Secure All the Wifi With a VPN - Access Point!

As more and more of our lives are sent to the great cloud in the sky that is the internet, it's getting harder to stay secure and private in your personal internet adventures. Whether you're accessing sensitive information you wish to keep private, trying to circumvent limits placed on where or what you can browse to on your network, or whether you just want a more secure browsing experience, the most common advice I hear to staying secure on the internet is to use a Virtual Private Network (or VPN for short).

VPN's offer two great services in one package, in that they encrypt all of the packets of information that are sent through them, and they make remote services that are on the same network as the VPN local for the machine you use to connect. If my VPN server is in Germany and I connect to my VPN from a laptop in Australia, my laptop will now have an IP address from Germany!

A major sticking point with the more popular VPN services though, are that many types of devices are in situations to where they either cannot be configured to use a VPN client, or don't have a VPN client available for use. So we want our devices to be connected to our VPN, but for these other machines that can't connect with a simple VPN client, we want them to be connected to our VPN without even knowing they are connected! Enter a VPN Access Point!

Materials for this project are low, but all items are required.

Other than your home router (which I'm assuming you should have), you'll need

- 1 Raspberry Pi (preferably the Raspberry Pi 3 or better, but as long as it can support an ethernet connection it should be fine!)

- 1 Ethernet cord

- 1 wifi dongle (unless you are using a Raspberry Pi 3, in which case you can use the built in wifi

- 1 5V 2amp power supply for the Raspberry Pi

Before setting up the VPN connection for our Raspberry Pi Access Point, we have to set the Pi up as an access point. To do this, we'll be using the hostapd and dnsmasq packages for the Raspberry Pi. Hostapd is a user space daemon for setting wireless access points and authentication servers, while dnsmasq provides network infrastructure (DNS, DHCP, network boot, etc.) for small networks and small network routers.

So before getting started, make sure you have a clean image of Raspbian OS running on the Pi, with the latest updates applied. You also want to make sure your Raspberry Pi is connected to your router via hardline Ethernet connection, NOT wifi! Eventually we'll be accepting connection requests from other devices through our wifi module, so you don't want to be connected to your router through the same module. If you're using a Raspberry Pi Zero or an older addition (that doesn't have built in wifi), you can still use that Raspberry Pi, you just need a USB wifi dongle.

After connecting to your Raspberry Pi (via SSH or with a monitor up) check that it's up to date

sudo apt-get update
sudo apt-get upgrade

Next, you'll want to download and install hostapd and dnsmasq

sudo apt-get install hostapd dnsmasq

Once the packages are installed, both programs will start up automatically, but we want to make changes to their configs before running them. So we'll reach out to system control to stop the services tied to these programs

sudo systemctl stop hostapd 
sudo systemctl stop dnsmasq

With the services now stopped, we'll want to assign ourselves a static IP address, using the dhcpcd config file found at /etc/dhcpcd.conf

Before we do that though, we want to make sure we're referencing the correct interface when assigning the static IP address. If using a Raspberry Pi 3b or Raspberry Pi Zero W, it should be listed as wlan0. If you are using a wifi dongle, I normally find it's a little easier to connect the wifi dongle to the router, grab a new IP address and then check your connection to find your interface. You can check your interface by running the following command

ifconfig

If you check the top image attached to this step, you can see (minus the redacted IP addresses) the interfaces assigned to my Raspberry Pi. In my case, I'm using wlan0, but it depends on your setup. As I mentioned earlier, if you use a wifi dongle, connect to your network, run the ifconfig command, and whatever interface comes up that has a valid IP address and isn't "eth0" or "lo" will be the interface you want to use.

Now that I know which interface is for my wifi adapter, I can assign a static IP address to it in the dhcpcd config file! Bring up the config in your favorite editor (I'm using nano).

sudo nano /etc/dhcpcd.conf

At the bottom of the config, we want to add the following lines, but replace "wlan0" with whatever your interface is:

interface wlan0<br>    static ip_address=192.168.220.1/24
    nohook wpa_supplicant

What this command is doing is establishing a static ip of 192.168.220.1 and then telling the wlan0 interface to not link up to the wpa_supplicant driver that typically is used for this interface to connect to other networks. We do this so that (eventually) we can broadcast our own signal through the wlan0 interface, rather then connecting to a network through this interface.

If you're using nano to make these changes, save the changes by hitting ctrl+x and then Y and then enter to save the file and exit out of nano. (keep in mind we'll be entering and exiting out of nano quite a bit in this tutorial).

Finally, for these changes to take effect, you'll have to either restart your Pi, or just restart the dhcpcd service to reload the configuration and apply these changes

sudo systemctl restart dhcpcd

Wait for a moment, and then run the ifconfig command again to check and see if your changes took effect. I admit, sometimes I've tried this and my router still has a valid lease on the IP address I was using, so it'll keep the old address. If this is the case, double check everything in your config, and restart the dhcpcd service again.

