TMP - 26319-Raspberry Pi VPN Router GitHub1189864063

1/26/2017
RaspberryPiVPNRouterGitHub
Sign up for a GitHub account
Instantly share code, notes, and snippets.
Sign in
Create a gist now
superjamie / raspberrypivpnrouter.md
Last active 8 hours ago
Raspberry Pi VPN Router

raspberrypivpnrouter.md
Raspberry Pi VPN Router

This is a quickanddirty guide to setting up a Raspberry Pi as a "router on a stick" to PrivateInternetAccess VPN.
Requirements
Install Raspbian Jessie 20160527raspbianjessie.img to your Pi's sdcard.
Use the Raspberry Pi Configuration tool or sudoraspiconfig to:
Expand the root filesystem and reboot
Boot to commandline, not to GUI
Configure the right keyboard map and timezone
Configure the Memory Split to give 16Mb the minimum to the GPU
Consider overclocking to the Medium 900MHz setting on Pi 1, or High 1000MHz setting on Pi 2
IP Addressing
My home network is setup as follows:
Internet Router: 192.168.1.1
Subnet Mask: 255.255.255.0
Router gives out DHCP range: 192.168.100200
If your network range is different, that's fine, use your network range instead of mine.
I'm going to give my Raspberry Pi a static IP address of 192.168.1.2 by configuring /etc/network/interfaces like so:
autolo
ifaceloinetloopback
autoeth0
allowhotplugeth0
ifaceeth0inetstatic
address192.168.1.2
netmask255.255.255.0
gateway192.168.1.1
dnsnameservers8.8.8.88.8.4.4
You can use WiFi if you like, there are plenty tutorials around the internet for setting that up, but this should do:
https://gist.github.com/superjamie/ac55b6d2c080582a3e64
1/21
1/26/2017
autolo
ifaceloinetloopback
autoeth0
allowhotplugeth0
ifaceeth0inetmanual
autowlan0
allowhotplugwlan0
ifacewlan0inetstatic
wpassid"YourSSID"
wpapsk"YourPassword"
address192.168.1.2
netmask255.255.255.0
gateway192.168.1.1
dnsnameservers8.8.8.88.8.4.4
You only need one connection into your local network, don't connect both Ethernet and WiFi. I recommend Ethernet if
possible.
NTP
Accurate time is important for the VPN encryption to work. If the VPN client's clock is too far off, the VPN server will reject the
client.
You shouldn't have to do anything to set this up, the ntp service is installed and enabled by default.
Doublecheck your Pi is getting the correct time from internet time servers with ntpqp, you should see at least one peer
with a + or a * or an o, for example:
$ntpqp
remoterefidsttwhenpollreachdelayoffsetjitter
==============================================================================
0.time.xxxx.com104.21.137.302u47643240.4160.3660.239
+node01.jp.xxxxx226.252.532.92u39647241.0303.0710.852
*t.time.xxxx.net104.1.306.7692u38647127.1262.7280.514
+node02.jp.xxxxx250.9.592.8302u86417241.2124.7841.398
Setup VPN Client

Install the OpenVPN client:
sudoaptgetinstallopenvpn
Download and uncompress the PIA OpenVPN profiles:

wgethttps://www.privateinternetaccess.com/openvpn/openvpn.zip
sudoaptgetinstallunzip
unzipopenvpn.zipdopenvpn
Copy the PIA OpenVPN certificates and profile to the OpenVPN client:
sudocpopenvpn/ca.rsa.2048.crtopenvpn/crl.rsa.2048.pem/etc/openvpn/
sudocpopenvpn/Japan.ovpn/etc/openvpn/Japan.conf
You can use a diffrent VPN endpoint if you like. Note the extension change from ovpn to conf.
Create /etc/openvpn/login containing only your username and password, one per line, for example:
2/21
1/26/2017
user12345678
MyGreatPassword
Change the permissions on this file so only the root user can read it:
sudochmod600/etc/openvpn/login
Setup OpenVPN to use your stored username and password by editing the the config file for the VPN endpoint:
sudonano/etc/openvpn/Japan.conf
Change the following lines so they go from this:

caca.rsa.2048.crt
authuserpass
crlverifycrl.rsa.2048.pem
To this:
ca/etc/openvpn/ca.rsa.2048.crt
authuserpass/etc/openvpn/login
crlverify/etc/openvpn/crl.rsa.2048.pem
Test VPN
At this point you should be able to test the VPN actually works:
sudoopenvpnconfig/etc/openvpn/Japan.conf
If all is well, you'll see something like:
$sudoopenvpnconfig/etc/openvpn/Japan.conf
SatOct2412:10:542015OpenVPN2.3.4armunknownlinuxgnueabihf[SSL(OpenSSL)][LZO][EPOLL][PKCS11][MH][IPv6]builtonDec5
SatOct2412:10:542015libraryversions:OpenSSL1.0.1k8Jan2015,LZO2.08
SatOct2412:10:542015UDPv4linklocal:[undef]
SatOct2412:10:542015UDPv4linkremote:[AF_INET]123.123.123.123:1194
SatOct2412:10:542015WARNING:thisconfigurationmaycachepasswordsinmemoryusetheauthnocacheoptiontopreventthis
SatOct2412:10:562015[PrivateInternetAccess]PeerConnectionInitiatedwith[AF_INET]123.123.123.123:1194
SatOct2412:10:582015TUN/TAPdevicetun0opened
SatOct2412:10:582015do_ifconfig,tt>ipv6=0,tt>did_ifconfig_ipv6_setup=0
SatOct2412:10:582015/sbin/iplinksetdevtun0upmtu1500
SatOct2412:10:582015/sbin/ipaddradddevtun0local10.10.10.6peer10.10.10.5
SatOct2412:10:592015InitializationSequenceCompleted
Exit this with Ctrl+c
Enable VPN at boot

sudosystemctlenableopenvpn@Japan
Setup Routing and NAT

3/21
1/26/2017
Enable IP Forwarding:
echoe'\n#EnableIPRouting\nnet.ipv4.ip_forward=1'|sudoteea/etc/sysctl.conf
sudosysctlp
Setup NAT fron the local LAN down the VPN tunnel:
sudoiptablestnatAPOSTROUTINGotun0jMASQUERADE
sudoiptablesAFORWARDitun0oeth0mstatestateRELATED,ESTABLISHEDjACCEPT
sudoiptablesAFORWARDieth0otun0jACCEPT
Make the NAT rules persistent across reboot:

sudoaptgetinstalliptablespersistent
The installer will ask if you want to save current rules, select Yes
If you don't select yes, that's fine, you can save the rules later with sudonetfilterpersistentsave
Make the rules apply at startup:
sudosystemctlenablenetfilterpersistent
VPN Kill Switch

