. Integrating another "home network",
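Three files have to agree for this setup to work: the client-config-dir file with ifconfig-push and iroute, the server configuration (every iroute needs a matching route directive, otherwise the server's kernel never sends traffic for that network into the tunnel), and the address-persistence file (its entry for the Raspberry Pi must carry the same address, and no other client may be recorded with it). As an added example that is not part of this howto or of PiVPN, the following Python script checks exactly that. All three inputs are constructed for the example, the client name raspberrypi and the paths in the server.conf sample are assumptions, and the ifconfig-push parsing assumes topology subnet (second argument is the netmask); the persistence file format of one common_name,address per line is the one OpenVPN uses for ifconfig-pool-persist.

```python
import ipaddress

# Constructed server.conf excerpt (paths and names are assumptions).
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist /etc/openvpn/ipp.txt
route 192.168.178.0 255.255.255.0
"""

# Constructed ccd file for the Raspberry Pi; the second iroute is planted
# and has no matching 'route' on the server.
CCD_RASPBERRYPI = """\
ifconfig-push 10.8.0.250 255.255.255.0
iroute 192.168.178.0 255.255.255.0
iroute 192.168.50.0 255.255.255.0
"""

# Constructed persistence file; 'myiphone' is planted on the same address.
IPP_TXT = """\
raspberrypi,10.8.0.250
myiphone,10.8.0.250
"""


def _directives(text):
    """Yield (name, args) for every non-comment line of an OpenVPN config."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.split()
            yield parts[0], parts[1:]


def _net(args):
    """Build an IPv4Network from 'NETWORK NETMASK' arguments."""
    return ipaddress.IPv4Network((args[0], args[1]), strict=False)


def parse_ipp(text):
    """Parse ifconfig-pool-persist lines of the form 'common_name,address'."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and "," in line:
            name, addr = line.split(",", 1)
            mapping[name.strip()] = addr.strip()
    return mapping


def check_site_to_site(server_conf, ccd_text, client_name, ipp_text):
    """Return findings about the ccd / server.conf / ipp.txt triple."""
    findings = []
    vpn_net, server_routes = None, set()
    for name, args in _directives(server_conf):
        if name == "server" and len(args) >= 2:
            vpn_net = _net(args)
        elif name == "route" and len(args) >= 2:
            server_routes.add(_net(args))

    pushed_addr = None
    for name, args in _directives(ccd_text):
        if name == "ifconfig-push" and args:
            pushed_addr = ipaddress.IPv4Address(args[0])
            if vpn_net is not None and pushed_addr not in vpn_net:
                findings.append(f"{client_name}: ifconfig-push {pushed_addr} is outside {vpn_net}")
        elif name == "iroute" and len(args) >= 2:
            lan = _net(args)
            if lan not in server_routes:
                # iroute only tells OpenVPN which client owns the network; the
                # kernel still needs a 'route' directive to send packets to tun.
                findings.append(f"{client_name}: iroute {lan} has no matching 'route' in server.conf")

    ipp = parse_ipp(ipp_text)
    if pushed_addr is not None:
        recorded = ipp.get(client_name)
        if recorded != str(pushed_addr):
            findings.append(f"{client_name}: persistence file records {recorded}, ccd pushes {pushed_addr}")
        for other, addr in ipp.items():
            if other != client_name and addr == str(pushed_addr):
                findings.append(f"{client_name}: address {pushed_addr} is also recorded for '{other}'")
    return findings


if __name__ == "__main__":
    for finding in check_site_to_site(SERVER_CONF, CCD_RASPBERRYPI, "raspberrypi", IPP_TXT):
        print(finding)
```

The client name passed to check_site_to_site must be the certificate's common name, since that is the name OpenVPN uses both for the ccd file lookup and for the persistence entry.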