Some places, if you read my blog at: http://beboblog.johnbebo.com/2013/03/01/ssh-tunnel-for-tcp-ports.aspx are Nazis on blocking traffic. Even traffic that nobody should block (like secure VPNs).
So if you want to get around a crazy fireawall, or get around interception of your traffic, you could use an SSH tunnel, like I gave instructions for in that post.
But, some devices (like iPads, iPhones, etc) won't let you connect to your own VPN, (iPads and iPhones can't have a tap device), so there is no solid way to secure their traffic through a hostile network.
Raspberry Pi to the rescue!
Here's how to set up a Raspberry Pi to be an OpenVPN Client to an OpenVPN server (your own, or a service like HideMyAss, etc), and have the Raspberry Pi serve up it's own wireless Access Point and pump all its packets out through the OpenVPN tunnel, so that all your devices (computer, phone, tablet, etc) can connect through the tunnel securely! Here's how I did it:
I had already set up my home router (a dd-wrt flashed router) to be an OpenVPN server with the instructions at: http://beboblog.johnbebo.com/2012/11/10/openvpn-server-on-dd-wrt-router.aspx
To get around crazy firewall rules, I moved my then standard UDP port 1194 VPN (which was blocked by the Man) to TCP Port 443, which would appear to be normal HTTPS traffic. The instructions to do that are on the bottom of that blog (just swap udp to tcp, and 1194 to 443). This will provide a slower tunnel than a UDP tunnel, as I'm wrapping TCP in TCP, but it is a way around stupid firewalls.
Next was to set up the Raspberry Pi.
Using the instructions at: http://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/ I set up my Raspberry Pi as an AP. Next, I needed to set it up as an OpenVPN Client.
This involved just doing an apt-get update, and an apt-get install openvpn.
Then, I put the ca.crt, client.crt, & client.key certificates in a folder called 'keys', and connected to my OpenVPN with the script:
443 tcp --client --ca /path-to-keys/ca.crt --cert /path-to-keys/client.crt --key /path-to-keys/client.key --nobind --dev tap0 --persist-tun --persist-key --reneg-sec 1200 --verb 5 --ifconfig 192.168.200.5 192.168.200.1
This will connect you to the OpenVPN server, but will ONLY route VPN Subnet traffic to that VPN (Normal Internet traffic will NOT go through the VPN).
If you want ALL of your traffic to go through the VPN, change the OpenVPN script a little to add "--redirect-gateway def1" at the end, like so:
443 tcp --client --ca /path-to-keys/ca.crt --cert /path-to-keys/client.crt --key /path-to-keys/client.key --nobind --dev tap0 --persist-tun --persist-key --reneg-sec 1200 --verb 5 --ifconfig 192.168.200.5 192.168.200.1 --redirect-gateway def1
(In the above, 192.168.200.5 is the Raspberry VPN IP address, and 192.168.200.1 is the VPN Gateway address). This will route all of the Raspberry Pi's traffic through the VPN.
However, this still left any Wireless Clients unable to connect to the Internet. To fix that, you'll also need to update the Pi IPTABLES so that it routes all the wlan clients to the tap device.
You can do that by running the below script, which I named Change-Firewall-Rules.sh:
echo "Changing IPTables"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -A OUTPUT -o wlan0 -j ACCEPT
iptables -A POSTROUTING -t nat -o tap0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -j ACCEPT
You might ask how I run a script in the Pi while I'm ssh'd into it, and already running my OpenVPN script. I use 'screen' to do that. I LOVE screen, so if you haven't tried it before, this would be a great opportunity to see it's power. Screen isn't installed by default on the Pi, so I installed it with 'apt-get install screen' Then, after I ssh into my Pi, I run:
and a screen terminal will pop up. I run my first script with:
then, after I've seen it establish a good VPN Tunnel, I disconnect from that screen terminal with 'ctrl+a' then 'd'
If I wanted to see the screen terminal list, I could type 'screen -list' but I usually just run my firewall script, which exits cleanly, by typing:
Then I return to my screen terminal with 'screen -r' to watch my OpenVPN script (in case it runs into problems)
That was it! Sometimes getting work done, like checking on the home security cameras, getting files off of the home NAS, having my phone gets its email, allowing for Magic Jack calls (a bit slower, but better-than-nothing), etc. isn't all that hard! You just gotta be smarter than da Man.