This will block outbound traffic from the Pi so that only the VPN and related services are allowed.
Once this is done, the only way the Pi can get to the internet is over the VPN.
This means if the VPN goes down, your traffic will just stop working, rather than end up routing over your regular internet
connection where it could become visible.
sudoiptablesAOUTPUTotun0mcommentcomment"vpn"jACCEPT
sudoiptablesAOUTPUToeth0picmpmcommentcomment"icmp"jACCEPT
sudoiptablesAOUTPUTd192.168.1.0/24oeth0mcommentcomment"lan"jACCEPT
sudoiptablesAOUTPUToeth0pudpmudpdport1198mcommentcomment"openvpn"jACCEPT
sudoiptablesAOUTPUToeth0ptcpmtcpsport22mcommentcomment"ssh"jACCEPT
sudoiptablesAOUTPUToeth0pudpmudpdport123mcommentcomment"ntp"jACCEPT
sudoiptablesAOUTPUToeth0pudpmudpdport53mcommentcomment"dns"jACCEPT
sudoiptablesAOUTPUToeth0ptcpmtcpdport53mcommentcomment"dns"jACCEPT
sudoiptablesAOUTPUToeth0jDROP
And save so they apply at reboot:

sudonetfilterpersistentsave
If you find traffic on your other systems stops, then look on the Pi to see if the VPN is up or not.
You can check the status and logs of the VPN client with:
sudosystemctlstatusopenvpn@Japan
sudojournalctluopenvpn@Japan
Configure Other Systems on the LAN

4/21
1/26/2017
Now we're ready to tell other systems to send their traffic through the Raspberry Pi.
Configure other systems' network so they are like:
Default Gateway: Pi's static IP address eg: 192.168.1.2
DNS: Something public like Google DNS 8.8.8.8 and 8.8.4.4
Don't use your existing internet router eg: 192.168.1.1 as DNS, or your DNS queries will be visible to your ISP and hence
may be visible to organizations who wish to see your internet traffic.
Optional: DNS on the Pi

To ensure all your DNS goes through the VPN, you could install dnsmasq on the Pi to accept DNS requests from the local LAN
and forward requests to external DNS servers.
sudoaptgetinstalldnsmasq
You may now configure the other systems on the LAN to use the Pi 192.168.1.2 as their DNS server as well as their
gateway.
harishpillay commented on Oct 24, 2015

Thanks for doing this, Jamie.
vepascal commented on Dec 7, 2015

Hi!
Very nice guide thanks.
Is working very well!!!
Thanks a lot.
Pay attention at the step:
sudo cp openvpn/Japan.ovpn /etc/openvpn/Japan.conf
danackerson commented on Jan 2, 2016

@vepascal due to the order of this howto, you won't be able to connect to any external servers until you get the VPN started due to the
iptables rules. Just reboot your Pi and then install dnsmasq.
jc1121 commented on Jan 12, 2016

I really appreciate this walk through. How do I create /etc/openvpn/login file?
vormworks commented on Jan 19, 2016

Very nice instuctions, worked for me, thank you jamie
sictona commented on Jan 20, 2016

I find this tutorial the best by far to create a vpn setup on the Raspberry Pi.
5/21
1/26/2017
I do have one strange thing happen to my setup from time to time though.
My setup is:
fiber 100/100 ISP provider into house Airport extreme as router/dhcpserver/dns connected to 8.8.8.8/8.8.4.4. 2x appleTV connected by dhcp
and a raspberry on dhcp but with reserved IP in the range.
This has worked as a charm from the moment I found this tutorial and I dont have any problems switching the appleTV:s from dhcp to manual,
pointing them to the raspberry IP and then access the american Netflix, but then sometimes....
At random times the vpn stops working. I havent found out why and the easiest and most lazy solution has been to just reinstall everything
using this tutorial.
Usually this works just fine and everything is back to normal with AppleTV and Netflix.
Sometimes though I get as far as I can list the content of the American Netflix I know what titles differ between Sweden and USA, but as soon
as I try to play any content I get the pesky Netflix error #139.
So what I am wondering is:
1 What would be the best way of error searching once the VPN stops working all together?
2 What on earth could create the strange error that makes me browse the content but not play it?
Any takers?
sictona commented on Jan 20, 2016

@jc1121 Just type sudo nano /etc/openvpn/login and the file will be created by nano. Type your info end then save/exit.
hokidzhao commented on Jan 20, 2016

how to set up purevpn client on Rasberry pi? I saw you used the openvpn.
sg6 commented on Jan 29, 2016

This is awesome! Thanks for that so much, it was really easy and now even my TV is connected to a VPN network!
MatusP commented on Feb 2, 2016

Hi there
I have been trying for a while now, but as soon as I enable the netfilter at startup sudo systemctl enable netfilterpersistent, my VPN would not
connect.
SO I just simply flushed all iptables:
sudo iptables A
and everything is working just fine.
I do not need the internet to stop if the vpn is down...
AdrianLThomas commented on Feb 4, 2016

Fantastic! Very easy and clear to follow. Worked perfectly for IPVanish! I may well script this in to something more reusable...
ididna commented on Mar 2, 2016

Short question: would it be possible to use the wired connection for the tunnel and in parallel the wireless one to share this tunnel? I have a Pi 1
and a wireless dongle and by following another tutorial http://elinux.org/RPIWirelessHotspot I was able to make it act as a wireless router it
does what it should; unfortunately as soon as I activated the vpn part as described by you above minus the kill switch, I omitted for the time
being this part the wireless clients can no longer access the Internet. There was an additional error in the vpn settingup but in the end this part
6/21
1/26/2017
works so, from the Pi I can browse the Internet via the tunnel. As I'm not an iptables specialist, I don't know exactly what to do to link the
wlan0 and the tun0. Would this be necessary, actually? Should this work without other modifications/additions to your tutorial and something
went wrong on my side? Thanks in advance.
donovision commented on Mar 10, 2016

