From charlesreid1

Revision as of 12:08, 24 November 2019 by Admin (talk | contribs) (→‎PIA)

OpenVPN plus PIA

Preparing the Pi

Fixing iptables

On the Kali Linux Pi image I used, I had to switch iptables to its legacy backend so that the NAT rules below behave as expected:

$ sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
------------------------------------------------------------
  0            /usr/sbin/iptables-nft      20        auto mode
* 1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode

Initially, 0 (auto mode, which resolves to iptables-nft) was selected. Select the iptables-legacy entry, 1 in the listing above.

OpenVPN

https://docs.pi-hole.net/guides/vpn/installation/

Installing OpenVPN

wget https://git.io/vpn -O openvpn-install.sh
chmod 755 openvpn-install.sh
sudo ./openvpn-install.sh

Since the script runs as root, read through openvpn-install.sh before executing it. It will ask which interface the OpenVPN server should listen on. Select the public-facing one (the Internet uplink, wlan0 in the topology used later on this page).

I used the default port 1194 and the defaults for everything else.

Grab a coffee; this installs a fair amount of software.

Checking OpenVPN Interface

OpenVPN creates a tun0 interface for the server. Get its IP address:

ifconfig tun0 | grep 'inet'

Take note of this address: the server will push it to its clients as their DNS server in the next step.

Edit /etc/openvpn/server/server.conf

Push the tun0 address to clients as their DNS server by adding the line

push "dhcp-option DNS <IP-ADDR-OF-TUN0-INTERFACE>"

For me,

push "dhcp-option DNS 10.8.0.1"

Also comment out any other push "dhcp-option DNS ..." lines, otherwise clients are handed those resolvers as well.

Now restart the OpenVPN server so it reads the new config (if the install script registered the server under a different unit name, restart that unit instead):

sudo systemctl restart openvpn

PIA

https://www.novaspirit.com/2017/06/22/raspberry-pi-vpn-router-w-pia/

Setup

wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip -d openvpn
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp 'openvpn/US New York.ovpn' /etc/openvpn/US.conf

Add to OpenVPN

Now put the PIA login credentials in /etc/openvpn/login, username on the first line and password on the second, and make the file readable only by root, since it holds the password in plaintext:

username123
password123

Now edit the config file to use these creds:

vim /etc/openvpn/US.conf

change the line with auth-user-pass in it, and the ca line, to use absolute paths (the service does not start from /etc/openvpn, so bare filenames will not be found). Do the same for the crl-verify line if the config has one, pointing it at the copied /etc/openvpn/crl.rsa.2048.pem:

auth-user-pass /etc/openvpn/login
ca /etc/openvpn/ca.rsa.2048.crt
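The two config edits on this page (pushing the tun0 address as DNS in server.conf, and pointing the PIA config at absolute credential and certificate paths) as a script, added here as an example and not code from the original page or from PIA. The functions take paths as arguments; the sample server.conf and .ovpn contents in demo() are constructed stand-ins for the real files, and the remote hostname in them is made up:

```shell
#!/bin/sh
# Added example, not code from the original page: the two config edits above
# (push the tun0 address as DNS in server.conf; point the PIA config at
# absolute credential and certificate paths) done non-interactively, plus a
# check that the result is usable from systemd. The sample configs in demo()
# are constructed stand-ins, not the real server.conf or PIA's .ovpn.
set -eu

# Comment out every existing push "dhcp-option DNS ..." line in an OpenVPN
# server config and append one that pushes DNS_IP (the tun0 address).
set_push_dns() {
  conf=$1; dns_ip=$2
  {
    sed 's/^push "dhcp-option DNS/#&/' "$conf"
    printf 'push "dhcp-option DNS %s"\n' "$dns_ip"
  } > "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

# Write the PIA username/password file readable by its owner only (root when
# run with sudo). The umask change is confined to a subshell.
write_login_file() {
  login=$1; user=$2; pass=$3
  ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$login" )
}

# Turn a PIA .ovpn into /etc/openvpn/NAME.conf: the openvpn@NAME unit does not
# start from /etc/openvpn, so every file the config references must be an
# absolute path. CERTDIR is where ca.rsa.2048.crt and crl.rsa.2048.pem were copied.
install_pia_conf() {
  ovpn=$1; dest=$2; login=$3; certdir=$4
  sed -e "s|^auth-user-pass.*|auth-user-pass $login|" \
      -e "s|^ca .*|ca $certdir/ca.rsa.2048.crt|" \
      -e "s|^crl-verify .*|crl-verify $certdir/crl.rsa.2048.pem|" \
      "$ovpn" > "$dest"
}

# Succeed only if no ca/crl-verify/auth-user-pass line still uses a relative
# path (or no path at all), the usual reason the service fails to start.
check_absolute_paths() {
  ! grep -Eq '^((ca|crl-verify|auth-user-pass) [^/]|auth-user-pass$)' "$1"
}

demo() {
  work=$(mktemp -d)
  # constructed stand-ins for server.conf and "US New York.ovpn"
  printf '%s\n' 'port 1194' 'push "dhcp-option DNS 8.8.8.8"' \
                'push "redirect-gateway def1"' > "$work/server.conf"
  printf '%s\n' 'client' 'remote vpn.example.invalid 1198' 'auth-user-pass' \
                'ca ca.rsa.2048.crt' 'crl-verify crl.rsa.2048.pem' > "$work/US New York.ovpn"

  set_push_dns "$work/server.conf" 10.8.0.1
  write_login_file "$work/login" username123 password123
  install_pia_conf "$work/US New York.ovpn" "$work/US.conf" "$work/login" "$work"

  cat "$work/server.conf" "$work/US.conf"
  ls -l "$work/login"                      # -rw------- after umask 077
  check_absolute_paths "$work/US.conf" && echo "US.conf: all file references absolute"
  rm -rf "$work"
}

demo
```

On the Pi the calls would be set_push_dns /etc/openvpn/server/server.conf 10.8.0.1, write_login_file /etc/openvpn/login USER PASS, and install_pia_conf 'openvpn/US New York.ovpn' /etc/openvpn/US.conf /etc/openvpn/login /etc/openvpn, all run with sudo.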

Test it out

Check that it runs interactively (creating the tun device needs root):

sudo openvpn --config /etc/openvpn/US.conf

Now enable it as a startup service; the openvpn@US instance reads /etc/openvpn/US.conf:

sudo systemctl enable openvpn@US

Enable packet forwarding

Edit /etc/sysctl.conf

Add/uncomment the line:

net.ipv4.ip_forward = 1

Apply it now without rebooting (the file is also read at boot):

sudo sysctl -p

Forwarding from OpenVPN to Access Point

The following assumes this configuration (wlan0 is the Internet uplink, wlan1 is the access point):

                 wlan0 --> Internet
                 tun0 (OpenVPN) --> Internet via wlan0
WiFi Network --> wlan1 (Wifi AP) --> Internet via tun0

Run these commands to wire up wlan1 to tun0. The tun+ wildcard matches both the server's and the PIA client's tun devices. The OUTPUT rules for UDP 1198 (the PIA tunnel), 123 and 53 are the Pi's own traffic needed to bring the tunnel up, so they leave on the uplink wlan0; they only take effect if the OUTPUT chain's default policy is set to DROP, which these commands do not do. The FORWARD chain likewise keeps its default ACCEPT policy, so nothing here stops LAN traffic from leaving via wlan0 while the tunnel is down.

sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -I INPUT -i wlan1 -m comment --comment "In from LAN" -j ACCEPT
sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
sudo iptables -A OUTPUT -o wlan0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o wlan0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o wlan0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan1 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE