How to use Raspberry Pi 3 Model B as a VPN access point
Making a VPN access point by using a Raspberry Pi 3
The Raspberry Pi 3 is full of capabilities and fun. You can do anything you want with a Raspberry Pi. In this case we are going to build a VPN access point (hotspot). What I mean is that we are going to create a wifi network which automatically redirects our normal traffic into the VPN network.
I tried to make a network topology in order to explain it visually.
Requirements
- Raspberry Pi 3 Model B
- I used the Raspbian Stretch Lite (version 2018-10-09) image with SSH activated
- Ethernet cable
- A computer to set up the Raspberry Pi via SSH
- A subscription to a VPN service provider which supports OpenVPN, or just an OpenVPN config file (.ovpn)
Step 1: Update the Raspbian repositories[1]
    sudo apt-get update

After the upgrade finishes, reboot the Pi: sudo reboot
Step 2: Install the wireless access point packages
We are going to use two packages in order to make our raspberry into a wireless access point. The packages are:
- hostapd - this is the package that lets us create a wifi hotspot
- dnsmasq - this is an easy-to-use DHCP and DNS server package.
Let’s install these:

    sudo apt-get install hostapd dnsmasq -y

Since we’re going to configure these packages we should stop them in order to prevent errors.

    sudo systemctl stop hostapd
    sudo systemctl stop dnsmasq

Step 3: Set a static IP for wlan0 interface
Use a text editor to edit the /etc/dhcpcd.conf file and add the following lines to the end of the file. I use the vim editor to do that.

    sudo vim /etc/dhcpcd.conf

Add the following to the end of the /etc/dhcpcd.conf file.

    interface wlan0

I set the IP 192.168.1.40 for the wlan0 interface because the DHCP server of my home router gives out IPs like 192.168.1.xx.
The last two lines, which start with deny, are needed for the next steps (in order to make our bridge setup work).
Step 4: Configure DHCP server(dnsmasq)
As I said before, we are going to use the dnsmasq package as our DHCP server. “Dynamic Host Configuration Protocol (DHCP) is a protocol for assigning dynamic IP addresses to devices on a network”[2].
Since dnsmasq’s default configuration file contains lots of information that is unnecessary for our case, it’s easier to start from scratch. Let’s rename the default file and create a new one.

    sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
    sudo vim /etc/dnsmasq.conf

Add the following to the new file that we have just created with vim.

    interface=wlan0

With this config file I tell dnsmasq to give an IP to every hotspot client within the range of 192.168.1.41-192.168.1.80
Step 5: Configure the wifi access point(hostapd)
Create a config file in the /etc/hostapd/ folder and call it hostapd.conf by using the following command.

    sudo vim /etc/hostapd/hostapd.conf

And add the following to this file:

    interface=wlan0

The last two lines are our new wifi access point name and its password. Edit these as you wish, NETWORK is the wifi name and PASSWORD is the wifi password.
Now, we need to show the system the location of the hostapd config file.
Open the /etc/default/hostapd file with your favorite text editor.

    sudo vim /etc/default/hostapd

In this file find the #DAEMON_CONF="" line and change it to DAEMON_CONF="/etc/hostapd/hostapd.conf", making sure that the # symbol is removed from the beginning of the line.
Step 6: Enable traffic forwarding
We need to enable traffic forwarding so that our wlan0 traffic can flow into the eth0 interface. To do that, we need to edit another configuration file.
Open the /etc/sysctl.conf file:

    sudo vim /etc/sysctl.conf

Find this line:

    #net.ipv4.ip_forward=1

Delete the # symbol and leave the rest as it is, so that the line looks like this:

    net.ipv4.ip_forward=1

After that, start the services that we’ve stopped at step 2:

    sudo systemctl start hostapd
    sudo systemctl start dnsmasq

Step 7: Add a new iptables rule
In this step, we’re going to add IP masquerading for outbound traffic on eth0 using iptables:

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Since iptables doesn’t restore previous rules on reboot, we need to install another package to make the iptables rules persistent across reboots.

    sudo apt install iptables-persistent -y

While apt is installing the iptables-persistent package it will ask whether to save the current rules; select the yes option. If you selected the no option, you need to save them manually by using this command: sudo netfilter-persistent save
Step 8: Enable internet connection
We’re almost done with the access point part. So far, we’ve built the access point but we cannot use the Pi’s internet connection. You can check with your devices: the wifi network that we set up at step 5 should now be visible to them. You can connect to the wifi network but you’ll see there is no internet connection.
In order to connect to the internet we should create a bridge between wlan0 and eth0 interfaces.
To build the bridge we need to install another package:

    sudo apt-get install bridge-utils

After it’s installed we’re ready to add a new bridge called br0:

    sudo brctl addbr br0

Next, connect the eth0 interface to our bridge:

    sudo brctl addif br0 eth0

Then, edit the /etc/network/interfaces file:

    sudo vim /etc/network/interfaces

Finally, add the following to the end of the file.

    auto br0

So far so good, let’s reboot the Pi and try to connect to the Pi’s wifi network.
If there was no error or misconfigured package, it should work as a normal wireless access point which extends your ethernet network. If everything is OK then continue with the next part, which is routing over the VPN.
Step 9: Install OpenVPN Package

    sudo apt install openvpn

And reboot again: sudo reboot
Step 10: Connecting to the VPN
As I said in the requirements section, we need an OpenVPN config file, which you can easily download from your VPN service provider’s website; if you have your own OpenVPN server, use its config file. I’m using ProtonVPN[3], therefore I’m going to use ProtonVPN’s OpenVPN config file.
I copied my config file into the Pi’s home directory and called it open.ovpn. The location of the config file is /home/pi/open.ovpn and I also copied my VPN credentials into the same directory and called it pass.
Let’s test if we can connect to VPN:

    sudo openvpn --config open.ovpn --auth-user-pass pass

If there was no error or misconfiguration we should see these magical words: Initialization Sequence Completed.
Step 11: Reconfigure iptables
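To create and test the access point we added an iptables rule. Now we need to change the iptables rules. Execute the following commands to erase the old iptables rules. The rule from step 7 lives in the nat table, which a plain iptables -F does not touch, so flush that table as well.

    sudo iptables -F
    sudo iptables -t nat -F
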
And add the new ones:

    sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

After that, we need to save the iptables rules. Remember the command from step 7: sudo netfilter-persistent save
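A check worth running before saving, as an added example that is not part of the original tutorial: it confirms that the only MASQUERADE rule left in the nat table is the tun0 one, since iptables -F without -t nat leaves the step 7 eth0 rule in place. The function name audit_nat_rules and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an iptables-save dump
# and flag any nat/POSTROUTING MASQUERADE rule that NATs client traffic out
# of an interface other than the VPN tunnel.
# Usage on the Pi:  sudo iptables-save | audit_nat_rules tun0
# Returns 0 when only the VPN interface is masqueraded, 1 otherwise.
# Limitation: negated matches ("! -o eth0") are not interpreted.
audit_nat_rules() {
    awk -v vpn="${1:-tun0}" '
        /^\*/ { table = substr($0, 2) }          # table header: "*nat", "*filter"
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            out = ""
            for (i = 3; i < NF; i++) if ($i == "-o") out = $(i + 1)
            if (out == vpn) { found = 1; next }
            printf "STALE: %s still masquerades via %s\n", $0, (out == "" ? "every interface" : out)
            bad = 1
        }
        END {
            if (!found) { print "MISSING: no MASQUERADE rule for " vpn; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the state left behind when the step 7 rule is still in
# the nat table after the step 11 rule has been added.
SAMPLE_STALE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT'

printf '%s\n' "$SAMPLE_STALE" | audit_nat_rules tun0 \
    || echo "ruleset is not VPN-only"
```

A clean result only covers the nat table; it says nothing about the FORWARD chain or about what the routing table does when tun0 goes down.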
Step 12: Set OpenVPN to start on boot
We don’t want to start OpenVPN manually every time the Pi starts, so we need to edit one last config file, /etc/rc.local:

    sudo vim /etc/rc.local

Add the following to this file, just above the line exit 0, adjusted for your own config and credentials files.

    sleep 5

Final step: Reboot
Just reboot the Pi one last time then sit back and connect your devices to Pi’s Wifi over VPN
Testing from my mobile phone the IP address results from the website ipsorgu.com
When I connect to my normal wifi my IP address ends with 234
When I connect to Pi’s wifi my IP address ends with 216
Reference: