Tutorial - Secure your home automation - VPN - What is it? How do I use it?

I have been looking at the Tailscale configuration tutorial created by @BartButenaers, and also previously configured Cloudflare Zero Trust to work on my devices/network with the encouragement of @TotallyInformation. Cloudflare ZT worked well until my main laptop needed rebuilding. Unfortunately, I never did get ZT to work again! This was down to me, I feel: I understand what I am trying to configure, but I am not quite competent enough to completely understand the steps.

I decided that I needed a system that did not rely on any third parties, with the possibility of changes in their configuration causing problems with any existing configuration of mine, or of disruptions to service. Something was needed that was under my control, that I completely understood how it worked, and that was reliable and secure. This is my attempt at a simple solution. It works fine for me, and I know from experience it is reliable and secure: I used to use it to remotely troubleshoot machines and to permanently connect my local network with my Business Partner's network in Scotland for development and loading software onto machines (not PCs). More specifically, I am comfortable re-configuring should something go wrong!

For those familiar with how a VPN works, jump over the italics.

A VPN (Virtual Private Network) is a secure way of sending and receiving information between your computer, phone, tablet or Router and a VPN Server. It communicates through an encrypted tunnel and enables you to look at, depending on configuration, any Website, Web Application, Network or Computer. Within the tunnel there is bi-directional encrypted data flow between the Client and the Server. The Client can be run on your device, or possibly the Router of any network you are on if supported. The Server could be provided by a third party, or the Router for your home/office network (if supported), or a Server within your home/office network. A VPN can be run using various Protocols such as OpenVPN and WireGuard (both of which I use).

VPN was described to me (a long time ago) as being like taking a journey on a Ferry across the English Channel. On a normal crossing you will see other ferries. If you have a Telescope or pair of Binoculars, you can examine the other ferry in more detail and possibly make out more of what the ferry is carrying. (You could liken this to packets of traffic travelling through the internet with some persons using Software tools to examine what is in each packet of data).

We may already know that the Channel Tunnel between UK and France follows a path similar to the ferry routes. You know the tunnel exists and with specialist tools, you might be able to find the location of the tunnel, and with more advanced equipment, detect that a train is passing through, but you don't know what is on that train, even if you do know exactly where the tunnel is beneath you. To equate this to our Client/Server setup, you may be able to locate the secure tunnel on the Internet, but other than detecting an encrypted packet passing through an encrypted tunnel, you will find it extremely difficult to break all the encryption involved with the VPN. This is a very much simplified explanation, but hopefully, a practical demonstration of how the VPN works.

Basically, a VPN server supplied by a 3rd Party VPN Service will have secure Servers/Exit Points to the Internet (to mask or change your apparent location). If the VPN Server is installed in the Home/Office router or on a device within your Home/Office, it can give access to some, or all, of your internal Network, and may also allow you to access the Internet from your Server location. This all depends upon how the VPN is configured. I will add here that all I want is access to my Home Network. CIDR, IP mapping, or any other configuration to change what devices a VPN allows access to is beyond me!

The configuration of the VPN can involve the opening of ports on Routers to allow the VPN Client and Server to communicate with each other. Some Routers do this automatically when you configure a Tunnel; on others, rules may have to be added on the Router to open the respective Ports. The VPN Server or Client is always behind the IP of the IP connection you are using, whether a Router or Device. All that is required is an IP Address or Domain Name for access to the Server. The communications are secure and effectively behind any point of connection to the Internet where any Let's Encrypt, or other TLS Certificate may be needed. Other than configuring the VPN Client and Server and possibly having to open the Ports, there are no other requirements for configuration or Security.

My configuration gives me access to my Node-RED and Frigate CCTV servers as well as the rest of my Home Network, so I can carry out all tasks on my computers as if at Home. I did not have to open Ports for any of the VPN Clients (taken care of by the local App). On one of my routers (Firebrick 2900) I had to create a rule to open the Ports, whereas on the Teltonika RUTX, the Ports are taken care of by the Configuring of the Client.

Personally, I use a VPN if I am out and about, especially when using a local WiFi Hotspot or Network. With the VPN activated, I will get an encrypted tunnel between my device and the VPN Server, therefore preventing any nefarious people from stealing my information, especially if they are carrying out a 'Man in the Middle' attack. Basically, someone sets up a Computer to intercept any traffic passing through the WiFi/Hotspot before passing it on again to its original destination. You would be oblivious to this happening, and any unencrypted data from your communications can now be examined by them and any sensitive information gleaned, i.e. passwords, PINs etc. HTTPS has made this kind of attack less common now, but the method can still be used to gather data. The same can happen with spoofed Mobile Network Cell towers.

There is a proviso: as with all secure communications, including Tailscale and Cloudflare, you have to trust someone to handle your encrypted traffic. The VPN Server will decrypt the data from your Tunnel and it will appear as normal internet/network traffic from then on. If the VPN Server is provided by a third Party, the decryption takes place at the exit point of your VPN; this will be for a connection to the Internet, and so unencrypted data is handled by your VPN Provider. There is much discussion as to who are the best VPN providers, especially with regard to cost, and cost, to a certain extent, should not be the main driver in choosing a Company. There are plenty of Providers, some trustworthy, some not so trustworthy. Also the jurisdiction of the Provider's servers may affect your choice, so choose carefully!

However, this does not affect you if you are accessing your own Home/Office network from a remote location. For this, you need your own VPN Server installed in or behind the router at whichever IP Address or Domain your network is behind. You can also use, for example, Tailscale or Cloudflare Zero Trust to do the same job.

In my case, I have VPN clients for both OpenVPN and WireGuard available on all of my/our devices that might want to VPN Home. We have a VPN Server installed on the Router we use in our Motorhome configured for both OpenVPN and WireGuard so that we are able to connect our remote location Network with our Home location Network. This configuration allows all devices in the Motorhome to connect to the Router's Network and then, via the Router's VPN Client, the Home Network without enabling VPN on any of the devices. Equally, because each remote device has a VPN Client, they can also connect to Home directly if needed. The reason we have two VPN Clients on each device is 'just in case'; it is insurance. I have also seen examples of use where Tasker has been used to decide when a VPN Client on your device needs to connect or not.

Assuming a level of knowledge that allows you to use the CLI over SSH, let us start with our Office/Home Network VPN Server. I use a Raspberry Pi Zero 2 W, loaded with Raspberry Pi OS Lite (Headless) and SSH enabled.

As a VPN Server, I have discovered PiVPN. This package is easy to install, and the VPN 'Profiles' (each remote device's configuration file) for both OpenVPN and WireGuard Clients are configured using similar simple commands.

Once the RPi is up and running on the Home/Office Network, connection to the RPi is made by SSH, then follow the instructions on the PiVPN website to create a VPN Server which you can then use to create Client Certificates for both OpenVPN and WireGuard. PiVPN can run on any of your Pi servers, but personally I use a server dedicated to supplying the VPN Server endpoint.

When I started with PiVPN, I was thinking too deeply about configuration. It is all simply done by using SSH to the Server and then the CLI to create endpoints for both OpenVPN and WireGuard. These configuration files are required to configure your VPN Clients. Both of these Protocols are free and open-source and are considered to be very secure. (Example generation of a Config File: `pivpn ovpn add` or `pivpn wg add`, then just follow the on-screen instructions.)

On every Phone and Tablet (Android and iOS) I load the Official Apps for OpenVPN and WireGuard. The configuration files created by the server are then used by either uploading the file, or copying details into the Client App on each device. If you do as suggested and create a configuration file for each device, it means that the VPN connection profile can be revoked individually in case of loss or retirement of a device.

When downloading the Apps for your devices, MAKE SURE that you download Official Apps from the Official Site. There are people offering supposedly valid Apps in the various App Stores that are touted to have benefits over the original App, but they may not be what they seem and might possibly steal your data amongst other things!

Be sure you have the correct Client App BEFORE you start using it - links are provided in the text! Protocol details can be seen on each site's web pages if you are interested.

4 Likes
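One thing the post above leaves implicit is which line in a per-device profile decides what the tunnel carries. In a WireGuard client profile (the file `pivpn wg add` hands you) that is `AllowedIPs` under `[Peer]`: listing only the home LAN subnet gives a split tunnel, matching "all I want is access to my Home Network", while `0.0.0.0/0, ::/0` sends everything home, which is what the hotspot/man-in-the-middle use case needs. The script below is an added example, not part of the post or of PiVPN: it audits a profile for the required fields, checks that the keys have the shape of WireGuard keys, and reports which mode the profile is in. The profile it works on is constructed for the demo; its keys are placeholders of the right length, and the subnets, endpoint and DNS address are assumed values, so check your own file rather than this one.

```shell
#!/bin/sh
# Audit a WireGuard client profile of the kind `pivpn wg add` writes out.
# Added example, not PiVPN code. The profile below is CONSTRUCTED for the
# demo: the keys are placeholders with the right shape, not real keys, and
# the addresses, endpoint and DNS server are assumed values.
SAMPLE_CONF=$(cat <<'EOF'
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.6.0.2/24
DNS = 192.168.1.1

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
PresharedKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
Endpoint = vpn.example.net:51820
AllowedIPs = 192.168.1.0/24, 10.6.0.0/24
PersistentKeepalive = 25
EOF
)

# wg_get CONF KEY: print the value of KEY, splitting on the FIRST '=' only
# (base64 keys end in '=', so a naive split would truncate them); empty if absent.
wg_get() {
  printf '%s\n' "$1" | awk -v k="$2" '
    { i = index($0, "="); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) { print val; exit } }'
}

# wg_key_ok KEY: a WireGuard key is 32 bytes of base64, i.e. 43 chars plus '='.
wg_key_ok() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# wg_missing CONF: print how many required fields are absent (0 = complete);
# each missing field name is written to stderr.
wg_missing() {
  n=0
  for k in PrivateKey Address PublicKey Endpoint AllowedIPs; do
    [ -n "$(wg_get "$1" "$k")" ] || { echo "missing: $k" >&2; n=$((n + 1)); }
  done
  echo "$n"
}

# wg_tunnel_mode CONF: 'split' = only the listed home subnets go through the
# tunnel; 'full' = AllowedIPs covers everything, so all traffic (including
# Internet browsing on a hotspot) is routed via the home server.
wg_tunnel_mode() {
  case "$(wg_get "$1" AllowedIPs)" in
    *0.0.0.0/0*|*::/0*) echo full ;;
    *) echo split ;;
  esac
}

# wg_report CONF: human-readable summary; returns 1 if the profile is unusable.
wg_report() {
  conf=$1
  [ "$(wg_missing "$conf")" = 0 ] || return 1
  for k in PrivateKey PublicKey PresharedKey; do
    v=$(wg_get "$conf" "$k")
    [ -z "$v" ] && continue            # PresharedKey is optional
    wg_key_ok "$v" || { echo "$k is not a valid WireGuard key"; return 1; }
  done
  echo "endpoint : $(wg_get "$conf" Endpoint)"
  echo "tunnel   : $(wg_tunnel_mode "$conf") (AllowedIPs = $(wg_get "$conf" AllowedIPs))"
  ka=$(wg_get "$conf" PersistentKeepalive)
  [ -n "$ka" ] && echo "keepalive: ${ka}s" \
    || echo "keepalive: none (a client behind NAT may go silent until it sends)"
  return 0
}

wg_report "$SAMPLE_CONF"
```

Run it against a real profile with `wg_report "$(cat device.conf)"` after sourcing the file. Because each device has its own profile, the `[Peer]` entry for that device's public key is also what you remove on the server to revoke a lost device.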

Thanks @mudwalker :star_struck: for all the free time that you have spent answering my question:

Imho it would be useful if you would explain in a public discussion how you use openvpn and wireguard

2 Likes

Hi @mudwalker
I am still interested in your setup. I am very pleased with my Tailscale setup, but not sure I will ever be able to explain to the wife and kids how it works. In order to allow them to maintain it, in case I wouldn't be on this planet anymore...

But then the setup needs to be less complex compared to Tailscale AND offer me all the features that I minimally need....

One of my major headaches about this is how I can have HTTPS with LetsEncrypt certificates for all my web apps (Node-RED, Letsencrypt,...) in an easy way within my LAN.

I was wondering if I can perhaps buy a router that:

  1. Has an OpenVPN server
  2. Has a DNS server so that I can assign hostnames to all devices in my LAN
  3. Can request/renew LetsEncrypt certificates for all these hosts. E.g. a single wildcard certificate that can somehow be used for all hostnames.

My knowledge of this kind of stuff is too limited ...

So all ideas are welcome from people with more knowledge and creativity.

The "easy" ways are still not easy to explain to non-tech folk I'm afraid. You can, at least, register wild-card, multi-domain certificates. While that is not perfect from a security perspective, it certainly makes them easier to manage. Personally, I keep the LE cert updates as a separate process to everything else as I find that using other tools with built-in updaters ultimately confusing and restrictive. I've kept things "simple" from my perspective by just using LE's "Acme" CLI script with CRON to run it just short of the LE certificate expiry period. This process has been rock solid for years now with zero maintenance.

I think various routers have that. Here's what ChatGPT says.

All routers have local DNS I believe. Though some are better than others. I use a Ubiquiti EdgeRouter Lite which has pretty good DNS support. I've used it to set up "hairpin NAT" which lets me use a publicly registered domain (and therefore an LE cert) without letting the traffic leave the LAN.

Not sure how much of my LE config I can share given the sensitivity. As mentioned, I decided to use the acme.sh client as it was recommended by LE at the time and seemed super-simple and bullet-proof. But other clients are available of course.

The acme.sh client is so stable, I no longer even know how it updates - it just does. :grin: It has loads of integration features that I don't bother to use and it can be run on some routers since it is pure shell.

1 Like

The beauty of VPN is that LE certificates are not a MUST for items within your network so that is one headache gone (at least, for me).

Personally, I use WireGuard as first choice and OpenVPN second, the reason being that WireGuard is faster than OpenVPN, or at least it was. But truth be told, I use either. I know that Draytek and Teltonika can have their own OpenVPN and WireGuard servers available in some of their Routers.

I have used OpenWrt on some of my old Routers and it has been solid (Old BT ISP routers - Hub5). Lots of Software packages can be added (opkg packages) which includes VPN Servers. Teltonika and GL.iNet both use OpenWrt with their own I/F added.

For my Internet facing websites, I use ISPConfig3 which operates on their own shared single IP Address. LE is taken care of there by ISPConfig, so again, works great for me. My Teltonika RUTX50 can also have a LE Certificate, just need to sort a good DDNS service.

If I want to have a server-backed website (as opposed to the several static sites where I use Netlify or better still, Cloudflare Pages), I would expose it via Cloudflare Zero Trust. Then I can use all of Cloudflare's protection and their certs, I don't need my own certs at all for that. It is a simple case of running the CF ZT cloudflared client on a server and configuring the route. And no VPN to worry about.

Agreed, I do use Cloudflare as the main DNS for the sites to protect from most attacks. ISPConfig protects the IP itself and has Cloudflare certificates as well as an up to date LE for each domain; it's a pretty comprehensive setup in itself. Indeed, before you recommended Cloudflare it stood on its own for quite a few years.

As for ZT, I get it but don't quite understand it, so when it goes wrong, it causes me much frustration and headaches!

Haha, I do sympathise. There is certainly some terminology to learn. But once set up, it seems to just keep running. And, of course, you do get 50 user identities for free and easy integration to things like federated GitHub logins.

I keep meaning to do a full write-up but I keep running out of time and other priorities get in the way.

1 Like

Yes, indeed. That is a big problem for home automation stuff, since the families mostly consist of those non-tech folk... So the least I try to do is to simplify it as much as possible. And if at the end Tailscale is the 'least complex' solution for me, then it is...

Don't know enough about network stuff. I am just wondering if I can buy some router X, which contains an OpenVPN server, a DNS server and some module to request LetsEncrypt certificates. So that I have a single point (i.e. my router) that I need to maintain:

  1. In my browser I navigate to https://router_hostname/xxx, where xxx is a service (node-red, frigate, ...).
  2. The SSL connection between my browser and my router is setup, based on the LetsEncrypt certificate inside my router (which is automatically renewed by my router).
  3. The router does SSL termination and connects via plain http to the device where service xxx is running, and forwards the request to that device (and port).

No idea whether that is possible, whether I forgot something very critical, whether this is secure, whether this is perhaps more complex for some reason, and so on...

Well I have a series of reasons to work with LetsEncrypt certificates, because a lot of browser features are only accessible when using such certificates (PWA web app, web push notifications, ...)

Do you mean it is not safe to access your internal network via an OpenVPN server on your router, for some reason?

Yes, should be easy enough. As mentioned, I think that an OpenWRT based one would probably do the job.

Just bear in mind that they don't last forever - what happens then? If you aren't around, do the family throw it all away? Some clear design instructions would probably allow someone with tech knowledge to build a new one; your family could outsource that probably fairly easily.

Sure, I'm certain it is. You probably want a router with a reasonable amount of processing power and memory though. Both DNS and TLS can be fairly intensive, especially if also expecting high router throughputs - e.g. 100MB+ Internet, possibly GB LAN.

Well, you are putting all your eggs in the router basket. Probably not totally ideal, but should be more than enough for most home use. If you can automate or at least semi-automate router firmware updates though, that would be useful. You can't afford for the router software to get too far behind new-ish versions.

Personally, I would perhaps prefer to have a couple of devices rather than one. But maybe that's just me. In the same vein, I stopped buying Wi-Fi routers a long time back because the Wi-Fi side of things tends to die after a few years of 24x7 use. So I have separate APs and router, but I also have a separate home server and a separate NAS. Allowing some specialisation without getting too extreme. It's a balancing act.

There is always the danger of a vulnerability, either something in the router or in the VPN service. But more generally, VPNs themselves, as I keep saying, are only ever as secure as the weakest/most vulnerable device on the VPN - typically a laptop or mobile device when it is outside the house.

Any connection inbound through the router/firewall is a vulnerability. Whether that might be a critical risk to you is a whole calculation. You need to think about the value of your home services, the country you live in, the countries you might take your mobile devices to, whether someone might consider you a person of interest, ...

Personally, I don't leave external connections up. I leave them down and only enable them if I really need them on. Most of the time, I don't. I also don't leave any configs installed on my mobile devices - so crossing borders and leaving things in hotel rooms is much less of an issue. I have the means to recreate connections when mobile should I need to.

As Julian has said if you want something that will do it all in a single device then OpenWrt is the simplest way - but then you have ongoing hardware obsolescence - and you being you (and very inquisitive !!) will probably spend a lot of time breaking it and playing around !

Your other all-in-one options are either pfSense or OPNsense - both of which can run on more x86-based hardware and hence can easily be kept up to date hardware-wise.

What size internet pipe do you have at home ?

I run OpenWrt when I travel on a small pocket router for all of our devices and use WireGuard to VPN back into the home network - and run OPNsense on the home system on a Protectli mini PC.

Craig

1 Like

@BartButenaers - as you know, I'm using your Tailscale setup at home, and a couple of weeks ago Vodafone delivered me a replacement router, as the 'old' router (which was only 6 months old!) developed an intermittent WiFi problem.
I switched the router, changed its WiFi login, and was back up working again in 10 minutes!

My point is, that by introducing an OpenVPN router, aren't you adding more pieces to the jigsaw?

1 Like

Depends how paranoid/trusting you are. Any hardware provided as part of a service can probably be “updated” remotely as part of their maintenance, including allowing access to agencies if requested by courts etc. That access can potentially be backdoored by nefarious 3rd parties, so having your own router under your control may be a good thing.

Ok thanks all for the info! Now at least I have something as a starting point.
Will first have a look at OpenWrt then.

@Paul-Reed
But don't get me wrong. I am VERY pleased with my Tailscale setup. It runs VERY well.
If it turns out that Tailscale is simpler to maintain compared to something else, then I will stay using Tailscale obviously. But I will only know that after I had a look at OpenWrt. Now at this moment I don't know...