This was very nice to follow. The one question I have is does the IP address in the following command need to be specific to my home network
or exactly as the command is in the tutorial?
sudo iptables A OUTPUT d 192.168.1.0/24 o eth0 m comment comment "lan" j ACCEPT
vepascal commented on Mar 11, 2016

@donovision
exactly as the command is in the tutorial
Jordan00Negative commented on Mar 15, 2016

Hello thank you for the tutorial. When I get to the part of "testing" the VPN, I get message saying AUTH FAILED. What should I do to correct this
problem. Thanks! ps using a RPi 2.
mgmsfd commented on Apr 2, 2016

Great document. Quick question, I need to also have inbound traffic so I can access my documents from the outside. Do you have a tutorial
similar to this one?
markfeldman commented on Apr 4, 2016

I feel REALLY stupid for asking... but the RasPi network capabilities are limited compared to a PC yes?
My PC's on board ethernet adapter reads as 10/100/1000
The specs on my RasPi 2 are 10/100 as in... not gigabit
My question is this: By using a VPN hosted on the Raspi, wouldn't that mean that EVERYTHING would be limited to the 10/100 speed ?
pir8s commented on Apr 9, 2016

Thanks for the tutorial, almost everything worked for me except for the VPN kill switch. If I stop the vpn service my real IP gets exposed.
I'm not using eth0 for my connection but wlan0 so I was wondering if all instances of eth0 should be replaced with wlan0 when setting up the
iptables rules.
Also why would someone use:
shouldn't we be using our network specific address range. ex. 192.168.3.0/24 in my case.
thanks for any clarification
sagarun commented on Apr 11, 2016

When tun0 goes down due to openvpn error or RPI is rebooting but tun0 is still not up, It seems to leak. what should be default gateway for the
raspberry pi ? It should be itself?
pir8s commented on Apr 11, 2016

the kill switch iptables rules specified here doesnt work for me! if tun0 goes down or I reboot the rpi the dns leaks. as @sagarun said.
7/21
1/26/2017
donovision commented on Apr 20, 2016

The one issues I have ran into is that I can no longer mount a cifs network share once the IPTABLES are in place. Any help would be appreciated.
I think I need to add a rule to allow access to the IP address of the NAS so that the cifs share can be mounted.
JvB94 commented on May 8, 2016

love your turtoial it works very well.
But the kill siwtch is not working...
Can someone post a working killswitch?
I need it very importend and don't find a working one in the internet.
Dedo21 commented on May 8, 2016 edited

Maybe you can try adding this rule?
sudoiptablesIFORWARDieth0!otun0jDROP
I think this would only protect the clients from leaking the real IP, not the Pi itself?
JvB94 commented on May 20, 2016

Works for me, thank you!!!
winedog commented on Jun 3, 2016 edited

One thing that I'm a little confused on. Does this require two network interfaces on the raspberry pi? Or can all of this be performed using the
builtin ethernet port on my RPi? My RPi also has a wireless dongle if I need a 2nd interface, in which case do I have the Pi configured to
establish the VPN connection through the wifi dongle and then anything connected to the ethernet port is routed through the Pi's VPN
connection?
branislavzlatkovic commented on Jun 4, 2016

Thanks for this great and simple tutorial!
How to force all NTP traffic to the default gateway instead?
My VPN blocks NTP, and it's needed both by the raspberry server and clients connecting through it
gomaaz commented on Jun 6, 2016

only one network device needed.
Killswitch isn't working and still necessary... please give adivce to that.
gomaaz commented on Jun 8, 2016 edited

I just started from the beginning and it works now...
Because my VPN connection also needs UDP 443 I just added didn't see this...I'm not familar with iptables...:
sudoiptablesAOUTPUToeth0pudpmudpdport443mcommentcomment"openvpn2"jACCEPT
and the killswitch only works with Dedo21's advice:

sudoiptablesIFORWARDieth0!otun0jDROP
8/21
1/26/2017
BUT after that: Clients now don't have access on homenetwork 192.168.1.0/16
any solution for that?
this setup on my BananaPi 32 Mb/s 4 MB/s gives throughput. As I have 64 Mb/s of linespeed I'll decide to get one of these odroid devices.
Cheers.
gregory0219998 commented on Jun 9, 2016

Hello guys, i want to run my raspberry pi as a router, the first ethernet port make the input for the network, for the output what can i use? and
for the ouput have i to make different config in ipttables?
Looking for a response thanks to all!
gomaaz commented on Jun 9, 2016

there is no second ethernet port. You can have it go through one ethernet port
winedog commented on Jun 14, 2016

Is there a way to do this using a PPTP VPN connection instead of OpenVPN? I got this working, but the OpenVPN's encryption taxes the
Raspberry Pi processing too much and I only get 34Mbps throughput. I think if I could do this with a PPTP connection the Pi would be able
handle this better?
Aecasorg commented on Jun 15, 2016 edited

Hi,
I have followed this guide to the letter however I cannot get it working. I left out the kill switch and DNS part in order not to complicate things.
What I am aiming to do is connect a SKY HD box > Ethernet cable > Raspberry Pi > WiFi > Router. I can get the VPN up and running fine
and it is all connected to internet however when I connect my laptop via ethernet cable to the RPi I cannot access internet. I've even changed
the iptables 'eth0' to 'wlan0' to see if that helped. I've set my laptop manually to go to the RPi as Gateway I use a Macbook Pro and Raspberry
Pi 3 but still no access. What am I doing wrong?
Any help on this matter would really be appreciated!
Thanks in advance,
Henrik
jeroenjota commented on Jul 17, 2016 edited

Thanks for the walkthrough
I changed the iptables rules:
The ip range
to to 192.168.2.0 as that is my subnet

