RaspberryPi/OpenVPN: Difference between revisions
From charlesreid1
Revision as of 12:08, 24 November 2019
OpenVPN plus PIA
Preparing the Pi
Fixing iptables
On the Kali Linux Pi image I used, I had to fix iptables to use a legacy NAT mode:
$ sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                        Priority   Status
------------------------------------------------------------
  0            /usr/sbin/iptables-nft       20        auto mode
* 1            /usr/sbin/iptables-legacy    10        manual mode
  2            /usr/sbin/iptables-nft       20        manual mode

Initially, 0 was selected. Select the one called iptables-legacy.
OpenVPN
https://docs.pi-hole.net/guides/vpn/installation/
Installing OpenVPN
wget https://git.io/vpn -O openvpn-install.sh
chmod 755 openvpn-install.sh
sudo ./openvpn-install.sh
This will ask you which interface the OpenVPN server should bind to. Select the one that is public-facing (the Internet).
I used the default port 1194, defaults for everything else.
Grab a coffee, this will install a bunch of stuff.
Checking OpenVPN Interface
OpenVPN will create a tun0 interface. Get its IP address:
ifconfig tun0 | grep 'inet'
Take note of this IP address, as we will push it to OpenVPN clients as their DNS server.
Edit /etc/openvpn/server/server.conf
Push the tun0 address as the clients' DNS server by adding the line
push "dhcp-option DNS <IP-ADDR-OF-TUN0-INTERFACE>"
For me,
push "dhcp-option DNS 10.8.0.1"
Also comment out any other push "dhcp-option DNS ..." lines.
Now restart the OpenVPN server:
sudo systemctl restart openvpn
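The same edit as a repeatable script. This is an added example, not code from the wiki page: the function names (first_inet_addr, set_dns_push, count_dns_pushes) are mine, and it assumes the server config lives where the page says (/etc/openvpn/server/server.conf) and that either ip or ifconfig output is fed in. Existing DNS pushes are commented out rather than deleted, the new line is added once, and a second run changes nothing.

```shell
#!/bin/sh
# Added example, not from the wiki page: finds the tun0 address and makes it
# the only DNS server pushed by the OpenVPN server, as the page does by hand.

# Print the first IPv4 address in interface output read from stdin.
# Works on both `ip -4 -o addr show dev tun0` and `ifconfig tun0` output:
# it takes the word after the first "inet" and drops any /prefix.
first_inet_addr() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { sub(/\/.*/, "", $(i + 1)); print $(i + 1); exit } }'
}

# Rewrite OpenVPN server config $1 so that $2 is the only DNS server pushed.
# Other push "dhcp-option DNS ..." lines are commented out (visible and
# reversible), the wanted line is added if absent, and the edit is idempotent.
set_dns_push() {
    conf=$1
    dns=$2
    tmp=$(mktemp) || return 1
    awk -v dns="$dns" '
        $0 ~ "^[ \t]*push[ \t]+\"dhcp-option[ \t]+DNS " {
            if (index($0, "DNS " dns "\"") > 0) { seen = 1; print; next }  # already the right one
            print "#" $0; next                                             # retire any other
        }
        { print }
        END { if (!seen) printf "push \"dhcp-option DNS %s\"\n", dns }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Count the active (uncommented) DNS pushes in $1; expect exactly 1 after the edit.
count_dns_pushes() {
    grep -c '^[[:space:]]*push "dhcp-option DNS ' "$1"
}

# On the Pi, as root:
#   addr=$(ip -4 -o addr show dev tun0 | first_inet_addr)
#   set_dns_push /etc/openvpn/server/server.conf "$addr"
#   count_dns_pushes /etc/openvpn/server/server.conf   # should print 1
#   systemctl restart openvpn
```

The count check matters: two active dhcp-option DNS pushes means clients get both resolvers, and whichever one answers first is used, so a leftover push would quietly send lookups past the Pi.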
PIA
https://www.novaspirit.com/2017/06/22/raspberry-pi-vpn-router-w-pia/
Setup
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip -d openvpn
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp 'openvpn/US New York.ovpn' /etc/openvpn/US.conf
Add to OpenVPN
Now add the PIA login credentials to the file /etc/openvpn/login, username on the first line and password on the second:
username123
password123
Now edit the config file to use these credentials:
vim /etc/openvpn/US.conf
Change the auth-user-pass line to point at that file, and the ca line to the copied certificate:
auth-user-pass /etc/openvpn/login
ca /etc/openvpn/ca.rsa.2048.crt
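The credentials file above holds a password in clear text, so the one thing to get right is its mode: created with a default umask it is world-readable, and any local user or compromised service on the Pi could read the PIA account. The following is an added example, not the page's or PIA's code: it writes the login file as 0600 from the start, checks that, and rewrites US.conf without an editor. The function names are mine; the paths default to the ones the page uses.

```shell
#!/bin/sh
# Added example, not from the wiki page: create the PIA credentials file with
# root-only permissions and point US.conf at it and at the copied CA file.

# Write username ($2) and password ($3) to $1, one per line, which is the
# layout OpenVPN's auth-user-pass expects. The umask in the subshell makes
# the file 0600 at creation, so the password is never world-readable.
write_login_file() {
    ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# Return 0 if $1 grants no group/other permissions at all, 1 otherwise.
# Reads the mode column of ls -ld, which is the same on Linux and BSD.
login_file_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# In OpenVPN client config $1, point auth-user-pass at $2 and ca at $3.
# Matching lines are replaced in place; a missing one is appended, so the
# result always contains exactly one of each. Other lines are untouched.
set_auth_file() {
    conf=$1
    login=$2
    ca=$3
    tmp=$(mktemp) || return 1
    awk -v login="$login" -v ca="$ca" '
        $0 ~ "^[ \t]*auth-user-pass([ \t]|$)" { print "auth-user-pass " login; seen_auth = 1; next }
        $0 ~ "^[ \t]*ca[ \t]"                 { print "ca " ca; seen_ca = 1; next }
        { print }
        END {
            if (!seen_auth) print "auth-user-pass " login
            if (!seen_ca)   print "ca " ca
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# On the Pi, as root, with the page's paths:
#   write_login_file /etc/openvpn/login 'username123' 'password123'
#   login_file_is_private /etc/openvpn/login || echo "login file is readable by others"
#   set_auth_file /etc/openvpn/US.conf /etc/openvpn/login /etc/openvpn/ca.rsa.2048.crt
```

If the file was already created by hand, `chmod 600 /etc/openvpn/login` brings it to the same state; the check function is there so a later audit can confirm nobody loosened it.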
Test it out
Check that it runs interactively:
openvpn --config /etc/openvpn/US.conf
Now set it as a startup service:
sudo systemctl enable openvpn@US
Enable packet forwarding
Edit /etc/sysctl.conf
Add/uncomment the line:
net.ipv4.ip_forward = 1
Apply the setting:
sudo sysctl -p
Forwarding from OpenVPN to Access Point
This assumes the following configuration:
wlan0 --> Internet
tun0 (OpenVPN) --> Internet via wlan0
WiFi Network --> wlan1 (Wifi AP) --> Internet via tun0
Run these commands to wire up wlan1 to tun0:
sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -I INPUT -i wlan1 -m comment --comment "In from LAN" -j ACCEPT
sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
sudo iptables -A OUTPUT -o wlan1 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o wlan1 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o wlan1 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan1 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
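Every rule in the list above is an ACCEPT rule, so with the default ACCEPT chain policies that Debian-based images ship with, the list restricts nothing: it only adds the MASQUERADE. In particular, if tun0 goes down, traffic from wlan1 clients is still forwarded out wlan0 in the clear. The script below is an added example, not from the wiki page or the novaspirit post it links: it sets DROP policies first (a kill switch for the AP clients), then adds the same rules with the interface names as parameters, using `-m conntrack --ctstate` in place of the older `-m state --state` alias. It assumes the page's topology (uplink wlan0, AP wlan1, tunnel tun+, PIA on UDP 1198), so the OpenVPN/NTP/DNS exceptions go out the uplink, where the tunnel is actually established. IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the wiki page: the page's forwarding rules with a
# default-deny policy underneath them, plus an audit of an iptables-save dump.
IPT=${IPT:-"sudo iptables"}  # command that programs the firewall; IPT=echo for a dry run
UPLINK=${UPLINK:-wlan0}      # carries the Internet and the VPN connection (page: wlan0)
AP=${AP:-wlan1}              # the WiFi access point (page: wlan1)
VPN=${VPN:-tun+}             # the OpenVPN tunnel interface(s)
VPN_PORT=${VPN_PORT:-1198}   # PIA's UDP port, as on the page

apply_vpn_firewall() {
    $IPT -F
    $IPT -t nat -F
    # Default deny: nothing in, out or through unless a rule below allows it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback, and replies to anything already allowed.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # The Pi accepts connections from its own AP clients (SSH, DHCP, DNS).
    $IPT -A INPUT -i "$AP" -m comment --comment "In from LAN" -j ACCEPT
    # The Pi itself may talk into the tunnel freely ...
    $IPT -A OUTPUT -o "$VPN" -m comment --comment "Out to VPN" -j ACCEPT
    # ... and to the uplink only for what is needed to bring the tunnel up.
    $IPT -A OUTPUT -o "$UPLINK" -p udp --dport "$VPN_PORT" -m comment --comment "openvpn" -j ACCEPT
    $IPT -A OUTPUT -o "$UPLINK" -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
    $IPT -A OUTPUT -o "$UPLINK" -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
    # AP clients are forwarded into the tunnel and nowhere else: with the
    # FORWARD policy at DROP, a downed tunnel means no path to the uplink.
    $IPT -A FORWARD -i "$AP" -o "$VPN" -m comment --comment "LAN out to VPN" -j ACCEPT
    $IPT -A FORWARD -i "$VPN" -o "$AP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$VPN" -j MASQUERADE
}

# Audit an iptables-save dump read from stdin: flag a FORWARD policy of ACCEPT
# and any FORWARD ACCEPT rule that takes AP traffic to a non-tunnel interface.
# Returns 0 when clean, 1 when at least one leak path was found.
audit_forward_rules() {
    leak_found=0
    while IFS= read -r line; do
        case "$line" in
            ":FORWARD ACCEPT"*)
                echo "LEAK: FORWARD default policy is ACCEPT"; leak_found=1 ;;
            "-A FORWARD "*"-i $AP "*"-o tun"*"-j ACCEPT") ;;   # the intended path
            "-A FORWARD "*"-i $AP "*"-j ACCEPT")
                echo "LEAK: $line"; leak_found=1 ;;
        esac
    done
    return $leak_found
}

# sh vpn-firewall.sh apply   (IPT=echo sh vpn-firewall.sh apply to preview)
# sh vpn-firewall.sh audit   (checks the rules currently loaded)
case "${1:-}" in
    apply) apply_vpn_firewall ;;
    audit) sudo iptables-save | audit_forward_rules ;;
esac
```

Two things to add before applying this on a real Pi, because INPUT is now default-deny: an INPUT rule for SSH on the uplink if that is how you administer the box, and `$IPT -A INPUT -i "$UPLINK" -p udp --dport 1194 -j ACCEPT` if the OpenVPN server installed earlier on this page is meant to stay reachable from the Internet. The audit function is the detection side: run it after the VPN has been restarted, or from cron, to catch a rule set that drifted back to ACCEPT.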