Running picoreplayer over a VPN

[odw199]

I spent a while searching for a guide on how to get picoreplayer working over a vpn and couldn't find one. After a bit of trial and error, I managed to get a picoreplayer connecting my home network over a vpn, meaning I can have picloreplayers outside my home network and don't need to open up the LMS ports to the rest of the big bad internet. This post will guide you through setting ups vpn client on your picoreplayer and connecting it to a VPN server on your home network. The set up needs to be done with the picoreplayer connected to your home network directly, once completed you can move it to the remote network on the internet.

My setup is as below:

picoreplayer on raspberry Pi running version 3.10 out on the internet
OpenVpn to connect to my home network
Asus router providing the OpenVpn server.
Mac Mini running LMS inside my home network

First thing to do is configure your VPN server. My Asus router provides this very easily from its web interface. There's a link on the left hand side under advanced settings called VPN:


Then click the OpenVPN button and make sure you are on the VPN server page (not VPN Client). You shouldn't need to set any advanced parameters, just leave everything default and set Enable OpenVPN Server to On:


You'll also need to add a VPN user under the username and password section, for example:


Once thats all done, hit apply and the VPN server should be running. I'm sure more details can be found on the OpenVPN and Asus forums...

To configure the client end of the VPN, you'll need some specific configuration details from the VPN Server. Luckily, Asus routers will generate all this for you. Click the big export button and you should download an .opvn configuration file. Save this as we'll use the details when configuring the VPN client on the picoreplayer.

Now it's time to get picoreplayer ready to run a VPN client:

On the web interface, click the advanced tab at the bottom, this allows us to easily install some extensions we need:


Then click the extensions button to take you to the extensions page. You want to make sure the Official piCore repository is selected under the Set extension repository section. If not, change to this and click set:


You want to install two extensions:

1. ntp.tcz
2. openvpn.tcz

Select each in turn and click load. This will install the ntp client (needed to make sure the time on picoreplayer is right - if it isn't the openvpn client won't connect) and the openvpn client.

With both of these installed, it's time to switch to the command line and configure the VPN Client.

Login on to your picloreplayer using ssh (use PuTTY on windows or just the command prompt on Linux/MacOs). You'll need to know the IP address of your picoreplayer on your home network.

Once logged on, create a directory in the tc user's home directoy called openvpn"

Code:

cd /home/tc/
mkdir openvpn
cd openvpn

In this directory you need to create 5 files:

ca.crt
In this file, paste in all the text between the <ca> and </ca> tags from the .ovpn file saved from the router.

client.crt
In this file, paste in all the text between the <cert> and </cert> tags from the .ovpn file saved from the router.

client.key
In this file, paste in all the text between the <key> and </key> tags from the .ovpn file saved from the router.

up
In this file, put the username and password created on the server openvpn page on your router, one per line. For example:

Code:

exampleUser
examplePassword

client.conf
In here goes all the other config you haven't yet used from the generated .ovpn file. One change you must make is to add "up" after auth-user-pass. My client.conf is below (your remote hostname will be different, the port should be the same)

Code:

client
dev tun
proto udp
remote example.hostname.com 1194
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass /home/tc/openvpn/up
ns-cert-type server
resolv-retry infinite
nobind

Now we must create a backup of the files we created, otherwise they will all be lost when picoreplayer reboots (I learnt this the hard way after re-typing the config multiple times :-())

Code:

/usr/local/sbin/pcp bu
[ INFO ] Backing up files to /mnt/mmcblk0p2/tce/mydata.tgz|
Done.
[ OK ] Backup successful.

All the command line stuff is done now so you can log out.

The last step is to have picoreplayer set the date and time through ntpdate and then start the openvpn client at boot. This can all be done through the web interface. On the TWEAKS page, find the section near the end called User commands.

In the first box, type:

Code:

sudo ntpdate pool.ntp.org

In the second box type:

Code:

sudo openvpn --ca /home/tc/openvpn/ca.crt --cert /home/tc/openvpn/client.crt --key /home/tc/openvpn/client.key --config /home/tc/openvpn/client.conf

click save.

That's it, when your picoreplayre reboots it will set the date and time correctly then connect to your vpn server, thus presenting itself on your local home network and connect to your LMS.

The only additional step you might need (depending on if your vpn will allow the discovery service used by LMS) is to manually set the IP address of LMS in the picoreplayer web interface. This can be done on the Squeezelite Settings page in the LMS IP field.

[Greg Erskine]

hi odw199,

Great write up, thanks for your time and effort.

I was wondering about what you said about ntp. piCorePlayer does do a ntp to set the time on boot. During development we sync changed files, so if the time isn't set correctly we would know fairly quickly.

