RPi as VPN Router and Wireless Access Point. Possible??

Posted: Wed Mar 22, 2017 8:52 pm
by NoBodyUKnow
Hello,

I'm trying desperately to set up my network as in the attached diagram, and as further described below the graphic:

[Attachment: VPN-Diagram (1).png]

My Raspberry Pi 3 running Jessie as a wireless access point (wlan0) connected to a Linksys Router via ethernet (eth0). The devices in my home will connect via WiFi to the RPi, which will be running OpenVPN via a configuration script supplied by Expressvpn, my VPN provider.

I've found many tutorials on setting up the WiFi access point, and I find many tutorials on setting up the RPi as a VPN Router. However, I find none explaining how to do those together on one RPi.

I'm sensing there may be a conflict in the use of DHCPCD and DHCP between these two functions, because on the tutorial I find most reliable for setting up the VPN router, there's guidance to disable dhcpcd, to avoid having two ip addresses assigned to the Rpi:

http://www.dickson.me.uk/2016/06/21/set ... r-updated/

While in the tutorial that seems most useful for setting the Wireless Access Point, dhcpcd is an integral part of the final solution.

https://www.frillip.com/using-your-rasp ... h-hostapd/

Is it possible for my RPi to both broadcast a secure SSID and route all connections to that network through my VPN?

OpenVPN is set up on my Rpi and works fine (at least when starting manually. I'm not yet sure how to incorporate the userid and password into a reboot startup).

I would sure appreciate some help with this, and I'm happy to provide any information that might help with that.

Thanks very much,

NBUK

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Wed Mar 22, 2017 9:02 pm
by jamesh
I've been writing new docs on access points - draft version here https://github.com/raspberrypi/document ... s-point.md

They might help, but you have brought up an interesting question of setting up VPNs which might be my next documentation task!

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Thu Mar 23, 2017 1:15 pm
by NoBodyUKnow
James,

This is a great writeup. More detailed and probably more correct than the others I've found, at least for my application.

A question - and this probably belongs in the newbie section - can I take the IP addresses you provided literally? In other words, because of the design of the network, can I use those exact numbers, or do they need to be adapted to the IP address and IP range of my router?

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Thu Mar 23, 2017 2:59 pm
by NoBodyUKnow
James,

I see now, in the preamble to the tutorial:

This documentation assumes we are using the standard 192.168.x.x IP addresses for our wireless network, so we will assign the server the IP address 192.168.0.1.

I did note that in your changes to /etc/network/interfaces to enable the access point, you didn't include a Broadcast IP. The tutorial I looked at before did include that parameter.

I'd made some changes to my RPi config and am going back to a fresh install of the latest version of Jessie. I don't want any changes I've made to complicate configuring this correctly, as this is what I purchased my RPi for.

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Thu Mar 23, 2017 3:21 pm
by jamesh
The documentation as it stands works as intended, so you don't, AFAIK, need the broadcast ID. Since there are various ways of configuring this stuff, I've tried to keep it to the minimum!

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Thu Mar 23, 2017 3:26 pm
by DougieLawson
You only need IP address and netmask. Broadcast and network are superfluous (because you and your Linux system can calculate them knowing just the address and netmask).

You can use

Code:

address 172.31.4.1
netmask 24

or

Code:

address 172.31.4.1
netmask 255.255.255.0

(your choice) as they both mean the same thing

(Note: I'm a fan of using 172.31.4.0/24 for my example network address blocks as they're unlikely to clash with anyone's home router which tend to use 192.168.xx.xx or 10.0.0.xx address blocks).
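
The calculation described in the post above, as an added example that is not part of the original thread: Python's standard `ipaddress` module derives network and broadcast from address and netmask in either form, and can check whether an access-point subnet overlaps the upstream router's LAN. The helper names `parse_stanza`, `derived` and `clashes` are hypothetical, and the stanzas and upstream ranges are constructed samples.

```python
import ipaddress

def parse_stanza(text):
    """Build an IPv4Interface from the 'address' and 'netmask' lines of an
    /etc/network/interfaces stanza; netmask may be a prefix length or dotted."""
    fields = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("address", "netmask"):
            fields[parts[0]] = parts[1]
    if "address" not in fields or "netmask" not in fields:
        raise ValueError("stanza needs both address and netmask")
    # ip_interface accepts "a.b.c.d/24" and "a.b.c.d/255.255.255.0" alike
    return ipaddress.ip_interface(f"{fields['address']}/{fields['netmask']}")

def derived(iface):
    """Return (network address, broadcast address) implied by address + netmask."""
    net = iface.network
    return str(net.network_address), str(net.broadcast_address)

def clashes(iface, upstream_cidr):
    """True if the interface's subnet overlaps the upstream router's range."""
    return iface.network.overlaps(ipaddress.ip_network(upstream_cidr))

# Constructed samples using the two netmask spellings from the post.
PREFIX_FORM = "address 172.31.4.1\nnetmask 24\n"
DOTTED_FORM = "address 172.31.4.1\nnetmask 255.255.255.0\n"
# Constructed stanza that reuses a typical home-router range.
HOME_RANGE = "address 192.168.0.1\nnetmask 24\n"

if __name__ == "__main__":
    ap = parse_stanza(PREFIX_FORM)
    print("same network either way:", ap == parse_stanza(DOTTED_FORM))
    print("network, broadcast:", derived(ap))
    print("clash with 192.168.0.0/16:", clashes(ap, "192.168.0.0/16"))
    print("home-range stanza clash:", clashes(parse_stanza(HOME_RANGE), "192.168.0.0/16"))
```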

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Thu Mar 23, 2017 5:33 pm
by NoBodyUKnow
Thanks Doug and James. Interesting... I accidentally deleted this, as I didn't see your responses and thought I was in the wrong thread. Sorry. Replacing my post:

After a fresh install of the 03/02/17 version of Jessie, this is what I have done:

Added ssh to boot
connected via putty changed pswd
ran update and upgrade (wolfram took a Loooooonnnnng time)
Enlarged partition, changed mem split to 16, set localization, enabled vncserver
reboot
connect via vnc
turn off wifi and bluetooth via GUI
install openvpn
Install hostapd and dnsmasq
stopped hostapd and dnsmasq
download openvpn config files from vpn expressvpn, move to /etc/openvpn and change names to xxx.conf
Created text file with user and password placed on desktop for logging in to vpn vi config file
tested openvpn connect - connects with "initialization complete" after manually entering credentials


However, I cannot access any webpages. This is where I sense some conflict in the setups for wifi AP and openvpn. I think I need to setup a static IP for Eth0 on my pi for openvpn to work. I had this before reinstalling, and I was able to access the internet and browse to webpages.

I am doing this headless, as I do not have a HDMI monitor. Therefore, I am concerned about any step that jeopardizes my ability to connect via SSH.

James:

Is there any point in the tutorial you linked to, where I would be unable to connect via SSH and continue the setup?

Thanks so much...

NBUK

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Fri Mar 24, 2017 10:31 pm
by NoBodyUKnow
James,

It seems the link you posted above is dead.

You said it was a draft. Did you publish it w a different URL? I can no longer access it.

Thanks!

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sat Mar 25, 2017 4:58 pm
by DougieLawson
NoBodyUKnow wrote: It seems the link you posted above is dead.

https://github.com/raspberrypi/document ... s-point.md is the current version.

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sat Mar 25, 2017 5:40 pm
by NoBodyUKnow
DougieLawson wrote:
NoBodyUKnow wrote: It seems the link you posted above is dead.
https://github.com/raspberrypi/document ... s-point.md is the current version.

Thank you Doug. I searched Github but could not find it.

Working on this now...

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sat Mar 25, 2017 7:40 pm
by NoBodyUKnow
So... This may seem like a stupid question, but....

The documentation has two sections: One for setting up an access-point on a standalone network and another on setting up an access-point to share an existing, wired connection (my scenario).

Do each of these sections stand alone, or do I follow the first section and then follow the second section, if applicable?

I've followed the second section, including the portion regarding configuring the wifi in hostapd.conf. I see no new SSID, as hoped. Here is my ifconfig output:

br0 Link encap:Ethernet HWaddr b8:27:eb:32:c6:55
inet addr:192.168.2.105 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::ba27:ebff:fe32:c655/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:66690 errors:0 dropped:0 overruns:0 frame:0
TX packets:85979 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4997339 (4.7 MiB) TX bytes:61836707 (58.9 MiB)

eth0 Link encap:Ethernet HWaddr b8:27:eb:32:c6:55
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:66716 errors:0 dropped:0 overruns:0 frame:0
TX packets:85979 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4998535 (4.7 MiB) TX bytes:62868115 (59.9 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:85 errors:0 dropped:0 overruns:0 frame:0
TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:6759 (6.6 KiB) TX bytes:6759 (6.6 KiB)

wlan0 Link encap:Ethernet HWaddr b8:27:eb:67:93:00
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:19 errors:0 dropped:19 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7088 (6.9 KiB) TX bytes:0 (0.0 B)

I've done nothing with dnsmasq, as yet...

Thanks!

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sat Mar 25, 2017 7:48 pm
by DougieLawson
There's a tiny bit of overlap. You need to create a hostapd.conf file from part #1 (stand-alone AP) and modify that for part #2 (bridged AP). You'll end up with

Code:

interface=wlan0
bridge=br0
# driver isn't needed for bridged APs
#driver=nl80211
ssid=MyPiBridgedAP
hw_mode=g
# Change channel to suit.
channel=8
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
# Set your password here
wpa_passphrase=somesecretpasswordhere
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

for the bridged access point.

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sat Mar 25, 2017 7:54 pm
by NoBodyUKnow
Yessir... Got that part:

contents of /etc/hostapd/hostapd.conf:

#Original hostapd.conf is an empty file. No backup made. This code configures wireless access point

interface=wlan0
bridge=br0
#driver=nl80211 This line was for access point without the bridge
ssid=Not This One
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=mydogsxxxxxxxx
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Another silly question:

Does the SSID name allow spaces?

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sat Mar 25, 2017 8:15 pm
by NoBodyUKnow
The deeper I get into this, the more I become concerned the "shared connection" scenario will not support my needs.

From looking at this:

https://agentoss.wordpress.com/2011/10/ ... bian-linux ,

I've come to understand that what is happening in the shared scenario, is that the router will be passing IPs to devices through my Pi. I need for the router to assign an IP to my Pi via ethernet, as well as assigning IPs to devices connected to it directly by WiFi. So my Pi will be in the same network as devices connected to the router via WiFi. I need a separate WiFi network through which data will be passed through my Pi to the internet via the wired connection to the router. The network supported by the Pi will be passing (hopefully) through a VPN tunnel, supported by OpenVPN and a configuration file from my VPN provider.

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sat Mar 25, 2017 8:26 pm
by DougieLawson
SSID is a plain string up to 32 characters long. It looks like spaces are OK.
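
A sanity check for the hostapd.conf settings discussed in the posts above (SSID length and spaces, passphrase, pairwise ciphers), added here as an example and not part of the original thread. `parse_hostapd` and `lint_hostapd` are hypothetical helper names, the parser is a simplified stand-in for hostapd's own, and both sample configs are constructed.

```python
def parse_hostapd(text):
    """Simplified key=value parser: whole-line '#' comments, spaces kept in values."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value
    return conf

def lint_hostapd(text):
    """Return finding codes for SSID, passphrase and cipher settings."""
    conf, findings = parse_hostapd(text), []
    if not 1 <= len(conf.get("ssid", "").encode("utf-8")) <= 32:
        findings.append("ssid-length")          # SSID is 1..32 octets, spaces allowed
    wpa = int(conf.get("wpa", "0"))             # bit 0 = WPA (v1), bit 1 = WPA2/RSN
    if wpa == 0:
        return findings + ["open-network"]
    if wpa & 1:
        findings.append("wpa1-enabled")
    psk = conf.get("wpa_passphrase")
    if psk is not None and not 8 <= len(psk) <= 63:
        findings.append("passphrase-length")    # WPA-PSK passphrase is 8..63 chars
    wpa_pw = conf.get("wpa_pairwise", "TKIP")
    rsn_pw = conf.get("rsn_pairwise", wpa_pw)   # rsn_pairwise falls back to wpa_pairwise
    if wpa & 2 and "TKIP" in rsn_pw.split():
        findings.append("tkip-on-wpa2")
    if wpa == 2 and "wpa_pairwise" in conf and "rsn_pairwise" in conf:
        findings.append("wpa_pairwise-unused")  # WPA (v1) cipher set, but v1 is off
    return findings

# Constructed samples: the first mirrors the thread's layout with a placeholder passphrase.
THREAD_STYLE = """interface=wlan0
bridge=br0
#driver=nl80211
ssid=Not This One
wpa=2
wpa_passphrase=constructed-placeholder
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""
WEAK = "ssid=" + "x" * 33 + "\nwpa=3\nwpa_passphrase=short\nwpa_pairwise=TKIP\n"

if __name__ == "__main__":
    print(lint_hostapd(THREAD_STYLE))
    print(lint_hostapd(WEAK))
```

With `wpa=2` and `rsn_pairwise=CCMP`, the access point negotiates CCMP only, so the `wpa_pairwise=TKIP` line is reported as unused rather than as a weakness.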

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sat Mar 25, 2017 10:02 pm
by NoBodyUKnow
Thanks...

I tried to revert everything to the standalone network scenario and locked myself out of SSH access, perhaps because the bridge was still in place. Not sure. I had restored the .conf and .interface files I had backed up and performed the setups specified in the first section.

Any ideas for regaining SSH access, aside from refreshing the image? I have an HDMI television of course, and a bluetooth keyboard. However, I shut off bluetooth on my Pi, during the initial setup.

Another thing I noticed is that I now have a new MAC address (after setting up hostapd or dnsmasq??)

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sat Mar 25, 2017 10:09 pm
by DougieLawson
[ALT]+[SYSRQ]+

Wait for it to reboot then scan your network to see what address it's been assigned.

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sat Mar 25, 2017 11:39 pm
by NoBodyUKnow
Thanks Doug,

Yes, I did that. I showed two IP addresses in the DHCP Table: One the same as before and another new IP with a new mac address. I could not SSH in via either one. I deleted the two entries in the dhcp table and rebooted my pi. The DHCP entries for my R Pi never came back, even though I also rebooted my router.

Adding via edit: My Pi does not show up in my network IP Scanner either.

To clarify, I saw those two IP addresses in my router's DHCP assignments. Those leases were probably no longer active. I didn't look in the network scanner until the very end.

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sun Mar 26, 2017 12:53 pm
by DougieLawson
Connect a TV, keyboard and mouse and take a look at what your RPi thinks it's doing in /var/log/daemon.log.

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sun Mar 26, 2017 2:59 pm
by NoBodyUKnow
I've refreshed the image and done the basic setups once more, including backups of config and interface files.

My setup has my Pi connected to a wireless router via an ethernet cable. The router has its own SSID with devices connected to it that I DO NOT want to pass through the VPN. I want to set up my Pi with a wireless access point with its own SSID, to which only devices I WANT to pass through the VPN tunnel will connect. I hope to run OpenVPN on my Pi, using a configuration file downloaded from my VPN provider. I've tested the VPN and it works, as long as the ethernet connection has a static IP. Testing this, I've assigned eth0 a static IP in dhcpcd.conf, as below:

interface eth0

static ip_address=192.168.0.10/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1

The documentation James shared (top portion for setting up a standalone network) requires setting up a static IP for wlan0 by denying wlan0 an interface in dhcpd.conf and defining wlan0 in /etc/network/interfaces.

Unless I am missing something, this means my Pi will have two static IP addresses: One for the connection to the router (eth0) and one for the access point (wlan0). Is this correct? Will this work? It seems "strange" to me to have one device - as configured, basically a router - with two IP addresses.

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sun Mar 26, 2017 5:03 pm
by NoBodyUKnow
Followed the doc for setting up standalone network access point

https://github.com/raspberrypi/document ... s-point.md

I see no SSID, unfortunately. When I restarted hostapd, I got message:

wpa_supplicant[411]: rfkill: WLAN soft blocked

Rebooted and checked all setups, but the SSID I defined in hostapd.config is not on the air.

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sun Mar 26, 2017 5:09 pm
by NoBodyUKnow
Did some restarts and the new SSID appeared. I was able to connect to it with a wireless device, but there's no internet connectivity through the AP. I'm on the web on the Pi via SSH/VNC.

This is where I'm really wondering about the two static ip addresses I mentioned above...

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sun Mar 26, 2017 5:15 pm
by DougieLawson
You've either missed a step or you need to go for part #2 (the bridged network/access point).

The docs you're following are known to work and have been tested by the author and by me.

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Sun Mar 26, 2017 9:35 pm
by NoBodyUKnow
Doug,

It is functioning. I checked everything in the first part and followed the steps in the second part of the document, EXCEPT for adding "denyinterfaces eth0" in /etc/dhcpcd.conf. I'm afraid that if I add that, I'm going to be left with no working TCP/IP interfaces and locked out of network access to my Pi.

I will need a static IP address to support OpenVPN. In the documentation it says

It is possible to use a static IP address for the bridge if required...

Do I set that up in /etc/network/interfaces, as with ethx and wlanx? Then perhaps it will be safe to deny eth0 an IP address via DHCPD?

Feeling my way along here....

Thanks!

Re: RPi as VPN Router and Wireless Access Point. Possible??

Posted: Mon Mar 27, 2017 12:46 am
by DougieLawson
Add the

Code:

denyinterfaces eth0

to dhcpcd.conf and add

Code:

netmask 24
address 192.168.3.14

(change to taste) to your interfaces file to set a static address.