Introduction: Raspberry Pi VPN Gateway - NordVPN

I wrote an Instructable about using a Raspberry Pi as a VPN gateway. It was based on TunnelBear, and I wrote several follow-ups on my blog as well. I have received several questions specific to NordVPN, so I put together this short Instructable just for NordVPN.

For additional information around using the Raspberry Pi as a VPN Gateway read my last Instructable on the subject.

For more interesting projects visit my blog https://www.hackviking.com

Step 1: Install the Raspberry Pi

For implementations like this I use the Raspbian Lite operating system, since I have no need for the GUI at all. You can get the latest release here.

I use Win32DiskImager to write the .img file to the SD card for the Raspberry Pi. Then add an empty file named ssh (no extension) to the partition labeled boot. That enables the SSH server when the Raspberry Pi boots.

Once the Raspberry Pi has booted I look in my router's DHCP list to get the IP address and then connect over SSH with PuTTY. The default username and password are pi/raspberry; now that SSH is enabled, changing that password is the first thing to do in the next step.

Once connected I run the raspi-config tool to change the basic settings.

sudo raspi-config

The most important things to take care of in this config are:

  • Expand file system
  • Change password

You can also change the hostname of your Raspberry Pi if you like. My DHCP server has very long leases and I can also reserve a specific address. If you don't have that ability you have to configure the Raspberry Pi to use a static IP address. Since other devices will use it as their default gateway it is important that it keeps the same IP address. Here is a post I wrote about setting a static IP in Raspbian Jessie.

Then we need to upgrade everything to the latest version:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

Step 2: Install OpenVPN

Lets set up OpenVPN on the Raspberry Pi.

sudo apt-get install openvpn

Make sure the service starts properly

sudo systemctl enable openvpn

Now we can configure the NordVPN-specific things. They published a tutorial themselves on setting it up on a Raspberry Pi, but it is aimed at users who start the tunnel manually from the command line. It is still easy to adapt to an automated setup like ours, because they supply ready-made configuration files with the certificates included.

First we need to download all the configuration files (install the unzip package first if it is missing on your Raspbian Lite image).

cd /etc/openvpn
sudo wget https://nordvpn.com/api/files/zip
sudo unzip zip
sudo rm zip

Now we have all the configuration files for the different exit servers that they offer. The filenames are constructed as {country+number}.nordvpn.com.{protocol}1194.ovpn. Check the server list on NordVPN to select the proper server. For this example I am using us1306.nordvpn.com.udp1194.

First we need to store our NordVPN credentials in a file.

sudo nano /etc/openvpn/nordvpn_auth.txt

Add your username and password on separate lines like this

username
password

Use CTRL + O to save the file and CTRL + X to exit nano. Now we need to lock this file down, since it contains our credentials in plain text. It was created through sudo, so it is owned by root and changing its permissions needs sudo as well:

sudo chmod 600 /etc/openvpn/nordvpn_auth.txt

OpenVPN only autostarts tunnel configs that end in .conf, so we need to rename our selected config file.

sudo mv /etc/openvpn/us1306.nordvpn.com.udp1194.ovpn /etc/openvpn/us1306.nordvpn.com.udp1194.conf

Then we need to edit it so that it reads the credentials from that file instead of prompting for them.

sudo nano /etc/openvpn/us1306.nordvpn.com.udp1194.conf

Locate the line auth-user-pass, which tells OpenVPN to prompt for your credentials, and replace it with this:

auth-user-pass /etc/openvpn/nordvpn_auth.txt

Once again we use CTRL + O to save and CTRL + X to exit nano. Then restart OpenVPN to test the connection.

sudo service openvpn restart

Now you can check that you have a new public IP by running this. It should print a NordVPN exit address, not the address your ISP gave you.

wget http://ipinfo.io/ip -qO -
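Putting the Step 2 file handling together, here is an added example script (my own code, not from the original Instructable or from NordVPN) that writes the credentials file with safe permissions from the moment it is created and converts a downloaded .ovpn profile into the .conf that OpenVPN autostarts, refusing profiles that lack the auth-user-pass directive instead of producing one that would hang at a password prompt during boot. It assumes the profiles sit in OVPN_DIR (default /etc/openvpn), that the credentials come from the NORDVPN_USER and NORDVPN_PASS environment variables, and the server name us1306.nordvpn.com.udp1194 is just the example from the text. Run it as root with RUN_MAIN=1.

```shell
#!/bin/sh
# Added example, not from the original Instructable or NordVPN: prepare a
# NordVPN OpenVPN profile for unattended start on the Raspberry Pi.
# Assumptions: profiles from Step 2 live in $OVPN_DIR, credentials come
# from $NORDVPN_USER / $NORDVPN_PASS, and the script runs as root (sudo).
set -eu

# Write the credentials file so it is never readable by other users,
# not even for an instant (umask 077 applies before the file exists).
write_auth_file() {  # write_auth_file <path> <user> <password>
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"   # explicit, in case the file already existed
}

# Turn <server>.ovpn into <server>.conf that reads credentials from a file.
# Fails instead of producing a profile that has no auth-user-pass directive,
# which would prompt on the console at boot and hang there.
prepare_conf() {  # prepare_conf <in.ovpn> <auth file> <out.conf>
    if ! grep -q '^auth-user-pass' "$1"; then
        echo "no auth-user-pass directive in $1" >&2
        return 1
    fi
    # Replace only that directive; certificates, ciphers etc. stay as shipped.
    sed "s|^auth-user-pass.*|auth-user-pass $2|" "$1" > "$3"
    chmod 600 "$3"   # the profile embeds the CA and the tls-auth key
}

# True if <file> contains <line> exactly (used to verify the rewrite).
conf_has_line() {  # conf_has_line <file> <exact line>
    grep -qxF -- "$2" "$1"
}

main() {
    dir="${OVPN_DIR:-/etc/openvpn}"
    auth="${AUTH_FILE:-/etc/openvpn/nordvpn_auth.txt}"
    server="${1:-us1306.nordvpn.com.udp1194}"   # example server from the text
    write_auth_file "$auth" "$NORDVPN_USER" "$NORDVPN_PASS"
    prepare_conf "$dir/$server.ovpn" "$auth" "$dir/$server.conf"
    conf_has_line "$dir/$server.conf" "auth-user-pass $auth"
    echo "prepared $dir/$server.conf; now: sudo service openvpn restart && wget -qO - http://ipinfo.io/ip"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${RUN_MAIN:-0}" = 1 ]; then main "$@"; fi
```

Typical use on the Pi is `sudo NORDVPN_USER=... NORDVPN_PASS=... RUN_MAIN=1 sh prepare-nordvpn.sh us1306.nordvpn.com.udp1194`; pick a different server by passing its name without the .ovpn suffix.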

Step 3: Setup Routing

Now we need to enable IP forwarding. It lets network traffic flow in on one network interface and out on another, essentially turning the Raspberry Pi into a router. Append the setting to /etc/sysctl.conf (note the >>; a single > would overwrite the whole file):

sudo /bin/su -c "echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' >> /etc/sysctl.conf"

If you run sudo sysctl -p, which applies the file immediately instead of waiting for a reboot, you should see this printed on the screen:

net.ipv4.ip_forward = 1

Now routing is enabled and traffic can go through the Raspberry Pi, over the tunnel and out on the internet.

Step 4: Setup Firewall and NAT

Since we will have several clients on the inside accessing the internet over one public IP address we need to use NAT. It stands for network address translation and keeps track of which client requested what, so replies coming back over the tunnel reach the right machine. We also need to set up some security around the Raspberry Pi itself and the tunnel.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Enabling NAT.

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Allowing any traffic from eth0 (internal) to go over tun0 (tunnel).

sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Allowing traffic from tun0 (tunnel) to go back over eth0 (internal). Since we specify the state RELATED,ESTABLISHED it will be limited to connection initiated from the internal network. Blocking external traffic trying to initiate a new connection.

sudo iptables -A INPUT -i lo -j ACCEPT

Allowing the Raspberry Pi's own loopback traffic.

sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT

Allowing computers on the local network to ping the Raspberry Pi.

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Allowing SSH from the internal network.

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allowing all traffic initiated by the Raspberry Pi itself to return, the same state principle as earlier. This is also what lets the OpenVPN process receive the replies to its own UDP session on eth0.

sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP
sudo iptables -L

If traffic doesn't match any of the rules specified it will be dropped. Set the two DROP policies last, after the ACCEPT rules above are in place; if you set them first your own SSH session is cut off. The last command lists the rules so you can review them. Note that the FORWARD policy doubles as a kill switch: if the tunnel goes down there is no rule allowing eth0 to eth0 forwarding, so client traffic is dropped rather than leaking out through your normal internet connection.

sudo apt-get install iptables-persistent
sudo netfilter-persistent save

The first line installs a package that restores the iptables rules at boot; during installation it asks whether to save the current rules, so answer yes and you are done this time. The second line is what you run after changing the rules later, to save the current state to /etc/iptables/rules.v4 (enabling the netfilter-persistent service only controls loading at boot; it does not save anything). Iptables rules take effect as soon as you add them, so if you mess up and lose access, just reboot and any rules not yet saved will be gone.
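Steps 3 and 4 as one script, added here as an example (my own code, not from the original Instructable). It runs the commands in the same order as above so an interrupted run cannot lock you out, and adds an audit function that checks a saved rule set for the properties the text describes: both DROP policies, NAT only on tun0, SSH only from eth0, and no forwarding path around the tunnel. Assumed names are eth0, tun0, port 22 and /etc/iptables/rules.v4; the ip6tables line and the sample iptables-save dump are mine, not from the page. Run it as root with RUN_MAIN=1, or with DRY_RUN=1 to only print the commands it would execute.

```shell
#!/bin/sh
# Added example, not from the original Instructable: Steps 3 and 4 as one
# re-runnable script plus an audit of the persisted rule set.
# Assumptions: LAN interface eth0, tunnel tun0, SSH on port 22, rules saved
# by iptables-persistent to /etc/iptables/rules.v4; run as root (sudo).
# DRY_RUN=1 prints the iptables/sysctl commands instead of executing them.
set -eu

LAN="${LAN:-eth0}"
TUN="${TUN:-tun0}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Append net.ipv4.ip_forward = 1 to <file> exactly once, never clobbering it
# (a '>' instead of '>>' in the one-liner would empty sysctl.conf).
ensure_forward_line() {  # ensure_forward_line <sysctl.conf>
    if ! grep -qE '^net\.ipv4\.ip_forward *= *1' "$1" 2>/dev/null; then
        printf '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1\n' >> "$1"
    fi
}

enable_ip_forward() {
    ensure_forward_line "$SYSCTL_CONF"
    run sysctl -q -w net.ipv4.ip_forward=1   # take effect now, not only after reboot
}

apply_gateway_rules() {
    run iptables -t nat -A POSTROUTING -o "$TUN" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN" -o "$TUN" -j ACCEPT
    run iptables -A FORWARD -i "$TUN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$LAN" -p icmp -j ACCEPT
    run iptables -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Policies last: an interrupted run leaves the ACCEPT rules in place and
    # the SSH session used to apply them alive.
    run iptables -P FORWARD DROP
    run iptables -P INPUT DROP
    # Beyond the original: on a LAN with IPv6, clients would route v6 traffic
    # around the IPv4-only tunnel, so refuse to forward it (assumes ip6tables
    # is present, as on Raspbian).
    run ip6tables -P FORWARD DROP
    # Persist with iptables-persistent's saver; 'systemctl enable' does not save.
    run netfilter-persistent save
}

# _check <dump> <description> <ERE>: count a missing rule as one failure.
_check() {
    if ! grep -qE -- "$3" "$1"; then echo "MISSING: $2"; fails=$((fails + 1)); fi
}

# Audit an iptables-save dump. Returns the number of failed checks (0 = ok).
audit_rules() {  # audit_rules <rules.v4>
    fails=0
    _check "$1" "INPUT policy DROP"          '^:INPUT DROP'
    _check "$1" "FORWARD policy DROP"        '^:FORWARD DROP'
    _check "$1" "NAT only out of the tunnel" "^-A POSTROUTING -o $TUN -j MASQUERADE"
    _check "$1" "SSH only from the LAN side" "^-A INPUT -i $LAN -p tcp( -m tcp)? --dport 22 -j ACCEPT"
    # Kill-switch property: every FORWARD accept either exits via the tunnel
    # or is a stateful reply; anything else is a path around the VPN.
    leak=$(grep -E -- '^-A FORWARD .*-j ACCEPT' "$1" | grep -v -- "-o $TUN" \
           | grep -vE -- '--(ct)?state' || true)
    if [ -n "$leak" ]; then echo "LEAK (forwarded outside the tunnel): $leak"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample of what iptables-save prints after the rules above
# (only the chains that matter for the audit are included).
sample_dump() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

main() {
    enable_ip_forward
    apply_gateway_rules
    audit_rules "$RULES_FILE"
}

if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

To re-check the persisted rules after editing them by hand, source the script and run `audit_rules /etc/iptables/rules.v4`; a non-zero exit status means one of the printed MISSING or LEAK lines applies. Newer iptables versions save the state match as `-m conntrack --ctstate`, which the leak check accepts as well.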

Step 5: Conclusion

Now you can use this tunnel from any device or computer on the same network. Just change the device's default gateway to whatever IP address your Raspberry Pi has. In my case both my Kodi media centers (one in the bedroom and one in the living room) use this connection so I can stream my Swedish play channels. Of course there are other things you can use this for as well. Keep in mind that only routed traffic goes through the Pi; a client's DNS lookups still go to whatever resolver it is configured with, so if that matters to you, point the client's DNS at a resolver that is also reached through the tunnel.

Just keep in mind that depending on the VPN supplier you chose and the speed of your internet connection, performance may be slow. If you have any questions or want me to clarify anything, let me know in the comments! For more tech posts please visit my blog Hackviking!