Internet security is a hot topic nowadays. Having computers exposed to the internet (open ports) is a very real risk, and you wouldn't believe the number of bots that scan through all the IP addresses in the hope of finding an ill-configured system or simply brute forcing everything.
I recently had an experience where one of the computers I managed, which had an exposed port 22 (SSH), was being brute forced from a Chinese IP address. Fortunately SSH was not enabled for the root account, which it tried to break. However, sooner or later, on unchecked systems a robot will succeed and compromise the network.
This is why I'm writing about a simple way to set up a truly robust connection, as the Tvheadend server in this project obviously needs remote access.
Enter OpenVPN: an open, free, robust and easy-to-set-up virtual private network software. It has a slight learning curve which might be discouraging at first, but this tutorial explains how to set it up for the current use case. It's actually surprisingly easy and painless (as long as you use tunnelling mode and not Ethernet bridging).
The VPN provides an encrypted connection and does not require any configuration of the remote router, which is really nice as the Tvheadend server might be left at a friend's or relative's place, and changing their router settings is not always possible/allowed.
The network is set up as follows:
- The DVB-T dongle is connected to the Tvheadend server, which is an OpenVPN client
- The OpenVPN server is a Raspberry Pi 1
- The media center is another client connected to the OpenVPN server
- The local network router needs to forward the incoming UDP packets on port 1194 to the OpenVPN server
- The clients and server can communicate securely on the virtual private network between themselves on the 10.8.0.x subnet
This is the network setup I'm going for here. The media center (10.8.0.6) I'm using, based on Kodi, will be able to access the Tvheadend server via the IP address 10.8.0.10, through the OpenVPN server on 10.8.0.1. The red arrow indicates the virtual connection; the true physical connection is represented by the black arrows.
One could also set up the OpenVPN server on the media center computer, however I want to run a couple other services on the Raspberry Pi 1 which I don't want on the media center itself (Pi-Hole, OwnCloud...).
DietPi has pre-configured packages that one can install by simply checking a box, which is super useful in this case.
Which opens the software installation process:
Select "Software Optimized", scroll down until you see "OpenVPN", hit the space-bar to select it and follow the instructions to install it. Do the same for the server and client.
Configuring the OpenVPN server is a fairly straightforward procedure. You don't need to understand everything (I sure didn't); some certificates (read: impossible-to-guess-super-long-passwords) simply need to be generated and copied from the server to the client.
I followed the instructions on the official OpenVPN how-to tutorial.
First go to /etc/openvpn/easy-rsa/ where all the tools for certificate creation are located. Execute the following commands in order and hit enter or reply with "y" whenever it asks for something:
It created some files under /etc/openvpn/easy-rsa/keys/ which need to be copied to /etc/openvpn/ on the server and client computers.
Configuring OpenVPN server
Copy the following files to /etc/openvpn/ on the server:
Create the configuration file for the server, named server.conf in /etc/openvpn/. This is the main file that needs some custom setup and it is the only thing that differentiates the server from the client. I used the template provided by OpenVPN for the server.
To allow the clients to access each other, modify the following lines in server.conf:
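The settings this setup depends on (UDP port 1194, tunnelling mode, the 10.8.0.x subnet, clients reaching each other) can be checked mechanically against server.conf. The script below is an added example, not the author's configuration or OpenVPN project code; the sample file content and its certificate file names are constructed, and `parse_conf` and `audit_server_conf` are hypothetical helper names.

```python
import ipaddress

# Constructed sample for this example (not the author's file): the article's
# settings, with client-to-client still commented out.
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;client-to-client
keepalive 10 120
"""

def parse_conf(text):
    """Map each active directive to its argument list ('#' and ';' start comments)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            directives[name] = args
    return directives

def audit_server_conf(text, client_ips=("10.8.0.6", "10.8.0.10")):
    """Return a list of mismatches between server.conf and the article's topology."""
    d = parse_conf(text)
    problems = []
    # OpenVPN defaults to port 1194 over UDP when the directives are absent.
    if (d.get("port") or ["1194"]) != ["1194"]:
        problems.append("port differs from the forwarded port 1194")
    if not (d.get("proto") or ["udp"])[0].startswith("udp"):
        problems.append("proto is not UDP, but the router forwards UDP")
    if not (d.get("dev") or [""])[0].startswith("tun"):
        problems.append("dev is not tun (tunnelling mode)")
    if len(d.get("server", [])) < 2:
        problems.append("no 'server <network> <netmask>' directive")
    else:
        net = ipaddress.ip_network("/".join(d["server"][:2]), strict=False)
        for ip in client_ips:
            if ipaddress.ip_address(ip) not in net:
                problems.append(f"{ip} is outside {net}")
    # With client-to-client the server relays client traffic inside OpenVPN,
    # so packet filters on the server's tun interface do not see it.
    if "client-to-client" not in d:
        problems.append("client-to-client is not enabled")
    return problems
```

Calling `audit_server_conf(open("/etc/openvpn/server.conf").read())` on the server returns an empty list when the file matches the topology described above.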