Help me set up VPN for remote playback w/ iPeng etc



808htfan
2015-01-01, 22:02
I've just setup my router, LMS, and iPeng for playback from outside my network. I'm forwarding ports on my router and only managed to setup user/password for security. For that reason I don't actually use it much, I only turn on the forwarding when I head over to a friend's house, etc., where I know I'll probably use it.

I'd like to setup VPN but have no experience doing so.
I have an Asus router running a Shibby build of Tomato firmware. In the VPN Tunneling section there are OpenVPN Server, OpenVPN Client, PPTP Server, PPTP Client, PPTP Online options. Which do I setup if any, and how? Can anyone help me, or point me to a guide? Also, what do I need to do on the iOS/Android device?

Thanks!

philippe_44
2015-01-02, 00:33
I've just setup my router, LMS, and iPeng for playback from outside my network. I'm forwarding ports on my router and only managed to setup user/password for security. For that reason I don't actually use it much, I only turn on the forwarding when I head over to a friend's house, etc., where I know I'll probably use it.

I'd like to setup VPN but have no experience doing so.
I have an Asus router running a Shibby build of Tomato firmware. In the VPN Tunneling section there are OpenVPN Server, OpenVPN Client, PPTP Server, PPTP Client, PPTP Online options. Which do I setup if any, and how? Can anyone help me, or point me to a guide? Also, what do I need to do on the iOS/Android device?

Thanks!

PPTP is straightforward, not the best in terms of security. In iOS devices, this is just a VPN connection to be installed. You need to have port 1723 (I think) opened for PPTP and set username/password accordingly on your server. In iPeng, I had to manually set the address of LMS

I also have an OpenVPN installed (1194 I think), with a self-signed certificate that I also installed on my iPhone - It gave the possibility to setup the tunnel on demand. It was a much more complicated setup I had to do and I have notes somewhere if you are interested. Had to create certificates and install them with an Apple tool named "iphone config utility" - it was at the time of iOS 6 ... so might be outdated and much simpler options might exist today. I also had issues with a problem named triangle routing because my VPN server was not my default gateway, which I understood is not the case for you. Maybe somebody with a fresher experience will tell you, or I can dig out for my notes

PS: I do not know this router nor the firmware in it. If it is VPN servers (seems to be according to google), this is easy, otherwise, it might just be passthroughs in which case you need to have a real server somewhere

d6jg
2015-01-02, 03:40
I don't know that router either but it sounds like you want the settings under PPTP Server. You should just switch it on and create a user and password. Then on iPhone set up accordingly. You can switch it on and off on iPhone as required.
A warning though. In my experience a client to server VPN adds a lot of overhead and the resultant streaming may be choppy. It depends on the kit.

808htfan
2015-01-02, 19:18
Thanks for the replies, I'll see if I can get PPTP going then.

If setting up PPTP Server, or OpenVPN Server, options in my router that means my router becomes the VPN server? and the iPhone/Android device the client...
Then I see why the streaming may be choppy.

How does this affect Internet traffic to/from devices behind my router?

Thanks


BTW my Asus router model is the RT-N66U.

philippe_44
2015-01-02, 19:45
Thanks for the replies, I'll see if I can get PPTP going then.

If setting up PPTP Server, or OpenVPN Server, options in my router that means my router becomes the VPN server? and the iPhone/Android device the client...
Then I see why the streaming may be choppy.

How does this affect Internet traffic to/from devices behind my router?

Thanks

BTW my Asus router model is the RT-N66U.

I looked quickly at the Tomato firmware and it seems that it can be a VPN server (not only pass-through). So, yes your router will become the VPN server. From the "outside", a PPTP request on port 1723 will, after negotiation, assign a private IP address to the client(s) and then perform routing between your client(s) and your internal network. It does not affect the traffic of your devices behind your router, the router performs all routing as usual + makes your client(s) reachable - in other words, if your home is 192.168.1.x and you assign addresses in 192.168.10.x range to the client(s), then when the devices behind your router send packets to a 192.168.10.x device, they will send them to your router who is still your default gateway and your router will then forward these to the client(s). This is a very simple setup, nothing complicated, not a lan-to-lan VPN, just client-to-lan.
For your usage, the only limitation with PPTP (beyond security considerations) is that, when you are outside, some firewall might block PPTP traffic so you'll not be able to establish the tunnel and reach your home network, hence sometimes it is preferable to use OpenVPN that can build over port 443 that is never blocked

808htfan
2015-01-02, 20:46
Thank you for the explanation.

I guess I will start with PPTP, I'd also like to learn how to use OpenVPN.

Regarding OpenVPN and Tomato, I found this http://www.serverwatch.com/tutorials/article.php/3922956/Setting-Up-a-VPN-Server-on-a-Tomato-Router-Part-1.htm, though it's dated 2011. Somewhere for me to start...

808htfan
2015-01-03, 18:04
Thank you for the explanation.

I guess I will start with PPTP, I'd also like to learn how to use OpenVPN.

Regarding OpenVPN and Tomato, I found this http://www.serverwatch.com/tutorials/article.php/3922956/Setting-Up-a-VPN-Server-on-a-Tomato-Router-Part-1.htm, though it's dated 2011. Somewhere for me to start...

I also found this, http://dev.mensfeld.pl/2014/07/setting-up-a-vpn-server-on-a-tomato-router-wrt54gl/

I've downloaded OpenVPN for Win here http://openvpn.net/index.php/open-source/downloads.html, and the easyrsa zip from here https://github.com/OpenVPN/easy-rsa
EDIT: I needed to download the Windows version of EasyRSA v3.0.0-rc2 zip from https://github.com/OpenVPN/easy-rsa/releases instead

I think I can manage generating the certificates as shown in one/both of the guides. As for the iOS device, I don't see an OpenVPN section in Settings-->General-->VPN. It's an old iPhone 3GS a friend gave me to use as a wifi only device, so it's stuck on iOS 6. Do I need to put something like the OpenVPN Connect app https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8 on it?

Also, the guide suggests I change the subnet from 192.168.1.1 to something else because of potential conflicts. Does that matter if I'm only connecting a few clients from the outside to my router?

Thanks!

callesoroe
2015-01-04, 05:07
I've just setup my router, LMS, and iPeng for playback from outside my network. I'm forwarding ports on my router and only managed to setup user/password for security. For that reason I don't actually use it much, I only turn on the forwarding when I head over to a friend's house, etc., where I know I'll probably use it.

I'd like to setup VPN but have no experience doing so.
I have an Asus router running a Shibby build of Tomato firmware. In the VPN Tunneling section there are OpenVPN Server, OpenVPN Client, PPTP Server, PPTP Client, PPTP Online options. Which do I setup if any, and how? Can anyone help me, or point me to a guide? Also, what do I need to do on the iOS/Android device?

Thanks!

Hi!

You can also create a dyndns name for your music server. I have done that with great success. Then your router shall forward port 9000 and 3483 TCP/UDP. Put in user/password in LMS . I have created an account on www.dyndns.org.
Was free earlier but costs a small amount now for a year. Then you can access your music everywhere by putting in your dyndns name as a servername xxxxxxxxxx.dyndns.org:9000 . You can set this up in iPeng and Squeezeplayer too.
I enjoy this very much when travelling in train to work every day, and I also have a little iPod dock on my desk, that can play my music from home. A very nice solution.

get.amped
2015-01-04, 06:42
Also, the guide suggests I change the subnet from 192.168.1.1 to something else because of potential conflicts. Does that matter if I'm only connecting a few clients from the outside to my router?

Thanks!

This is a good recommendation. You will likely experience IP conflicts if the remote LAN also uses 192.168.1.x addressing (the default for many consumer broadband routers). It's a one-time change that will cause a small disruption when you do it but will be worth it in the long run.

epoch1970
2015-01-04, 07:22
I also found this, http://dev.mensfeld.pl/2014/07/setting-up-a-vpn-server-on-a-tomato-router-wrt54gl/

I've downloaded OpenVPN for Win here http://openvpn.net/index.php/open-source/downloads.html, and the easyrsa zip from here https://github.com/OpenVPN/easy-rsa

I think I can manage generating the certificates as shown in one/both of the guides. As for the iOS device, I don't see an OpenVPN section in Settings-->General-->VPN. It's an old iPhone 3GS a friend gave me to use as a wifi only device, so it's stuck on iOS 6. Do I need to put something like the OpenVPN Connect app https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8 on it?

Also, the guide suggests I change the subnet from 192.168.1.1 to something else because of potential conflicts. Does that matter if I'm only connecting a few clients from the outside to my router?

Thanks!
- I've quickly gone through the dev.mensfeld.pl guide, it seems to the point; I'd use that, esp. if you are using Tomato as your VPN server.
- I've always setup openvpn in a private environment, with a laptop -with personal firewall OFF- as test client, before going all out with the server listening to the WAN port, using certs and all. Not sure Tomato would let you define simplistic tunnel setups (like trying to hop from a home wireless network to a separate home wired network, with no cypher and simple password security), but I'd recommend to tackle the problem as gradually as possible.
(Be warned that if the OpenVPN server listens to the WAN, you should test with a client using an outside address, as one obtained from a public wifi hotspot. If the client comes from a private address within your own network you might enter the router 'hairpinning' issue.)
- Use easy-rsa (or any GUI helper using it) to generate certs when you go for certificate-based authentication. You can generate credentials on any machine and move them to the target machines afterwards. What target machines/applications will be fussy about is the format of the files (pkcs12, PEM ...)
- The openvpn app seems to work on iOS 6.1 onwards; My ipad never leaves home and my iPhone still runs iOS 5, so I've never used it... However: i. you need this app for sure on your iOS devices if you want to use them as OpenVPN clients, ii. your first client would rather be a laptop, debugging will be much easier.

About the 192.168.1.x network: what these guides say is that 192.168.1.0/24 is the most common private network. So, if you're on a wifi hotspot with a 192.168.1.123 LAN address, connect to your OpenVPN server and it tries to serve you with a 192.168.1.56 address because your own network is on 192.168.1.x too, the client will get confused. Moving to 192.168.2.x is a trick supposed to mitigate the issue.
I'm sure 192.168.2.x is quite commonly used too. I'd rather recommend moving up to 192.168.255.0/24 (the .255 part of the quad strikes fear in some admins, as it looks like a broadcast address), or better to a -possibly subnetted if you're brave- "class-B" private network, like 172.[16 to 31].0.0/16. The "class-A" private network 10.0.0.0/8 is also commonly used but again if you use a subnet like 10.255.255.0/24 I doubt you'll find many conflicting configurations in the outside world.
(and since you only seek access to your LMS server, in case you don't want to renumber your home network, you could also run an openvpn client on the LMS server too, and let OpenVPN manage its own network, eg 192.168.255.0/24. AFAIK if LMS runs on a machine with multiple interfaces it will listen to all by default. Just make sure the OpenVPN client on the server has setup its interface before LMS starts up.)

I hope this helps and is clear enough. OpenVPN is a fantastic piece of software well worth some initial investment.
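
The address-overlap problem described in the post above, as an added example that is not part of the original thread: it checks a home LAN and a VPN subnet against the networks a remote client might be attached to, and picks a free /24 from the top of a private range. The remote addresses in the sample list are constructed values and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: addresses a client might receive on various remote
# networks (consumer router defaults, phone hotspots). Not measured data.
COMMON_REMOTE = [
    "192.168.0.10/24",
    "192.168.1.123/24",   # the hotspot case described in the post
    "192.168.2.20/24",
    "10.0.0.15/24",
    "192.168.43.17/24",
    "172.20.10.2/28",
]


def network_of(addr):
    """Accept '192.168.1.123/24' or '192.168.1.0/24' and return the network."""
    return ipaddress.ip_interface(addr).network


def conflicts(own, remote_addrs):
    """List (label, own_net, remote_net) for every overlap.

    own maps a label ('home LAN', 'VPN') to a network in CIDR form.
    An overlap means the client cannot tell a remote address behind the
    tunnel from a local one on the network it is attached to.
    """
    found = []
    for label, cidr in own.items():
        net = ipaddress.ip_network(cidr)
        for addr in remote_addrs:
            remote = network_of(addr)
            if net.overlaps(remote):
                found.append((label, str(net), str(remote)))
    return found


def suggest(pool, avoid, prefix=24):
    """Return the highest /prefix subnet of pool that overlaps nothing in avoid."""
    avoid_nets = [network_of(a) for a in avoid]
    candidates = list(ipaddress.ip_network(pool).subnets(new_prefix=prefix))
    for cand in reversed(candidates):
        if not any(cand.overlaps(a) for a in avoid_nets):
            return str(cand)
    return None


if __name__ == "__main__":
    plan = {"home LAN": "192.168.1.0/24", "VPN": "10.8.0.0/24"}
    for label, mine, theirs in conflicts(plan, COMMON_REMOTE):
        print(f"{label} {mine} overlaps remote network {theirs}")
    print("free /24 in 192.168.0.0/16:", suggest("192.168.0.0/16", COMMON_REMOTE))
    print("free /24 in 172.16.0.0/12:", suggest("172.16.0.0/12", COMMON_REMOTE))
```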

808htfan
2015-01-04, 20:10
Hi!

You can also create a dyndns name for your music server. I have done that with great success. Then your router shall forward port 9000 and 3483 TCP/UDP. Put in user/password in LMS . I have created an account on www.dyndns.org.
Was free earlier but costs a small amount now for a year. Then you can access your music everywhere by putting in your dyndns name as a servername xxxxxxxxxx.dyndns.org:9000 . You can set this up in iPeng and Squeezeplayer too.
I enjoy this very much when travelling in train to work every day, and I also have a little iPod dock on my desk, that can play my music from home. A very nice solution.

I didn't mention it, but I have setup ddns with no-ip.com. I've setup user/password in LMS also, but wanted to try VPN for better security. Also, just wanted to learn about VPN use.


This is a good recommendation. You will likely experience IP conflicts if the remote LAN also uses 192.168.1.x addressing (the default for many consumer broadband routers). It's a one-time change that will cause a small disruption when you do it but will be worth it in the long run.


- I've quickly gone through the dev.mensfeld.pl guide, it seems to the point; I'd use that, esp. if you are using Tomato as your VPN server.
- I've always setup openvpn in a private environment, with a laptop -with personal firewall OFF- as test client, before going all out with the server listening to the WAN port, using certs and all. Not sure Tomato would let you define simplistic tunnel setups (like trying to hop from a home wireless network to a separate home wired network, with no cypher and simple password security), but I'd recommend to tackle the problem as gradually as possible.
(Be warned that if the OpenVPN server listens to the WAN, you should test with a client using an outside address, as one obtained from a public wifi hotspot. If the client comes from a private address within your own network you might enter the router 'hairpinning' issue.)
- Use easy-rsa (or any GUI helper using it) to generate certs when you go for certificate-based authentication. You can generate credentials on any machine and move them to the target machines afterwards. What target machines/applications will be fussy about is the format of the files (pkcs12, PEM ...)
- The openvpn app seems to work on iOS 6.1 onwards; My ipad never leaves home and my iPhone still runs iOS 5, so I've never used it... However: i. you need this app for sure on your iOS devices if you want to use them as OpenVPN clients, ii. your first client would rather be a laptop, debugging will be much easier.

About the 192.168.1.x network: what these guides say is that 192.168.1.0/24 is the most common private network. So, if you're on a wifi hotspot with a 192.168.1.123 LAN address, connect to your OpenVPN server and it tries to serve you with a 192.168.1.56 address because your own network is on 192.168.1.x too, the client will get confused. Moving to 192.168.2.x is a trick supposed to mitigate the issue.
I'm sure 192.168.2.x is quite commonly used too. I'd rather recommend moving up to 192.168.255.0/24 (the .255 part of the quad strikes fear in some admins, as it looks like a broadcast address), or better to a -possibly subnetted if you're brave- "class-B" private network, like 172.[16 to 31].0.0/16. The "class-A" private network 10.0.0.0/8 is also commonly used but again if you use a subnet like 10.255.255.0/24 I doubt you'll find many conflicting configurations in the outside world.
(and since you only seek access to your LMS server, in case you don't want to renumber your home network, you could also run an openvpn client on the LMS server too, and let OpenVPN manage its own network, eg 192.168.255.0/24. AFAIK if LMS runs on a machine with multiple interfaces it will listen to all by default. Just make sure the OpenVPN client on the server has setup its interface before LMS starts up.)

I hope this helps and is clear enough. OpenVPN is a fantastic piece of software well worth some initial investment.

Thanks for the additional info!
I will get started shortly.

808htfan
2015-01-20, 01:08
- I've quickly gone through the dev.mensfeld.pl guide, it seems to the point; I'd use that, esp. if you are using Tomato as your VPN server.
- I've always setup openvpn in a private environment, with a laptop -with personal firewall OFF- as test client, before going all out with the server listening to the WAN port, using certs and all. Not sure Tomato would let you define simplistic tunnel setups (like trying to hop from a home wireless network to a separate home wired network, with no cypher and simple password security), but I'd recommend to tackle the problem as gradually as possible.
(Be warned that if the OpenVPN server listens to the WAN, you should test with a client using an outside address, as one obtained from a public wifi hotspot. If the client comes from a private address within your own network you might enter the router 'hairpinning' issue.)
- Use easy-rsa (or any GUI helper using it) to generate certs when you go for certificate-based authentication. You can generate credentials on any machine and move them to the target machines afterwards. What target machines/applications will be fussy about is the format of the files (pkcs12, PEM ...)
- The openvpn app seems to work on iOS 6.1 onwards; My ipad never leaves home and my iPhone still runs iOS 5, so I've never used it... However: i. you need this app for sure on your iOS devices if you want to use them as OpenVPN clients, ii. your first client would rather be a laptop, debugging will be much easier.

I think I've managed to get things working with OpenVPN.

One thing that took the longest time to figure out was that I needed to download the Windows version of EasyRSA v3.0.0-rc2 zip from https://github.com/OpenVPN/easy-rsa/releases, instead of the zip from https://github.com/OpenVPN/easy-rsa. Didn't figure that out until I stumbled on a forum thread somewhere after Googling something.

Also had to check out all the sample config files (not just the client one) included with OpenVPN to get an idea of proper use. The OpenVPN Connect iOS app Help section also pointed out a few things I needed to know: 1) For iOS, Interface type has to be TUN 2) Easiest way for me to include the certs/keys in config is to copy/paste with header/footer, such as <ca></ca>, etc. 3) Save that .ovpn config as UTF-8 or ASCII
Edit: added some tls-auth settings and a static key created with OpenVPN, which it put in its Config folder. There's also a small error in the OpenVPN Connect app's Help section that says to use <tls-auth> </key> header/footer instead of <tls-auth> </tls-auth>.

I configured my router's OpenVPN server this way:

VPN server Configuration>Basic >

Start with WAN : Yes
Interface Type : TUN
Protocol : UDP
Port : 1194
Firewall : Automatic
Authorization Mode : TLS
Extra HMAC-authorization : Disabled, EDIT: changed to Incoming (0)
VPN subnet/netmask : 10.8.0.0/255.255.255.0

VPN Server Configuration>advanced :

Poll Interval : 0
Push LAN to Clients : Yes
Direct clients to redirect internet traffic : Yes
Respond to DNS : Yes
Advertise DNS to clients : Yes
Encryption cipher : AES-256-CBC *EDIT: changed to AES-128-CBC
Compression : Adaptive *EDIT: changed to Disabled
TLS Renegotiation Time : -1
Manage client-specific options : Yes
Allow Client<->Client : Yes


I tested by running the OpenVPN client on my Win7 laptop and connected to router's OpenVPN server by using the router's local IP (192.168.1.x) in the config file. Then used a smartphone setup as a wifi hotspot, connected the iPhone 3GS (I'm using as wifi only device) to said hotspot, then connected to my router's OpenVPN server using the DDNS address I setup with no-ip.com.



About the 192.168.1.x network: what these guides say is that 192.168.1.0/24 is the most common private network. So, if you're on a wifi hotspot with a 192.168.1.123 LAN address, connect to your OpenVPN server and it tries to serve you with a 192.168.1.56 address because your own network is on 192.168.1.x too, the client will get confused. Moving to 192.168.2.x is a trick supposed to mitigate the issue.
I'm sure 192.168.2.x is quite commonly used too. I'd rather recommend moving up to 192.168.255.0/24 (the .255 part of the quad strikes fear in some admins, as it looks like a broadcast address), or better to a -possibly subnetted if you're brave- "class-B" private network, like 172.[16 to 31].0.0/16. The "class-A" private network 10.0.0.0/8 is also commonly used but again if you use a subnet like 10.255.255.0/24 I doubt you'll find many conflicting configurations in the outside world.
(and since you only seek access to your LMS server, in case you don't want to renumber your home network, you could also run an openvpn client on the LMS server too, and let OpenVPN manage its own network, eg 192.168.255.0/24. AFAIK if LMS runs on a machine with multiple interfaces it will listen to all by default. Just make sure the OpenVPN client on the server has setup its interface before LMS starts up.)

I hope this helps and is clear enough. OpenVPN is a fantastic piece of software well worth some initial investment.

I don't know if what I did is the correct way to configure Client-to-Client (all I did was check the box in the router setup) but, setup like that, I could connect to LMS and playback through the iPhone 3GS. I wonder now, will I have that address problem if I connect from somewhere with a similarly numbered network? I did not re-number my network...

Anything I need to correct?

Thanks again!
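
A small checker for a client .ovpn profile against the server settings listed in the post above (an added example, not from the thread or from OpenVPN): it catches a non-TUN interface, an inline block closed with the wrong tag, a file saved as UTF-16, and a key-direction that does not pair with the server's Incoming (0). The host name and key material in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re

# Server-side values taken from the router settings listed in the post.
SERVER = {"proto": "udp", "port": "1194",
          "cipher": "AES-128-CBC", "tls_auth_direction": 0}

TAG = re.compile(r"^<(/?)([A-Za-z0-9-]+)>$")


def parse_profile(text):
    """Split a profile into directives, inline blocks and structural problems."""
    directives, blocks, problems = {}, {}, []
    open_tag = None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = TAG.match(line)
        if open_tag is None:
            if not line or line[0] in "#;":
                continue                      # blank line or comment
            if m and not m.group(1):
                open_tag = m.group(2)         # <ca>, <cert>, <key>, <tls-auth>
                blocks[open_tag] = []
            elif m:
                problems.append(f"line {lineno}: stray </{m.group(2)}>")
            else:
                name, _, value = line.partition(" ")
                directives.setdefault(name, []).append(value.strip())
        elif m and m.group(1):
            if m.group(2) != open_tag:        # e.g. <tls-auth> ... </key>
                problems.append(
                    f"line {lineno}: <{open_tag}> closed by </{m.group(2)}>")
            open_tag = None
        else:
            blocks[open_tag].append(line)
    if open_tag is not None:
        problems.append(f"<{open_tag}> is never closed")
    return directives, blocks, problems


def lint_profile(raw, server=SERVER):
    """Return a list of problems found in the raw bytes of a client profile."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff") or b"\x00" in raw:
        return ["file looks like UTF-16; save it as UTF-8 or ASCII"]
    try:
        text = raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return ["file is not valid UTF-8 or ASCII"]
    directives, blocks, problems = parse_profile(text)

    def first(name):
        return directives.get(name, [""])[0]

    if not first("dev").startswith("tun"):
        problems.append("dev must be tun for the iOS client")
    if first("proto") != server["proto"]:
        problems.append(f"proto should be {server['proto']}")
    remote = first("remote").split()
    if not remote:
        problems.append("no remote directive")
    elif (remote[1] if len(remote) > 1 else "1194") != server["port"]:
        problems.append(f"remote port should be {server['port']}")
    if first("cipher") != server["cipher"]:
        problems.append(f"cipher should be {server['cipher']}")
    for name in ("ca", "cert", "key"):
        if not any("BEGIN" in l for l in blocks.get(name, [])):
            problems.append(f"missing or empty inline <{name}> block")
    if server["tls_auth_direction"] is not None:
        want = str(1 - server["tls_auth_direction"])  # the two ends use 0 and 1
        if "tls-auth" not in blocks:
            problems.append("server uses tls-auth but profile has no <tls-auth>")
        if first("key-direction") != want:
            problems.append(f"key-direction should be {want}")
    return problems


def sample_profile(dev="tun", tls_close="</tls-auth>", key_direction="1"):
    """Constructed profile; host name and key material are placeholders."""
    pem = ["-----BEGIN PLACEHOLDER-----", "(not real key material)",
           "-----END PLACEHOLDER-----"]
    lines = ["client", f"dev {dev}", "proto udp",
             "remote myhome.example.net 1194", "cipher AES-128-CBC",
             f"key-direction {key_direction}"]
    for name in ("ca", "cert", "key"):
        lines += [f"<{name}>", *pem, f"</{name}>"]
    lines += ["<tls-auth>", *pem, tls_close]
    return ("\n".join(lines) + "\n").encode("ascii")


if __name__ == "__main__":
    print(lint_profile(sample_profile()))
    print(lint_profile(sample_profile(tls_close="</key>")))
    print(lint_profile(sample_profile().decode().encode("utf-16")))
```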

epoch1970
2015-01-20, 07:57
Excellent!
If I am right, your VPN net is on 10.8.x.x and both the LMS server and clients run an OpenVPN client instance to obtain an address on this network. This is fine and removes the need to renumber your LAN. You might need to change the OVPN server (and clients?) config files if the 10.8.X.X network is also used by your favorite hotspot.
If the iOS app is ok with that, you can do without AES-256: AES-128 or Blowfish are much faster. I doubt the router has hardware crypto acceleration, and the 2 links will make it work hard. AES-128 or Blowfish could double the bandwidth, I'd recommend a test.
Same goes with adaptive compression: if you stream binary -like music- it won't compress so you might give the router a little relief by disabling compression altogether.
I think you do need Client-to-Client, because from the OVPN server standpoint, the LMS server machine and the iPhone are clients. Client-to-client is disabled by default I believe; I think the idea is by default to avoid an invasion of computers personal shares within the VPN network.

d6jg
2015-01-20, 11:01
Yes the chances of finding yourself on another 10.8. Network are very slim indeed.

808htfan
2015-01-20, 19:43
Yes the chances of finding yourself on another 10.8. Network are very slim indeed.


Excellent!
If I am right, your VPN net is on 10.8.x.x and both the LMS server and clients run an OpenVPN client instance to obtain an address on this network. This is fine and removes the need to renumber your LAN. You might need to change the OVPN server (and clients?) config files if the 10.8.X.X network is also used by your favorite hotspot.
If the iOS app is ok with that, you can do without AES-256: AES-128 or Blowfish are much faster. I doubt the router has hardware crypto acceleration, and the 2 links will make it work hard. AES-128 or Blowfish could double the bandwidth, I'd recommend a test.
Same goes with adaptive compression: if you stream binary -like music- it won't compress so you might give the router a little relief by disabling compression altogether.
I think you do need Client-to-Client, because from the OVPN server standpoint, the LMS server machine and the iPhone are clients. Client-to-client is disabled by default I believe; I think the idea is by default to avoid an invasion of computers personal shares within the VPN network.

Thanks for the replies.

I will make the changes to encryption and compression.


Another question: With my VPN server setup to 'Direct clients to redirect internet traffic : Yes', does that now make it safe to use free, non-secured wifi hotspots? Assuming that I connect to my VPN server with whatever device I'm using...

Thanks again for the help!

d6jg
2015-01-21, 10:28
In theory it should but you will find that a lot, probably most, of such hotspots won't allow the VPN pass through. It depends on the equipment in use. You stand a better chance with your setup than with say PPTP mind.

epoch1970
2015-01-21, 14:22
About the direct to redirect (huh?) internet traffic thing. If you're an employee in, say, a bank, the admins want to see all the traffic going out and coming in to your computer. To do this the default outgoing route (Internet) has to be through the VPN link, then to the VPN server's default route, and then back to you. This is secure but it makes casual browsing a bit expensive.

If you don't force the default route to go through the VPN link, you'll have one route for 10.8.x.x, and a default route pointing to the router on the hotspot you're on. Browsing will be faster but the hotspot router will know what you've done (besides hitting your VPN server.)

Basically, if you don't know the purpose of redirecting the default route through the VPN, there is little chance you really need it.

BTW. For hotspot use, you might be interested in using the HTTP tunneling feature of OVPN. I guess some hotspots will restrict outgoing traffic to mainstream ports/services. The feature is supposed to keep the link working through web proxies. Unfortunately I have no experience with this particular setup.
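
The two routing cases described in the post above, as an added example that is not part of the original thread: a longest-prefix lookup showing which link each destination leaves through with and without the redirect. It assumes the def1 form of OpenVPN's redirect-gateway option (two /1 routes plus a host route to the VPN server); all addresses are constructed and the function names are hypothetical.

```python
import ipaddress


def build_routes(hotspot_net, vpn_server, vpn_net, home_lan, redirect):
    """Model a client's routing table as (network, link) pairs."""
    net = ipaddress.ip_network
    routes = [
        (net("0.0.0.0/0"), "hotspot"),   # default route learned from the hotspot
        (net(hotspot_net), "hotspot"),   # directly connected hotspot network
        (net(vpn_net), "vpn"),           # the tunnel's own subnet
        (net(home_lan), "vpn"),          # "Push LAN to Clients : Yes"
    ]
    if redirect:
        # Assumed def1 behaviour: cover the whole address space with two
        # routes more specific than /0, and pin the server itself to the
        # hotspot so the encrypted tunnel packets can still get out.
        routes += [
            (net("0.0.0.0/1"), "vpn"),
            (net("128.0.0.0/1"), "vpn"),
            (net(f"{vpn_server}/32"), "hotspot"),
        ]
    return routes


def egress(routes, dest):
    """Pick the link for dest by longest-prefix match."""
    dest = ipaddress.ip_address(dest)
    matching = [r for r in routes if dest in r[0]]
    return max(matching, key=lambda r: r[0].prefixlen)[1]


def compare(dests, **net_args):
    """Return {dest: (split_tunnel_link, full_tunnel_link)}."""
    split = build_routes(redirect=False, **net_args)
    full = build_routes(redirect=True, **net_args)
    return {d: (egress(split, d), egress(full, d)) for d in dests}


# Constructed addresses: a phone hotspot, a documentation-range VPN server
# and web shop, the 10.8.0.0/24 VPN subnet and a 192.168.1.0/24 home LAN.
SAMPLE = dict(hotspot_net="172.20.10.0/28", vpn_server="198.51.100.7",
              vpn_net="10.8.0.0/24", home_lan="192.168.1.0/24")
DESTS = {"web shop": "203.0.113.10", "LMS at home": "192.168.1.56",
         "VPN server": "198.51.100.7", "hotspot router": "172.20.10.1"}

if __name__ == "__main__":
    result = compare(DESTS.values(), **SAMPLE)
    for name, addr in DESTS.items():
        split, full = result[addr]
        print(f"{name:15} {addr:15} split={split:8} redirect={full}")
```

In both cases the hotspot only carries the tunnel packets for anything routed to `vpn`; with the redirect off, ordinary browsing leaves directly through the hotspot.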

808htfan
2015-01-21, 19:38
Another question: With my VPN server setup to 'Direct clients to redirect internet traffic : Yes', does that now make it safe to use free, non-secured wifi hotspots? Assuming that I connect to my VPN server with whatever device I'm using...

Thanks again for the help!

So basically, I was just wondering if it would be safe to use those free/unsecured wifi hotspots for something like online shopping, and not have somebody sniff out our credit card numbers etc... Actually asking for the benefit of other family members...
If they block VPN, oh well... maybe looking into HTTP thing will be interesting...

Me, I'm just interested in the safe, remote access to my Squeezebox library so I can impress the friends next time there's a party at someone's house...ha ha ha! ;)

A big Thanks, again, for the help!

toby10
2015-01-22, 03:57
So basically, I was just wondering if it would be safe to use those free/unsecured wifi hotspots for something like online shopping, and not have somebody sniff out our credit card numbers etc... Actually asking for the benefit of other family members...

No, because the WiFi signal between your computer and the router for the free/unsecured hotspot is... well.... unsecured. :)

get.amped
2015-01-22, 04:24
No, because the WiFi signal between your computer and the router for the free/unsecured hotspot is... well.... unsecured. :)

But the data within that connection will be encrypted and unreadable by anyone attempting to intercept it.

808htfan
2015-01-22, 19:11
Thanks!

808htfan
2015-05-20, 20:17
I think I've managed to get things working with OpenVPN.

One thing that took the longest time to figure out was that I needed to download the Windows version of EasyRSA v3.0.0-rc2 zip from https://github.com/OpenVPN/easy-rsa/releases, instead of the zip from https://github.com/OpenVPN/easy-rsa. Didn't figure that out until I stumbled on a forum thread somewhere after Googling something.

Also had to check out all the sample config files (not just the client one) included with OpenVPN to get an idea of proper use. The OpenVPN Connect iOS app Help section also pointed out a few things I needed to know: 1) For iOS, Interface type has to be TUN 2) Easiest way for me to include the certs/keys in config is to copy/paste with header/footer, such as <ca></ca>, etc. 3) Save that .ovpn config as UTF-8 or ASCII
Edit: added some tls-auth settings and a static key created with OpenVPN, which it put in its Config folder. There's also a small error in the OpenVPN Connect app's Help section that says to use <tls-auth> </key> header/footer instead of <tls-auth> </tls-auth>.

I configured my router's OpenVPN server this way:

VPN server Configuration>Basic >

Start with WAN : Yes
Interface Type : TUN
Protocol : UDP
Port : 1194
Firewall : Automatic
Authorization Mode : TLS
Extra HMAC-authorization : Disabled, EDIT: changed to Incoming (0)
VPN subnet/netmask : 10.8.0.0/255.255.255.0

VPN Server Configuration>advanced :

Poll Interval : 0
Push LAN to Clients : Yes
Direct clients to redirect internet traffic : Yes
Respond to DNS : Yes
Advertise DNS to clients : Yes
Encryption cipher : AES-256-CBC *EDIT: changed to AES-128-CBC
Compression : Adaptive *EDIT: changed to Disabled
TLS Renegotiation Time : -1
Manage client-specific options : Yes
Allow Client<->Client : Yes


I tested by running the OpenVPN client on my Win7 laptop and connected to router's OpenVPN server by using the router's local IP (192.168.1.x) in the config file. Then used a smartphone setup as a wifi hotspot, connected the iPhone 3GS (I'm using as wifi only device) to said hotspot, then connected to my router's OpenVPN server using the DDNS address I setup with no-ip.com.


Just got hold of an Android device not long ago...

I've setup an OpenVPN config file and installed the OpenVPN connect app, installed Orange Squeeze and Squeezeplayer, also installed Squeeze Ctrl and SB Player. I have both the remote control of Squeezeboxes and playback working so far and they're all really nice.

But, I am having a problem connecting to LMS when going thru the VPN. It seems Orange Squeeze and Squeeze Ctrl can't find/connect to the server. My OpenVPN connection says it's connected. I'm using another cell phone's wifi hotspot feature to connect my Android device to 'net, then turning on OVPN. Maybe once or twice OrangeSqueeze connected, but when I try browsing my albums, etc, it just says 'Loading' for so long I give up waiting. Playback, etc with iPeng continues to work pretty well thru the VPN.

Any one use an Android device and OpenVPN while also getting remote playback working?

Thanks!

pippin
2015-05-21, 06:17
Did you manually configure the server? Server discovery might not work through a VPN

bernt
2015-05-21, 06:48
Hi!

I have used Neorouter for years. It's free and easy to install.

Install Neorouter server on your server and the client on your phone or pc. That's it!

If your FW\router doesn't support upnp you may have to open one port.

808htfan
2015-05-21, 16:36
Did you manually configure the server? Server discovery might not work through a VPN

Hi-
Yup, I added the 'normal' local IP and the one assigned by my router's VPN server.

Thanks :)

808htfan
2015-05-21, 16:37
Hi!

I have used Neorouter for years. It's free and easy to install.

Install Neorouter server on your server and the client on your phone or pc. That's it!

If your FW\router doesn't support upnp you may have to open one port.

I'm not familiar with neorouter, I'll have to look it up. Thanks

bernt
2015-05-21, 22:38
I'm not familiar with neorouter, I'll have to look it up. Thanks

One thing, it doesn't work with iPeng. It only works with some predefined apps like ftp and rdp.

Have only used it on my work pc. Sorry!

bernt
2015-11-27, 05:59
Hi!

Found a better way to do it. I'm using Vortexbox that has ssh enabled by default

First open port 22 on your FW and redirect it to your Vortexbox.

Install Serverauditor from AppStore on your iDevice. In Serverauditor add a new host with your external IP address or, preferably, a dynamic DNS name.

Go to Port Forwarding in Serverauditor and add a New Rule, choose Local, select your host, set Port From: 9000, destination: 127.0.0.1, set Port To: 9000.

Add another rule but use port 3483.

Start Portforwarding by pressing the rules.

In iPeng add a server with address 127.0.0.1.

That's it.

d6jg
2015-11-27, 11:45
Hi!

Found a better way to do it. I'm using Vortexbox that has ssh enabled by default

First open port 22 on your FW and redirect it to your Vortexbox.

Install Serverauditor from AppStore on your iDevice. In Serverauditor add a new host with your external IP address or, preferably, a dynamic DNS name.

Go to Port Forwarding in Serverauditor and add a New Rule, choose Local, select your host, set Port From: 9000, destination: 127.0.0.1, set Port To: 9000.

Add another rule but use port 3483.

Start Portforwarding by pressing the rules.

In iPeng add a server with address 127.0.0.1.

That's it.

Warning. Only ever do this if you have changed the Vortexbox password from the default. Opening SSH to allow access from anywhere is very very dangerous. You will get portscanned and you will get people trying to access.

DJanGo
2015-11-27, 12:59
Warning. Only ever do this if you have changed the Vortexbox password from the default. Opening SSH to allow access from anywhere is very very dangerous. You will get portscanned and you will get people trying to access.

+1.000000000000.0000000000000000000

wtf? even with a non-std password, and I don't think some guy that has that great idea would use a password like YAz74!:!74zAY, and even that is sorted in secs not hours......

bernt
2015-11-30, 06:50
Warning. Only ever do this if you have changed the Vortexbox password from the default. Opening SSH to allow access from anywhere is very very dangerous. You will get portscanned and you will get people trying to access.

The password is changed.

DJanGo
2015-11-30, 07:06
The password is changed.

so we can call you right now hero?

It's not what you do, it's what tips you gave others; there might be less know-how than you (even if it's hard to think that someone exists)

Don't give tips for something you have no clue about

bernt
2015-11-30, 07:08
so we can call you right now hero?

It's not what you do, it's what tips you gave others; there might be less know-how than you (even if it's hard to think that someone exists)

Don't give tips for something you have no clue about


Ok, sorry. :(

philippe_44
2015-11-30, 08:31
Warning. Only ever do this if you have changed the Vortexbox password from the default. Opening SSH to allow access from anywhere is very very dangerous. You will get portscanned and you will get people trying to access.

Not that I'm using one, but the SSH server on the Vortexbox is ill-configured?

bernt
2015-12-02, 07:56
Let's see if I've done my homework?

In hosts.deny
sshd:ALL

In hosts.allow
sshd:my work ip, local lan

In sshd_config
Changed the default port from 22 to xxxx
PermitRootLogin no
DenyUsers root
DenyGroups root
AllowUsers user1
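
An added example, not part of any poster's message: a small checker that reads sshd_config text the way sshd does (first value of a keyword wins, settings after a Match line are conditional) and flags what matters for an Internet-facing SSH port. Port 2222 stands in for the "xxxx" placeholder, and the PasswordAuthentication check is an assumption added here because of the password-guessing concern raised above.

```python
import re

# Constructed sample: the settings listed in the post, with a placeholder port.
SAMPLE = """\
Port 2222
PermitRootLogin no
DenyUsers root
DenyGroups root
AllowUsers user1
"""

# Keywords whose repeated lines accumulate; for the rest sshd keeps the first value.
LIST_KEYS = {"port", "allowusers", "denyusers", "allowgroups", "denygroups"}

def effective_settings(text):
    """Return the global (pre-Match) settings sshd would use from this text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":  # everything after Match is conditional, not global
            break
        if key in LIST_KEYS:
            settings.setdefault(key, []).extend(value.split())
        else:
            settings.setdefault(key, value)
    return settings

def audit(text):
    """Return (id, message) findings for an Internet-facing sshd."""
    s = effective_settings(text)
    findings = []
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append(("root-login", "PermitRootLogin is not explicitly 'no'"))
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("password-auth", "password logins allowed; guessable remotely"))
    if not s.get("allowusers"):
        findings.append(("no-allowusers", "no AllowUsers allow-list is set"))
    if "22" in s.get("port", ["22"]):
        findings.append(("default-port", "listening on 22; expect constant scan noise"))
    return findings

if __name__ == "__main__":
    for ident, message in audit(SAMPLE):
        print(f"{ident}: {message}")
```

On the listed settings the only finding is that password logins are still enabled. hosts.allow and hosts.deny only affect sshd builds linked against TCP wrappers, which upstream OpenSSH dropped in 6.7, so the sshd_config rules are the ones to rely on.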

d6jg
2015-12-02, 08:16
Let's see if I've done my homework?

In hosts.deny
sshd:ALL

In hosts.allow
sshd:my work ip, local lan

In sshd_config
Changed the default port from 22 to xxxx
PermitRootLogin no
DenyUsers root
DenyGroups root
AllowUsers user1

Looks correct if you really want to block root access even on your local network? It can be handy on a Vortexbox to access via SSH & WinSCP.
Was the squeezelite issue the UDP port forward?

bernt
2015-12-02, 08:29
Looks correct if you really want to block root access even on your local network? It can be handy on a Vortexbox to access via SSH & WinSCP.
Was the squeezelite issue the UDP port forward?

I can do su to root.

Haven't tested it with Squeezelite yet. Think I use Neorouter for playback\browsing and ssh for sftp and WinSCP.

WinSCP is about 3 times faster if it doesn't go through Neorouter. Faster backups.

d6jg
2015-12-02, 08:41
If you secure SSH with those rules I don't see why you couldn't use it for playback & browsing as well. Things like neorouter always have issues.