I am testing a lot with the lightning setup and all the projects are in. I observed that especially eclair lightning wallet on android and https://explorer.acinq.co is using publicIp only. No update if changed, whether we call the dynamicDns url and update the publicIP in our config or not.
So on eclair the node IP needs to be updated manually for each IP change, whether or not the domain name was used for that configuration.
On the acinq explorer web interface it never updates the IP. The first publicIP which was used by the node is displayed there and nobody can open a channel with it.
Next the SSL thing takes place and makes everything more weird.
So the only setting which will work without using TOR is a VPS with static IP + VPN setup, to route the lightning traffic where you want. Any recommendations on this?
The best written documentation on this with OpenVPN in detail found here:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
If I set up an openvpn client in that RaspiBlitz in the background, what steps should I be aware of? In my opinion, the raspi and admin scripts should not care if the VPN tunnel is fully set up. Even the LetsEncrypt + DynamicDNS feature should still do its job. The client part should not be a big task to set up. The openvpn server can be tricky the first time.
// Zap Android respects the given domain name, great. 1ml.com is updating server information with the new public IP, not bad.
I did all the steps from this awesome OpenVPN tutorial. Everything works great, my node gets the static public IP I registered on a VPS. I will close this, but OpenVPN is a big tool, maybe the blitz can deliver some ovpn import possibilities.
What benefit do you see in using OpenVPN? There is already the feature of using reverse SSH forwarding you can set up with the RaspiBlitz: https://github.com/rootzoll/raspiblitz/blob/master/FAQ.md#how-to-setup-port-forwarding-with-a-ssh-tunnel
I want to fight the QR code and DNS compatibility with a static public IP I don't get at my private ISP. So for additional security, it was a long time ago that I first wanted to set up a VPN gateway for mobile and some services I want to host on a static IP.
At raspiblitz I set up the openvpn client service and at the openvpn server I forward our common ports 5001:9735:10009. That seems to work very well. But the server side is a bit complex.
// Ah ok, I did not know the possibility to tunnel ports through ssh, very interesting. OpenVPN is very hard to set up without a guide and to understand all that signing which needs to be done in the right manner.
Your SSH tunnel seems superior ;) I will get into this, thank you very much.
This can be helpful on a blitz to only allow traffic via openvpn and internal ssh via ufw:
```bash
#!/bin/bash
# Lock a RaspiBlitz down so that only LAN admin access and the OpenVPN
# tunnel are allowed; everything else is dropped by default.
# Reset firewall rules (--force skips the interactive confirmation so the
# script can run unattended)
sudo ufw --force reset
# deny traffic in both directions by default
sudo ufw default deny incoming
sudo ufw default deny outgoing
# allow ssh in every case internally (LAN only)
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
# RTL Webinterface
sudo ufw allow from 192.168.1.0/24 to any port 3001 proto tcp
# Thunderhub
sudo ufw allow from 192.168.1.0/24 to any port 3011 proto tcp
# Bitcoin RPC Explorer
sudo ufw allow from 192.168.1.0/24 to any port 3021 proto tcp
# allow OpenVPN client connection to the server (with outgoing denied, the
# server must be given as an IP in the .ovpn file, or DNS must be allowed
# out separately, otherwise the hostname cannot be resolved)
sudo ufw allow out 1194/udp
# allow traffic via openvpn tunnel only
sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any
# enable rules (--force: no confirmation prompt)
sudo ufw --force enable
```
I thought of a subscription possibility in the blitz where you can get ovpn client access to a VPN gateway set up for the lightning network. So the server gets set up once and can serve some nodes with a secure IP address. If users want lnbits on this, they need a DNS name, and with a single public IP and several nodes it would not work. But a VPS can add some more IPs easily... all that config stuff is hard... and the cost of public IPs is a pain.
With some nice scripts to make the work it would be a possibility....
> I thought of a subscription possibility in the blitz where you can get ovpn client access to a VPN gateway set up for the lightning network. So the server gets set up once and can serve some nodes with a secure IP address.
Take a look at the IP2TOR shop system of frennkie - it is built flexibly enough that it also could sell SSH reverse or OpenVPN subscriptions .. and it's free to use for your own shop system: https://github.com/frennkie/django-ip2tor
Multi-Hosting SSH Tunnels as a service will need some consideration for hardening the hosts providing the SSH tunnels..
You most likely don't want to give out full shell access... Also people should only be able to use the assigned ports.. Not even sure whether this can be enforced.
But as mentioned: The IP2Tor shop software is designed for also selling other digital services besides ip2tor bridges.
You are awesome, after I get it solved my way, I should try the recommended way. Anyway it's always good to have some more possible solutions to build from scratch and not depend on implementations you (me) don't have much experience with.
I would like to know which solution can get the best performance and server availability possible. I would expect that the OpenVPN gateway is much more stable and the client side easier to configure. Sure the openvpn server part is a bit weird, but it could be packed in some setup scripts that ask for the relevant information.
Further the costs should be compared. A small VPS begins at 80$/year, that's a bit overkill only to get a static public IP. This guy should serve some more nodes... Hard to get the ports working on several nodes on the same public IP... maybe impossible because of lnd behaviour?!
I have been using reverse ssh tunnels with a VPS I have running anyway for a year now .. works great.
OpenVPN seems a bit overkill if all you want is to have inbound redirection of 1-5 ports.
But if you also want your node to appear to the outside with the public (VPS) IP as source, then some VPN technology would be required. But for me that would be outside of the scope of RaspiBlitz.
I want to use that VPN gateway and replace some other VPN subscriptions I use for mobile work. It's not a cheap solution yet, but I am a bit more independent.
To get some VPS up and running is not the worst investment for 80$ each. Thanks for your reply
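As an added example (not from this thread or the RaspiBlitz project), the reverse SSH tunnel alternative for the same three ports, plus the VPS-side hardening asked about above: the node's key gets no shell and may only request the assigned listen ports. It assumes the VPS runs OpenSSH 7.8 or newer (for permitlisten) with GatewayPorts set to yes or clientspecified in sshd_config.

```shell
#!/bin/sh
# Added example: generate both halves of a port-only reverse SSH tunnel
# between a RaspiBlitz and a VPS. Assumes OpenSSH >= 7.8 on the VPS.

# Ports the thread forwards: REST (5001), LN p2p (9735), gRPC (10009).
NODE_PORTS="5001 9735 10009"

# Client side: one -R per port, bound on the VPS public interface and
# pointing back at the same port on the node itself.
reverse_args() {
  args=""
  for p in $1; do
    args="$args -R 0.0.0.0:$p:127.0.0.1:$p"
  done
  printf '%s' "${args# }"
}

# Server side: an authorized_keys line that disables shell, pty, agent
# and X11 forwarding (restrict), re-enables port forwarding only, and
# limits -R requests to exactly the assigned ports (permitlisten).
# $1 = port list, $2 = the node's public key line.
authorized_keys_line() {
  opts="restrict,port-forwarding"
  for p in $1; do
    opts="$opts,permitlisten=\"$p\""
  done
  printf '%s %s\n' "$opts" "$2"
}

# Only start the tunnel when invoked as: tunnel.sh run user@vps
# Without arguments the script just defines the functions above.
if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
  # -N: no remote command; ExitOnForwardFailure: exit if the VPS refuses
  # a port (e.g. not in permitlisten) so a supervisor can restart us.
  # shellcheck disable=SC2046
  exec ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
    $(reverse_args "$NODE_PORTS") "$2"
fi
```

Run it under a supervisor (systemd or autossh) so the tunnel comes back after a network drop; the node's own lnd/eclair config still needs the VPS IP as its external address.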