Our wifi adapter (should) now have a static IP address!

Next up, the hostapd and dnsmasq configuration!

With the dhcpcd.conf changes out of the way, time to get started with hostapd! Start off by creating a new hostapd.conf file in your favorite text editor (once again in nano for me!)

sudo nano /etc/hostapd/hostapd.conf

When you bring up the config file, copy the following text and paste it into the config.

<p>interface=wlan0<br>driver=nl80211</p><p>
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=0
macaddr_acl=0
ignore_broadcast_ssid=0</p><p>
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP</p><p>
# Wifi network name and password YOU SHOULD CHANGE THIS
ssid=Pi-WifiFoLife
# The network passphrase
wpa_passphrase=Y0uSh0uldCh@ng3M3</p>

Once you have that pasted in find the final section at the bottom that has "ssid=" and "wpa_passphrase=". This is what the wifi network we are setting up will be called and what the password is to connect to the wifi network we are setting up. SO BE SURE TO CHANGE THIS TO SOMETHING ELSE! You have been warned.

Also, if you are using a wifi dongle instead of built-in wifi, you'll have to change the interface section at the top of the config to match the interface for your wifi dongle. You might also have to change the driver, depending on the model of the wifi dongle you are using. For a (mostly comprehensive) list of compatible wifi dongles, their corresponding drivers, and support pages, I found this page very useful! Also check the support page for the product you are using if you get stuck. Remember, if you were able to connect to your network earlier in the tutorial with your wifi dongle, it means there should be a working driver for the dongle on your pi somewhere!!!

Now that we have our new config file, we have to make sure that we tell the hostapd processes to reference the new config file! start with the following:

<p>sudo nano /etc/default/hostapd</p>

Find the line in the file we just opened that reads #DAEMON_CONF="" and change this to read DAEMON_CONF="/etc/hostapd/hostapd.conf" (be sure you're taking the # sign off at the beginning to uncomment the field!)

There's one more configuration file for hostapd that we need to update. Run the following command:

sudo nano /etc/init.d/hostapd

This change is almost identical to the previous one. Find the the section DAEMON_CONF= and replace it with DAEMON_CONF=/etc/hostapd/hostapd.conf

Then save and exit out of that file!

Hostapd is now configured!

With hostapd now configured (though not running yet), we can now move on to dnsmasq!

Before jumping in with editing config files, we can go ahead and rename one of the original config files, since we aren't going to be using anything that's in this particular config file.

Doing a quick mv command with a new filename ought to do the trick

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.old

Then create a new config file!

sudo nano /etc/dnsmasq.conf

Without getting too into this one, I'd just copy the following and paste it into the new file

interface=wlan0       # Use interface wlan0 (or whatever interface is your wireless)  
server=1.1.1.1       # Cloudfare
dhcp-range=192.168.220.50,192.168.220.150,12h # IP range and lease time

The top line of this config is for the interface we are using to broadcast our signal, the middle line is for our Doman Name Service Provider, and then the bottom line is the range of IP addresses the Pi will be assigning to users that connect to the Pi Wifi. Go ahead and save this file and then exit out of nano (or vim, or whatever you are using for file changes).

Next up, we have to set the systctl.conf config file to forward all traffic that comes onto the wireless interface to route through the ethernet connection

sudo nano /etc/sysctl.conf

Inside this config file, all you have to do is uncomment the line that is #net.ipv4.ip_forward=1 and save/exit out of this config file.

Now that we have forwarding set up, we want to set up a NAT (Network Address Translation) between the wireless interface (wlan0) and the ethernet interface (eth0). This helps to forward all traffic from the wifi over to the ethernet (and eventually VPN!) connection.

Add a new rule to the iptable for the NAT forwarding

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The rule is now set up, but the iptable is flushed everytime the Raspberry Pi is rebooted, so we have to save this rule so that it can be (re)loaded everytime our Pi is restarted.

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

The rule is now saved, but we have to update the Pi's local rc.local config file to make sure it's loaded everytime!

Open up the rc.local file in your favorite editor

sudo nano /etc/rc.local

and find the section that says exit 0

Right above that line (don't delete it!) add the following command that will reload the NAT rule we set up. It should now look like this

iptables-restore < /etc/iptables.ipv4.nat
exit0

Save and exit out of this file, and now all of our configurations should be done for the access point!

All we have to do is start up the hostapd and dnsmasq services, and reboot our Raspberry Pi!

sudo service hostapd start
sudo service dnsmasq start

Test to make sure you can see your new AP. If everything is set up right, you should now have a wifi access point on your Raspberry Pi! Now restart the pi

sudo reboot

Next up, setting up an OpenVPN connection!

