This guide will install Airprint and OpenVPN allowing you to use AirPrint from one local network to a remote network over a VPN connection. You must be on a local network running the VPN server, however your iOS device does not need to be on the VPN network to access the printer(s).
Install the software.
sudo apt-get update sudo apt-get install cups cups-pdf openvpn sudo usermod -aG lpadmin pi #Do not use for Ubuntu sudo /etc/init.d/cups start sudo nano /etc/cups/cupsd.conf
The line that reads “Listen localhost:631” needs to be changed to “Port 631”
“Allow All” needs to be added right be to the line that reads “Order allow,deny” in one place, “Restrict access to server…”
“Allow @Local” needs to be added right below the lines that read “Order allow,deny” in two places:
- Restrict access to the admin pages…
- Restrict access to configuration files…
Hit <control-x> to exit nano editor and enter line below to restart cups.
sudo /etc/init.d/cups restart
You can now use a web browser to configure and manage printers. Enter the IP address of your Raspberry Pi into your browsers address bar followed by “:631”.
Select the Administration page and be sure server settings are set as shown below. Enter your username and password if asked and ignore the warning message if there is one.
Before we do too much more printer setup though we might want to finish setting up the VPN connection. The keys, certificates and configuration files need to be generated on one computer and then moved to each computer securely. The key generation computer does not need to be any one in particular and doesn’t even need to be one that is actually going to use the VPN. On my last install, I had problems downloading easy-rsa directly so I just manually downloaded easy-rsa-master.zip from https://github.com/OpenVPN/easy-rsa/tree/release/2.x and placed everything in the “2.0” folder in the /etc/openvpn/easy-rsa directory using ftp. You may choose to clone the git instead or run easy-rsa from another platform. Tunnelblick on the Mac (The latest beta required for Mavericks) comes with easy-rsa installed. You can access it by opening the “VPN Details…” menu from Tunnelblicks menu, clicking the Utilities icon, and then clicking “Open easy-rsa in Terminal.” On the Pi or Ubuntu, I use “sudo bash” to make sure I have access to run the scripts, however I don’t think this is necessary if using a Mac with Tunnelblick. Use “cd” to get to the easy-rsa directory if needed.
sudo nano vars
Change “KEY_SIZE” to 2048 and edit the export fields at the end of the file to set the defaults for when you build your keys. When you run the build key scripts, you will be prompted to enter each item. You can just hit enter if you want to use the default value. You need to answer “y” to the last two prompts.
source vars ./clean-all ./build-ca ./build-key-server server ./build-dh openvpn --genkey --secret ta.key
Then build keys for every client you want to connect to your server. Use a unique “clientName” each time you build a key.
./build-key clientName ./build-key-pass clientName2 #For password protected keys.
port 1194 proto udp dev tun ca /etc/openvpn/ca.crt cert /etc/openvpn/server.crt key /etc/openvpn/server.key dh /etc/openvpn/dh2048.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-config-dir ccd client-to-client keepalive 10 120 tls-auth ta.key 0 cipher AES-256-CBC comp-lzo ;user nobody ;group nogroup persist-key persist-tun status openvpn-status.log verb 3 mute 20
client.conf file. Edit “your.server.ip” and “YourClient” to match the names of your files and the domain name of your server:
client dev tun proto udp remote your.server.ip 1194 resolv-retry infinite nobind ;user nobody ;group nogroup persist-key persist-tun ca ca.crt cert YourClient.crt key YourClient.key ns-cert-type server tls-auth ta.key 1 cipher AES-256-CBC comp-lzo verb 3
Copy server.conf, server.key, server.crt, ca.crt, dh2048.pem, and ta.key to /etc/openvpn on the server.
Copy YourClient.conf, YourClient.key, YourClient.crt, ca.crt, and ta.key to /etc/openvpn on each of your clients. You should have generated unique .key and .crt files for each one. For some reason I had to use the following command to get OpenVPN working on the clients, then exit OpenVPN with which stopped the connection. Then the command used on the server would work to get the clients working. I’m not sure but it may have had something to do with the different names on the configuration files.
sudo OpenVPN client.conf #using the name of your .conf file
You need to make sure your clients IP address on the VPN network does not change so you can always reliably connect to the printers, so create a directory in your /etc/openvpn directory called ccd
sudo mkdir /etc/openvpn/ccd
Into this directory you are going to put a file for each client hosting printers matching the client name.
sudo nano /etc/openvpn/ccd/YourClient
Into the first file put:
ifconfig-push 10.8.0.101 10.8.0.102
The next file will be:
ifconfig-push 10.8.0.105 10.8.0.106
allocating 4 IP addresses for each assigned address. Use “sudo service restart” to first restart your server and then your clients.
We can now finally configure the printers, so open the cup web configuration page by going to the IP address of one of the computers/Raspberry Pis that has a printer connected or a wireless printer on the same local network. Add your printers by clicking the Administration page and then clicking add printer. Ignore the warning message. You will need to use your user password to add the printer. Remember to set the printer as shared. Drivers take a long time to list on the Raspberry Pi, so be patient. Once you have completed this, you will be able to use AirPrint, and Printing from desktop/laptop computers locally, but we need to configure more for this to work over the VPN connection.
Connect to one of the remote computers cups interface the same as the local one. When you add the printer, select “Internet Printing Protocol (http).” The printers address will be something like this:http://10.8.0.101:631/printers/Your_Officejet
…where “YourOfficejet” is the name of the printer hosted on 10.8.0.101.
Once this printer has been added to the remote network, you will be able to AirPrint remotely even if the iOS device is not signed in to the VPN itself. You can still download the iOS OpenVPN client if you wish to use it for other purposes, but it is not necessary. Printing using a Raspberry Pi as a print server is slower, relaying through two over the internet, even slower, so this is not likely to be useful for very large documents.
Helpful hint 1: If you have a printer connected to an Airport Express or Extreme, you will be able to add the printer, however printing will always fail. To add one of these printers locally the address will look something like this:socket://10.0.1.1:9100
…where 10.0.1.1 should be the IP address of your own Airport Express/Extreme. The addressing set on the remote computer will however be set the same as first shown, since you will be relaying it to the other print server.
Helpful hint 2: After you have confirmed that the VPN is working properly, you can remove the semicolons in the configuration files, before “group nogroup” and “user nobody” on non Windows systems to improve security a bit.
My currently running configuration uses a Next Unit of Computing running Ubuntu as the main server with a few Raspberry Pi clients. Using faster client computers might help with printing speed, however my current configuration seems to work fast enough for me. ?
This post was written by Tom