Raspberry Pi VPN Router - GitHub
superjamie / raspberrypivpnrouter.md
Last active 8 hours ago
Requirements
Install Raspbian Jessie (2016-05-27-raspbian-jessie.img) to your Pi's SD card.
Use the Raspberry Pi Configuration tool or sudo raspi-config to:
Expand the root filesystem and reboot
Boot to command line, not to GUI
Configure the right keyboard map and timezone
Configure the Memory Split to give 16Mb (the minimum) to the GPU
Consider overclocking to the Medium (900MHz) setting on Pi 1, or High (1000MHz) setting on Pi 2
IP Addressing
My home network is set up as follows:
Internet Router: 192.168.1.1
Subnet Mask: 255.255.255.0
Router gives out DHCP range: 192.168.100-200
If your network range is different, that's fine, use your network range instead of mine.
I'm going to give my Raspberry Pi a static IP address of 192.168.1.2 by configuring /etc/network/interfaces like so:
    auto lo
    iface lo inet loopback

    auto eth0
    allow-hotplug eth0
    iface eth0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        gateway 192.168.1.1
        dns-nameservers 8.8.8.8 8.8.4.4
You can use WiFi if you like; there are plenty of tutorials around the internet for setting that up, but this should do:
[Source: https://gist.github.com/superjamie/ac55b6d2c080582a3e64, printed 1/26/2017]
    auto lo
    iface lo inet loopback

    auto eth0
    allow-hotplug eth0
    iface eth0 inet manual

    auto wlan0
    allow-hotplug wlan0
    iface wlan0 inet static
        wpa-ssid "YourSSID"
        wpa-psk "YourPassword"
        address 192.168.1.2
        netmask 255.255.255.0
        gateway 192.168.1.1
        dns-nameservers 8.8.8.8 8.8.4.4
You only need one connection into your local network, don't connect both Ethernet and WiFi. I recommend Ethernet if possible.
NTP
Accurate time is important for the VPN encryption to work. If the VPN client's clock is too far off, the VPN server will reject the client.
You shouldn't have to do anything to set this up, the ntp service is installed and enabled by default.
Double-check your Pi is getting the correct time from internet time servers with ntpq -p; you should see at least one peer with a + or a * or an o, for example:
    $ ntpq -p
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     0.time.xxxx.com 104.21.137.30    2 u   47   64  324    0.416    0.366   0.239
    +node01.jp.xxxxx 226.252.532.9    2 u   39   64  724    1.030    3.071   0.852
    *t.time.xxxx.net 104.1.306.769    2 u   38   64  712    7.126    2.728   0.514
    +node02.jp.xxxxx 250.9.592.830    2 u    8   64  172   41.212    4.784   1.398
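The check this section describes, as an added shell example that is not part of the gist: it scans ntpq -p output for a peer carrying a usable tally code (*, + or o) and then reads the system peer's offset, since the point of the section is that a clock too far from the server's gets the client rejected. The function names, the 1000 ms threshold and the two sample outputs (which use TEST-NET addresses) are constructed for this example; the live check assumes ntpq is installed, as the section says it is by default.

```shell
#!/bin/sh
# Added example, not from the gist: NTP sanity checks over ntpq -p output.

# Constructed sample: converged ntpd with a system peer (*) and candidates (+).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.pool.example. 203.0.113.10     2 u   47   64  324    0.416    0.366   0.239
+node01.example. 203.0.113.11     2 u   39   64  724    1.030    3.071   0.852
*node02.example. 203.0.113.12     2 u   38   64  712    7.126    2.728   0.514'

# Constructed sample: just after boot, no peer selected yet (tally column blank).
SAMPLE_NO_PEER='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.pool.example. 203.0.113.10     2 u   12   64    1    0.416    0.366   0.239
 node01.example. 203.0.113.11     2 u   10   64    1    1.030    3.071   0.852'

# Return 0 if any peer line starts with a usable tally code:
# * = system peer, + = candidate, o = PPS peer. Header lines never do.
ntp_has_peer() {
    printf '%s\n' "$1" | grep -q '^[*+o]'
}

# Print the offset column (milliseconds) of the system peer, the line tagged *.
# Columns: remote refid st t when poll reach delay offset jitter -> offset is $9.
ntp_syspeer_offset() {
    printf '%s\n' "$1" | awk '/^\*/ { print $9; exit }'
}

# Return 0 when the system peer exists and |offset| is below max_ms ($2).
ntp_offset_ok() {
    off=$(ntp_syspeer_offset "$1")
    [ -n "$off" ] || return 1
    awk -v o="$off" -v m="$2" 'BEGIN { if (o < 0) o = -o; exit !(o < m) }'
}

# Live check, e.g. from cron or before starting OpenVPN: requires ntpq on the Pi.
ntp_check_live() {
    out=$(ntpq -p 2>/dev/null) || return 1
    ntp_has_peer "$out" && ntp_offset_ok "$out" 1000
}
```

ntp_check_live returns non-zero both when ntpd has not converged yet and when the clock is more than a second off, which are the two states in which the VPN server is likely to reject the client.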
Copy the PIA OpenVPN certificates and profile to the OpenVPN client:
    sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
    sudo cp openvpn/Japan.ovpn /etc/openvpn/Japan.conf
You can use a different VPN endpoint if you like. Note the extension change from ovpn to conf.
Create /etc/openvpn/login containing only your username and password, one per line, for example:
    user12345678
    MyGreatPassword
Change the permissions on this file so only the root user can read it:
    sudo chmod 600 /etc/openvpn/login
Set up OpenVPN to use your stored username and password by editing the config file for the VPN endpoint:
    sudo nano /etc/openvpn/Japan.conf
Change the ca, auth-user-pass and crl-verify lines to use the full paths, so they read:
    ca /etc/openvpn/ca.rsa.2048.crt
    auth-user-pass /etc/openvpn/login
    crl-verify /etc/openvpn/crl.rsa.2048.pem
Test VPN
At this point you should be able to test the VPN actually works:
    sudo openvpn --config /etc/openvpn/Japan.conf
    $ sudo openvpn --config /etc/openvpn/Japan.conf
    Sat Oct 24 12:10:54 2015 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 5
    Sat Oct 24 12:10:54 2015 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
    Sat Oct 24 12:10:54 2015 UDPv4 link local: [undef]
    Sat Oct 24 12:10:54 2015 UDPv4 link remote: [AF_INET]123.123.123.123:1194
    Sat Oct 24 12:10:54 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Oct 24 12:10:56 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]123.123.123.123:1194
    Sat Oct 24 12:10:58 2015 TUN/TAP device tun0 opened
    Sat Oct 24 12:10:58 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Oct 24 12:10:58 2015 /sbin/ip link set dev tun0 up mtu 1500
    Sat Oct 24 12:10:58 2015 /sbin/ip addr add dev tun0 local 10.10.10.6 peer 10.10.10.5
    Sat Oct 24 12:10:59 2015 Initialization Sequence Completed
Enable IP Forwarding:
    echo -e '\n# Enable IP Routing\nnet.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p
Set up NAT from the local LAN down the VPN tunnel:
    sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
Install iptables-persistent so the rules survive a reboot:
    sudo apt-get install iptables-persistent
The installer will ask if you want to save current rules, select Yes.
If you don't select Yes, that's fine, you can save the rules later with sudo netfilter-persistent save
Make the rules apply at startup:
    sudo systemctl enable netfilter-persistent
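The rules above forward LAN traffic into tun0 but leave the FORWARD chain's default policy at ACCEPT, so when the tunnel drops, a client's packets can still be forwarded out eth0 to the home router in the clear; the comment further down this page that sets sudo iptables -P FORWARD DROP addresses exactly that. The following script is an added example, not part of the gist: it emits the gist's rules together with a default-DROP FORWARD policy, and checks an iptables-save dump for that shape before you persist it with netfilter-persistent. The interface names eth0 and tun0 are the gist's; the function names and the two sample dumps are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the gist: VPN-router forwarding rules with a kill
# switch (FORWARD policy DROP), plus a verifier for an iptables-save dump.

# Emit the iptables commands, one per line, without executing anything.
vpn_router_rules() {
    lan="$1"; vpn="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -o $vpn -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $vpn -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $lan -o $vpn -j ACCEPT
EOF
}

# Inspect an iptables-save dump ($1) for LAN interface $2 and tunnel $3.
# Return 0 only if: the FORWARD policy is DROP, traffic leaving the tunnel is
# masqueraded, LAN->tunnel forwarding is allowed, and no rule forwards LAN
# traffic straight back out the physical interface (the leak path when tun0 is down).
check_killswitch() {
    dump="$1"; lan="$2"; vpn="$3"
    printf '%s\n' "$dump" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$dump" | grep -q "^-A POSTROUTING -o $vpn -j MASQUERADE" || return 1
    printf '%s\n' "$dump" | grep -q "^-A FORWARD -i $lan -o $vpn -j ACCEPT" || return 1
    if printf '%s\n' "$dump" | grep -q "^-A FORWARD -i $lan -o $lan "; then
        return 1
    fi
    return 0
}

# Constructed dump: the gist's rules plus the DROP policy (what we want to see).
GOOD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT'

# Constructed dump: the gist's rules as written, FORWARD policy left at ACCEPT.
LEAKY_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT'

# Usage: sh vpnrouter.sh print   -> show the rules
#        sh vpnrouter.sh apply   -> run them with sudo, then verify the live ruleset
case "${1:-}" in
  print) vpn_router_rules eth0 tun0 ;;
  apply)
    # $cmd is expanded unquoted on purpose: each line is a plain argv list.
    vpn_router_rules eth0 tun0 | while read -r cmd; do sudo $cmd; done
    if check_killswitch "$(sudo iptables-save)" eth0 tun0; then
        echo "kill switch OK, safe to run: sudo netfilter-persistent save"
    else
        echo "kill switch MISSING, do not persist these rules"
    fi
    ;;
esac
```

Run check_killswitch against sudo iptables-save after any rule change: it is cheap, and catches the common mistake of restoring an older saved ruleset that predates the DROP policy.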
If you find traffic on your other systems stops, then look on the Pi to see if the VPN is up or not.
You can check the status and logs of the VPN client with:
    sudo systemctl status openvpn@Japan
    sudo journalctl -u openvpn@Japan
Now we're ready to tell other systems to send their traffic through the Raspberry Pi.
Configure the other systems' network settings so they look like this:
Default Gateway: the Pi's static IP address, eg: 192.168.1.2
DNS: Something public like Google DNS, 8.8.8.8 and 8.8.4.4
Don't use your existing internet router (eg: 192.168.1.1) as DNS, or your DNS queries will be visible to your ISP and hence may be visible to organizations who wish to see your internet traffic.
You may now configure the other systems on the LAN to use the Pi (192.168.1.2) as their DNS server as well as their gateway.
I do have one strange thing happen to my setup from time to time though.
My setup is:
fiber 100/100 ISP provider into house, Airport Extreme as router/DHCP server/DNS connected to 8.8.8.8/8.8.4.4, 2x AppleTV connected by DHCP and a Raspberry on DHCP but with reserved IP in the range.
This has worked as a charm from the moment I found this tutorial and I don't have any problems switching the AppleTVs from DHCP to manual, pointing them to the Raspberry IP and then accessing the American Netflix, but then sometimes....
At random times the VPN stops working. I haven't found out why and the easiest and most lazy solution has been to just reinstall everything using this tutorial.
Usually this works just fine and everything is back to normal with AppleTV and Netflix.
Sometimes though I get as far as I can list the content of the American Netflix (I know what titles differ between Sweden and USA), but as soon as I try to play any content I get the pesky Netflix error #139.
So what I am wondering is:
1. What would be the best way of error searching once the VPN stops working altogether?
2. What on earth could create the strange error that makes me browse the content but not play it?
Any takers?
works so, from the Pi I can browse the Internet via the tunnel. As I'm not an iptables specialist, I don't know exactly what to do to link the wlan0 and the tun0. Would this be necessary, actually? Should this work without other modifications/additions to your tutorial and something went wrong on my side? Thanks in advance.
I think this would only protect the clients from leaking the real IP, not the Pi itself?
BUT after that: Clients now don't have access on home network 192.168.1.0/16
any solution for that?
this setup on my BananaPi 32 Mb/s 4 MB/s gives throughput. As I have 64 Mb/s of linespeed I'll decide to get one of these odroid devices.
Cheers.
to 1198
as that's what my Netherlands.conf file is saying
    sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
Also here, the above said it should look like this:
    ca ca.crt
    auth-user-pass
    crl-verify crl.pem
However, it looks like this:
    ca ca.rsa.2048.crt
    auth-user-pass
    crl-verify crl.rsa.2048.pem
When I changed it to this:
    ca /etc/openvpn/ca.crt
    auth-user-pass /etc/openvpn/login
    crl-verify /etc/openvpn/crl.pem
I keep getting errors in those lines, which it's asking me to correct. Any help would be welcome, and thanks in advance.
Also when I put this command line: sudo cp openvpn/ca.crt openvpn/crl.pem /etc/openvpn/ I am getting the below errors
    cp: cannot stat openvpn/ca.crt: No such file or directory
    cp: cannot stat openvpn/crl.pem: No such file or directory
Really don't know what I am doing wrong
Thanks for any help in advance.. Tubbs
So, when you downloaded wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
you should have these files
    ca.rsa.2048.crt
    crl.rsa.2048.pem
You need to make sure that both of these files, Japan.conf and your login file are in this directory: /etc/openvpn
then
    sudo nano /etc/openvpn/Japan.conf
and make sure that you have the full path for these 3 lines
    ca /etc/openvpn/ca.rsa.2048.crt
    auth-user-pass /etc/openvpn/login
    crl-verify /etc/openvpn/crl.rsa.2048.pem
Also FYI, PIA changed their port number to 1198. Hope it works
I would also edit this:
    sudo vim /etc/default/openvpn
    ca /etc/openvpn/ca.rsa.2048.crt
    disable-occ
And done this like this
    sudo iptables -A OUTPUT -d 192.168.0.1/24 -o eth0 -m comment --comment "lan" -j ACCEPT
My Raspberry Pi address added above 192.168.0.5
    sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
Also add this port 1198 in
Test VPN
At this point you should be able to test the VPN actually works:
    sudo openvpn --config /etc/openvpn/Japan.conf
When I tested I'm getting this:
    pi@raspberrypi ~ $ sudo openvpn --config /etc/openvpn/Japan.conf
    Sun Aug 7 23:30:43 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
    Sun Aug 7 23:30:43 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
    Sun Aug 7 23:30:43 2016 UDPv4 link local: [undef]
    Sun Aug 7 23:30:43 2016 UDPv4 link remote: [AF_INET]161.202.72.147:1198
    Sun Aug 7 23:30:44 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sun Aug 7 23:30:45 2016 [a256e14cb98c429b76e86d08cc3856ad] Peer Connection Initiated with [AF_INET]161.202.72.147:1198
    Sun Aug 7 23:30:48 2016 AUTH: Received control message: AUTH_FAILED
    Sun Aug 7 23:30:48 2016 SIGTERM[soft,auth-failure] received, process exiting
Doesn't look as if it's working properly tho lol
And
Done this:
    sudo vim /etc/default/openvpn
Look for line OPTARGS="" and change it to:
    OPTARGS="--auth-nocache"
    persist-tun
    cipher aes-128-cbc
    auth sha1
    tls-client
    remote-cert-tls server
    auth-user-pass /etc/openvpn/tmp
    comp-lzo
    verb 1
    reneg-sec 0
    crl-verify /etc/openvpn/crl.rsa.2048.pem
    ca /etc/openvpn/ca.rsa.2048.crt
    disable-occ
    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
If you see your real public IP that's not good... then run this command:
    sudo service openvpn status
and look for "Running"; if you see it then you are good to go, if you see "Exited" then you need to troubleshoot.
Excellent tutorial. Got my VPN up and working great.
Does anyone know how to write a small bash file to swap locations? I'm currently using the PIA London node but sometimes wish to use one from the Netherlands.
How can I stop the current VPN connection to London and quickly connect it to the Netherlands one? I have copied over the correct ovpn to the correct directory etc.
    #!/bin/bash
    # start fresh
    iptables --flush
    iptables --delete-chain
    iptables -t nat -F
    # user-defined chains must exist before rules below can jump to them
    iptables -N BADPKT_LOGGING
    iptables -N LOGGING
    # default drop
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # loopback ok
    iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
    iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
    # openvpn ok (PIA now uses UDP 1198)
    iptables -A OUTPUT -o eth0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
    # DHCP ok
    iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
    # All TCP sessions should begin with SYN and drop bad packets
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j BADPKT_LOGGING
    iptables -A INPUT -m state --state INVALID -j BADPKT_LOGGING
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BADPKT_LOGGING
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BADPKT_LOGGING
    iptables -A INPUT -f -m comment --comment "Drop FRAGS" -j BADPKT_LOGGING
    iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j BADPKT_LOGGING
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADPKT_LOGGING
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BADPKT_LOGGING
    # LOGGING chain: rate-limited log line, then drop
    iptables -A LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    iptables -A LOGGING -j DROP
Note it's a different VPN provider
Any ideas? @superjamie ? :
Owner
@khromov Your VPN provider sends down the route to the internet endpoint 155.4.14.28/32 via 192.168.2.1 twice. It will have no effect, but you can raise it to their tech support if you like.
As described here you can fix this by commenting out the last 4 lines of your /etc/rsyslog.conf file like this:
    #daemon.*;mail.*;\
    #    news.err;\
    #    *.=debug;*.=info;\
    #    *.=notice;*.=warn    |/dev/xconsole
Which username and password do we need to enter in /etc/openvpn/login file ?
    geoff@rpisiete:~$ sudo systemctl -l status openvpn@USWest
    openvpn@USWest.service - OpenVPN connection to USWest
       Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
       Active: active (running) since Sun 2016-11-27 07:46:15 MST; 6h ago
      Process: 418 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (cod
     Main PID: 484 (openvpn)
       CGroup: /system.slice/system-openvpn.slice/openvpn@USWest.service
               484 /usr/sbin/openvpn --daemon ovpn-USWest --status /run/openvpn/USWest.status 10 --cd /etc/openvpn --config /etc/openvpn/USWest.conf

    Nov 27 07:46:15 rpisiete ovpn-USWest[418]: OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on J
    Nov 27 07:46:15 rpisiete ovpn-USWest[418]: library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
    Nov 27 07:46:15 rpisiete ovpn-USWest[418]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: Temporary failure in name reso
    Nov 27 07:46:15 rpisiete ovpn-USWest[484]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: Temporary failure in name reso
    Nov 27 07:46:15 rpisiete systemd[1]: Started OpenVPN connection to USWest.
    Nov 27 07:46:20 rpisiete ovpn-USWest[484]: UDPv4 link local: [undef]
    Nov 27 07:46:20 rpisiete ovpn-USWest[484]: UDPv4 link remote: [AF_INET]104.200.151.75:1198
    Nov 27 07:46:20 rpisiete ovpn-USWest[484]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent thi
    Nov 27 07:46:20 rpisiete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
    Nov 27 07:46:23 rpisiete ovpn-USWest[484]: TUN/TAP device tun0 opened
    Nov 27 07:46:23 rpisiete ovpn-USWest[484]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Nov 27 07:46:23 rpisiete ovpn-USWest[484]: /sbin/ip link set dev tun0 up mtu 1500
    Nov 27 07:46:23 rpisiete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.38.10.6 peer 10.38.10.5
    Nov 27 07:46:23 rpisiete ovpn-USWest[484]: Initialization Sequence Completed
    Nov 27 13:00:59 rpisiete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Inactivity timeout (--ping-restart), restarting
    Nov 27 13:00:59 rpisiete ovpn-USWest[484]: SIGUSR1[soft,ping-restart] received, process restarting
    Nov 27 13:01:01 rpisiete ovpn-USWest[484]: UDPv4 link local: [undef]
    Nov 27 13:01:01 rpisiete ovpn-USWest[484]: UDPv4 link remote: [AF_INET]104.200.151.75:1198
    Nov 27 13:01:01 rpisiete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
    Nov 27 13:01:04 rpisiete ovpn-USWest[484]: Preserving previous TUN/TAP instance: tun0
    Nov 27 13:01:04 rpisiete ovpn-USWest[484]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Nov 27 13:01:04 rpisiete ovpn-USWest[484]: /sbin/ip addr del dev tun0 local 10.38.10.6 peer 10.38.10.5
    Nov 27 13:01:05 rpisiete ovpn-USWest[484]: TUN/TAP device tun0 opened
    Nov 27 13:01:05 rpisiete ovpn-USWest[484]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Nov 27 13:01:05 rpisiete ovpn-USWest[484]: /sbin/ip link set dev tun0 up mtu 1500
    Nov 27 13:01:05 rpisiete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.42.10.6 peer 10.42.10.5
    Nov 27 13:01:05 rpisiete ovpn-USWest[484]: Initialization Sequence Completed
    Nov 27 13:04:08 rpisiete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Inactivity timeout (--ping-restart), restarting
    Nov 27 13:04:08 rpisiete ovpn-USWest[484]: SIGUSR1[soft,ping-restart] received, process restarting
    Nov 27 13:04:10 rpisiete ovpn-USWest[484]: UDPv4 link local: [undef]
    Nov 27 13:04:10 rpisiete ovpn-USWest[484]: UDPv4 link remote: [AF_INET]104.200.151.75:1198
    Nov 27 13:04:11 rpisiete ovpn-USWest[484]: [f328c7b07e90db3b9882f2157dc21269] Peer Connection Initiated with [AF_INET]104.200.151.75:1198
    Nov 27 13:04:13 rpisiete ovpn-USWest[484]: Preserving previous TUN/TAP instance: tun0
    Nov 27 13:04:13 rpisiete ovpn-USWest[484]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Nov 27 13:04:13 rpisiete ovpn-USWest[484]: /sbin/ip addr del dev tun0 local 10.42.10.6 peer 10.42.10.5
    Nov 27 13:04:14 rpisiete ovpn-USWest[484]: TUN/TAP device tun0 opened
    Nov 27 13:04:14 rpisiete ovpn-USWest[484]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Nov 27 13:04:14 rpisiete ovpn-USWest[484]: /sbin/ip link set dev tun0 up mtu 1500
    Nov 27 13:04:14 rpisiete ovpn-USWest[484]: /sbin/ip addr add dev tun0 local 10.15.10.6 peer 10.15.10.5
    Nov 27 13:04:14 rpisiete ovpn-USWest[484]: Initialization Sequence Completed
Not sure why I'm getting the "RESOLVE" message, but again browsing from the OPENVPN client works
Perhaps I don't know how to either set up the Windows 10 machine, or how to connect:
For connection, I'm simply using a wired ethernet connection for both the OpenVPN machine and the Windows 10 client.
For the Windows 10 machine, I'm setting up a static IP with the gateway assigned to the OpenVPN machine, and using Google's DNS settings.
Where am I going wrong?
I still can't manage to stop the DNS from leaking. I'm using the DNSMasq option and have my pi
Also, if I hardcode my client DNS to something like an OpenDNS server or Google DNS, my DNS leak stops. So maybe it is some problem with DNSMasq allowing the leak as well?
I've not applied any OUTPUT rules, but primarily what worked for forwarding to VPN, and only VPN, was
    sudo iptables -P FORWARD DROP
which sets up the default rule for FORWARDing to DROP unless matched by another rule.
If the VPN connection is down, then no routed clients can connect. But the Raspberry Pi can still connect for updates, browsing, problem solving, etc.
Hope this helps.
into
    sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m comment --comment "openvpn" -j ACCEPT
so tcp instead of udp and port 80 instead of 1198 to enable openvpn to contact the vpnserver.
the clients behind the router to the locally running DNS server e.g. dnsmasq on the router.
Once the request is there, you can handle it appropriately. No more DNS leaks.
ab1
When I got to installing iptables-persistent in the guide, it would show an error that netfilter-persistent was not configured yet.