You can generate one per user - but the key here is that without a cert they cant connect to your VPN Now you have a fully working OpenVPN server its time to generate some client certificates. Verfiy the files are copied ls /etc/openvpnĮxit root mode by pressing ctrl+d and run `sudo service openvpn start`Īll being well you should see Active: active (exited) since…
Generate a Certificate and Key for the Serverīypass the values again - but this time you will be asked for a password - leave this blankġ out of 1 certificate requests certified, commit? Ĭp /etc/openvpn/easy-rsa/keys/ /etc/openvpn Run this command to build the ca - bypass the prompts as you already set the values in vars Run this command to fix the bug with Easy RSA Openssl dhparam -out /etc/openvpn/dh2048.pem 2048 Generate the Server Cert - this takes a very long time (my Pi took 2 hours) Sudo cp -r /usr/share/easy-rsa/ /etc/openvpnĬhange the below to something more relevant to your region export KEY_COUNTRY="US" You can check the status of the ufw with (remember in the future you might need to open another port or change a rule if you want to give access to a service or function. A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE # Allow traffic from OpenVPN client to eth0 Even the Home Assistant port will be blocked until you enable it below.Īllow VPN users to access all internal LAN servicesĬhange DEFAULT_FORWARD_POLICY=“ DROP” to DEFAULT_FORWARD_POLICY=“ ACCEPT”Īdd the following lines after the first set of commented lines
Install and Configure ufw (uncomplicated firewall) once this is installed you will have a firewall running on the Pi for all connections local and remote (if you forward them). Make this change perminant by un-commenting _forward=1
Sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward' Lower OpenVPNs run time auth - Uncomment user nobody and group nogroupĬhange the port OpenVPN runs on it should current by port 1194 - choose something obscure and above 1024 e.g. Prevent DNS leak by overriding the default DNS - Uncomment push “dhcp-option DNS 208.67.222.222” and push "dhcp-option DNS 208.67.220.220" Increase key security by Finding dh and makesure it reads dh dh2048.pemĪllow web traffic pass though to client by uncommenting push “redirect-gateway def1 bypass-dhcp” by removing the semi colon at the start of the line Sudo gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/ > /home/pi/nf Sudo apt-get install openvpn unzip easy-rsa Home assistant should now be running on your Pi. Sudo nano /etc/systemd/system/ ĮxecStart=/home/pi/homeassistant/bin/hass -c "/home/pi/.homeassistant" Then configure it to auto-start using the following
You’ll need to run Home assistant at least once to create you a default config directory under /home/pi/.homeassistant Once Logged in run the following and follow the promptsįollow the install part of this guide to install Home Assistant Install Home Assistant as a Python Virtual Environment
Run the following commands to ensure the pi is up-to-dateĮnable SSH - to manage the Pi from the PC its best to install SSHįind the Pi’s local ip address by running ifconfig - its best at this stage to setup a DHCP reservation for the Pi in your router - so it get assigned the same local IP Login with user pi and password raspberry
RASPBIAN STRETCH LITE zip image file and use Etcher to write to your SD cardīoot your Pi (your going to need a monitor and a keyboard) I’m doing this on a Raspberry Pi 3 from scratch - you could probably do this from any bit of hardware that can run Debian or Ubuntu. I did orginally put together a generic guide Guide : OpenVPN Access to Home Assistant - but I wanted to try and do this from scratch using a RaspberryPi 3 Raspbian image and HA as a virtual machine and see what steps were needed so I could share them here.