RaspberryPi/OpenVPN: Difference between revisions
From charlesreid1
Revision as of 02:40, 2 December 2019
OpenVPN plus PIA
Preparing the Pi
Fixing iptables legacy
On the Kali Linux Pi image I used, I had to fix iptables to use a legacy NAT mode:

    $ sudo update-alternatives --config iptables
    There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

      Selection    Path                       Priority   Status
    ------------------------------------------------------------
      0            /usr/sbin/iptables-nft      20        auto mode
    * 1            /usr/sbin/iptables-legacy   10        manual mode
      2            /usr/sbin/iptables-nft      20        manual mode

Initially, 0 was selected. Select the one called iptables-legacy.
OpenVPN
https://docs.pi-hole.net/guides/vpn/installation/
Installing OpenVPN
    wget https://git.io/vpn -O openvpn-install.sh
    chmod 755 openvpn-install.sh
    sudo ./openvpn-install.sh

The installer will ask which interface the OpenVPN server should bind to. Select the public-facing one (the interface connected to the internet).
I used the default port 1194, defaults for everything else.
Grab a coffee, this will install a bunch of stuff.
Checking OpenVPN Interface
OpenVPN will create a tun0 interface. Get its IP address:
    ifconfig tun0 | grep 'inet'
Now take note of this IP address, as we will need to set a DNS option for our OpenVPN connection.
Use Pi VPN Gateway as DNS Server
The next step will tell anyone on the VPN network we just created to use the Pi as the DNS server.
Procedure covered on this page: Kali/OpenVPN/DNS
PIA
https://www.novaspirit.com/2017/06/22/raspberry-pi-vpn-router-w-pia/
Forwarding from OpenVPN to Access Point
https://www.novaspirit.com/2017/06/22/raspberry-pi-vpn-router-w-pia/
The following assumes that you have the following configuration:
wlan0 --> Internet
tun0 (OpenVPN) --> Internet via wlan0
WiFi Network --> wlan1 (Wifi AP) --> Internet via tun0
Run these commands to wire up wlan1 to tun0:
    # Loopback traffic
    sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
    sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
    # Accept traffic from AP clients; let the Pi send into the tunnel
    sudo iptables -I INPUT -i wlan1 -m comment --comment "In from LAN" -j ACCEPT
    sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
    # The Pi's own OpenVPN, NTP and DNS traffic leaves on the uplink, which is wlan0 in the layout above
    sudo iptables -A OUTPUT -o wlan0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
    sudo iptables -A OUTPUT -o wlan0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
    sudo iptables -A OUTPUT -p udp --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
    sudo iptables -A OUTPUT -o wlan0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
    # Forward AP clients into the tunnel, allow only replies back, and NAT on the tunnel
    sudo iptables -A FORWARD -i tun+ -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -i wlan1 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
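Once the rules are loaded, the forwarding path can be checked from an iptables-save dump. The script below is an added example, not part of the original page: it confirms that wlan1 is forwarded only into tun+, that the return path is limited to RELATED,ESTABLISHED, and that MASQUERADE is set on the tunnel. The names audit_gateway and SAMPLE_RULES are hypothetical, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. audit_gateway is a hypothetical
# helper; on the Pi it would be fed with: sudo iptables-save | audit_gateway
audit_gateway() {   # $1 = LAN/AP interface, $2 = VPN interface pattern
    awk -v lan="${1:-wlan1}" -v vpn="${2:-tun+}" '
    # has(s): option string s occurs on the rule line, ending at a word boundary
    function has(s) { return index($0 " ", s " ") > 0 }
    function report(ok, msg,   tag) { tag = ok ? "PASS " : "FAIL "; print tag msg; if (!ok) fails++ }
    /^\*/ { table = substr($0, 2); next }             # "*filter", "*nat", ...
    table == "filter" && $1 == ":FORWARD" { policy = $2 }
    table == "filter" && $0 == "-A FORWARD -j DROP" { policy = "DROP" }
    table == "nat" && has("-A POSTROUTING") && has("-o " vpn) && has("-j MASQUERADE") { nat = 1 }
    table == "filter" && has("-A FORWARD") && has("-j ACCEPT") {
        if (has("-i " lan) && has("-o " vpn)) out = 1
        else if (has("-i " vpn) && has("-o " lan)) {
            # the return path should admit replies only
            if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/) back = 1; else unfiltered = 1
        }
        else if (has("-i " lan)) leak = 1   # LAN accepted toward a non-VPN exit
    }
    END {
        report(nat, "nat: MASQUERADE on " vpn)
        report(out, "FORWARD " lan " -> " vpn " accepted")
        report(back && !unfiltered, "FORWARD " vpn " -> " lan " limited to ESTABLISHED replies")
        report(!leak, "no FORWARD ACCEPT from " lan " to a non-VPN interface")
        if (policy != "DROP")
            print "WARN FORWARD policy " policy ": filter table does not confine " lan " to " vpn
        exit (fails > 0)
    }'
}

# Constructed sample: the FORWARD and nat rules from this page as iptables-save
# would print them, with the default ACCEPT policies left in place.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun+ -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan1 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | audit_gateway wlan1 'tun+' || echo "gateway rules need attention"
```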