“When in Spain, tunnel your traffic to where it needs to originate from (or seem to originate from).”

This is what I did:

  • I got myself a Raspberry Pi 3, an extra USB connected network “card”
  • Installed Raspbian Debian Jessie, minimal
  • apt-get install dnsmasq openvpn resolvconf unzip iptables-persistent (and some more, but these are the essentials)
  • configure basic networking
  • setup forwarding and a tunnel

Basic networking

On the “client” side:

  • Set a fixed IP of (eth0) on the public, internet-facing network (upstream)
  • Set a fixed IP of (eth1) on the private, local-facing network (downstream)
  • Setup dnsmasq to offer leases on eth1

BARF/rant: what the eff did Raspbian do to networking in Jessie? All documentation and instructions in Jessie regarding networking DO NOT APPLY, as Raspbian has introduced dhcpcd instead. Do not disable dhcpcd and reboot, as this will make your Pi come up without configuring your network adapters, even if the networking file is properly configured. GAH!

Instead of fighting dhcpcd trying to use that 15 years of Debian-based networking knowledge (which I did) - embrace the new excellent file format of dhcpcd.conf (it’s terrible).

  • /etc/default/networking - is not in play or at least doesn’t work as documented in the file, ignore
  • /etc/network/interfaces - is not in play, ignore (almost): it doesn’t work the way Debian Jessie documents it, and there’s no other documentation to be found
  • /etc/dhcpcd.conf - this is where the magic happens

The manual page for dhcpcd and dhcpcd.conf only includes an example of the routers parameter, no proper documentation at all.

Server Side Of Things

In essence: setup Source NAT, Masquerade.

  • make changes (more or less iptables -t nat -A POSTROUTING -s ! -d -j MASQUERADE)
  • apt-get install -qy iptables-persistent (will install netfilter-persistent, and iptables-persistent provides a plugin that loads ipv4 and ipv6 table rules if found in /etc/iptables/rules.vX)
  • iptables-save > /etc/iptables/rules.v4
  • Enable ip_forward in /etc/sysctl.conf


  • Paid 10 € to
  • Downloaded the configuration zip (with ?server=se) from their site
  • Unpacked into /etc/openvpn (remove one folder)
  • Edit /etc/default/openvpn with AUTOSTART="mullvad_linux.conf"


To check that it works, I watch curl -fsSL which shows geo-IP information. The first fix was to simply ip route add default via with an ip alias on my laptop.

  • Plug Apple TV and other wired devices directly to eth1 instead of the “router”


OpenVPN on Debian Jessie is not straightforward, lots of issues lurking - but the key was to systemctl enable openvpn@mullvad.conf

Manual work:

  • raspi-config
    • expand filesystem to use full disk size
    • set amount of RAM GPU should get
  • hostnamectl set-hostname


Setup wifi AP using the RPi’s Wifi card, and let users either use tunneled wifi, or the non-tunneled wifi.

Tinc works really well and is so easy to set up. I should be able to make this work.

OpenVPN is not really hard to set up either, should fix my own configuration since I don’t care for the anonymity that Mullvad brings (with lower bandwidth).

OpenVPN Static Key Setup

Mullvad works and provides great anonymity, but the cost is super poor network performance. So I took the time to fix my own setup:

  • start or gain access to a machine on a network where the endpoint is located where you want it (GleSYS)
  • fix OpenVPN + iptables conf on server
  • fix OpenVPN config on “client”


  • no service here
  • DNS setting on client must be reachable from server (so no local DNS bouncer)

On server

  • needs port 1194 publicly accessible
# openvpn --genkey --secret static.key
# cat > static.conf
dev tun
secret static.key
keepalive 10 60

Allow forwarding of IPv* traffic:

vim /etc/sysctl.conf
# reload

Set up the iptables rule:

iptables -t nat -A POSTROUTING -s -o venet0 -j MASQUERADE

Use iptables-save

Start openvpn static.conf
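
A quick audit of the three things the server steps above are supposed to leave on disk (ip_forward enabled in sysctl.conf, the MASQUERADE rule saved by iptables-save, and a static.key only its owner can read), as an added example that is not part of the original post. The function names are hypothetical, and the 10.8.0.0/24 source network and the temporary files are constructed sample input.

```shell
#!/bin/sh
# Added example: audit what the server steps are supposed to leave on disk.

# 0 if the sysctl file enables IPv4 forwarding on an uncommented line.
forwarding_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# 0 if the iptables-save dump ($1) holds a nat POSTROUTING MASQUERADE rule
# bound to the outbound interface ($2), so NAT comes back after a reboot.
masquerade_persisted() {
    awk -v ifc="$2" '
        /^\*/ { table = $1 }
        table == "*nat" && /^-A POSTROUTING / && / -j MASQUERADE/ {
            for (i = 1; i < NF; i++)
                if ($i == "-o" && $(i + 1) == ifc) found = 1
        }
        END { exit !found }' "$1"
}

# 0 if the shared key exists and grants nothing to group or other; anyone
# who can read static.key can read and inject tunnel traffic.
key_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }

# Constructed sample input (not from the page): forwarding still commented
# out, a saved rule with a made-up 10.8.0.0/24 source, a world-readable key.
d=$(mktemp -d)
printf '#net.ipv4.ip_forward=1\n' > "$d/sysctl.conf"
printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
    '-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE' 'COMMIT' > "$d/rules.v4"
printf 'constructed placeholder, not a real key\n' > "$d/static.key"
chmod 644 "$d/static.key"

report forwarding_persisted "$d/sysctl.conf"        # FAIL: line is commented
report masquerade_persisted "$d/rules.v4" venet0    # ok
report key_is_private "$d/static.key"               # FAIL: mode 644
chmod 600 "$d/static.key"
report key_is_private "$d/static.key"               # ok
rm -rf "$d"
```

On the real server the same functions would be pointed at /etc/sysctl.conf, /etc/iptables/rules.v4 and the static.key sitting next to static.conf.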

Client setup

  • copy the static.key
  • config openvpn
  • enjoy

Configuring OpenVPN

dev tun
secret static.key
keepalive 10 60
redirect-gateway def1


  • It took some time before I found out that a static key setup doesn’t allow “push”ing new routes, hence the redirect-gateway def1 directive in the client-side configuration.
  • Apple TV content may be cached, so a reboot may be required for each logical network topology change.

Setting it up as a service is not hard, but buggy:

remove LimitNPROC from /lib/systemd/system/openvpn@.service
systemctl daemon-reload
systemctl enable openvpn@static
systemctl start openvpn@static
This work by Fredrik Wendt is licensed under CC by-sa.