@cfstras
Last active June 16, 2021 21:12

Setting up an OpenVPN Raspberry Pi for client devices

Install nbnsd

So you can find your host via NetBIOS later on:

wget https://github.com/cfstras/nbnsd/releases/download/v1.1/nbnsd.arm -O /usr/bin/nbnsd
chmod a+x /usr/bin/nbnsd
wget https://raw.githubusercontent.com/cfstras/nbnsd/master/nbnsd.service -O /etc/systemd/system/nbnsd.service
systemctl daemon-reload
systemctl enable --now nbnsd

Install stuff

apt-get update && apt-get install -y openvpn hostapd

Enable forwarding

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/99-sysctl.conf
sysctl -w net.ipv4.ip_forward=1

Set a static IP for your device

cat >> /etc/network/interfaces <<EOF
auto eth0
iface eth0 inet static
	address 192.168.0.3/24
	gateway 192.168.0.1
	# ifupdown has no "nameserver" option; dns-nameservers is read by the resolvconf hook
	dns-nameservers 8.8.8.8

auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
	address 10.99.0.1/24
EOF

systemctl restart networking
systemctl disable --now NetworkManager

Set up Wi-Fi AP

systemctl disable --now wpa_supplicant.service

echo 'DAEMON_CONF="/etc/hostapd/hostapd.conf"' >> /etc/default/hostapd
cat >> /etc/hostapd/hostapd.conf <<EOF
interface=wlan0
hw_mode=g
channel=11
ieee80211d=1
country_code=DE
ieee80211n=1
wmm_enabled=1

ssid=YOUR WIFI SSID
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# WPA2 pre-shared key, 8 to 63 ASCII characters
wpa_passphrase=WIFI PASSWORD

ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
logger_syslog_level=2
EOF

systemctl enable --now hostapd

Configure dnsmasq for DHCP

apt-get install -y dnsmasq
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
cat > /etc/dnsmasq.conf <<EOF
interface=eth0           # Also serve DNS to clients on ethernet
interface=wlan0          # Use interface wlan0 mainly
listen-address=10.99.0.1 # Explicitly specify the address to listen on
bind-interfaces          # Bind to these interfaces so we don't answer on anything else
server=1.1.1.1           # specify your VPN provider's DNS servers here
server=1.0.0.1
domain-needed            # Don't forward short names (from LAN)
bogus-priv               # Never forward reverse lookups for private address ranges
dhcp-range=10.99.0.10,10.99.0.150,30d   # DHCP range for WiFi clients, 30-day lease
no-resolv                # don't read resolv.conf
local-service            # only answer DNS queries from local subnets
EOF
systemctl enable --now dnsmasq
systemctl restart dnsmasq   # dnsmasq was already running with the old config after install

Configure NAT

apt-get install -y iptables-persistent
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

iptables-save > /etc/iptables/rules.v4
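The rules above leave the FORWARD chain at its default ACCEPT policy, so nothing stops a client flow from being forwarded out eth0 unencrypted once tun0 disappears. The following added Python (not part of the gist) models the gist's four FORWARD rules, shows the verdict for a new wlan0-to-eth0 flow under ACCEPT versus DROP (what iptables -P FORWARD DROP before iptables-save would give you), and renders the equivalent /etc/iptables/rules.v4 file; the simplified first-match model that only looks at interfaces and conntrack state is an assumption of this example.

```python
from collections import namedtuple

# One FORWARD-chain rule: interface matches, optional conntrack states, target.
Rule = namedtuple("Rule", "in_if out_if states target")
REPLY = frozenset({"RELATED", "ESTABLISHED"})

# The four FORWARD rules from the gist above, in the order they were appended.
GIST_FORWARD = [
    Rule("tun0", "wlan0", REPLY, "ACCEPT"),
    Rule("wlan0", "tun0", None, "ACCEPT"),
    Rule("tun0", "eth0", REPLY, "ACCEPT"),
    Rule("eth0", "tun0", None, "ACCEPT"),
]

def forward_verdict(rules, policy, in_if, out_if, state):
    """First matching rule wins, as in netfilter; the chain policy applies otherwise."""
    for r in rules:
        if r.in_if is not None and r.in_if != in_if:
            continue
        if r.out_if is not None and r.out_if != out_if:
            continue
        if r.states is not None and state not in r.states:
            continue
        return r.target
    return policy

def render_rules_v4(rules, policy):
    """Emit an iptables-restore file (the format of /etc/iptables/rules.v4) for these rules."""
    out = ["*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
           ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]",
           "-A POSTROUTING -o tun0 -j MASQUERADE", "COMMIT", "*filter",
           ":INPUT ACCEPT [0:0]", ":FORWARD %s [0:0]" % policy, ":OUTPUT ACCEPT [0:0]"]
    for r in rules:
        parts = ["-A FORWARD"]
        if r.in_if:
            parts += ["-i", r.in_if]
        if r.out_if:
            parts += ["-o", r.out_if]
        if r.states:
            parts += ["-m", "state", "--state", ",".join(sorted(r.states))]
        parts += ["-j", r.target]
        out.append(" ".join(parts))
    out.append("COMMIT")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # A new client flow the kernel would route out eth0 once tun0 is gone:
    for policy in ("ACCEPT", "DROP"):
        print(policy, "policy ->", forward_verdict(GIST_FORWARD, policy, "wlan0", "eth0", "NEW"))
    print(render_rules_v4(GIST_FORWARD, "DROP"))
```

Load the rendered file with iptables-restore (or write it to /etc/iptables/rules.v4 for iptables-persistent) and the Pi's own OUTPUT chain still needs the same treatment if you want dnsmasq's upstream DNS queries confined to the tunnel too.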

Configure OpenVPN

Now copy your OpenVPN config files into /etc/openvpn/client/. Hint: add the line auth-user-pass auth.txt to the config, and create a file auth.txt in the same directory with two lines (username and password).

Assuming your file is called ${CONFIG}.conf:

systemctl enable --now openvpn-client@$CONFIG

You're Done!

Configure your Clients

You can connect clients in one of two ways:

  1. Simply connect to the WiFi. Easy, but not very fast (depending on your Pi)

  2. Connect them via ethernet cable. Give them this manual IP config:

    • IP: 192.168.0.x (any free address in the range, except .1, which is the router, and .3, which is the Pi)
    • Subnet Mask: 255.255.255.0
    • Gateway: 192.168.0.3
    • DNS: 192.168.0.3