Raspberry Pi as a VPN Wi-Fi hotspot
21 May 2016
This post is a notebook of the setup I use on one of my Raspberry Pis to run a Wi-Fi hotspot that routes all of its traffic through a VPN.
Basic Setup
This setup uses a Raspberry Pi 3 Model B, mostly because it has onboard Wi-Fi. I also conducted tests on a Raspberry Pi 2 Model B with a Buffalo Wi-Fi dongle that supports the
The OS is an up-to-date Raspbian Jessie, which means that the init system is systemd.
The following packages need to be installed:
- openvpn: to connect to the VPN server
- hostapd: to create the Wi-Fi hotspot
- udhcpd: to hand out IP addresses to the devices connected to the hotspot
sudo apt-get install openvpn hostapd udhcpd
iptables-persistent can also be installed to provide an easier way to persist iptables rules.
To set up the Raspberry Pi as a Wi-Fi hotspot, we need to configure the Ethernet and the wireless interfaces. Only the latter needs a static IP (since it will be the DHCP server for that network), but for convenience I set both as static.
auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.11.42
    netmask 255.255.255.0
    gateway 192.168.11.1
    dns-nameservers 18.104.22.168 22.214.171.124

auto wlan0
iface wlan0 inet static
    address 192.168.42.1
    netmask 255.255.255.0
    up iptables-restore < /etc/iptables.nat.vpn.secure
The last line loads the iptables rules at startup. Those rules perform NAT between the internet and the internal network, and make sure that all traffic is routed through the VPN.
VPN Login and configurations
The login information for my VPN provider is stored in /etc/openvpn/openvpn.login. Given that, the configuration files provided by the vendor are edited to replace the default authentication with a file-based one. This is usually done by replacing
The following set of iptables rules is saved in
*nat
:PREROUTING ACCEPT [4:711]
:INPUT ACCEPT [4:711]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [65:4284]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:7192]
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j DROP
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT
They serve two purposes. The first part (the nat table) ensures that NAT is performed between the inside and the outside world. The second part (the filter table) ensures that all outgoing connections use the VPN.
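As an added check that is not part of the original post, the following Python audits rules written in the iptables-save format above. It simulates the FORWARD chain's verdict for a new connection coming in on wlan0 and going out eth0, the path clients would take if tun0 disappears: with the FORWARD policy left at ACCEPT and no rule covering that interface pair, the post's rules let such traffic through, while setting the policy to DROP refuses it. The interface names and rule text are taken from the post; the functions and constants are this example's own.

```python
# Added example, not from the original post: audit rules in iptables-save
# format for the "everything goes through the VPN" property by simulating
# the FORWARD chain's first-match verdict for a NEW connection from the
# hotspot (wlan0) to the wired uplink (eth0). Rule text is constructed.
import shlex
# FORWARD-chain excerpt of the post's *filter table (counters zeroed).
POST_RULES = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT
"""
# Same rules with a DROP policy: wlan0 -> eth0 is then refused when tun0 is down.
HARDENED = POST_RULES.replace(":FORWARD ACCEPT", ":FORWARD DROP")

def _parse_rule(tokens):
    """Map the -i/-o/-j/--state/--ctstate options of one rule to their values."""
    opts = {tokens[i]: tokens[i + 1] for i in range(len(tokens) - 1) if tokens[i].startswith("-")}
    states = opts.get("--state") or opts.get("--ctstate")
    return {"in": opts.get("-i"), "out": opts.get("-o"), "target": opts.get("-j"),
            "states": set(states.split(",")) if states else None}

def parse_forward(dump):
    """Return (FORWARD policy, ordered FORWARD rules) from the *filter table."""
    policy, rules, table = None, [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A FORWARD "):
            rules.append(_parse_rule(shlex.split(line)[2:]))
    return policy, rules

def new_flow_verdict(dump, in_if, out_if):
    """Target of the first FORWARD rule matching a NEW in_if -> out_if flow, else the policy."""
    policy, rules = parse_forward(dump)
    for r in rules:
        if r["in"] not in (None, in_if) or r["out"] not in (None, out_if):
            continue
        if r["states"] and "NEW" not in r["states"]:  # state-only rules skip a new flow
            continue
        return r["target"]
    return policy

def vpn_only(dump, lan="wlan0", wan="eth0"):
    """True when hotspot clients cannot be forwarded straight to the wired uplink."""
    return new_flow_verdict(dump, lan, wan) in ("DROP", "REJECT")
```

Run it against the output of `iptables-save` on the Pi to confirm the hotspot's forwarded traffic has no path that bypasses tun0.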
Start Everything on Boot
Everything gets started by systemd as follows:
sudo systemctl start hostapd
sudo systemctl enable hostapd
sudo systemctl start openvpn@configuration
sudo systemctl enable openvpn@configuration
sudo systemctl start udhcpd
sudo systemctl enable udhcpd
Putting it all Together
An install script that automates the whole process is available on my GitHub page.