“When in Spain, tunnel your traffic to where it needs to originate from (or seem to originate from).”
This is what I did:
- I got myself a Raspberry Pi 3, an extra USB connected network “card”
- Installed Raspbian Debian Jessie, minimal
- `apt-get install dnsmasq openvpn resolvconf unzip iptables-persistent` (and some more, but these are the essentials)
- configure basic networking
- setup forwarding and a tunnel
On the “client” side:
- Set a fixed IP of 192.168.16.99 on eth0, the interface facing the public internet (upstream)
- Set a fixed IP of 192.168.32.254 on eth1, the interface facing the private local network (downstream)
- Setup dnsmasq to offer leases on eth1
BARF/rant: what the eff did Raspbian do to networking in Jessie? All documentation and instructions in Jessie regarding networking DOES NOT APPLY, as Raspbian has introduced `dhcpcd` instead. Do not disable dhcpcd and reboot, as this will make your pi go up without configuring your network adapters, even if the networking file is properly configured. GAH!
Instead of fighting `dhcpcd` trying to use that 15 years of Debian based networking knowledge (which I did) - embrace the new excellent file format of `dhcpcd.conf` (it’s terrible).
- /etc/default/networking - is not in play or at least doesn’t work as documented in the file, ignore
- /etc/network/interfaces - is not in play, ignore, almost, … doesn’t work like Debian Jessie is documented, and there’s no other documentation to be found
- /etc/dhcpcd.conf - this is where the magic happens
The manual page for dhcpcd and dhcpcd.conf only includes an example of the `routers` parameter, no proper documentation at all.
Server Side Of Things
In essence: set up Source NAT, Masquerade.
- make changes (more or less `iptables -t nat -A POSTROUTING -s 192.168.32.0 ! -d 192.168.32.0 -j MASQUERADE`)
- `apt-get install -qy iptables-persistent` (will install netfilter-persistent, and iptables-persistent provides a plugin that loads ipv4 and ipv6 table rules if found in
- `iptables-save > /etc/iptables/rules.v4`
- Paid 10 € to Mullvad.net
- Downloaded the configuration zip (with ?server=se) from their site
- Unpacked into /etc/openvpn (remove one folder)
- Edit /etc/default/openvpn with
To check that it works, I `watch curl -fsSL ipinfo.io` which shows geo-IP information. The first fix was to simply `ip route add default via 192.168.32.254` with an ip alias on my laptop.
- Plug Apple TV and other wired devices directly to eth1 instead of the “router”
OpenVPN on Debian Jessie is not straightforward, lots of issues lurking - but the key was to `systemctl enable email@example.com`
- expand filesystem to use full disk size
- set amount of RAM GPU should get
Setup wifi AP using the RPi’s Wifi card, and let users either use tunneled wifi, or the non-tunneled wifi.
Tinc works really well and is so easy to set up. I should be able to make this work.
OpenVPN is not really hard to set up either, should fix my own configuration since I don’t care for the anonymity that Mullvad brings (with lower bandwidth).
OpenVPN Static Key Setup
Mullvad works and provides great anonymity, but the cost is super poor network performance. So I took the time to fix my own setup:
- start or gain access to a machine on a network where the endpoint is located where you want it (GleSYS)
- fix OpenVPN + iptables conf on server
- fix OpenVPN config on “client”
- no service here
- DNS setting on client must be reachable from server (so no local DNS bouncer)
- needs port 1194 publicly accessible
```
# openvpn --genkey --secret static.key
# cat > static.conf
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
```
Allow forwarding of IPv* traffic:
```
vim /etc/sysctl.conf
# reload
```
Setup IPtable rule:
iptables -t nat -A POSTROUTING -s 10.8.0.2/32 -o venet0 -j MASQUERADE
- copy the
- config openvpn
```
remote 22.214.171.124
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
redirect-gateway def1
```
- It took some time before I found out that a static key setup doesn’t allow “push”ing new routes, hence the inclusion of the `redirect-gateway def1` directive in the client-side configuration.
- Apple TV content may be cached, so a reboot may be required after every change to the logical network topology.
Setting it up as a service is not hard, but buggy:
```
# remove LimitNPROC from /lib/systemd/system/openvpn@.service
systemctl daemon-reload
systemctl enable openvpn@static
systemctl start openvpn@static
```
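
A pre-flight check for the static-key client described above, as an added example that is not part of the original post. It flags a key file readable by other users and a missing `redirect-gateway`, then confirms that the two /1 routes `redirect-gateway def1` installs point at the tunnel. The function names, the `tun0` device name, the key contents and the sample route table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a static-key OpenVPN client.

# audit_conf FILE: print findings for the client config; exit status = finding count.
audit_conf() {
    conf=$1; bad=0
    key=$(awk '$1 == "secret" { print $2; exit }' "$conf")
    if [ -z "$key" ]; then
        echo "no 'secret' directive: not a static-key config"; bad=$((bad + 1))
    else
        case $key in /*) ;; *) key=$(dirname "$conf")/$key ;; esac
        # The static key is the tunnel's only secret: whoever reads it can decrypt.
        if [ ! -f "$key" ]; then
            echo "key file $key is missing"; bad=$((bad + 1))
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "key file $key is accessible to group/other (chmod 600)"; bad=$((bad + 1))
        fi
    fi
    # Static-key mode cannot push routes, so the client must redirect its own gateway.
    grep -Eq '^[[:space:]]*redirect-gateway([[:space:]]|$)' "$conf" ||
        { echo "redirect-gateway missing: traffic will bypass the tunnel"; bad=$((bad + 1)); }
    grep -Eq '^[[:space:]]*remote[[:space:]]' "$conf" ||
        { echo "no 'remote' directive"; bad=$((bad + 1)); }
    return "$bad"
}

# routes_via_tunnel DEV: reads `ip -4 route show` output on stdin and succeeds only
# if both /1 routes that `redirect-gateway def1` installs go out through DEV.
routes_via_tunnel() {
    awk -v dev="$1" '
        $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) seen[$1] = 1
        }
        END { exit !(seen["0.0.0.0/1"] && seen["128.0.0.0/1"]) }'
}

# Constructed sample: this page's client config with the key left world-readable.
demo=$(mktemp -d)
echo "placeholder, not a real key" > "$demo/static.key"; chmod 644 "$demo/static.key"
printf '%s\n' 'remote 22.214.171.124' 'dev tun' 'ifconfig 10.8.0.2 10.8.0.1' \
    'secret static.key' 'redirect-gateway def1' > "$demo/static.conf"
audit_conf "$demo/static.conf" || echo "findings: $?"

# Constructed route table as it looks while the tunnel is up (tun0 is assumed).
printf '%s\n' '0.0.0.0/1 via 10.8.0.1 dev tun0' '128.0.0.0/1 via 10.8.0.1 dev tun0' \
    'default via 192.168.16.1 dev eth0' | routes_via_tunnel tun0 && echo "tunnel carries default traffic"
rm -rf "$demo"
```

On the gateway itself, feed the second check live data with `ip -4 route show | routes_via_tunnel tun0`, substituting the tunnel device the system actually created.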