This is especially useful for:
- Sharing a single VPN connection between several devices.
- Using the VPN connection with devices that don't support VPN or proxy settings.
As an added bonus, the use of NAT and a couple of firewall rules provides a good level of security for any connected device.
I've found this setup works very nicely, and is fine even for streaming media.
Sources
These instructions draw heavily from the following extremely useful articles:
- RPI Wireless Hotspot
- IPTables HowTo
- 10 iptables rules to help secure your Linux box
- Setting up a DNS for the local network on the Ubuntu 12.04 (Precise Pangolin) server
You'll Need
- A Raspberry Pi with Raspbian installed.
- A wireless USB adapter with a chipset that supports Access Point or Master mode. I used a Panda PAU03, and it worked perfectly and has a good signal. See the RPI Wireless Hotspot article for other options.
- A wired Ethernet connection between the RPI and your router.
- A VPN service you can connect to that supports tunneled connections and OpenVPN. It's entirely possible you could get this to work with a tap VPN connection, but I can only vouch for the tunneled variety. OpenVPN support is a must: watch out as not all providers support it.
Instructions
The following instructions assume a basic knowledge of Linux, the command prompt, and the ability to edit files with an editor such as Vi or Nano.
I've reconstructed these from my command-line history and the above articles, and haven't done a clean run-through, but I think they should work. Please let me know if you find any mistakes.
Basic Security
You're going to be connecting your RPI to the rest of the Internet via a VPN, which means it won't enjoy the protection of your router's firewall: the VPN tunnel will punch right through and expose your RPI to any machine on the Internet. We'll lock down the VPN connection later on, but before you start, make sure you've changed the default user password using the passwd command.
Initial Setup
Before you start, your RPI will need to be connected to your router via the Ethernet port and able to access the Internet, and your wireless USB adapter will need to be plugged in.
Install Software
Install the access point server (hostapd), DHCP server (udhcpd), OpenVPN and DNS proxy server (bind9):
sudo apt-get install hostapd udhcpd bind9 openvpn
Configure and Secure the VPN
Your VPN service provider should provide an OpenVPN configuration file you can use to connect to their VPN server. Copy this file into /etc/openvpn (the directory is owned by root, hence the sudo), and rename it openvpn.conf:
sudo cp <your config file> /etc/openvpn/openvpn.conf
Start the OpenVPN service:
sudo service openvpn start
You can check the connection is open with:
ifconfig
You should see a network interface listed called tun0, assuming your VPN provider uses a tunnel (rather than a tap) interface.
You can test the VPN tunnel using the following command:
curl --interface tun0 freegeoip.net/json/
This uses an IP geolocation service to look up the geographic details of the IP address your tunnel connection is using (you might need to give the connection a few seconds to come up). The IP address and other details should be different if you stop the VPN service:
sudo service openvpn stop
curl freegeoip.net/json/
You now need to lock down that VPN tunnel using iptables. The following changes will prevent any unsolicited connections from other machines on the Internet, and make your Pi much less visible on the network:
sudo iptables -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i tun0 -j DROP
The first rule lets replies to connections the Pi opened itself come back in over the tunnel; the second drops everything else that arrives on tun0.
Now save the iptables rules:
sudo sh -c "iptables-save > /etc/iptables.nat.vpn.secure"
To ensure the rules are re-applied at reboot, edit the file /etc/network/interfaces and add the following line at the end of the file (an up line is an option of the iface stanza it follows, so keep it after the last iface block and indent it with a tab like that stanza's other lines):
	up iptables-restore < /etc/iptables.nat.vpn.secure
Before we go any further, restart the VPN connection:
sudo service openvpn restart
Configure Wireless Network and Access Point
Now we have a VPN, we can set up our wireless network and access point.
First, check your wireless adapter is working:
ifconfig
You should see an interface listed called wlan0.
Edit the file /etc/udhcpd.conf as follows:
start 192.168.0.2
end 192.168.0.254
interface wlan0
remaining yes
opt dns 192.168.0.1
option subnet 255.255.255.0
opt router 192.168.0.1
option lease 864000 # 10 days
This will give your new wireless network the IP range 192.168.0.1 - 192.168.0.254, and assign the address 192.168.0.1 to the wireless connection of your RPI. You might need to change the IP addresses if they clash with your existing network (check using ifconfig and looking for the IP address of the eth0 interface). The above configuration also tells any connected devices to use the RPI for their DNS server: we'll get to that later.
Edit the file /etc/default/udhcpd and un-comment the following line by removing the # from the front:
#DHCPD_ENABLED="yes"
becomes:
DHCPD_ENABLED="yes"
Set your Pi's IP address:
sudo ifconfig wlan0 192.168.0.1
and to keep the change at reboot, edit the file /etc/network/interfaces and replace the line:
iface wlan0 inet dhcp
with:
iface wlan0 inet static
	address 192.168.0.1
	netmask 255.255.255.0
Note those are tabs in front of the indented lines.
In the same file, comment out the following lines by adding a hash at the start:
allow-hotplug wlan0
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet manual
becomes:
#allow-hotplug wlan0
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet manual
Now configure your wireless connection by editing the file /etc/hostapd/hostapd.conf as follows (you'll need to create it if it doesn't exist already):
interface=wlan0
driver=nl80211
ssid=YOUR_SSID
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=YOUR_PASSWORD
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
Change YOUR_SSID and YOUR_PASSWORD to the network name and password respectively for your new wireless network. Since wpa=2 enables WPA2 only, clients will negotiate the CCMP (AES) cipher from rsn_pairwise; the wpa_pairwise=TKIP line only comes into play if you also enable WPA1. Pick a long passphrase, as with WPA-PSK that is what the network's security rests on. It's also worth checking the channel your existing router is using and making sure this one doesn't clash.
Now edit the file /etc/default/hostapd and change the line:
#DAEMON_CONF=""
to:
DAEMON_CONF="/etc/hostapd/hostapd.conf"
Now start up the wireless network:
sudo service hostapd start
sudo service udhcpd start
and make sure the services start at reboot:
sudo update-rc.d hostapd enable
sudo update-rc.d udhcpd enable
Configure DNS
Now we'll set up a local caching DNS server on the RPI which will be used by the connected devices.
Edit the file /etc/bind/named.conf.options and add a forwarders section as follows (it goes inside the existing options { ... } block):
forwarders {
	8.8.8.8;
	8.8.4.4;
};
The above IP addresses will use Google's public DNS servers, but obviously you can choose an alternative if you prefer. Just don't try to use the DNS of your existing router, which won't be accessible over the VPN.
Now restart the DNS server:
sudo service bind9 restart
and make sure it starts again at reboot:
sudo update-rc.d bind9 enable
Set Up NAT for the VPN Connection
Finally, we just need to set up NAT for the VPN connection, which will allow us to share the connection with any connected devices. Enable NAT:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
To set this at reboot, edit the file /etc/sysctl.conf and add the following line at the end:
net.ipv4.ip_forward=1
Now set up NAT for the VPN connection:
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
and to save this change so it's re-applied at reboot:
sudo sh -c "iptables-save > /etc/iptables.nat.vpn.secure"
Interestingly the RPI Wireless Hotspot article I based a lot of this on suggested adding a couple of other iptables rules to link the wireless and wired network adapters, but I found they weren't necessary. If you find the above alone isn't working, try the following:
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
If you add these, re-run the iptables-save command above so they are also restored at reboot.
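The rules from this section and the lock-down rules from "Configure and Secure the VPN", gathered into one iptables-restore file that can be reviewed before it is loaded. This is an added example, not code from the original post: it assumes the interface names tun0 and wlan0 and the post's file name /etc/iptables.nat.vpn.secure, and it deliberately sets the FORWARD chain policy to DROP (a hardening step the post does not take) so that client traffic is only ever forwarded between wlan0 and tun0 and cannot leave via eth0 while the VPN is down. With that policy the two FORWARD rules above are required rather than optional, which is why the script's self-check insists on them.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the complete
# iptables ruleset this guide builds up (INPUT lock-down on the VPN
# interface, the MASQUERADE rule, the FORWARD rules) as one
# iptables-restore file, so the whole policy can be reviewed before it is
# loaded with "iptables-restore < FILE", exactly as the post does at boot.
# Assumptions (mine): VPN interface tun0, access point interface wlan0 and
# the post's file name /etc/iptables.nat.vpn.secure. One deliberate change
# from the post: the FORWARD policy is DROP, so client traffic is only ever
# forwarded between wlan0 and tun0, never out of eth0, even with the VPN down.

VPN_IF="${VPN_IF:-tun0}"
AP_IF="${AP_IF:-wlan0}"
RULES_FILE="${RULES_FILE:-/etc/iptables.nat.vpn.secure}"

# Print the ruleset in iptables-restore format. The "[0:0]" fields are
# packet/byte counters and are reset when the file is loaded.
vpn_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $VPN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $VPN_IF -j DROP
-A FORWARD -i $VPN_IF -o $AP_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $AP_IF -o $VPN_IF -j ACCEPT
COMMIT
EOF
}

# Self-check a ruleset read from stdin before it goes near iptables-restore:
# every "*table" must be closed by COMMIT, the two rules the guide depends on
# must be present, and a DROP policy on FORWARD must come with an explicit
# accept for the client-to-VPN direction (otherwise the access point would be
# cut off entirely). Returns 0 when every check passes.
check_ruleset() {
    text=$(cat)
    tables=$(printf '%s\n' "$text" | grep -c '^\*' || true)
    commits=$(printf '%s\n' "$text" | grep -c '^COMMIT$' || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] || return 1
    printf '%s\n' "$text" | grep -q -- "^-A POSTROUTING -o $VPN_IF -j MASQUERADE$" || return 1
    printf '%s\n' "$text" | grep -q -- "^-A INPUT -i $VPN_IF -j DROP$" || return 1
    if printf '%s\n' "$text" | grep -q '^:FORWARD DROP'; then
        printf '%s\n' "$text" | grep -q -- "^-A FORWARD -i $AP_IF -o $VPN_IF -j ACCEPT$" || return 1
    fi
    return 0
}

# Write and load the rules only when asked explicitly (needs root):
#   sudo sh vpn-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    vpn_ruleset | check_ruleset || { echo "ruleset failed self-check, nothing applied" >&2; exit 1; }
    vpn_ruleset > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
    echo "rules written to $RULES_FILE and loaded"
fi
```

Running the script with no argument just defines the functions, so "sh vpn-rules.sh; vpn_ruleset" is a safe way to look at what would be loaded; the "up iptables-restore" line added to /etc/network/interfaces earlier restores the same file at boot.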
Testing
OK, you're done. To test the setup, connect a device to the new wireless network using the password you configured. Now open a browser and navigate to the IP geolocation service we used to test the VPN connection earlier (freegeoip.net/json/):
With any luck you should see the same details you saw when you accessed the service over the VPN on the command line. To make absolutely sure things have gone well, try changing back to your other wireless network and refreshing the page: you should see the details change.
Now if you're feeling really confident you can reboot your RPI and check everything comes back up OK. :)
99 comments:
In your hostapd.conf you specify a driver for the wifi single. In other Pi wifi router projects a different one is used, e.g. driver=rt1871xdrv. When I did one of the projects the driver line caused it to fail but commenting out the driver line led to success and I'm not sure I understand why. My question is how can I identify what to put in the driver line?
Hi, sorry for the very slow response.
Essentially this comes down to the wireless adapter you're using. Different adapters have different chipsets that support different drivers. The driver I use (nl80211), is the user-space counterpart to cfg80211, which some adapters support.
You can look up the driver for your adapter and whether it supports access point mode and / or cfg80211 here: http://wireless.kernel.org/en/users/Drivers
My openvpn provider gives me some .crt and .key files along with a sample config.
Where do i put the files? just in the same place as the openvpn.conf file?
Hi Alphaloop,
Can you please advise a VPN provider that supports this setup? I've tried multiple providers, including PrivateInternetAccess and StrongVPN and none support it. Seems like an excellent guide but can't even start OpenVPN as don't have a config containing my username and password - both of these providers refused to help.
Thanks!
Never mind, managed to get it working saving a login.conf file containing my username and password for PIA.
Now just waiting for my new USB adapter and hopefully it will be up and running.
Just out of curiosity, I currently am able to SSH, WOL, Sabnzbd and torrents remotely via the internet for my NAS. Where will I add the port forwarding rules on the Pi? Is it part of the ip tables?
Thanks
Bryce V: Yes, they generally go in the same directory as the config file (/etc/openvpn). To make sure, take a look in the config file and you should see some lines that look like this:
cert client.crt
key client.key
If the lines appear as above with no path in front of the certificate filenames, then OpenVPN will look for the certificate files in the same directory as the config file.
Yatsehitter: Glad you had some success. Just FYI, StrongVPN do support OpenVPN: take a look at this page: http://www.strongvpn.com/compare.shtml.
Good question regarding port forwarding. If you're looking to run services like bittorrent over your VPN then you will need to add iptables rules to allow this, as the rules I listed will block all incoming connections. It's not something I've tried myself, but the following post looks promising: http://www.cyberciti.biz/tips/linux-iptables-open-bittorrent-tcp-ports-6881-to-6889.html.
Hope that helps.
great work. it worked!!
On to my problem: as I said it worked, but only once. I'm stuck on obtaining IP address and authenticating. Where did I go wrong? Everything else seems to work: the PIA connection at boot along with the services booting up. The Pi browser also works fine and routes all data through PIA.
sanju83: When you say it worked once, do you mean you could connect a device to the new wireless network and connect to the Internet over the VPN? If so, did you reboot the Pi after it was working?
At any rate, this sounds like a problem with the configuration for the wireless access point. Check the steps in the section "Configure Wireless Network and Access Point", and make sure you've covered all of them.
It might also be worth trying to connect to the Pi's wireless network with several devices to see if you get the same problem.
Hope that helps.
Its me again. See first comment.
I have eventually found the driver for my WiFi dongle.
It turns out it is already built into Raspbian (rt2870) and so I don't need to specify it apparently!
But if you have a moment can I ask, were it to be one not included in the distribution, such as your rt1871xdrv, where would one put it in the file system so that the line 'driver=rt1871xdrv' in hostapd.conf would find it?
Sorry.
Please substitute nl80211 for rl1871xdrv in my last comment. I wasn't thinking.
Nick P: Drivers are installed in the system as modules. To be honest this is a little outside my expertise, but the following page might be useful: https://wiki.debian.org/WiFi
Dear Nick!
Thank you very much for your wonderful tutorial, this helped me a lot... VPN works, hostapd, udhcpd.. but when I try to connect any device to the wifi that I have created no one seems to be able to connect.... easily... after a while the laptop has connected but it has an IP that was not able to connect to the internet... an IP such as 169...
Could you give me a hint to understand what is happening?
Kind regards,
Montse
Hi Montse,
The first thing I'd do is go over the instructions in the Configure Wireless Network and Access Point section and check that your settings match. I actually just spotted an error in the text: the line in /etc/default/udhcpd should read DHCPD_ENABLED="yes". I've updated the text in the post.
Does the IP address your laptop got assigned fall within the range you entered in /etc/udhcpd.conf? It should be between range set by the start and end lines in the file. If it doesn't then you're not connected to your Pi's wireless network. If it does then you're fine; the fact that it's a local IP range is fine as the Pi will perform network address translation to the VPN's IP address.
Hope that helps.
Hi Alphaloop,
Thanks for your advice. I have all the settings exactly the way you report, my eth0 device is:
inet addr:192.168.1.137 Bcast:192.168.255.255 Mask:255.255.0.0
So, I understand that the settings you propose should not have conflicts. However, when I try to connect a device, instead of getting assigned an IP in the range I got this:
ip: 169.254.196.95
mask: 255.255.0.0
Have you got any other tip of what I am doing wrong?
Kind regards,
Montse
Hello! Thanks for the amazing tut! I am having one issue, though. No net connection on connected devices. Everything starts at boot no problem. Devices get auto IP and can access ssh/vnc. Pi itself has net connection through ovpn and ifconfig shows all is well. Just no routing. Halp?! Thanks, again! :-)
Hi. Thank you a LOT for the instructions, but I'd like to ask you to extend this to use e.g. Synology's OpenVPN connection. Actually this means only that TUN0 when started gets an IP from Synology's OpenVPN server and this needs to be propagated directly to the wifi access point in the RPi. So the DHCP server inside the RPi should be a "relay/pass through". I managed to get the VPN part to work, Synology shows the connection, but from there forwards I have failed. I know how to produce a wifi access point out of the RPi. Please give some advice on how to make DHCP relay and NAT the iptables... realjobe2000@yahoo.com
Hej mons.
I had the same problem. In my case udhcpd wanted to write to a file called "udhcpd.leases" which did not exist. I forget the path, however you can check the log file of your Raspbian OS. I created the file and everything just works fine. I hope this helps.
Apologies to Gavin Robertson: I was clearing out some spam comments and accidentally deleted your very helpful comment pointing out the typo. It's now fixed, thanks for the feedback and glad it all worked for you.
Montse - apologies for the slow response. Hopefully Alexander's comment is helpful to you.
James - the first things to check here would be that NAT is definitely enabled for iptables, and that the NAT rule is present and correct in your iptables config.
To check NAT is enabled, enter:
sudo cat /proc/sys/net/ipv4/ip_forward
This should return 1, not 0.
To check the NAT rule is present, enter:
iptables-save
This will list all the current iptables rules. Amongst the rules you should see something like:
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
If you get different results for either of these, go through the "Set Up NAT for the VPN Connection" section again and make sure you've followed all the steps. Hope that helps.
Jobe - Thanks for the question. I don't think you want to relay the DHCP from your VPN provider to client of the access point: this would defeat the whole purpose of using NAT to allow you to share the connection between multiple devices.
Most providers will allocate an IP address to the VPN interface on your side via DHCP when you make a connection; that's quite normal - mine does the same thing. It sounds like your problem is with the NAT setup, which bridges the gap between the access point and VPN interfaces.
Take a look at my reply to James above and see if that helps at all.
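The three checks in this reply (VPN interface present, forwarding enabled, MASQUERADE rule loaded), as an added example that is not part of the post or its comments: a diagnostic script whose checks take the text they inspect as arguments, so they can be run against saved output (the constructed samples inside the script) as well as against the live system. It assumes the VPN interface is tun0 and, for the live run, that the data comes from "ip -o link", /proc/sys/net/ipv4/ip_forward and iptables-save.

```shell
#!/bin/sh
# Added example, not from the post or its comments: automates the checks in
# the reply above and names the guide section to revisit for each failure.
# Each check takes the text it inspects as an argument, so the logic can be
# exercised on saved output; the sample texts below are constructed for that.
# Assumptions (mine): the VPN interface is tun0 and live data comes from
# "ip -o link", /proc/sys/net/ipv4/ip_forward and "iptables-save".

VPN_IF="${VPN_IF:-tun0}"

# Constructed samples, in the shapes "ip -o link" and iptables-save print.
SAMPLE_LINKS="1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500"
SAMPLE_RULES="*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP
COMMIT"

# $1: interface listing ("ip -o link" or ifconfig output). True if tun0 is in it.
has_vpn_iface() {
    printf '%s\n' "$1" | grep -Eq "(^|[[:space:]])$VPN_IF([[:space:]:]|$)"
}

# $1: contents of /proc/sys/net/ipv4/ip_forward. True if it is exactly 1.
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# $1: iptables-save output. True if the MASQUERADE rule for tun0 is loaded.
has_nat_rule() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -o $VPN_IF -j MASQUERADE"
}

# Run all three checks on the given texts; the exit status is the number
# of checks that failed, so 0 means everything the reply asks for is in place.
run_checks() {
    failed=0
    if has_vpn_iface "$1"; then
        echo "ok   $VPN_IF is present"
    else
        echo "FAIL $VPN_IF missing: see 'Configure and Secure the VPN' (is openvpn running?)"
        failed=$((failed + 1))
    fi
    if forwarding_enabled "$2"; then
        echo "ok   ip_forward is 1"
    else
        echo "FAIL ip_forward is not 1: see 'Set Up NAT for the VPN Connection'"
        failed=$((failed + 1))
    fi
    if has_nat_rule "$3"; then
        echo "ok   MASQUERADE rule for $VPN_IF is loaded"
    else
        echo "FAIL no MASQUERADE rule for $VPN_IF: re-add it and re-run iptables-save"
        failed=$((failed + 1))
    fi
    return $failed
}

# "live" checks the running system (iptables-save needs root, so run with
# sudo); any other invocation runs the checks against the constructed samples.
if [ "${1:-}" = "live" ]; then
    run_checks "$(ip -o link)" "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)"
else
    run_checks "$SAMPLE_LINKS" "1" "$SAMPLE_RULES"
fi
```

On the Pi, "sudo sh vpn-check.sh live" prints one ok/FAIL line per check and exits non-zero when anything is missing, which makes it usable from a cron job or after a reboot to confirm the setup came back up.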
I've tried it on an old eeepc701 (Debian wheezy & NetworkManager). To use a usb wifi dongle as my interface wlan1 I had to add the line
allow-hotplug wlan1
before the iface wlan1... in /etc/network/interfaces.
Also, to avoid losing iptables after each reboot I followed instructions in https://wiki.debian.org/iptables and added /etc/network/if-pre-up.d/iptables.
Thanks a lot for your post!
If my router is handing out 192.168.0.X, then should the RPI be 1) on the same network or 2) on something else eg 192.168.1.X. I suspect 1) but could you elaborate on how to avoid IP clashes
Peter - Your RPI will be connected to your router's network and will also be hosting a second network of its own using the wireless adapter - it will therefore be on two networks (three if you count the VPN, which runs over your router's network) and will act as a bridge between them. As such the IP address ranges for your router's network and the wireless network hosted by your RPI need to be different, but your RPI will have an IP address on the router's network as well as running its own network.
In short, this means that when you set the IP range in the /etc/udhcpd.conf file, you should make sure it's not the same as your router's, but should be a valid local IP address range (see http://en.wikipedia.org/wiki/Reserved_IP_addresses). My router uses 192.168.1.x, so I used the alternative local IP range 192.168.0.x .
Hope that all makes sense.
Roger - glad to hear you were successful, thanks for posting the tips.
Hello, what do I have to change if I want to connect RPI to internet over WIFI to establish a VPN, and all clients over ethernet (switch connected to Rpi) should use the VPN. Is that possible? How?
Could you post such a version?
Thanks!
Daniel - This is an interesting idea. Firstly you'd need to connect your RPI to your router's wifi network - this page would be a good place to start: http://www.raspberrypi.org/documentation/configuration/wireless/
Doing it this way round you could ignore all the hostapd configuration, as you wouldn't need the RPI to act as a wireless access point. If your switch is a layer 3 switch with its own DHCP server, then you could also skip the udhcpd configuration, as the switch will allocate IP addresses to the connected devices and your RPI will just act as a gateway to the VPN. If the switch is a layer 2 switch then you'd still need udhcpd, but you'd set the interface to eth0 instead of wlan0 in the configuration.
I've never used OpenVPN over a wireless connection before, but I assume it's much the same as over a wired connection. You can almost certainly just use the same configuration as you would if your RPI was connected to your router using its ethernet interface.
The NAT configuration for the VPN tunnel should also be the same, but you will still need it in order to share the VPN connection between the multiple devices connected via the switch.
Hope that all makes sense - let us know how you get on.
Good guide, I haven't put it to use yet. I was wondering if it's possible for a device not to pass through the VPN. I plan on getting a USB-Ethernet thing for my little server I don't want it to pass through the VPN, would that be possible?
rathel - If you don't want any of the traffic passing through the VPN, then you can just follow the instructions in one of the source articles I based this on: http://elinux.org/RPI-Wireless-Hotspot
Hope that helps.
I have followed the instructions, but I'm getting no internet connection on the connected devices :-( PLEASE PLEASE HELP
Martin - has your VPN connection started OK, and are you able to access the Internet over it from the RPI command line? Try running:
$ sudo service openvpn status
It should tell you the service is running: if not you need to check the configuration for the VPN.
You can also try:
$ curl google.com
You should see a short HTML file with the title "301 Moved".
If the service is running and you can access the Internet from the RPI using curl above, then the VPN connection is working, but connections from your devices aren't being routed through the VPN. In this case check the iptables rules.
It's also worth checking the setting you entered for the bind9 DNS proxy.
Hope that helps.
How would i check the ip tables etc openvpn is working and all is fine on the PI
Hi,
I've got the same problem as Martin Willis.
the tun0 connection doesn't show up in my ifconfig, instead I get the following:
sudo ifconfig
eth0 Link encap:Ethernet HWaddr b8:27:eb:f4:d5:34
inet addr:192.168.1.105 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4101 errors:0 dropped:0 overruns:0 frame:0
TX packets:2623 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:276769 (270.2 KiB) TX bytes:334820 (326.9 KiB)
lo Link encap:Local Loopback
inet addr:1XX.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1738 (1.6 KiB) TX bytes:1738 (1.6 KiB)
mon.wlan0 Link encap:UNSPEC HWaddr CC-E1-D5-17-6E-90-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2939 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:655067 (639.7 KiB) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr cc:e1:d5:17:6e:90
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:103 errors:0 dropped:58 overruns:0 frame:0
TX packets:92 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:35236 (34.4 KiB) TX bytes:36266 (35.4 KiB)
Martin - To check your iptables rules, run the following command:
$ sudo iptables-save
You should see something like this:
# Generated by iptables-save v1.4.14 on Wed May 27 21:32:45 2015
*nat
:PREROUTING ACCEPT [273687:20933282]
:INPUT ACCEPT [55081:5719097]
:OUTPUT ACCEPT [30081:2231715]
:POSTROUTING ACCEPT [776:86335]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Wed May 27 21:32:45 2015
# Generated by iptables-save v1.4.14 on Wed May 27 21:32:45 2015
*filter
:INPUT ACCEPT [15952747:21689614178]
:FORWARD ACCEPT [23626234:20894722600]
:OUTPUT ACCEPT [8341558:1173975588]
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP
COMMIT
# Completed on Wed May 27 21:32:45 2015
Denis - It looks like there's a problem with your OpenVPN configuration.
Check that you have a valid openvpn.conf file in /etc/openvpn and then run:
$ sudo service openvpn restart
You should see something like:
[ ok ] Stopping virtual private network daemon: openvpn.
[ ok ] Starting virtual private network daemon: openvpn.
If you've checked the config file and the service still isn't starting up, you'll need to check the OpenVPN log messages in the system log to find out what's wrong. To do this, run:
$ sudo less /var/log/syslog
Press Ctrl-G to go to the end of the file and scroll up, keeping an eye out for lines that contain 'ovpn-openvpn'. There should be something in there that indicates what the problem might be.
Great tutorial! I'm having one issue with bind9 however. I get the error as follows when I restart bind9:
Stopping domain name service...: bind9rndc: connect failed: 127.0.0.1#953: connection refused
Starting domain name service...: bind9 failed!
I was attempting several other tutorials so I may have guffed something up, but I'm not super savvy with DNS.
any ideas?
I have been using this and other tutorials for a while. My DHCP server kept failing to start at bootup and so while the wifi network appeared it would not dish out an IP address to anything that tried to connect to it. It seemed that for some reason wlan0 was not getting its IP address set at boot. Anyway I fixed it by putting a couple of lines in /etc/rc.local, the first to give wlan0 a fixed IP address and the second to start the DHCP server. It worked...
It was suggested in one place I looked that it appears as if the order that Raspbian starts services at boot may have changed, causing a chicken and egg problem with the DHCP server and the setting of the wlan0 fixed IP address. I don't know how to change the order services start at boot but my workaround seems to do the job.
I am actually using a different dhcp server and a different subnet than in this tutorial so posting details may just cause confusion but if what I have said helps even one then my job is done.
hi alphaloop,
Need your help here. I got the same problem as Denis where my openvpn doesn't show tun0 using ifconfig. I've looked up /var/log/syslog and can't find any "ovpn/openvpn/ovpn-openvpn" in the log.
BTW, I'm using my own OpenVPN server that I've set up using my VPS. For Windows, I use this tutorial and it runs perfectly w/o any problem. How do I troubleshoot this problem?
Please help..
link: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04
Hingle - Check your bind9 configuration file /etc/bind/named.conf.options . You should have added a forwarders section to tell bind9 where to go for its DNS information. It looks like it's currently trying to connect to localhost.
Nick - Thanks for the comment, that looks very useful.
decent - If you need more detailed information from OpenVPN, first try running it as a command, rather than as a service. First make sure the service is stopped:
$ sudo service openvpn stop
Then run openvpn, pointing it to your configuration file:
$ sudo openvpn /etc/openvpn/openvpn.conf
This will print a whole bunch of additional information to the terminal, and will hopefully give you some indication of what's wrong.
decent - Also, check your openvpn configuration to make sure you're set up to use a tunnel connection, rather than a tap. If you're using a tap, you won't see the tun0 network interface, even when openvpn is running.
Hi!
Thanks for the tutorial!
I got a CA.crt and lots of .ovpn files from my VPN provider, one for each location. Do you have an idea how to set up the RasPi to easily switch between locations?
Cheers,
Ben
Hi Thanks for the awesome tutorial. I was able to get the VPN to work.
Now my setting is
Main router -> rPi -> VPN
as rPi is hosting a second network, I am not able to discover devices connected to rPi from devices connected to Main router.
Is it possible to have both the rPi and Mainrouter on same subnet?
for example, my main router has ips 192.168.7.100 to 150, can I configure rPi to have address 192.168.7.20-192.168.7.30 instead of 192.168.0.X?
thanks!
I didn't connect to my Rpi's wifi. My smartphone found the wifi, I entered the password, but it didn't acquire an IP. So as Mark said I edited /etc/rc.local to start wlan0 with a static IP. With this mod my smartphone connected to the Rpi, but it didn't go to the Web. One problem solved, but a newer problem came. I edited /etc/udhcpd.conf as follows:
start 192.168.0.100
end 192.168.0.254
interface wlan0
remaining yes
opt dns 8.8.8.8 8.8.0.0
option subnet 255.255.255.0
opt router 192.168.0.1
option lease 864000 # 10 days
And in this way I went online
Hello, I tried your tutorial on a fresh new Raspbian installation on my Pi2, but I'm already facing problems at the beginning:
When I type in this command curl --interface tun0 freegeoip.net/json/, after I started the OpenVPN daemon, nothing happens.
And curl --interface eth0 freegeoip.net/json/ gives me an error: can't connect. It only works when I stop the daemon.
Surprisingly I can surf the web with the web browser over the VPN connection. Later I was facing another problem:
pi@raspberrypi ~ $ sudo service hostapd start
[FAIL] Starting advanced IEEE 802.11 management: hostapd failed!
I don't know what this means..
KrasBlogger - I would put all those files in /etc/openvpn and then symlink the .ovpn file you want to use at any given point:
$ sudo ln -s location1.ovpn openvpn.conf
You'll need to restart the OpenVPN service each time you change to symlink to point to a different .ovpn file.
$ sudo service openvpn restart
rajesh - I've not tried this. I think technically it should be possible, but will probably involve setting up some additional routing rules in iptables. Essentially you'd be running two network interfaces (your wireless adapter and the ethernet port) with the same subnet. You would need to make sure that each one had a unique IP address within that subnet. Good luck!
Mattia - Thanks for that, glad it worked out for you.
simpty! - Try curl without specifying an interface:
$ curl freegeoip.net/json/
If your openvpn service is running, it should default to the tun0 or equivalent connection.
Regarding your hostapd error, check the syslog for lines that refer to hostapd
$ sudo grep hostapd /var/log/syslog
There should be an error message in the log that gives you a clue to what's wrong.
Hey alphaloop,
thank you for your answer. I did the whole process again, renamed and copied the .ovpn file and started the daemon. Ifconfig shows me this:
tun0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:10.4.35.97 P-z-P:10.4.35.97 Maske:255.255.0.0
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1500 Metrik:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:1496 (1.4 KiB) TX bytes:1226 (1.1 KiB)
When I execute $ curl freegeoip.net/json/, nothing happens. When I type curl --interface eth0 freegeoip.net/json/, it tells me: curl: (7) couldn't connect to host
simpty - The ifconfig output for tun0 looks good. Try running curl with verbose output:
$ curl -v freegeoip.net/json/
Hey alphaloop,
first of all I'd like to thank you for this great tutorial.
Everything worked for me until I had to reboot my Pi. Since then I'm not able to connect my smartphone to the access point. My laptop can connect to the access point but does not get an internet connection (DNS_probe_finished_no_internet). When I use 'curl freegeoip.net/json/' I get a positive reply for a working VPN connection. Furthermore 'sudo iptables-save' also delivers the right things.
Any ideas how to solve my problem?
Thank you in advance.
Hello Alphaloop,
Thanks for this tutorial. I bought a second hand raspberry PI and will try to make it work. I have 0 experience with linux though so might take me some effort.
I am having some trouble finding a free vpn that supplies an openvpn configuration file you need to make this work. Any chance you could make this work with websites like this: http://bit.ly/1Jbxq2Z. I use these websites on windows and all I have to do is enable vpn and fill in login name and password and off I go. Maybe I can do this with the raspberry PI as well and just share the VPN connection I made?
Thanks for your input.
hi
my devices are not able to obtain the ip address. Could you help me out with this ?
Thnx
I have a Raspberry pi VPN server (PPTP) in Spain and another Raspberry pi in Germany; this one will be the one I will convert into a "VPN Wireless Access Point". Is this possible with a pptp VPN?
Thank you so much for this great tutorial!! I struggled so long till I finally managed it with your help! When I connected to the Wifi with my laptop, I also did not receive an IP. And the hint from the comments worked for me:
touch /var/lib/misc/udhcpd.leases
chmod +rw /var/lib/misc/udhcpd.leases
(since I don't know what ownership is required, I just gave read and write permissions. Hope that's not a safety issue)
Now I have internet and can connect! Thanks again!!
I have one safety issue, how can I block all internet connections not going through the vpn? If I turn openvpn off, it just connects over the regular ip. Will that be as well when the vpn is down for some reason? I prefer no internet to an unsecured one!
Thanks for this great tutorial. I'm about to get my Pi and will definitely try it out. I still have two doubts though and would be happy if you could comment:
(1) By your method, what happens if the vpn connection breaks down e.g. because of a timeout. Does traffic then "leak" through the normal connection or did you implement a mechanism that ensures that only traffic through the tunnel is happening?
(2) what about DNS leakages or is this a server side issue from the VPN provider?
Thx in advance!
Hey alphaloop, thanks for sharing this and all the wonderful help you have provided to all of the folks in the comments. I just got a second Rpi and a second router and I plan on going all mad scientist on my home network this weekend. I'm thinking of giving this whole VPN thing a try and I'm positive I'll be able to figure it out using your tutorial, your source material, and all the help you've supplied in the comments. Again, thank you for freely sharing your knowledge with those of us who are still learning.
Hi Alphaloop
Awesome tutorial there! Would it be possible to build this with wifi at both ends? I mean, the raspi connects to a local unsecured wifi network and puts out its own VPN-secured wifi. I travel very frequently and such a device would be a boon! Thanx. AP
Sean - Sorry for the very slow response. Check to see if the tunnel interface (tun0) is shown when you run 'ifconfig'.
Ryan - Whatever VPN service you use would need to support VPN client software that will run on Linux, and which exposes a virtual network interface you can route data to using iptables. OpenVPN is by far the simplest option for this. I used strongvpn.com for a long time and they were very good.
Sahil - check the config in your /etc/udhcpd.conf file in the first instance.
Carlos - Yes, there are PPTP clients for Raspbian. Take a look here: https://devtidbits.com/2013/02/19/using-a-point-to-point-tunnelling-protocol-virtual-private-network-pptp-vpn-client-on-a-raspberry-pi/
Sturmpilzchen - Good question! I've not tried this, but it might be possible to block all outgoing traffic on the eth0 interface without blocking the tun0 VPN interface. Try adding the iptables rule:
iptables -A OUTPUT -o eth0 -j DROP
you might also need:
iptables -A FORWARD -o eth0 -j DROP
but it's possible this will also block traffic being output over the VPN.
Sturmpilzchen - come to think of it, this isn't necessary: the NAT forwarding rules specify the tun0 interface, so if it's down no traffic will get routed.
Peter - As per comment above, if the tun0 interface is down (i.e. the VPN is down), no packets should be forwarded from the wireless interface (wlan0). However, it's possible the processes on the Pi itself will still make internet connections over the eth0 interface in that situation.
Regarding the DNS leakage, the DNS requests will be satisfied by the bind9 service on the Pi, which I set up to use Google's DNS servers in the instructions. I've checked that DNS requests from bind9 are made via the VPN connection when the VPN connection is running, but I've not checked that no DNS requests are ever made over the open eth0 connection, either when the VPN is down or otherwise. If this is something you want to ensure, you will want to look at adding some more iptables rules to block DNS over eth0.
Unknown - You're welcome! Hope it went well.
AP - Interesting idea! I'd be surprised if that wasn't possible. The simplest way would be to have two wifi adapters, but it might be possible to configure a single adapter to be both an access point and to connect to another wireless network. At any rate one of the (either physical or virtual) adapters would need to be configured to connect to the local non-secure wireless network.
I think most of the instructions in the post should still apply if your internet connection is over a wireless connection rather than the ethernet port. It would be interesting to know if you're able to get this working.
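The "what if the tunnel drops?" question from the replies above can be answered more firmly than the NAT rules alone do. The following is an added example, not the post's own rules: a VPN "kill switch" that lets the Pi send only the OpenVPN handshake over the wired uplink, so neither the Pi itself (bind9's upstream DNS queries included) nor the wireless clients can fall back to the plain connection when tun0 is down. Interface names (eth0 uplink, wlan0 access point, tun0 tunnel) follow the post; VPN_SERVER, VPN_PORT and VPN_PROTO are placeholders that must be set from your provider's .ovpn file.

```shell
#!/bin/sh
# Added example, not the post's own rules: a VPN "kill switch" for the
# access point. The Pi may open only the OpenVPN connection itself over
# the wired uplink; everything else it originates, and everything the
# wireless clients send, must go inside the tunnel or is dropped.
#
# Assumed names, change to match your setup: eth0 = wired uplink,
# wlan0 = access point, tun0 = OpenVPN tunnel. VPN_SERVER is a
# placeholder (203.0.113.10 is a documentation address) and must be the
# IP address from your provider's .ovpn "remote" line, because with
# these rules the Pi can no longer resolve hostnames over eth0.

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-wlan0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

apply_killswitch() {
    # Start the OUTPUT and FORWARD chains from scratch with a default deny,
    # so the rules below are the complete policy for traffic leaving the Pi.
    $IPT -F OUTPUT
    $IPT -F FORWARD
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback and the access-point side (DHCP offers and DNS answers to
    # the wireless clients) are always allowed.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -o "$LAN" -j ACCEPT
    # Replies to flows that already exist, e.g. your SSH session into the
    # Pi over eth0, keep working.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only connection the Pi may open over the wired uplink is the
    # tunnel to the VPN server, plus the DHCP lease for eth0 itself.
    $IPT -A OUTPUT -o "$WAN" -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 67 -j ACCEPT
    # Everything else the Pi originates must go inside the tunnel.
    $IPT -A OUTPUT -o "$VPN_IF" -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -j DROP

    # Wireless clients are forwarded into the tunnel only, never out of
    # eth0, so a dropped tunnel means no connectivity rather than a leak.
    $IPT -A FORWARD -i "$LAN" -o "$VPN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -o "$WAN" -j DROP
}

# Dry run: print the rules instead of applying them, so the policy can be
# reviewed without root. The subshell keeps IPT unchanged afterwards.
print_rule() { printf '%s\n' "$*"; }
dryrun_killswitch() { ( IPT=print_rule; apply_killswitch ); }

# How many rules mention the wired uplink: a quick sanity check that the
# eth0 side is fully covered (2 accepts and 2 drops with the defaults).
count_wan_rules() { dryrun_killswitch | grep -c -- "-o $WAN"; }

if [ "${1:-}" = "--apply" ]; then
    apply_killswitch
fi
```

Run it with `--apply` as root after the OpenVPN service and the post's NAT rules are in place, and review `dryrun_killswitch` output first. The INPUT chain is left as the post configured it, and because ESTABLISHED flows are still allowed an SSH session already open over eth0 survives; what stops is any new outbound connection that is not the tunnel, which is exactly the leak the question above is about.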
It works for me. Only thing to watch out for: somehow the adapters switch the identifier (wlan0 / wlan1). Don't ask me why. I worked around this problem by using two with the same driver :-/ But then it works fine for me.
Well, thank you for a great tutorial. This works perfectly for me on a Raspberry 3. My chromecast connects to the new vpn wifi network and I can watch Netflix US ;-)
Only thing I had to adjust is that I connect to the VPN with this command: openvpn --config $name_of_config_file, and leave that terminal window open
Hi, great howTo.
I've got the same problem as martin: "no internet connection" I read the comments but for this problem there is no solution mentioned. Last comment was deleted by author :-(
Can you help me ?
Samoht - If you can connect to the wireless network being broadcast by the Pi but can't access the Internet there are two likely causes: either the VPN connection isn't working or the iptables rules to route traffic from the wireless network to the VPN connection aren't set up correctly.
To test that the VPN connection is working correctly, log into the Pi and type:
$ sudo ifconfig
You should see a device listed called tun0. If you don't, enter the following command:
$ sudo service openvpn start
To check this is working and that you can access the Internet from the Pi, enter this command:
$ curl freegeoip.net/json/
You should see some output.
If this is all working okay there's likely an issue with your iptables setup. To check the configuration, enter the following command:
$ sudo iptables-save
Among the output you should see the following line:
-A POSTROUTING -o tun0 -j MASQUERADE
If you don't see this line, run the following command:
$ sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
You should also check that NAT is enabled on your Pi. To do this type:
$ cat /proc/sys/net/ipv4/ip_forward
This should return "1". If it doesn't, enter the following command:
$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Hope that helps.
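The checklist in the reply above (tunnel interface present, ip_forward set, MASQUERADE rule present) comes up repeatedly in this thread, so here it is as a script. This is an added example, not the post's own code: each check reads one command's output from stdin so the logic can be exercised against captured text, `diagnose` takes three files and reports the first failing check with the fix the reply gives, and `run_live` feeds it the real outputs. Interface names (tun0, wlan0) are assumptions taken from the post; the FORWARD check uses the rule form shown in a later comment.

```shell
#!/bin/sh
# Added example, not from the post: the troubleshooting checklist as a
# script. Assumed interface names: tun0 = OpenVPN tunnel, wlan0 = access
# point. Each check reads stdin so it can be tested on captured output.

VPN_IF="${VPN_IF:-tun0}"
LAN="${LAN:-wlan0}"

# stdin: ifconfig or "ip -o link" output. Is the tunnel interface present?
has_tunnel_iface() {
    grep -Eq "^($VPN_IF[: ]|[0-9]+: $VPN_IF[:@])"
}

# stdin: contents of /proc/sys/net/ipv4/ip_forward. Is forwarding on?
forwarding_enabled() {
    [ "$(head -n 1)" = "1" ]
}

# stdin: iptables-save output. Is the NAT rule that rewrites client
# traffic to the tunnel's address present?
has_masquerade_rule() {
    grep -q -- "^-A POSTROUTING -o $VPN_IF -j MASQUERADE$"
}

# stdin: iptables-save output. Are client packets allowed into the tunnel?
has_forward_rule() {
    grep -q -- "^-A FORWARD -i $LAN -o $VPN_IF -j ACCEPT$"
}

# $1: file with ifconfig output, $2: file with the ip_forward value,
# $3: file with iptables-save output. Prints the first problem found and
# the fix from the reply; the return code says which check failed.
diagnose() {
    if ! has_tunnel_iface < "$1"; then
        echo "no $VPN_IF interface: the VPN is not up. Try: sudo service openvpn start"
        return 1
    fi
    if ! forwarding_enabled < "$2"; then
        echo "ip_forward is not 1. Try: sudo sh -c \"echo 1 > /proc/sys/net/ipv4/ip_forward\""
        return 2
    fi
    if ! has_masquerade_rule < "$3"; then
        echo "NAT rule missing. Try: sudo iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE"
        return 3
    fi
    if ! has_forward_rule < "$3"; then
        echo "FORWARD rule missing. Try: sudo iptables -A FORWARD -i $LAN -o $VPN_IF -j ACCEPT"
        return 4
    fi
    echo "tunnel, forwarding and NAT look right; next check the client's DHCP lease (udhcpd)"
    return 0
}

# Gather the live outputs (needs root for iptables-save) and diagnose them.
run_live() {
    tmp=$(mktemp -d) || return 1
    { ifconfig 2>/dev/null || ip -o link; } > "$tmp/ifaces"
    cat /proc/sys/net/ipv4/ip_forward > "$tmp/ip_forward"
    iptables-save > "$tmp/iptables"
    diagnose "$tmp/ifaces" "$tmp/ip_forward" "$tmp/iptables"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Run it as `sudo sh diagnose.sh --live` on the Pi. The checks are deliberately ordered the way the reply is: a missing tun0 is reported before anything about NAT, because the NAT rule is meaningless until the tunnel exists, and a rule that names eth0 instead of tun0 is treated as missing rather than as present.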
Thank you
But... if i have already my router which is doing the dhcp, should i also enable the dhcp on the pi? will it work?
DeatK - Yes, you should enable DHCP on the Pi as well. Your router will be providing one local network, while the Pi will be providing a second local network that routes data via the VPN: you need DHCP to allocate IP addresses to devices on both networks. If you connect a device to the Pi's local network, it will be allocated an IP address by the Pi; if you connect a device to the router's local network, it will be allocated an IP address by the router.
Hope that makes sense.
i am getting crazy about this...
i can see the ssid from the other devices, i insert the password but then i am not connected...
adding the two lines
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
i am able to connect to the pi but now i get error that there is no internet connection!!!
but i could test before that the vpn was working perfectly
the command iptables-save is not showing anything, but i am pretty sure i followed all the instructions...
but after a while i opened the file /etc/iptables.nat.vpn.secure and it is empty
i am sure it was not empty before!!!!
I am also having problems after booting. The wlan0 ip is 169.254.63.144 not 192.168.0.1 and sudo iptables-save does not show anything. Should the setting be saved another way in Raspbian-Jessie
I have the solution to my problem and it was as simple as removing the hash from "#allow-hotplug wlan0" in /etc/network/interfaces to leave "allow-hotplug wlan0"
for me it was not enough... still i can connect but there is no internet connection
i have tried connecting from a windows pc to the new wlan
if i perform an ipconfig i see
ip address = 169.254.187.105
subnet mask = 255.255.0.0
and no gateway
so the dhcp is not working properly?
i found out that the udhcp was not running
and i have found the solution, i had to disable from the reboot the dhcpcd service.
now when i connect to the wifi i have the right ip address on the client, but still i have no connection... >_<
Hi, thanks for the tutorial.
Is it possible to get the VPN provided DNS servers before the Google ones?
I am impressed with these details. I also need to purchase a reliable VPN service for my android phone but not able to find a good service. But I am now thinking to make list of best vpn service and software and use their trial versions before buying.
Really very interesting and very valuable information about the vpn nice work.
Very informative article regarding VPN I have been using best vpn service provider for encrypting my data.
Such a nice blog and I appreciate your all efforts about your thoughts. It’s really good work. well done. Please keep sharing more about Software Defined Network.
Module Transceivers Are External To The Network And Are Installed And Function Similarly To Other Computer.
Informative post. Thanks for sharing.