And also the port 1194 in

to 1198
as that's what my Netherlands.conf file is saying
sudoiptablesAOUTPUToeth0pudpmudpdport**1198**mcommentcomment"openvpn"jACCEPT
Things seem to be working now ;
Tubbs2u commented on Aug 6, 2016
9/21
1/26/2017
Also here, the above said it should look like this:
ca ca.crt
authuserpass
crlverify crl.pem
However, it looks like this:
ca ca.rsa.2048.crt
authuserpass
crlverify crl.rsa.2048.pem
When I changed it to this:
ca /etc/openvpn/ca.crt
authuserpass /etc/openvpn/login
crlverify /etc/openvpn/crl.pem
I keeping getting errors in those lines, which its asking me to correct.......Any help would be welcome, and thanks in advance.
sogseal commented on Aug 6, 2016 edited

Also here, the above said it should look like this:
ca ca.crt
authuserpass
crlverify crl.pem
However, it looks like this:
ca ca.rsa.2048.crt
authuserpass
crlverify crl.rsa.2048.pem
When I changed it to this:
ca /etc/openvpn/ca.crt
crlverify /etc/openvpn/crl.pem
I keeping getting errors in those lines, which its asking me to correct.......Any help would be welcome, and thanks in advance.
Change it to, unless you renamed them:
ca /etc/openvpn/ca.rsa.2048.crt
crlverify /etc/openvpn/crl.rsa.2048.pem
Tubbs2u commented on Aug 6, 2016 edited

Thanks for your reply sogseal, however this is what I am getting below::: sudo cp openvpn/ca.crt openvpn/crl.pem /etc/openvpn
*Options error: ca fails with '/etc/openvpn/ca.rsa.2048.crt': No such file or directory
*Options error: crlverify fails with '/etc/openvpn/crl.rsa.2048.pem': No such file or directory
*Options error: Please correct these errors.
Use help for more information.
OK..I now know why I was getting Errors,: sudo cp openvpn/ca.crt openvpn/crl.pem /etc/openvpn....Should look like this:::::::
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
Thanks......Tubbs

Thanks for your reply sogseal, however this is what I am getting below::: sudo nano /etc/openvpn/Japan.conf
*Options error: ca fails with '/etc/openvpn/ca.rsa.2048.crt': No such file or directory
*Options error: crlverify fails with '/etc/openvpn/crl.rsa.2048.pem': No such file or directory
*Options error: Please correct these errors.
Use help for more information.
10/21
1/26/2017
Also when I put this command line::sudo cp openvpn/ca.crt openvpn/crl.pem /etc/openvpn/........I am getting the below errors
*cp: cannot stat openvpn/ca.crt: No such file or directory
*cp: cannot stat openvpn/crl.pem: No such file or directory
Really don't know what i am doing wrong
Thanks for any help in advance..Tubbs
So, when you downloaded wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
you should have this files
ca.rsa.2048.crt
crl.rsa.2048.pem
You need to make sure that both of these files, Japan.conf and your login files are in this directory /etc/openvpn
then
sudonano/etc/openvpn/Japan.confAndmakesurethatyouhavethefullpathforthis3lines
authuserpass/etc/openvpn/login
Also FYI, PIA changed their port number to 1198. Hope it works
I would also edit this:
sudovim/etc/default/openvpn
Look for line OPTARGS="" and change it to:

OPTARGS="authnocache"
this should prevent to cache password in memory
Tubbs2u commented on Aug 7, 2016

Thanks you Sogseal... Will have another attempted again today....wish me luck lol, I am new to all this, but eager to learn.

Thanks you Sogseal... Will have another attempted again today....wish me luck lol, I am new to all this, but eager to learn.
let me know, ill help with what i can.

Done this, however I don't think its working properly, don't know what I am doing wrong
sudo nano /etc/openvpn/Japan.conf
client
dev tun
proto udp
remote japan.privateinternetaccess.com 1198
resolvretry infinite
nobind
persistkey
persisttun
cipher aes128cbc
auth sha1
tlsclient
remotecerttls server
complzo
verb 1
renegsec 0
crlverify /etc/openvpn/crl.rsa.2048.pem
11/21
1/26/2017
ca /etc/openvpn/ca.rsa.2048.crt
disableocc
And done this like this
My raspberry Pi address added above 192.168.0.5
sudo iptables A OUTPUT o eth0 p udp m udp dport 1194 m comment comment "openvpn" j ACCEPT
Also add this port 1198 in
Test VPN
At this point you should be able to test the VPN actually works:
sudo openvpn config /etc/openvpn/Japan.conf
When I tested I'm getting this:
pi@raspberrypi ~ $ sudo openvpn config /etc/openvpn/Japan.conf
Sun Aug 7 23:30:43 2016 OpenVPN 2.3.4 armunknownlinuxgnueabihf [SSL OpenSSL] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23
2016
Sun Aug 7 23:30:43 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Sun Aug 7 23:30:43 2016 UDPv4 link local: [undef]
Sun Aug 7 23:30:43 2016 UDPv4 link remote: [AF_INET]161.202.72.147:1198
Sun Aug 7 23:30:44 2016 WARNING: this configuration may cache passwords in memory use the authnocache option to prevent this
Sun Aug 7 23:30:45 2016 [a256e14cb98c429b76e86d08cc3856ad] Peer Connection Initiated with [AF_INET]161.202.72.147:1198
Sun Aug 7 23:30:48 2016 AUTH: Received control message: AUTH_FAILED
Sun Aug 7 23:30:48 2016 SIGTERM[soft,authfailure] received, process exiting
Doesn't look as its working properly tho lol
And
Done this:
sudo vim /etc/default/openvpn
Look for line OPTARGS="" and change it to:
OPTARGS="authnocache"

check your username and password are correct and did you do sudo chmod 600 /etc/openvpn/login ?
This guide is good, there is only few changes. Make sure you follow exactly the steps above and chage this in your Japan.conf:
authuserpass/etc/openvpn/tmp
and your iptables

