Raspberry Pi VPN Gateway
Posted: Fri Aug 07, 2020 10:05 am
On the client side of my VPN I have a Roku which is quite literally a "black box" and cannot be configured to support a VPN. Many other devices will also present this problem. Once again a Raspberry Pi came to the rescue!
I configured one as a "VPN gateway", which means adding the following characteristics:
- It's a VPN client.
- It's a router.
- It's a DHCP server.

VPN Client

A VPN client of course needs to connect to a VPN server. See the article Raspberry Pi VPN Server for more about that. You will need to create a client configuration file on the server side.

On the client, install the openvpn package:

    sudo apt-get install openvpn

Then copy the configuration file into the directory /etc/openvpn/. You must rename the file so the name ends in ".conf". Then, after a reboot, your VPN connection should be active and an ifconfig command should show a new "tun0" network interface.

Router

Because I did not want the performance penalty of wi-fi, I chose to cable the Pi directly to my network's main router. The Roku box also needs an ethernet connection to the Pi, so a second ethernet port was in order. For this I purchased a USB-to-ethernet adapter from Amazon. If you connect the Pi to your main router via wi-fi, you won't need the extra adapter.

In my case Linux recognizes the built-in ethernet interface as "eth0" and the added USB/ethernet adapter as "eth1". The Roku will be connected to eth1, and the Pi will need to perform routing on behalf of that interface.

This ethernet port (for connection to the Roku) needs a static IP address on a subnet that is not your local network's. I chose 192.168.9.1. For Raspbian 10 this is configured in the file /etc/dhcpcd.conf. To do that, insert lines like these at the end of the file:

    interface eth1
    static ip_address=192.168.9.1/24
    nolink

The line "nolink" causes the interface to be configured even if it is not yet cabled to the Roku.

Now when you're a router, your job is to ensure that network packets entrusted to you are forwarded to their intended destination. This includes response packets that come back from the destinations of request packets. I won't go into all the details, but this requires a feature called masquerading. The forwarding and masquerading are accomplished with the following script, /root/bin/afterboot:

    #!/bin/bash
    # give the interfaces time to come up after boot
    sleep 5
    # rewrite the source address of forwarded packets to that of the outgoing interface
    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
    # turn on IPv4 forwarding in the kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward

The script must be executable, so do this after creating it:

    chmod a+x /root/bin/afterboot

I caused the script to be invoked at boot time by adding the following line to /etc/rc.local, just before the "exit 0" line:

    /root/bin/afterboot &
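The following is an added example, not the poster's own afterboot script: a stricter variant that forwards Roku traffic only into the tunnel and refuses to forward it out of eth0, so a VPN outage cuts the Roku off rather than letting its traffic leave the Pi unencrypted (the original script masquerades on eth0 as well as tun0, which is what allows that fallback); it also drops DHCP requests arriving on eth0 as a second line of defence for the DHCP server set up in the next section. The interface names eth0, tun0 and eth1 are taken from the post; that OpenVPN installs the default route via tun0 is assumed.

```shell
#!/bin/sh
# Added example, not the original poster's /root/bin/afterboot. The original
# masquerades on eth0 as well as tun0, so when the tunnel is down the Roku's
# traffic is routed out via the LAN in the clear. Here packets from the Roku
# port may only be forwarded into the tunnel; forwarding towards eth0 is
# dropped, so a VPN outage cuts the Roku off instead of exposing it.
# Interface names are the ones from the post; adjust to match your Pi.
LAN_IF="${LAN_IF:-eth0}"          # uplink cabled to the main router
VPN_IF="${VPN_IF:-tun0}"          # OpenVPN tunnel interface
CLIENT_IF="${CLIENT_IF:-eth1}"    # port the Roku is cabled to

# Emit the iptables commands as text so they can be reviewed before being applied.
build_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $CLIENT_IF -o $VPN_IF -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $CLIENT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $CLIENT_IF -o $LAN_IF -j DROP
iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j DROP
EOF
}

# Succeeds only if no rule masquerades or accepts forwarding out of the LAN uplink,
# i.e. the rule set has no path for Roku traffic to bypass the tunnel.
leak_check() {
    ! build_rules | grep -Eq -- "-o $LAN_IF -j (MASQUERADE|ACCEPT)"
}

apply_rules() {
    sleep 5    # as in the original script: give the interfaces time to come up
    leak_check || { echo "refusing to apply rules that bypass $VPN_IF" >&2; exit 1; }
    build_rules | while IFS= read -r cmd; do eval "$cmd"; done
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# "afterboot apply" (as root, e.g. "/root/bin/afterboot apply &" in rc.local)
# installs the rules; any other invocation just prints them for inspection.
case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Because only eth1-to-tun0 forwarding is allowed, the Roku is no longer reachable from other LAN devices through the Pi; add a matching ACCEPT pair for eth1 and eth0 if you need that and accept the weaker isolation.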
DHCP Server

The Roku will expect to retrieve its IP address and other network configuration from the new router, so the Pi must run DHCP server software. Install the isc-dhcp-server package for this.

Note that it would be very bad for this DHCP server to be exposed to your local network. It must be configured to listen only to requests on eth1, from the Roku. Configure it by editing the following files as shown below.

/etc/dhcp/dhcpd.conf should look something like this:
    option domain-name "example.org";
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    default-lease-time 86400;
    max-lease-time 86400;
    ddns-update-style none;
    authoritative;
    subnet 192.168.9.0 netmask 255.255.255.0 {
        range 192.168.9.100 192.168.9.199;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.9.255;
        option routers 192.168.9.1;
    }

It also has many other lines that are commented out (beginning with #), and you can leave those unchanged.
Also the file /etc/default/isc-dhcp-server must have its INTERFACESv4 line changed so that it specifies the interface connecting to the Roku.
    INTERFACESv4="eth1"