If you're ever out and about and away from home for long periods of time, then this tutorial is for you!

Question - Why should I set up a VPN server? It is easier to simply forward ports and connect in.

Answer - A VPN server introduces another layer of security. To connect to your node via SSH, you first have to connect to your VPN and then SSH into your node. This introduces another barrier and makes intrusions much more difficult.

Requirements

• You will need a public static IP address or a DNS for your home network.

• This tutorial assumes you have Ubuntu Server 22.04 LTS installed and running. If not, no stress! You can follow the below link for a tutorial on how to do that.

Recommendations

• For security purposes, I recommend you set up the VPN server on a separate machine that is not your staking machine. This can even be a VM.

With all of that out of the way - Let's dive right into it!

Step 1 ) Run commands to ensure your machine is up to date.

Please login to the machine and authenticate as superuser using the below command

sudo -i

Now execute the below command to ensure the OS and packages are up to date. Please upgrade any that aren't.

apt-get update && apt-get upgrade

Step 2 ) Install OpenVPN dependencies.

Please execute the below command.

apt-get install ca-certificates wget net-tools gnupg

Step 3) Import OpenVPN GPG key and add the official repository.

Execute the below three commands

• This command will load the OpenVPN public GPG key.

curl -fsSL https://as-repository.openvpn.net/as-repo-public.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/as-repo-public.gpg

• This command will add the OpenVPN access server repository to your machine.

echo "deb http://as-repository.openvpn.net/as/debian jammy main">/etc/apt/sources.list.d/openvpn-as-repo.list

• This command will check all configured repositories for updates.

apt-get update

Step 4) Install OpenVPN access server.

Now the fun begins! To install, execute the below command

apt-get install openvpn-as

Hooray, you've just installed OpenVPN access server! Pay attention to this part of the debug, it contains valuable information.

The Admin UI is for making changes to the server config and adding users.

The Client UI is for your devices, you'll be able to download user profiles/certificates here. We will do that part later.

Step 5) Configuring the server for remote access.

Browse to your Admin UI URL. You'll receive a certificate warning, you can safely ignore this and continue. Once completed, you'll see the below UI.

Please login, read and accept the EULA and we are ready to go!

We need to make a few network changes, for this please navigate to Configuration > Network Settings

Step 5.1) - Changing the VPN traffic port

Please find the "Multi-Daemon Mode" section, and edit both ports away from the default ports. This is for security purposes. These ports can be the same number. I picked 9514, but this is an example only, I recommend choosing your own ports.

Step 5.2) - Adding in your public IP

Please don't navigate away from the "Network Settings" page for now. But you will need to open the below URL in a new tab.

Copy your IP address from this website and paste it in the "Hostname or IP Address" field located at the top of the "Network Settings" page. This will already be populated with your private IP address, you must overwrite it with your public one.

Step 5.3) Configure the admin UI and client UI to run on different ports.

This step is optional but for security purposes I heavily recommend it.

We are going to configure the admin UI and the client UI to run on different ports because we only need to publicly access the client UI.

On the same page "Network Settings", please scroll down to the bottom and find "Client Web Server" and toggle the "Use a different IP address or port" setting.

Now we can change which port we want the client web server to run on, you can make this any port of your choosing. I chose 9515.

From here, please click "Save Settings" and then "Update Running Server"

Once the running server has been updated, you may need to refresh your browser and log back into the admin UI.

Step 5.4) Enforce MFA on all user accounts

This step is also optional, but for security purposes I also heavily recommend it.

We are going to require that all user accounts setup and use 2FA so in the worst case scenario where someone did get your otherwise guess your user credentials, they won't be able to gain access.

Please navigate to Authentication > Settings

Please find the "TOTP Multi-Factor Authentication" setting and toggle it

Once the setting has been changed, you must again click "Save Settings" down the bottom and then "Update running server" as shown in the bottom of the last example (Step 5.3).

Step 5.5) Advanced users only - Adding a static route

If you are an advanced user - You may have setup your OpenVPN server on a different subnet than your Ethereum nodes/validators.

