Need advice about remotely accessing TVHeadEnd via PiVPN

[1uke_]

I have recently set up the new DVB-T hat and have the system connected to my home network. Every thing works very smoothly when I am at home.

When I am away from home I can successfully log in to my home network using PiVPN

I thought i would then be able to type in my browser http://hostname:9981

However when i do this I don't get to the TVHeadEnd interface

• I wondered what i might be doing wrong?

I've included a picture of my network setup below

[DougieLawson]

If you set the VPN up with
/etc/openvpn/server.conf

Code: Select all

port 1194
proto udp
dev tun0
dev-type tun
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
push "dhcp-option DNS 192.168.3.14"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
<ca>
-----BEGIN CERTIFICATE-----
insert certificate auth certificate here
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
insert server certificate here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
insert private key here
-----END PRIVATE KEY-----
</key>
<dh>
-----BEGIN DH PARAMETERS-----
insert Diffie Hellman file here
-----END DH PARAMETERS-----
</dh>

And a client config

Code: Select all

client
dev tun
proto udp
remote openvpn-server.example.co.uk 1194 # can use a dotted decimal address
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
insert certificate auth certificate here
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
insert client certificate here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
insert client private key here
-----END PRIVATE KEY-----
</key>

That gets you a routing tunnel, all remote traffic will reach the public internet appearing to originate from the servers location (using the server public IP address). [I've stripped out my IPv6 stuff that gets a globally unique routable IPv6 address pushed down the tunnel as well.

Once you do that you can also reach the local server at 10.8.0.1 and http://10.8.0.1:9981 will get you to your TvHeadEnd server as long as it's running on the same machine as OpenVPN.

It gets ever more complex may need iptables masquerading if the OpenVPN and the TVHeadEnd are on seperate machines. Next time I'm in the pub on 14th for the monthly SWAB Pi IG meeting I'll see what I can do with my OpenVPN and a raspberry running TvHeadEnd back at home.

[1uke_]

It gets ever more complex may need iptables masquerading if the OpenVPN and the TVHeadEnd are on seperate machines. Next time I'm in the pub on 14th for the monthly SWAB Pi IG meeting I'll see what I can do with my OpenVPN and a raspberry running TvHeadEnd back at home.

Hi @Dougie,

Yes I am running OpenVPN on a different machine.

• Would it work if I had PiVPN running on the same machine as TVHeadEnd?

• It's it advisable / safe to have multiple VPN instances running on my home network?

• I'm very new to all this so still learning, I was expecting to have one PiVPN server that would let me access the whole network. Does PiVPN only let you access the computer that it is running on?

Thanks for your help and I'd really appreciate it if can do a test and let me know the results next time you are at the pub

[DougieLawson]

It will definitely work if OpenVPN and TvHeadEnd are on the same machine. It's the routing from OpenVPN to another machine on your LAN that's the hard part.

[DougieLawson]

So it's not in apt-get yet.

viewtopic.php?f=35&t=225036&start=125#p1386496
gives you another way to update the channel maps.

[1uke_]

@DougieLawson

I tried installing PiVPN on the machine running TVHeadEnd today.

I set it up to use the same port as the VPN on the other machine. (Not sure if that is the right thing to do)?

However when I try to log in I get the following message,


Fri Nov 02 15:32:05 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov 02 15:32:05 2018 TLS Error: TLS handshake failed


This website explains what some of the possible errors may be - https://openvpn.net/faq/tls-error-tls-k ... 0-seconds/

But I don't have this issue when trying to log in to the VPN on the other machine.

I'm not sure where to start unpicking and resolving this issue, please could you share any tips with me?

[DougieLawson]

TLS errors mean your CA cert, client cert, server cert and diffie-hellman files are inconsistent.

You should generate a completely new server certificate and private key for the new OpenVPN server. You can use the CA cert across multiple machines. If everything is signed with the same CA cert then you don't need to change anything on the OpenVPN client apart from the IP address/port.

[1uke_]

Thanks for the reply @DoguieLawson

I've used the command 'pivpn add'

and created a few new profiles -

• TV-Profile
• TV-Profile2
• TV-Profile3

They all give me the same error.

I have even tried uninstalling and reinstalling PI VPN but still get the same error.

• Is there anything else I could try to resolve the issue?

• Is there any other easy to install remote access software that I could try as an alternative?

Thank you for your help

[DougieLawson]

You'll have to ask the folks who develop PiVPN - I've no idea how they abuse OpenVPN for their version.

[DougieLawson]

It will definitely work if OpenVPN and TvHeadEnd are on the same machine. It's the routing from OpenVPN to another machine on your LAN that's the hard part.

I just tried this on my phone with OpenVPN and I was able to access TVHeadEnd and my weather station using the LAN addresses.

Network was too slow to go further. But that's probably because Debenhams are restricting bandwidth.