Here is my lsalh/etc/openvpn/ output:

total28K
drwxrxrx2rootroot4.0KAug620:03.
drwxrxrx115rootroot4.0KAug711:54..
rwrr1rootroot2.0KAug614:51ca.rsa.2048.crt
rwrr1rootroot869Aug614:51crl.rsa.2048.pem
rwrr1rootroot422Aug619:59East.conf
rw1rootroot86Aug614:53tmp
rwxrxrx1rootroot1.3KJan232016updateresolvconf
Here is my .conf if it'll helps you:

client
devtun
protoudp
remoteuseast.privateinternetaccess.com1198
resolvretryinfinite
nobind
persistkey
12/21
1/26/2017
persisttun
cipheraes128cbc
authsha1
tlsclient
remotecerttlsserver
authuserpass/etc/openvpn/tmp
complzo
verb1
renegsec0
disableocc
scriptsecurity2
up/etc/openvpn/updateresolvconf
down/etc/openvpn/updateresolvconf

Thanks once again for your time and patiant Sogseal.....I can get this ::
pi@raspberrypi ~ $ ls alh /etc/openvpn/
total 28K
drwxrxrx 2 root root 4.0K Aug 7 14:00 .
drwxrxrx 112 root root 4.0K Aug 7 14:49 ..
rwrr 1 root root 2.0K Aug 8 22:05 ca.rsa.2048.crt
rwrr 1 root root 869 Aug 8 22:05 crl.rsa.2048.pem
rwrr 1 root root 422 Aug 8 22:10 Japan.conf
rw 1 root root 15 Aug 7 14:00 login
rwxrxrx 1 root root 1.3K Jan 23 2016 updateresolvconf
What do I do now to check if the vpn is working m8.....trying to get my mobile phone to connect, but its not doing so, I don,t think i am that far
away
sogseal commented on Aug 8, 2016

Do a quick check by:
curlipinfo.io/json
If you see your real public ip thats not good... then run this command:
sudoserviceopenvpnstatus
and look for "Running" if you see then you are good to go if you see "Existed" then need to troubleshoout.

Sogseal, when I write this command: sudo curl ipinfo.io/json
I get this....:curl: 7 Failed to connect to ipinfo.io port 80: Connection timed out
And when I run this command : sudo service openvpn status
I got this.....
openvpn.service OpenVPN service
Loaded: loaded /lib/systemd/system/openvpn.service; enabled
Active: active exited since Tue 20160809 00:17:17 BST; 17h ago
Main PID: 596 code=exited, status=0/SUCCESS
CGroup: /system.slice/openvpn.service
Nothing with the word "Running"....., however I see the word "Exited", which means something is wrong somewhere m8, not sure where to next,
other than do a fresh install, have you got any suggestions m8ty.
And thanks once again for your time and effort m8
scoobyd00 commented on Aug 12, 2016 edited
13/21
1/26/2017
Excellent tutorial. Got my VPN up and working great.
Does anyone know how to write a small bash file to swap locations?. Im currently using the PIA london node but sometimes wish to use one
from the netherlands.
How can I stop the current vpn connection to London and quickly connect it the netherlands one? I have copied over the correct ovpn to the
correct directory etc.

Managed to figure this one out.
I edited openvpn in /etc/default and selected AUTOSTART = "none"
I then created a simple bash script to select different VPN's using
sudo service openvpn@nameofvpn start to select the VPN
and
sudo service openvpn@nameofvpn stop to stop the VPN
dumpster99 commented on Aug 13, 2016

Great work and thanks for the effort to publish your results. I started with the vpn gateway running on a raspberry pi. But for better
performance I am actually now running a virtualbox debian VM with a similar config. I spent some time to tweak the iptables part of the setup. I
created a iptables_vpn.sh file that I can execute to load up the rules. Here is what I am using:
!/bin/bash
start fresh
iptables flush
iptables deletechain
iptables t nat F
default drop
iptables P INPUT DROP
iptables P FORWARD DROP
iptables P OUTPUT DROP
setup logging chain logs to var log messages

iptables N LOGGING
iptables N BADPKT_LOGGING
loopback ok
iptables A INPUT i lo m comment comment "loopback" j ACCEPT
iptables A OUTPUT o lo m comment comment "loopback" j ACCEPT
traffic that is ok by default

iptables I INPUT i eth0 m comment comment "In from LAN" j ACCEPT
iptables I OUTPUT o tun+ m comment comment "Out to VPN" j ACCEPT
OPENVPN on socket 1198 ok

14/21
1/26/2017
iptables A OUTPUT o eth0 p udp dport 1198 m comment comment "openvpn" j ACCEPT
NTP on socket 123 ok

iptables A OUTPUT o eth0 p udp dport 123 m comment comment "ntp" j ACCEPT
DHCP ok
iptables A OUTPUT p UDP dport 67:68 m comment comment "dhcp" j ACCEPT
DNS traffic to bring up tunnel ok

iptables A OUTPUT o eth0 p udp dport 53 m comment comment "dns" j ACCEPT
allow forwarding if VPN alive

iptables A FORWARD i tun+ o eth0 m state state RELATED,ESTABLISHED j ACCEPT
iptables A FORWARD i eth0 o tun+ m comment comment "LAN out to VPN" j ACCEPT
NAT the gateway

iptables t nat A POSTROUTING o tun+ j MASQUERADE
All TCP sessions should begin with SYN and drop bad packets
iptables A INPUT p tcp ! syn m state state NEW j BADPKT_LOGGING
iptables A INPUT m state state INVALID j BADPKT_LOGGING
iptables A INPUT p tcp tcpflags ALL NONE j BADPKT_LOGGING
iptables A INPUT p tcp tcpflags ALL ALL j BADPKT_LOGGING
iptables A INPUT f m comment comment "Drop FRAGS" j BADPKT_LOGGING
iptables A INPUT p tcp tcpflags ALL ACK,RST,SYN,FIN j BADPKT_LOGGING
iptables A INPUT p tcp tcpflags SYN,FIN SYN,FIN j BADPKT_LOGGING
iptables A INPUT p tcp tcpflags SYN,RST SYN,RST j BADPKT_LOGGING
Accept inbound VPN initiated traffic

iptables A INPUT i tun+ m state state ESTABLISHED,RELATED j ACCEPT
Accept outbound into the LAN packets on initited traffic

iptables A OUTPUT o eth0 m state state RELATED,ESTABLISHED j ACCEPT
setup logging for dropped traffic must be the last rules

iptables A INPUT m comment comment "LOG and DROP" j LOGGING
iptables A OUTPUT m comment comment "LOG and DROP" j LOGGING
LOGGING chain
iptables A LOGGING m limit limit 2/sec j LOG logprefix "IPTablesDropped: " loglevel 4
iptables A LOGGING j DROP
LOGGING BADPACKETS chain
15/21
1/26/2017
LOGGING BADPACKETS chain

iptables A BADPKT_LOGGING m limit limit 2/sec j LOG logprefix "IPTables BADPACKETS: " loglevel 4
iptables A BADPKT_LOGGING j DROP

