Need help: access my Raspy with OSMC from Internet

Hi guys,
here there’s my home configuration:
Fastweb HAG -> Netgear Router -> Raspy (OSMC)
-> …

The Fastweb HAG (WiF off) is only connected (cabled) to the Netgear Router that is my LAN Router where the Raspy (cabled) and other PC/MAC (WiFi) are connected and manged by the Netgear itself.

Yesterday, Fastweb give to me the pubblic ip so now I’d like to access my Raspy, that I use with OSMC as Media Center but also as mini-server (storage, aMule, Transmission…), from my office but I’m not a security expert so I need your help.

I presume I have to forward some ports from the HAG to the Router and from the Router to the Raspy, correct?
Wich ports and in which way for access my Raspy via ssh, ftp, samba, aMule GUI and Transmission GUI?
At the momenti I’m just forwarding the aMule and Transmission ports…

Any suggestion about the security of my LAN?

Thanks!

Hello @Markino,
I’m with similar setup. I manage our goal with domain name which is pointing to my public IP, after that I redirect all needed ports. For example you can do something like:
ExternalPort → InternalPort
80 → Pi_IP:80
2200(ssh) → Pi_IP:22
and so on…
Additionally I install fail2ban package to protect my system and on top of that all my visible from internet web applications (owncloud, torrnet client web UI, etc.) are protected with .htaccess password. Another approach can be using a OpenVPN server on your Pi (I already post a working solution in another topic here at the forum). With usage of VPN you will be abble to get maximum protection and at the same time you will be able to access your servicec/web apps/web server from everywhere. I hope that this information will help you :smile:

P.S. Excuse my English :smile:

Thanks WizziLalev, you’ve really helped me!
Yesterday I opened the ssh port (why I had to forward the 2200 to the real ssh port 22 instead of forwarding directly the 22 to the same port?) and now I can succesfully connect to my raspy form outside.
fail2ban seems a great tool so I’ll give it a try!

Thinking to the VPN solution… can you please exlpain to me what I’ll get different of forwarding the interested port in term of security etc… Sorry but I’m new in that argument and I don’t know well the VPN, port forwarding, security etc…

Hi Markino,

If your router has a VPN server all you’ll have to do is connect to it from your client device from the internet the same way as WizziLalev said with a domain name or your WAN IP address and it will be like you are connected to your home router. no need to forward any ports.

Hi @Markino,
I suggest you to forward external port 2200 to the internal ssh port only because there are some bots that are scanning for open “default” ports (for ftp, ssh etc.) and they start trying to login with some default credentials. With this step you are “masking” your services - in my opinion this is another layer of security. And about the VPN - well if you’re using it all of your traffic will be encrypted and only you will have direct access to your services.
My exact configuration is:

  • external port (normally visible from internet) is pointing to my Pi’s internal port 80 (I’m using ownCloud on my Pi)
  • external port (normally visible from internet) is pointing to my Pi’s internal port 22 (ssh - just in case if something goes wrong with my VPN and I need console access to my Pi - here I have installed fail2ban again just in case)
  • external port (normally visible from internet) is pointing to Pi’s internal port 1194 (pure VPN connection) - when I connect to my VPN I can access all other services that I have (but I don’t want to be visible from internet - torrent client web UI, router configurations, NAS configuration, another machines in my home network, ) - even with this solution I can use Yatse to stream media from Kodi@HOME to my phone while I’m traveling :wink: - there is OpenVPN client for Android
  • at top of all this I bought one domain and it is pointing to my public IP address - its more handy to remember domain instead of IP address. I’m using the same domain to access my Pi when I’m at home and I’m using my home network - I’ve just add new record at my router to redirect all request about this domain to Pi’s local IP.

