Good Tunneling
Have you ever been told by a website that certain content isn't available in your country? Configuring your Pi to route all your network traffic through a VPN can help.
There are many VPN (Virtual Private Network) providers competing over the Internet for customers. This means that for a small monthly fee you can securely use public WiFi hotspots. This is done by creating an encrypted tunnel to the Internet. The Raspberry Pi is ideally suited to act as a VPN gateway with an integrated access point for mobile devices.
As a rule, employing a VPN does away with virtual boundaries on the internet. However, privacy requires more than just tunneling into the Internet of a foreign country. Each time you access a website with a standard web browser, traces are left behind. These can then be used to track down the owner of the connection. For this reason, if you're extremely concerned with your privacy, consider using a specialized Linux distribution like Tails [1].
Tails is a live operating system that boots from a USB stick or DVD. It is not designed for installation on a hard drive. Tails currently only runs on 32- and 64-bit PCs. The OS loads directly into RAM and routes all Internet traffic through Tor to anonymize your connection. An ARM version for the Raspberry Pi is still not available. This has to do with the small working memory of the Raspberry Pi: the complete system cannot load within 1 GByte of RAM.
Nonetheless, the Raspberry Pi is an ideal system for protecting your privacy. You can easily install a Linux system in such a way that every data bit sent from the computer is guaranteed to go through a trusted VPN. For the purposes of this article, we will use the US service Private Internet Access, PIA [2].
Editor
At several stages during setup, you will need to edit configuration files. The easiest way to do this on the Raspberry Pi is to use the Nano editor. To start editing, open the file with the sudo nano <file> command. The sudo in front of the command takes care of administrative rights. Save the changes you make by pressing [Ctrl]+[O] and the return key. Once you are finished, close the editor by pressing the [Ctrl]+[X] keys.
First install Raspbian [3] on the Raspberry Pi. If you want the operating system to serve solely as a VPN gateway, you can do this without the graphical user interface. This means you can install the light version of Raspbian.
After installation, update the system and modify the language settings using the Raspberry Pi configuration tool (Listing 1). If you want to operate the Raspberry Pi without input devices and without a monitor, then as of the 11.25.2016 version of Raspbian, you will need to activate the SSH server before installation. To do so, create an empty file named ssh [4] on the boot partition.
Listing 1
output of raspi-config
$ sudo apt update
$ sudo apt full-upgrade
$ sudo raspi-config
Next, you need the packages from the first line of Listing 2 to connect to an OpenVPN server. The Uncomplicated Firewall (ufw) acts as a safeguard in case the VPN fails. Transmission, a BitTorrent client with an integrated web frontend (second and third line), will later be used to verify whether critical services such as file sharing are running over the VPN. If you don't need BitTorrent, you can skip installation of Transmission.
Listing 2
transmission-daemon
$ sudo apt install openvpn ufw
$ sudo apt install transmission-daemon
$ sudo update-rc.d -f transmission-daemon remove
If, instead, you decide that you do need the Transmission client, then stop the service and configure it so that it no longer automatically loads during the boot process (Listing 3). In addition, you will need to make sure that you and other users in your network can call up the web frontend. The stream editor sed does this directly from the command line. The syntax for this operation is:
sed -i -e s/'<search>'/'<replace>'/ <file>
The -i option tells sed to work directly in the file, and -e executes the argument that follows as a sed script.
Listing 3
Output of settings.json
$ sudo service transmission-daemon stop
$ sudo sed -i -e s/'"rpc-authentication-required": true'/'"rpc-authentication-required": false'/ /etc/transmission-daemon/settings.json
$ sudo sed -i -e s/'127.0.0.1'/'127.0.0.1, <192.168.*.*>'/ /etc/transmission-daemon/settings.json
$ sudo grep rpc /etc/transmission-daemon/settings.json
"rpc-authentication-required": false,
[...]
"rpc-whitelist": "127.0.0.1, <192.168.*.*>",
[...]
$ sudo service transmission-daemon start
Desktop System
The steps illustrated here for the Raspberry Pi can also be used without any problems on PCs running Debian or its derivatives such as Ubuntu.
Instead of using sed commands, you can modify /etc/transmission-daemon/settings.json with a classic editor like nano. The output from the grep command in Listing 3 details the finishing touches you must make. Depending on how your router is configured, you may have to adapt the commands to your network's IP range. The entry 192.168.*.* covers all IP addresses from 192.168.0.1 to 192.168.255.255.
After concluding these steps and restarting the Transmission server, you can now access it via your LAN at http://<Your_IP_Address>:9091 (Figure 1). However, do not add any torrents just yet! The Raspberry Pi is still transmitting all data directly via your own Internet connection.
VPN providers usually offer OpenVPN and corresponding configuration files for download. With PIA, you will find these files on the home page. The commands from Listing 4 let you download these as a package and then unzip them together with the required certificates. Store them in /etc/openvpn/.
Listing 4
openvpn.zip
$ wget http://www.privateinternetaccess.com/openvpn/openvpn.zip
$ sudo unzip openvpn.zip -d /etc/openvpn
inflating: /etc/openvpn/AU Melbourne.ovpn
[...]
inflating: /etc/openvpn/ca.rsa.2048.crt
inflating: /etc/openvpn/crl.rsa.2048.pem
$ sudo sed -i -e s/'#AUTOSTART="home office"'/'AUTOSTART="PIA"'/ /etc/default/openvpn
$ grep AUTOSTART /etc/default/openvpn
#AUTOSTART="all"
#AUTOSTART="none"
AUTOSTART="PIA"
Modify the autostart entry in the /etc/default/openvpn file so that the OpenVPN client will automatically load one of the country-specific VPN servers from PIA when it boots. The option AUTOSTART="PIA" causes the OpenVPN service to automatically load the configuration file PIA.conf (which is still to be set up) from the /etc/openvpn/ directory during startup.
You can get the contents of this file from Listing 5. The file is set up to use PIA's server in the Netherlands. It has been augmented with additional logs, and it also calls two scripts, vpn-up.sh and vpn-down.sh, after startup and after the VPN connection is closed. If you prefer a VPN tunnel in a different country, modify the configuration accordingly.
Listing 5
openvpn
client
dev tun
proto udp
remote nl.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/userpass.data
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
log-append /var/log/piavpn.log
status-version 3
status status
script-security 2
up /etc/openvpn/update-resolv-conf
route-up /etc/openvpn/vpn-up.sh
down /etc/openvpn/vpn-down.sh
The OpenVPN client gets its access data from the file /etc/openvpn/userpass.data. Enter your user name for the VPN provider on the first line of this file and the password on the second line (Listing 6). In order to prevent other system users from seeing this data, change the file permissions using
sudo chmod 600 /etc/openvpn/userpass.data
so that only root can read it.
Listing 6
userpass.data
<username>
<password>
Next, fill in the scripts /etc/openvpn/vpn-up.sh (Listing 7) and /etc/openvpn/vpn-down.sh (Listing 8). Use the command on the first line of Listing 9 to make them executable. Next, have systemd reload its configuration so that it picks up the changes made to the /etc/default/openvpn file. Finally, restart the OpenVPN service (second and third lines).
Listing 7
vpn-up.sh
#!/bin/sh
# Start services like Transmission
service transmission-daemon start
Listing 8
vpn-down.sh
#!/bin/sh
# Stop services like Transmission
service transmission-daemon stop
# Prevent DNS leaks
/etc/openvpn/update-resolv-conf
Listing 9
vpn-down.sh vpn-up.sh
$ sudo chmod +x /etc/openvpn/vpn-down.sh /etc/openvpn/vpn-up.sh
$ sudo systemctl daemon-reload
$ sudo service openvpn restart
Now OpenVPN will automatically start the connection. The program will store any log files in /var/log/piavpn.log. Take a look at these while OpenVPN is connecting. Use sudo tail -f /var/log/piavpn.log to see what's going on (Figure 2).
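The permission steps above (chmod 600 on userpass.data, chmod +x on the two scripts) can be verified with a small audit of the files the OpenVPN configuration points at. This is an added example, not part of the original article; the function names audit_ovpn_conf, go_bits and make_demo are made up for it, and it assumes paths without spaces.

```sh
#!/bin/sh
# Added example: audit the files an OpenVPN client config refers to.
# Usage: audit_ovpn_conf /etc/openvpn/PIA.conf   (exit status = number of findings)

# Print the group+other permission characters of a file ("------" for mode 600).
go_bits() { ls -ld "$1" | cut -c5-10; }

audit_ovpn_conf() {
    conf=$1 findings=0
    # auth-user-pass <file>: credentials must not be accessible to group or others.
    cred=$(awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$conf")
    if [ -n "$cred" ]; then
        if [ ! -f "$cred" ]; then
            echo "MISSING  $cred"; findings=$((findings + 1))
        elif [ "$(go_bits "$cred")" != "------" ]; then
            echo "EXPOSED  $cred (want chmod 600)"; findings=$((findings + 1))
        fi
    fi
    # up/route-up/down scripts run as root under script-security 2: they must
    # be executable and must not be writable by group or others.
    for script in $(awk '$1 ~ /^(up|route-up|down)$/ && NF >= 2 { print $2 }' "$conf"); do
        if [ ! -x "$script" ]; then
            echo "NOEXEC   $script"; findings=$((findings + 1)); continue
        fi
        case $(go_bits "$script") in
            ?w????|????w?) echo "WRITABLE $script"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed fixture (no real credentials): a config in a temp dir whose
# credentials file is world-readable and whose down script is not executable.
make_demo() {
    d=$(mktemp -d)
    printf '%s\n' 'user' 'pass' > "$d/userpass.data"; chmod 644 "$d/userpass.data"
    printf '#!/bin/sh\n' > "$d/vpn-up.sh";   chmod 755 "$d/vpn-up.sh"
    printf '#!/bin/sh\n' > "$d/vpn-down.sh"; chmod 644 "$d/vpn-down.sh"
    printf '%s\n' "auth-user-pass $d/userpass.data" 'script-security 2' \
        "route-up $d/vpn-up.sh" "down $d/vpn-down.sh" > "$d/PIA.conf"
    echo "$d"
}
```

On the Pi itself, run it as root against /etc/openvpn/PIA.conf before restarting the service; a silent run with exit status 0 means the credentials file and the scripts have the permissions the article sets.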