Raspberry Pi VPN Gateway

Intro: Raspberry Pi VPN Gateway

Update 2018-01-07:

  • Updated things missing and changes made needed for the current version of Raspian.
  • Also created a specific guide for NordVPN.

There are a few different uses for VPN. Either you want to protect your privacy and private data from prying eyes or you need to source from another country. Sourcing from another country can be very useful to get access to services not provided in your country. There are a number of VPN services out there today and most of them offer easy to use software for your computer and apps for your tablet or phone. But if you have other devices not supported by the software that you want to go over the VPN? Then build a gateway that gives you internet access over the VPN.

If you look at your basic network setup you have a "default gateway" which is used for any ip-address not located in your current subnet (very simplified). So if you setup a gateway that can route internet traffic over an established VPN connection any network enabled device can take advantage of the VPN tunnel.

My major use case in my San Francisco apartment is a VPN tunnel to my native Sweden so I can stream Swedish play channels on my media players and smart TV. This is a pretty common use case for most people in need of a VPN tunnel. Since my media players and smart TV's aren't supported by the VPN software I built one out of a Raspberry Pi.

You can pick one up for under $40 on Amazon. I do however recommend that you buy a case and decent power adapter as well. For this instructable you need:

  • Raspberry Pi 2 or 3
  • A case of your liking
  • A decent power adapter
  • A network cable

Step 1: Choosing Your VPN Service

The important thing when selecting a VPN service is that it meets your requirements. For this use case I needed a VPN service with a Swedish exit point, that is the most important thing since I need the Swedish services to be convinced that I'm in Sweden. Over the years I have used several different supliers and below are the things I take into concideration when selecting the VPN supplier for the specific use case:

Free test

I want a free test period or a small amount of test data to get a feel for the software or app. Also I want to test the performance and overall experience before I pay for it. It's also nice to check that my idea will work before I start paying.

Privacy

If the implementation is for privacy concerns then it's really important what the privacy policy states. It's also important what country the company operates from and what laws are protecting your privacy. The really privacy concerned users should look at a service that states that no traffic logs are stored and allow anonymous payments via Bitcoin for example.

Allowed traffic

There might be limitations on what type of traffic you will be allowed to run. The more serious supliers usually block peer-to-peer traffic. This is not only to avoid legal issues but to be able to maintain performance for all users. There are how ever a lot of good suppliers out there that allows peer-to-peer and still deliver a high quality service. But if that isn't your main recuirment I recommend to select a service that doesn't allow peer-to-peer.

Data cap

Never use a service who keeps a data cap over their paying users. This will just run out at the worst possible time exactly like the data on your phone just before the funny part in a video clip!

Exit countrys

Depending on the use case this has different importance. For a use case like mine, where I need to end up in a specific country, of course that needs to be on the list. I also need to be allowed to select which country I exit in. There are services where you are unable to select exit country, stay away from those. You can end up in a country with bad performance or privacy laws. Even if you don't need a specific country you should still select a service with a few different countrys to show from to be able to find one with good performance.

Type of software and support

This is one of the main reasons why I prefer services with a free test. There are so many providers with bad software that are buggy, insecure or just don't work. For a Raspberry Pi implementation I need a provider that supports OpenVPN.

My selection

For this build I went with Tunnel Bear. A free test up to 500GB is offered so I could test that I could actually stream before I payed anything. They are based in Canada which, next to Sweden, have some of the strongest privacy laws in the world. No data cap on payed service and I'm also allowed to have several devices connected at once. So protection for my phone, tablet and computer while traveling on unsecure wifi is sorted as well. Exit node in Sweden is supported, it's actually provided via Bahnhof which is known for strong privacy in Sweden. For the payed plans they offer OpenVPN support. They do not for the free test but it was enough to run that from my laptop to make sure that the streaming services worked.

Step 2: Install the Raspberry Pi

For implementations like this I use the Raspbian Lite operating system. Since I have no need for the GUI at all. You can get the latest release here.

I use Win32DiskImager to load the .img file on the SD-card for the Raspberry Pi.

Once the Raspberry Pi have booted I look in my routers DHCP list to get the IP-address and then connect over SSH with Putty. Standard username and password are pi/raspberry

Once connected I run the raspi-config tool to change the basic settings.

sudo raspi-config

The most importent things to take care of in this config is:

  • Expand file system
  • Change password

You can also change the hostname of your Raspberry Pi if you like. My DHCP have very long leases and I can also reserve a specific address. If you don't have that ability you have to configure the Raspberry Pi to use a static IP-address. Since other devices will use this as there default gateway it is important that it keeps using the same IP-address. Here is a post I wrote about setting a static IP in Raspbian Jessie.

