PIVPN is now maintained again

Title says it all really.

http://www.pivpn.io/

That's excellent, I haven't used it, I did mine by hand, but if I had to do another one that is the way I would go. Assuming it works as documented then it is vastly less work than DIY. On the first one I think I would want to look at the config files though, to make sure I was happy with the setup.

I'll bite.....

I am wanting to install a VPN on one of my RPIs.
As it is, it is running Stretch.

Raspberry Pi 2 Model B Rev 1.1

PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"

I want to be "away from home" and have said machine on.
Be able to connect to it from "outside" and access my network.

A few VPN programs were going to install an entire O/S on the SD card.
That isn't going to happen.

I need the machine as is, but with a VPN on top of it.
Not: a VPN machine which I then have to re-build to where it is now with NR, etc.

Since you posted here, I would like to check what this one does and how it installs.
(Is it a VPN I want? I am still learning all the TLA that exist and their subtle differences.)
TLA - Three Letter Acronym.

Just follow the link I posted, everything is explained there!

Yes it is a VPN and installs OpenVPN - pretty much the industry standard

Yes using a VPN is probably the most secure method (and the easiest to understand)

Think of it as if you are creating an encrypted tunnel across the internet that only you are allowed access to.

You will need to install a VPN client on whatever device it is that you wish to use to access your home system.

By using a VPN you can give access to (if you wish) your whole home network by just allowing a single open port at your firewall.

Thanks Craig.

So I am still confused as to "getting it working":
I have a working RPI with a whole lot of stuff on it that I want to keep status quo.

But I want to make this machine the front end for accessing my network from outside.

I do not want to (as I have found) get a VPN install which will wipe and re-install a whole new "O/S" on said machine.

I want it to simply install the VPN part.

Luckily this entire thing is low priority, but I feel that one day I will have to do it, so I am still not rushing into anything.

Did you have a look at the link to PIVPN I posted?

Yes, I have.

Just read through it again now. (Or tried to.)

I have tried (downloaded) many different VPN programs for the RPI and when I run them they say (as I see it) that they will wipe the installation I have and install VPN. Operative word there wipe.

Having to read War and Peace to determine if this is the case is (to me) not desired.
A simple "This installs onto an existing install" would be clearer for me than all those words I am seeing.

I shall have to find time to get a spare SD card, back up the one I have and try it. That way if it does wipe the card, I have my working copy.

Alas all that requires time which just now I can't allocate to that thing.

I know that may sound petty, but we all deal with things our own way, and I am calling it as best I see it.

I am still waist deep in projects on NR which need attention and time which are higher priority than this - at this point in time.

Thanks.

I strongly advise taking an occasional image backup of any 'production' Pis. Then you can reasonably easily restore it if you mess it up completely, or restore onto another card in the case the one you are using goes AWOL.

Practically the first thing it says on that link is that you need to first install Raspbian on the Pi, then run the install script to set up OpenVPN on it. It will not wipe your existing system, however there is always the chance of things going wrong which is why you should have an image backup first. If you make a copy of your working system onto another card then you can install OpenVPN on that one and then you just have to plug the original back in if it goes horribly wrong. However I suggest that you first make sure that you understand what a VPN is, how to install a VPN client on whatever device you want to connect remotely from and so on. If you don't understand at least the principles of what you are doing then it is doomed to failure.

2 Likes

Just a reminder to people that the use of a VPN from a client device to a remote network can create a secure link but it does extend your network to the client device - which means that any insecurities on the client device may compromise your network.

In other words, using a VPN from a laptop from a hotel room in Russia (or many other locations) is asking for trouble! (Don't ever leave a laptop unattended in your room in such a location if you ever want to trust it again).

3 Likes

Provided one has a strong password on the VPN connection key (or whatever the right terminology is) it should not be a big danger should it?

He means that the physical device can easily be compromised if you leave the room. On a Windows laptop it takes about 10 minutes to boot one with a USB key, change the admin password (and store the old one), log in to the machine - do whatever you want, then set the password back to what it was and the owner is none the wiser.

Craig

2 Likes

You can of course disable USB boot.

Yep and 99.99% of people do not and would not know how

Plus there are ways around that - reset the BIOS to defaults etc

Craig

1 Like

You are right of course, but anyone travelling to a foreign country with a laptop that has access to sensitive information through a VPN would belong to someone who was a bit savvy to the danger.

The point was specifically about the VPN and the ability to get into one's home network using it. I was asking whether, provided the VPN has a strong password, does that still pose a security risk.

It is a danger I'm afraid. While the strong password protects the startup of the link, the device you run the VPN becomes a potential weak-point. So if you get malware on the device that allows remote access, potentially attackers then also have access to your remote network.

Not saying that this is very likely, it isn't. Just saying that it is possible and the more mobile you are, the more likely it is - hotels and public networks, in certain countries particularly - are rife with such compromises.

Corporate VPNs somewhat mitigate this by forcing closed all other network connections - all traffic has to go via the VPN. A lot of the VPN connections used for purposes like this however don't do that, instead only driving certain traffic down the VPN and leaving everything else going via the normal connection.

Anyway, the point is that while VPNs have their uses, they are not a magic bullet. If you are doing commercial work, you need to be aware of these issues as you might end up liable for damages. For home automation, the impact is likely to be less of course.

Of course, my other point that you quoted was that if you leave a laptop in a hotel room in some countries, you can pretty well guarantee that it will be compromised, particularly if you are travelling on business.

I wish that were true but that is the reason I started us down this rabbit hole to begin with - many people believe that VPNs are some magic security bullet and they are most certainly not.

I've even seen someone who was specifically informed by the FCO not to take corporate devices (with lots of protection installed) on a foreign business trip, he ignored that direct advice, was stopped on return and his PC was riddled with spyware.

2 Likes
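The difference described in the reply above, between a VPN that forces all traffic down the tunnel and one that only routes certain traffic, shows up in OpenVPN as the `redirect-gateway` and `route` directives. As an added example that is not part of the original thread, this checker classifies a server/client config pair; the sample configs, host name and subnet are constructed, and nothing here reflects what PiVPN itself writes.

```python
import shlex

def directives(conf_text):
    """Yield each OpenVPN directive as a token list, skipping blanks and comments."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            tokens = shlex.split(line, comments=True)
            if tokens:
                yield tokens

def tunnel_mode(server_conf, client_conf):
    """Return 'full' if the client's default route goes via the VPN, else 'split'."""
    # Options the server pushes to clients, e.g. push "redirect-gateway def1"
    pushed = [shlex.split(d[1]) for d in directives(server_conf)
              if d[0] == "push" and len(d) > 1]
    client = list(directives(client_conf))
    # The client can refuse pushed routing with route-nopull or a pull-filter
    ignores_pushed = any(d[0] == "route-nopull" for d in client) or any(
        d[0] == "pull-filter" and d[1:3] == ["ignore", "redirect-gateway"]
        for d in client)
    local_full = any(d[0] == "redirect-gateway" for d in client)
    pushed_full = any(p and p[0] == "redirect-gateway" for p in pushed)
    if local_full or (pushed_full and not ignores_pushed):
        return "full"
    return "split"

# Constructed sample configs (not taken from any real installation)
FULL_SERVER = '''
port 1194
push "redirect-gateway def1"
'''
SPLIT_SERVER = '''
port 1194
;push "redirect-gateway def1"
push "route 192.168.1.0 255.255.255.0"
'''
PLAIN_CLIENT = "client\nremote vpn.example.net 1194\n"
NOPULL_CLIENT = PLAIN_CLIENT + "route-nopull\nroute 192.168.1.0 255.255.255.0\n"

if __name__ == "__main__":
    for name, srv, cli in [("full server, plain client", FULL_SERVER, PLAIN_CLIENT),
                           ("split server, plain client", SPLIT_SERVER, PLAIN_CLIENT),
                           ("full server, nopull client", FULL_SERVER, NOPULL_CLIENT)]:
        print(f"{name}: {tunnel_mode(srv, cli)}")
```

A "split" result means the remote device keeps its ordinary internet path alongside the tunnel, which is the arrangement the reply warns about.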

I stand corrected Julian. The real danger is always the weakest link - people :)

3 Likes