NoBodyUKnow
Posts: 37
Joined: Wed Feb 15, 2017 3:44 am

RPi as VPN Router and Wireless Access Point. Possible??

Wed Mar 22, 2017 8:52 pm

Hello,

I'm trying desperately to set up my network as in the attached diagram, and as further described below the graphic:
[Attachment: VPN-Diagram (1).png]
My Raspberry Pi 3 running Jessie as a wireless access point (wlan0) connected to a Linksys router via ethernet (eth0). The devices in my home will connect via WiFi to the RPi, which will be running OpenVPN via a configuration script supplied by ExpressVPN, my VPN provider.

I've found many tutorials on setting up the WiFi access point, and I find many tutorials on setting up the RPi as a VPN Router. However, I find none explaining how to do those together on one RPi.

I'm sensing there may be a conflict in the use of DHCPCD and DHCP between these two functions, because in the tutorial I find most reliable for setting up the VPN router, there's guidance to disable dhcpcd, to avoid having two IP addresses assigned to the RPi:

http://www.dickson.me.uk/2016/06/21/set ... r-updated/

While in the tutorial that seems most useful for setting the Wireless Access Point, dhcpcd is an integral part of the final solution.

https://www.frillip.com/using-your-rasp ... h-hostapd/

Is it possible for my RPi to both broadcast a secure SSID and route all connections to that network through my VPN?

OpenVPN is set up on my RPi and works fine (at least when starting manually; I'm not yet sure how to incorporate the userid and password into a reboot startup).

I would sure appreciate some help with this, and I'm happy to provide any information that might help with that.

Thanks very much,

NBUK





jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 24679
Joined: Sat Jul 30, 2011 7:41 pm

Re: RPi as VPN Router and Wireless Access Point. Possible??

Wed Mar 22, 2017 9:02 pm

I've been writing new docs on access points - draft version here https://github.com/raspberrypi/document ... s-point.md

They might help, but you have brought up an interesting question of setting up VPNs, which might be my next documentation task!
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I own the world’s worst thesaurus. Not only is it awful, it’s awful.”

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Thu Mar 23, 2017 1:15 pm

James,

This is a great writeup. More detailed and probably more correct than the others I've found, at least for my application.

A question - and this probably belongs in the newbie section - can I take the IP addresses you provided literally? In other words, because of the design of the network, can I use those exact numbers, or do they need to be adapted to the IP address and IP range of my router?

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Thu Mar 23, 2017 2:59 pm

James,

I see now, in the preamble to the tutorial:

This documentation assumes we are using the standard 192.168.x.x IP addresses for our wireless network, so we will assign the server the IP address 192.168.0.1.

I did note that in your changes to /etc/network/interfaces to enable the access point, you didn't include a Broadcast IP. The tutorial I looked at before did include that parameter.

I'd made some changes to my RPi config and am going back to a fresh install of the latest version of Jessie. I don't want any changes I've made to complicate configuring this correctly, as this is what I purchased my RPi for.

jamesh

Re: RPi as VPN Router and Wireless Access Point. Possible??

Thu Mar 23, 2017 3:21 pm

The documentation as it stands works as intended, so you don't, AFAIK, need the broadcast ID. Since there are various ways of configuring this stuff, I've tried to keep it to the minimum!

DougieLawson
Posts: 36900
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: RPi as VPN Router and Wireless Access Point. Possible??

Thu Mar 23, 2017 3:26 pm

You only need IP address and netmask. Broadcast and network are superfluous (because you and your Linux system can calculate them knowing just the address and netmask).

You can use

Code:

address 172.31.4.1
netmask 24
or

Code:

address 172.31.4.1
netmask 255.255.255.0
(your choice) as they both mean the same thing

(Note: I'm a fan of using 172.31.4.0/24 for my example network address blocks as they're unlikely to clash with anyone's home router which tend to use 192.168.xx.xx or 10.0.0.xx address blocks).
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Thu Mar 23, 2017 5:33 pm

Thanks Doug and James. Interesting... I accidentally deleted this, as I didn't see your responses and thought I was in the wrong thread. Sorry. Replacing my post:

After a fresh install of the 03/02/17 version of Jessie, this is what I have done:

Added ssh to boot
connected via putty changed pswd
ran update and upgrade (wolfram took a Loooooonnnnng time)
Enlarged partition, changed mem split to 16, set localization, enabled vncserver
reboot
connect via vnc
turn off wifi and bluetooth via GUI
install openvpn
Install hostapd and dnsmasq
stopped hostapd and dnsmasq
download openvpn config files from vpn expressvpn, move to /etc/openvpn and change names to xxx.conf
Created text file with user and password placed on desktop for logging in to vpn vi config file
tested openvpn connect - connects with "initialization complete" after manually entering credentials


However, I cannot access any webpages. This is where I sense some conflict in the setups for wifi AP and openvpn. I think I need to set up a static IP for eth0 on my Pi for openvpn to work. I had this before reinstalling, and I was able to access the internet and browse to webpages.

I am doing this headless, as I do not have an HDMI monitor. Therefore, I am concerned about any step that jeopardizes my ability to connect via SSH.

James:

Is there any point in the tutorial you linked to, where I would be unable to connect via SSH and continue the setup?

Thanks so much...

NBUK

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Fri Mar 24, 2017 10:31 pm

James,

It seems the link you posted above is dead.

You said it was a draft. Did you publish it with a different URL? I can no longer access it.

Thanks!

DougieLawson

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sat Mar 25, 2017 4:58 pm

NoBodyUKnow wrote: It seems the link you posted above is dead.
https://github.com/raspberrypi/document ... s-point.md is the current version.

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sat Mar 25, 2017 5:40 pm

DougieLawson wrote:
NoBodyUKnow wrote: It seems the link you posted above is dead.
https://github.com/raspberrypi/document ... s-point.md is the current version.
Thank you Doug. I searched Github but could not find it.

Working on this now...

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sat Mar 25, 2017 7:40 pm

So... This may seem like a stupid question, but....

The documentation has two sections: One for setting up an access-point on a standalone network and another on setting up an access-point to share an existing, wired connection (my scenario).

Do each of these sections stand alone, or do I follow the first section and then follow the second section, if applicable?

I've followed the second section, including the portion regarding configuring the wifi in hostapd.conf. I see no new SSID, as hoped. Here is my ifconfig output:

br0 Link encap:Ethernet HWaddr b8:27:eb:32:c6:55
inet addr:192.168.2.105 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::ba27:ebff:fe32:c655/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:66690 errors:0 dropped:0 overruns:0 frame:0
TX packets:85979 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4997339 (4.7 MiB) TX bytes:61836707 (58.9 MiB)

eth0 Link encap:Ethernet HWaddr b8:27:eb:32:c6:55
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:66716 errors:0 dropped:0 overruns:0 frame:0
TX packets:85979 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4998535 (4.7 MiB) TX bytes:62868115 (59.9 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:85 errors:0 dropped:0 overruns:0 frame:0
TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:6759 (6.6 KiB) TX bytes:6759 (6.6 KiB)

wlan0 Link encap:Ethernet HWaddr b8:27:eb:67:93:00
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:19 errors:0 dropped:19 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7088 (6.9 KiB) TX bytes:0 (0.0 B)

I've done nothing with dnsmasq, as yet...

Thanks!

DougieLawson

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sat Mar 25, 2017 7:48 pm

There's a tiny bit of overlap. You need to create a hostapd.conf file from part #1 (stand-alone AP) and modify that for part #2 (bridged AP). You'll end up with

Code:

interface=wlan0
bridge=br0
# driver isn't needed for bridged APs
#driver=nl80211
ssid=MyPiBridgedAP
hw_mode=g
# Change channel to suit.
channel=8
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
# Set your password here
wpa_passphrase=somesecretpasswordhere
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
for the bridged access point.

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sat Mar 25, 2017 7:54 pm

Yessir... Got that part:

contents of /etc/hostapd/hostapd.conf:

#Original hostapd.conf is an empty file. No backup made. This code configures wireless access point

interface=wlan0
bridge=br0
#driver=nl80211 This line was for access point without the bridge
ssid=Not This One
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=mydogsxxxxxxxx
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Another silly question:

Does the SSID name allow spaces?

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sat Mar 25, 2017 8:15 pm

The deeper I get into this, the more I become concerned the "shared connection" scenario will not support my needs.

From looking at this:

https://agentoss.wordpress.com/2011/10/ ... bian-linux ,

I've come to understand that what is happening in the shared scenario is that the router will be passing IPs to devices through my Pi. I need for the router to assign an IP to my Pi via ethernet, as well as assigning IPs to devices connected to it directly by WiFi. So my Pi will be in the same network as devices connected to the router via WiFi. I need a separate WiFi network through which data will be passed through my Pi to the internet via the wired connection to the router. The network supported by the Pi will be passing (hopefully) through a VPN tunnel, supported by OpenVPN and a configuration file from my VPN provider.

DougieLawson

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sat Mar 25, 2017 8:26 pm

SSID is a plain string up to 32 characters long. It looks like spaces are OK.
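
The points raised in the posts above (SSID length and spaces, the wpa/cipher lines, and what bridge=br0 means for a VPN setup) can be checked mechanically. The following is an added example, not code from the thread or from the Raspberry Pi documentation; the sample file is constructed, the finding names are this example's own, and the cipher defaults noted in the comments are assumptions about hostapd's behaviour.

```python
# Constructed sample, modelled on the hostapd.conf files posted in this thread.
SAMPLE_CONF = """\
interface=wlan0
bridge=br0
#driver=nl80211
ssid=Not This One
wpa=2
wpa_passphrase=constructed-example-passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""


def parse_hostapd(text):
    """Parse key=value lines; the value is everything after the first '='."""
    conf = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key] = value  # kept verbatim, so spaces in an SSID survive
    return conf


def audit(text):
    """Return a sorted list of finding codes (names are this example's own)."""
    conf = parse_hostapd(text)
    findings = set()
    # An SSID is 1 to 32 octets; count bytes, not characters.
    if not 1 <= len(conf.get("ssid", "").encode("utf-8")) <= 32:
        findings.add("ssid-length")
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2 (RSN)
    if wpa == 0:
        findings.add("open-network")
    else:
        # Assumption: wpa_pairwise defaults to TKIP, and rsn_pairwise falls
        # back to the wpa_pairwise value when it is not set.
        wpa_pair = set(conf.get("wpa_pairwise", "TKIP").split())
        rsn_pair = set(conf.get("rsn_pairwise", "").split()) or wpa_pair
        active = (wpa_pair if wpa & 1 else set()) | (rsn_pair if wpa & 2 else set())
        if wpa & 1:
            findings.add("wpa1-enabled")
        if "TKIP" in active:
            findings.add("tkip-in-use")
        if not wpa & 1 and "rsn_pairwise" in conf and "wpa_pairwise" in conf:
            findings.add("wpa_pairwise-ignored")
        passphrase = conf.get("wpa_passphrase")
        if passphrase is not None and not 8 <= len(passphrase) <= 63:
            findings.add("passphrase-length")
    # With bridge= set, clients sit on the upstream LAN (see the post above).
    if conf.get("bridge"):
        findings.add("bridged-to-uplink")
    return sorted(findings)


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

For the posted configuration the only cipher in use is CCMP, and the bridged-to-uplink finding is the one that matters for a VPN access point: bridged clients are on the router's network, not behind the Pi.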

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sat Mar 25, 2017 10:02 pm

Thanks...

I tried to revert everything to the standalone network scenario and locked myself out of SSH access, perhaps because the bridge was still in place. Not sure. I had restored the .conf and .interface files I had backed up and performed the setups specified in the first section.

Any ideas for regaining SSH access, aside from refreshing the image? I have an HDMI television of course, and a bluetooth keyboard. However, I shut off bluetooth on my Pi, during the initial setup.

Another thing I noticed is that I now have a new MAC address (after setting up hostapd or dnsmasq??)

DougieLawson

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sat Mar 25, 2017 10:09 pm

[ALT]+[SYSRQ]+

Wait for it to reboot then scan your network to see what address it's been assigned.

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sat Mar 25, 2017 11:39 pm

Thanks Doug,

Yes, I did that. I showed two IP addresses in the DHCP Table: One the same as before and another new IP with a new mac address. I could not SSH in via either one. I deleted the two entries in the dhcp table and rebooted my pi. The DHCP entries for my R Pi never came back, even though I also rebooted my router.

Adding via edit: My Pi does not show up in my network IP Scanner either.

To clarify, I saw those two IP addresses in my router's DHCP assignments. Those leases were probably no longer active. I didn't look in the network scanner until the very end.

DougieLawson

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sun Mar 26, 2017 12:53 pm

Connect a TV, keyboard and mouse and take a look at what your RPi thinks it's doing in /var/log/daemon.log.

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sun Mar 26, 2017 2:59 pm

I've refreshed the image and done the basic setups once more, including backups of config and interface files.

My setup has my Pi connected to a wireless router via an ethernet cable. The router has its own SSID with devices connected to it that I DO NOT want to pass through the VPN. I want to set up my Pi with a wireless access point with its own SSID, to which only devices I WANT to pass through the VPN tunnel will connect. I hope to run OpenVPN on my Pi, using a configuration file downloaded from my VPN provider. I've tested the VPN and it works, as long as the ethernet connection has a static IP. Testing this, I've assigned eth0 a static IP in dhcpcd.conf, as below:

interface eth0

static ip_address=192.168.0.10/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1

The documentation James shared (top portion for setting up a standalone network) requires setting up a static IP for wlan0 by denying wlan0 an interface in dhcpd.conf and defining wlan0 in /etc/network/interfaces.

Unless I am missing something, this means my Pi will have two static IP addresses: One for the connection to the router (eth0) and one for the access point (wlan0). Is this correct? Will this work? It seems "strange" to me to have one device - as configured, basically a router - with two IP addresses.
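
A routing host carries one address per interface, and the netmask decides which interface a destination is reached through, so the subnets on eth0 and wlan0 must not overlap. The following added example (not code from the thread or the linked documentation) derives network and broadcast from address plus netmask in either notation and reports overlapping subnets; the sample file is constructed, and writing both interfaces as `iface` stanzas is an assumption made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed /etc/network/interfaces content. The addresses come from the
# thread (the eth0 static address, and the 192.168.0.1 that the quoted
# documentation gives the access point); the stanza layout is an assumption.
SAMPLE = """\
iface eth0 inet static
    address 192.168.0.10
    netmask 24
    gateway 192.168.0.1

iface wlan0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
"""


def parse_static(text):
    """Map interface name -> ipaddress interface for 'inet static' stanzas."""
    options, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            current = words[1] if words[2:4] == ["inet", "static"] else None
            if current:
                options[current] = {}
        elif current and len(words) >= 2:
            options[current][words[0]] = words[1]
    result = {}
    for name, opts in options.items():
        if "address" in opts:
            addr = opts["address"]
            if "/" not in addr:  # netmask may be a prefix length or dotted quad
                addr += "/" + opts.get("netmask", "32")
            result[name] = ipaddress.ip_interface(addr)
    return result


def derived(iface):
    """Network and broadcast addresses implied by address + netmask."""
    net = iface.network
    return str(net.network_address), str(net.broadcast_address)


def clashes(ifaces):
    """Pairs of interfaces whose subnets overlap (ambiguous routing)."""
    return [(a, b) for a, b in combinations(sorted(ifaces), 2)
            if ifaces[a].network.overlaps(ifaces[b].network)]


if __name__ == "__main__":
    parsed = parse_static(SAMPLE)
    for name, iface in parsed.items():
        print(name, iface, *derived(iface))
    print("overlapping:", clashes(parsed))
```

Moving the access point to a block such as the 172.31.4.0/24 suggested earlier in the thread clears the overlap.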

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sun Mar 26, 2017 5:03 pm

Followed the doc for setting up standalone network access point

https://github.com/raspberrypi/document ... s-point.md

I see no SSID, unfortunately. When I restarted hostapd, I got message:

wpa_supplicant[411]: rfkill: WLAN soft blocked

Rebooted and checked all setups, but the SSID I defined in hostapd.config is not on the air.

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sun Mar 26, 2017 5:09 pm

Did some restarts and the new SSID appeared. I was able to connect to it with a wireless device, but there's no internet connectivity through the AP. I'm on the web on the Pi via SSH/VNC.

This is where I'm really wondering about the two static ip addresses I mentioned above...

DougieLawson

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sun Mar 26, 2017 5:15 pm

You've either missed a step or you need to go for part #2 (the bridged network/access point).

The docs you're following are known to work and have been tested by the author and by me.

NoBodyUKnow

Re: RPi as VPN Router and Wireless Access Point. Possible??

Sun Mar 26, 2017 9:35 pm

Doug,

It is functioning. I checked everything in the first part and followed the steps in the second part of the document, EXCEPT for adding "denyinterfaces eth0" in /etc/dhcpcd.conf. I'm afraid that if I add that, I'm going to be left with no working TCP/IP interfaces and locked out of network access to my Pi.

I will need a static IP address to support OpenVPN. In the documentation it says

It is possible to use a static IP address for the bridge if required...

Do I set that up in /etc/network/interfaces, as with ethx and wlanx? Then perhaps it will be safe to deny eth0 an IP address via DHCPD?

Feeling my way along here....

Thanks!

DougieLawson

Re: RPi as VPN Router and Wireless Access Point. Possible??

Mon Mar 27, 2017 12:46 am

Add the

Code:

denyinterfaces eth0
to dhcpcd.conf and add

Code:

netmask 24
address 192.168.3.14
(change to taste) to your interfaces file to set a static address.