Then we need to upgrade everything to the latest version:

sudo apt-get update
sudo apt-get upgrade sudo apt-get dist-upgrade

Step 3: Install OpenVPN

Now we need to install OpenVPN on the Raspberry Pi.

sudo apt-get install openvpn

Then we need to make sure the service starts properly.

sudo systemctl enable openvpn

When the installation is finished we need to copy the OpenVPN config files and certificates to the box. This will be provided to you by your VPN provider. In my case, using TunnelBear, I found there blog post about Linux Support. On that page there is a link to zip file containing everything we need.

The file contains the certificate files and a .opvn configuration file for each country you can tunnel to. You need all the certificate files and the .opvn configuration file for the country of your choice, in my case Sweden. Unzip the files needed and the use winscp to upload the files to your Raspberry Pi. The same username/password as used for SSH will bring you to /home/pi, just drop the files there.

Then we go back to the SSH terminal and move the files over to the OpenVPN folder. First command is just to make sure we are in the /home/pi folder.

cd /home/pi
sudo mv * /etc/openvpn/

Now we need to do some modifications to the files. First we need to rename the configuration file from .ovpn to .conf. Any file ending in .conf in the /etc/openvpn folder will automatically start when the OpenVPN daemon is started. First we need to get into that directory.

cd /etc/openvpn

Then we change the name of the config file. You can name it anything you want as long as it ends in .conf. I prefer to use file names without blank spaces, in this case I'm going with swe.conf.

sudo mv *.ovpn swe.conf

Then we need an authentication file containing the username and password used for the VPN tunnel. Open up a text editor and write the username and password on separate lines. We will call this file auth.txt.

sudo nano auth.txt

The content should be like this example:

username
password

Then use CTRL + O to write to the file and the CTRL + X to exit the nano text editor. We also need to protect the auth.txt file containing our credentials.

sudo chmod 600 /etc/openvpn/auth.txt

Then we need to edit the config file to make sure all paths are correct and add a reference to the newly created auth.txt file.

sudo nano swe.conf

The lines that needs to be changed are the ones referring to other files, they need to be absolute paths. In this example this is what we are looking for:

ca CACertificate.crt
cert UserCertificate.crt
key PrivateKey.key

We change them to absolut paths like this:

ca /etc/openvpn/CACertificate.crt
cert /etc/openvpn/UserCertificate.crt
key /etc/openvpn/PrivateKey.key

Then at the end of the file we add a reference to the auth.txt file, like this:

auth-user-pass /etc/openvpn/auth.txt

Once again we use CTRL + O to save the file and then CTRL + X to exit nano. Now we can restart the OpenVPN daemon and see that the tunnel is working.

sudo service openvpn restart 

If you run the command ifconfig you should see a tun0 adapter in addition to your eth0 and lo adapters if the tunnel is up. You can also run the command this command to check your public IP:

wget http://ipinfo.io/ip -qO -

If you are having issues getting the tunnel up first try rebooting your Raspberry Pi and then double check the configuration for errors.

Step 4: Setup Routing

Now we need to enable IP forwarding. It enables the network traffic to flow in from one of the network interfaces and out the other. Essentially creating a router.

sudo /bin/su -c "echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' > /etc/sysctl.conf"

If you run sudo sysctl -p you should see this printed on the screen:

net.ipv4.ip_forward = 1

Now routing is enabled and traffic can go through the Raspberry Pi, over the tunnel and out on the internet.

Step 5: Setup Firewall and NAT

Since we will have several clients on the inside accessing the internet over one public IP address we need to use NAT. It stands for network address translation and will keep track on which client requested what traffic when the information returns over the tunnel. We also need to setup some security around the Raspberry Pi it self and the tunnel.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Enabling NAT.

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Allowing any traffic from eth0 (internal) to go over tun0 (tunnel).

sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Allowing traffic from tun0 (tunnel) to go back over eth0 (internal). Since we specify the state RELATED,ESTABLISHED it will be limited to connection initiated from the internal network. Blocking external traffic trying to initiate a new connection.

sudo iptables -A INPUT -i lo -j ACCEPT

Allowing the Raspberry Pi's own loopback traffic.

sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT

Allowing computers on the local network to ping the Raspberry Pi.

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Allowing SSH from the internal network.

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allowing all traffic initiated by the Raspberry Pi to return. This is the same state principal as earlier.

sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP
sudo iptables -L

If traffic doesn't match any of the the rules specified it will be dropped.

sudo apt-get install iptables-persistent
sudo systemctl enable netfilter-persistent

First line installs a peace of code that makes the iptable rules we just created persistent between reboots. The second one saves the rules after you changed them. This time it's enough to run the first one. If you change the rules run the second one to save. Iptable rules are in effect as soon as you add them if you mess up and lose access just reboot and the ones not already saved will revert.

