[mythtv-users] controlling mythtv via mythweb and command line remotely

Stephen Worthington stephen_agent at jsw.gen.nz
Sat Dec 24 16:07:48 UTC 2022


On Sat, 24 Dec 2022 10:09:02 -0500, you wrote:

>For the last few years I've been controlling my MythTV backend remotely but
>using the built-in OpenVPN Server on my TP-Link Archer AX50 WiFi 6 router.
>All I had to do was set up a DDNS service with TP-Link and turn on the VPN
>on the router. It generated a config file that I put on each client that
>needed to run Openvpn and connect.  I can do that now with my Android phone
>and Dell laptop running W11 or Linux Mint 21.1
>
>I tried this on an Endeavour OS laptop (Archlinux based) and discovered that
>Arch openvpn and openssl have moved to a version that is not compatible with
>my 1 year old router's version of Openvpn. I can't easily make this work.
>
>So I thought about an alternative solution. What about putting an Openvpn
>server on the same server that is running MythTV backend? It is also the
>same server that contains all my shared network files and is set up as a
>cifs/smb server as my NAS for the home. This is the box I want to talk to
>when I'm not at home.
>
>I'm guessing I'd turn off the VPN server on the router and set up port
>forwarding to forward only 1194 UDP packets to the Mythtv server once
>Openvpn is set up on it.
>
>From a security point of view, I'd imagine that the Port forwarding port of
>the router is more secure than an old out of date VPN server.
>
>That way openvpn on the Mythtv server would be updated whenever Ubuntu
>updates it and the same with the clients.
>
>Thoughts and guidance please.
>
>Jim A

That is exactly the setup I have always used with my OpenVPN server on
my Ubuntu MythTV box.  It works well, and also allows you the option
of doing layer 2 connections where your connected devices will get the
broadcast traffic from your home network and can then get IPv6 RA
packets and so on and will get an IPv6 connection automatically.  And
packets announcing the availability of SMB servers, and anything else
that relies on broadcast traffic.  I actually run one layer 2 OpenVPN
server and also a layer 3 one for devices that can not do layer 2. You
do still need to keep an eye on the OpenVPN version as the packages
for your distro can occasionally be a bit out of date.  I had to use
an OpenVPN PPA to get up-to-date packages for Ubuntu 18.04, but 20.04
and 22.04 seem to be tracking the latest OpenVPN version.

The configuration of an OpenVPN server needs to be done carefully -
there are heaps of possible settings and a lot of them are insecure.
There are good web pages to advise on the safe settings, but you need
to make sure that you read about each recommended setting individually
and get them all right.  And review them every couple of years -
cryptography is a moving target and what was secure 10 years ago is
now easily broken by a modern PC.

I would never recommend using a router's OpenVPN unless it was
automatically kept up to date, including the choices of settings.  Or
you had to manually configure all the settings.  Just clicking a
button to create a setup is not good enough.  Just one bad setting
will make it insecure.

If you do not want layer 2, then you can use Wireguard instead of
OpenVPN.  Wireguard is also very secure and much easier to configure.
Due to its simplicity and careful implementation, it is generally
capable of significantly higher throughput than OpenVPN on the same
hardware.  It is also generally considered to be safe to use on a
router, and router Wireguard implementations can sometimes be using a
router's cryptographic hardware to get even greater throughput.  But
for best throughput, a big CPU as on a modern PC is still best.
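
A sketch of the periodic settings review described above, as an added example that is not part of the original message or of any OpenVPN tooling: it checks a server config for a few directive values commonly treated as weak. The sample configs, the finding names and the choice of checks are assumptions made for illustration, not a complete hardening list.

```python
import re
# Constructed sample configs for illustration; not taken from the thread.
WEAK_CONF = """\
cipher BF-CBC
auth MD5
comp-lzo
tls-version-min 1.0
"""
BETTER_CONF = """\
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
tls-crypt ta.key
"""

# 64-bit-block or null ciphers, and digests no longer recommended.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "NONE"}
CIPHER_KEYS = ("cipher", "data-ciphers", "ncp-ciphers", "data-ciphers-fallback")

def parse(conf):
    """Map each directive to its argument list, dropping # and ; comments."""
    opts = {}
    for raw in conf.splitlines():
        words = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if words:
            opts[words[0]] = words[1:]
    return opts

def audit(conf):
    """Return a sorted list of finding ids for settings worth reviewing."""
    o, found = parse(conf), set()
    for key in CIPHER_KEYS:
        names = ":".join(o.get(key, [])).upper().split(":")
        if WEAK_CIPHERS & set(names):
            found.add("weak-cipher")
    if (o.get("auth") or [""])[0].upper() in WEAK_DIGESTS:
        found.add("weak-auth-digest")
    if "comp-lzo" in o and o["comp-lzo"][:1] != ["no"]:
        found.add("compression-enabled")
    if (o.get("compress") or [""])[0] not in ("", "stub", "stub-v2", "migrate"):
        found.add("compression-enabled")
    tls_min = (o.get("tls-version-min") or ["0"])[0]  # "0" stands for unset
    if tuple(map(int, tls_min.split("."))) < (1, 2):
        found.add("tls-min-below-1.2-or-unset")
    if not {"tls-auth", "tls-crypt", "tls-crypt-v2"} & o.keys():
        found.add("no-control-channel-key")
    return sorted(found)

print(audit(WEAK_CONF))
```

An empty result only means none of these particular checks fired; each setting still needs to be read up on individually.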

