This tutorial will run you through the steps you need to take to set up a VPN server at home, allowing you to securely connect back in and manage your staking machine.
If you're ever out and about and away from home for long periods of time, then this tutorial is for you!
Question - Why should I set up a VPN server? It is easier to simply forward ports and connect in.
Answer - A VPN server introduces another layer of security. To connect to your node via SSH, you first have to connect to your VPN and then SSH into your node. This introduces another barrier and makes intrusions much more difficult.
You will need a public static IP address or a DNS name that points at your home network.
This tutorial assumes you have Ubuntu Server 22.04 LTS installed and running. If not, no stress! You can follow the below link for a tutorial on how to do that.
For security purposes, I recommend you set up the VPN server on a separate machine that is not your staking machine. This can even be a VM.
With all of that out of the way - Let's dive right into it!
Please log in to the machine and authenticate as superuser using the below command.
sudo -i
Now execute the below command to ensure the OS and packages are up to date, upgrading any that aren't.
apt-get update && apt-get upgrade
Please execute the below command.
apt-get install ca-certificates wget net-tools gnupg
Execute the below three commands, in order.
The first command loads the OpenVPN public GPG key.
The second command adds the OpenVPN Access Server repository to your machine.
The third command refreshes the package index from all configured repositories.
Now the fun begins! To install, execute the below command
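As an added example (not the tutorial's own listing), the following script collects the key, repository, index refresh and install steps into one file for Ubuntu 22.04. The key URL, repository URL and "jammy" codename are assumptions taken from OpenVPN's published apt instructions; check them against the vendor documentation before running, and run the script as root.

```shell
#!/bin/sh
# Added example, not the tutorial's own listing: the four install commands
# (key, repository, index refresh, install) as one script for Ubuntu 22.04.
# Run it as root:  sh install-openvpn-as.sh install
# Assumptions: the key URL, repository URL and "jammy" codename are taken
# from OpenVPN's published apt instructions; verify them before running.
set -eu

AS_KEY_URL="https://as-repository.openvpn.net/as-repo-public.gpg"
AS_REPO_URL="http://as-repository.openvpn.net/as/debian"
AS_LIST="/etc/apt/sources.list.d/openvpn-as-repo.list"

# Print the Ubuntu codename (e.g. "jammy" for 22.04) from an os-release file.
# $1 (optional): path to the os-release file, default /etc/os-release.
ubuntu_codename() {
    sed -n 's/^VERSION_CODENAME=//p' "${1:-/etc/os-release}" | tr -d '"'
}

# Print the apt source line for the given codename ($1).
as_repo_line() {
    printf 'deb %s %s main\n' "$AS_REPO_URL" "$1"
}

install_openvpn_as() {
    codename="$(ubuntu_codename)"
    if [ -z "$codename" ]; then
        echo "could not read VERSION_CODENAME from /etc/os-release" >&2
        return 1
    fi
    # 1. Load OpenVPN's public signing key so apt can verify the packages.
    #    (apt-key is deprecated on 22.04 but still works; it prints a warning.)
    wget -qO - "$AS_KEY_URL" | apt-key add -
    # 2. Add the Access Server repository.
    as_repo_line "$codename" > "$AS_LIST"
    # 3. Refresh the package index from all configured repositories.
    apt-get update
    # 4. Install Access Server; the installer output ends with the Admin UI
    #    and Client UI URLs that the next steps use.
    apt-get install -y openvpn-as
}

# Only install when explicitly asked, so the file can be sourced or reviewed safely.
if [ "${1:-}" = install ]; then
    install_openvpn_as
fi
```

The codename is read from /etc/os-release rather than hard-coded, so the script refuses to add a repository line it cannot match to the running release.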
Hooray, you've just installed OpenVPN Access Server! Pay attention to this part of the installer output; it contains valuable information.
The Admin UI is for making changes to the server config and adding users.
The Client UI is for your devices, you'll be able to download user profiles/certificates here. We will do that part later.
Browse to your Admin UI URL. You'll receive a certificate warning because the server uses a self-signed certificate; you can safely ignore this and continue. Once completed, you'll see the below UI.
Please log in, read and accept the EULA, and we are ready to go!
We need to make a few network changes, for this please navigate to Configuration > Network Settings
Please find the "Multi-Daemon Mode" section and change both ports from their defaults. This is for security purposes. These ports can be the same number. I picked 9514, but this is an example only; I recommend choosing your own ports.
Please don't navigate away from the "Network Settings" page for now. But you will need to open the below URL in a new tab.
Copy your IP address from this website and paste it in the "Hostname or IP Address" field located at the top of the "Network Settings" page. This field will already be populated with your private IP address; you must overwrite it with your public one.
This step is optional but for security purposes I heavily recommend it.
We are going to configure the admin UI and the client UI to run on different ports because we only need to publicly access the client UI.
On the same page "Network Settings", please scroll down to the bottom and find "Client Web Server" and toggle the "Use a different IP address or port" setting.
Now we can change which port we want the client web server to run on, you can make this any port of your choosing. I chose 9515.
From here, please click "Save Settings" and then "Update Running Server".
Once the running server has been updated, you may need to refresh your browser and log back into the admin UI.
This step is also optional, but for security purposes I also heavily recommend it.
We are going to require that all user accounts set up and use 2FA, so that in the worst case, where someone obtains or guesses your user credentials, they still won't be able to gain access.
Please navigate to Authentication > Settings
Please find the "TOTP Multi-Factor Authentication" setting and toggle it.
Once the setting has been changed, you must again click "Save Settings" at the bottom and then "Update Running Server", as shown at the bottom of the last example (step 5.3).
If you are an advanced user, you may have set up your OpenVPN server on a different subnet from your Ethereum nodes/validators.
If that is the case, you will need to browse to "Configuration > VPN Settings" and add in a static route for your validator network.
If they are not on separate subnets, please continue onto step 6.
Please navigate to "User management" > "User Permissions".
From here, you can add a new user. Please type out a username and tick the "Allow Auto-login" box, then select the "More Settings" box.
You can now set a password for the account in the new options that appear when you click "More Settings".
Once done, please "Save Settings" and "Update Running Server" again.
If you are one of the lucky ones that had to do step 5.4, then you may also need to add your Ethereum node/validator subnet to the user account too.
If you are using a local firewall (which you should be), you may need to unblock the local ports depending on how you have it configured.
These are the ports you set in step 5.1 and step 5.3, plus port 943 (the default admin port). You can change the admin UI port if you wish, but as it has no external access it is not really necessary.
Almost there!
For this step you will need to login to your router and forward ports to the machine running OpenVPN access server. The exact workflow is router dependent, so please search online for instructions and include your router make and model in the search.
You will need to forward two ports, both TCP/UDP.
The port(s) you entered for "Multi-Daemon Mode" (I used 9514)
The port you entered for "Client Web Server" (I used 9515)
Once completed, please browse to the below website and enter in your ports to check if they are forwarded correctly.
If you've made it this far, then congrats! You will be pleased to know that all the hard stuff is out of the way.
Please complete this step on the device you want to set up remote access.
Open the client web UI. You can use either your public or private IP for this step. In my case, I navigated to https://192.168.3.111:9515
Once in, log in using the user account you created in step 6. If successful, you will see the screen in the below step.
NOTE: If you enabled MFA as per step 5.4, then after logging in you will be prompted to set up a 2FA credential. You can use something like Google Authenticator or Authy. I heavily recommend enabling this as the extra security is definitely worth it.
Please select the OS you are using.
From here you can select a client for your device.
If on Windows or Mac, it will automatically download the OpenVPN client software and guide you through the rest of the process.
If on Linux, Android or iOS, it will take you to an external page with further instructions.
Please download the "autologin profile".
Once done, you will have to import the profile into the OpenVPN software. The software itself (Windows or Mac) or external pages (Linux, Android or iOS) will show you how to do this.
Lucky you, I saved the easiest step for last.
If using a laptop or desktop, please connect to another network such as a mobile hotspot.
If using a phone, please disconnect from your WiFi and ensure you are connected to your telco's internet.
Now check your IP address at https://www.whatismyip.com/
Go back to the OpenVPN software and hit connect and you'll be connected in just a matter of seconds.
Now check your IP address again at https://www.whatismyip.com/
If the connection was successful, you will see it now matches your home IP as you are now connected to your home internet connection. From here you can securely SSH into your Ethereum nodes/validators.
If you can connect to your home network but are unable to SSH into your servers, you may need to tweak the firewall on your Ethereum node to accept incoming SSH connections from the IP address of your OpenVPN server.
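As an added example (not from the original tutorial), the following ufw script covers both the local firewall of step 7 on the Access Server host and the node-side SSH rule described just above. The ports 9514, 9515 and 943 are the tutorial's own values; the LAN range 192.168.3.0/24 and the server address 192.168.3.111 are assumptions derived from the client UI address used in step 8, and the node rule assumes Access Server's default NAT behaviour, under which VPN client traffic reaches the node from the Access Server's own IP.

```shell
#!/bin/sh
# Added example, not part of the tutorial: ufw rules for (a) the machine
# running OpenVPN Access Server and (b) each Ethereum node/validator.
# Usage:  sh vpn-firewall.sh vpn-host      (on the Access Server host)
#         sh vpn-firewall.sh node          (on each node/validator)
# Set DRY_RUN=1 to print the rules instead of applying them.
set -eu

VPN_PORT="${VPN_PORT:-9514}"                     # Multi-Daemon Mode port (step 5.1)
CLIENT_UI_PORT="${CLIENT_UI_PORT:-9515}"         # Client Web Server port (step 5.3)
ADMIN_UI_PORT="${ADMIN_UI_PORT:-943}"            # default Admin UI port, LAN only
LAN_CIDR="${LAN_CIDR:-192.168.3.0/24}"           # assumed home LAN range
VPN_SERVER_IP="${VPN_SERVER_IP:-192.168.3.111}"  # assumed Access Server address

# Run a command, or just print it when DRY_RUN=1 so the rules can be
# reviewed (or tested) on a machine without ufw or root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# (a) Rules for the host running OpenVPN Access Server. Only the VPN daemon
# ports and the client web UI are reachable from the router; SSH and the
# admin UI are limited to the home LAN.
vpn_host_rules() {
    run ufw default deny incoming
    run ufw allow "$VPN_PORT/tcp"                 # OpenVPN daemon, TCP
    run ufw allow "$VPN_PORT/udp"                 # OpenVPN daemon, UDP
    run ufw allow "$CLIENT_UI_PORT/tcp"           # client web UI (port-forwarded)
    run ufw allow from "$LAN_CIDR" to any port "$ADMIN_UI_PORT" proto tcp
    run ufw allow from "$LAN_CIDR" to any port 22 proto tcp
}

# (b) Rules for each Ethereum node/validator: accept SSH only from the
# Access Server. With its default NAT setting, VPN clients appear to the
# node as the Access Server's own IP address.
node_rules() {
    run ufw allow from "$VPN_SERVER_IP" to any port 22 proto tcp
}

case "${1:-}" in
    vpn-host) vpn_host_rules ;;
    node)     node_rules ;;
    *)        echo "usage: $0 {vpn-host|node}   (DRY_RUN=1 prints the rules)" >&2 ;;
esac
```

Review the printed rules with DRY_RUN=1 first, then apply them and run `ufw enable` only once an SSH rule for your management network is in place, since `default deny incoming` would otherwise cut off your current session.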
No. At least not easily. To get this to work you will need to write your own iptables rules.
No. If you can access the server within your local network and download and set up your user profile, then you won't need to access the client UI externally.
However, if you aren't within your local network and you need to redownload a user profile (for example, if you are travelling and your phone/laptop dies and you get a new one), then you won't be able to log in to the portal and download a new user profile.
So leaving the client UI exposed to the internet with MFA switched on (As per step 5.4) means the security is top notch.