Setting up home VPN access
This tutorial will run you through the steps you need to take to set up a VPN server at home, allowing you to securely connect back in and manage your staking machine.
If you're ever out and about and away from home for long periods of time, then this tutorial is for you!
Question - Why should I set up a VPN server? It is easier to simply forward ports and connect in.
Answer - A VPN server introduces another layer of security. To connect to your node via SSH, you first have to connect to your VPN and then SSH into your node. This introduces another barrier and makes intrusions much more difficult.
- You will need a public static IP address or a DNS for your home network.
- This tutorial assumes you have Ubuntu Server 22.04 LTS installed and running. If not, no stress! You can follow the below link for a tutorial on how to do that.
- For security purposes, I recommend you set up the VPN server on a separate machine that is not your staking machine. This can even be a VM.
With all of that out of the way - Let's dive right into it!
Please login to the machine and authenticate as superuser using the below command
Now execute the below command to ensure the OS and packages are up to date. Please upgrade any that aren't.
apt-get update && apt-get upgrade
Your output will look like this if there are no upgrades needed.
Please execute the below command.
apt-get install ca-certificates wget net-tools gnupg
With all those installed, we are ready to prepare the machine for the VPN server.
Execute the below three commands
- This command will load the OpenVPN public GPG key.
curl -fsSL https://as-repository.openvpn.net/as-repo-public.gpg | gpg --dearmor > /etc/apt/trusted.gpg.d/as-repo-public.gpg
- This command will add the OpenVPN access server repository to your machine.
echo "deb http://as-repository.openvpn.net/as/debian jammy main" > /etc/apt/sources.list.d/openvpn-as-repo.list
- This command will check all configured repositories for updates.
apt-get update
You'll now notice a new line for the OpenVPN access server repository in the output of "apt-get update".
Now the fun begins! To install, execute the below command
apt-get install openvpn-as
You may need to install a fair few packages for this one...
Hooray, you've just installed OpenVPN access server! Pay attention to this part of the install output, it contains valuable information.
Note the URL, the username and the password. Very important!
The Admin UI is for making changes to the server config and adding users.
Browse to your Admin UI URL. You'll receive a certificate warning because the server starts with a self-signed certificate; you can safely ignore this and continue. Once completed, you'll see the below UI.
Please login here!
Please login, read and accept the EULA and we are ready to go!
We need to make a few network changes, for this please navigate to Configuration > Network Settings
Please find the "Multi-Daemon Mode" section, and change both ports away from their defaults. This is for security purposes. Both ports can be the same number. I picked 9514, but this is an example only, I recommend choosing your own ports.
"9514" is an example port only.
Please don't navigate away from the "Network Settings" page for now. But you will need to open the below URL in a new tab.
Copy your IP address from this website and paste it in the "Hostname or IP Address" field located at the top of the "Network Settings" page. This will already be populated with your private IP address, you must overwrite it with your public one.
If you don't have a static IP, you will need a DNS hostname that follows your home IP address (for example a dynamic DNS service) instead.
This step is optional but for security purposes I heavily recommend it.
We are going to configure the admin UI and the client UI to run on different ports because we only need to publicly access the client UI.
On the same page "Network Settings", please scroll down to the bottom and find "Client Web Server" and toggle the "Use a different IP address or port" setting.
Please press "No" and turn it into "Yes".
Now we can change which port we want the client web server to run on, you can make this any port of your choosing. I chose 9515.
"9515" is an example port only.
From here, please click "Save Settings" and then "Update Running Server"
Please hit this button
And also this button...
Once the running server has been updated, you may need to refresh your browser and log back into the admin UI.
This step is also optional, but for security purposes I also heavily recommend it.
We are going to require that all user accounts set up and use 2FA, so that in the worst case, where someone obtains or guesses your user credentials, they still won't be able to gain access.
Please navigate to Authentication > Settings
Please find the "TOTP Multi-Factor Authentication" setting and toggle it
Once the setting has been changed, you must again click "Save Settings" at the bottom and then "Update Running Server", as shown at the bottom of the last example (Step 5.3).
If you are an advanced user - You may have setup your OpenVPN server on a different subnet than your Ethereum nodes/validators.
If that is the case, you will need to browse to "Configuration > VPN Settings" and add in a static route for your validator network.
If they are not on separate subnets, please continue onto step 6.
Advanced users only.
Advanced users only - Toggle "Yes, using Routing" and add in the subnet your Ethereum nodes/validators are on.
Please navigate to "User management" > "User Permissions".
From here, you can add a new user. Please type out a username and tick the "Allow Auto-login" box, then select the "More Settings" box.
"Allow Auto-Login", and then "More Settings"
You can now set a password for the account in the new options that appear when you click "More Settings".
Make sure it's a complex one!
Once done, please "Save Settings" and "Update Running Server" again.
If you are using a local firewall (which you should be), you may need to unblock the local ports depending on how you have it configured. If you are managing the machine over SSH, allow SSH before you enable ufw, otherwise you will lock yourself out.
sudo ufw allow OpenSSH
sudo ufw allow 943     # admin UI port
sudo ufw allow 9514    # change to your "Multi-Daemon Mode" port
sudo ufw allow 9515    # change to your "Client Web Server" port
sudo ufw enable
sudo ufw status numbered
For this step you will need to login to your router and forward ports to the machine running OpenVPN access server. The exact workflow is router dependent, so please search online for instructions and include your router make and model in the search.
You will need to forward two ports, each for both TCP and UDP.
- The port(s) you entered for "Multi-Daemon Mode" (I used 9514)
- The port you entered for "Client Web Server" (I used 9515)
Once completed, please browse to the below website and enter in your ports to check if they are forwarded correctly.
(IP Address redacted) - My VPN traffic port is open.
(IP Address redacted) - My client web UI port is open.
If you've made it this far, then congrats! You will be pleased to know that all the hard stuff is out of the way.
Please complete this step on the device you want to set up remote access.
NOTE: If you enabled MFA as per step 5.4, then after logging in you will be prompted to set up a 2FA credential. You can use something like Google Authenticator or Authy. I heavily recommend enabling this as the extra security is definitely worth it.
Please select the OS you are using.
From here you can select a client for your device.
- If on Windows or Mac, it will automatically download the OpenVPN client software and guide you through the rest of the process.
- If on Linux, Android or iOS, it will take you to an external page with further instructions.
Please download the "autologin profile".
Once done, you will have to import the profile into the OpenVPN software. The software itself (Windows or Mac) or external pages (Linux, Android or iOS) will show you how to do this.
Lucky you, I saved the easiest step for last.
- If using a laptop or desktop, please connect to another network such as a mobile hotspot.
- If using a phone, please disconnect from your WiFi and ensure you are connected to your telco's internet.
Go back to the OpenVPN software and hit connect and you'll be connected in just a matter of seconds.
If the connection was successful, checking your public IP again will show that it now matches your home IP, as your traffic is now leaving through your home internet connection. From here you can securely SSH into your Ethereum nodes/validators.
If you can connect to your home network but are unable to SSH into your servers, you may need to tweak the firewall on your Ethereum node to accept incoming SSH connections from the IP address of your OpenVPN server.
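As an added check that is not part of the original tutorial, the script below parses the output of "sudo ufw status numbered" from a node, lists the rules that still allow SSH from anywhere other than the VPN server, and prints the ufw commands that would restrict it. The sample status output is constructed, and 10.0.0.5 is a placeholder for the OpenVPN server's LAN address.

```python
import re

# Constructed sample of `sudo ufw status numbered` as it might look on an
# Ethereum node; not captured from a real machine. 10.0.0.5 is a placeholder
# for the OpenVPN Access Server's LAN address.
SAMPLE_UFW_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    10.0.0.5
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 30303                      ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# One numbered rule line: [n] <to> <ACTION> [IN|OUT] <from>
RULE_RE = re.compile(
    r"^\[\s*(\d+)\]\s+(.+?)\s{2,}(ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT))?\s+(.+?)$"
)


def parse_ufw_rules(status_text):
    """Return (number, to, action, source) tuples for every numbered rule."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rules


def ssh_exposure(rules, vpn_server_ip, ssh_port="22"):
    """Rule numbers that ALLOW the SSH port from a source other than the VPN server."""
    exposed = []
    for number, to, action, source in rules:
        port = to.split("/")[0].split(" ")[0]       # "22/tcp (v6)" -> "22"
        if port == ssh_port and action == "ALLOW" and source.split(" ")[0] != vpn_server_ip:
            exposed.append(number)
    return exposed


def remediation(rules, vpn_server_ip, ssh_port="22"):
    """ufw commands to restrict SSH to the VPN server; deletes run highest number
    first because ufw renumbers the remaining rules after each delete."""
    cmds = [f"sudo ufw delete {n}"
            for n in sorted(ssh_exposure(rules, vpn_server_ip, ssh_port), reverse=True)]
    has_vpn_rule = any(to.split("/")[0] == ssh_port and src == vpn_server_ip and act == "ALLOW"
                       for _, to, act, src in rules)
    if not has_vpn_rule:
        cmds.append(f"sudo ufw allow from {vpn_server_ip} to any port {ssh_port} proto tcp")
    return cmds


if __name__ == "__main__":
    print("\n".join(remediation(parse_ufw_rules(SAMPLE_UFW_STATUS), "10.0.0.5")))
```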
No. At least not easily. To get this to work you will need to write your own iptables rules.
No. If you can access the server within your local network and download and set up your user profile, then you won't need to access the client UI externally.
However, if you aren't within your local network and you need to re-download a user profile (for example if you are travelling and your phone/laptop dies and you get a new one), then you won't be able to log in to the portal and download a new user profile.