Has anyone tried this on a raspberry pi 3?
Im running it on my raspberry pi 2 at the moment, pi overclocked to maxium and on my 200mb internet connection im getting a throughput of
about 23mb via the vpn sometimes peaking to 27mb.
Does anyone whose using this on a PI3 get better performance?.
I know openvpn takes a hit on speed and its also affected by cpu so just wondering if the PI3 would gain any better throughput.
dumpster99 commented on Aug 23, 2016

I did try my setup with a RPi2, PRi3 and ODROID C2 before going to my current virtualbox debian setup. My downlink speed maxes out at
60Mb/s. I was able to max the link with the ODROID C2 running as the gateway. However the VPN tunnel kept interrupting and not recovering
for some unknown reason. I don't remember the exact thruput I got with the RPi3, but it was somewhere between 3050Mb/s. I did write down
some of the openssl speed benchmark numbers which are not exactly Mb/s but give you some idea of the performance.
Here is the command:
openssl speed evp AES128CBC
This runs a benchmark using openssl which is the main routine for CPU usage in openvpn.
Here is what I got 1024 length:
ASUS RTAC56 29,202 my router for comparison
Rasp Pi 2 21,000
Rasp Pi 3 51,400
scoobyd00 commented on Aug 24, 2016

Thanks for the reply @dumpster99.
It looks like the Pi3 can nearly double the throughput of the PI2.
I'll hold on using my PI2 for the time being, mostly stream HD content through it so its fine at around 20mb at the moment.
I will need to stream some 4k content in the future and they recommend a min of 25mb so will look at upgrading to the PI3 or even the PI4 if it
gets released!.
khromov commented on Sep 4, 2016 edited

Getting RTNETLINKanswers:Fileexists error when trying to connect with the openvpn command, here is the log:
SunSep406:56:492016TUN/TAPdevicetun0opened
SunSep406:56:492016TUN/TAPTXqueuelengthsetto100
SunSep406:56:492016do_ifconfig,tt>ipv6=0,tt>did_ifconfig_ipv6_setup=0
SunSep406:56:492016/sbin/iplinksetdevtun0upmtu1500
SunSep406:56:492016/sbin/ipaddradddevtun010.251.4.68/24broadcast10.251.4.255
SunSep406:56:492016/sbin/iprouteadd155.4.14.28/32via192.168.2.1
RTNETLINKanswers:Fileexists
SunSep406:56:492016ERROR:Linuxrouteaddcommandfailed:externalprogramexitedwitherrorstatus:2
SunSep406:56:492016InitializationSequenceCompleted
16/21
1/26/2017
Note it's a different VPN provider
Any ideas? @superjamie ? :
superjamie commented on Sep 19, 2016
Owner
@khromov Your VPN provider sends down the route to the internet endpoint 155.4.14.28/32via192.168.2.1 twice. It will have no effect,
but you can raise it to their tech support if you like.
phenomarc commented on Sep 22, 2016

It's possible to connect only one PC to the VPN client, and the others to the normal router?
klausberberich commented on Oct 7, 2016

Great instructions, Jamie, thanks a lot! With your help I now have two Wifi networks in my house, one that connects straight to the internet and
a second one that connects via the VPN. Depending on what I want to do I can connect my clients to either Wifi.
The setup is:
A Wifi router from my internet provider, connected directly to the internet.
A Raspberry Pi 3 configured as described here and connected to the Wifi router above via ethernet.
A second Wifi router that is connected to the router above via ethernet and uses the Raspberry Pi as default gateway and DNS server.
For a while this setup didn't work until I found that dnsmasq is set to localservice by default. There are a few workarounds for that, the
one that works best for me is to specify the interface for dnsmasq to listen to eth0 in my case which will inactivate the localservice
option. See https://techtuts.info/2014/04/dnsmasq269suddentimeouts/ for details.
I also had an issue with syslog not providing proper output and instead showing something like
Oct702:03:12raspberryrsyslogd2007:action'action17'suspended,nextretryisWedOct702:03:422015[try
http://www.rsyslog.com/e/2007]
As described here you can fix this by commenting out the last 4 lines of your /etc/rsyslog.conf file like this:
#daemon.*;mail.*;\
#news.err;\
#*.=debug;*.=info;\
#*.=notice;*.=warn|/dev/xconsole
mvilrokx commented on Oct 8, 2016

Very cool, works like a charm! I added a rule for my VNC as well:
sudo iptables I INPUT m state state NEW p tcp m tcp dport 5901 m comment comments "vnc" j ACCEPT
fferroni commented on Oct 23, 2016

Hi. Thank you. I added the RPi as the default gateway and now works for IPv4. What do I do to forward also IPv6?
bhatsu commented on Nov 13, 2016

`Create /etc/openvpn/login containing only your username and password, one per line, for example:
user12345678
MyGreatPassword`
17/21
1/26/2017
Which username and password do we need to enter in /etc/openvpn/login file ?
austinjmorlan commented on Nov 14, 2016

@bhatsunny Those would be the username and password of your Private Internet Access account.
bytemon commented on Nov 27, 2016 edited