I spend some time to configure everything but last 8 mounts it is very stable and I’m happy and secure :wink:

I hope that this explanation will help you to design your own solution :smile:

Woooow!!! You’re giving me great info and tons of idea… I’ve really appreciate your help!
Well… I think I’m going to implement a very similar solution to yours. My doubt is that the Netgear WNDR3800 doesn’t support the VPN creation and management… I have to investigate but if the router hasn’t this feature how can I create a VPN on my LAN?
On the Raspy side I only had to follow that guide?
http://brianhornsby.com/blog/#how-to-setup-your-vpn-client

PS: you’re using a Raspberry with OSMC as media center + an USB drive directly connected to the Raspy or do you have a NAS on your LAN? At the moment on my Raspy Pi2 running OSMC I have an USB 1TB drive connected so my Raspy act as media center, mini-server, NAS ecc… but since I have another “old” Raspy Pi 1+ I’m thinking if wouldn;t be a good idea to use the Pi 2 only as Mediacenter + server and the old one as NAS/STORAGE… what do you think?

I’m happy that you like my idea! :slight_smile:
First of all I want to clarify that my VPN server is running directly on my Pi, so at this Pi I have running:
OSMC + torrent client + full web server(php, apache, mysql) + ownCloud + OpenVPN server + CUPS (server to share my printers at home) + Retrosmc ( @mcobit’s master piece :wink: ) + I think that there was something else also :smiley:
I have 2TB NAS attached directly to my router and that NAS is mounted at my Pi via NFS. That NAS is holding my roms for Retrosmc, all my videos/movies/music (all my Kodi libraries), ownCloud main storage and my torrent client download folders.

And about your router - I think that it will be enough to forward needed ports for your VPN server :wink:

And about your last question: IMHO your current configuration (Pi2 + usb HDD) is absolutely fine. From my explanation you can see that I have a lot thinks that are running on my Pi and everything is absolutely stable.

P.S. I manage to configure my OpenVPN server following the instructions from this article: click me. Just one note: if you try to follow the same article make sure that all of your IP_TABLES rules are restored after every reboot otherwise your VPN won’t work :wink: I can provide more information about that also :smiley:

Perfect! Weel… I’ll do the same openVpn server config on my Pi too. You’re runnign OSMC isn’t it?
What about the parameters I’m looking in the guide, such as KEY_COUNTRY, KEY_PROVINCE, ip adderss… is there some stuff I have to be care and/or input correctly? I live in Italy and as I told you I’m newbye on that arguments. :stuck_out_tongue:
Yes, if you could possibly help me with the persistancy of iptables it will be fine. :smile:

PS: what is Retrosmc ?

If you are asking about:
export KEY_COUNTRY=“US”
export KEY_PROVINCE=“CA”
export KEY_CITY=“SanFrancisco”
export KEY_ORG=“Fort-Funston”
export KEY_EMAIL=“mail@domain”
I’ve edit them correctly (just in case :smile: ). Retrosmc is one great piece of software (thanks to @mcobit ) for it - Retrosmc allows you to transform your Pi in retro console and play almost all cool “old school” games. I’m using it to play my collection of MAME games. Let me go back home and I will send you instructions how to preserve your IPtables :smile:

P.S. @Markino you can check this article - it helps me to preserve my iptables :wink: and yes I’m using OSMC :smile:

Thanks again man! :wink:

Sorry to bother you again…
I’m just following the guide you sugget me right now from remote connection (OpenVPN on Debian 8 (Jessie) – I don't think I know what I'm doing | 2kswiki). Have you also applyed the Hardened feature (Hardened OpenVPN on CentOS 7 – I don't think I know what I'm doing | 2kswiki) mentioned at top of the first guide?
If yes… can you give me same help understand better how to integrate on the first guide?

Hi @Markino - no I skip this part - it is nice to try it but in my opinion first solution is enough and will provide you with enough protection :smile:

P.S. @Markino from time to time you need to restart your VPN server after Pi restart - there is small problem - the server is started before your iptables to be restored and this lets you without internet connection when you are connected to your VPN server. I’m still looking for simple solution and I will update you if I find out something.

Ok thanks! If you’ll find a solution please let me know. :smile:

I’m following the guide and now I’m waiting to the “./build-dh” command complete…
I had to do “sudo -s” because using “sudo” comand I wan’t be able to do some command:
source vars
./clean-all
./build-ca
./build-key-server server

Is it correct to create the certificates and all the other commands as root (sudo -s)?

