Tuesday, December 22, 2015

Raspberry Pi router and Openvpn client

I wanted a cheap VPN proxy service. As per my previous post I set up a small cloud server with openvpn plus dnscache. You can add a squid proxy too, depending on your needs.

I decided to use a Raspberry Pi as a cheap router. I bought an Edimax USB ethernet adaptor to give me two ports.

I got myself a stripped down version of Wheezy (I wasn't up to tackling that piece of junk called systemd)

This is for a V1 Pi :

https://www.linuxsystems.it/raspbian-wheezy-armhf-raspberry-pi-minimal-image/

There are others for a v2 out there. The choice is yours.

Once installed we need to do the following:

apt-get install fake-hwclock ntp ntpstat lsusb usbutils firmware-realtek nmap vnstat nload bmon htop mc openvpn dnsmasq net-tools resolvconf

# Make sure dnsmasq for dhcp/dns is running
root@raspberry-pi:~# grep -v '^$\|^#' /etc/default/dnsmasq
ENABLED=1

# Set up the interface and the DHCP range it will serve to clients
root@raspberry-pi:/etc# grep -v '^$\|^#' /etc/dnsmasq.conf
interface=eth1
domain=local.net
dhcp-range=192.168.50.50,192.168.50.150,12h

# Make sure forwarding is set
root@raspberry-pi:/etc# grep -v '^$\|^#' /etc/sysctl.conf
net.ipv4.ip_forward=1
vm.min_free_kbytes = 8192

# Forward everything to the VPN tunnel. Note: the FORWARD policy below is ACCEPT and only traffic leaving via tun0 is masqueraded,
# so if the tunnel is down LAN traffic can still be forwarded out eth0 - add FORWARD rules that only allow eth1 -> tun0 if you want this enforced
root@raspberry-pi:/etc# grep -v '^$\|^#' /etc/iptables.conf
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.50.0/24 -o tun0 -j MASQUERADE
COMMIT

# SSHD
# Install your SSH keys, change the default port and disable SSH password authentication!


# Copy your keys and configs to /etc/openvpn

# For DNS you can use /etc/openvpn/update-resolv-conf:
# add this line to your client config /etc/openvpn/myclient.conf
# (it could also be configured on the server side so it ends up in the client conf)
up /etc/openvpn/update-resolv-conf

# We can also add this, but if openvpn runs as a restricted user (e.g. nobody) the down script will fail
down /etc/openvpn/update-resolv-conf

# If you don't use resolvconf, make sure your DNS queries are sent to your resolver. You will have to set a static IP on eth0
# or this will get overwritten
root@raspberry-pi:/etc# cat /etc/resolv.conf
nameserver 192.168.95.1


root@raspberry-pi:/etc# cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

allow-hotplug eth0
# Note above comments re DNS
iface eth0 inet dhcp

allow-hotplug eth1
iface eth1 inet static
   address 192.168.50.1
   netmask 255.255.255.0
   network 192.168.50.0
   broadcast 192.168.50.255


# Make sure you have some time servers... (the Pi has no RTC, and OpenVPN's certificate validity checks need a correct clock)

root@raspberrypi:/etc/resolvconf# grep -v '^$\|^#' /etc/ntp.conf
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

# Connect to your Pi

Check that your connection works (and that your DNS is not leaking) with sites like whatsmyip.net and dnsleaktest.com