Step 6: Conclusion

Now you can use this tunnel from any device or computer on the same network. Just change the default gateway to whatever IP-address your Raspberry Pi has. In my case both my Kodi media centers (one bedroom and one livingroom) uses this connection so I can stream my Swedish play channels. Of course there are other things you can use this for as well.

Just keep in mind that depending on the VPN supplier you chose and the speed of your internet connection there might be slow performance.

If you have any questions or want me to clarify anything let me know in the comments! For more tech post please visit my blogg Hackviking!

Share

    Recommendations

    • Electronics Tips & Tricks Challenge

      Electronics Tips & Tricks Challenge
    • Audio Contest 2018

      Audio Contest 2018
    • Plastics Contest

      Plastics Contest

    45 Discussions

    0
    None
    zzzuam

    1 year ago

    What a great tutorial. Exactly what I needed/wanted. Works great with my Apple TV. Small thing missing in the tutorial; SSH is off by default so you have to know how to enable it on a headless install.

    1 reply
    0
    None
    iancarbarnszzzuam

    Reply 2 months ago

    This probably didn't work when you wrote it, but current Raspbian releases allow you to do a completely headless setup (ie never having a keyboard, mouse or monitor connected). It's great for Pi Zero W with it's few physical connections!

    All you need do is:

    1. on your computer, open up the visible(non-linux) partition on SD card

    2. add an empty file called SSH (no extension, no content, just the filename)

    3. add a file called wpa_supplicant.conf
    with the following content added with Notepad++ (not a word processor - the file is very sensitive to format and CR vs CRLF). My example here will automatically connect the Pi to the first one of two networks (ie my 5GHz preferred to my 2.4GHz) - you can omit one of the blocks [and the priority=x lines] if you only have 1 network.

    In the below, the formatting has unfortunately been destroyed by this forum. Each of the lines starting ssid, psk, key, id and priority need to be indented by 4 spaces. Change the Network name and passphrase to match your network (Duh!!)

    ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
    update_config=1
    country=GB

    network={
    ssid="Network1name"
    psk="Network1passphrase"
    key_mgmt=WPA-PSK
    id_str="5Ghz"
    priority=9
    }

    network={
    ssid="Network2name"
    psk="Network2passphrase"
    key_mgmt=WPA-PSK
    id_str="2.4GHz"
    priority=8
    }

    Then when you reboot the Pi, it will connect to your network with SSH enabled so you can immediately log in over SSH. (you'll need to find its IP address eg from your router)

    Note that these 2 files are deleted when the Pi processes them, so you should keep copies for re-use (they can be in the same place on the SD card with different filenames)

    0
    None
    AdamC289

    1 year ago

    Hey, thanks for a great tutorial - got the pi up and running as instructed.

    However, my devices connect to the LAN via my router and if i redirect the gateway to the pi i don't receive an IP.

    So how would you configure a wireless laptop to go via the pi/vpn/router?

    Thanks again.

    2 replies
    0
    None
    HackvikingAdamC289

    Reply 1 year ago

    Just give it a fixed IP address in the same subnet and it should work just fine. A more "sexy" approach would be to add a DHCP server to the Pi but that would require some more work.

    0
    None
    iancarbarnsHackviking

    Reply 2 months ago

    That's not right (and you're the author!).

    For the device you want to give VPN'd access to (whether wireless or wired), you need to go into it's connection settings. Usually this will be set to automatic (so it gets it's settings from the router). Change this to 'Manual' (or change existing manual settings) so that the IP address for "Gateway" (called "Router" on some devices eg iPhone) is the IP address of Raspberry Pi, instead of that of your router.

    On a home network, this would often be a change from 192.168.1.1 to 192.168.1.xxx where xxx is the Pi's IP address.

    You may be forced to change the DNS server address as well. Try entering the Pi's IP address there as well; if that doesn't work, use 1.1.1.1 and 1.0.0.1 (the Cloudflare DNS servers; or you can use Google's 8.8.8.8 and 8.8.4.4 or any others you know and like ...)

    0
    None
    RobinPi

    1 year ago

    Thanks for the tutorial.

    I'd love to to take it one step further and enable the Pi to also act as a wireless access point.

    e.g This tutorial covers Part 1:

    Router >> Pi connected by Ethernet. Pi generates a VPN tunnel for wired devices.

    Part 2 would be:

    Turn Raspberry Pi's as a wireless access point with it's own SSID so that mobile, tablet, Chromecast, etc can also connect to the VPN over WiFi.

