Raspberry Pi VPN Router

This is a quick-and-dirty guide to setting up a Raspberry Pi as a "router on a stick" to PrivateInternetAccess VPN.

Requirements

Install Raspbian Jessie (2016-05-27-raspbian-jessie.img) to your Pi's sdcard.

Use the Raspberry Pi Configuration tool or sudo raspi-config to:

  • Expand the root filesystem and reboot
  • Boot to commandline, not to GUI
  • Configure the right keyboard map and timezone
  • Configure the Memory Split to give 16Mb (the minimum) to the GPU
  • Consider overclocking to the Medium (900MHz) setting on Pi 1, or High (1000MHz) setting on Pi 2

IP Addressing

My home network is set up as follows:

  • Internet Router: 192.168.1.1
  • Subnet Mask: 255.255.255.0
  • Router gives out DHCP range: 192.168.100-200

If your network range is different, that's fine: use your own network range instead of mine.

I'm going to give my Raspberry Pi a static IP address of 192.168.1.2 by configuring /etc/network/interfaces like so:

auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 8.8.4.4

You can use WiFi if you like; there are plenty of tutorials around the internet for setting that up, but this should do:

auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet manual

auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
    wpa-ssid "Your SSID"
    wpa-psk  "Your Password"
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 8.8.4.4

You only need one connection into your local network, don't connect both Ethernet and WiFi. I recommend Ethernet if possible.

NTP

Accurate time is important for the VPN's encryption to work: if the VPN client's clock is too far off, the VPN server will reject the client.

You shouldn't have to do anything to set this up; the ntp service is installed and enabled by default.

Double-check that your Pi is getting the correct time from internet time servers with ntpq -p. You should see at least one peer marked with a +, a * or an o, for example:

$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-0.time.xxxx.com 104.21.137.30    2 u   47   64    3  240.416    0.366   0.239
+node01.jp.xxxxx 226.252.532.9    2 u   39   64    7  241.030   -3.071   0.852
*t.time.xxxx.net 104.1.306.769    2 u   38   64    7  127.126   -2.728   0.514
+node02.jp.xxxxx 250.9.592.830    2 u    8   64   17  241.212   -4.784   1.398

Setup VPN Client

Install the OpenVPN client:

sudo apt-get install openvpn

Download and uncompress the PIA OpenVPN profiles:

wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
sudo apt-get install unzip
unzip openvpn.zip -d openvpn

Copy the PIA OpenVPN certificates and profile to the OpenVPN client:

sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp openvpn/Japan.ovpn /etc/openvpn/Japan.conf

You can use a different VPN endpoint if you like. Note the extension change from .ovpn to .conf.

Create /etc/openvpn/login containing only your username and password, one per line, for example:

user12345678
MyGreatPassword

Change the permissions on this file so only the root user can read it:

sudo chmod 600 /etc/openvpn/login

Set up OpenVPN to use your stored username and password by editing the config file for the VPN endpoint:

sudo nano /etc/openvpn/Japan.conf

Change the following lines so they go from this:

ca ca.rsa.2048.crt
auth-user-pass
crl-verify crl.rsa.2048.pem

To this:

ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem

Test VPN

At this point you should be able to test the VPN actually works:

sudo openvpn --config /etc/openvpn/Japan.conf

If all is well, you'll see something like:

$ sudo openvpn --config /etc/openvpn/Japan.conf 
Sat Oct 24 12:10:54 2015 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  5 2014
Sat Oct 24 12:10:54 2015 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Sat Oct 24 12:10:54 2015 UDPv4 link local: [undef]
Sat Oct 24 12:10:54 2015 UDPv4 link remote: [AF_INET]123.123.123.123:1194
Sat Oct 24 12:10:54 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Oct 24 12:10:56 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]123.123.123.123:1194
Sat Oct 24 12:10:58 2015 TUN/TAP device tun0 opened
Sat Oct 24 12:10:58 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Oct 24 12:10:58 2015 /sbin/ip link set dev tun0 up mtu 1500
Sat Oct 24 12:10:58 2015 /sbin/ip addr add dev tun0 local 10.10.10.6 peer 10.10.10.5
Sat Oct 24 12:10:59 2015 Initialization Sequence Completed

Exit this with Ctrl+C.

Enable VPN at boot

sudo systemctl enable openvpn@Japan

Setup Routing and NAT

Enable IP Forwarding:

echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Set up NAT from the local LAN down the VPN tunnel:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Make the NAT rules persistent across reboot:

sudo apt-get install iptables-persistent

The installer will ask if you want to save the current rules; select Yes.

If you don't select Yes, that's fine; you can save the rules later with sudo netfilter-persistent save.

Make the rules apply at startup:

sudo systemctl enable netfilter-persistent

VPN Kill Switch

This will block outbound traffic from the Pi so that only the VPN and related services are allowed.

Once this is done, the only way the Pi can get to the internet is over the VPN.

This means if the VPN goes down, your traffic will just stop working, rather than end up routing over your regular internet connection where it could become visible.

sudo iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -j DROP

And save so they apply at reboot:

sudo netfilter-persistent save
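The rules above live in the OUTPUT chain, so they only constrain the Pi's own traffic; packets forwarded for LAN clients pass through the FORWARD chain, which this setup leaves at its default ACCEPT policy, so while tun0 is down they follow the Pi's normal route out eth0 (the leak several comments below report). The script below is an added example, not part of the original gist: it generates the complete rule set in iptables-restore format with FORWARD and OUTPUT defaulting to DROP, parameterised on the LAN interface and subnet, and reads the UDP port from the OpenVPN profile so the kill switch matches the endpoint. All function names are this example's own, as is the owner match on the pre-tunnel DNS rules, which assumes openvpn resolves the endpoint as root (the profile has no user directive) and that dnsmasq runs as its own unprivileged user.

```shell
#!/bin/bash
# Added example: a kill switch that covers both the Pi's own traffic (OUTPUT
# chain) and traffic forwarded for LAN clients (FORWARD chain). Function names
# and the owner-match assumption are this example's, not the gist's.

# Read the UDP port from the first "remote <host> <port>" line of an OpenVPN
# profile; fall back to OpenVPN's default of 1194 when no port is given.
vpn_port_from_conf() {
    local conf="$1" port
    port=$(awk '$1 == "remote" { print $3; exit }' "$conf")
    echo "${port:-1194}"
}

# Print an iptables-restore ruleset. Arguments: LAN interface (eth0 or wlan0),
# LAN subnet in CIDR form, UDP port of the VPN endpoint.
killswitch_rules() {
    local lan_if="$1" lan_net="$2" vpn_port="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT LAN clients behind the tunnel address only, never behind the LAN address.
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
# Forwarded traffic is dropped unless it crosses tun0: when the tunnel is down
# nothing in FORWARD accepts it, so clients stall instead of leaking out
# ${lan_if} via the home router.
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i tun0 -o ${lan_if} -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${lan_if} -o tun0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
# The Pi may still talk to the LAN (SSH replies, dnsmasq answers to clients).
-A OUTPUT -o ${lan_if} -d ${lan_net} -m comment --comment "lan" -j ACCEPT
# What the Pi needs on the WAN side before the tunnel exists.
-A OUTPUT -o ${lan_if} -p udp --dport ${vpn_port} -m comment --comment "openvpn" -j ACCEPT
-A OUTPUT -o ${lan_if} -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
# Plain DNS out of ${lan_if} is limited to root so that openvpn can resolve the
# endpoint, while dnsmasq (assumed to run unprivileged) cannot push client
# queries past a tunnel that is down.
-A OUTPUT -o ${lan_if} -p udp --dport 53 -m owner --uid-owner root -m comment --comment "dns" -j ACCEPT
-A OUTPUT -o ${lan_if} -p tcp --dport 53 -m owner --uid-owner root -m comment --comment "dns" -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically and persist it the same way the gist does.
# Arguments: LAN interface, LAN subnet, path to the OpenVPN profile.
apply_killswitch() {
    killswitch_rules "$1" "$2" "$(vpn_port_from_conf "$3")" | sudo iptables-restore \
        && sudo netfilter-persistent save
}

# Usage on the Pi from this guide:
#   apply_killswitch eth0 192.168.1.0/24 /etc/openvpn/Japan.conf
```

Run killswitch_rules on its own first to review the generated rules before loading them; iptables-restore replaces the whole table in one step, so a typo in the subnet can lock you out of SSH.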

If you find traffic on your other systems stops, then look on the Pi to see if the VPN is up or not.

You can check the status and logs of the VPN client with:

sudo systemctl status openvpn@Japan
sudo journalctl -u openvpn@Japan

Configure Other Systems on the LAN

Now we're ready to tell other systems to send their traffic through the Raspberry Pi.

Configure the other systems' network settings as follows:

  • Default Gateway: Pi's static IP address (eg: 192.168.1.2)
  • DNS: Something public like Google DNS (8.8.8.8 and 8.8.4.4)

Don't use your existing internet router (eg: 192.168.1.1) as DNS, or your DNS queries will be visible to your ISP and hence may be visible to organizations who wish to see your internet traffic.

Optional: DNS on the Pi

To ensure all your DNS goes through the VPN, you could install dnsmasq on the Pi to accept DNS requests from the local LAN and forward requests to external DNS servers.

sudo apt-get install dnsmasq

You may now configure the other systems on the LAN to use the Pi (192.168.1.2) as their DNS server as well as their gateway.

Thanks for doing this, Jamie.

vepascal commented Dec 7, 2015

Hi!
Very nice guide, thanks.
It's working very well!!!
Thanks a lot.

Pay attention at the step:
sudo cp openvpn/Japan.ovpn /etc/openvpn/Japan.conf

@vepascal due to the order of this howto, you won't be able to connect to any external servers until you get the VPN started (due to the iptables rules). Just reboot your Pi and then install dnsmasq.

jc1121 commented Jan 13, 2016

I really appreciate this walk through. How do I create /etc/openvpn/login file?

Very nice instructions, worked for me, thank you Jamie.

sictona commented Jan 20, 2016

I find this tutorial the best by far to create a vpn setup on the Raspberry Pi.

I do have one strange thing happen to my setup from time to time though.
My setup is:
Fiber 100/100 ISP provider into the house; an Airport Extreme as router/DHCP server/DNS (connected to 8.8.8.8/8.8.4.4); 2x Apple TV connected by DHCP and a Raspberry on DHCP but with a reserved IP in the range.

This has worked like a charm from the moment I found this tutorial and I don't have any problems switching the Apple TVs from DHCP to manual, pointing them to the Raspberry IP and then accessing the American Netflix, but then sometimes....

At random times the VPN stops working. I haven't found out why, and the easiest and laziest solution has been to just reinstall everything using this tutorial.
Usually this works just fine and everything is back to normal with AppleTV and Netflix.
Sometimes though I get as far as I can list the content of the American Netflix (I know what titles differ between Sweden and USA), but as soon as I try to play any content I get the pesky Netflix error #139.

So what I am wondering is:
1- What would be the best way of error searching once the VPN stops working all together?
2- What on earth could create the strange error that makes me browse the content but not play it?

Any takers?

sictona commented Jan 20, 2016

@jc1121 - Just type sudo nano /etc/openvpn/login and the file will be created by nano. Type your info and then save/exit.

How do I set up a PureVPN client on the Raspberry Pi? I saw you used OpenVPN.

sg6 commented Jan 30, 2016

This is awesome! Thanks for that so much, it was really easy and now even my TV is connected to a VPN network!

MatusP commented Feb 3, 2016

Hi there

I have been trying for a while now, but as soon as I enable the netfilter at startup (sudo systemctl enable netfilter-persistent), my VPN would not connect.

So I just simply flushed all iptables:
sudo iptables -F

and everything is working just fine.

I do not need the internet to stop if the vpn is down...

Fantastic! Very easy and clear to follow. Worked perfectly for IPVanish! - I may well script this in to something more reusable... 👍

ididna commented Mar 2, 2016

Short question: would it be possible to use the wired connection for the tunnel and in parallel the wireless one to share this tunnel? I have a Pi 1 and a wireless dongle and by following another tutorial (http://elinux.org/RPI-Wireless-Hotspot) I was able to make it act as a wireless router (it does what it should); unfortunately as soon as I activated the vpn part as described by you above (minus the kill switch, I omitted for the time being this part) the wireless clients can no longer access the Internet. There was an additional error in the vpn setting-up but in the end this part works (so, from the Pi I can browse the Internet via the tunnel). As I'm not an iptables specialist, I don't know exactly what to do to link the wlan0 and the tun0. Would this be necessary, actually? Should this work without other modifications/additions to your tutorial and something went wrong on my side? Thanks in advance.

This was very nice to follow. The one question I have is does the IP address in the following command need to be specific to my home network or exactly as the command is in the tutorial?

sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT

@donovision
exactly as the command is in the tutorial

Hello thank you for the tutorial. When I get to the part of "testing" the VPN, I get message saying AUTH FAILED. What should I do to correct this problem. Thanks! ps using a RPi 2.

mgmsfd commented Apr 2, 2016

Great document. Quick question, I need to also have inbound traffic so I can access my documents from the outside. Do you have a tutorial similar to this one?

I feel REALLY stupid for asking... but the RasPi network capabilities are limited compared to a PC yes?
My PC's on board ethernet adapter reads as 10/100/1000
The specs on my RasPi 2 are 10/100 as in... not gigabit

My question is this: By using a VPN hosted on the Raspi, wouldn't that mean that EVERYTHING would be limited to the 10/100 speed ?

pir8s commented Apr 9, 2016

Thanks for the tutorial, almost everything worked for me except for the VPN kill switch. If I stop the VPN service my real IP gets exposed.
I'm not using eth0 for my connection but wlan0, so I was wondering if all instances of eth0 should be replaced with wlan0 when setting up the iptables rules.
Also, why would someone use:
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
Shouldn't we be using our network-specific address range, e.g. 192.168.3.0/24 in my case?
Thanks for any clarification.

sagarun commented Apr 11, 2016

When tun0 goes down due to an OpenVPN error, or the RPi is rebooting but tun0 is still not up, it seems to leak. What should the default gateway for the Raspberry Pi be? Should it be itself?

pir8s commented Apr 12, 2016

The kill switch iptables rules specified here don't work for me! If tun0 goes down or I reboot the RPi, the DNS leaks, as @sagarun said.

The one issue I have run into is that I can no longer mount a CIFS network share once the iptables rules are in place. Any help would be appreciated. I think I need to add a rule to allow access to the IP address of the NAS so that the CIFS share can be mounted.

JvB94 commented May 8, 2016

I love your tutorial, it works very well.
But the kill switch is not working...

Can someone post a working kill switch?
It's very important to me and I can't find a working one on the internet.

Dedo21 commented May 8, 2016 edited

Maybe you can try adding this rule?
sudo iptables -I FORWARD -i eth0 ! -o tun0 -j DROP
I think this would only protect the clients from leaking the real IP, not the Pi itself(?)

JvB94 commented May 20, 2016

Works for me, thank you!!!

winedog commented Jun 3, 2016 edited

One thing that I'm a little confused on. Does this require two network interfaces on the raspberry pi? Or can all of this be performed using the built-in ethernet port on my RPi? My RPi also has a wireless dongle if I need a 2nd interface, in which case do I have the Pi configured to establish the VPN connection through the wifi dongle and then anything connected to the ethernet port is routed through the Pi's VPN connection?

Thanks for this great and simple tutorial!
How do I force all NTP traffic to the default gateway instead?
My VPN blocks NTP, and it's needed both by the Raspberry server and by the clients connecting through it.

gomaaz commented Jun 6, 2016

Only one network device is needed.

The kill switch isn't working and is still necessary... please give advice on that.

gomaaz commented Jun 8, 2016 edited

I just started from the beginning and it works now...

Because my VPN connection also needs UDP 443 I just added (didn't see this... I'm not familiar with iptables...):
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 443 -m comment --comment "openvpn2" -j ACCEPT

and the killswitch only works with Dedo21's advice:
sudo iptables -I FORWARD -i eth0 ! -o tun0 -j DROP

BUT after that, clients no longer have access to the home network 192.168.1.0/16.
any solution for that?

This setup on my BananaPi gives 32 Mb/s (4 MB/s) throughput. As I have 64 Mb/s of line speed I'll decide to get one of these ODROID devices.

Cheers.

Hello guys, I want to run my Raspberry Pi as a router. The first Ethernet port makes the input for the network; what can I use for the output? And for the output, do I have to make a different config in iptables?
Looking forward to a response, thanks to all!

gomaaz commented Jun 9, 2016

There is no second Ethernet port. You can have it go through one Ethernet port.

winedog commented Jun 14, 2016

Is there a way to do this using a PPTP VPN connection instead of OpenVPN? I got this working, but OpenVPN's encryption taxes the Raspberry Pi's processor too much and I only get 3-4Mbps throughput. I think if I could do this with a PPTP connection the Pi would be able to handle this better?

Aecasorg commented Jun 15, 2016 edited

Hi,

I have followed this guide to the letter however I cannot get it working. I left out the kill switch and DNS part in order not to complicate things. What I am aiming to do is connect a SKY HD box -> Ethernet cable -> Raspberry Pi -> WiFi -> Router. I can get the VPN up and running fine and it is all connected to internet however when I connect my laptop via ethernet cable to the RPi I cannot access internet. I've even changed the iptables 'eth0' to 'wlan0' to see if that helped. I've set my laptop manually to go to the RPi as Gateway (I use a Macbook Pro and Raspberry Pi 3) but still no access. What am I doing wrong?

Any help on this matter would really be appreciated!

Thanks in advance,
Henrik

jeroenjota commented Jul 17, 2016 edited

Thanks for the walkthrough

I changed the iptables rules:
The ip range
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
to 192.168.2.0 as that is my subnet
sudo iptables -A OUTPUT -d 192.168.2.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
And also the port 1194 in
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
to 1198
as that's what my Netherlands.conf file is saying
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
Things seem to be working now ;-)

Tubbs2u commented Aug 6, 2016

Also here, the above said it should look like this:
ca ca.crt
auth-user-pass
crl-verify crl.pem

However, it looks like this:
ca ca.rsa.2048.crt
auth-user-pass
crl-verify crl.rsa.2048.pem

When I changed it to this:
ca /etc/openvpn/ca.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.pem
I keep getting errors on those lines, which it's asking me to correct....... Any help would be welcome, and thanks in advance.

sogseal commented Aug 6, 2016 edited

Change it to, unless you renamed them:
ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem

Tubbs2u commented Aug 6, 2016 edited

Thanks for your reply sogseal, however this is what I am getting below::: sudo cp openvpn/ca.crt openvpn/crl.pem /etc/openvpn
*Options error: --ca fails with '/etc/openvpn/ca.rsa.2048.crt': No such file or directory
*Options error: --crl-verify fails with '/etc/openvpn/crl.rsa.2048.pem': No such file or directory
*Options error: Please correct these errors.
Use --help for more information.

OK.. I now know why I was getting errors: (sudo cp openvpn/ca.crt openvpn/crl.pem /etc/openvpn).... should look like this:::::::
(sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/)

Thanks......Tubbs

sogseal commented Aug 6, 2016 edited

Thanks for your reply sogseal, however this is what I am getting below::: sudo nano /etc/openvpn/Japan.conf
*Options error: --ca fails with '/etc/openvpn/ca.rsa.2048.crt': No such file or directory
*Options error: --crl-verify fails with '/etc/openvpn/crl.rsa.2048.pem': No such file or directory
*Options error: Please correct these errors.
Use --help for more information.

Also when I put this command line::sudo cp openvpn/ca.crt openvpn/crl.pem /etc/openvpn/........I am getting the below errors
*cp: cannot stat ‘openvpn/ca.crt’: No such file or directory
*cp: cannot stat ‘openvpn/crl.pem’: No such file or directory

Really don't know what I am doing wrong

Thanks for any help in advance..Tubbs

So, when you downloaded wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
you should have these files:
ca.rsa.2048.crt
crl.rsa.2048.pem
You need to make sure that both of these files, Japan.conf and your login file are in this directory: /etc/openvpn
then

sudo nano /etc/openvpn/Japan.conf and make sure that you have the full path for these 3 lines:
ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem

Also FYI, PIA changed their port number to 1198. Hope it works.
I would also edit this:
sudo vim /etc/default/openvpn
Look for the line OPTARGS="" and change it to:
OPTARGS="--auth-nocache"
This should prevent caching the password in memory.

Tubbs2u commented Aug 7, 2016

Thank you Sogseal... Will have another attempt today.... wish me luck lol, I am new to all this, but eager to learn.

sogseal commented Aug 7, 2016 edited

Let me know, I'll help with what I can.

Tubbs2u commented Aug 7, 2016 edited

Done this, however I don't think it's working properly; don't know what I am doing wrong.
sudo nano /etc/openvpn/Japan.conf

client
dev tun
proto udp
remote japan.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ

And done this like this
sudo iptables -A OUTPUT -d 192.168.0.1/24 -o eth0 -m comment --comment "lan" -j ACCEPT
My raspberry Pi address added above 192.168.0.5
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
Also add this port 1198 in

Test VPN

At this point you should be able to test the VPN actually works:
sudo openvpn --config /etc/openvpn/Japan.conf
When I tested I'm getting this:
pi@raspberrypi ~ $ sudo openvpn --config /etc/openvpn/Japan.conf
Sun Aug 7 23:30:43 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Sun Aug 7 23:30:43 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Sun Aug 7 23:30:43 2016 UDPv4 link local: [undef]
Sun Aug 7 23:30:43 2016 UDPv4 link remote: [AF_INET]161.202.72.147:1198
Sun Aug 7 23:30:44 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Aug 7 23:30:45 2016 [a256e14cb98c429b76e86d08cc3856ad] Peer Connection Initiated with [AF_INET]161.202.72.147:1198
Sun Aug 7 23:30:48 2016 AUTH: Received control message: AUTH_FAILED
Sun Aug 7 23:30:48 2016 SIGTERM[soft,auth-failure] received, process exiting

Doesn't look as if it's working properly though lol

And
Done this:
sudo vim /etc/default/openvpn
Look for line OPTARGS="" and change it to:
OPTARGS="--auth-nocache"

sogseal commented Aug 8, 2016 edited

Check that your username and password are correct, and did you do sudo chmod 600 /etc/openvpn/login?
This guide is good; there are only a few changes. Make sure you follow the steps above exactly and change this in your Japan.conf:

crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/tmp

and your iptables
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
Here is my ls -alh /etc/openvpn/ output:

total 28K
drwxr-xr-x   2 root root 4.0K Aug  6 20:03 .
drwxr-xr-x 115 root root 4.0K Aug  7 11:54 ..
-rw-r--r--   1 root root 2.0K Aug  6 14:51 ca.rsa.2048.crt
-rw-r--r--   1 root root  869 Aug  6 14:51 crl.rsa.2048.pem
-rw-r--r--   1 root root  422 Aug  6 19:59 East.conf
-rw-------   1 root root   86 Aug  6 14:53 tmp
-rwxr-xr-x   1 root root 1.3K Jan 23  2016 update-resolv-conf

Here is my .conf if it helps you:

client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/tmp
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Tubbs2u commented Aug 8, 2016 edited

Thanks once again for your time and patience Sogseal..... I can get this::

pi@raspberrypi ~ $ ls -alh /etc/openvpn/
total 28K
drwxr-xr-x 2 root root 4.0K Aug 7 14:00 .
drwxr-xr-x 112 root root 4.0K Aug 7 14:49 ..
-rw-r--r-- 1 root root 2.0K Aug 8 22:05 ca.rsa.2048.crt
-rw-r--r-- 1 root root 869 Aug 8 22:05 crl.rsa.2048.pem
-rw-r--r-- 1 root root 422 Aug 8 22:10 Japan.conf
-rw------- 1 root root 15 Aug 7 14:00 login
-rwxr-xr-x 1 root root 1.3K Jan 23 2016 update-resolv-conf

What do I do now to check if the VPN is working m8..... trying to get my mobile phone to connect, but it's not doing so; I don't think I am that far away.

sogseal commented Aug 8, 2016

Do a quick check by:
curl ipinfo.io/json
If you see your real public IP that's not good... then run this command:
sudo service openvpn status
and look for "Running": if you see it then you are good to go; if you see "Exited" then you need to troubleshoot.

Tubbs2u commented Aug 9, 2016 edited

Sogseal, when I write this command: sudo curl ipinfo.io/json
I get this....:curl: (7) Failed to connect to ipinfo.io port 80: Connection timed out

And when I run this command : sudo service openvpn status

I got this.....
● openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
Active: active (exited) since Tue 2016-08-09 00:17:17 BST; 17h ago
Main PID: 596 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/openvpn.service

Nothing with the word "Running"....., however I see the word "Exited", which means something is wrong somewhere m8; not sure where to go next, other than do a fresh install. Have you got any suggestions m8ty?
And thanks once again for your time and effort m8.

scoobyd00 commented Aug 12, 2016 edited

Excellent tutorial. Got my VPN up and working great.

Does anyone know how to write a small bash file to swap locations? I'm currently using the PIA London node but sometimes wish to use one from the Netherlands.
How can I stop the current VPN connection to London and quickly connect to the Netherlands one? (I have copied over the correct ovpn to the correct directory etc.)

scoobyd00 commented Aug 12, 2016 edited

Managed to figure this one out.
I edited openvpn in /etc/default and selected AUTOSTART = "none"
I then created a simple bash script to select different VPN's using
sudo service openvpn@nameofvpn start to select the VPN
and
sudo service openvpn@nameofvpn stop to stop the VPN

Great work and thanks for the effort to publish your results. I started with the VPN gateway running on a Raspberry Pi. But for better performance I am actually now running a VirtualBox Debian VM with a similar config. I spent some time to tweak the iptables part of the setup. I created an iptables_vpn.sh file that I can execute to load up the rules. Here is what I am using:

#!/bin/bash

# start fresh
iptables --flush
iptables --delete-chain
iptables -t nat -F

# default drop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# setup logging chains (logs to /var/log/messages)
iptables -N LOGGING
iptables -N BADPKT_LOGGING

# loopback ok
iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT

# traffic that is ok by default
iptables -I INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT
iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT

# OpenVPN on port 1198 ok
iptables -A OUTPUT -o eth0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT

# NTP on port 123 ok
iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT

# DHCP ok
iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT

# DNS traffic to bring up the tunnel ok
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT

# allow forwarding if VPN alive
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT

# NAT the gateway
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

# All TCP sessions should begin with SYN; drop bad packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j BADPKT_LOGGING
iptables -A INPUT -m state --state INVALID -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BADPKT_LOGGING
iptables -A INPUT -f -m comment --comment "Drop FRAGS" -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADPKT_LOGGING
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BADPKT_LOGGING

# Accept inbound VPN initiated traffic
iptables -A INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept outbound into the LAN packets on initiated traffic
iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# setup logging for dropped traffic (must be the last rules)
iptables -A INPUT -m comment --comment "LOG and DROP" -j LOGGING
iptables -A OUTPUT -m comment --comment "LOG and DROP" -j LOGGING

# LOGGING chain
iptables -A LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

# LOGGING BADPACKETS chain
iptables -A BADPKT_LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables- BADPACKETS: " --log-level 4
iptables -A BADPKT_LOGGING -j DROP

scoobyd00 commented Aug 23, 2016 edited

Has anyone tried this on a raspberry pi 3?

I'm running it on my Raspberry Pi 2 at the moment, Pi overclocked to maximum, and on my 200mb internet connection I'm getting a throughput of about 23mb via the VPN, sometimes peaking to 27mb.

Does anyone who's using this on a Pi 3 get better performance?
I know OpenVPN takes a hit on speed and it's also affected by CPU, so just wondering if the Pi 3 would gain any better throughput.

I did try my setup with an RPi2, RPi3 and ODROID C2 before going to my current VirtualBox Debian setup. My downlink speed maxes out at 60Mb/s. I was able to max the link with the ODROID C2 running as the gateway. However the VPN tunnel kept interrupting and not recovering for some unknown reason. I don't remember the exact throughput I got with the RPi3, but it was somewhere between 30-50Mb/s. I did write down some of the openssl speed benchmark numbers, which are not exactly Mb/s but give you some idea of the performance.

Here is the command:
openssl speed -evp AES-128-CBC

This runs a benchmark using openssl which is the main routine for CPU usage in openvpn.

Here is what I got (1024 length):
ASUS RT-AC56 29,202 (my router for comparison)
Rasp Pi 2 21,000
Rasp Pi 3 51,400

Thanks for the reply @dumpster99.

It looks like the Pi3 can nearly double the throughput of the PI2.

I'll hold on using my Pi 2 for the time being; I mostly stream HD content through it so it's fine at around 20mb at the moment.
I will need to stream some 4K content in the future and they recommend a minimum of 25mb, so I will look at upgrading to the Pi 3 or even the Pi 4 if it gets released!

khromov commented Sep 4, 2016 edited

Getting RTNETLINK answers: File exists error when trying to connect with the openvpn command, here is the log:

Sun Sep  4 06:56:49 2016 TUN/TAP device tun0 opened
Sun Sep  4 06:56:49 2016 TUN/TAP TX queue length set to 100
Sun Sep  4 06:56:49 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Sep  4 06:56:49 2016 /sbin/ip link set dev tun0 up mtu 1500
Sun Sep  4 06:56:49 2016 /sbin/ip addr add dev tun0 10.251.4.68/24 broadcast 10.251.4.255
Sun Sep  4 06:56:49 2016 /sbin/ip route add 155.4.14.28/32 via 192.168.2.1
Sun Sep  4 06:56:49 2016 /sbin/ip route add 0.0.0.0/1 via 10.251.4.1
Sun Sep  4 06:56:49 2016 /sbin/ip route add 128.0.0.0/1 via 10.251.4.1
Sun Sep  4 06:56:49 2016 /sbin/ip route add 155.4.14.28/32 via 192.168.2.1
RTNETLINK answers: File exists
Sun Sep  4 06:56:49 2016 ERROR: Linux route add command failed: external program exited with error status: 2
Sun Sep  4 06:56:49 2016 Initialization Sequence Completed

(Note it's a different VPN provider)

Any ideas? @superjamie ? :)

Owner

superjamie commented Sep 19, 2016

@khromov Your VPN provider sends down the route to the internet endpoint (155.4.14.28/32 via 192.168.2.1) twice. It will have no effect, but you can raise it to their tech support if you like.

Is it possible to connect only one PC to the VPN client, and the others to the normal router?

Great instructions, Jamie, thanks a lot! With your help I now have two Wifi networks in my house, one that connects straight to the internet and a second one that connects via the VPN. Depending on what I want to do I can connect my clients to either Wifi.

The setup is:

  • A Wifi router from my internet provider, connected directly to the internet.
  • A Raspberry Pi 3 configured as described here and connected to the Wifi router above via ethernet.
  • A second Wifi router that is connected to the router above via ethernet and uses the Raspberry Pi as default gateway and DNS server.

For a while this setup didn't work until I found that dnsmasq is set to --local-service by default. There are a few workarounds for that, the one that works best for me is to specify the interface for dnsmasq to listen to (eth0 in my case) which will inactivate the --local-service option. See https://techtuts.info/2014/04/dnsmasq-2-69-sudden-timeouts/ for details.

I also had an issue with syslog not providing proper output and instead showing something like

Oct 7 02:03:12 raspberry rsyslogd-2007: action 'action 17' suspended, next retry is Wed Oct 7 02:03:42 2015 [try http://www.rsyslog.com/e/2007 ]

As described here you can fix this by commenting out the last 4 lines of your /etc/rsyslog.conf file like this:

#daemon.*;mail.*;\
#       news.err;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       |/dev/xconsole

mvilrokx commented Oct 8, 2016

Very cool, works like a charm! I added a rule for my VNC as well:

sudo iptables -I INPUT -m state --state NEW -p tcp -m tcp --dport 5901 -m comment --comment "vnc" -j ACCEPT

Hi. Thank you. I added the RPi as the default gateway and now works for IPv4. What do I do to forward also IPv6?

bhatsu commented Nov 13, 2016

Create /etc/openvpn/login containing only your username and password, one per line, for example:

user12345678
MyGreatPassword

Which username and password do we need to enter in /etc/openvpn/login file ?

@bhatsunny Those would be the username and password of your Private Internet Access account.

bytemon commented Nov 27, 2016 edited

OK, followed instructions (I believe). Directly from the client, it seems to work ok - if I go to whatsmyip.org, it reports the proper IP address.

But, try as I may (from a Windows 10 machine on the network), if I set up a static IP with a gateway of the OpenVPN machine, it does not work; it says no connection to the internet. If I use the OpenVPN machine as the DNS resolver, a ping finds the internet IP address, but cannot access it.

Here is my status printout:

geoff@rpi-siete:~ $ sudo systemctl -l status openvpn@USWest
● openvpn@USWest.service - OpenVPN connection to USWest
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
   Active: active (running) since Sun 2016-11-27 07:46:15 MST; 6h ago
  Process: 418 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
 Main PID: 484 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@USWest.service
           └─484 /usr/sbin/openvpn --daemon ovpn-USWest --status /run/openvpn/USWest.status 10 --cd /etc/openvpn --config /etc/openvpn/USWest.conf

Nov 27 07:46:15 rpi-siete ovpn-USWest[418]: OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Nov 27 07:46:15 rpi-siete ovpn-USWest[418]: library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Nov 27 07:46:15 rpi-siete ovpn-USWest[418]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: Temporary failure in name resolution
Nov 27 07:46:15 rpi-siete ovpn-USWest[484]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: Temporary failure in name resolution
Nov 27 07:46:15 rpi-siete systemd[1]: Started OpenVPN connection to USWest.
Nov 27 07:46:20 rpi-siete ovpn-USWest[484]: UDPv4 link local: [undef]
Nov 27 07:46:20 rpi-siete ovpn-USWest[484]: UDPv4 link remote: [AF_INET]104.200.151.75:1198
Nov 27 07:46:20 rpi-siete ovpn-USWest[484]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 27 07:46:20 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: TUN/TAP device tun0 opened
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: /sbin/ip link set dev tun0 up mtu 1500
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.38.10.6 peer 10.38.10.5
Nov 27 07:46:23 rpi-siete ovpn-USWest[484]: Initialization Sequence Completed
Nov 27 13:00:59 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Inactivity timeout (--ping-restart), restarting
Nov 27 13:00:59 rpi-siete ovpn-USWest[484]: SIGUSR1[soft,ping-restart] received, process restarting
Nov 27 13:01:01 rpi-siete ovpn-USWest[484]: UDPv4 link local: [undef]
Nov 27 13:01:01 rpi-siete ovpn-USWest[484]: UDPv4 link remote: [AF_INET]104.200.151.75:1198
Nov 27 13:01:01 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
Nov 27 13:01:04 rpi-siete ovpn-USWest[484]: Preserving previous TUN/TAP instance: tun0
Nov 27 13:01:04 rpi-siete ovpn-USWest[484]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Nov 27 13:01:04 rpi-siete ovpn-USWest[484]: /sbin/ip addr del dev tun0 local 10.38.10.6 peer 10.38.10.5
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: TUN/TAP device tun0 opened
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: /sbin/ip link set dev tun0 up mtu 1500
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.42.10.6 peer 10.42.10.5
Nov 27 13:01:05 rpi-siete ovpn-USWest[484]: Initialization Sequence Completed
Nov 27 13:04:08 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Inactivity timeout (--ping-restart), restarting
Nov 27 13:04:08 rpi-siete ovpn-USWest[484]: SIGUSR1[soft,ping-restart] received, process restarting
Nov 27 13:04:10 rpi-siete ovpn-USWest[484]: UDPv4 link local: [undef]
Nov 27 13:04:10 rpi-siete ovpn-USWest[484]: UDPv4 link remote: [AF_INET]104.200.151.75:1198
Nov 27 13:04:11 rpi-siete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
Nov 27 13:04:13 rpi-siete ovpn-USWest[484]: Preserving previous TUN/TAP instance: tun0
Nov 27 13:04:13 rpi-siete ovpn-USWest[484]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Nov 27 13:04:13 rpi-siete ovpn-USWest[484]: /sbin/ip addr del dev tun0 local 10.42.10.6 peer 10.42.10.5
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: TUN/TAP device tun0 opened
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: /sbin/ip link set dev tun0 up mtu 1500
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.15.10.6 peer 10.15.10.5
Nov 27 13:04:14 rpi-siete ovpn-USWest[484]: Initialization Sequence Completed

(Not sure why I'm getting the "RESOLVE" message, but again browsing from the OPENVPN client works)

Perhaps I don't know how to either set up the Windows 10 machine, or how to connect:
For connection, I'm simply using a wired Ethernet connection for both the OpenVPN machine and the Windows 10 client.
For the Windows 10 machine, I'm setting up a static IP with the gateway assigned to the OpenVPN machine, and using Google's DNS settings.

Where am I going wrong?

It works on my Raspberry Pi 1 B. Thanks!

mdestagnol commented Dec 30, 2016 edited

I'm trying to find a clean way to enable/disable the traffic to go through the VPN tunnel, without having to change anything on the client side. With the current tutorial, when I stop openvpn the traffic isn't going through anymore (since tun0 isn't used anymore).

I'm not super familiar with iptables configs. Do you know what I should do in order to let the traffic flow through the Raspberry Pi gateway (when it doesn't go through the VPN)?

Hi, thanks for the guide! How do I direct certain traffic to NOT use the VPN?

For example I'd like outbound SMTP traffic to just not use the VPN, since SMTP is blocked by my VPN by default (I can request for it to not be blocked, but this is just an example).

I'm assuming some iptables rules are needed?

Thanks,
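The two questions above (switching the whole LAN around the tunnel without touching the clients, and exempting just one protocol such as SMTP) have the same answer on Linux: mark the packets you want to bypass the tunnel and route marked packets with a second routing table that only knows the home router. Here is an added example of that, written for this page; it is not code from the gist or from either commenter. Assumptions not stated in the thread: LAN eth0 on 192.168.1.0/24 with the home router at 192.168.1.1, tunnel tun0, mark value 0x1, routing table 100. `IPT=echo IP=echo SYSCTL=echo` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the gist or the comments above. Assumed (not stated in
# the thread): LAN eth0 on 192.168.1.0/24 with the home router at 192.168.1.1,
# tunnel tun0, packet mark 0x1 and routing table 100. Run as root;
# IPT=echo IP=echo SYSCTL=echo prints the commands instead of running them.
set -eu
IPT=${IPT:-iptables}
IP=${IP:-ip}
SYSCTL=${SYSCTL:-sysctl}

# bypass_setup <router> <lan-if> <table> <mark>
# One-time plumbing. Packets carrying the mark are routed with a second table
# whose only route is the home router; unmarked packets keep following the main
# table, where OpenVPN's redirect-gateway points at tun0.
bypass_setup() {
    gw=$1 lan=$2 table=$3 mark=$4
    $IP route add default via "$gw" dev "$lan" table "$table"
    $IP rule add fwmark "$mark" table "$table" priority 100
    # eth0 -> eth0 forwarding is denied under a FORWARD DROP policy; allow it
    # only for marked flows and their replies, and NAT them to the Pi's LAN
    # address so the home router sees an ordinary LAN host.
    $IPT -A FORWARD -i "$lan" -o "$lan" -m mark --mark "$mark" -j ACCEPT
    $IPT -A FORWARD -i "$lan" -o "$lan" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$lan" -m mark --mark "$mark" -j MASQUERADE
    # Replies for bypassed flows arrive on eth0 while the main table says the
    # internet is behind tun0; strict reverse-path filtering would drop them.
    $SYSCTL -w "net.ipv4.conf.$lan.rp_filter=2"
}

# bypass_proto <lan-if> <proto> <port> <mark>
# Exempt one destination port, e.g. outbound SMTP: bypass_proto eth0 tcp 25 0x1
bypass_proto() {
    lan=$1 proto=$2 port=$3 mark=$4
    $IPT -t mangle -A PREROUTING -i "$lan" -p "$proto" --dport "$port" \
        -m comment --comment "bypass VPN: $proto/$port" -j MARK --set-mark "$mark"
}

# bypass_all on|off <lan-if> <mark>
# Send every client's traffic around the tunnel, or back through it, by adding
# or deleting one catch-all mark rule. Clients keep the Pi as their gateway and
# notice nothing; connections already open are not migrated.
bypass_all() {
    action=$1 lan=$2 mark=$3
    case $action in
        on)  op=-A ;;
        off) op=-D ;;
        *)   echo "usage: bypass_all on|off <lan-if> <mark>" >&2; return 2 ;;
    esac
    $IPT -t mangle "$op" PREROUTING -i "$lan" -m comment --comment "bypass VPN: all" -j MARK --set-mark "$mark"
}
```

Run `bypass_setup 192.168.1.1 eth0 100 0x1` once after the gist's own rules, then `bypass_proto eth0 tcp 25 0x1` for the SMTP case or `bypass_all on eth0 0x1` / `bypass_all off eth0 0x1` as the switch. Anything marked is no longer protected by the tunnel or by a FORWARD-based kill switch, so keep the marked set as small as the task allows.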

winedog commented Jan 16, 2017 edited

Is there any possibility this setup could allow information from the ISP's IP address to be leaking through?

Everything is working fine for me, but when I set my windows 10 machine to route through the PI some sites detect that I'm using a proxy/vpn. I've confirmed that my external IP address and routing looks like it is coming out of my VPN servers destination location.

However, if I login to the exact same VPN server that the Pi is configured to connect to with a VPN client from Windows 10 (i.e. Viscosity), I don't get any proxy/vpn detection errors. All I can think is I'm leaking some sort of data that is tripping off the proxy/VPN detection.

EDIT: Further evaluation shows that the problem looks like DNS leaking. And it seems OpenVPN for the PI is really outdated at version 2.3.4. Struggling to figure out how I can upgrade to 2.4.0 OpenVPN on the Pi

winedog commented Jan 17, 2017

Even after getting OpenVPN brought up to 2.4.0 and using the block-outside-dns command in the .conf files, or adding this:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

I still can't manage to stop the DNS from leaking. I'm using the DNSMasq option and have my pi

winedog commented Jan 17, 2017

So I've tried adding the kill switch, which I wasn't using before, and it doesn't work for me. When adding the tables everything works fine until I add the last line, at which point clients routing through the Pi lose connection.

sudo iptables -A OUTPUT -o eth0 -j DROP

Also, if I hardcode my client DNS to something like an opendns server or google DNS, my DNS leak stops. So maybe it is some problem with DNSMasq allowing the leak as well?

chrish619 commented Jan 17, 2017 edited

I'm leaving this here for posterity, in case it helps anyone:
Please note: My Raspberry Pi is currently configured purely as a VPN Client / Router, and is not used for browsing:

My iptables rules are as follows:

Chain INPUT (policy ACCEPT 4027K packets, 5310M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 124K packets, 8718K bytes)
 pkts bytes target     prot opt in     out     source               destination
3594K 4391M ACCEPT     all  --  tun0   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
3262K  254M ACCEPT     all  --  eth0   tun0    anywhere             anywhere             /* LAN out to VPN */

Chain OUTPUT (policy ACCEPT 2302K packets, 509M bytes)
 pkts bytes target     prot opt in     out     source               destination

I've not applied any OUTPUT rules, but primarily what worked for forwarding to VPN, and only VPN was
sudo iptables -P FORWARD DROP which sets up the default rule for FORWARDing to DROP (unless matched by another rule)

If the vpn connection is down, then no routed clients can connect. But the Raspberry Pi can still connect for updates, browsing, problem solving, etc

Hope this helps.

maartenjd commented Jan 18, 2017 edited

Excellent guide!

I have been struggling for hours to get it working for PureVPN, until I found out that this provider uses port 80 for OpenVPN via TCP. So I changed

sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT

into

sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m comment --comment "openvpn" -j ACCEPT

(so tcp instead of udp and port 80 instead of 1198) to enable openvpn to contact the vpn-server.

winedog commented Jan 20, 2017

I still cannot figure out anyway to stop DNS leaking when using the DNSMasq with the Pi and setting clients to the Pi's IP address for DNS. I'm using Ironsocket rather than PIA, but don't see how that should make any difference.

ab77 commented Jan 23, 2017

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1 will re-write any DNS request made by the clients behind the router to the locally running DNS server (e.g. dnsmasq) on the router.

Once the request is there, you can handle it appropriately. No more DNS leaks.

-- ab1
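Taking winedog's DNS leak and ab77's PREROUTING rewrite together, here is an added example written for this page (not code from the gist or from either comment) of forcing LAN clients' DNS into the resolver on the Pi and making that resolver fail closed. It swaps in REDIRECT for a DNAT to 127.0.0.1, because the kernel discards packets DNATed to loopback from a non-loopback interface unless `net.ipv4.conf.<if>.route_localnet=1` is set, and covers UDP as well as TCP, since a TCP-only rule leaves normal UDP lookups untouched. Assumptions not stated in the thread: LAN interface eth0, tunnel tun0, dnsmasq as the local resolver, and 10.0.0.1 as a placeholder for the resolver the provider pushes with `dhcp-option DNS`.

```shell
#!/bin/sh
# Added example, not from the gist or the comments above. Assumed (not stated in
# the thread): LAN interface eth0, tunnel tun0, dnsmasq on the Pi, and 10.0.0.1
# as a placeholder for the resolver address the provider pushes with
# "dhcp-option DNS". IPT=echo prints the rules instead of applying them.
set -eu
IPT=${IPT:-iptables}

# dns_redirect_rules <lan-if>
# REDIRECT rewrites the destination to the address of the interface the packet
# came in on, so a client that hard-codes 8.8.8.8 still ends up at the local
# dnsmasq. Both UDP and TCP are covered; a TCP-only rule leaves ordinary UDP
# lookups untouched. REDIRECT is used instead of DNAT to 127.0.0.1 because the
# kernel drops packets DNATed to loopback from another interface unless
# net.ipv4.conf.<if>.route_localnet=1 is set.
dns_redirect_rules() {
    lan=$1
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$lan" -p "$proto" --dport 53 \
            -m comment --comment "LAN DNS to local resolver" -j REDIRECT --to-ports 53
    done
}

# dnsmasq_conf <upstream-resolver>
# Listen on the LAN side only (interface= also disables --local-service, as
# noted earlier in the thread), ignore /etc/resolv.conf, and forward solely to
# the VPN resolver, which is reachable only across tun0. With the tunnel down
# there is no eth0-reachable upstream, so lookups fail instead of leaking.
dnsmasq_conf() {
    upstream=$1
    cat <<EOF
interface=eth0
bind-interfaces
no-resolv
server=$upstream
domain-needed
bogus-priv
EOF
}

# via_tunnel <tun-if> "<output of: ip route get <resolver>>"
# Leak check from the Pi itself: the route to the upstream resolver must be the
# tunnel, never eth0. Usage: via_tunnel tun0 "$(ip route get 10.0.0.1)"
via_tunnel() {
    tun_if=$1 route_line=$2
    case " $route_line " in
        *" dev $tun_if "*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Apply `dns_redirect_rules eth0` alongside the gist's NAT rule, write `dnsmasq_conf <pushed resolver>` to a file under /etc/dnsmasq.d/ and restart dnsmasq, then confirm with `via_tunnel tun0 "$(ip route get <pushed resolver>)"` that upstream queries leave over tun0. The Pi's own lookups used to resolve the VPN endpoint hostname before the tunnel is up are a separate path and still go to whatever /etc/resolv.conf names.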

When I got to installing iptables-persistent in the guide, it would show an error that netfilter-persistent was not configured yet.

What is the need to make a VPN server on a Raspberry Pi? Can't we install that server and use it on the same PC/laptop? Please help me out with this.

NP726 commented Feb 9, 2017

@sivaarja this doesn't install a VPN server. This basically turns the pi into a portable router that routes all traffic through a VPN. It assumes you already have a VPN/VPN service to connect to.

Mubbya commented Feb 10, 2017

Hi,

Thanks for the useful guide. After solving the Jessie static IP issue, I'm now stuck, I think in part due to the presence of a space in the title of the PIA VPN I want to use.

I got as far as

Copy the PIA OpenVPN certificates and profile to the OpenVPN client:
Now if I take the stock code

sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp openvpn/Japan.ovpn /etc/openvpn/Japan.conf

And change it to reflect the name of the server I want to hit, UK Southampton.
sudo cp openvpn/UK Southampton.ovpn /etc/openvpn/UK Southampton.conf

Then I get
cp: cannot stat ‘openvpn/UK’: No such file or directory
cp: cannot stat ‘Southampton.ovpn’: No such file or directory
cp: omitting directory ‘/etc/openvpn/UK’

I get the impression it is because of the spaces. If I try

sudo cp openvpn/UK Southampton.ovpn /etc/openvpn/UK\ Southampton.conf

Then I get

cp: cannot stat ‘openvpn/UK’: No such file or directory
cp: cannot stat ‘Southampton.ovpn’: No such file or directory

Can anyone help me out on this one? I'm fairly new to terminal and it's commands.

Mubbya commented Feb 11, 2017

No worries: Started from scratch and using the '' command to denote spaces all worked well.

Also had to manually create the vpn conf file before copying the data over from the ovpn file.

Thanks.

lowviz commented Feb 14, 2017

I have a few questions. How can we stop the DNS leak? How can we connect android phones as clients ? Is it necessary to create the certificates ?

Is there any way to force OpenVPN to reconnect if it gets disconnected?

limerick11 commented Feb 21, 2017 edited

Hi all,
When I'm editing the iptables, everything works fine if I don't add the last line (DROP). Once I add it, I have no access to the internet. I assume iptables is blocking access. Does anyone know how to fix this?
Removing the last line connects me to the internet via VPN. I'm connected using my Raspbian Raspberry via the router. I've hardcoded my IP to be 192.168.0.15

sudo iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -j DROP

Hi Guys,

I just have one question. I already have my own VPN server set up at home and have the .ovpn file that is working fine under Windows 7.
Where do I copy the .ovpn file on my RasPi to make it act as a client, please? Do I have to rename the .ovpn file to a .conf file as well?

Thanks for guiding me in this it does my head-in. There are many suggestions out there and all are a bit contradictory in a way, just a simple guide would be really appreciated.

Cheers
Siamak

siafix@free.fr

winedog commented Feb 25, 2017

I have a strange issue that is happening. After using my Pi for 2 months or so the VPN connection starts slowing down inexplicably and rebooting does nothing to resolve it. Fortunately, the last time I rebuilt my VPN router from scratch and had it working I created an image of the SD card, so I can simply reflash the SD card and I'm up and running in minutes. Here is what happens.

I start with my clean installation and I get about 50mbps reliable performance from my VPN provider using the Rpi3 as the router / gateway. Then, inexplicably, about 8 weeks later I will notice that I can't get much more than about 4-10mbps. I can login to my VPN provider on my Win10 desktop machine and get the normal 50mbps so I know it's not a performance issue with my ISP or my VPN provider. If I reboot the Rpi3 there is no difference. If I then pull the SD card and reflash it with my backup image and then reboot, my performance instantly goes back up to the 50mbps I expect.

So what is happening overtime that causes the performance to degrade? Is there some sort of cache / buffer that is filling up that needs purging or cleanup? The Rpi3 is just standard Raspbian with nothing else installed or running on it.

Hi Guys,
I have posted a question earlier but had no answer, so I will elaborate a bit more:
I have configured a RasPi as a Router using this site tutorial, just the router part:

http://blogs.arcsoftwareconsultancy.com/pi/2013/07/17/georestrictions/?replytocom=2161

I don't have any account but have my own VPN server set-up using again one of the tutorials on Internet and it is working fine under windoze.

I would like to know how to configure my Router above to connect to the VPN server PLEASE.

I am not a professional just a novice trying to do things and learn at the same time

Many thanks

Siamak

siamak06 commented Mar 1, 2017 edited

Hi Everyone,

I have managed to get this message after having looked on many tutorials:

sudo openvpn --config /etc/openvpn/siamak.conf
Wed Mar 1 11:48:20 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Wed Mar 1 11:48:20 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Enter Private Key Password: **********
Wed Mar 1 11:48:26 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Mar 1 11:48:26 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Mar 1 11:48:26 2017 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
Wed Mar 1 11:48:27 2017 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Wed Mar 1 11:48:27 2017 TCPv4_CLIENT link local: [undef]
Wed Mar 1 11:48:27 2017 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Wed Mar 1 11:48:28 2017 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:443
Wed Mar 1 11:48:30 2017 TUN/TAP device tun0 opened
Wed Mar 1 11:48:30 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Mar 1 11:48:30 2017 /sbin/ip link set dev tun0 up mtu 1500
Wed Mar 1 11:48:30 2017 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
RTNETLINK answers: File exists
Wed Mar 1 11:48:30 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Any suggestions?

Cheers

Siamak

siamak06 commented Mar 1, 2017

Hi winedog,

I have read about your misfortune, and I can think of the following:
a) If you are using the same SD card it may have lived its life, therefore get a new one, and a bigger one if possible;
b) Maybe the SD card gets saturated with temp files, so you can try to use a USB 3 flash key in parallel to the SD card. I am using a 64GB USB 3 key and it is very fast.

Good luck.

Samak

I've run into the same issue as @limerick11, when I execute the sudo iptables -A OUTPUT -o eth0 -j DROP command all external connections drop.

henry74 commented Mar 8, 2017

Has anyone got this working in conjunction with pi-hole to block ads through DNS?

It looks like DNS requests directly on the Pi are being properly screened, but devices which are using the Raspberry Pi as the gateway/DNS are skipping the pi-hole filter. I'm guessing all inbound requests are being funneled through the VPN tunnel (tun0), which is doing the DNS resolution on the VPN server side and thus ignoring the pi-hole. Thoughts and comments appreciated! Thank you!

This is a brilliant guide — thank you!

I didn't set up the kill switch (either), and for now I may just send some sort of notification when the VPN status changes. Now, I don't know if this is a valuable tip... or if I'm just showing my fundamental cluelessness, but:

When you copy the PIA certificate and VPN profile, make sure to omit all spaces in the target .conf filename. Remove them, don't escape them. Like this, for example: sudo cp US\ New\ York\ City.ovpn /etc/openvpn/nyc.conf

I can't be the only person who assumed the resulting .conf name had to match... right??? ;-)

This is awesome. Thanks!

ShVerni commented Apr 3, 2017

This is a great guide! I've written a script to help automate this setup process, as well as adding some features like scripts to swap the endpoint, built-in Monit support for monitoring the VPN connection, and compiling/installing the latest OpenVPN. It's still a very rough draft, but check it out if you're interested:

https://github.com/ShVerni/Raspberry-Pi-VPN-Gateway

Hey @superjamie, I've written the steps I took to enable automatic VPN with auto reconnect as another gist. I used your guide but I had to upgrade to Stretch to get network-manager working correctly with PIA.

Following your guide and with the additional steps I can now expect my VPN to remain on and connected, as well as reconnecting when the connection drops, without having to do anything manually.

When the Pi boots it starts a PIA service that will maintain the connection for as long as it's turned on.

https://gist.github.com/lachlan-00/839481c842ad5a11b0963c7ce51b12a2

@limerick11 If your internal network is using 192.168.0.15, you'll need to change the line

from
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT

to
sudo iptables -A OUTPUT -d 192.168.0.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT

to match the rest of your network.

@rgstephens your problem is probably similar. The IP address in that iptables command needs to match your internal network x.x.x.0/24
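The reply above pins limerick11's lockout on one wrong octet in the `lan` rule. As an added example written for this page (not code from the gist or from any commenter), the script below derives that network from the Pi's own address and netmask so the rule cannot point at the wrong /24, applies the OUTPUT kill switch from the gist, and adds the FORWARD rules chrish619 used so that routed clients fail closed too, independently of the Pi's own connectivity. Assumptions not stated in the thread: interface names eth0 and tun0, a UDP endpoint on port 1198, and the address/netmask supplied on the command line. `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the gist: kill-switch rules for the OpenVPN gateway.
# Assumed (not stated in the thread): LAN interface eth0, tunnel tun0, a UDP
# endpoint on port 1198, and the Pi's address/netmask given on the command line.
# Run as root; IPT=echo prints the rules instead of applying them.
set -eu
IPT=${IPT:-iptables}

# lan_cidr 192.168.0.15 255.255.255.0 -> 192.168.0.0/24
# Derives the network the Pi actually sits on, so the "lan" ACCEPT rule cannot
# be left pointing at a different /24 (which is what locked limerick11 out).
lan_cidr() {
    ip=$1 mask=$2
    oldifs=$IFS
    IFS=.
    set -- $ip;   a=$1 b=$2 c=$3 d=$4
    set -- $mask; m1=$1 m2=$2 m3=$3 m4=$4
    IFS=$oldifs
    bits=0
    for m in $m1 $m2 $m3 $m4; do          # prefix length = set bits in the mask
        while [ "$m" -gt 0 ]; do
            bits=$((bits + (m & 1)))
            m=$((m >> 1))
        done
    done
    echo "$((a & m1)).$((b & m2)).$((c & m3)).$((d & m4))/$bits"
}

# killswitch <lan-if> <tun-if> <lan-cidr> <vpn-udp-port>
killswitch() {
    lan=$1 vpn_if=$2 lan_net=$3 vpn_port=$4

    # The Pi's own traffic: anything may leave through the tunnel. On the LAN
    # side allow only what brings the tunnel up (resolving and reaching the
    # endpoint, NTP so certificate dates validate), the LAN itself and ICMP;
    # the final DROP stops any fallback to the ISP path while tun0 is down.
    $IPT -A OUTPUT -o "$vpn_if" -m comment --comment "vpn" -j ACCEPT
    $IPT -A OUTPUT -o "$lan" -d "$lan_net" -m comment --comment "lan" -j ACCEPT
    $IPT -A OUTPUT -o "$lan" -p udp --dport "$vpn_port" -m comment --comment "openvpn" -j ACCEPT
    $IPT -A OUTPUT -o "$lan" -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
    $IPT -A OUTPUT -o "$lan" -p tcp --dport 53 -m comment --comment "dns" -j ACCEPT
    $IPT -A OUTPUT -o "$lan" -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
    $IPT -A OUTPUT -o "$lan" -p icmp -m comment --comment "icmp" -j ACCEPT
    $IPT -A OUTPUT -o "$lan" -j DROP

    # Routed clients: default-deny forwarding, then LAN -> tunnel and the
    # replies. There is deliberately no eth0 -> eth0 rule, so with the tunnel
    # down client traffic is dropped rather than handed to the home router.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$lan" -o "$vpn_if" -m comment --comment "LAN out to VPN" -j ACCEPT
    $IPT -A FORWARD -i "$vpn_if" -o "$lan" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$vpn_if" -j MASQUERADE
}

# Usage: ./killswitch.sh <pi-address> [netmask]
# e.g.   IPT=echo ./killswitch.sh 192.168.0.15 255.255.255.0   (preview first)
if [ -n "${1:-}" ]; then
    killswitch eth0 tun0 "$(lan_cidr "$1" "${2:-255.255.255.0}")" 1198
fi
```

Preview with `IPT=echo` and check that the `-d` in the `lan` rule matches the network your clients are on before applying; if the provider uses TCP or another port (as maartenjd found with PureVPN), change the `openvpn` rule accordingly.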

batman84 commented May 2, 2017 edited

Just followed all the instructions.
It works and the config is running on the RPi.
But when I check at whatismyipaddress.com the IP has not changed.
It still shows my broadband IP.

BTW, internet just works like normal on my laptop or Android devices (wireless).

internet router ip=192.168.1.1
rpi ip =192.168.1.84 (pihole)

Thu May 4 19:21:56 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 4 19:21:56 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu May 4 19:21:56 2017 UDPv4 link local: [undef]
Thu May 4 19:21:56 2017 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XX:1945
Thu May 4 19:21:57 2017 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XX:1945, sid=c4d1b5a746 ee5g6f36
Thu May 4 19:21:57 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu May 4 19:21:57 2017 VERIFY OK: depth=1, C=SG, ST=SG, L=Singapore, O=White-VPS, OU=Provider, CN=sg0-white-vps, name=White-VPS, emailAddress=info@XXXX.com
Thu May 4 19:21:57 2017 VERIFY OK: depth=0, C=SG, ST=SG, L=Singapore, O=White-VPS, OU=Provider, CN=sg0-white-vps, name=White-VPS, emailAddress=mailto:info@XXX.com
Thu May 4 19:21:57 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 4 19:21:57 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 4 19:21:57 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 4 19:21:57 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 4 19:21:57 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu May 4 19:21:57 2017 [sg0-white-vps] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XX:1945
Thu May 4 19:22:00 2017 SENT CONTROL [sg0-white-vps]: 'PUSH_REQUEST' (status=1)
Thu May 4 19:22:00 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.6.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.10.6.6 10.10.6.5'
Thu May 4 19:22:00 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu May 4 19:22:00 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 4 19:22:00 2017 OPTIONS IMPORT: route options modified
Thu May 4 19:22:00 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu May 4 19:22:00 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=C51:22:eC:6e:03:b3
Thu May 4 19:22:00 2017 TUN/TAP device tun0 opened
Thu May 4 19:22:00 2017 TUN/TAP TX queue length set to 100
Thu May 4 19:22:00 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu May 4 19:22:00 2017 /sbin/ip link set dev tun0 up mtu 1500
Thu May 4 19:22:00 2017 /sbin/ip addr add dev tun0 local 10.10.6.6 peer 10.10.6.5
Thu May 4 19:22:00 2017 /sbin/ip route add XXX.XXX.XXX.XX/32 via 192.168.1.1
Thu May 4 19:22:00 2017 /sbin/ip route add 0.0.0.0/1 via 10.10.6.5
Thu May 4 19:22:00 2017 /sbin/ip route add 128.0.0.0/1 via 10.10.6.5
Thu May 4 19:22:00 2017 /sbin/ip route add 10.10.6.0/24 via 10.10.6.5
Thu May 4 19:22:00 2017 Initialization Sequence Completed

shanempope commented May 2, 2017 edited

@dumpster99 that bash script is great. Just wondering if you've had to update it any since then. thanks!

Edit: i'm doing the same thing with a debian cli VM on a windows server.

lj1722 commented May 17, 2017 edited

I got this set up and working OK. The tunnel is up. However any client that connects to the AP gets no internet. I saw someone else with the same problem but no answer. Any ideas? I'm a Linux noob.

I should add that I'm trying to set this up so it's a VPN service that routes all WiFi traffic out the tunnel over Ethernet.

Thanks Jamie 🥇

Clpero1 commented May 31, 2017

Is port forwarding necessary with this setup? If so, how/what rules do I need to add to IPTables? I believe that my ports are being handled properly but I can't confirm with sites like canyouseeme.

cariacou commented Jun 5, 2017

If I were to point my Router to the PI, I am guessing all the devices connected to my router will then go through the VPN, both for DNS & browsing?
