Here’s how to configure an RPI so that it auto connects to a VPN on boot via PoE.  One could connect to it via WiFi and surf over the VPN, and no one will ever know.  EVAR!  This is for educational purposes only.  I’m not responsible for your actions.

Get a RPI 2 or 3, an SD card, and a PoE hat OR a PoE splitter.  The RPI 3 has built-in WiFi that works great for this.  If you have a 2b, you’ll need a WiFi adapter and the PoE splitter.  The hat only works with the 3.

https://www.pi-supply.com/product/raspberry-pi-3-model-b-newest-version/

https://www.pi-supply.com/product/8gb-micro-sd-samsung-pre-loaded-noobs-official-card-adapter/

https://www.pi-supply.com/product/pi-poe-switch-hat-power-over-ethernet-for-raspberry-pi/
OR
https://www.amazon.com/DSLRKIT-Active-Splitter-Ethernet-Raspberry/dp/B01H37XQP8/ref=sr_1_4?ie=UTF8&qid=1491077927

Load the SD card up with Raspbian Lite
https://www.raspberrypi.org/downloads/raspbian/

dd bs=4M if=whatever.img of=/dev/sdX

 

Hook everything up and plug it into a PoE port.  You’ll need a keyboard and monitor so you can mod /etc/network/interfaces and set eth0 to dhcp.  Also do a systemctl enable ssh.

Install packages:

sudo apt-get install dnsmasq hostapd openvpn

Configure dnsmasq:

sudo nano /etc/dnsmasq.conf

interface=wlan0
listen-address=10.32.1.1
bind-interfaces
server=4.2.2.2
domain-needed
bogus-priv
dhcp-range=10.32.1.10,10.32.1.100,12h

 

Configure the network:

sudo nano /etc/network/interfaces

iface eth0 inet dhcp

auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
    address 10.32.1.1
    netmask 255.255.255.0
    network 10.32.1.0
    broadcast 10.32.1.255

 

Configure forwarding:

sudo sh -c "echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf"

Enable forwarding for the running system:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Then bring up wifi:

sudo ifup wlan0

Enable NAT without the VPN:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Configure hostapd:

sudo nano /etc/hostapd/hostapd.conf

interface=wlan0
driver=nl80211
ssid=cacklinggoose
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
macaddr_acl=0
auth_algs=1
# hide it.  2 was the only option that worked for me.
ignore_broadcast_ssid=2
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=angrymike
rsn_pairwise=CCMP

 

Start and enable services:

sudo service hostapd start
sudo service dnsmasq start
sudo systemctl enable hostapd
sudo systemctl enable dnsmasq

 

Copy your openvpn profile to /root/vpn.ovpn

Create an executable script /root/start_vpn.sh.  This does the NATing after tunnel creation.

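#!/bin/sh
# Start the tunnel in the background, then give it time to bring up tun0.
openvpn --config /root/vpn.ovpn &
sleep 15
# NAT wlan0 clients out through the tunnel and let reply traffic back in.
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT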

 

Add these two items to /etc/rc.local

/root/start_vpn.sh

Power cycle it.

Connect and try it out.
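
To check the resulting firewall state, this added example (not part of the original post) parses iptables-save output and flags any path that lets wlan0 clients leave over eth0 instead of tun0, which is where their traffic goes if the tunnel drops. Both rule dumps are constructed samples, and audit_forwarding, page_ruleset and fail_closed_ruleset are names made up here.

```shell
# Reads `iptables-save` text on stdin and prints one finding per line.
# Returns 0 when wlan0 has no clear-net path, 1 otherwise.
audit_forwarding() {
    awk -v lan="${1:-wlan0}" -v wan="${2:-eth0}" '
        {   # pull -i / -o / -j out of every line (empty on non-rule lines)
            in_if = out_if = target = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
        }
        $1 == ":FORWARD" && $2 == "ACCEPT" { print "FORWARD policy is ACCEPT"; bad = 1 }
        $2 == "FORWARD" && in_if == lan && out_if == wan && target == "ACCEPT" {
            print "FORWARD allows " lan " -> " wan; bad = 1
        }
        $2 == "POSTROUTING" && out_if == wan && target == "MASQUERADE" { print "NAT masquerades out " wan; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed dump: every rule from the post loaded at once.
page_ruleset() { cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT
EOF
}

# Constructed dump: tunnel rules only, default-deny FORWARD.
fail_closed_ruleset() { cat <<'EOF'
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT
EOF
}

page_ruleset | audit_forwarding || true
```

On the Pi itself, feed it the live rules with sudo iptables-save | audit_forwarding.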

