So more recently I have started to make use of Cloud based systems, VPN’s, Web Services / Servers etc. One of the things I have wanted to build for a while is a portable Router / WiFi hub that can support a VPN connection.

There has recently been a lot of published warnings about people being exposed while surfing the internet at cafes or other public WiFi hot spots.

The idea of this project is to make use of a Raspberry PI, a second Ethernet Dongle, a Wifi Dongle and a VPN connection. One of the Raspberry Pi’s Ethernet sockets plugs into the public internet while the other (and soon to come WiFi Access Point) acts as its own private network, tunneling all data to the internet via a VPN connection.

Below are some of my notes about how I have build a Raspberry PI, VPN secured Router:

Raspberry Pi VPN Router Config

eth0 (on the PI) connected to the internal network
eth1 (USB to Ethernet) connected to the internet / network
tun0 The VPN Tunnel created when the PI connects to the VPN server
wlan0 (Usb to Wifi) Not Configured

Start with a NEW blank image of Raspberry ArmHF from http://www.raspberrypi.org/downloads

The first thing you should do is run:

sudo apt-get update && sudo apt-get install ca-certificates

which will update and upgrade your PI’s base image and also install certificates information

Once all the updates and installs have taken place we need to reboot the pi:

Sudo shutdown now -r

From here we need to configure all the network interfaces 1st
Then configure the VPN, test the vpn, and then install all the packages to make the Pi into a VPN’ed Router

To configure the network interfaces we need to edit the following file:

/etc/network/interfaces to do this we will use nano:

sudo nano /etc/network/interfaces

To keep things flexible and easy to manage we will want the INTERNET facing ethernet socket to be a DHCP Client, remember this is the USB to Ethernet port (eth1). We want the INTERNAL facing Ethernet socket (On the Pi, eth0) to be static and issue out IP addresses to connected computers. When the VPN connection goes live we will link the Eth0 to Tun0 so that all data traffic from Eth0 goes via the VPN connection.

Inside /etc/network/interfaces we need to add the following (removing the old data):


# interfaces(5) file used by ifup(8) and ifdown(8)

auto lo
iface lo inet loopback

#Onboard NIC connecting to the Internal Network
auto eth0
iface eth0 inet static
address 192.168.50.1
netmask 255.255.255.0
network 192.168.50.0
broadcast 192.168.50.255
gateway 192.168.50.1
#USB NIC serving as internet gateway
auto eth1
iface eth1 inet dhcp

Save the file and close the editor, as it stands now, your file has been saved but not loaded. You can load the file by either rebooting the PI or rebooting networking interfaces:

sudo /etc/init.d/networking restart

You can either do this now or in my case, wait and install all packages needed and then give the system a reboot to load everything in one go.
From here we need to install the following tools:

bind9 isc-dhcp-server perl libnet-ssleay-perl openssl openvpn libauthen-pam-perl libpam-runtime libio-pty-perl libdigest-md5-perl apt-show-versions libapt-pkg-perl this is done by:

sudo apt-get install bind9 isc-dhcp-server perl libnet-ssleay-perl openssl openvpn libauthen-pam-perl libpam-runtime libio-pty-perl libdigest-md5-perl apt-show-versions libapt-pkg-perl

Installing the VPN Tunnel:
With OpenVPN installed we can load our provided .OVPN file. This will have been generated (or provided from your VPN provider) by your server and needs to be loaded into:

/etc/openvpn/

In my case, i have the file loaded on an internal webserver so I just issue the commands:

cd /etc/openvpn/

sudo wget http://server.local/files/PI_VPN.ovpn

This downloads the .ovpn file to the directory, now we need to edit the file’s name so that OpenVPN picks it up on the next reload.

sudo mv PI_VPN.ovpn openvpn.conf

Now you need to reboot the VPN Server to pick up the new settings:

sudo /etc/init.d/openvpn restart

Installing the Router section:
Now we need to edit the DHCP server config details so that when users connect to the PI it will issue a DHCP address and resolve DNS Queries.

sudo nano /etc/dhcp/dhcpd.conf

As we want this DHCP server to have command of the IP network we need to make it authoritative, so you need to find and remove the # uncommenting out the following line:

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

Now we need to add a new subnet to the network:

subnet 192.168.50.0 netmask 255.255.255.0 {
range 192.168.50.10 192.168.50.250;
option broadcast-address 192.168.50.255;
option routers 192.168.50.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name “local”;
option domain-name-servers 8.8.8.8, 8.8.4.4;
}

This sets the reference IP range from 192.168.50.10 to 192.168.50.250 – more than enough for a small local network.
The networks domain is called ‘local’ you can also change this to anything you want ie home

Ive also appended the DNS Settings for Google’s Domain servers to this note, this means any DNS lookups perfomed by the PI will resolve against Google and not your ISP. If your using a custom DNS Server this is the place to change the information to reflect this.

Now Save the file and exit.

You can reboot the DHCP Service by typing in:

sudo /etc/init.d/isc-dhcp-server restart

You should recieve two OK messages.

If you have more than one device connected to your (new) internal network you should be able to ping them by typing in:

Ping 192.168.50. 55 (assuming your ping’ing device has an IP of 192.168.50.55) but it wont allow you to connect out to the wider world just yet.

Now we need to edit the IP Tables of the PI, to allow the forwarding of traffic from the VPN gateway into the internal network.

To do this type:

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

which will allow the forwarding of IPV4 IP traffic, we also need to edit:

sudo nano /etc/sysctl.conf

and uncomment out (remove the #) around the line:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Save the file and exit.

Now we need to edit the IP Tables rules to allow for traffic. Type in:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Unfortunately, due to the nature of IP Tables if the PI looses power, it will reset it the IP tables back, loosing all your settings (not handy if you plan on moving the PI about) so we need to now backup and save your new settings.
This is done by saving your IP Tables as a rule file:

sudo iptables-save > /etc/iptables.up.rules

You can call the saved file anything you like, but it helps to keep things organised.
Now we need to create and edit a script to load the IP Tables Rule file:

sudo nano /etc/network/if-pre-up.d/iptables

and insert:

#!/bin/sh
#This script restores iptables upon reboot

iptables-restore < /etc/iptables.up.rules

exit 0

Now we need to edit the ownership & permissions of this file so it will run on boot:

sudo chown root:root /etc/network/if-pre-up.d/iptables && sudo chmod +x /etc/network/if-pre-up.d/iptables && sudo chmod 755 /etc/network/if-pre-up.d/iptables

You should now be able to reboot your PI as much as you like and it will retain all your data settings! (YaY).

Its worth giving your PI a reboot now, Given all the things you have now loaded onto the PI you will need to give it a reboot to get it going properly.