“When in Spain, tunnel your traffic to where it needs to originate from (or seem to originate from).”
This is what I did:
- I got myself a Raspberry Pi 3, an extra USB connected network “card”
- Installed Raspbian Debian Jessie, minimal
- apt-get install dnsmasq openvpn resolvconf unzip iptables-persistent (and some more, but these are the essentials)
- configure basic networking
- setup forwarding and a tunnel
- Set a fixed IP of (eth0) 192.168.16.99 on the public internet facing interface
- Set a fixed IP of (eth1) 192.168.32.254 on the private network facing interface
- Setup dnsmasq to offer leases on eth1
BARF/rant: what the eff did Raspbian do to networking in Jessie? All documentation and instructions in Jessie regarding networking DO NOT APPLY, as Raspbian has introduced dhcpcd instead. Do not disable dhcpcd and reboot, as this will make your pi go up without configuring your network adapters, even if the networking file is properly configured. GAH!
Instead of fighting dhcpcd trying to use that 15 years of Debian based networking knowledge (which I did) - embrace the new excellent file format of dhcpcd.conf (it’s terrible).
- /etc/default/networking - is not in play or at least doesn’t work as documented in the file, ignore
- /etc/network/interfaces - is not in play, ignore, almost, … doesn’t work like Debian Jessie is documented, and there’s no other documentation to be found
- /etc/dhcpcd.conf - this is where the magic happens
The manual page for dhcpcd and dhcpcd.conf only includes an example of the routers parameter, no proper documentation at all.
Source NAT, Masquerade
- make changes (more or less iptables -t nat -A POSTROUTING -s 192.168.32.0 ! -d 192.168.32.0 -j MASQUERADE)
apt-get install -qy iptables-persistent (will install netfilter-persistent, and iptables-persistent provides a plugin that loads ipv4 and ipv6 table rules if found in
iptables-save > /etc/iptables/rules.v4
- Paid 10 € to Mullvad.net
- Downloaded the configuration zip (with ?server=se) from their site
- Unpacked into /etc/openvpn (remove one folder)
- Edit /etc/default/openvpn with
To check that it works, I watch curl -fsSL ipinfo.io which shows geo-IP information. The first fix was to simply ip route add default via 192.168.32.254 with an ip alias on my laptop.
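The networking, DHCP and NAT steps above, put together as an added example (these are not the author's own files). It assumes /24 netmasks, an upstream gateway of 192.168.16.1, a DHCP pool of .100 to .200 and an OpenVPN interface named tun0. It goes one step beyond the post by forwarding LAN traffic only into the tunnel, so nothing leaves via eth0 while the tunnel is down.

```shell
#!/bin/sh
# Added example: prints config fragments for the router described above.
# Assumed, not from the page: /24 masks, gateway 192.168.16.1, DHCP pool
# .100-.200, tunnel interface tun0. Nothing here writes to /etc.
WAN_IP=192.168.16.99 LAN_IP=192.168.32.254
WAN_GW=${WAN_GW:-192.168.16.1} LAN_NET=${LAN_NET:-192.168.32.0/24}
TUN_IF=${TUN_IF:-tun0}

# iptables treats an address without a prefix as a single host (/32).
has_prefix() { case "$1" in */*) return 0 ;; *) return 1 ;; esac; }

dhcpcd_conf() {  # append to /etc/dhcpcd.conf
cat <<EOF
interface eth0
static ip_address=$WAN_IP/24
static routers=$WAN_GW
static domain_name_servers=$WAN_GW

# No "static routers" on eth1: the LAN side must not add a default route.
interface eth1
static ip_address=$LAN_IP/24
EOF
}

dnsmasq_conf() {  # e.g. /etc/dnsmasq.d/lan.conf
cat <<EOF
interface=eth1
bind-interfaces
dhcp-range=192.168.32.100,192.168.32.200,12h
dhcp-option=option:router,$LAN_IP
EOF
}

rules_v4() {  # /etc/iptables/rules.v4 (iptables-restore format)
has_prefix "$LAN_NET" || { echo "LAN_NET needs a prefix, e.g. /24" >&2; return 1; }
cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET ! -d $LAN_NET -o $TUN_IF -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s $LAN_NET -i eth1 -o $TUN_IF -j ACCEPT
-A FORWARD -i $TUN_IF -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
```

Redirect each function's output to the file named in its comment. Forwarding also needs net.ipv4.ip_forward=1 in /etc/sysctl.conf.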
- Plug Apple TV and other wired devices directly to eth1 instead of the “router”
- autossh to get a tunnel for remote debugging
- Freedns to get a name to the IP of the router
Set up wifi AP using the RPi’s Wifi card, and let users either use tunneled wifi, or the non-tunneled wifi.
Tinc works really well and is so easy to set up. I should be able to make this work.
OpenVPN is not really hard to set up either, should fix my own configuration since I don’t care for anonymity that Mullvad brings (with lower bandwidth).