OpenVPN Server help

Akovia · January 19, 2023 at 7:59 PM

Hi,

I have been reading and tinkering for a couple days off and on and I can't seem to get anything working. I am setting up a NUC for my brother that lives many states away and is a disabled vet that would not be able to manage a kodi system on his own. I would like to be able to ssh into the NUC to manage updates and anything else that's needed remotely.

I have installed the Docker and LinuxServer.io addons, but right off the bat, there is not an openvpn image to download through the addon as is mentioned in the forums. If I go directly to LinuxServer.io, I can see the image there and that it's deprecated. I did find some guides for using the image at hub.docker.com, but the instructions there fail at a couple places. I'm guessing there is something fundamentally different about setting this up on Libreelec, and I think it's a path issue.

While I'm not completely inept, this is my first foray into both Libreelec and OpenVPN, so I find myself getting lost and could really use some help. Would anyone be able to give me some advice on how to get this going? I didn't want to start by posting a wall of text of everything I've tried so far, but happy to do so.

Thanks!

Akovia · January 19, 2023 at 9:01 PM

Just a quick update. I found one of my errors and have now successfully created my ovpn file and copied it to my client machine.

Will I be able to test this connection even though server and client are on the same network behind my router's firewall? I did try to connect already by importing the ovpn file into my kde network manager, but it's asking for a "Key Password". Obviously I have something wrong as I understood that it should not require a p/w at all.

Here are the contents of my ovpn file with keys and ip removed.

Code

client
nobind
dev tun
remote-cert-tls server


remote my.public.ip.address 1194 udp


<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END ENCRYPTED PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>


redirect-gateway def1

Display More

Thanks!

Mario77 · January 19, 2023 at 11:26 PM

The key password is the password you used when you created your ovpn user key on the server..you will need that to connect otherwise anyone with the ovpn file can connect to your server..

**chewitt** · January 20, 2023 at 5:59 AM

Do you really need a VPN? .. Or would SSH key-only auth be sufficient? (which is a one-click toggle in the GUI once you've deployed keys). You can change the sshd_config to move the exposed port to something non-standard; doesn't improve security but does reduce the number of bots that will find the port and attempt to exploit it.

Akovia · January 20, 2023 at 9:54 PM

Everytime I think I'm getting somewhere, I'm not.

Quote from Mario77

The key password is the password you used when you created your ovpn user key on the server..you will need that to connect otherwise anyone with the ovpn file can connect to your server..

I managed to figure that out, but trying to set this up at home on a single network was futile. Thanks though!

Quote from chewitt

Do you really need a VPN? .. Or would SSH key-only auth be sufficient? (which is a one-click toggle in the GUI once you've deployed keys). You can change the sshd_config to move the exposed port to something non-standard; doesn't improve security but does reduce the number of bots that will find the port and attempt to exploit it.

I want super simple, so this sounds more my speed. I thought I saw on these forums that it was recommended to use openvpn for any remote access which is why I was trying this.

Is there a tutorial you recommend?

Mario77 · January 20, 2023 at 11:50 PM

Where are you getting stuck?Did you find an openvpn server addon?

I m using this and it's very easy to setup but its for Rpi's but you can always ask on that thread for any help to get it working on your nuc Open vpn server

Keep in mind that by setting up the server you ll be probably able to access all your brother's home network connected devices not just the nuc..and your connecting device will be like being at your brother s house and assigned the ip from your brother's isp router..

**chewitt** · January 21, 2023 at 2:20 PM

Quote from Akovia

Is there a tutorial you recommend?

Nope. VPN and SSH achieve different things. VPN will give you access to the remote network. SSH will give you access to the remote host. If you only want to admin the remote system SSH is enough and 99% easier to setup than a VPN server. Both expose services to the Internet which creates a risk; but LE is generally using very recent versions of SSH binaries which mitigates the risk of known vulnerabilities. You need to use SSH key auth to expose logins securely else the login process will be targetted with dictionary attacks. Ensure you only expose SSH and not all ports (else SMB and Kodi services are exposed too).

There are a millions of "how to use SSH key authentication" guides .. read a few and you'll see the repetition/process.

Akovia · February 5, 2023 at 6:26 PM

Hi again,

I had to abandon this project for a while and didn't want to respond until I had a chance to set this up and try it.

So I already had my key set up and use it already to sign in. When I tried to turn off password login, I found that I can't write to the \etc\ssh\sshd_config file as it's read-only. If I've read correctly, I cloned that file to ~/.ssh/config and made 3 adjustments.

Code

Port xxxx
PasswordAuthentication no
ChallengeResponseAuthentication no

As you may have guessed, I no longer have access as it appears you can not change the default port. I read that it's good practice to not use the default port, so I never thought I wouldn't be able to do so. I also have the firewall turned off, so I didn't think it would be an issue.

I'm assuming this is the issue at least. All attempts to ssh in is greeted with "connection refused"

I can't seem to find a way back in and wondered if someone could help me without having to lose all of the settings I've configured so far.

Thanks!

Akovia · February 5, 2023 at 9:25 PM

I managed to get it sorted using a live usb.

It wasn't the port after all as I forgot to uncomment the line anyway.

It was the "ChallengeResponseAuthentication no" option which I turned off. Hopefully I can do a real test across the internet soon.

Thanks for all the help!

elonesna · February 5, 2023 at 10:22 PM

Akovia:

Do like me, every day at four in the morning I make an automatic backup on a remote server, to be able to recover any malfunction of the device.

Mario77 · February 6, 2023 at 11:04 AM

Quote from Akovia
Hi again,
I had to abandon this project for a while and didn't want to respond until I had a chance to set this up and try it.
So I already had my key set up and use it already to sign in. When I tried to turn off password login, I found that I can't write to the \etc\ssh\sshd_config file as it's read-only. If I've read correctly, I cloned that file to ~/.ssh/config and made 3 adjustments.
Code
Port xxxx
PasswordAuthentication no
ChallengeResponseAuthentication no
As you may have guessed, I no longer have access as it appears you can not change the default port. I read that it's good practice to not use the default port, so I never thought I wouldn't be able to do so. I also have the firewall turned off, so I didn't think it would be an issue.
I'm assuming this is the issue at least. All attempts to ssh in is greeted with "connection refused"
I can't seem to find a way back in and wondered if someone could help me without having to lose all of the settings I've configured so far.
Thanks!
Display More

Not sure what you'r trying to do but you don't really need to change any ports from your OS..

You change the ports when you forward them to the outside world trough your router.

**chewitt** · February 6, 2023 at 1:12 PM

SSH can run on multiple ports at the same time so the 'safe' way to experiment is to configure the additional port first (leaving 22 active) and then restart the service. If you can now connect on the new port, you can make an additional change to remove port 22.

Akovia · February 6, 2023 at 3:42 PM

I'll just leave it on 22. Was just trying to follow advice to make it more secure, but I just need it to work and keep it as simple as possible without being too insecure. The fact that it's now key only should mitigate most security holes I would think.

Now that I have this sorted, I can no longer see files in some of the media source folders out of nowhere. Will start a new thread.

This has turned into a nightmare. *sigh*