
Raspberry Pi OpenVPN Client

Some places (see my post at: http://beboblog.johnbebo.com/2013/03/01/ssh-tunnel-for-tcp-ports.aspx) are Nazis about blocking traffic.  Even traffic that nobody should block (like secure VPNs).

So if you want to get around a crazy firewall, or get around interception of your traffic, you could use an SSH tunnel, like I gave instructions for in that post.

But some devices (like iPads, iPhones, etc.) won't let you connect to your own VPN this way (iPads and iPhones can't have a tap device), so there is no solid way to secure their traffic through a hostile network.

Raspberry Pi to the rescue!  

Here's how to set up a Raspberry Pi to be an OpenVPN client to an OpenVPN server (your own, or a service like HideMyAss, etc.), and have the Raspberry Pi serve up its own wireless access point and pump all of its packets out through the OpenVPN tunnel, so that all your devices (computer, phone, tablet, etc.) can connect through the tunnel securely!  Here's how I did it:

I had already set up my home router (a dd-wrt flashed router) to be an OpenVPN server with the instructions at: http://beboblog.johnbebo.com/2012/11/10/openvpn-server-on-dd-wrt-router.aspx

To get around crazy firewall rules, I moved my then standard UDP port 1194 VPN (which was blocked by the Man) to TCP Port 443, which would appear to be normal HTTPS traffic.  The instructions to do that are on the bottom of that blog (just swap udp to tcp, and 1194 to 443).  This will provide a slower tunnel than a UDP tunnel, as I'm wrapping TCP in TCP, but it is a way around stupid firewalls.   

Next was to set up the Raspberry Pi.  
Using the instructions at: http://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/ I set up my Raspberry Pi as an AP.  Next, I needed to set it up as an OpenVPN Client.

This involved just doing an apt-get update, and an apt-get install openvpn.  

Then, I put the ca.crt and client.crt certificates and the client.key private key in a folder called 'keys', and connected to my OpenVPN server with the script:

#!/bin/bash
# VPN_SERVER_HOSTNAME is a placeholder: the server's hostname is not shown in the original command.
# Note: with --dev tap, OpenVPN reads the second --ifconfig value as the netmask of the virtual segment (see the openvpn man page).
openvpn --remote VPN_SERVER_HOSTNAME 443 tcp --client --ca /path-to-keys/ca.crt --cert /path-to-keys/client.crt --key /path-to-keys/client.key --nobind --dev tap0 --persist-tun --persist-key --reneg-sec 1200 --verb 5 --ifconfig 192.168.200.5 192.168.200.1

This will connect you to the OpenVPN server, but will ONLY route VPN Subnet traffic to that VPN (Normal Internet traffic will NOT go through the VPN).

If you want ALL of your traffic to go through the VPN, change the OpenVPN script a little to add "--redirect-gateway def1" at the end, like so:

#!/bin/bash
# VPN_SERVER_HOSTNAME is a placeholder: the server's hostname is not shown in the original command.
openvpn --remote VPN_SERVER_HOSTNAME 443 tcp --client --ca /path-to-keys/ca.crt --cert /path-to-keys/client.crt --key /path-to-keys/client.key --nobind --dev tap0 --persist-tun --persist-key --reneg-sec 1200 --verb 5 --ifconfig 192.168.200.5 192.168.200.1 --redirect-gateway def1

(In the above, 192.168.200.5 is the Raspberry VPN IP address, and 192.168.200.1 is the VPN Gateway address).  This will route all of the Raspberry Pi's traffic through the VPN.  
However, this still left any wireless clients unable to connect to the Internet.  To fix that, you'll also need to update the Pi's iptables rules so that the wlan clients' traffic is forwarded out through the tap device.

You can do that by running the below script, which I named Change-Firewall-Rules.sh:

#!/bin/bash

echo "Changing IPTables"
# start from an empty rule set
iptables -F
iptables -X

# allow local traffic and everything to/from the wireless clients
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -A OUTPUT -o wlan0 -j ACCEPT

# NAT the wlan clients out through the VPN tap device instead of eth0
iptables -A POSTROUTING -t nat -o tap0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -j ACCEPT
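As an added example (not the post's own script), here is a stricter version of Change-Firewall-Rules.sh: it sets the FORWARD policy to DROP so the access point's clients can only reach the Internet through tap0, and nothing leaks out eth0 if the OpenVPN tunnel goes down.  The IPT, SYSCTL, WLAN and TUN variable names are my assumptions; running it with IPT=echo SYSCTL=echo previews the rules without root.

```shell
#!/bin/bash
# Added example, not the original post's script: a kill-switch variant of
# Change-Firewall-Rules.sh. AP clients on wlan0 may only be forwarded into
# the OpenVPN tap0 device; everything else is dropped, so nothing leaks out
# eth0 if the tunnel goes down. IPT/SYSCTL/WLAN/TUN are assumed variable
# names; run with IPT=echo SYSCTL=echo to preview the rules without root.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WLAN="${WLAN:-wlan0}"   # access-point interface from the Adafruit how-to
TUN="${TUN:-tap0}"      # device name given to openvpn with --dev tap0

apply_vpn_firewall() {
    # The kernel must forward packets between interfaces.
    "$SYSCTL" -w net.ipv4.ip_forward=1 >/dev/null

    # Start from an empty rule set, then deny forwarding unless allowed below.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -X
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD DROP

    # Local traffic, plus the AP's own services (DHCP, DNS) for wlan0 clients.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT -i "$WLAN" -j ACCEPT
    "$IPT" -A OUTPUT -o "$WLAN" -j ACCEPT

    # The only forwarding path: wlan0 -> tap0, with replies back the same way.
    "$IPT" -A FORWARD -i "$WLAN" -o "$TUN" -j ACCEPT
    "$IPT" -A FORWARD -i "$TUN" -o "$WLAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$TUN" -j MASQUERADE
}

# Apply for real only when invoked as: ./vpn-killswitch.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_vpn_firewall
fi
```

If the tunnel drops, the wireless clients simply lose connectivity instead of silently going out over eth0, which is the behaviour you want on a hostile network.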
 
You might ask how I run a script on the Pi while I'm ssh'd into it and already running my OpenVPN script.  I use 'screen' to do that.  I LOVE screen, so if you haven't tried it before, this would be a great opportunity to see its power.  Screen isn't installed by default on the Pi, so I installed it with 'apt-get install screen'.  Then, after I ssh into my Pi, I run:

screen bash

and a screen terminal will pop up.  I run my first script with:

/root/key/Connect-To-OpenVPN-TCP443-All-Traffic.sh

then, after I've seen it establish a good VPN Tunnel, I disconnect from that screen terminal with 'ctrl+a' then 'd'

If I wanted to see the screen terminal list, I could type 'screen -list' but I usually just run my firewall script, which exits cleanly, by typing:

/root/key/Change-Firewall-Rules.sh

Then I return to my screen terminal with 'screen -r' to watch my OpenVPN script (in case it runs into problems).

That was it!  Sometimes getting work done, like checking on the home security cameras, getting files off of the home NAS, having my phone get its email, allowing for Magic Jack calls (a bit slower, but better than nothing), etc. isn't all that hard!  You just gotta be smarter than da Man.

Happy VPN'ing!