    But not sure how to do this last bit.

    3 replies
    0
    None
    HackvikingRobinPi

    Reply 1 year ago

    It's pretty straight forward if you search for tutorials setting up the pi as an access point (AP) and then more or less follow the steps again but against wlan0 instead of eth0.

    0
    None
    iancarbarnsRobinPi

    Reply 2 months ago

    Did you ever get this working?

    I've had a Pi running as per this tutorial and another running as a VPN Access Point. Then occurred to me that one Pi should be able to do both, and am nearly successful. The tip was that need to open a second VPN channel (eg, have 2x *.conf files). Then one loads as tun0 (used in iptables for eth0) and the second loads as tun1 (used in iptables for wlan0 set up as an access point as per other tutorials).

    Aside: For use as an access point, a finding not covered in other tutorials was a need to add @reboot (sleep 20;sudo service dnsmasq restart) & in crontab else the access point did not assign IP addresses.

    Presently, I have VPN sevice on LAN over the Pi's eth0, and can see WiFi with my new ssid, and can connect to it, but it's not providing internet access. I'm still trying fiddling with the many possible settings; hope to be successful soon and will share instructions if so.

    0
    None
    bigbadbobbyd

    Question 8 months ago on Step 1

    how can i forward ipv6 with ipv4? is that possible?

    0
    None
    bigbadbobbyd

    Question 9 months ago on Step 5

    is it save to add sudo iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
    or
    sudo iptables -A INPUT -i eth0 -p tcp --dport 3000 -j ACCEPT

    so I can run local html on the device, or will this open these ports accessable from tun0 as well? Sorry I am really new to setting up the iptables and dont want to make a mistake.

    0
    None
    MaciejK35

    9 months ago

    it works ok for me but only if I use OpenVPN. When I'm using openconnect to connect Junipier VPN it doesnt work correctly (it works ok on windows sharing, so its not a problem with VPN server) . I can ping hosts in VPN network but nothing more. I cant visit any website. DNS resolves names correctly but page doesn't load. MY iptables file below. I use wlan0 instead of eth0

    *filter

    :INPUT DROP [20:2342]

    :FORWARD DROP [10:480]

    :OUTPUT ACCEPT [128:18325]

    -A INPUT -i lo -j ACCEPT

    -A INPUT -i wlan0 -p icmp -j ACCEPT

    -A INPUT -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT

    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    -A FORWARD -i wlan0 -o tun0 -j ACCEPT

    -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

    COMMIT

    # Completed on Tue Jan 9 14:54:37 2018

    # Generated by iptables-save v1.6.0 on Tue Jan 9 14:54:37 2018

    *nat

    :PREROUTING ACCEPT [275:30101]

    :INPUT ACCEPT [72:13471]

    :OUTPUT ACCEPT [349:21959]

    :POSTROUTING ACCEPT [136:8796]

    -A POSTROUTING -o tun0 -j MASQUERADE

    COMMIT

    # Completed on Tue Jan 9 14:54:37 2018

    0
    None
    BobD132

    9 months ago

    Hey, it might be a good idea to protect the auth.txt with

    sudo chmod 600 /etc/openvpn/auth.txt

    0
    None
    BobD132

    9 months ago

    Okay, now it is working finally, but the DNS resolver seems to fail when tested. I can use dnsleaktest.com to verify the vpn tunnel is working, but when I test using trace route it fails to resolve even the tunnel location. Is there a way to fix that?

    3 replies
    0
    None
    HackvikingBobD132

    Reply 9 months ago

    That means you have issues with your reverse DNS. IP -> domain names. Chekc what dns server you got from your VPN connection, if none use 8.8.8.8 and 8.8.4.4 over the VPN and you should be good to go.

    0
    None
    BobD132Hackviking

    Reply 9 months ago

    yes that worked, I had to add the DNS servers manually on my connection settings. thanks a million,

    0
    None
    BobD132BobD132

    Reply 9 months ago

    only thing is, the resolved dns is now that of google. I don't understand how to get the resoled dns to match the vpn tunnel. Oh well, more testing

    0
    None
    BobD132

    9 months ago

    I cannot seem to get this to work, my username and passwords aren't being supplied correctly to nordvpn, not tunnelbear

    1 reply
    0
    None
    HackvikingBobD132

    Reply 9 months ago

    I haven't tested nordVPN myself so I can't really say. Usually it's an issue with the config file not containing the username and password, since this will not prompt you for your password.

    0
    None
    gezza77

    12 months ago

    I have ipv6 on the main modem and all traffic on ipv6 bypasses this. ist there a way to route ipv6 with this method? Thanks