Connect DietPi (Raspberry Pi) to an OpenVPN server on Google Cloud

Is there any way we can connect DietPi to a cloud-based OpenVPN server? I have configured my OpenVPN server on Google Cloud. Now I need a VPN client for my Raspberry Pi running DietPi. I am able to connect my Android phone to my cloud server, but I am confused about how I can add the *.ovpn file to my DietPi so that it will connect to the cloud OpenVPN server. Please guide me or point me in the right direction.
The main reason for this process: I have DietPi running the Home Assistant software, and I want to access the Home Assistant web page on my Android phone (outside the LAN). I also do not want to open a port on my router, as I am scared of that. So I installed OpenVPN on the cloud, and my cell phone is able to connect to it. Now I want to connect my Home Assistant (DietPi) to the cloud server. With that, my cell phone will be able to access Home Assistant directly, as both are internally connected through a secured VPN connection.
Thanks

Hi,
Small question for clarification: so you would like to connect from your mobile phone to your Home Assistant that is running on your DietPi system at your home? Correct? Do you have other use cases that you would like to have implemented, or is the access to Home Assistant the only one?

Because if this is the only reason, then you don’t need a VPN server somewhere on a cloud installation. You could easily install a VPN server next to your Home Assistant installation. That would make things easier and save some money. For this you would have multiple options on DietPi. There are various VPN servers available.

I personally use a WireGuard VPN server to connect to my home. It’s working perfectly on all my mobile devices like Win10 laptop, Android phones as well as iPhones.

If I used OpenVPN on my local machine, I would have to open a port on my router, which I do not want. My cloud VPS is spare from my past usage, so whether it is idle or used for this purpose, it costs me the same. But with my approach I do not need to open a port on my router. The Home Assistant Pi is connected to the cloud OpenVPN server, and so is my Android phone. So basically this method gives me a virtual cloud router with limited devices. Even if it is hacked, it does not affect me directly. My iptables rules.v4 is below. Please suggest what alterations I need to make here. Thanks.

=====================================
nano /etc/iptables/rules.v4 (for dietpi raspberry)

# Generated by iptables-save v1.8.2 on Sun Jan 12 19:06:35 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
COMMIT
# Completed on Sun Jan 12 19:06:35 2020
# Generated by iptables-save v1.8.2 on Sun Jan 12 19:06:35 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
:POSTROUTING ACCEPT [1:184]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Jan 12 19:06:35 2020



And my Google Cloud rules.v4 is as follows:

================================================
nano /etc/iptables/rules.v4 (for google cloud)

# Generated by iptables-save v1.6.0 on Fri Jan 10 01:16:28 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 10 01:16:28 2020
# Generated by iptables-save v1.6.0 on Fri Jan 10 01:16:28 2020
*filter
:INPUT ACCEPT [42XX:79XXXXX] (XXX: I replaced these so as not to show them in public)
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40XX:37XXXXX] (XXX: I replaced these so as not to show them in public)
COMMIT
# Completed on Fri Jan 10 01:16:28 2020

I adopted the following procedure and am stuck near the final goal:

  • Created one client.ovpn file from the cloud OpenVPN server
  • Copied it to /etc/openvpn.ovpn and renamed it client.conf (on the DietPi Raspberry Pi), which I want to make a client of the OpenVPN server
  • Made a service, started it and set it to autorun
  • In htop I am able to see client.service working
  • With the command "ip a | grep tun" I am able to see TUN0
  • With the command "route -n":
    ==============================
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
    10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
    10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    ========================================
  • From the cloud I know the system reserves the IP address 10.8.0.3 for this line
  • When I give the command 'ping 10.8.0.3', the system sends data but never receives anything (this command was run with PuTTY on the DietPi Raspberry Pi)
  • My OpenVPN cloud server: the command 'ping 10.8.0.1' works OK (this command was run with PuTTY on the DietPi Raspberry Pi)
  • My cell phone: the command 'ping 10.8.0.2' works OK (this command was run with PuTTY on the DietPi Raspberry Pi)
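
The routing table in the post above lists 10.8.0.0/24 on both tun0 and tun1, so traffic for the VPN subnet may leave through a tunnel other than the one connected to the cloud server. As an added example (not part of the original thread), this shell function flags such overlaps in `route -n` output; the function name `overlapping_routes` is made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# Reads `route -n` output on stdin and prints "dest/mask: ifaces" for every
# destination that is routed through more than one interface.
overlapping_routes() {
    awk '
        # Data rows start with a dotted-quad destination; header lines do not.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF >= 8 {
            key = $1 "/" $3
            if (!(key in ifaces)) order[++n] = key
            # Record each interface once per destination.
            if (index(" " ifaces[key] " ", " " $8 " ") == 0)
                ifaces[key] = (ifaces[key] == "" ? $8 : ifaces[key] " " $8)
            count[key] = split(ifaces[key], tmp, " ")
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print order[i] ": " ifaces[order[i]]
        }
    '
}

# Routing table copied from the post above.
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0'

printf '%s\n' "$SAMPLE_ROUTES" | overlapping_routes
# On a live system: route -n | overlapping_routes
```

When an overlap is reported, `ip route get 10.8.0.3` on the Pi shows which interface the kernel actually picks for that address.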

So, if you are connected to your DietPi system you are able to ping your Cloud server as well as your mobile, right?
And if you are logged in to your Cloud server, how does it look there? Which connections are you able to see? From your Cloud server, are you able to ping your DietPi system?

From my cloud side, via SSH commands:

10.8.0.1 ping command works (cloud server itself and Pi-hole on the cloud server)
10.8.0.2 ping command does not work (my Android phone connected through the OpenVPN client)
10.8.0.3 ping command works (Raspberry Pi in question)

Also, on the cloud server OpenVPN and Pi-hole are both installed. In the Pi-hole log I am able to see the client (10.8.0.3).


My overall goal to achieve (with no port opening in the home modem/router):

If I am out of my LAN and start the OpenVPN app, I am able to see my Home Assistant home web page and check status etc.

Pi-hole filters all advertisements from my web surfing (this is working perfectly at this time), as well as securing my surfing through the VPN tunnel on public networks.

Does this command make any difference?

echo 1 > /proc/sys/net/ipv4/ip_forward

as per the OpenVPN guidelines

https://community.openvpn.net/openvpn/wiki/265-how-do-i-enable-ip-forwarding

OR

Maybe there is a need to fine-tune ethernet or tun0 in iptables rules.v4, like

:POSTROUTING ACCEPT [1:184]
-t nat -A POSTROUTING -o tun0 -j MASQUERADE

The existing one is:


:POSTROUTING ACCEPT [1:184]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Can any expert tell me what is best for my scenario?

Some guidelines are here, but I am confused now:
https://ephams.com/2019/02/turns-your-raspberry-pi-into-a-vpn-gateway/

It might be better to have this question raised within an OpenVPN forum as it looks more like a VPN server configuration problem than a DietPi one. As you said, DietPi is able to connect to the VPN Server and the VPN server is able to reach DietPi.
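
Both rules.v4 files posted in this thread leave every filter chain at policy ACCEPT with no rules, so the host firewall itself filters nothing on either the Pi or the cloud server. As an added example (not from the thread), this shell function reads a rules.v4 file and lists the INPUT and FORWARD chains in that state; the function name `open_chains` is made up, and the sample input is the DietPi file as posted.

```shell
#!/bin/sh
# Added example, not from the thread.
# Reads an iptables-save / rules.v4 file on stdin and prints the filter-table
# chains (INPUT, FORWARD) whose policy is ACCEPT and that contain no rules.
open_chains() {
    awk '
        /^\*/ { table = substr($1, 2); next }    # table header, e.g. "*filter"
        table != "filter" { next }               # ignore nat and other tables
        /^:/ {                                   # chain policy, e.g. ":INPUT ACCEPT [0:0]"
            name = substr($1, 2)
            policy[name] = $2
            order[++n] = name
            next
        }
        $1 == "-A" { rules[$2]++ }               # count rules per chain
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                if ((c == "INPUT" || c == "FORWARD") && policy[c] == "ACCEPT" && !rules[c])
                    print c
            }
        }
    '
}

# rules.v4 of the DietPi Raspberry Pi, copied from the thread.
PI_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
:POSTROUTING ACCEPT [1:184]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

printf '%s\n' "$PI_RULES" | open_chains
# On a live system: open_chains < /etc/iptables/rules.v4
```

On the cloud server, Google Cloud VPC firewall rules may still filter traffic before it reaches the host, so an open chain here means only that iptables adds no restriction of its own.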