OK, followed instructions I believe. Directly from the client, it seems to work ok if I go to whatsmyip.org, it reports the proper IP address.
But, try as I may from a Windows 10 machine on the network, if I set up a static IP with a gateway of the OPENVPN machine, it does not work
it says no connection to the internet. If I use the OPENVPN as the DNS reslover, a ping finds the internet ip address, but can not access.
Here is my "status printout:
geoff@rpisiete:~$sudosystemctllstatusopenvpn@USWest
openvpn@USWest.serviceOpenVPNconnectiontoUSWest
Loaded:loaded(/lib/systemd/system/openvpn@.service;enabled)
Active:active(running)sinceSun2016112707:46:15MST;6hago
Process:418ExecStart=/usr/sbin/openvpndaemonovpn%istatus/run/openvpn/%i.status10cd/etc/openvpnconfig/etc/openvpn/%i.conf(cod
MainPID:484(openvpn)
CGroup:/system.slice/systemopenvpn.slice/openvpn@USWest.service
484/usr/sbin/openvpndaemonovpnUSWeststatus/run/openvpn/USWest.status10cd/etc/openvpnconfig/etc/openvpn/USWest.conf
Nov2707:46:15rpisieteovpnUSWest[418]:OpenVPN2.3.4armunknownlinuxgnueabihf[SSL(OpenSSL)][LZO][EPOLL][PKCS11][MH][IPv6]builtonJ
Nov2707:46:15rpisieteovpnUSWest[418]:libraryversions:OpenSSL1.0.1t3May2016,LZO2.08
Nov2707:46:15rpisieteovpnUSWest[418]:RESOLVE:Cannotresolvehostaddress:uswest.privateinternetaccess.com:Temporaryfailureinnamereso
Nov2707:46:15rpisieteovpnUSWest[484]:RESOLVE:Cannotresolvehostaddress:uswest.privateinternetaccess.com:Temporaryfailureinnamereso
Nov2707:46:15rpisietesystemd[1]:StartedOpenVPNconnectiontoUSWest.
Nov2707:46:20rpisieteovpnUSWest[484]:UDPv4linklocal:[undef]
Nov2707:46:20rpisieteovpnUSWest[484]:UDPv4linkremote:[AF_INET]104.200.151.75:1198
Nov2707:46:20rpisieteovpnUSWest[484]:WARNING:thisconfigurationmaycachepasswordsinmemoryusetheauthnocacheoptiontopreventthi
Nov2707:46:20rpisieteovpnUSWest[484]:[f328c7b07e90db3b9882f2157dc21269]PeerConnectionInitiatedwith[AF_INET]104.200.151.75:1198
Nov2707:46:23rpisieteovpnUSWest[484]:TUN/TAPdevicetun0opened
Nov2707:46:23rpisieteovpnUSWest[484]:do_ifconfig,tt>ipv6=0,tt>did_ifconfig_ipv6_setup=0
Nov2707:46:23rpisieteovpnUSWest[484]:/sbin/iplinksetdevtun0upmtu1500
Nov2707:46:23rpisieteovpnUSWest[484]:/sbin/ipaddradddevtun0local10.38.10.6peer10.38.10.5
Nov2707:46:23rpisieteovpnUSWest[484]:InitializationSequenceCompleted
Nov2713:00:59rpisieteovpnUSWest[484]:[f328c7b07e90db3b9882f2157dc21269]Inactivitytimeout(pingrestart),restarting
Nov2713:00:59rpisieteovpnUSWest[484]:SIGUSR1[soft,pingrestart]received,processrestarting
Nov2713:01:04rpisieteovpnUSWest[484]:PreservingpreviousTUN/TAPinstance:tun0
Nov2713:01:04rpisieteovpnUSWest[484]:NOTE:Pulledoptionschangedonrestart,willneedtocloseandreopenTUN/TAPdevice.
Nov2713:01:04rpisieteovpnUSWest[484]:/sbin/ipaddrdeldevtun0local10.38.10.6peer10.38.10.5
Nov2713:04:08rpisieteovpnUSWest[484]:[f328c7b07e90db3b9882f2157dc21269]Inactivitytimeout(pingrestart),restarting
Nov2713:04:08rpisieteovpnUSWest[484]:SIGUSR1[soft,pingrestart]received,processrestarting
Nov2713:04:13rpisieteovpnUSWest[484]:PreservingpreviousTUN/TAPinstance:tun0
Nov2713:04:13rpisieteovpnUSWest[484]:NOTE:Pulledoptionschangedonrestart,willneedtocloseandreopenTUN/TAPdevice.
Nov2713:04:13rpisieteovpnUSWest[484]:/sbin/ipaddrdeldevtun0local10.42.10.6peer10.42.10.5
Not sure why I'm getting the "RESOLVE" message, but again browsing from the OPENVPN client works
18/21
1/26/2017
Perhaps I don't know now to either setup the Windows 10 machine, or know how to connect:
For connection, I'm simply using a wired ethernet connection for both the OPENVPN machine and the Windows 10 client.
For the Windows 10 machine, I'm setting up a static ip with the gateway assigned to the OPENVPN machine, and using Google's dns settings.
Where am I going wrong?
reillychase commented on Dec 20, 2016

It works on my Raspberry Pi 1 B. Thanks!
mdestagnol commented 28 days ago edited

I'm trying to find a clean way to enable/disable the traffic to go through the VPN tunnel, without having to change anything on the client side.
With the current tutorial, when I stop openvpn the traffic isn't going through anymore since tun0 isn't used anymore.
I'm not super familiar with iptable configs. Do you know what should I do in order to let the traffic flow through the raspberry pi gateway when
it doesn't go through the VPN?
DropbearNinja commented 24 days ago

Hi, thanks for the guide! How do I direct certain traffic to NOT use the VPN?
For example I'd like outbound SMTP traffic to just not use the VPN since SMTP is blocked by my VPN by default I can request for it to not be
blocked, but this is jsut an example.
I'm assuming some iptables rules are needed?
Thanks,
winedog commented 11 days ago edited

Is there any possibility this setup could allow information from ISPs IP address to be leaking through?
Everything is working fine for me, but when I set my windows 10 machine to route through the PI some sites detect that I'm using a proxy/vpn.
I've confirmed that my external IP address and routing looks like it is coming out of my VPN servers destination location.
However, if I login to the exact same VPN server that the Pi is configured to connect to with a VPN client from Windows 10 i.e. Viscosity, I
don't get any proxy/vpn detection errors. All I can think is I'm leaking some sort of data that is tripping off the proxy/VPN detection.
EDIT: Further evaluation shows that the problem looks like DNS leaking. And it seems OpenVPN for the PI is really outdated at version 2.3.4.
Struggling to figure out how I can upgrade to 2.4.0 OpenVPN on the Pi
winedog commented 9 days ago

even after getting OpenVPN brought up to 2.4.0 and using the blockoutsidedns command in the .conf files or adding this:
scriptsecurity2up/etc/openvpn/updateresolvconfdown/etc/openvpn/updateresolvconf
I still can't manage to stop the DNS from leaking. I'm using the DNSMasq option and have my pi

