Raspberry Pi as VPN access point

  • Install the required packages:

```bash
sudo apt-get install isc-dhcp-server hostapd openvpn iptables-persistent
```

  • Replace /etc/network/interfaces with:

```
auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static
# The IP range for this router is 192.168.178.20-200, the router itself has the IP 192.168.178.1
address 192.168.178.25
netmask 255.255.255.0
gateway 192.168.178.1

# Do not send SSH traffic through the tunnel
up ip rule add fwmark 65 table novpn
up ip route add default via 192.168.178.1 dev eth0 table novpn
up ip route flush cache

auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
# The IP range for our VPN wifi is 192.168.42.20-40
address 192.168.42.1
netmask 255.255.255.0

# Restore iptables from the file written by iptables-save below
# (a pre-up command that fails keeps wlan0 down, so the path must exist)
pre-up iptables-restore /etc/iptables/rules.v4
```

  • In /etc/dhcp/dhcpd.conf, make sure this line is present and not commented out:

```
authoritative;
```

  • In /etc/dhcp/dhcpd.conf, add:

```
subnet 192.168.42.0 netmask 255.255.255.0 {
  range 192.168.42.20 192.168.42.40;
  option broadcast-address 192.168.42.255;
  option routers 192.168.42.1;
  option domain-name "local";
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}
```

  • In /etc/default/isc-dhcp-server, change:

```
INTERFACES="wlan0"
```

  • Get a hostapd build modified to work with the RTL8192cu chipset (this is not necessary for the Raspberry Pi 3):

```bash
sudo mv /usr/sbin/hostapd /usr/sbin/hostapd.old
wget http://dl.dropbox.com/u/1663660/hostapd/hostapd
sudo mv hostapd /usr/sbin/hostapd
sudo chmod 755 /usr/sbin/hostapd
sudo chgrp root /usr/sbin/hostapd
sudo chown root /usr/sbin/hostapd
```

  • Create /etc/hostapd/hostapd.conf, add:

```
interface=wlan0
# --- NOT NECESSARY FOR RASPBERRY 3 ---
driver=rtl871xdrv
# --- NOT NECESSARY FOR RASPBERRY 3 ---
ssid=london
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=ayckbourn
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
```

  • Create /etc/default/hostapd, add:

```
DAEMON_CONF="/etc/hostapd/hostapd.conf"
```

  • Get the OpenVPN configuration files (using UK London as an example):

```bash
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip
sudo mv "UK London.ovpn" /etc/openvpn/london.conf
sudo mv ca.crt /etc/openvpn/ca.crt
sudo mv crl.pem /etc/openvpn/crl.pem
```

  • In /etc/openvpn/london.conf, change the following lines:

```
remote uk-london.privateinternetaccess.com 9201
ca /etc/openvpn/ca.crt
auth-user-pass /etc/openvpn/pass.txt
crl-verify /etc/openvpn/crl.pem
```

  • Create /etc/openvpn/pass.txt, add:

```
username
password
```

  • In /etc/default/openvpn, change:

```
AUTOSTART="all"
```

  • In /etc/default/ifplugd, change:

```
HOTPLUG_INTERFACES="eth0"
```

  • Activate IP forwarding (takes effect immediately):

```bash
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
```

  • To activate IP forwarding at boot, in /etc/sysctl.conf, change:

```
net.ipv4.ip_forward=1
```

  • Create the SSH exception routing table (the sudo has to cover the redirection, not only the echo, or the write to /etc/iproute2/rt_tables fails with permission denied):

```bash
sudo sh -c 'echo "201 novpn" >> /etc/iproute2/rt_tables'
```

  • Flush the current iptables rules and reset the default policies:

```bash
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X
```

  • Write the new iptables rules for tunneling (wifi clients may only open new connections via tun0; new connections towards eth0 are rejected, so nothing leaks when the VPN is down):

```bash
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -s 192.168.42.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -j REJECT
sudo iptables -A FORWARD -s 192.168.42.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
```

  • Write the iptables rule for the SSH exception (mark packets leaving from port 22 so the novpn table sends them out via eth0 instead of the tunnel):

```bash
sudo iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 65
```

  • Write the iptables rules that slow down brute-force attempts against SSH (the fourth new connection from one address within 60 seconds is dropped):

```bash
sudo iptables -A INPUT -p tcp --dport 22 -i eth0 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -i eth0 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
```

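To see what `--seconds 60 --hitcount 4` does to a series of connection attempts, here is a small shell model of the two `-m recent` rules; it is an added example, not part of the gist. The attempt log is constructed (documentation-range addresses), and the model ignores the `ip_pkt_list_tot` cap on stored timestamps, so it approximates the xt_recent behaviour rather than reproducing the kernel code.

```bash
#!/bin/sh
# Model of the two "-m recent" rules: every NEW SYN to port 22 is recorded (--set),
# and the packet is dropped when the source has >= 4 hits in the last 60 seconds
# (--update --seconds 60 --hitcount 4). Added example, not the gist's own code;
# it ignores xt_recent's ip_pkt_list_tot cap on stored timestamps.

# Constructed attempt log: "<epoch-seconds> <source-ip>" per NEW connection,
# in time order. 203.0.113.5 hammers the port, 198.51.100.7 connects twice.
ATTEMPTS='0 203.0.113.5
5 203.0.113.5
10 203.0.113.5
12 198.51.100.7
15 203.0.113.5
20 203.0.113.5
90 203.0.113.5
95 203.0.113.5
100 203.0.113.5
105 203.0.113.5
200 198.51.100.7'

# simulate_ssh_limit [WINDOW] [HITCOUNT]: reads attempts on stdin and prints
# "<time> <ip> ACCEPT|DROP" per attempt, the verdict the INPUT chain would give.
simulate_ssh_limit() {
    awk -v window="${1:-60}" -v limit="${2:-4}" '
    {
        t = $1; ip = $2
        # rule 1 (--set): record this hit for the source address
        n[ip]++
        stamp[ip, n[ip]] = t
        # rule 2 (--update --seconds W --hitcount N): count hits younger than W seconds
        hits = 0
        for (i = 1; i <= n[ip]; i++)
            if (t - stamp[ip, i] < window) hits++
        print t, ip, (hits >= limit ? "DROP" : "ACCEPT")
    }'
}

printf '%s\n' "$ATTEMPTS" | simulate_ssh_limit 60 4
```

The fourth attempt inside any 60-second window is dropped, and because the `--set` rule runs before the `DROP`, dropped attempts still count: a client that keeps retrying stays blocked and is only admitted again after pausing long enough that fewer than three earlier hits remain in the window (here at t=90). An address that connects occasionally (198.51.100.7) is never affected.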
  • Save iptables (restored by iptables-persistent at reboot):

```bash
sudo sh -c "iptables-save > /etc/iptables/rules.v4"
```

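Because the default FORWARD policy stays ACCEPT, the single REJECT rule is what stops wifi clients from reaching the internet over eth0 while tun0 is down, and a missing or mis-ordered rule would leak silently. The following script, an added example rather than part of the gist, audits an `iptables-save` dump for the invariants the rules above establish. The dumps it runs on here are constructed to look like what the steps above would save; on the Pi, feed it the real file with `audit_vpn_rules < /etc/iptables/rules.v4`.

```bash
#!/bin/sh
# Audit an iptables-save dump for the kill-switch invariants set up above.
# Added example, not the gist's own code. Reads the dump on stdin, prints one
# PASS/FAIL line per check and returns non-zero if any check fails.

# has_rule TEXT PATTERN: true if some line of TEXT matches the extended regex
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }
lacks_rule() { ! has_rule "$1" "$2"; }

# check DESCRIPTION COMMAND...: run the check, report and count the outcome
check() {
    check_desc=$1; shift
    if "$@"; then
        echo "PASS: $check_desc"
    else
        echo "FAIL: $check_desc"
        audit_failures=$((audit_failures + 1))
    fi
}

audit_vpn_rules() {
    audit_rules=$(cat)
    audit_failures=0
    audit_nat=$(printf '%s\n' "$audit_rules" | sed -n '/^\*nat/,/^COMMIT/p')
    audit_filter=$(printf '%s\n' "$audit_rules" | sed -n '/^\*filter/,/^COMMIT/p')

    check "wlan0 -> eth0 NEW connections are rejected (kill switch)" \
        has_rule "$audit_filter" '^-A FORWARD .*-i wlan0 .*-o eth0 .*--ctstate NEW .*-j (REJECT|DROP)'
    check "no rule ACCEPTs wlan0 -> eth0 forwarding (would bypass the kill switch)" \
        lacks_rule "$audit_filter" '^-A FORWARD .*-i wlan0 .*-o eth0 .*-j ACCEPT'
    check "wlan0 -> tun0 NEW connections are accepted" \
        has_rule "$audit_filter" '^-A FORWARD .*-i wlan0 .*-o tun0 .*--ctstate NEW .*-j ACCEPT'
    check "clients are masqueraded behind tun0" \
        has_rule "$audit_nat" '^-A POSTROUTING -o tun0 -j MASQUERADE'
    check "SSH rate limit on eth0 is present" \
        has_rule "$audit_filter" '^-A INPUT .*-i eth0 .*--dport 22 .*-m recent --update --seconds 60 --hitcount 4 .*-j DROP'

    if has_rule "$audit_filter" '^:FORWARD ACCEPT'; then
        echo "NOTE: FORWARD policy is ACCEPT, so the REJECT rule is the only thing preventing leaks"
    fi
    [ "$audit_failures" -eq 0 ]
}

# Constructed iptables-save dump matching the steps above (not captured from a real Pi)
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --sport 22 -j MARK --set-xmark 0x41/0xffffffff
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -s 192.168.42.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.42.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# The same dump with the REJECT turned into ACCEPT: the mistake the audit must catch
LEAKY_RULES=$(printf '%s\n' "$GOOD_RULES" | sed 's/-j REJECT --reject-with icmp-port-unreachable$/-j ACCEPT/')

echo "== rules as saved by the steps above =="
printf '%s\n' "$GOOD_RULES" | audit_vpn_rules || echo "-> audit FAILED"
echo "== same rules with the REJECT replaced by ACCEPT =="
printf '%s\n' "$LEAKY_RULES" | audit_vpn_rules || echo "-> audit FAILED (expected: the kill switch is gone)"
```

The patterns are written against the normalised form `iptables-save` prints (match options in canonical order, `--reject-with` spelled out), which is why the script audits the saved file rather than the commands you typed.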
  • Reboot:

```bash
reboot
```

  • If the IPs do not work, use dig +short uk-london.privateinternetaccess.com to get an up-to-date list of addresses, paste them into /etc/openvpn/london.conf as remote lines under a remote-random option, then keep restarting OpenVPN with /etc/init.d/openvpn restart to cycle through the addresses until one works.
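As an added example (not the gist's code), a small shell script that turns `dig +short` output into the `remote` lines this step asks for and splices them into the config in place. The `dig` output and the london.conf it edits are constructed samples; the addresses come from the 192.0.2.0/24 documentation range rather than real servers. It drops the CNAME target line that `dig +short` prints ahead of the A records when the name is an alias, which must not end up in the config.

```bash
#!/bin/sh
# Turn "dig +short HOST" output into OpenVPN "remote" lines and splice them into a
# config file under "remote-random". Added example, not the gist's own code.

# Constructed "dig +short uk-london.privateinternetaccess.com" output: a CNAME
# target followed by A records (documentation addresses, not real servers).
DIG_OUTPUT='uk-london.privateinternetaccess.com.
192.0.2.10
192.0.2.11
192.0.2.12'

# Constructed london.conf with the single hostname remote from the step above.
SAMPLE_CONF='client
dev tun
proto udp
remote uk-london.privateinternetaccess.com 9201
resolv-retry infinite
ca /etc/openvpn/ca.crt
auth-user-pass /etc/openvpn/pass.txt
crl-verify /etc/openvpn/crl.pem'

# extract_ipv4: keep only dotted-quad lines (drops CNAME names and anything else)
extract_ipv4() {
    awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        split($0, o, ".")
        if (o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255) print
    }'
}

# render_remotes PORT: one "remote IP PORT" line per address, preceded by remote-random
render_remotes() {
    echo "remote-random"
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then echo "remote $ip $1"; fi
    done
}

# update_remotes CONF PORT: read dig output on stdin and replace the existing
# "remote ..." line(s) in CONF with the rendered block; other directives are kept.
update_remotes() {
    extract_ipv4 | render_remotes "$2" | awk '
        NR == FNR { block = (block == "" ? $0 : block "\n" $0); next }  # stdin: rendered block
        /^remote-random$/ { next }                                       # drop a stale one
        /^remote / { if (!done) { print block; done = 1 }; next }        # replace remote line(s)
        { print }
    ' - "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on a temporary copy of the constructed config
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
printf '%s\n' "$DIG_OUTPUT" | update_remotes "$demo_conf" 9201
cat "$demo_conf"
rm -f "$demo_conf"
```

On the Pi this would be `dig +short uk-london.privateinternetaccess.com | sudo sh -c 'update_remotes /etc/openvpn/london.conf 9201'` after sourcing the functions. OpenVPN already moves on to the next `remote` entry when a connection attempt fails, and `remote-random` only shuffles the starting point, so the restart loop mostly forces a fresh pick. While editing files under /etc/openvpn, keep pass.txt readable by root only (mode 600): it holds the account password in clear text.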