Using your Pi as a VPN Gateway with an Access Point

Filling the Gaps

You can check whether the VPN actually works at http://icanhazip.com. This website simply shows your public IP. From a terminal, the curl -s icanhazip.com command shows the same public IP. If you combine that command with a Geo IP lookup, you will see your current location as far as the Internet is concerned. If the VPN is active, the geoiplookup call will report either Germany or the Netherlands as the location (Listing 10).

Listing 10

Output of curl -s icanhazip.com

$ sudo apt install geoip-bin
$ sudo service openvpn stop
$ geoiplookup $(curl -s icanhazip.com)
GeoIP Country Edition: DE, Germany
$ sudo service openvpn start
$ geoiplookup $(curl -s icanhazip.com)
GeoIP Country Edition: NL, Netherlands

You can also check which IP address is visible when you use BitTorrent. To do so, add the magnet link from the Check My Torrent IP website [5] in the Transmission front-end. Within a few moments, the Check My Torrent web page updates and shows the VPN IP of the Raspberry Pi underneath the IP address of your web browser (Figure 3). Ignore the error message in Transmission itself; it pops up because there is no "real" download during the test.

Figure 3: You can use sites like Check My Torrent IP in order to find out whether services like BitTorrent are sending your data over the VPN.

The "Up" and "Down" scripts now make sure that critical services such as Transmission only run if the OpenVPN service has been able to establish the previously configured connection (Listing 11). If something goes wrong at this point, for instance if a program crashes, the service continues to transmit data, but over your own connection. Therefore, you must lock the system down so that it can only send data to the Internet through the VPN tunnel.

Listing 11

Stopping and Starting openvpn

$ sudo service openvpn stop
$ sudo service transmission-daemon status | grep Active
 Active: inactive (dead) since Do 2016-12-01 17:37:50 CET; 7s ago
$ sudo service openvpn start
$ sudo service transmission-daemon status | grep Active
 Active: active (running) since Do 2016-12-01 17:37:22 CET; 21s ago

The ufw firewall you installed earlier, which was developed by Canonical, is configured as shown in Listing 12. The first step is to use it to permit data traffic only through the VPN tunnel tun0. Since the system should remain reachable from the internal network, you also have to allow the address range from 192.168.0.0 to 192.168.255.255; adapt this range to your own network if necessary. Finally, add an exception for OpenVPN itself: the VPN client has to be able to reach its counterpart on the Internet through port 1198, or through a different port depending on your provider.

Listing 12

Setting up ufw

### First deny all incoming and outgoing traffic by default
$ sudo ufw default deny incoming
$ sudo ufw default deny outgoing
### Allow all traffic through the VPN tunnel tun0
$ sudo ufw allow in on tun0
$ sudo ufw allow out on tun0
### Exception for the internal network (please adapt the IP range)
$ sudo ufw allow in on eth0 from 192.168.0.0/16
$ sudo ufw allow out on eth0 to 192.168.0.0/16
### Exception for OpenVPN on eth0 (adapt the port to your provider)
$ sudo ufw allow in on eth0 from any port 1198
$ sudo ufw allow out on eth0 to any port 1198
### Activate the firewall
$ sudo ufw enable

The level of protection afforded by the firewall is easy to test. Start OpenVPN as shown in Listing 13 and use a Geo IP lookup to check your IP address and location. If you now abruptly kill the OpenVPN process, all Internet traffic stops instantly. After a forceful termination like this, you cannot re-establish the VPN connection; the best thing to do is to restart the system.

Listing 13

Output of curl -s icanhazip.com

$ sudo service openvpn start
$ geoiplookup $(curl -s icanhazip.com)
GeoIP Country Edition: NL, Netherlands
$ sudo pkill -9 -f openvpn
$ ping -c 1 raspberrypi.org
ping: unknown host raspberrypi.org

Pi VPN Access Point

The WiFi module of the Raspberry Pi 3 is not used when the computer is connected to the local network via Ethernet, so the VPN does not have to be used by the Raspberry Pi alone. If you set up an access point on the Raspbian system, you can connect a laptop or smartphone through the VPN to the Internet.

You will need to install additional packages for the access point. Hostapd creates the WiFi network itself, and Dnsmasq, a simple DNS and DHCP server, assigns IP addresses to the connected computers. In addition, you have to make sure that Raspbian does not automatically assign an IP address to the WiFi device wlan0. You prevent this by adding the line denyinterfaces wlan0 to the /etc/dhcpcd.conf configuration file (Listing 14). Next, open the /etc/network/interfaces file and replace the configuration for the WiFi interface with the contents of Listing 15. Afterwards, reload all of the affected services and devices (Listing 16).

Listing 14

dhcpcd.conf

$ sudo apt-get install dnsmasq hostapd resolvconf
$ echo denyinterfaces wlan0 | sudo tee -a /etc/dhcpcd.conf

Listing 15

/etc/network/interfaces

# allow-hotplug wlan0
# iface wlan0 inet manual
#  wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
allow-hotplug wifi0
iface wifi0 inet static
 address 172.24.1.1
 netmask 255.255.255.0
 network 172.24.1.0
 broadcast 172.24.1.255
# wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Listing 16

daemon-reload

$ sudo systemctl daemon-reload
$ sudo service dhcpcd restart
$ sudo ifdown wifi0; sudo ifup wifi0

Create the file /etc/hostapd/hostapd.conf, which configures the Hostapd service. Listing 17 contains all of the necessary settings for a Raspberry Pi 3 and its integrated WiFi module; set your own values for the SSID and the WiFi password in lines 15 and 16. Before Hostapd will use this configuration, you need to enter the path to the file in /etc/default/hostapd (Listing 18).

Listing 17

hostapd.conf

01 interface=wifi0
02 driver=nl80211
03 hw_mode=g
04 channel=6
05 ieee80211n=1
06 wmm_enabled=1
07 ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
08 macaddr_acl=0
09 auth_algs=1
10 ignore_broadcast_ssid=0
11 wpa=2
12 wpa_key_mgmt=WPA-PSK
13 rsn_pairwise=CCMP
14 # Please change Network Name and Password
15 ssid=<VPN-Gateway>
16 wpa_passphrase=<raspberry>

Listing 18

/etc/default/hostapd

[...]
#DAEMON_CONF=""
DAEMON_CONF="/etc/hostapd/hostapd.conf"
[...]

Now you need to configure the DHCP server. Open the /etc/dnsmasq.conf file, delete all of the example configuration it contains, and replace it with the settings from Listing 19.

Listing 19

dnsmasq.conf

interface=wifi0
listen-address=172.24.1.1
bind-interfaces
server=8.8.8.8
domain-needed
bogus-priv
dhcp-range=172.24.1.50,172.24.1.150,12h

In the next step, you need to permit the system to forward data packets. Do this by adding the line net.ipv4.ip_forward=1 to the file /etc/sysctl.conf. Listing 20 does this for you by uncommenting the existing line, and it activates the new configuration without requiring a restart.

Listing 20

sysctl.conf

$ sudo sed -i 's/#net.ipv4.ip_forward/net.ipv4.ip_forward/g' /etc/sysctl.conf
$ sudo sysctl -p /etc/sysctl.conf

Finally, you need to modify the firewall. As configured so far, it blocks all data traffic except through the VPN tunnel, with just a few exceptions. In addition, the rules for forwarding data packets received on the WiFi interface into the VPN are still missing.

You need to create these rules in Raspbian with iptables directly, because ufw only supports this function starting with version 0.35. Add the lines from Listing 21 to the /etc/rc.local file before the final exit 0. Afterwards, run the script once manually, allow the WiFi device wifi0 in the firewall, and restart the two participating services (Listing 22).

Listing 21

iptables rules for /etc/rc.local

# Masquerade client traffic behind the tunnel and forward only between
# the WiFi interface and tun0 (interface name as in Listings 15 to 19;
# use wlan0 instead if your WiFi device keeps that name)
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o wifi0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wifi0 -o tun0 -j ACCEPT

Listing 22

Setting up rc.local

$ sudo /etc/rc.local
$ sudo ufw allow in on wifi0
$ sudo ufw allow out on wifi0
$ sudo service hostapd restart
$ sudo service dnsmasq restart
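As an added check that is not part of the original article, the following Python script audits an iptables-save dump for the forwarding setup from Listing 21: it confirms that WiFi client traffic is masqueraded and forwarded only into tun0, that the FORWARD policy is DROP, and it flags any FORWARD rule that would let clients out through another interface. The sample dump, including the deliberately leaky eth0 rule, is constructed for this example.

```python
import shlex

# Constructed sample iptables-save dump: the three rules from Listing 21,
# plus one extra FORWARD rule that would let WiFi clients bypass the tunnel.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o wifi0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wifi0 -o tun0 -j ACCEPT
-A FORWARD -i wifi0 -o eth0 -j ACCEPT
COMMIT
"""


def _opt(tokens, flag):
    """Return the value that follows `flag` in a tokenised rule, or None."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit_forwarding(dump, wifi="wifi0", tun="tun0"):
    """Return a list of findings; an empty list means no forwarding leak was found."""
    findings, table = [], None
    have_masq = have_fwd = False
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":FORWARD") and table == "filter" and " DROP " not in line:
            findings.append("FORWARD chain policy is not DROP")
        elif line.startswith("-A "):
            t = shlex.split(line)
            chain, in_if, out_if, target = t[1], _opt(t, "-i"), _opt(t, "-o"), _opt(t, "-j")
            if table == "nat" and chain == "POSTROUTING" and target == "MASQUERADE":
                if out_if == tun:
                    have_masq = True
                else:
                    findings.append(f"MASQUERADE on {out_if} instead of {tun}")
            elif table == "filter" and chain == "FORWARD" and target == "ACCEPT" and in_if == wifi:
                if out_if == tun:
                    have_fwd = True
                else:
                    findings.append(f"{wifi} traffic may be forwarded to {out_if}, bypassing {tun}")
    if not have_masq:
        findings.append(f"no MASQUERADE rule on {tun}")
    if not have_fwd:
        findings.append(f"no FORWARD rule from {wifi} to {tun}")
    return findings


if __name__ == "__main__":
    import sys
    # Audit the live rule set when piped in, otherwise the constructed sample
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for problem in audit_forwarding(dump):
        print("LEAK:", problem)
```

On the gateway, pipe in the live rule set with `sudo iptables-save | python3 audit_forwarding.py`; with no input the script audits the constructed sample and reports the eth0 bypass.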

You should now be able to see the new WiFi network created by the Raspberry Pi in the connection manager of your laptop or smartphone. Once you have entered the password and connected, visit http://icanhazip.com (or, perhaps more conveniently, https://whatismyip.com) in the device's browser to make sure that its traffic really leaves through the VPN (Figure 4).

Figure 4: When used as a VPN gateway, the Raspberry Pi tunnels all of the requests made by mobile devices through the VPN.
