Thursday, 16 January 2014

Raspberry Pi as a VPN Wireless Access Point

The following post explains how you can turn a Raspberry Pi (RPI) into a wireless router that connects to the Internet over a VPN. By plugging this into your existing wireless router, you give yourself a second wireless network, and any devices connected to this network will access the Internet over the VPN.

This is especially useful for:
  • Sharing a single VPN connection between several devices.
  • Using the VPN connection with devices that don't support VPN or proxy settings.

As an added bonus, the use of NAT and a couple of firewall rules provides a good level of security for any connected device.

I've found this setup works very nicely, and is fine even for streaming media.

Sources

These instructions draw heavily from the following extremely useful articles:


You'll Need

  • A Raspberry Pi with Raspbian installed.
  • A wireless USB adapter with a chipset that supports Access Point or Master mode. I used a Panda PAU03, and it worked perfectly and has a good signal. See the RPI Wireless Hotspot article for other options.
  • A wired Ethernet connection between the RPI and your router.
  • A VPN service you can connect to that supports tunneled connections and OpenVPN. It's entirely possible you could get this to work with a tap VPN connection, but I can only vouch for the tunneled variety. OpenVPN support is a must: watch out as not all providers support it.

Instructions

The following instructions assume a basic knowledge of Linux, the command prompt, and the ability to edit files with an editor such as Vi or Nano.

I've reconstructed these from my command-line history and the above articles, but haven't done a clean run-through; I think they should work. Please let me know if you find any mistakes.

Basic Security

You're going to be connecting your RPI to the rest of the Internet via a VPN, which means it won't enjoy the protection of your router's firewall: the VPN tunnel will punch right through and expose your RPI to any machine on the Internet. We'll lock down the VPN connection later on, but before you start, make sure you've changed the default user password using the passwd command.

Initial Setup

Before you start, your RPI will need to be connected to your router via the Ethernet port and able to access the Internet, and your wireless USB adapter will need to be plugged in.

Install Software

Install the access point server (hostapd), DHCP server (udhcpd), OpenVPN and DNS proxy server (bind9):
sudo apt-get install hostapd udhcpd bind9 openvpn

Configure and Secure the VPN

Your VPN service provider should provide an OpenVPN configuration file you can use to connect to their VPN server. Copy this file into /etc/openvpn (which is owned by root, hence the sudo), and rename it openvpn.conf:
sudo cp <your config file> /etc/openvpn/openvpn.conf
Start the OpenVPN service:
sudo service openvpn start
You can check the connection is open with:
ifconfig
You should see a network interface listed called tun0, assuming your VPN provider uses a tunnel (rather than a tap) interface.

You can test the VPN tunnel using the following command:
curl --interface tun0 freegeoip.net/json/
This uses an IP geolocation service to look up the geographic details of the IP address your tunnel connection is using (you might need to give the connection a few seconds to come up). The IP address and other details should be different if you stop the VPN service:
sudo service openvpn stop
curl freegeoip.net/json/
You now need to lock down that VPN tunnel using iptables. The following changes will prevent any unsolicited connections from other machines on the Internet, and make your Pi much less visible on the network:
sudo iptables -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i tun0 -j DROP
Now save the iptables rules:
sudo sh -c "iptables-save > /etc/iptables.nat.vpn.secure"
To ensure the rules are re-applied at reboot, edit the file /etc/network/interfaces and add the following line at the end of the file:
up iptables-restore < /etc/iptables.nat.vpn.secure
Before we go any further, restart the VPN connection:
sudo service openvpn restart

Configure Wireless Network and Access Point

Now we have a VPN, we can set up our wireless network and access point.
First, check your wireless adapter is working:
ifconfig
You should see an interface listed called wlan0.

Edit the file /etc/udhcpd.conf as follows:
start 192.168.0.2
end 192.168.0.254
interface wlan0
remaining yes
opt dns 192.168.0.1
option subnet 255.255.255.0
opt router 192.168.0.1
option lease 864000 # 10 days
This will give your new wireless network the IP range 192.168.0.1 - 192.168.0.254, and assign the address 192.168.0.1 to the wireless connection of your RPI. You might need to change the IP addresses if they clash with your existing network (check using ifconfig and looking for the IP address of the eth0 interface). The above configuration also tells any connected devices to use the RPI for their DNS server: we'll get to that later.
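Here is an added example of my own (not part of the original post) that turns that clash check into a script: it pulls the address and netmask out of an ifconfig "inet addr:" line and reports whether the wireless subnet you intend to hand out would overlap the wired one. The two ifconfig lines in it are constructed samples; on the Pi you would pass in the real eth0 line. The second sample shows the case that is easy to miss: a router that uses a /16 (netmask 255.255.0.0) covers all of 192.168.x.x, so 192.168.0.x clashes with it even though the router's own address is 192.168.1.x.

```shell
#!/bin/sh
# Added example, not from the original post: does the subnet udhcpd will hand
# out on wlan0 overlap the subnet the RPI already has on eth0?
# The ifconfig lines below are constructed samples in the format Raspbian's
# ifconfig printed at the time; nothing here touches a real interface.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap ADDR1 MASK1 ADDR2 MASK2 -> prints yes or no.
# Two subnets overlap exactly when they agree on the common (shorter) prefix,
# so mask both addresses with the less specific of the two masks and compare.
subnets_overlap() {
    m1=$(ip_to_int "$2")
    m2=$(ip_to_int "$4")
    # the numerically smaller mask is the less specific one (/16 < /24)
    if [ "$m1" -lt "$m2" ]; then common=$m1; else common=$m2; fi
    if [ $(( $(ip_to_int "$1") & common )) -eq $(( $(ip_to_int "$3") & common )) ]; then
        echo yes
    else
        echo no
    fi
}

# Pull the address and netmask out of an ifconfig "inet addr:" line.
addr_from_ifconfig() { printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'; }
mask_from_ifconfig() { printf '%s\n' "$1" | sed -n 's/.*Mask:\([0-9.]*\).*/\1/p'; }

# check_clash "IFCONFIG_LINE" WLAN_NET WLAN_MASK -> yes if the wireless range
# would collide with the wired one, no otherwise.
check_clash() {
    subnets_overlap "$(addr_from_ifconfig "$1")" "$(mask_from_ifconfig "$1")" "$2" "$3"
}

# Constructed samples: a router on 192.168.1.0/24 (no clash with the post's
# 192.168.0.0/24) and one on 192.168.0.0/16 (which swallows 192.168.0.x).
ETH0_SLASH24='          inet addr:192.168.1.137  Bcast:192.168.1.255  Mask:255.255.255.0'
ETH0_SLASH16='          inet addr:192.168.1.137  Bcast:192.168.255.255  Mask:255.255.0.0'

echo "eth0 /24 vs wlan0 192.168.0.0/24 clash: $(check_clash "$ETH0_SLASH24" 192.168.0.0 255.255.255.0)"
echo "eth0 /16 vs wlan0 192.168.0.0/24 clash: $(check_clash "$ETH0_SLASH16" 192.168.0.0 255.255.255.0)"
```

On the Pi itself the call would be check_clash "$(ifconfig eth0 | grep 'inet addr')" 192.168.0.0 255.255.255.0, with the last two arguments matching the start address and subnet you put in /etc/udhcpd.conf. If it prints yes, pick a different private range for the wireless network.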

Edit the file /etc/default/udhcpd and un-comment the following line by removing the # from the front:
#DHCPD_ENABLED="yes"
becomes:
DHCPD_ENABLED="yes"

Set your Pi's IP address:
sudo ifconfig wlan0 192.168.0.1
and to keep the change at reboot, edit the file /etc/network/interfaces and replace the line:
iface wlan0 inet dhcp
with:
iface wlan0 inet static
  address 192.168.0.1
  netmask 255.255.255.0

Note those are tabs in front of the indented lines.

In the same file, comment out the following lines by adding a hash at the start:
allow-hotplug wlan0
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet manual
becomes:
#allow-hotplug wlan0
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet manual

Now configure your wireless connection by editing the file /etc/hostapd/hostapd.conf as follows (you'll need to create it if it doesn't exist already):
interface=wlan0
driver=nl80211
ssid=YOUR_SSID
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=YOUR_PASSWORD
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
Change YOUR_SSID and YOUR_PASSWORD to the network name and password respectively for your new wireless network. It's also worth checking the channel your existing router is using and making sure this one doesn't clash.
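Before starting hostapd it is worth checking the file for the two placeholders and for a passphrase WPA-PSK will actually accept (8 to 63 characters). The following is an added example script of my own, not from the original post or from the hostapd project: it reads a hostapd.conf path and reports anything that would stop a WPA2 access point from coming up as intended. The sample file it writes to a temporary path is constructed for the demonstration, and the SSID and passphrase in it are my own placeholder values.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a hostapd.conf
# before starting the access point. Works on a file path; the sample config
# written below is constructed for the demonstration.

# cfg_get FILE KEY -> value of KEY (last assignment wins, as hostapd reads it).
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# lint_hostapd FILE -> prints one line per problem; exit status is the problem count.
lint_hostapd() {
    f=$1
    problems=0
    ssid=$(cfg_get "$f" ssid)
    pass=$(cfg_get "$f" wpa_passphrase)
    # The placeholders from the post must have been replaced.
    if [ -z "$ssid" ] || [ "$ssid" = YOUR_SSID ]; then
        echo "ssid: missing or still the YOUR_SSID placeholder"; problems=$((problems + 1))
    fi
    if [ -z "$pass" ] || [ "$pass" = YOUR_PASSWORD ]; then
        echo "wpa_passphrase: missing or still the YOUR_PASSWORD placeholder"; problems=$((problems + 1))
    # hostapd (and WPA-PSK itself) requires 8 to 63 ASCII characters.
    elif [ ${#pass} -lt 8 ] || [ ${#pass} -gt 63 ]; then
        echo "wpa_passphrase: length ${#pass} is outside the 8..63 characters WPA-PSK allows"; problems=$((problems + 1))
    fi
    # wpa=2 selects WPA2 only, so rsn_pairwise (not wpa_pairwise) is the cipher in force.
    [ "$(cfg_get "$f" wpa)" = 2 ] || { echo "wpa: expected 2 (WPA2 only)"; problems=$((problems + 1)); }
    [ "$(cfg_get "$f" wpa_key_mgmt)" = WPA-PSK ] || { echo "wpa_key_mgmt: expected WPA-PSK"; problems=$((problems + 1)); }
    [ "$(cfg_get "$f" rsn_pairwise)" = CCMP ] || { echo "rsn_pairwise: expected CCMP (AES)"; problems=$((problems + 1)); }
    return $problems
}

# Constructed sample that mirrors the post's settings with filled-in values.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
interface=wlan0
driver=nl80211
ssid=pi-vpn-ap
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=example-passphrase-2014
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF

if lint_hostapd "$SAMPLE"; then
    echo "$SAMPLE: hostapd.conf looks sane"
fi
rm -f "$SAMPLE"
```

On the Pi you would run lint_hostapd /etc/hostapd/hostapd.conf (as root, since the file holds the passphrase in clear text) and fix anything it lists before sudo service hostapd start.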

Now edit the file /etc/default/hostapd and change the line:
#DAEMON_CONF=""
to:
DAEMON_CONF="/etc/hostapd/hostapd.conf"

Now start up the wireless network:
sudo service hostapd start
sudo service udhcpd start
and make sure the services start at reboot:
sudo update-rc.d hostapd enable
sudo update-rc.d udhcpd enable

Configure DNS

Now we'll set up a local caching DNS server on the RPI which will be used by the connected devices.

Edit the file /etc/bind/named.conf.options and add a forwarders section as follows:
forwarders {
8.8.8.8;
8.8.4.4;
};
The above IP addresses will use Google's public DNS servers, but obviously you can choose an alternative if you prefer. Just don't try to use the DNS of your existing router, which won't be accessible over the VPN.

Now restart the DNS server:
sudo service bind9 restart
and make sure it starts again at reboot:
sudo update-rc.d bind9 enable

Set Up NAT for the VPN Connection

Finally, we just need to set up NAT for the VPN connection, which will allow us to share the connection with any connected devices.

Enable IP forwarding in the kernel, which NAT depends on:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
To set this at reboot, edit the file /etc/sysctl.conf and add the following line at the end:
net.ipv4.ip_forward=1
Now set up NAT for the VPN connection:
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
and to save this change so it's re-applied at reboot (this overwrites the file saved earlier, which is fine: iptables-save writes out every rule currently loaded, including the INPUT rules from before):
sudo sh -c "iptables-save > /etc/iptables.nat.vpn.secure"

Interestingly the RPI Wireless Hotspot article I based a lot of this on suggested adding a couple of other iptables rules to link the wireless and wired network adapters, but I found they weren't necessary. If you find the above alone isn't working, try the following:
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
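Since the INPUT rules from "Configure and Secure the VPN", the MASQUERADE rule above and the ip_forward setting all have to be present at the same time for the setup to work, here is an added example script of my own (not from the original post) that checks all three from the text iptables-save prints. It also looks at the FORWARD chain's policy, which is why the two FORWARD rules just above are optional: with the default ACCEPT policy nothing blocks forwarding, while a DROP policy needs them. The iptables-save texts in the script are constructed samples; on the Pi you would feed it "$(sudo iptables-save)" and /proc/sys/net/ipv4/ip_forward.

```shell
#!/bin/sh
# Added example, not from the original post: verify, from the text that
# iptables-save prints, that the VPN lockdown and NAT rules from this post are
# present and in a usable order, and that forwarding is switched on.
# The iptables-save texts below are constructed samples.

# rule_line SAVE_TEXT TABLE RULE -> line number of RULE inside "*TABLE", or nothing.
rule_line() {
    printf '%s\n' "$1" | awk -v table="*$2" -v rule="$3" '
        $0 == table    { in_table = 1; next }
        $0 == "COMMIT" { in_table = 0 }
        in_table && $0 == rule { print NR; exit }'
}

# forward_policy SAVE_TEXT -> policy of the filter table's FORWARD chain (ACCEPT/DROP).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# check_vpn_firewall SAVE_TEXT -> one line per problem; exit status 0 when all is well.
check_vpn_firewall() {
    accept=$(rule_line "$1" filter '-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
    drop=$(rule_line "$1" filter '-A INPUT -i tun0 -j DROP')
    masq=$(rule_line "$1" nat '-A POSTROUTING -o tun0 -j MASQUERADE')
    status=0
    [ -n "$accept" ] || { echo "missing: INPUT accept for RELATED,ESTABLISHED on tun0"; status=1; }
    [ -n "$drop" ]   || { echo "missing: INPUT drop for everything else on tun0"; status=1; }
    # iptables evaluates rules top to bottom: if DROP comes first, replies to the
    # RPI's own outbound traffic over the tunnel are discarded and the VPN is unusable.
    if [ -n "$accept" ] && [ -n "$drop" ] && [ "$drop" -lt "$accept" ]; then
        echo "order: the tun0 DROP rule precedes the RELATED,ESTABLISHED ACCEPT rule"; status=1
    fi
    [ -n "$masq" ] || { echo "missing: POSTROUTING MASQUERADE on tun0 (clients cannot share the VPN)"; status=1; }
    # With a DROP policy on FORWARD, the post's optional wlan0<->tun0 rules become mandatory.
    if [ "$(forward_policy "$1")" != ACCEPT ]; then
        fwd_in=$(rule_line "$1" filter '-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT')
        fwd_out=$(rule_line "$1" filter '-A FORWARD -i wlan0 -o tun0 -j ACCEPT')
        if [ -z "$fwd_in" ] || [ -z "$fwd_out" ]; then
            echo "forward: FORWARD policy is not ACCEPT and the wlan0<->tun0 FORWARD rules are absent"; status=1
        fi
    fi
    return $status
}

# check_ip_forward FILE -> true when the kernel forwards IPv4 (FILE is normally
# /proc/sys/net/ipv4/ip_forward; taking a path keeps this testable offline).
check_ip_forward() {
    [ "$(cat "$1")" = 1 ]
}

# Constructed sample of a correct rule set, in iptables-save's own layout.
GOOD=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP
COMMIT
EOF
)

# Constructed sample of a broken one: DROP before ACCEPT, no NAT rule, and a
# FORWARD policy of DROP without the rules that would let wlan0 traffic through.
BAD=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i tun0 -j DROP
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
)

if check_vpn_firewall "$GOOD"; then echo "GOOD: rules present and ordered correctly"; fi
check_vpn_firewall "$BAD" || echo "BAD: see the problems listed above"
```

On the Pi: check_vpn_firewall "$(sudo iptables-save)" followed by check_ip_forward /proc/sys/net/ipv4/ip_forward. Note that the rule text is matched exactly as iptables-save prints it, so a rule added with slightly different options (for example -m state instead of -m conntrack for the INPUT rule) will be reported as missing even though it does the same job.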

Testing

OK, you're done. To test the setup, connect a device to the new wireless network using the password you configured. Now open a browser and navigate to the IP geolocation service we used to test the VPN connection earlier (freegeoip.net/json/).

With any luck you should see the same details you saw when you accessed the service over the VPN on the command line. To make absolutely sure things have gone well, try changing back to your other wireless network and refreshing the page: you should see the details change.

Now if you're feeling really confident you can reboot your RPI and check everything comes back up OK. :)

94 comments:

Nick P said...

In your hostapd.conf you specify a driver for the wifi single. In other Pi wifi router projects a different one is used, e.g. driver=rt1871xdrv. When I did one of the projects the driver line caused it to fail but commenting out the driver line led to success and I'm not sure I understand why. My question is how can I identify what to put in the driver line?

alphaloop said...

Hi, sorry for the very slow response.

Essentially this comes down to the wireless adapter you're using. Different adapters have different chipsets that support different drivers. The driver I use (nl80211), is the user-space counterpart to cfg80211, which some adapters support.

You can look up the driver for your adapter and whether it supports access point mode and / or cfg80211 here: http://wireless.kernel.org/en/users/Drivers

Bryce V said...

My openvpn provider gives me some .crt and .key files along with a sample config.

Where do i put the files? just in the same place as the openvpn.conf file?

Yatsehitter said...

Hi Alphaloop,

Can you please advise a VPN provider that supports this setup? I've tried multiple providers, including PrivateInternetAccess and StrongVPN and none support it. Seems like an excellent guide but can't even start OpenVPN as don't have a config containing my username and password - both of these providers refused to help.

Thanks!

Yatsehitter said...

Never mind, managed to get it working saving a login.conf file containing my username and password for PIA.
Now just waiting for my new USB adapter and hopefully it will be up and running.
Just out of curiosity, I currently am able to SSH, WOL, Sabnzbd and torrents remotely via the internet for my NAS. Where will I add the port forwarding rules on the Pi? Is it part of the ip tables?

Thanks

alphaloop said...

Bryce V: Yes, they generally go in the same directory as the config file (/etc/openvpn). To make sure, take a look in the config file and you should see some lines that look like this:

cert client.crt
key client.key

If the lines appear as above with no path in front of the certificate filenames, then OpenVPN will look for the certificate files in the same directory as the config file.

alphaloop said...

Yatsehitter: Glad you had some success. Just FYI, StrongVPN do support OpenVPN: take a look at this page: http://www.strongvpn.com/compare.shtml.

Good question regarding port forwarding. If you're looking to run services like bittorrent over your VPN then you will need to add iptables rules to allow this, as the rules I listed will block all incoming connections. It's not something I've tried myself, but the following post looks promising: http://www.cyberciti.biz/tips/linux-iptables-open-bittorrent-tcp-ports-6881-to-6889.html.

Hope that helps.

sanju83 said...

Great work. It worked!!

On to my problem: as I said it worked, but only once. I'm stuck on obtaining an IP address and authenticating. Where did I go wrong? Everything else seems to work: the PIA connection at boot along with the services booting up. The Pi browser also works fine and routes all data through PIA.

alphaloop said...

sanju83: When you say it worked once, do you mean you could connect a device to the new wireless network and connect to the Internet over the VPN? If so, did you reboot the Pi after it was working?

At any rate, this sounds like a problem with the configuration for the wireless access point. Check the steps in the section "Configure Wireless Network and Access Point", and make sure you've covered all of them.

It might also be worth trying to connect to the Pi's wireless network with several devices to see if you get the same problem.

Hope that helps.

Nick P said...

Its me again. See first comment.

I have eventually found the driver for my WiFi dongle.

It turns out it is already built into Raspbian (rt2870) and so I don't need to specify it apparently!

But if you have a moment can I ask, were it to be one not included in the distribution, such as your rt1871xdrv, where would one put it in the file system so that the line 'driver=rt1871xdrv' in hostapd.conf would find it?

Nick P said...

Sorry.

Please substitute nl80211 for rl1871xdrv in my last comment. I wasn't thinking.

alphaloop said...

Nick P: Drivers are installed in the system as modules. To be honest this is a little outside my expertise, but the following page might be useful: https://wiki.debian.org/WiFi

mons said...

Dear Nick!

Thank you very much for your wonderful tutorial, this helped me a lot... VPN works, hostapd, udhcpd.. but when I try to connect any device to the wifi that I have created no one seems to be able to connect.... easily... after a while the laptop has connected but it has an IP that was not able to connect to the internet... an IP such as 169...

Could you give me a hint to understand what is happening?

Kind regards,

Montse

alphaloop said...

Hi Montse,

The first thing I'd do is go over the instructions in the Configure Wireless Network and Access Point section and check that your settings match. I actually just spotted an error in the text: the line in /etc/default/udhcpd should read DHCPD_ENABLED="yes". I've updated the text in the post.

Does the IP address your laptop got assigned fall within the range you entered in /etc/udhcpd.conf? It should be between range set by the start and end lines in the file. If it doesn't then you're not connected to your Pi's wireless network. If it does then you're fine; the fact that it's a local IP range is fine as the Pi will perform network address translation to the VPN's IP address.

Hope that helps.

mons said...

Hi Alphaloop,

Thanks for your advice. I have all the settings exactly the way you report, my eth0 device is:

inet addr:192.168.1.137 Bcast:192.168.255.255 Mask:255.255.0.0

So, I understand that the settings you propose should not have conflicts. However, when I try to connect a device, instead of getting assigned an IP in the range I got this:

ip: 169.254.196.95
mask: 255.255.0.0

Have you got any other tip of what I am doing wrong?

Kind regards,

Montse

James Clark said...

Hello! Thanks for the amazing tut! I am having one issue, though. No net connection on connected devices. Everything starts at boot no problem. Devices get auto IP and can access ssh/vnc. Pi itself has net connection through ovpn and ifconfig shows all is well. Just no routing. Halp?! Thanks, again! :-)

Jobe lawn said...

Hi. Thank you a LOT for the instructions, but I'd like to ask you to extend this to use e.g. Synology's OpenVPN connection. Actually this means only that tun0 when started gets an IP from Synology's OpenVPN server and this needs to be propagated directly to the WiFi access point in the RPi. So the DHCP server inside the RPi should be a "relay/pass-through". I managed to get the VPN part to work, Synology shows the connection but from there forwards I have failed. I know how to produce a WiFi access point out of the RPi. Please give some advice on how to make the DHCP relay and NAT the iptables… realjobe2000@yahoo.com

Alexander Michel said...

Hej mons.
I had the same problem. In my case udhcpd wanted to write to a file called "udhcpd.leases" which did not exist. I forget the path, however you can check the log file of your Raspbian OS. I created the file and everything just works fine. I hope this helps.

alphaloop said...

Apologies to Gavin Robertson: I was clearing out some spam comments and accidentally deleted your very helpful comment pointing out the typo. It's now fixed, thanks for the feedback and glad it all worked for you.

alphaloop said...

Montse - apologies for the slow response. Hopefully Alexander's comment is helpful to you.

alphaloop said...

James - the first things to check here would be that NAT is definitely enabled for iptables, and that the NAT rule is present and correct in your iptables config.

To check NAT is enabled, enter:
sudo cat /proc/sys/net/ipv4/ip_forward

This should return 1, not 0.

To check the NAT rule is present, enter:
iptables-save

This will list all the current iptables rules. Amongst the rules you should see something like:
*nat
-A POSTROUTING -o tun0 -j MASQUERADE

If you get different results for either of these, go through the "Set Up NAT for the VPN Connection" section again and make sure you've followed all the steps. Hope that helps.

alphaloop said...

Jobe - Thanks for the question. I don't think you want to relay the DHCP from your VPN provider to clients of the access point: this would defeat the whole purpose of using NAT to allow you to share the connection between multiple devices.

Most providers will allocate an IP address to the VPN interface on your side via DHCP when you make a connection; that's quite normal - mine does the same thing. It sounds like your problem is with the NAT setup, which bridges the gap between the access point and VPN interfaces.

Take a look at my reply to James above and see if that helps at all.

Roger Martin said...

I've tried it on an old eeepc701 (Debian wheezy & NetworkManager). To use a usb wifi dongle as my interface wlan1 I had to add the line

allow-hotplug wlan1

before the iface wlan1... in /etc/network/interfaces.

Also, to avoid losing iptables after each reboot I followed instructions in https://wiki.debian.org/iptables and added /etc/network/if-pre-up.d/iptables.

Thanks a lot for your post!

Peter Cutting said...

If my router is handing out 192.168.0.X, then should the RPI be 1) on the same network or 2) on something else eg 192.168.1.X. I suspect 1) but could you elaborate on how to avoid IP clashes

alphaloop said...

Peter - Your RPI will be connected to your router's network and will also be hosting a second network of its own using the wireless adapter - it will therefore be on two networks (three if you count the VPN, which runs over your router's network) and will act as a bridge between them. As such the IP address ranges for your router's network and the wireless network hosted by your RPI need to be different, but your RPI will have an IP address on the router's network as well as running its own network.

In short, this means that when you set the IP range in the /etc/udhcpd.conf file, you should make sure it's not the same as your router's, but it should be a valid local IP address range (see http://en.wikipedia.org/wiki/Reserved_IP_addresses). My router uses 192.168.1.x, so I used the alternative local IP range 192.168.0.x.

Hope that all makes sense.

alphaloop said...

Roger - glad to hear you were successful, thanks for posting the tips.

Daniel Martins said...

Hello, what do I have to change if I want to connect RPI to internet over WIFI to establish a VPN, and all clients over ethernet (switch connected to Rpi) should use the VPN. Is that possible? How?
Could you post such a version?
Thanks!

alphaloop said...

Daniel - This is an interesting idea. Firstly you'd need to connect your RPI to your router's wifi network - this page would be a good place to start: http://www.raspberrypi.org/documentation/configuration/wireless/

Doing it this way round you could ignore all the hostapd configuration, as you wouldn't need the RPI to act as a wireless access point. If your switch is a layer 3 switch with its own DHCP server, then you could also skip the udhcpd configuration, as the switch will allocate IP addresses to the connected devices and your RPI will just act as a gateway to the VPN. If the switch is a layer 2 switch then you'd still need udhcpd, but you'd set the interface to eth0 instead of wlan0 in the configuration.

I've never used OpenVPN over a wireless connection before, but I assume it's much the same as over a wired connection. You can almost certainly just use the same configuration as you would if your RPI was connected to your router using its Ethernet interface.

The NAT configuration for the VPN tunnel should also be the same, but you will still need it in order to share the VPN connection between the multiple devices connected via the switch.

Hope that all makes sense - let us know how you get on.

rathel said...

Good guide, I haven't put it to use yet. I was wondering if it's possible for a device not to pass through the VPN. I plan on getting a USB-Ethernet thing for my little server I don't want it to pass through the VPN, would that be possible?

alphaloop said...

rathel - If you don't want any of the traffic passing through the VPN, then you can just follow the instructions in one of the source articles I based this on: http://elinux.org/RPI-Wireless-Hotspot

Hope that helps.

Martin Willis said...

I have followed the instructions, but I'm getting no internet connection on the connected devices :-( PLEASE PLEASE HELP

alphaloop said...

Martin - has your VPN connection started OK, and are you able to access the Internet over it from the RPI command line? Try running:
$ sudo service openvpn status

It should tell you the service is running: if not you need to check the configuration for the VPN.

You can also try:
$ curl google.com

You should see a short HTML file with the title "301 Moved".

If the service is running and you can access the Internet from the RPI using curl above, then the VPN connection is working, but connections from your devices aren't being routed through the VPN. In this case check the iptables rules.

It's also worth checking the setting you entered for the bind9 DNS proxy.

Hope that helps.

Martin Willis said...

How would I check the iptables etc., that OpenVPN is working and all is fine on the Pi?

Denis Salmon said...

Hi,

I've got the same problem as Martin Willis.

the tun0 connection doesn't show up in my ifconfig, instead I get the following:

sudo ifconfig
eth0 Link encap:Ethernet HWaddr b8:27:eb:f4:d5:34
inet addr:192.168.1.105 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4101 errors:0 dropped:0 overruns:0 frame:0
TX packets:2623 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:276769 (270.2 KiB) TX bytes:334820 (326.9 KiB)

lo Link encap:Local Loopback
inet addr:1XX.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1738 (1.6 KiB) TX bytes:1738 (1.6 KiB)

mon.wlan0 Link encap:UNSPEC HWaddr CC-E1-D5-17-6E-90-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2939 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:655067 (639.7 KiB) TX bytes:0 (0.0 B)

wlan0 Link encap:Ethernet HWaddr cc:e1:d5:17:6e:90
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:103 errors:0 dropped:58 overruns:0 frame:0
TX packets:92 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:35236 (34.4 KiB) TX bytes:36266 (35.4 KiB)

alphaloop said...

Martin - To check your iptables rules, run the following command:

$ sudo iptables-save

You should see something like this:

# Generated by iptables-save v1.4.14 on Wed May 27 21:32:45 2015
*nat
:PREROUTING ACCEPT [273687:20933282]
:INPUT ACCEPT [55081:5719097]
:OUTPUT ACCEPT [30081:2231715]
:POSTROUTING ACCEPT [776:86335]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Wed May 27 21:32:45 2015
# Generated by iptables-save v1.4.14 on Wed May 27 21:32:45 2015
*filter
:INPUT ACCEPT [15952747:21689614178]
:FORWARD ACCEPT [23626234:20894722600]
:OUTPUT ACCEPT [8341558:1173975588]
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP
COMMIT
# Completed on Wed May 27 21:32:45 2015

alphaloop said...

Denis - It looks like there's a problem with your OpenVPN configuration.

Check that you have a valid openvpn.conf file in /etc/openvpn and then run:

$ sudo service openvpn restart

You should see something like:
[ ok ] Stopping virtual private network daemon: openvpn.
[ ok ] Starting virtual private network daemon: openvpn.

If you've checked the config file and the service still isn't starting up, you'll need to check the OpenVPN log messages in the system log to find out what's wrong. To do this, run:

$ sudo less /var/log/syslog

Press Ctrl-G to go to the end of the file and scroll up, keeping an eye out for lines that contain 'ovpn-openvpn'. There should be something in there that indicates what the problem might be.

Martin Willis said...
This comment has been removed by the author.
Hingle Mcringleberry said...

Great tutorial! I'm having one issue with bind9 however. I get the error as follows when I restart bind9:

Stopping domain name service...: bind9rndc: connect failed: 127.0.0.1#953: connection refused
Starting domain name service...: bind9 failed!

I was attempting several other tutorials so I may have guffed something up, but I'm not super savvy with DNS.

any ideas?

Nick Parsons said...

I have been using this and other tutorials for a while. My DHCP server kept failing to start at bootup and so while the wifi network appeared it would not dish out an IP address to anything that tried to connect to it. It seemed that for some reason wlan0 was not getting its IP address set at boot. Anyway I fixed it by putting a couple of lines in /etc/rc.local, the first to give wlan0 a fixed IP address and the second to start the DHCP server. It worked...

It was suggested in one place I looked that it appears as if the order in which Raspbian starts services at boot may have changed, causing a chicken-and-egg problem with the DHCP server and the setting of the wlan0 fixed IP address. I don't know how to change the order services start at boot but my workaround seems to do the job.

I am actually using a different dhcp server and a different subnet than in this tutorial so posting details may just cause confusion but if what I have said helps even one then my job is done.

decent said...

hi alphaloop,

Need your help here. I got the same problem as Denis where my OpenVPN doesn't show tun0 using ifconfig. I've looked up /var/log/syslog and can't find any "ovpn/openvpn/ovpn-openvpn" in the log.
BTW, I'm using my own OpenVPN server that I've set up using my VPS. For Windows, I use this tutorial and it runs perfectly w/o any problem. How do I troubleshoot this problem?
Please help..
link: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04

alphaloop said...

Hingle - Check your bind9 configuration file /etc/bind/named.conf.options . You should have added a forwarders section to tell bind9 where to go for its DNS information. It looks like it's currently trying to connect to localhost.

alphaloop said...

Nick - Thanks for the comment, that looks very useful.

alphaloop said...

decent - If you need more detailed information from OpenVPN, first try running it as a command, rather than as a service. First make sure the service is stopped:

$ sudo service openvpn stop

Then run openvpn, pointing it to your configuration file:

$ sudo openvpn /etc/openvpn/openvpn.conf

This will print a whole bunch of additional information to the terminal, and will hopefully give you some indication of what's wrong.

alphaloop said...

decent - Also, check your openvpn configuration to make sure you're set up to use a tunnel connection, rather than a tap. If you're using a tap, you won't see the tun0 network interface, even when openvpn is running.

Pedro Ramirez said...
This comment has been removed by the author.
KrasBlogger said...

Hi!

Thanks for the tutorial!

I got a CA.crt and lots of .ovpn files from my VPN provider, one for each location. Do you have an idea how to set up the RasPi to easily switch between locations?

Cheers,
Ben

rajesh said...

Hi Thanks for the awesome tutorial. I was able to get the VPN to work.

Now my setting is

Main router -> rPi -> VPN

as rPi is hosting a second network, I am not able to discover devices connected to rPi from devices connected to Main router.

Is it possible to have both the rPi and Mainrouter on same subnet?

for example, my main router has ips 192.168.7.100 to 150, can I configure rPi to have address 192.168.7.20-192.168.7.30 instead of 192.168.0.X?

thanks!

Mattia Quatraro said...

I couldn't connect to my Rpi's wifi. My smartphone found the wifi, I entered the password, but it didn't acquire an IP. So as Mark said I edited /etc/rc.local to start wlan0 with a static IP. With this mod my smartphone connected to the Rpi, but it didn't go to the Web. One problem solved, but a newer problem came. I edited /etc/udhcpd.conf as follows:
start 192.168.0.100
end 192.168.0.254
interface wlan0
remaining yes
opt dns 8.8.8.8 8.8.0.0
option subnet 255.255.255.0
opt router 192.168.0.1
option lease 864000 # 10 days
And in this way I went online

simpty! said...

Hello, I tried your tutorial on a fresh new Raspbian installation on my Pi2, but I'm already facing problems at the beginning:
When I type in this command curl --interface tun0 freegeoip.net/json/, after I started the OpenVPN daemon, nothing happens.
And curl --interface eth0 freegeoip.net/json/ gives me an error: can't connect. It only works when I stop the daemon.
Surprisingly I can surf the web with the webbrowser over the VPN connection. Later I was facing another problem:

pi@raspberrypi ~ $ sudo service hostapd start
[FAIL] Starting advanced IEEE 802.11 management: hostapd failed!

I don't know what this means..

alphaloop said...

KrasBlogger - I would put all those files in /etc/openvpn and then symlink the .ovpn file you want to use at any given point:

$ sudo ln -s location1.ovpn openvpn.conf

You'll need to restart the OpenVPN service each time you change to symlink to point to a different .ovpn file.

$ sudo service openvpn restart

alphaloop said...

rajesh - I've not tried this. I think technically it should be possible, but it will probably involve setting up some additional routing rules in iptables. Essentially you'd be running two network interfaces (your wireless adapter and the Ethernet port) with the same subnet. You would need to make sure that each one had a unique IP address within that subnet. Good luck!

alphaloop said...

Mattia - Thanks for that, glad it worked out for you.

alphaloop said...

simpty! - Try curl without specifying an interface:

$ curl freegeoip.net/json/

If your openvpn service is running, it should default to the tun0 or equivalent connection.

Regarding your hostapd error, check the syslog for lines that refer to hostapd

$ sudo cat /var/log/syslog | grep hostapd

There should be an error message in the log that gives you a clue to what's wrong.

simpty! said...
This comment has been removed by the author.
simpty said...

Hey alphaloop,
thank you for your answer. I did the whole process again, renamed and copied the .ovpn file and started the daemon. Ifconfig shows me this:

tun0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:10.4.35.97 P-z-P:10.4.35.97 Maske:255.255.0.0
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1500 Metrik:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:1496 (1.4 KiB) TX bytes:1226 (1.1 KiB)

When I execute $ curl freegeoip.net/json/, nothing happens. When I type curl --interface eth0 freegeoip.net/json/, it tells me: curl: (7) couldn't connect to host

alphaloop said...

simpty - The ifconfig output for tun0 looks good. Try running curl with verbose output:

$ curl -v freegeoip.net/json/

Sean Boyd said...

Hey alphaloop,

first of all I'd like to thank you for this great tutorial.
Everything worked for me until I had to reboot my pi. Since then I'm not able to connect my smartphone to the access point. My laptop can connect to the access point but does not get an internet connection (DNS_probe_finished_no_internet). When I use 'curl freegeoip.net/json/' I get a positive reply for a working vpn connection. Furthermore 'sudo iptables-save' also delivers the right things.

Any ideas how to fix my problem?

Thank you in advance.

Ryan said...

Hello Alphaloop,

Thanks for this tutorial. I bought a second hand Raspberry Pi and will try to make it work. I have 0 experience with Linux though, so it might take me some effort.

I am having some trouble finding a free vpn that supplies an openvpn configuration file you need to make this work. Any chance you could make this work with websites like this: http://bit.ly/1Jbxq2Z. I use these websites on windows and all I have to do is enable vpn and fill in login name and password and off I go. Maybe I can do this with the raspberry PI as well and just share the VPN connection I made?

Thanks for your input.

Sahil Thakur said...

Hi,

my devices are not able to obtain an IP address. Could you help me out with this?

Thnx

Carlos Palacios said...

I have a Raspberry Pi VPN server (PPTP) in Spain and another Raspberry Pi in Germany; this one will be the one I will convert into a "VPN Wireless Access Point". Is this possible with a PPTP VPN?

Sturmpilzchen said...

Thank you so much for this great tutorial!! I struggled so long till I finally managed it with your help! When I connected to the Wifi with my laptop, I did as well not receive an IP. And the hint from the comments worked for me:

touch /var/lib/misc/udhcpd.leases
chmod +rw /var/lib/misc/udhcpd.leases

(since I don't know what ownership is required, I just gave read and write permissions. Hope that's not a safety issue)
Now I have Internet and can connect! Thanks again!!

I have one safety issue: how can I block all internet connections not going through the vpn? If I turn openvpn off, it just connects over the regular ip. Will that be the case as well when the vpn is down for some reason? I prefer no internet to an unsecured one!

Peter Steter said...

Thanks for this great tutorial. I'm about to get my Pi and will definitely try it out. I still have two doubts though and would be happy if you could comment:
(1) By your method, what happens if the vpn connection breaks down, e.g. because of a timeout? Does traffic then "leak" through the normal connection, or did you implement a mechanism that ensures that only traffic through the tunnel is happening?

(2) What about DNS leakages, or is this a server side issue from the VPN provider?

Thx in advance!

Unknown said...

Hey alphaloop, thanks for sharing this and all the wonderful help you have provided to all of the folks in the comments. I just got a second Rpi and a second router and I plan on going all mad scientist on my home network this weekend. I'm thinking of giving this whole VPN thing a try and I'm positive I'll be able to figure it out using your tutorial, your source material, and all the help you've supplied in the comments. Again, thank you for freely sharing your knowledge with those of us who are still learning.

AP said...

Hi Alphaloop

Awesome tutorial there! Would it be possible to build this with wifi at both ends? I mean, the raspi connects to a local unsecured wifi network and puts out its own VPN secured wifi. I travel very frequently and such a device would be a boon! Thanx. AP

alphaloop said...

Sean - Sorry for the very slow response. Check to see if the tunnel interface (tun0) is shown when you run 'ifconfig'.

alphaloop said...

Ryan - Whatever VPN service you use would need to support VPN client software that will run on Linux, and which exposes a virtual network interface you can route data to using iptables. OpenVPN is by far the simplest option for this. I used strongvpn.com for a long time and they were very good.

alphaloop said...

Sahil - check the config in your /etc/udhcpd.conf file in the first instance.

alphaloop said...

Carlos - Yes, there are PPTP clients for Raspbian. Take a look here: https://devtidbits.com/2013/02/19/using-a-point-to-point-tunnelling-protocol-virtual-private-network-pptp-vpn-client-on-a-raspberry-pi/

alphaloop said...

Sturmpilzchen - Good question! I've not tried this, but it might be possible to block all outgoing traffic on the eth0 interface without blocking the tun0 VPN interface. Try adding the iptables rule:

iptables -A OUTPUT -o eth0 -j DROP

You might also need:

iptables -A FORWARD -o eth0 -j DROP

but it's possible this will also block traffic being output over the VPN.

alphaloop said...

Sturmpilzchen - come to think of it, this isn't necessary: the NAT forwarding rules specify the tun0 interface, so if it's down no traffic will get routed.

alphaloop said...

Peter - As per comment above, if the tun0 interface is down (i.e. the VPN is down), no packets should be forwarded from the wireless interface (wlan0). However, it's possible the processes on the Pi itself will still make internet connections over the eth0 interface in that situation.

Regarding the DNS leakage, the DNS requests will be satisfied by the bind9 service on the Pi, which I set up to use Google's DNS servers in the instructions. I've checked that DNS requests from bind9 are made via the VPN connection when the VPN connection is running, but I've not checked that no DNS requests are ever made over the open eth0 connection, either when the VPN is down or otherwise. If this is something you want to ensure, you will want to look at adding some more iptables rules to block DNS over eth0.

alphaloop said...

Unknown - You're welcome! Hope it went well.

alphaloop said...

AP - Interesting idea! I'd be surprised if that wasn't possible. The simplest way would be to have two wifi adapters, but it might be possible to configure a single adapter to be both an access point and to connect to another wireless network. At any rate one of the (either physical or virtual) adapters would need to be configured to connect to the local non-secure wireless network.

I think most of the instructions in the post should still apply if your internet connection is over a wireless connection rather than the ethernet port. It would be interesting to know if you're able to get this working.

Sturmpilzchen said...

It works for me. Only thing to watch out for: somehow the adapters switch the identifier (wlan0 / wlan1). Don't ask me why. I worked around this problem by using two with the same driver :-/ But then it works fine for me.

Will Potage said...

Well, thank you for a great tutorial. This works perfectly for me on a Raspberry 3. My Chromecast connects to the new vpn wifi network and I can watch Netflix US ;-)
The only thing I had to adjust is that I connect to the VPN with this command: openvpn --config $name_of_config_file, and leave that terminal window open.

Samoht - Ein UNS entsteht said...

Hi, great HowTo.

I've got the same problem as Martin: "no internet connection". I read the comments, but for this problem there is no solution mentioned. The last comment was deleted by the author :-(

Can you help me?

alphaloop said...

Samoht - If you can connect to the wireless network being broadcast by the Pi but can't access the Internet, there are two likely causes: either the VPN connection isn't working or the iptables rules to route traffic from the wireless network to the VPN connection aren't set up correctly.

To test that the VPN connection is working correctly, log into the Pi and type:

$ sudo ifconfig

You should see a device listed called tun0. If you don't, enter the following command:

$ sudo service openvpn start

To check this is working and that you can access the Internet from the Pi, enter this command:

$ curl freegeoip.net/json/

You should see some output.

If this is all working okay there's likely an issue with your iptables setup. To check the configuration, enter the following command:

$ sudo iptables-save

Among the output you should see the following line:

-A POSTROUTING -o tun0 -j MASQUERADE

If you don't see this line, run the following command:

$ sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

You should also check that NAT is enabled on your Pi. To do this type:

$ cat /proc/sys/net/ipv4/ip_forward

This should return "1". If it doesn't, enter the following command:

$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Hope that helps.
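The checks in the reply above (is tun0 up, is ip_forward set to 1, is the tun0 MASQUERADE rule saved) and the "what if the VPN goes down" question raised earlier by Sturmpilzchen and Peter can be turned into a small script. The following is an added example, not code from the post or from any of the commenters. It assumes the interface names used throughout the post (tun0 for the VPN, wlan0 for the access point, eth0 for the wired uplink) and the FORWARD rules DeatK quoted. The rule texts it inspects are constructed samples in the shape that iptables-save prints, so the checks can be exercised without root; run it with --live on the Pi to inspect the real system.

```shell
#!/bin/sh
# Added example: offline diagnosis of the "connected to the Pi's wifi but no
# Internet" symptom, plus a check for traffic that could bypass the VPN.
# Interface names (tun0, wlan0, eth0) follow the post; all rule text below
# is constructed sample data in iptables-save format, not captured output.

# Constructed sample: the rules the post sets up, NAT via tun0 only.
GOOD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT'

# Constructed sample: same rules, but the FORWARD chain defaults to DROP so
# nothing from wlan0 can ever be forwarded out of eth0 if tun0 disappears.
HARDENED_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT'

# Constructed sample: the saved rules file came back empty after a reboot.
EMPTY_RULES=''

# has_masquerade RULES: succeeds if wlan0 traffic will be NATed out of tun0.
has_masquerade() {
    printf '%s\n' "$1" | grep -qF -e '-A POSTROUTING -o tun0 -j MASQUERADE'
}

# has_forward_rules RULES: succeeds if both directions wlan0 <-> tun0 are allowed.
has_forward_rules() {
    printf '%s\n' "$1" | grep -qF -e '-A FORWARD -i wlan0 -o tun0 -j ACCEPT' &&
    printf '%s\n' "$1" | grep -qF -e '-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT'
}

# leaks_around_vpn RULES: succeeds (true) when wlan0 -> eth0 forwarding is
# neither dropped explicitly nor blocked by a DROP policy on FORWARD. With
# an ACCEPT policy, a route change while tun0 is down could send wifi
# clients straight out of eth0.
leaks_around_vpn() {
    if printf '%s\n' "$1" | grep -qE -e '^:FORWARD DROP'; then return 1; fi
    if printf '%s\n' "$1" | grep -qE -e '^-A FORWARD -i wlan0 -o eth0 -j (DROP|REJECT)'; then return 1; fi
    return 0
}

# diagnose RULES IP_FORWARD TUN0_UP: prints one line per finding; the exit
# status is the number of hard failures (leak warnings are not counted).
diagnose() {
    rules=$1; ip_forward=$2; tun0_up=$3; problems=0
    if [ "$tun0_up" != yes ]; then
        echo "FAIL tun0 is not up: sudo service openvpn start"; problems=$((problems + 1))
    fi
    if [ "$ip_forward" != 1 ]; then
        echo "FAIL ip_forward=$ip_forward: sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'"; problems=$((problems + 1))
    fi
    if ! has_masquerade "$rules"; then
        echo "FAIL no MASQUERADE on tun0: sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE"; problems=$((problems + 1))
    fi
    if ! has_forward_rules "$rules"; then
        echo "FAIL wlan0<->tun0 FORWARD rules missing"; problems=$((problems + 1))
    fi
    if leaks_around_vpn "$rules"; then
        echo "WARN FORWARD policy is ACCEPT and wlan0->eth0 is not dropped: wifi clients could bypass the VPN"
    fi
    [ "$problems" -eq 0 ] && echo "OK routing looks complete"
    return "$problems"
}

# live_check: gather the same three inputs from the running Pi (needs sudo).
live_check() {
    rules=$(sudo iptables-save 2>/dev/null)
    fwd=$(cat /proc/sys/net/ipv4/ip_forward)
    if ip link show tun0 >/dev/null 2>&1; then up=yes; else up=no; fi
    diagnose "$rules" "$fwd" "$up"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "== constructed sample: post's rules =="; diagnose "$GOOD_RULES" 1 yes || true
    echo "== constructed sample: hardened rules =="; diagnose "$HARDENED_RULES" 1 yes || true
    echo "== constructed sample: rules lost after reboot =="; diagnose "$EMPTY_RULES" 0 no || true
fi
```

The hardened sample answers the leak question conservatively: with the FORWARD policy set to DROP, the only forwarding that can ever happen is what the two explicit wlan0/tun0 rules allow, so a missing tun0 means wifi clients get nothing rather than an unencrypted path. It does not cover the Pi's own processes or bind9 talking over eth0; as the reply above says, that needs separate OUTPUT rules.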

iransafe vpn said...

Thank you

Buy VPN

DeatK said...

But... if I already have my router doing the DHCP, should I also enable DHCP on the Pi? Will it work?

alphaloop said...

DeatK - Yes, you should enable DHCP on the Pi as well. Your router will be providing one local network, while the Pi will be providing a second local network that routes data via the VPN: you need DHCP to allocate IP addresses to devices on both networks. If you connect a device to the Pi's local network, it will be allocated an IP address by the Pi; if you connect a device to the router's local network, it will be allocated an IP address by the router.

Hope that makes sense.

DeatK said...
This comment has been removed by the author.
DeatK said...
This comment has been removed by the author.
DeatK said...
This comment has been removed by the author.
DeatK said...

I am going crazy about this...
I can see the SSID from the other devices, I enter the password but then I am not connected...

DeatK said...

Adding the two lines
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

I am able to connect to the Pi, but now I get an error that there is no internet connection!!!

But I could test before that the VPN was working perfectly.

DeatK said...

The command iptables-save is not showing anything, but I am pretty sure I followed all the instructions...

But after a while I opened the file /etc/iptables.nat.vpn.secure and it is empty.
I am sure it was not empty before!!!!

scrumpy111 said...

I am also having problems after booting. The wlan0 IP is 169.254.63.144, not 192.168.0.1, and sudo iptables-save does not show anything. Should the settings be saved another way in Raspbian Jessie?

scrumpy111 said...

I have the solution to my problem and it was as simple as removing the hash from "#allow-hotplug wlan0" in /etc/network/interfaces to leave "allow-hotplug wlan0"

DeatK said...

For me it was not enough... I can still connect but there is no internet connection.

DeatK said...

I have tried connecting from a Windows PC to the new WLAN.
If I perform an ipconfig I see

ip address = 169.254.187.105
subnet mask = 255.255.0.0
and no gateway

So the DHCP is not working properly?

DeatK said...

I found out that udhcpd was not running
and I have found the solution: I had to disable the dhcpcd service from starting at reboot.

Now when I connect to the wifi I have the right IP address on the client, but still I have no connection... >_<

Evil said...

Hi, thanks for the tutorial.
Is it possible to get the VPN provided DNS servers before the Google ones?

alfred03white said...

I am impressed with these details. I also need to purchase a reliable VPN service for my Android phone but am not able to find a good service. But I am now thinking of making a list of the best VPN services and software and using their trial versions before buying.

Albert Stone said...

Really very interesting and very valuable information about the VPN. Nice work.

anonymous vpn