See [Main Page] in [Beta] mode > [Diagnostics] > [Boot]
Then scroll down to /usr/bin/getTime.sh

The [Boot] page shows the boot process.

regards
Greg

[odw199]

The ntp requirement came from one instance when my pi booted up with the date set to 1st Jan (presumably 1972 - I didn't check). It had been unpowered for a while so sensible to assume the clock had reset. This prevented openvpn from connecting as it saw the certificates as not yet being valid.

Could user command 1 execute before the built in time sync?

[Greg Erskine]

The ntp requirement came from one instance when my pi booted up with the date set to 1st Jan (presumably 1972 - I didn't check). It had been unpowered for a while so sensible to assume the clock had reset. This prevented openvpn from connecting as it saw the certificates as not yet being valid.

Could user command 1 execute before the built in time sync?

The [Boot] page shows the order that processes are run. So User commands (in do_rebootstuff.sh) are run after settime/getTime. But I just realised, the response from crond showing the time has been set comes up 10 or 15 seconds after the "Setup piCorePlayer complete".

I do see on the odd occasion the time displayed on the web interface showing epoch instead of the correct time. I have assumed this is due to the fact that we can fire up the web interface before the ntp has completed setting the time. A refresh shows the correct date.

Some of the startup commands are backgrounded, so commands can sometimes run before others have completed.

Code:

/usr/sbin/ntpd -q -p pool.ntp.org

This is the standard command to set the time (maybe with sudo).

Maybe a wait 5; before the openvpn command. If you like scripting, a wait loop checking that the time is not epoch before proceeding.

I am just trying to eliminate one download and an extra command.

Again, thanks for doing this.

regards
Greg

[odw199]

I'll see if I can eliminate the ntp requirement, but as I have a working implementation it'll be a while before I fiddle with it

[Jeff07971]

I'll see if I can eliminate the ntp requirement, but as I have a working implementation it'll be a while before I fiddle with it

I have never needed to do anything "extra" from the standard Pcp as regards NTP

I wrote a script that starts the VPN and checks the VPN connection every 10 minutes. It restarts OpenVPN if the remote network cannot be contacted.

Code:

#!/bin/sh

sudo openvpn --config /home/tc/openvpn/config.conf &

VPNTest() {

#Check if the VPN is already being tested

  if [ -f /home/tc/TestingVPN ]; then
    echo "VPN is already being tested"
  else

  touch /home/tc/TestingVPN

# Get Local network address

  homenet=$(/sbin/ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){2}[0-9]*' | grep -v '127.0.0')

# Choose a host on the remote network

  testhost=192.168.5.2

# If we can ping the host remote network then the VPN is up

    if [ "$homenet" != "192.168.5" ]; then
        count=$(ping -c 4 $testhost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
          if [ $count -eq 4 ]; then
            hostup=yes
          echo "VPN is UP"
          else
        
          echo "VPN is DOWN"
          echo "Restarting OpenVPN"
        
    sudo killall -HUP openvpn &
          
          sleep 20
          count=$(ping -c 4 $testhost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
            if [ $count -eq 4 ]; then
            echo "VPN is now up"
            else
            echo "VPN is still down will try again next time this script is run"
            fi
      fi		
	  else
# If we happen to be on the remote network without VPN

      echo "We're Home !"
    fi

rm -f /home/tc/TestingVPN

  fi
}
  
while true
  do
    VPNTest
    sleep 600
  done

I added this to user command 1

Code:

/home/tc/Startvpn.sh

Seems to work fine

[Jeff07971]

The ntp requirement came from one instance when my pi booted up with the date set to 1st Jan (presumably 1972 - I didn't check). It had been unpowered for a while so sensible to assume the clock had reset. This prevented openvpn from connecting as it saw the certificates as not yet being valid.

Could user command 1 execute before the built in time sync?

There is no RTC on the Pi, the clock needs to be set everytime the Pi boots

[Linvincible]

Thanks a lot for your efforts investigating this!
I have a ubiquity router already configured as L2tp server, and looking at the article to set it up for open vpn scares me...
What would one need to do to setup and configure an L2tp client on picoreplayer?

I spent a while searching for a guide on how to get picoreplayer working over a vpn and couldn't find one. After a bit of trial and error, I managed to get a picoreplayer connecting my home network over a vpn, meaning I can have picloreplayers outside my home network and don't need to open up the LMS ports to the rest of the big bad internet. This post will guide you through setting ups vpn client on your picoreplayer and connecting it to a VPN server on your home network. The set up needs to be done with the picoreplayer connected to your home network directly, once completed you can move it to the remote network on the internet.
[...]

[bernt]

Or use ZeroTier.

https://zerotier.atlassian.net/wiki/...+with+ZeroTier

[Pommes]

Hello
I would like to use Picoreplayer on Raspberry in remote location by using openvpn.
But i can not find openvpn.tcz in the repository.
Is there a way to manually install this?

Thank You
Pommes