🛡️ Portable OpenVPN Service for Kodi
An automated, GUI-driven VPN Server solution for Raspberry Pi & Kodi.

📖 Overview
This addon transforms your Kodi media center into a secure, private gateway. It allows you to connect your phone or laptop back to your home network from anywhere in the world using a military-grade encrypted "tunnel."

Unlike commercial VPNs, you own the data, there are no monthly fees, and your traffic is never logged by a third party.

🚀 Key Features
Zero-Terminal Setup: Manage your server address (DDNS), usernames, and passwords directly through the Kodi settings menu.

DDNS Ready: Full support for hostnames (like yourname.duckdns.org), making it easy to connect even if your home IP changes.

Auto-Boot Service: The server automatically launches 30 seconds after Kodi starts, ensuring network stability before the tunnel opens.

One-Click Export: Generates a custom .ovpn configuration file pre-loaded with your unique certificates for instant mobile setup.

🔐 The "Massive Encryption" Explained
Your connection is protected by a Public Key Infrastructure (PKI). This is the same level of security used by banks and government agencies.

1. The Handshake (Identity)
When you click "Generate Certificates," the addon creates a unique Certificate Authority (CA).

RSA-2048/4096: This is a digital "seal of authenticity." Your phone and the Pi exchange cryptographic keys to prove they are who they say they are.

Perfect Forward Secrecy (PFS): Every time you connect, a new set of temporary keys is created. If one session were somehow compromised, your past and future sessions remain safe.

2. The Tunnel (Data)
Once the handshake is complete, your data is wrapped in an AES-256-GCM (Advanced Encryption Standard) shroud.

AES-256: Considered "uncrackable" by current brute-force technology.

GCM Mode: Provides both encryption and integrity checking, ensuring that no one can "tamper" with your data while it's traveling over public Wi-Fi.

🛠️ Usage Guide
1. Configuration
Go to Add-on Settings.

Enter your DDNS Hostname (e.g., myhouse.duckdns.org).

Set a VPN Username and Password.

2. Deployment
Click "Generate Server Certificates" (This only needs to be done once).

Click "Export OVPN for Phone".

Transfer the resulting .ovpn file to your mobile device and import it into the OpenVPN Connect app.

3. Maintenance
View Log: Use this to see live connection attempts and server status.

Emergency Stop: Instantly kills the VPN process if needed.

⚠️ Important Requirements
Port Forwarding: You must forward UDP Port 1194 on your home router to the internal IP address of your Kodi device.

Static Internal IP: Ensure your Kodi device (Pi) has a "Reserved IP" in your router settings so it doesn't change.


####ROTATE CERTS####

| Action | What happens? | When to do it? |
| --- | --- | --- |
| Download (.ovpn) | You just export the current file again. The "ID badge" inside stays the same. | When you get a new phone or accidentally deleted the app. |
| Rotate Certs | You destroy the "Master Seal" and create a brand-new one. | If you lose your phone, if you think someone hacked your Wi-Fi, or every few months just for "good hygiene." |

The second you hit "Rotate," the .ovpn file currently sitting on your phone becomes a paperweight. It will try to connect, but the "handshake" will fail because the "secret math" inside the phone's file no longer matches the "secret math" on the Pi.

🔄 The "Rotate" Workflow
If you ever decide to push that button, you have to follow these three steps in order:

Push the Button: The Pi wipes the old keys and generates the "massive encryption" from scratch.

Export New OVPN: You click your "Export" button to create a new file containing the new keys.

Replace on Phone: You delete the old profile in the OpenVPN app on your phone and import the new one.
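Added example (not part of the addon's own code): a small Python check that tells you whether an exported .ovpn file still matches the server after a rotation, and whether it uses the UDP port 1194 and AES-256-GCM settings described above. It assumes the exported profile embeds the CA certificate in a standard OpenVPN inline `<ca>` block; the function names are hypothetical and the certificates are constructed stand-ins, not real ones.

```python
import base64
import hashlib
import re

def inline_block(profile, tag):
    """Body of an inline <tag>...</tag> block, or None if absent."""
    m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", profile, re.S)
    return m.group(1) if m else None

def pem_fingerprint(pem):
    """SHA-256 over the decoded bytes of a PEM block."""
    lines = (l.strip() for l in pem.splitlines())
    body = "".join(l for l in lines if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def audit_profile(profile, current_ca_pem):
    """Return findings; an empty list means the profile matches the server."""
    directives = re.sub(r"<([\w-]+)>.*?</\1>", "", profile, flags=re.S)
    opts = {}
    for parts in (line.split() for line in directives.splitlines()):
        if parts and not parts[0].startswith(("#", ";")):
            opts.setdefault(parts[0], parts[1:])
    findings = []
    ca = inline_block(profile, "ca")
    if ca is None:
        findings.append("no inline <ca> block")
    elif pem_fingerprint(ca) != pem_fingerprint(current_ca_pem):
        findings.append("stale CA: profile predates the last rotation")
    if opts.get("remote", [])[1:2] != ["1194"]:
        findings.append("remote port is not 1194")
    if not (opts.get("proto") or [""])[0].startswith("udp"):
        findings.append("proto is not udp")
    offered = (opts.get("data-ciphers") or opts.get("cipher") or [""])[0]
    if "AES-256-GCM" not in offered.split(":"):
        findings.append("AES-256-GCM not offered")
    return findings

def constructed_pem(seed):
    """Constructed stand-in for a CA certificate, not a real X.509 cert."""
    b64 = base64.b64encode(hashlib.sha256(seed).digest() * 3).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"

# Constructed sample: a profile exported before "Rotate Certs" was pressed.
OLD_CA, NEW_CA = constructed_pem(b"before"), constructed_pem(b"after")
PROFILE = f"client\nremote myhouse.duckdns.org 1194\nproto udp\n" \
          f"cipher AES-256-GCM\n<ca>\n{OLD_CA}\n</ca>\n"

if __name__ == "__main__":
    print(audit_profile(PROFILE, OLD_CA))
    print(audit_profile(PROFILE, NEW_CA))
```

Run against the profile on a device and the CA currently on the Pi, an empty result means the profile is current; a "stale CA" finding means it was exported before the last rotation and must be replaced.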

🧪 Why it's worth it
It sounds like a hassle, but it’s the only way to be 100% sure that old devices or stolen keys can't get into your network.

Standard Setup: If someone steals your phone, they keep your VPN access until you change the password.

Rotation Setup: If someone steals your phone, you click "Rotate" on your Kodi remote at home, and that stolen phone is permanently locked out of your house, even if they know your password.