Raspberry Pi VPN Gateway

rod
Site Admin
Posts: 37
Joined: Wed Jul 31, 2019 7:19 am
Location: Boambee East, NSW


Post by rod »

On the client side of my VPN I have a Roku which is quite literally a "black box" and cannot be configured to support a VPN. Many other devices will also present this problem. Once again a Raspberry Pi came to the rescue!

I configured one as a "VPN gateway" which means adding the following characteristics:
  • It's a VPN client.
  • It's a router.
  • It's a DHCP server.
Discussion of configuring each of these aspects follows. I used a Pi model 2 because one was handy, but other models should work as well. Its operating system is Raspbian 10.

VPN Client

A VPN client of course needs to connect to a VPN server. See the article Raspberry Pi VPN Server for more about that. You will need to create a client configuration file on the server side.

On the client, install the openvpn package.

sudo apt-get install openvpn

Then copy the configuration file into the directory /etc/openvpn/. You must rename the file so that its name ends in ".conf". After a reboot your VPN connection should be active, and an ifconfig command should show a new "tun0" network interface.

Router

Because I did not want the performance penalty of wi-fi I chose to cable the Pi directly to my network's main router. The Roku box also needs an ethernet connection to the Pi, so a second ethernet port was in order. For this I purchased a USB-to-ethernet adapter from Amazon. If you connect the Pi to your main router via wi-fi then you won't need the extra adapter.

In my case Linux recognizes the built-in ethernet interface as "eth0" and the added USB/ethernet adapter as "eth1". The Roku will be connected to eth1 and the Pi will need to perform routing on behalf of that interface.

This ethernet port (for connection to the Roku) needs a static IP address that is not on your local network. I chose 192.168.9.1. For Raspbian 10 this is configured in the file /etc/dhcpcd.conf. To do that, insert lines like these at the end of this file:

interface eth1
static ip_address=192.168.9.1/24
nolink

The line "nolink" causes the interface to be configured even if it is not yet cabled to the Roku.

Now when you're a router, your job is to ensure that network packets entrusted to you are forwarded to their intended destination. This includes response packets that come back from the destinations of request packets. I won't go into all the details but this requires a feature called masquerading. This forwarding and masquerading are accomplished with the following script /root/bin/afterboot:

#!/bin/bash
# Give the network interfaces (including the VPN's tun0) a moment to come up after boot.
sleep 5
# Rewrite the source address of packets leaving via eth0 (home LAN) and tun0 (VPN tunnel)
# to the Pi's own address on that interface, so replies come back to the Pi and can be
# forwarded on to the Roku.
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
# Turn on IPv4 forwarding between interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward

The script must be executable, so do this after creating it:

chmod a+x /root/bin/afterboot

I caused the script to be invoked at boot time by adding the following line to /etc/rc.local, just before the "exit 0" line:

/root/bin/afterboot &

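The afterboot script above masquerades on both eth0 and tun0, so if the tunnel is down the Roku's traffic still leaves through the home LAN. The following is an added example, not the post's own script, of a stricter rule set in which packets from the Roku side can only ever be forwarded into the tunnel. It assumes the post's interface names (eth1 = Roku, eth0 = home LAN, tun0 = OpenVPN) and the standard iptables conntrack match; the IPT variable is a hypothetical override that lets you preview the commands with IPT=echo before running them as root.

```shell
#!/bin/sh
# Added example (not the original post's afterboot script): a "VPN-only"
# forwarding policy for the Pi gateway.
# IPT may be overridden (IPT=echo) to print the commands instead of applying them.
IPT=${IPT:-iptables}

vpn_gateway_rules() {   # roku_if lan_if vpn_if
    roku_if=$1; lan_if=$2; vpn_if=$3
    # Masquerade only behind the tunnel address. The post also masqueraded on
    # eth0, which lets Roku traffic reach the home LAN directly when tun0 is down.
    $IPT -t nat -A POSTROUTING -o "$vpn_if" -j MASQUERADE
    # Forward nothing by default, then allow only the two directions needed.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$roku_if" -o "$vpn_if" -j ACCEPT
    $IPT -A FORWARD -i "$vpn_if" -o "$roku_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Explicit refusal of Roku -> home LAN, so a dropped VPN never becomes a silent leak.
    $IPT -A FORWARD -i "$roku_if" -o "$lan_if" -j DROP
}

enable_forwarding() {
    # Same setting the post writes to /proc/sys/net/ipv4/ip_forward.
    sysctl -w net.ipv4.ip_forward=1
}

# Run as "afterboot-strict apply" (root required) to install the rules.
case "${1:-}" in
    apply) vpn_gateway_rules eth1 eth0 tun0 && enable_forwarding ;;
esac
```

Invoked from /etc/rc.local the same way as the post's afterboot, this gives the Roku no path to the internet except the tunnel: when OpenVPN is down the Roku simply loses connectivity, which is the failure mode you want from a VPN gateway.
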
DHCP Server

The Roku will expect to retrieve its IP address and other network configuration from the new router. So the Pi must run DHCP server software. Install the isc-dhcp-server package for this.

Note that it would be very bad for this DHCP server to be exposed to your local network. It must be configured to listen only to requests on eth1, from the Roku. Configure it by editing the following files as shown below:

/etc/dhcp/dhcpd.conf should look something like this:

option domain-name "example.org";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 86400;
max-lease-time 86400;
ddns-update-style none;
authoritative;
subnet 192.168.9.0 netmask 255.255.255.0 {
  range 192.168.9.100 192.168.9.199;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.9.255;
  option routers 192.168.9.1;
}

It also has many other lines that are commented out (beginning with #), and you can leave those unchanged.

Also the file /etc/default/isc-dhcp-server must have its INTERFACESv4 line changed so that it specifies the interface connecting to the Roku.

INTERFACESv4="eth1"
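Because a DHCP server that answers on the home-LAN side would fight your main router, it is worth checking the two files above before (re)starting isc-dhcp-server. The following is an added example, not part of the post, of a small POSIX sh check: it reads INTERFACESv4 from the defaults file, pulls the subnet declarations out of dhcpd.conf, and fails if the server would listen on anything but the Roku interface or if any scope overlaps the home LAN. File paths, the interface name and the home-LAN subnet are arguments; the sample files it writes are constructed copies of the post's configuration.

```shell
#!/bin/sh
# Added example, not from the original post: verify the isc-dhcp-server
# configuration can only ever serve the Roku-side interface and subnet.

# Dotted quad -> integer, using only POSIX sh arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Interfaces named on the INTERFACESv4= line of /etc/default/isc-dhcp-server.
dhcp_listen_ifaces() {
    sed -n 's/^INTERFACESv4="\([^"]*\)".*/\1/p' "$1"
}

# "subnet X netmask Y" declarations of dhcpd.conf, printed as "X Y".
dhcp_subnets() {
    sed -n 's/^[[:space:]]*subnet[[:space:]]*\([0-9.]*\)[[:space:]]*netmask[[:space:]]*\([0-9.]*\).*/\1 \2/p' "$1"
}

# Two networks overlap iff they agree under the shorter of the two masks
# (masks are contiguous, so the shorter one is their bitwise AND).
nets_overlap() {   # net1 mask1 net2 mask2
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# Return 0 only if the server listens solely on roku_if and no scope it
# serves overlaps the home LAN.
check_dhcp_scope() {   # defaults_file dhcpd_conf roku_if home_net home_mask
    defaults=$1; conf=$2; roku_if=$3; home_net=$4; home_mask=$5
    ifaces=$(dhcp_listen_ifaces "$defaults")
    if [ "$ifaces" != "$roku_if" ]; then
        echo "INTERFACESv4 is '$ifaces', expected only '$roku_if'" >&2
        return 1
    fi
    scopes=$(dhcp_subnets "$conf" | tr ' ' '/')
    [ -n "$scopes" ] || { echo "no subnet declaration in $conf" >&2; return 1; }
    for s in $scopes; do
        net=${s%/*}; mask=${s#*/}
        if nets_overlap "$net" "$mask" "$home_net" "$home_mask"; then
            echo "scope $net/$mask overlaps home LAN $home_net/$home_mask" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample files mirroring the post's values, for trying the check
# without touching /etc.
write_sample_config() {   # directory
    cat > "$1/isc-dhcp-server" <<'EOF'
INTERFACESv4="eth1"
INTERFACESv6=""
EOF
    cat > "$1/dhcpd.conf" <<'EOF'
option domain-name-servers 8.8.8.8, 8.8.4.4;
authoritative;
subnet 192.168.9.0 netmask 255.255.255.0 {
  range 192.168.9.100 192.168.9.199;
  option routers 192.168.9.1;
}
EOF
}

# Run directly with your home LAN as arguments, e.g.
#   sh dhcp-scope-check.sh 192.168.1.0 255.255.255.0
# to check the live files before restarting the service.
if [ "$#" -eq 2 ]; then
    check_dhcp_scope /etc/default/isc-dhcp-server /etc/dhcp/dhcpd.conf eth1 "$1" "$2" \
        && echo "DHCP scope OK"
fi
```

The overlap test deliberately compares whole networks rather than just the interface name, so a scope that happens to match a larger home subnet (a /16, say) is caught as well.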