I wanted a secure way of accessing my home network whilst away. Not only for my Home Assistant installation but to access files, photos, be able to work on scripts and the like. I did some research into various ways but kept coming back to a VPN. I found other reasons for using a VPN too, mainly to secure usage of public wifi, prevent region locking, and to use my PiHole DNS advert blocker.
For instance, if I’m using public wifi at a cafe/shopping center I can connect via my VPN to secure any passwords/bank details that I enter. If you didn’t realise it, anyone sharing the same wifi network can gain access to the passwords or data that you enter. Scared? Have a read of how they do it here.
This same Pi is running an instance of PiHole for DNS-level advert blocking. When I’m connected to my VPN I’ll be using the PiHole to enable advert blocking on my remote device too; this will be outlined in another post.
So onto the install.
I’ve already got a freshly installed Pi running Raspbian Stretch 4.9 with a PiHole installation, running in headless mode; you can view my previous threads for how to do this. I’m going to be using PiVPN, which is based on OpenVPN but written for the Pi. To install, I’ve used my Mac’s terminal and SSH’d into my Pi. Type:
curl -L https://install.pivpn.io | bash
Since I’m using Stretch, which is a new version of Raspbian, I receive an error:
Just hit Enter. Next, pay attention to:
I’ve already set up a static IP during my Pi-Hole installation, so I just agreed with the following page:
Agree to this, or change it if you feel the need. Next the install will ask you to select a user; which one you choose isn’t particularly important. If you’re using pi (which you shouldn’t be; you should change the default user when first installing Raspbian for security reasons) then click that, else choose the user you wish to grant access. The next step is crucial: it’ll ask you to allow unattended updates, which gives an additional level of security. Since you need to open a port on your router to the outside world, you want it to be as secure as possible.
Once you’ve progressed through this you shall see a black screen whilst PiVPN sets up the user and enables auto updates. The following screen will ask for UDP or TCP; just select TCP as per the default.
The following screen asks what port number you wish to use for your connection. It’s worth changing it from the default; this’ll just add another inch of security to stop default port scanners finding the port. Have a google for a port number list; you can find some that aren’t in use easily enough.
The following step is the level of encryption you wish to use; I chose the normal recommended 2048-bit level. I’m running this on an original Pi, which is a little slow, so it takes well over an hour to generate the key. I would imagine the 4096-bit option would take a lot longer.
Click through the following:
PiVPN will now generate your key, be prepared for it to take a while!
Expect a lot of output proving it’s still working:
Next up you need to set an external access point. My external IP changes as my ISP doesn’t grant me a static IP address, so I use a dynamic DNS service to give me a domain that my Pi updates periodically when my ISP changes the IP. I use duckdns.org, which is a great service, so for example I’d have pukit.duckdns.org as my address (although I don’t ;).
I select a public DNS, then on the next screen enter the DNS name, e.g. pukit.duckdns.org.
The following screen gives the option of which DNS server to use; I just went with Google as the default for the time being.
This is nearly the final screen. Click through this one, reboot the Pi as it asks, and log back in via SSH.
I encountered an issue with adding a user. I wanted to use iOS devices to access my VPN, and there’s an issue where this doesn’t work just by using the “pivpn add” command. After doing some research I found I need the command:
pivpn add nopass
You will be asked for a passphrase for your key; use one that you’ll remember, as you’ll need it when accessing the key from your remote device.
You’ll have to transfer the key file from the Pi to your device. The first time, in testing, I did this by emailing it to my iPhone, which is not the most secure route; I have since removed that user, set a new one up and transferred it more securely!
So far I only use a free app on my iPhone called OpenVPN. Simply open your key file from the app, enter the passphrase and hit the slider to connect. It’s very straightforward.
With the VPN in operation, you can now access your PiHole stats from anywhere in the world by typing your local IP address into your mobile browser, e.g. 192.168.0.2/admin to see the admin interface.
By being connected to the VPN you’ve now secured your connection, so feel free to log in to various apps over your iPhone’s connection. Obviously there are other apps for your Mac, Windows machine etc.
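As an added example (not part of the original post, and not PiVPN’s own code), here is a small POSIX shell audit that checks the choices made in the steps above against the files PiVPN writes: a non-default port, 2048-bit DH parameters, a client profile whose remote is the DuckDNS name rather than a bare IP (which would break when the ISP changes the address), and unattended upgrades switched on. It also prints a SHA-256 fingerprint of the .ovpn so you can compare it on the Pi and on the phone after transferring it and spot a truncated or altered copy. The file paths, the dhNNNN.pem naming and the sample config contents are assumptions constructed inline so the script runs offline.

```sh
#!/bin/sh
# Audit helpers for the PiVPN/OpenVPN choices discussed in the post.
# Added example, not code from the post or from PiVPN. File layout is an
# assumption: PiVPN puts the server config at /etc/openvpn/server.conf,
# client profiles under ~/ovpns/<name>.ovpn, and enables unattended
# upgrades via /etc/apt/apt.conf.d/20auto-upgrades.

# Value of a one-word directive ("port 1194" -> "1194") in an OpenVPN config.
conf_value() {
    awk -v key="$2" '$1==key {print $2; exit}' "$1"
}

# 0 if the server listens somewhere other than OpenVPN's default port 1194.
check_nondefault_port() {
    port=$(conf_value "$1" port)
    [ -n "$port" ] && [ "$port" != "1194" ]
}

# 0 if the DH parameter file named in the config is 2048-bit or larger
# (assumes PiVPN's dhNNNN.pem naming, NNNN being the bit length).
check_dh_bits() {
    dh=$(conf_value "$1" dh)
    bits=$(printf '%s\n' "$dh" | sed -n 's/.*dh\([0-9][0-9]*\)\.pem$/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# 0 if the client profile's "remote" is a hostname (e.g. a DuckDNS name)
# rather than a bare IPv4 address.
check_remote_is_hostname() {
    remote=$(conf_value "$1" remote)
    [ -n "$remote" ] || return 1
    case "$remote" in
        *[!0-9.]*) return 0 ;;   # something other than digits and dots
        *) return 1 ;;
    esac
}

# 0 if unattended upgrades are switched on in the apt periodic config.
check_unattended_upgrades() {
    grep -q 'APT::Periodic::Unattended-Upgrade "1";' "$1"
}

# SHA-256 of a client profile; compare on the Pi and on the phone after
# transferring the .ovpn so a tampered or truncated copy is noticed.
profile_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Run every check, print PASS/FAIL lines, and return the number of failures.
audit() {
    fails=0
    for check in \
        "check_nondefault_port $1" \
        "check_dh_bits $1" \
        "check_remote_is_hostname $2" \
        "check_unattended_upgrades $3"; do
        if $check; then echo "PASS $check"; else echo "FAIL $check"; fails=$((fails+1)); fi
    done
    return "$fails"
}

# Constructed sample files (not real configs) so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_SERVER_OK="$SAMPLE_DIR/server-ok.conf"
SAMPLE_SERVER_WEAK="$SAMPLE_DIR/server-weak.conf"
SAMPLE_CLIENT="$SAMPLE_DIR/phone.ovpn"
SAMPLE_CLIENT_IP="$SAMPLE_DIR/phone-ip.ovpn"
SAMPLE_APT="$SAMPLE_DIR/20auto-upgrades"

printf 'port 41194\nproto tcp\ndh /etc/openvpn/easy-rsa/pki/dh2048.pem\n' >"$SAMPLE_SERVER_OK"
printf 'port 1194\nproto udp\ndh /etc/openvpn/easy-rsa/pki/dh1024.pem\n' >"$SAMPLE_SERVER_WEAK"
printf 'client\nremote pukit.duckdns.org 41194 tcp\n' >"$SAMPLE_CLIENT"
printf 'client\nremote 203.0.113.10 41194 tcp\n' >"$SAMPLE_CLIENT_IP"
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' >"$SAMPLE_APT"

echo "== hardened sample =="
audit "$SAMPLE_SERVER_OK" "$SAMPLE_CLIENT" "$SAMPLE_APT" || echo "failures: $?"
echo "== weak sample =="
audit "$SAMPLE_SERVER_WEAK" "$SAMPLE_CLIENT_IP" "$SAMPLE_APT" || echo "failures: $?"
echo "fingerprint of $SAMPLE_CLIENT: $(profile_fingerprint "$SAMPLE_CLIENT")"
```

On a real Pi you would call `audit /etc/openvpn/server.conf ~/ovpns/<name>.ovpn /etc/apt/apt.conf.d/20auto-upgrades` and run `profile_fingerprint` on the .ovpn before and after copying it to the phone; the hardened sample passes all four checks and the weak sample fails three (default port, 1024-bit DH, bare IP remote).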