Saturday, March 24, 2018

networking - VPN to home network without opening port


I have several devices running on a network at home. I'd like to be able to access them remotely, specifically OpenHAB and OctoPrint webpages, without exposing any ports on my network or dealing with DNS at home.


I was planning to set up an OpenVPN server remotely on DigitalOcean and connect to it via smartphone. Is there a way to have a single computer (say a Raspberry Pi) expose the entire home network to the OpenVPN server?


Speed is not a major issue, but security is. It seems like something doable, but I don't have enough networking background to know the right words to search; this would be my time setting up a VPN server. I do not want to install VPN software on every device at home as that's much more to keep updated, and some are just little Arduino boards I'd like to ping. Any device outside the network would have VPN software installed, of course.


Answer




Is there a way to have a single computer (say a Raspberry Pi) expose the entire home network to the OpenVPN server?



Yes, that's a basic function of a router.



  • Both the server and the Raspberry will need IP routing (forwarding) enabled. For example, on Linux that would be the net.ipv4.conf.all.forwarding and net.ipv6.conf.all.forwarding sysctls.

  • The VPN server needs a route to the LAN subnet via the Raspberry Pi's IP address. (Specifically, via its VPN address, not the LAN one, since the route is from the perspective of the VPN server.)

    Note: When you're using OpenVPN in the default "tun" mode, this actually needs to be split into two configurations:

    1. a kernel route to the home subnet via tun0 (no gateway),
    2. and an OpenVPN iroute option to the same subnet via the Raspberry Pi's IP as the gateway.

    In "tap" (Ethernet emulation) mode, a single kernel route would be all you need.

  • Your LAN's primary router (e.g. the ISP-issued "router/modem") needs a route in the opposite direction – to the VPN subnet via the Raspberry Pi's LAN IP address.

    There are alternatives in case you can't configure this, but they're a topic of a separate thread.

  • The Raspberry Pi itself already has all necessary routes (as it's directly attached to both the LAN and the VPN).

  • Finally, your VPN server needs to push a route for the LAN subnet to all other clients (such as your phone), so that they'll know they need to go through the VPN to reach it.

    (This is optional if you're already pushing the "default" route, but I'd recommend it anyway.)
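The configuration pieces the answer lists, written out as an added example (not code from the original answer): a script that emits the server.conf fragment, the per-client ccd file with the iroute, the sysctl lines, and the route for the home router. The subnets, addresses and the client name are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. It emits the OpenVPN pieces the
# answer lists for the default "tun" mode. All addresses and the client
# name are assumptions chosen for illustration.
VPN_NET="10.8.0.0";    VPN_MASK="255.255.255.0"  # assumed VPN subnet (/24)
LAN_NET="192.168.1.0"; LAN_MASK="255.255.255.0"  # assumed home LAN subnet
PI_VPN_IP="10.8.0.10"    # assumed: Pi's address inside the VPN
PI_LAN_IP="192.168.1.10" # assumed: Pi's address on the home LAN
PI_CN="homepi"           # assumed: CN on the Pi's client certificate

# Server-side config fragment. In tun mode the LAN needs a kernel route
# (route) plus an OpenVPN-internal route (iroute, in the client's ccd file).
server_conf() {
  cat <<EOF
dev tun
topology subnet
server $VPN_NET $VPN_MASK
client-config-dir /etc/openvpn/ccd
route $LAN_NET $LAN_MASK
push "route $LAN_NET $LAN_MASK"
EOF
}

# Per-client file /etc/openvpn/ccd/$PI_CN: pin the Pi's VPN address so the
# iroute stays valid, and route the LAN subnet to this client.
pi_ccd() {
  cat <<EOF
ifconfig-push $PI_VPN_IP $VPN_MASK
iroute $LAN_NET $LAN_MASK
EOF
}

# Forwarding must be enabled on both the server and the Pi.
sysctl_conf() {
  printf 'net.ipv4.conf.all.forwarding=1\nnet.ipv6.conf.all.forwarding=1\n'
}

# Route the home router needs: VPN subnet via the Pi's LAN address.
# Shown as an iproute2 command, assuming a Linux-based router.
home_router_route() {
  printf 'ip route add %s/24 via %s\n' "$VPN_NET" "$PI_LAN_IP"
}

printf '# server.conf\n'; server_conf
printf '\n# ccd/%s\n' "$PI_CN"; pi_ccd
printf '\n# sysctl on server and Pi\n'; sysctl_conf
printf '\n# on the home router\n'; home_router_route
```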


