RPI as VPN gateway


by juekr » Sat Oct 06, 2012 9:54 am
Hey there!

I'm pretty sure that all the answers to my questions are already out there somewhere, but I have to admit that I have trouble finding and/or understanding them.

My plan: I'd love to buy a second rpi to use it as a VPN gateway. So I don't want to be able to connect from the internet to my home network (although that would be a nice plus) but the other way round: I want to plug the rpi (logically) in between the router and the rest of the network to manage all of my internet traffic - so it should work as a standard gateway for the other PCs - but be able to send all traffic through a VPN tunnel as well (I'm a HideMyAss customer). What this all is about: I want to be able to switch easily and on demand (triggered by a hardware button, a http request, iphone, bluetooth, whatever) between the three VPN configurations "No VPN", "VPN USA" and "VPN UK". Maybe I'll even attach an arduino to manage the hardware button part and show the current connection state via lcd/led.

The most important question first: Will the rpi be kind of a bottleneck here? Or does it have enough power to handle VPN encryption and routing simultaneously?


This whole project surely isn't too hard for someone with medium Linux skills, but it is more than I can handle without help. From my understanding I need ...

... to create some kind of vpn network interface - is there some easy to use commandline vpn client that I can use with the hidemyass configuration files? I've heard that the raspberry debian kernels lack some important components for VPN encryption ... Could someone please point me in the right direction here? (Oh wait ... I just found this: http://wiki.hidemyass.com/Linux_CLI_OpenVPN_Client - could this be my answer?)

... to bridge the ethernet connections to that VPN interface to have the rpi work as VPN router/gateway. How do I do that? And where do I route the traffic whenever I don't wanna use VPN? Can all of this be handled via iptables? Is it possible to implement rules like "always route requests to German websites through the non-VPN connection"?

... a few scripts to switch between the different connection states. That should be manageable even for a noob like me, don't you think?



Bonus: Would it be possible to have it also work as VPN server to connect to from outside? So that I could securely connect from office to home (to wherever I want) over VPN?

And another thing: I'd love to do this with the latest rpi Debian distribution - because this is the distro I'm most familiar with (which isn't very familiar).

So what do you think? Stupid? Manageable? Or maybe even easier than I imagined it? I'm almost certain that something like this has already been done before ... Or is there maybe even some kind of router linux distro that would handle those tasks with ease?

Thanks in advance!
Jürgen, the German guy
Posts: 6
Joined: Sat Jul 14, 2012 12:27 pm
by LetHopeItsSnowing » Sat Oct 06, 2012 12:30 pm
I use my Pi as a VPN server, it works really well. I had no problem setting up a pptp vpn, but eventually gave up creating an l2tp ipsec vpn after a couple of hours' frustration.

I put some instructions on my blog for how to install a pptp vpn http://www.stuffaboutcode.com/2012/08/raspberry-pi-use-as-vpn-server.html.

Best of luck with your project.
"am I getting slower, or is stuff more complicated; either way I now have to write it down - stuffaboutcode.com"
Posts: 209
Joined: Sat May 26, 2012 6:40 am
Location: UK
by juekr » Sat Oct 06, 2012 5:07 pm
Thanks for your reply but actually I'm trying to do the exact opposite: I mainly want to have the pi route the outgoing traffic from my home network through a VPN tunnel to a VPN server in the US (to get devices like the xbox, the apple tv and so on to play american content which they otherwise wouldn't).
Posts: 6
Joined: Sat Jul 14, 2012 12:27 pm
by ziggurat » Thu Oct 18, 2012 2:50 am
Hi,

I am playing with doing exactly what you are. It's not 100% finished yet, but I have been testing with my xbox and services like hulu and Netflix and things seem to be working.

I use strongVPN as the provider in openvpn mode.

Feedback appreciated, there might be some gaps in this or even better ways to do things.

Change the default password

You want to secure this host - it will be exposed to traffic off your network. I found I could ssh directly to it using the external IP on the VPN side. More on firewall below.

OpenVPN Install and setup

sudo apt-get install openvpn
Generate openvpn config file from provider and place file in /etc/openvpn
Add this line to config file to change the default route on connect:
redirect-gateway

Openvpn should start on system startup and automatically connect the tunnel and redirect the route

Bind DNS server install and setup

US location-specific services and content delivery networks are sensitive to where you are making DNS queries from, and if you make them from a local DNS server you will likely get directed to a server outside of the US. This may prevent you from using the service, or at best you will have a very long route and poor performance. Install the bind DNS server on the host, and configure your devices to use it.

sudo apt-get install bind9

Configure it as a forwarding DNS server, with all requests sent to your VPN provider's DNS servers.

Add the following to /etc/bind/named.conf.options

Code:
        forward first;
        forwarders {
                216.131.95.20; // primary VPN service DNS server
                216.131.94.5; // secondary VPN service DNS server
        };



Iptables setup

Connecting to the tunnel results in your host being exposed to the internet, even if indirectly, in the target location of the VPN. You don't want someone owning your raspberry and having unfirewalled access to your internal network.

You want to allow all services from inside your network, but only established connections allowed back through the tunnel interface. This will ensure no one can use (or attack) your DNS, squid, ssh, telnet, etc services on the raspberry.

Follow instructions outlined here http://wiki.debian.org/iptables

My setup is as follows, contents of /etc/iptables.up.rules

Code:
# Generated by iptables-save v1.4.14 on Thu Oct 18 02:22:06 2012
*nat
:PREROUTING ACCEPT [1:148]
:INPUT ACCEPT [1:148]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 18 02:22:06 2012
# Generated by iptables-save v1.4.14 on Thu Oct 18 02:22:06 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Thu Oct 18 02:22:06 2012


Ip forwarding

The nat table section in the iptables config above is needed to ensure NAT works on your router:

Code:
*nat
:PREROUTING ACCEPT [1:148]
:INPUT ACCEPT [1:148]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 18 02:22:06 2012

Also, you need to configure the kernel to allow forwarding of IP packets:

sudo sysctl -w net.ipv4.ip_forward=1

Optional squid installation

Install squid and then restrict access to local net clients only. You can then hook into the VPN by just changing the proxy settings on any client on your home network.

sudo apt-get install squid

Add the following to /etc/squid/squid.conf

Code:
# adjust to your local network
acl localnet src 192.168.1.0/255.255.255.0
#ALLOW HTTP FROM LOCALNET
http_access allow localnet


Configure your clients

For the clients whose internet should all go across the VPN, manually configure the default gateway to be the internal IP of the raspberry. Also manually configure the DNS to the internal IP of the raspberry.

For clients that need casual access to the VPN, you can use the proxy server settings in the browser.
Posts: 9
Joined: Thu Oct 18, 2012 2:44 am
by ziggurat » Thu Oct 18, 2012 4:02 am
one edit

to configure ip forwarding and make it permanent between reboots
instead of

sudo sysctl -w net.ipv4.ip_forward=1

(which does not persist)

you need to edit /etc/sysctl.conf and uncomment the below line:

net.ipv4.ip_forward = 1
Posts: 9
Joined: Thu Oct 18, 2012 2:44 am
by thibaultd » Thu Oct 18, 2012 7:32 am
Like LetHopeItsSnowing, I have tried to set up a VPN server on the Pi, to be able to safely connect my mobile devices on public WiFis.
Started with OpenVPN, then realized that there is no client for Android and iOS without jailbreaking them.

You may be interested in the benchmark I made though.
Using the default BLOWFISH encryption, I was able to download max 10 MBits/sec at 100% use of the CPU (@700MHz), max 5 MBits in upload. (I have a 30/30 symmetrical ethernet connection.)
This drops to 7/3 MBits/sec using AES-3EBE-CBC.
So kind of a bottleneck.

Then, as LetHopeItsSnowing, I tried PPTP and had problems troubleshooting why it would work when I'm connected on the same network at home and not from a remote position.
At first I thought my router was badly routing PPTP and GRE 47, but I've tried to plug my RPi direct on the internet in place of the router (I have an Ethernet internet connectivity) and had the same timeout issue while establishing the PPTP connection.

Haven't tried l2tp yet.

I think you'll have the same kind of limitations using it as a VPN client. Encryption does consume a lot of CPU. Routing as well
Posts: 23
Joined: Mon Oct 01, 2012 7:30 pm
by juekr » Thu Oct 18, 2012 1:52 pm
Thanks for your help, guys, I'll definitely give ziggurat's solution a try. There're just two questions left:

1. How can I ensure that no traffic goes over the regular internet connection if I activated VPN (in case the vpn connection drops)?

2. How can I easily switch the traffic between VPN route and No-VPN route?

Thanks!
Posts: 6
Joined: Sat Jul 14, 2012 12:27 pm
by ziggurat » Mon Oct 22, 2012 1:23 am
Hi juekr,

I have not done much testing with mine when the VPN is down, but I think the iptables rules prevent the proper forwarding to occur without the tun0 / VPN interface available.

By the way, there were a few issues with the iptables rules I had posted earlier, and I have made a few additions as well. If you are interested I can PM them to you.

Over the weekend I enjoyed a few movies from US services and the performance was good. The CPU of the raspberry was at about 30%. It did not give me the HD version of the streams, but it was more than acceptable and did not jump / buffer once over 3-4 hours of viewing.

As for switching between VPN and no VPN: I am managing this at the device level. For example on my xbox, it's a matter of updating the default gateway and DNS settings. A bit of a pain if you plan on doing it frequently, I suppose. Since I mostly use mine for video playback and not gaming, this is ok for me. I get the feeling gaming on xbox live might not be ideal over the tunnel; I am still trying to get the right ports set up for that, as xbox live seems to need additional connections that it would usually handle via UPnP.

For other devices I am using squid proxy and changing the browser settings as needed.

Alternatively you could create a script on the raspberry to disconnect the tunnel and apply some different iptables rules that would make it transparent at the client. Then just run / reverse this as you want to turn off the VPN.
Posts: 9
Joined: Thu Oct 18, 2012 2:44 am
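The two questions juekr asked above (no leakage when the tunnel drops, and switching between VPN and direct routing) and the script ziggurat suggests as an alternative can be done with one rule generator. The following is an added example, not code from the thread or from any poster: a POSIX shell script that emits an iptables-restore file for a "vpn" or "direct" mode and a helper that loads it. The interface names eth0 and tun0 (tap0 for a bridged OpenVPN config), the 192.168.1.0/24 range, the /etc/iptables.up.rules path and the "service openvpn" init script name are assumptions taken from this thread's setup. The kill switch is the FORWARD chain itself: in vpn mode there is no rule allowing traffic from eth0 back out eth0, so when tun0 vanishes the catch-all REJECT matches and clients lose connectivity instead of silently falling back to the plain uplink.

```shell
#!/bin/sh
# Added example (not code from the thread): generate the iptables rule set for the
# Pi-as-gateway setup in one of two modes and, optionally, apply it.
#   vpn    - LAN clients are forwarded only out through the tunnel interface. The
#            FORWARD chain has no rule allowing eth0 -> eth0, so if the tunnel drops
#            the catch-all REJECT fires and clients lose connectivity rather than
#            falling back to the plain uplink (the "kill switch" asked about above).
#   direct - tunnel down, LAN clients are masqueraded straight out eth0.
# Interface names, LAN range, rules path and service name are assumptions.
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
RULES_FILE=${RULES_FILE:-/etc/iptables.up.rules}

# gen_rules MODE [VPN_IF]: print an iptables-restore file for MODE on stdout.
gen_rules() {
    mode=$1
    vpn_if=${2:-tun0}           # tun0 for a routed OpenVPN config, tap0 for a bridged one
    case "$mode" in
        vpn)    out_if=$vpn_if ;;
        direct) out_if=$LAN_IF ;;   # the home router sits on the same segment as the LAN
        *)      echo "usage: gen_rules vpn|direct [vpn_if]" >&2; return 2 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide LAN addresses behind the Pi on whichever interface is the uplink for this mode
-A POSTROUTING -s $LAN_NET -o $out_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# The Pi's own services (ssh, DNS, squid) are reachable from the LAN only; nothing
# arriving through the tunnel can open a new connection to them
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# Forwarding: LAN -> uplink, and only replies back. iptables stops at the first
# matching rule, so the ACCEPT rules must come before the catch-all REJECT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $out_if -j ACCEPT
-A FORWARD -i $out_if -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "forward denied: " --log-level 7
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# apply_mode MODE [VPN_IF]: write and load the rules, then start or stop the tunnel.
# Must run as root; "service openvpn" is the Debian wheezy init script name (assumption).
apply_mode() {
    gen_rules "$1" "${2:-tun0}" > "$RULES_FILE" || return $?
    iptables-restore < "$RULES_FILE"     # rules first, so nothing leaks while switching
    case "$1" in
        vpn)    service openvpn start ;;
        direct) service openvpn stop ;;
    esac
}
```

Run `apply_mode vpn tun0` or `apply_mode direct` as root (for example from a tiny web handler on the Pi) to switch modes; `gen_rules vpn tap0` just prints the rules so you can review them before loading. The MASQUERADE and FORWARD rules are restricted to the LAN range on purpose: anything else arriving on eth0 (for instance from the tunnel endpoint on the other side of the router) is neither forwarded nor translated.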
by juekr » Mon Oct 22, 2012 7:25 am
Hey ziggurat, I'm definitely interested in the updated iptable rules (though I'm still waiting for my second raspberry pi to start with this whole vpn project) and maybe I can describe what I have in mind to make my goals more clear:

1. I just love your proxy idea - mainly to use it for fast-switching proxy-settings in the browser to access hulu, netflix and so on. Downside: I suppose I won't be able to switch between UK-proxy and US-proxy that way.

2. I also plan to get my xbox connected - just like you to watch videos and maybe access the us marketplace - but I would also need an easy way to switch back to direct connection as I also love online gaming.

3. If I'm ever going to use a bittorrent client via proxy, I just want to be sure that it definitely uses the vpn tunnel and immediately stops working as soon as the vpn connection is lost.

With my vpn provider (HideMyAss) there is not only one server to connect to but a list of like hundreds of possible servers. So it would be cool to have the ability to easily switch servers remotely (that shouldn't be too much of a problem with a webserver on the pi and an iPhone). There is a linux cli client for this but I'm not really sure yet how to use it.

Again: Thanks a lot ziggurat, I'll give some feedback as soon as I'm able to rebuild your setup!
Posts: 6
Joined: Sat Jul 14, 2012 12:27 pm
by Goss1982 » Mon Oct 22, 2012 6:29 pm
Hi
I successfully have my pptp server running, but it will only work when using wired ethernet. For an easier set-up I want to make the pi wireless, which also works fine.

Problem occurs when the VPN is accessed when the pi is wireless. The light on the wifi adapter goes out and ................... nothing.

Anybody else tried this? Not sure where to begin sorting this one out?

Andy
Posts: 13
Joined: Mon Jul 16, 2012 4:52 pm
by ziggurat » Wed Oct 24, 2012 8:55 am
Hi juekr,

1. I just love your proxy idea - mainly to use it for fast-switching proxy-settings in the browser to access hulu, netflix and so on. Downside: I suppose I won't be able to switch between UK-proxy and US-proxy that way.


Yeah, you still need to fiddle with the browser settings, and from then on you are all one way. I was thinking that I might be able to use one browser for proxy, and another browser for no proxy. I use IE and Chrome. Unfortunately chrome uses the IE settings so changing it in IE also changes it in Chrome..

2. I also plan to get my xbox connected - just like you to watch videos and maybe access the us marketplace - but I would also need an easy way to switch back to direct connection as I also love online gaming.


Perhaps, if your current router supported it, setting up a second wireless SSID (e.g. guest network?) where you just use the default / automatic settings. Or, if you have access to both wired and wireless, having one of these used for gaming (uses your normal network settings / DHCP) and the other manual (rigged to use raspberry for default gw and DNS) and then just connecting to the one you want at the time. Still a bit of a pain though.

3. If I'm ever going to use a bittorrent client via proxy, I just want to be sure that it definitely uses the vpn tunnel and immediately stops working as soon as the vpn connection is lost.


I am sure this is something you could achieve with iptables. E.g., configure your torrent client settings with specific ports, and then set iptables rules to deny any traffic on / destined to these ports through the eth0 interface, but allowed through the tun0 interface. Then if tun0 disappears, all the traffic will get blocked. Or something along those lines, I'm an iptables noob :)
Posts: 9
Joined: Thu Oct 18, 2012 2:44 am
by juekr » Wed Oct 24, 2012 10:20 am
ziggurat wrote:Yeah, you still need to fiddle with the browser settings, and from then on you are all one way. I was thinking that I might be able to use one browser for proxy, and another browser for no proxy. I use IE and Chrome. Unfortunately chrome uses the IE settings so changing it in IE also changes it in Chrome.


It might help to use rule-based proxy-switching extensions for chrome like this one: https://chrome.google.com/webstore/detail/proxy-switchy/caehdcpeofiiigpdhbabniblemipncjj. Still you'd need a second proxy for switching between UK and US - or at least a remotely triggerable script for switching the pi's vpn connection. Actually that seems to be kind of a semi-comfortable way ...

ziggurat wrote:Perhaps if your current router supported it setting up a second wireless SSID (eg guest network?)where you just use the default / automatic settings. Or, if you have access to both wired and wireless, having one of these used for gaming (uses your normal network settings / DHCP) and the other manual (rigged to use raspberry for default gw and DNS) and then just connecting to the one you want at the time. Still a bit of a pain though.


I only have cable connection - maybe I should just switch to a roku or apple tv for watching stuff on my tv screen.

ziggurat wrote:I am sure this is something you could achieve with iptables. Eg, configure your torrent client settings with specific ports, and then set iptables rules to deny any traffic on / destined to these ports through the eth0 interface, but allowed through the tun0 interface. Then if tun0 disappears, all the traffic will get blocked. Or something along those lines I'm a iptables noob :)


I will have a look into that. If I only use the pi to route traffic through the vpn tunnel, maybe I could just remove the default gateway on the ethernet connection ... but I guess that would only work if the tunnel is active. Whenever I need to reconnect it, it surely wouldn't connect to the vpn server then.
Posts: 6
Joined: Sat Jul 14, 2012 12:27 pm
by rhayward » Tue Jan 08, 2013 3:29 pm
ziggurat wrote:Hi juekr,

By the way, there were a few issues with the iptables rules I had posted earlier, and I have made a few additions as well. If you are interested I can PM them to you.



Hi ziggurat - apologies for posting rather than PMing as requested, but I don't have PMing privileges yet. You appear to have achieved what I was looking to do, so I read this post with interest... would it be possible for you to post your updated iptables rules? (Or you can PM me them - I presume I can receive PMs.)

Also - what linux distribution did you use?

Thanks a lot for such a great post. Everything's very clear and will save me days probably :-)
Posts: 2
Joined: Tue Jan 08, 2013 3:16 pm
by ziggurat » Wed Jan 09, 2013 12:26 am
Hi Rhayward,

No worries. It's been working very well for me and I haven't had to tinker for a couple of months. Here are my current iptables rules.

Note the section for xbox was to try and address that xbox live (for gaming) is reporting that there are possible NAT issues and there could be reduced functionality. The rules don't seem to have fixed that, but since I don't use the xbox for a lot of online gaming it's low on my list of things to do.

Code:
*nat
:PREROUTING ACCEPT [1:148]
:INPUT ACCEPT [1:148]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 18 02:22:06 2012
# Generated by iptables-save v1.4.14 on Thu Oct 18 02:22:06 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT

################## The following are xbox live related rules ##########################

-A INPUT -i tun0 -d 192.168.1.212 -p tcp --dport 88 -j ACCEPT
-A INPUT -i tun0 -d 192.168.1.212 -p tcp --dport 3074 -j ACCEPT
-A INPUT -i tun0 -d 192.168.1.212 -p udp --dport 3074 -j ACCEPT
-A INPUT -i tun0 -d 192.168.1.212 -p tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -d 192.168.1.212 -p udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -d 192.168.1.212 -p tcp --dport 80 -j ACCEPT

#####################################################################################

-A INPUT -i tun0 -p icmp -m icmp --icmp-type 8 -j REJECT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
Posts: 9
Joined: Thu Oct 18, 2012 2:44 am
by ziggurat » Wed Jan 09, 2013 12:43 am
Sorry forgot to add. I am using the standard wheezy image for this build.
Posts: 9
Joined: Thu Oct 18, 2012 2:44 am
by rhayward » Wed Jan 09, 2013 9:02 am
Perfect - thanks very much!
Posts: 2
Joined: Tue Jan 08, 2013 3:16 pm
by johnbeards » Wed Jan 09, 2013 11:09 am
Hey could you tell us what the speed is like?

I have a router with a VPN shared client, but I get only 5mb on a 20mb connection. I was hoping that using the raspberry pi instead, it would be a lot faster?

many thanks
Posts: 7
Joined: Mon Jan 07, 2013 6:22 pm
by johnbeards » Sat Jan 19, 2013 8:57 am
Hey

I am having problems setting this up. I have the openvpn connected to strongvpn, but instead of tun it makes a tap0.

I have set the iptables rules with success.

When I change my gateway on the client Windows computers to the raspberry pi IP, I get nothing.

Not sure what I am doing wrong.
Posts: 7
Joined: Mon Jan 07, 2013 6:22 pm
by ziggurat » Sat Jan 19, 2013 9:44 am
hi johnbeards,

Interesting, it's a different type of interface. So if you are getting a good VPN connection, are you actually able to send traffic through it directly from the Pi? What does a traceroute look like from the command line to something on the internet?

You may need to check your routing table to make sure the default gateway has been updated when the tunnel is connected, as this is a specific line you need to add to the VPN configuration file, see above.

If it's looking good on the Pi host itself, but still no luck with network hosts trying to route through it, it could be that your IP forwarding has not stuck (see above, I had to find the right way to make this persistent).

Next, check your iptables rules. Perhaps even revert to a very open set of rules to test. Did you make adjustments to the rule set for the tap rather than tun interface on your setup?
Posts: 9
Joined: Thu Oct 18, 2012 2:44 am
by johnbeards » Sat Jan 19, 2013 10:01 am
hey

Yes, I tested the Pi, it has the VPN connection and is using it:
Code:
 1  10.10.10.1 (10.10.10.1)  39.326 ms  38.992 ms  38.686 ms
 2  hosted.******* (*.17.*.*)  39.218 ms  39.072 ms  41.157 ms
 3  te0-7-0-3.*.*.*.net (*.212.*.*)  41.043 ms  40.737 ms  40.571 ms
 4  ge-1-3-0.pat1.ams.yahoo.com (195.69.145.110)  40.097 ms  39.642 ms  44.019 ms
 5  ge-1-2-0.pat2.ams.yahoo.com (66.196.65.73)  43.730 ms  43.449 ms  43.022 ms
 6  xe-0-1-0.msr1.ch1.yahoo.com (66.196.65.69)  70.934 ms  76.641 ms  76.681 ms
 7  te-8-4.bas-a1.ch1.yahoo.com (87.248.127.9)  91.848 ms te-8-4.bas-a2.ch1.yaho0


I changed the iptables rules to tap0

Code:
*nat
:PREROUTING ACCEPT [1:148]
:INPUT ACCEPT [1:148]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tap0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 18 02:22:06 2012
# Generated by iptables-save v1.4.14 on Thu Oct 18 02:22:06 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# (the --log-level option was cut off in the post; completed as in the rule set earlier in the thread)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -i tap0 -p icmp -m icmp --icmp-type 8 -j REJECT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tap0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT

COMMIT


I edited /etc/sysctl.conf

net.ipv4.ip_forward = 1

For the clients, all I have to do is change the gateway, e.g. on Windows 7:

Open network and sharing center - change adaptor setting - properties - Internet Protocol 4 - Use following ip address

e.g.
192.168.1.12
255.255.255.0
Gateway as raspberry pi - 192.168.1.10

Many thanks
Posts: 7
Joined: Mon Jan 07, 2013 6:22 pm
by ziggurat » Sat Jan 19, 2013 10:14 am
Yes, that should be all you have to do on the client side.

What does a traceroute look like from the Windows host? Does it just fail at the first hop? Can you ping the internal interface of the Pi?
Posts: 9
Joined: Thu Oct 18, 2012 2:44 am
by johnbeards » Sat Jan 19, 2013 4:17 pm
hey

I did tracert from the Windows 7 machine, and I get "unable to resolve target system name www.yahoo.co.uk".

I can ping my raspberry pi, and get a response from it.

Driving me insane lol
Posts: 7
Joined: Mon Jan 07, 2013 6:22 pm
by johnbeards » Tue Jan 22, 2013 10:50 am
Update

Finally got it working. The problem, which I am not sure how to fix as I want to have some blocking rules, is that when I put this in iptables
Code:
iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable


it stops working. When I left it out, it works, but all ports are open.

Any advice?

Many thanks
Posts: 7
Joined: Mon Jan 07, 2013 6:22 pm
by ziggurat » Tue Jan 22, 2013 11:03 am
Hi John,

It seems that line appears twice in your rules further above; if it is still there you might want to clean it up a little and check again.

You could also add some logging options to check that your forward accept lines are being matched as you expect?
Posts: 9
Joined: Thu Oct 18, 2012 2:44 am
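The rule set johnbeards posted has both of the problems ziggurat points at: the catch-all `-A FORWARD -j REJECT` appears twice, and the first copy sits before the `-A FORWARD ... -j ACCEPT` rules, so those can never match and every forwarded packet is rejected. Both are easy to miss in a long file, so here is an added example (not code from the thread or from any poster) of a small POSIX shell check to run over an iptables-save file before loading it. The sample rule file it writes is constructed here to resemble the one posted above, not copied from it.

```shell
#!/bin/sh
# Added example (not code from the thread): check an iptables-save style file for the
# two mistakes seen in this thread, so they are caught before iptables-restore loads them:
#   1. a catch-all rule ("-A CHAIN -j REJECT" or DROP with no match criteria) placed
#      before other rules in the same chain: iptables stops at the first match, so
#      every rule after it in that chain is unreachable
#   2. the same rule line appearing twice
# Usage: lint_rules /etc/iptables.up.rules   (exit status 0 = clean, 1 = findings)

lint_rules() {
    f=$1
    # exact duplicate rule lines (table headers, policies and comments are ignored)
    dups=$(grep -E '^-A ' "$f" | sort | uniq -d)
    [ -n "$dups" ] && printf '%s\n' "$dups" | sed 's/^/duplicate rule: /'
    shadow=$(awk '
        # remember the first catch-all per chain ($2 is the chain name)
        /^-A [A-Za-z0-9_]+ -j (REJECT|DROP)( |$)/ && !($2 in catchall) { catchall[$2] = NR; next }
        # any later rule appended to that chain can never be reached
        /^-A / && ($2 in catchall) { print "unreachable (after catch-all in " $2 "): " $0 }
    ' "$f")
    [ -n "$shadow" ] && printf '%s\n' "$shadow"
    [ -z "$dups" ] && [ -z "$shadow" ]
}

# Constructed sample resembling the broken rule file above (not a real capture):
# the FORWARD catch-all is duplicated and the first copy precedes the ACCEPT rules.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tap0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# The same FORWARD chain with the catch-all last, which is how a working set looks.
write_clean_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o tap0 -j ACCEPT
-A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}
```

On the constructed sample, `lint_rules` reports the duplicated FORWARD REJECT once and four unreachable FORWARD rules (the two ACCEPTs, the tap0 reply rule and the second REJECT) and exits 1; on the clean file it prints nothing and exits 0. The check only recognises a rule as a catch-all when `-j REJECT` or `-j DROP` is its only parameter; a rule such as `-A INPUT -i tun0 -p icmp ... -j REJECT` is specific and is left alone.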
by OnkelBen » Thu Mar 07, 2013 7:30 pm
Hi, is there any update on your problem?

At the moment, I am facing exactly the same...
I can ping the Raspberry Pi, but if I set the RPi as Gateway/DNS on my client, it gets a timeout error...

But this only happens when the vpn connection is up on the Pi, so without openvpn started it works.
Also squid works fine, even with openvpn.

I configured my system exactly as you described (since I have no experience with iptables...)

Do you have any suggestions what I can do to find my error?

Thanks in advance
Posts: 1
Joined: Thu Mar 07, 2013 7:26 pm