I can’t wait to try my VPN! :smiley:

Word of warning, if you are doing this and have not changed the password in the username:password from the default osmc:osmc or preferably turned off password enabled logins to use private keys, you are making a grave mistake.

1 Like

Thanks @ActionA that is the step that I totally forgot to mention. @Markino yes you need to use sudo durring the preparations/configuration and please note the advise from @ActionA and sorry that I forgot to mention it!

P.S. @ActionA - what do you think about the setup that I propose? If you have more advices or another ideas I’m open for them :wink:

Ensuring that you have changed the default password, you are using a non-standard (22) port, and you have installed/config’d fail2ban, the only recommendations I would recommend are disabling password login and config’ing access only by use of private key. IMO this is sufficient hardening. As a somewhat related aside, NEVER expose FTP to the internet.

Thanks guys for all you’ve done! I think this thread is becomming very interesting. :smile:

Yes, of course I’ve changed the default osmc password and as WizziLalev suggested I expose another port to the internet for ssh conenction! :wink:
At the moment I also expose and forward to the Raspy the standard ports fro aMule and Transmission… I think I can’t change that port, right?

The idea to disable the password login is only reffered to the VPN connection or you’re suggesting me to disable all the password login of any conenctions type? How can I do it?

PS: I had to pause my work on Raspy but today I’'m going to continue…I’ll let you know! :smile:

Continuing with the guide…

On the iptables configuration is specified 1194 as port and 10.8.0.0/24 as vpn subnet: what does it means? Can I change it with some other ip and/or port? I’m using 192.168.69.XXX on my LAN.

If I understood well, after starting the server I have to generate the client certificate (public?) and the client ovpn file to be distributed and used on the client machine.
What is that line on the ovpn file: “remote vpn-01.domain.com 1194”? 1194 is the port I configured for the vpn and “vpn-01.domain.com”?
The guide use client1 for both the certificate and the file… that means that I have to repeat the configuration for all the clients (client2, client3…) I want to let to connect to my vpn?

What about the openvpn service and startup? Have I to do “systemctl enable openvpn@server” and also “systemctl enable openvpn@client1”, “systemctl enable openvpn@client2”… for all the clients I have created before starting the service?
Is it possible to make it anable and starts automatically on boot?

Thanks and sorry for the lot of questions… :smile:

Yes you can change it (in theory) but I never try it, this configuration will create new virtual subnetwork and will assign IP addresses from it to all devices connected via VPN.

You’re right - 1194 is the port on which your VPN server can be accessed, BUT here you must change it to your external port (ex: you’ve forward your external port 11094 to Pi’s internal port 1194 - in this case you must change 1194 to 11094 @ your ovpn file). “vpn-01.domain.com” is dummy domain - you must change it with your external IP address or domain which is pointing to your external IP address.

Yes you must create new certificate for every user, that will use your server, you must repeat the steps where you’re creating the certificate for your client1 nothing else - just change client1 to client2, client3 etc.

you only have to do “sudo systemctl enable openvpn@server” → this will autostart your server automatically on boot, next is to run once “sudo systemctl start openvpn@server”

Very clear explanation, thanks!
So… the 10.8.0.0/24 addresses are just the way used by the openVpn to enumerate the connected clients, right? In this case any configured subnet will be transparent to the client and we can leave the default. :smile:
For the port 1194… do you suggest me to chenge the external port and then forward it to the 1194 of the Raspy or chenge on both side the port so that I only have to forward the same port to the Raspy? Don’t know if there is a preffered way for security or other reason.

Last question: what exacltly means that I have to create new certificate for every user? Have I to create a certificate and the ovpn file both for John and David and then they will be able to connect to my vpn from all their devices with the same file or have I to create one certificate for each device/pc that I want to trust on my vpn? I’m not sure if the certificate and ovpn file could be reused on different devices and then is user based or device based…