Now that our Pi is broadcasting out wifi, time to get openvpn set up! We'll start off by installing openvpn through apt-get install

sudo apt-get install openvpn -y

After openvpn finishes installing, we have to navigate to where we'll be storing our authentication credentials and openvpn config file.

cd /etc/openvpn

First thing we'll do here (within /etc/openvpn) is set up a text file that we'll store our username and password for the VPN service that we're using.

sudo nano auth.txt

All we need is to store the username and password in this file, nothing else.

username
password

I should add that at this point, you should have an idea of who you want to use as a VPN service for your connections. There's wide debate as far as what service is the best or safest, so shop around and check reviews on them too! For the purposes of this tutorial, I'm using Private Internet Access (PIA). They're fairly cheap, and are recognized around for being very reliable! You can also setup your VPN to end in pretty much any major region of the world! Canada? Russia? Japan? Not a problem!

If you use Private Internet Access, they also have a handy part of their site, where you can put together the type of openvpn config file that you can use in this setup! There are other types of openvpn configs you can use with other providers, but I decided to pick this one.

Whichever service provider you end up picking, you need an openvpn connection file (should end in .ovpn for the filetype) from said service provider in order to connect. For simplicity, I renamed mine "connectionprofile.ovpn" before loading it onto my Raspberry Pi. Once you either download the .ovpn file on the Pi, or transfer it onto the Pi, make sure the file is in /etc/openvpn on your Pi.

After moving the open vpn file to the correct folder, we then have to change the filetype since openvpn expects a config file that ends in .conf instead of .ovpn. When I did this, I still wanted to keep the original file intact, just in case anything funky happened, so I just used a cp command (since you're in /etc/openvpn, you'll need to use sudo permissions to run this command)

sudo cp /etc/openvpn/connectionprofile.ovpn /etc/openvpn/connectionprofile.conf

With the openvpn profile config created, we need to make a quick change to supply our credentials, so time to break out nano again!

sudo nano /etc/openvpn/connectionprofile.conf

You'll want to find the line auth-user-pass and replace that with auth-user-pass auth.txt

This tells openvpn to grab the credentials file we used earlier to use when authenticating the profile we supplied.

Save and exit out of the profile config file!

That should be everything for the VPN setup, but we'll want to test that all of our configuration was setup correctly before setting the VPN service up to start automatically. Run the following command to test the VPN connection

sudo openvpn --config "/etc/openvpn/connectionprofile.conf"

You should see a bunch of text scrolling as the Pi makes connection attempts to the VPN Service Provider (hopefully no error messages!) but you want to leave it until you see Initialization Sequence Completed in the window. If you end up seeing that, it means your Pi is connected to your VPN Service Provider! You can go ahead and kill the process by hitting ctrl + c in the terminal window.

Now that the VPN works, we have to clear out the current iptables. We can complete that with the following three commands

<p>sudo iptables -F<br>sudo iptables -t nat -F
sudo iptables -X</p>

Since we flushed out the iptables though, we have to reset the nat rule we had created earlier in this tutorial by running the following command (this command should look familiar!)

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Now we can save this configuration over the previous configuration that we put together back in the previous step. (this command should also look familiar!)

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Now that we have the NAT rules set back up, we have to change the default config for openvpn to use the profile we setup. We do this by editing the config file in /etc/default/openvpn

sudo nano /etc/default/openvpn

Find the line that says #autostart="all", uncomment out this line, and change it to the name of your openvpn config file (minus the .conf of course!) So in my case, I change the line to autostart="connectionprofile"

and then save and exit out of this config file!

That should be everything for the VPN setu! Just restart the Pi, and verify that everything is working by connecting to the hotspot and checking your IPaddress through a site such as whatismyip.com.

With this configuration, there is a possibility that your router's IP address could be leaked through a DNS leak. We can fix this by changing the DNS we reference in the dhcpcd.conf file to point at an external DNS service, such as Cloudflare!

Open up the dhcpcd.conf file in your favorite editor:

sudo nano /etc/dhcpcd.conf

Find the line in the config #static domain_name_servers=192.168.0.1, uncomment the line, and change it to the following: static domain_name_servers=1.1.1.1 and save/exit out of the config file. Restart the Pi once more, and now you can double check that your router's IP address isn't being leaked through ipleak.net.

Another thing to be aware of is your router's IP address possibly being leaked through WebRTC. WebRTC is a platform that is used by all modern browsers to better standardize communications including instant messaging, video conference, and streaming audio and video. A by-product of this platform is that if left unchecked, it can leak your router's IP address if you are connected to a VPN. The easiest way you can prevent this by using browser extensions or plugins, such as webrtc-leak-prevent.

With everything setup on your pi now, if you want to ensure all of your internet traffic is encrypted, you can connect to this hotspot, and all of your traffic willbe encrypted through the VPN!

Hope you enjoyed my Instructable, now go secure all the wifi!!