Unlike in its early days, IoT has now become a visible part of our daily lives: in our thermostats, home virtual assistants, lighting, and air conditioning units. As IoT's presence grows, so does the exposure of its devices to threats. Fortunately, a virtual private network (VPN) can be used to protect your private IoT network from attacks and other security hazards. The VPN is built around a server with a public IP address to which both the gateway and any number of client devices (PC, phone, and others) connect. This can be implemented over any of the backhaul connectivity options the gateway supports (Ethernet, Wi-Fi, LTE).
If you use RAK Industrial LPWAN gateways, you can employ remote management based on OpenVPN: by connecting to the server from a remote client, the user can manage the gateway from anywhere, at any time.
2 Network Topology
This tutorial assumes you already have an AWS EC2 instance running Ubuntu Server 18.04 LTS.
3.1 Install OpenVPN
First, we need to install the OpenVPN package:
sudo apt install openvpn -y
We are going to be using Easy-RSA:
wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.6.tar.gz -O easyrsa.tar.gz
step 1. Extract the archive and copy easyrsa to /etc/openvpn/easyrsa/
sudo mkdir -p /etc/openvpn/easyrsa
tar zxvf easyrsa.tar.gz
sudo cp -rf easy-rsa-3.0.6/easyrsa3/* /etc/openvpn/easyrsa/
step 2. Initialize the pki
cd /etc/openvpn/easyrsa
sudo ./easyrsa init-pki
step 3. Generate the CA certificate
sudo ./easyrsa build-ca
Enter the required information according to the prompt.
Note: When asked for a password, make sure to write it down as it will be required later on.
step 4. Generate the Server certificate
sudo ./easyrsa build-server-full server nopass
step 5. Generate the DH parameters file
sudo ./easyrsa gen-dh
step 6. Generate the crl.pem file
sudo ./easyrsa gen-crl
step 1. Create the OpenVPN server configuration file and fill it in.
Create the folder the file will reside in:
sudo mkdir -p /etc/openvpn/server
Create the file and open it for editing:
sudo nano /etc/openvpn/server/config.ovpn
Note: Replace the 123.56.96.211 address in the local directive with the private IP of your AWS instance.
Note: You have to add an inbound rule to the AWS Security Group that allows UDP port 1194.
# openvpn server
cd /etc/openvpn/server
daemon
dev tap
proto udp
# local IP address to bind to; change it to the server's private IP
local 123.56.96.211
port 1194
server-bridge 10.0.8.1 255.255.255.0 10.0.8.11 10.0.8.100
ifconfig-pool-persist ip_pool.txt
up interface-up.sh
client-to-client
keepalive 10 120
comp-lzo
user root
group root
persist-key
persist-tun
ca /etc/openvpn/easyrsa/pki/ca.crt
cert /etc/openvpn/easyrsa/pki/issued/server.crt
key /etc/openvpn/easyrsa/pki/private/server.key
dh /etc/openvpn/easyrsa/pki/dh.pem
crl-verify /etc/openvpn/easyrsa/pki/crl.pem
status /var/log/openvpn-status-server.log
log /var/log/openvpn-server.log
verb 3
script-security 2
step 2. Create and fill in interface-up.sh. OpenVPN runs this script when it brings up the virtual tap interface, and the script assigns the interface its address:
sudo nano /etc/openvpn/server/interface-up.sh
Fill in the content of the file with the lines below:
#!/bin/sh
/sbin/ifconfig $1 10.0.8.1 netmask 255.255.255.0 broadcast 10.0.8.0
Make the script executable:
sudo chmod +x /etc/openvpn/server/interface-up.sh
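The server-bridge line in config.ovpn and the ifconfig line in interface-up.sh both carry the gateway address and netmask of the tap network, and OpenVPN does not cross-check them: if one is edited and the other is not, clients receive addresses the bridge cannot reach. The script below is an added example, not part of the tutorial, that reads both files and reports any disagreement, a pool outside the subnet, a reversed pool range, or a pool that swallows the gateway address itself. The function names and the constructed sample files are assumptions; the values in the samples are the ones used above.

```shell
#!/bin/sh
# Added example (not part of the RAK tutorial): check that config.ovpn and
# interface-up.sh agree before starting OpenVPN. Function names and the
# constructed sample files are assumptions.

# dotted-quad -> integer, so the subnet checks can use shell arithmetic
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
}

# check_bridge_config <config.ovpn> <interface-up.sh>
# Prints each problem found; returns 1 if there was any, 0 when consistent.
check_bridge_config() {
    cfg="$1"; up="$2"; rc=0
    # server-bridge <gateway> <netmask> <pool-start> <pool-end>
    set -- $(awk '$1 == "server-bridge" { print $2, $3, $4, $5 }' "$cfg")
    gw="$1"; mask="$2"; first="$3"; last="$4"
    [ -n "$last" ] || { echo "no complete server-bridge line in $cfg"; return 1; }

    # address and netmask that interface-up.sh assigns to the tap device
    script_gw=$(awk '/ifconfig/ { for (i = 1; i <= NF; i++) if ($i == "netmask") print $(i - 1) }' "$up")
    script_mask=$(awk '/ifconfig/ { for (i = 1; i <= NF; i++) if ($i == "netmask") print $(i + 1) }' "$up")
    [ "$gw" = "$script_gw" ] || { echo "gateway mismatch: config $gw, script ${script_gw:-none}"; rc=1; }
    [ "$mask" = "$script_mask" ] || { echo "netmask mismatch: config $mask, script ${script_mask:-none}"; rc=1; }

    g=$(ip_to_int "$gw"); m=$(ip_to_int "$mask")
    f=$(ip_to_int "$first"); l=$(ip_to_int "$last")
    net=$(( g & m ))
    { [ $(( f & m )) -eq "$net" ] && [ $(( l & m )) -eq "$net" ]; } || { echo "client pool $first-$last is outside the $gw/$mask subnet"; rc=1; }
    [ "$f" -le "$l" ] || { echo "pool start $first is after pool end $last"; rc=1; }
    { [ "$g" -lt "$f" ] || [ "$g" -gt "$l" ]; } || { echo "gateway $gw lies inside the client pool"; rc=1; }
    return $rc
}

# Constructed sample files reproducing the tutorial's values, for an offline run.
make_sample_bridge_files() {
    dir=$(mktemp -d)
    printf 'dev tap\nserver-bridge 10.0.8.1 255.255.255.0 10.0.8.11 10.0.8.100\nup interface-up.sh\n' > "$dir/config.ovpn"
    printf '#!/bin/sh\n/sbin/ifconfig $1 10.0.8.1 netmask 255.255.255.0 broadcast 10.0.8.0\n' > "$dir/interface-up.sh"
    echo "$dir"
}

# Run with VPN_DEMO=1 to check the sample files; otherwise pass your own paths
# to check_bridge_config from another script.
if [ -n "${VPN_DEMO:-}" ]; then
    d=$(make_sample_bridge_files)
    check_bridge_config "$d/config.ovpn" "$d/interface-up.sh" && echo "config.ovpn and interface-up.sh agree"
fi
```

Run it against the real files with `check_bridge_config /etc/openvpn/server/config.ovpn /etc/openvpn/server/interface-up.sh` before starting the server; a non-zero exit means at least one of the printed problems needs fixing.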
step 1. Start OpenVPN
Note: If you want OpenVPN to run on instance startup, run the command:
sudo systemctl enable openvpn
Execute the following to get your tap interface up:
sudo openvpn --config /etc/openvpn/server/config.ovpn
Note: If you want OpenVPN to load the configuration file automatically, rename config.ovpn to config.conf and move it to the /etc/openvpn folder.
This way, OpenVPN will bring the tap interface up automatically whenever the operating system reboots.
cd /etc/openvpn/server
sudo mv config.ovpn /etc/openvpn/config.conf
step 2. Check whether the OpenVPN virtual interface is up:
ifconfig tap0
You should see a similar output if the tap0 interface is up and running.
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.8.1 netmask 255.255.255.0 broadcast 10.0.8.0
ether 3a:37:f6:5a:bb:32 txqueuelen 100 (Ethernet)
RX packets 45125 bytes 8292906 (7.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16611 bytes 2205218 (2.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Note: We use management as the name for the client PC.
cd /etc/openvpn/easyrsa
# ./easyrsa build-client-full <client_name> nopass
sudo ./easyrsa build-client-full management nopass
# Update the certificate revocation list
sudo ./easyrsa gen-crl
The <ca>, <cert>, and <key> sections in the configuration file hold the CA certificate, the client certificate, and the client secret key.
The CA certificate is located in:
/etc/openvpn/easyrsa/pki/ca.crt
The client certificate and client secret key are the ones we generated in Section 4.1. Client certificate:
/etc/openvpn/easyrsa/pki/issued/<client_name>.crt
Client secret key:
/etc/openvpn/easyrsa/pki/private/<client_name>.key
Open a text editor on your PC and copy this template. Replace the remote IP with the public IP of your Amazon instance. Add each certificate in its corresponding section by copying the content from the locations mentioned above and replacing the corresponding section in the template.
dev tap
client
remote 123.56.96.211 1194
proto udp
nobind
resolv-retry infinite
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
# copy from openvpn-server /etc/openvpn/easyrsa/pki/ca.crt
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
# Client certificate PEM
# Copy from server /etc/openvpn/easyrsa/pki/issued/management.crt
#
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
# Client key PEM
# Copy from server /etc/openvpn/easyrsa/pki/private/management.key
#
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
Save the file as management_client.ovpn.
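Pasting three PEM blocks by hand is error-prone, and the same profile has to be built again for the gateway in Section 5 with a different client name. The script below is an added example, not the tutorial's own code: it assembles the client profile from the Easy-RSA PKI directories named above, takes the client name and the server's public IP as arguments, strips the human-readable dump that Easy-RSA prepends to issued certificates, refuses to emit a profile when a certificate or key file is missing, and writes the result with owner-only permissions because the file contains the private key. The function names and the constructed sample PKI (placeholder PEM bodies, not real certificates) are assumptions.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): build a client .ovpn profile from
# the Easy-RSA PKI. Function names and the constructed sample PKI are assumptions.

# Print only the PEM block of a file; Easy-RSA's issued/*.crt files start with a
# text dump of the certificate that has no place in the profile.
pem_block() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# build_client_ovpn <client_name> <server_public_ip> [pki_dir]   (writes to stdout)
build_client_ovpn() {
    name="$1"; server_ip="$2"; pki="${3:-/etc/openvpn/easyrsa/pki}"
    ca="$pki/ca.crt"; cert="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "build_client_ovpn: cannot read $f" >&2; return 1; }
    done
    cat <<EOF
dev tap
client
remote $server_ip 1194
proto udp
nobind
resolv-retry infinite
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_block "$ca")
</ca>
<cert>
$(pem_block "$cert")
</cert>
<key>
$(pem_block "$key")
</key>
EOF
}

# write_client_ovpn <client_name> <server_public_ip> [pki_dir] [out_dir]
# Writes <out_dir>/<client_name>.ovpn readable only by the owner and prints its path.
write_client_ovpn() {
    out_dir="${4:-.}"; out="$out_dir/$1.ovpn"
    mkdir -p "$out_dir"
    ( umask 077; build_client_ovpn "$1" "$2" "$3" > "$out" ) || { rm -f "$out"; return 1; }
    echo "$out"
}

# Constructed sample PKI with placeholder PEM bodies (not real certificates).
make_sample_pki() {
    dir=$(mktemp -d)
    mkdir -p "$dir/issued" "$dir/private"
    cat > "$dir/ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-BODY
-----END CERTIFICATE-----
EOF
    cat > "$dir/issued/management.crt" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CERT-BODY
-----END CERTIFICATE-----
EOF
    cat > "$dir/private/management.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-KEY-BODY
-----END PRIVATE KEY-----
EOF
    echo "$dir"
}

# Run with VPN_DEMO=1 to build a profile from the sample PKI.
if [ -n "${VPN_DEMO:-}" ]; then
    sample=$(make_sample_pki)
    write_client_ovpn management 203.0.113.10 "$sample" "$sample/out"
fi
```

On the server, `sudo sh -c '. ./build-ovpn.sh; write_client_ovpn management <public IP> /etc/openvpn/easyrsa/pki ~'` produces management_client-style profiles for any client name you have issued a certificate for, including the gateway's.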
4.3 OpenVPN PC client
Download the OpenVPN client from here and install it.
Start the OpenVPN GUI Client. You will see an icon in the taskbar.
Right-click the icon and choose Import file. Navigate to the management_client.ovpn file and open it.
Make sure to go into the OpenVPN menu again and press “Connect” (it will not initiate automatically).
If everything is set up properly there will be a connection log window that will disappear after the procedure runs through (refer to Figure 8).
The OpenVPN icon should now be green (Figure 9), meaning the connection has succeeded.
You can check which clients are currently connected to the OpenVPN Server and their corresponding IP addresses by executing the following command in your Ubuntu console:
sudo nano /etc/openvpn/server/ip_pool.txt
There should be only one client and its IP address visible now. This is the PC connected to the OpenVPN server. Later, the gateway should also be visible.
5 Setup OpenVPN client on LoRa gateway
The procedure for generating the keys for the gateway is the same as the one for the management PC, except that a different client name is used.
Go through Section 4.1 and Section 4.2 again and repeat the procedure, not forgetting to replace the “management” name we used for the client with the one for the gateway. We have used “rak7258-001”.
Once you have assembled your certificates into a single file you need to import the contents into the OpenVPN client section of your gateway.
5.1 Log into the Gateway via the Web UI (locally)
Make sure you still have local network access to your gateway and connect to it to open the Web UI.
Go to Services > OpenVPN Tunnels in the sidebar menu. Enter a name and choose “Custom OpenVPN Configuration” from the drop-down menu. Finalize by pressing the “Add” button. Use Figure 11 as a reference.
In the next window, simply copy and paste the content of the file you created at the beginning of Section 5, then “Save & Apply” (Figure 12).
Finally, as shown in Figure 13, go back to the OpenVPN Tunnels section, flip the “Enable” switch into the on state and “Save & Apply.” This will finalize things and the gateway should now be connected to the OpenVPN Server. The process might take a few minutes to complete.
Check again in the client list file on the OpenVPN server for the IP address of the gateway:
sudo nano /etc/openvpn/server/ip_pool.txt
The gateway's IP address should appear as the second entry.
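The check above (and the same one for the PC in Section 4.3) reads ip_pool.txt, which ifconfig-pool-persist rewrites only periodically (every 600 seconds by default), so a client that connected a moment ago can be missing from it, while a client listed there may have disconnected long ago. The status file written by the server config's status directive is the live view. The script below is an added example, not part of the tutorial: it lists the clients from the status file and joins each with the address recorded for it in ip_pool.txt, so one command shows who is connected, from which real address, and which 10.0.8.x address to use for SSH or the Web UI. Function names, the output format and the constructed sample files are assumptions; the sample includes a freshly connected client that the pool file has not recorded yet.

```shell
#!/bin/sh
# Added example (not from the RAK tutorial): join the OpenVPN status log with
# ip_pool.txt. Function names and the constructed sample files are assumptions.

# vpn_clients [status_file] [pool_file]
# Prints "common_name real_address pool_ip" per connected client, with "-" when
# the pool file has no entry for that name yet.
vpn_clients() {
    status_file="${1:-/var/log/openvpn-status-server.log}"
    pool_file="${2:-/etc/openvpn/server/ip_pool.txt}"
    awk -F, '
        # first file is the pool: "common_name,ip" per line (may be empty)
        FILENAME == ARGV[1] { if (NF >= 2) pool[$1] = $2; next }
        # second file is the status log; only the CLIENT LIST block is a client table
        /^OpenVPN CLIENT LIST/ { in_clients = 1; next }
        /^ROUTING TABLE/       { in_clients = 0 }
        in_clients && NF >= 5 && $1 != "Common Name" {
            ip = ($1 in pool) ? pool[$1] : "-"
            print $1, $2, ip
        }
    ' "$pool_file" "$status_file"
}

# Number of connected clients (useful in a monitoring check).
vpn_client_count() { vpn_clients "$@" | wc -l | tr -d ' '; }

# Connected clients that have no persisted pool address yet.
vpn_clients_without_pool() { vpn_clients "$@" | awk '$3 == "-" { print $1 }'; }

# Constructed sample data: two recorded clients plus one that connected after
# the pool file was last written.
make_sample_status_files() {
    dir=$(mktemp -d)
    cat > "$dir/ip_pool.txt" <<'EOF'
management,10.0.8.11
rak7258-001,10.0.8.12
EOF
    cat > "$dir/openvpn-status-server.log" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jan  1 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
management,203.0.113.5:51234,48213,90341,Mon Jan  1 09:40:12 2024
rak7258-001,198.51.100.7:1194,1201,2290,Mon Jan  1 09:55:03 2024
new-device,198.51.100.9:1194,312,540,Mon Jan  1 09:59:40 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
    echo "$dir"
}

# Run with VPN_DEMO=1 to list the sample data; without arguments the functions
# read the paths from the server configuration above.
if [ -n "${VPN_DEMO:-}" ]; then
    d=$(make_sample_status_files)
    vpn_clients "$d/openvpn-status-server.log" "$d/ip_pool.txt"
fi
```

On the server, `sudo sh -c '. ./vpn-clients.sh; vpn_clients'` is enough, since the default paths are the ones from config.ovpn; a name that shows "-" simply needs the next pool flush (or a restart of OpenVPN, which writes the file on shutdown) before ip_pool.txt catches up.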
5.2 Log into the Gateway (remotely)
You can now log into the gateway using the IP address (Figure 14) assigned to it by the OpenVPN server. This address can be used for an SSH2 connection, the Web UI (via a browser), and many other applications.
This concludes the tutorial. You can now use your private IoT network with the protection that OpenVPN brings. However, a VPN alone is not enough: protect your networks by also being mindful of the data you share. Your data sits at the core of every connection you build in IoT, so choose carefully what you publish and what you keep confidential.