Setting Up Remote Access

Pre-requisite: Please go through demo setup page

Each of the demonstration images feature a built in, defense grade VPN solution running in a separate virtual machine. This allows secure access from the outside world into the home network where the Pi is installed.

Opening a port on the home router

In order to allow remote access from the public internet to the Raspberry Pi, a port forwarding rule needs to be installed on the existing home router. This procedure will be different for different router manufacturers, consult the documentation for your router for more information on this step.

The ports that need to be allowed are UDP 500, 4500.

Generating keys

A key generation script has been provided to allow client keys to be created easily. To gain access to the command line in the DIT cell, refer to the documentation on accessing the virtual machine command lines (link here).

From the DIT cell command line, login as the root user.

Then execute the following command to generate a key.
root@vpn: generate_client_keys.sh

You will be asked to enter a password to secure the certificate.

Getting the key off the Raspberry Pi

The resulting VPN certificate will be stored on partition 3 of the SDcard at the following path
/etc/ipsec.d/certs/client1.d4-secure.p12

Power down the gateway device and copy this certificate off the SDcard and onto your mobile phone.

or just transfer certificate to your machine using secure copy, e.g

scp /etc/ipsec.d/certs/client1.d4-secure.p12  <host machine user name>@<host machine ip / name>:/<destination path>

Install the certificate on the phone (see example).

Setting up the StrongSwan client

Project Golden Gate provides a Strongswan IPsec server running in the DIT cell. A Strongswan mobile application is available for Android and iOS devices through the app store.

The Strongswan configuration is outlined below:
Server: <ip address of eth0 interface>

(To find out ip address or RPI3, from OpenWRT cell, type ifconfig and check IP address assigned to eth0_ext, alernatively try Official RPI3 documentation)

(Note : If you are still not sure about how to figure out IP address of your RPI3, please check with your organisation’s network administrator. Typical task could require assigning a static IP to RPI3 / Or configuring the default router to forward VPN traffic to RPI3)

IKEV2 Certificate: Use the menu to select the client certificate extracted from the RPi3
User Identity: client1.d4-secure
CA Certificate: Select Automatically
Advanced Settings:
Server Identity: vpn.d4-secure

Accessing the home automation websites

Once the VPN is connected the web server running in the main virtual machine will be accessible.

The web servers need to be accessed through their local addresses, try to connect to 10.34.90.6.

Save