mullvad-openvpn

“When in Spain, tunnel your traffic to where it needs to originate from (or seem to originate from).”

This is what I did:

  • I got myself a Raspberry Pi 3, an extra USB connected network “card”
  • Installed Raspbian Debian Jessie, minimal
  • apt-get install dnsmasq openvpn resolvconf unzip iptables-persistent (and some more, but these are the essentials)
  • configure basic networking
  • set up forwarding and a tunnel

Basic networking

  • Set a fixed IP of (eth0) 192.168.16.99 on the public internet facing interface
  • Set a fixed IP of (eth1) 192.168.32.254 on the private network facing interface
  • Set up dnsmasq to offer leases on eth1

BARF/rant: what the eff did Raspbian do to networking in Jessie? All documentation and instructions in Jessie regarding networking DOES NOT APPLY, as Raspbian has introduced dhcpcd instead. Do not disable dhcpcd and reboot, as this will make your pi go up without configuring your network adapters, even if the networking file is properly configured. GAH!

Instead of fighting dhcpcd trying to use that 15 years of Debian based networking knowledge (which I did) - embrace the new excellent file format of dhcpcd.conf (it’s terrible).

  • /etc/default/networking - is not in play or at least doesn’t work as documented in the file, ignore
  • /etc/network/interfaces - is not in play, ignore, almost, … doesn’t work like Debian Jessie is documented, and there’s no other documentation to be found
  • /etc/dhcpcd.conf - this is where the magic happens

The manual page for dhcpcd and dhcpcd.conf only includes an example of the routers parameter, no proper documentation at all.

Source NAT, Masquerade

  • make changes (more or less iptables -t nat -A POSTROUTING -s 192.168.32.0 ! -d 192.168.32.0 -j MASQUERADE)
  • apt-get install -qy iptables-persistent (will install netfilter-persistent, and iptables-persistent provides a plugin that loads ipv4 and ipv6 table rules if found in /etc/iptables/rules.vX)
  • iptables-save > /etc/iptables/rules.v4
  • Enable ip_forward in /etc/sysctl.conf
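
The MASQUERADE rule above is not tied to the tunnel, so when OpenVPN is down the wired clients are simply NATed out of eth0 with the real address. The script below is an added example, not part of the original setup: it audits the persisted files for forwarding, the NAT rule and a FORWARD block from eth1 to eth0. The /24 netmask, the function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the persisted settings of the gateway described above.
# Assumptions (not from the page): the LAN is a /24 and eth0 is the untunneled uplink.
LAN_NET="192.168.32.0/24"; LAN_IF="eth1"; WAN_IF="eth0"

# audit_gateway RULES_FILE SYSCTL_FILE: prints findings, returns the number of failures.
audit_gateway() {
    rules=$1; sysctl=$2; fails=0
    # 1. Forwarding must be enabled on an uncommented line.
    if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$sysctl"; then
        echo "ok   ip_forward enabled"
    else
        echo "FAIL ip_forward not enabled in $sysctl"; fails=$((fails + 1))
    fi
    # 2. Source NAT for the LAN must be present in the saved nat table.
    if grep -E '^-A POSTROUTING ' "$rules" | grep -F -- "-s $LAN_NET" | grep -q -- '-j MASQUERADE'; then
        echo "ok   MASQUERADE rule for $LAN_NET"
    else
        echo "FAIL no MASQUERADE rule for $LAN_NET"; fails=$((fails + 1))
    fi
    # 3. Without a FORWARD drop from the LAN to the plain uplink, clients fall
    #    back to the untunneled default route whenever OpenVPN is not running.
    if grep -Eq "^-A FORWARD .*-i $LAN_IF .*-o $WAN_IF .*-j (DROP|REJECT)" "$rules"; then
        echo "ok   $LAN_IF -> $WAN_IF forwarding blocked"
    else
        echo "FAIL $LAN_IF can reach $WAN_IF directly when the tunnel is down"; fails=$((fails + 1))
    fi
    return "$fails"
}

# write_sample DIR: constructed files mirroring the steps on this page (NAT rule only).
write_sample() {
    printf '%s\n' 'net.ipv4.ip_forward=1' > "$1/sysctl.conf"
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $LAN_NET ! -d $LAN_NET -j MASQUERADE" 'COMMIT' > "$1/rules.v4"
}

# Run with --demo to audit the constructed sample instead of real files.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample "$d"
    audit_gateway "$d/rules.v4" "$d/sysctl.conf"
fi
```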

Tunnel

  • Paid 10 € to Mullvad.net
  • Downloaded the configuration zip (with ?server=se) from their site
  • Unpacked into /etc/openvpn (remove one folder)
  • Edit /etc/default/openvpn with AUTOSTART="mullvad_linux.conf"

Finally

To check that it works, I watch curl -fsSL ipinfo.io which shows geo-IP information. The first fix was to simply ip route add default via 192.168.32.254 with an ip alias on my laptop.

  • Plug Apple TV and other wired devices directly to eth1 instead of the “router”
  • autossh to get a tunnel for remote debugging
  • Freedns to get a name to the IP of the router

Issues

OpenVPN on Debian Jessie is not straightforward, lots of issues lurking - but the key was to systemctl enable openvpn@mullvad.conf

Manual work:

  • raspi-config
    • expand filesystem to use full disk size
    • set amount of RAM GPU should get
  • hostnamectl set-hostname

Wishlist

Set up wifi AP using the RPi’s Wifi card, and let users either use tunneled wifi, or the non-tunneled wifi.

Tinc works really well and is so easy to set up. I should be able to make this work.

OpenVPN is not really hard to set up either, should fix my own configuration since I don’t care for anonymity that Mullvad brings (with lower bandwidth).

This work by Fredrik Wendt is licensed under CC by-sa.