If that is the case, you will need to browse to "Configuration > VPN Settings" and add in a static route for your validator network.

If they are not on separate subnets, please continue onto step 6.

Step 6) Adding user accounts.

Step 6.1) - Create a new user and set a password

Please navigate to "User management" > "User Permissions".

From here, you can add a new user. Please type out a username and tick the "Allow Auto-login" box, then select the "More Settings" box.

You can now set a password for the account in the new options that appear when you click "More Settings".

Once done, please "Save Settings" and "Update Running Server" again.

Step 6.2) Advanced users only - Allow access to another network

If you are one of the lucky ones that had to do step 5.4, then you may also need to add your Ethereum node/validator subnet to the user account too.

Step 7) Unblock local ports.

If you are using a local firewall (which you should be), you may need to unblock the local ports depending on how you have it configured.

These are the ports you set in step 5.1 and step 5.3 + port 943 (The default admin port). You can change the admin UI port if you wish, but as it doesn't have external access it is not really necessary.

sudo ufw allow 943
sudo ufw allow 9514 <Change to your "Multi-Daemon Mode" port>
sudo ufw allow 9515 <Change to your "Client Web Server" port>
sudo ufw enable
sudo ufw status numbered

Almost there!

Step 8) Port forwarding.

For this step you will need to login to your router and forward ports to the machine running OpenVPN access server. The exact workflow is router dependent, so please search online for instructions and include your router make and model in the search.

You will need to forward two ports, both TCP/UDP.

• The port(s) you entered for "Multi-Daemon Mode" (I used 9514)

• The port you entered for "Client Web Server" (I used 9515)

Once completed, please browse to the below website and enter in your ports to check if they are forwarded correctly.

Step 9) - Configure a device for VPN access.

If you've made it this far, then congrats! You will be pleased to know that all the hard stuff is out of the way.

Please complete this step on the device you want to set up remote access.

Open the client web UI - You can use either your public or private IP for this step. In my case, I navigated to https://192.168.3.111:9515

Once in, login using the user account you created in step 6. If successful, you will see the screen in the below step.

NOTE: If you enabled MFA as per step 5.4, then after logging in you will be prompted to setup a 2FA credential. You can use something like Google Authenticator or Authy. I heavily recommend enabling this as the extra security is definitely worth it.

Step 9.1 ) - Install OpenVPN client

Please select the OS you are using.

From here you can select a client for your device.

• If on Windows or Mac, it will automatically download the OpenVPN client software and guide you through the rest of the process.

• If on Linux, Android or iOS, it will take you to an external page with further instructions.

Step 9.2) Download the client user profile

Please download the "autologin profile".

Once done, you will have to import the profile into the OpenVPN software. The software itself (Windows or Mac) or external pages (Linux, Android or iOS) will show you how to do this.

Step 10) - Connect to the VPN

Lucky you, I saved the easiest step for last.

• If using a laptop or desktop, please connect to another network such as a mobile hotspot.

• If using a phone, please disconnect from your WiFi and ensure you are connected to your telco's internet.

Now check your IP address at > https://www.whatismyip.com/

Go back to the OpenVPN software and hit connect and you'll be connected in just a matter of seconds.

Now check your IP address again at > https://www.whatismyip.com/

If the connection was successful, you will see it now matches your home IP as you are now connected to your home internet connection. From here you can securely SSH into your Ethereum nodes/validators.

If you can connect to your home network but are unable to SSH into your servers, you may need to tweak the firewall on your Ethereum node to accept incoming SSH connections from the IP address of your OpenVPN server.

FAQ

Can I connect to this VPN while also using a different VPN provider?

No. At least not easily. To get this to work you will need to write your own IP tables.

Does the client UI need to be exposed to the internet?

No. If you can access the server within your local network and download and setup your user profile, then you won't need to access the client UI externally.

However if you aren't within your local network and you need to redownload a user profile (For example if you are travelling and your phone/laptop dies and you get a new one) then you won't be able to login to the portal and download a new user profile.

So leaving the client UI exposed to the internet with MFA switched on (As per step 5.4) means the security is top notch.