So I've tried adding the killswitch, which I wasn't using before, and it doesn't work for me. When adding the tables everything works fine until I
add the last line at which case clients routing through the pi lose connection.
sudo iptables A OUTPUT o eth0 j DROP
19/21
1/26/2017
Also, if I hardcode my client DNS to something like an opendns server or google DNS, my DNS leak stops. So maybe it is some problem with
DNSMasq allowing the leak as well?
chrish619 commented 9 days ago edited

I'm leaving this here for posterity, in case it helps anyone:
Please note: My Raspberry Pi is currently configured purely as a VPN Client / Router, and is not used for browsing:
My IpTables rules are as follows:
ChainINPUT(policyACCEPT4027Kpackets,5310Mbytes)
pktsbytestargetprotoptinoutsourcedestination
ChainFORWARD(policyDROP124Kpackets,8718Kbytes)
3594K4391MACCEPTalltun0eth0anywhereanywherestateRELATED,ESTABLISHED
3262K254MACCEPTalleth0tun0anywhereanywhere/*LANouttoVPN*/
ChainOUTPUT(policyACCEPT2302Kpackets,509Mbytes)
I've not applied any OUTPUT rules, but primarily what worked for forwarding to VPN, and only VPN was
sudoiptablesPFORWARDDROP which sets up the default rule for FORWARDing to DROP unless matched by another rule
If the vpn connection is down, then no routed clients can connect. But the Raspberry Pi can still connect for updates, browsing, problem solving,
etc
Hope this helps.
maartenjd commented 8 days ago edited

Excellent guide!
I have been struggeling for hours to get it working for PureVPN, until I found out that this provider uses port 80 for openvpn via tcp. So I
changed
into
sudoiptablesAOUTPUToeth0ptcpmtcpdport80mcommentcomment"openvpn"jACCEPT
so tcp instead of udp and port 80 instead of 1198 to enable openvpn to contact the vpnserver.

I still cannot figure out anyway to stop DNS leaking when using the DNSMasq with the Pi and setting clients to the Pi's IP address for DNS. I'm
using Ironsocket rather than PIA, but don't see how that should make any difference.
ab77 commented 4 days ago

iptablestnatAPREROUTINGieth0ptcpmtcpdport53jDNATtodestination127.0.0.1 will rewrite any DNS request made by
the clients behind the router to the locally running DNS server e.g. dnsmasq on the router.
Once the request is there, you can handle it appropriately. No more DNS leaks.
ab1
jakky567 commented 3 days ago
20/21
1/26/2017
When I got to installing iptablespersistent in the guide, it would show an error that netfilterpersistent was not configured yet.
sivaarja commented 8 hours ago

what is the need to make a vpn server on raspberry pi , can't we install that server and use it in a same pc laptop?please help me out of this..
Sign up for free
to join this conversation on GitHub. Already have an account? Sign in to comment
21/21

TMP - 26319-Raspberry Pi VPN Router GitHub1189864063

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

TMP - 26319-Raspberry Pi VPN Router GitHub1189864063

Uploaded by

Copyright:

Available Formats

1/26/2017

Instantly share code, notes, and snippets.

Create a gist now

Raspberry Pi VPN Router

Raspberry Pi VPN Router

Setup VPN Client

Download and uncompress the PIA OpenVPN profiles:

Change the following lines so they go from this:

If all is well, you'll see something like:

Exit this with Ctrl+c

Enable VPN at boot

Setup Routing and NAT

Make the NAT rules persistent across reboot:

VPN Kill Switch

And save so they apply at reboot:

Configure Other Systems on the LAN

Optional: DNS on the Pi

harishpillay commented on Oct 24, 2015

vepascal commented on Dec 7, 2015

danackerson commented on Jan 2, 2016

jc1121 commented on Jan 12, 2016

vormworks commented on Jan 19, 2016

sictona commented on Jan 20, 2016

sictona commented on Jan 20, 2016

hokidzhao commented on Jan 20, 2016

sg6 commented on Jan 29, 2016

MatusP commented on Feb 2, 2016

AdrianLThomas commented on Feb 4, 2016

ididna commented on Mar 2, 2016

donovision commented on Mar 10, 2016

vepascal commented on Mar 11, 2016

Jordan00Negative commented on Mar 15, 2016

mgmsfd commented on Apr 2, 2016

markfeldman commented on Apr 4, 2016

pir8s commented on Apr 9, 2016

sagarun commented on Apr 11, 2016

pir8s commented on Apr 11, 2016

donovision commented on Apr 20, 2016

JvB94 commented on May 8, 2016

Dedo21 commented on May 8, 2016 edited

JvB94 commented on May 20, 2016

winedog commented on Jun 3, 2016 edited

branislavzlatkovic commented on Jun 4, 2016

gomaaz commented on Jun 6, 2016

gomaaz commented on Jun 8, 2016 edited

and the killswitch only works with Dedo21's advice:

gregory0219998 commented on Jun 9, 2016

gomaaz commented on Jun 9, 2016

winedog commented on Jun 14, 2016

Aecasorg commented on Jun 15, 2016 edited

jeroenjota commented on Jul 17, 2016 edited

to to 192.168.2.0 as that is my subnet

And also the port 1194 in

Things seem to be working now ;

Tubbs2u commented on Aug 6, 2016

sogseal commented on Aug 6, 2016 edited

Tubbs2u commented on Aug 6, 2016 edited

sogseal commented on Aug 6, 2016 edited

Look for line OPTARGS="" and change it to:

this should prevent to cache password in memory

Tubbs2u commented on Aug 7, 2016

sogseal commented on Aug 7, 2016 edited

Tubbs2u commented on Aug 7, 2016 edited