@asonnino
Last active October 16, 2022 13:17
Setup a VPN router on Raspbian.

Useful Resources:

NOTE: The Raspberry Pi may take a long time to reboot (about 5 minutes) after this installation.

1. Install OpenVPN

sudo apt install openvpn
sudo systemctl enable openvpn

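Create a file /etc/openvpn/auth with only the following two lines (the # annotations are explanatory and must not be written to the file, because OpenVPN reads each line in full as the credential):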

USERNAME # Your openvpn username.
PASSWORD # Your openvpn password.

Then, restrict access:

sudo chmod 600 /etc/openvpn/auth

Upload your OpenVPN configuration file <FILENAME>.ovpn to /etc/openvpn/. Open that file and replace auth-user-pass with auth-user-pass /etc/openvpn/auth, then make the configuration file automatically discoverable by openvpn:

sudo mv /etc/openvpn/<FILENAME>.ovpn /etc/openvpn/<FILENAME>.ovpn.conf

The above method works for ProtonVPN; the configuration files of other VPN providers may require you to specify the path to certificates (ProtonVPN embeds its certificate in its configuration files).

2. Set up a WiFi hotspot

sudo apt install hostapd dnsmasq
sudo DEBIAN_FRONTEND=noninteractive apt install -y netfilter-persistent iptables-persistent
sudo systemctl unmask hostapd
sudo systemctl enable hostapd

Open /etc/dhcpcd.conf and insert the following lines at the end of the file:

interface wlan0
    static ip_address=192.168.4.1/24
    nohook wpa_supplicant

Insert the following lines into /etc/sysctl.d/routed-ap.conf:

# https://www.raspberrypi.org/documentation/configuration/wireless/access-point-routed.md
# Enable IPv4 routing
net.ipv4.ip_forward=1

Update the iptables rules:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

and persist the changes:

sudo netfilter-persistent save
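
The following check is an added example, not part of the original gist: it reads the output of `iptables -S FORWARD` and reports whether a packet from the hotspot interface could be forwarded out of an interface other than tun0, for instance when the tunnel is down. The function name, the uplink name eth0 and both sample rule sets are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the gist. Reads `iptables -S FORWARD` text on stdin
# and prints "vpn-only" or "leak-possible" for a packet entering on $1 (hotspot)
# and leaving on $2 (non-VPN uplink; "eth0" is an assumed name).
audit_forward() {
    awk -v lan="${1:-wlan0}" -v wan="${2:-eth0}" '
    # Does the -i/-o option of this rule match interface ifc?
    function if_match(flag, ifc,   i) {
        for (i = 2; i < NF; i++)
            if ($i == flag)
                return ($(i - 1) == "!") ? ($(i + 1) != ifc) : ($(i + 1) == ifc)
        return 1    # option absent: the rule applies to any interface
    }
    function target(   i) {
        for (i = 2; i < NF; i++) if ($i == "-j") return $(i + 1)
        return ""
    }
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    $1 == "-A" && $2 == "FORWARD" && verdict == "" {
        if (!if_match("-i", lan) || !if_match("-o", wan)) next
        t = target()
        narrowed = ($0 ~ / -(m|p|s|d) /)   # rule only covers some packets
        # Any ACCEPT on this path can leak; only an unconditional DROP closes it.
        if (t == "ACCEPT") verdict = "leak-possible"
        else if ((t == "DROP" || t == "REJECT") && !narrowed) verdict = "vpn-only"
    }
    END {
        if (verdict == "") verdict = (policy == "DROP") ? "vpn-only" : "leak-possible"
        print verdict
    }'
}

# Constructed sample: the FORWARD chain that results from the three rules above.
GIST_RULES='-P FORWARD ACCEPT
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT'

# Constructed sample: the same chain with the default policy changed to DROP.
STRICT_RULES='-P FORWARD DROP
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT'

printf '%s\n' "$GIST_RULES" | audit_forward
printf '%s\n' "$STRICT_RULES" | audit_forward
# On the router itself: sudo iptables -S FORWARD | audit_forward
```

The first sample is reported as leak-possible because the FORWARD policy is left at ACCEPT, so packets that match neither rule are still forwarded. Running `sudo iptables -P FORWARD DROP` before `sudo netfilter-persistent save` makes the two ACCEPT rules the only forwarding paths.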

Keep the original /etc/dnsmasq.conf as a backup by renaming it:

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

Then insert the following lines into a new /etc/dnsmasq.conf:

interface=wlan0 # Listening interface
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h
                # Pool of IP addresses served via DHCP
domain=wlan     # Local wireless DNS domain
address=/gw.wlan/192.168.4.1
                # Alias for this router

Make sure the WiFi card is unblocked:

sudo rfkill unblock wlan

Insert the following lines into /etc/hostapd/hostapd.conf. Note there cannot be quotes around the SSID or password.

interface=wlan0
hw_mode=a
channel=36
ieee80211d=1
country_code=GB
ieee80211n=1
ieee80211ac=1
wmm_enabled=1

auth_algs=1
wpa=2


ssid=<YOUR SSID>
wpa_passphrase=<YOUR PASSWORD>

3. Reboot

sudo systemctl reboot