====== VPN via Raspberry Pi 4 ======

  * Use a Raspberry Pi 4 (B) as WiFi access point
  * Home network (and internet connection) attached via Ethernet cable
  * Pi will run ExpressVPN

===== Disassociate WiFi =====

In order to use the WiFi chipset as an access point, we need default Raspberry Pi desktop environment (etc) from using it as a client.

One-off:

<code>sudo wpa_cli terminate</code>

Forever: Disabling the service permanently is tricky, as lots of events can cause it to be started. A better solution is to exclude ''wlan0'' from being managed by it, by adding ''nohook wpa_supplicant'' to ''/etc/network/interfaces.d/wlan0'' (created in the next section).

===== Configure WiFi settings =====

Create ''/etc/network/interfaces.d/wlan0'' and populate it with:

<code>
auto wlan0
iface wlan0 inet static
  address 172.16.0.1/24
  nohook wpa_supplicant  # Conflicts with hostapd (WPA is for clients, not access points)
</code>

Note the IP address has to be in the same range as ''--dhcp-range'' in the following section on ''dnsmasq''.

<code>
sudo ifdown --verbose wlan0  # Take interface offline, so when we bring it back it uses our conf
sudo ifup --verbose wlan0
</code>

Check it has the IP you chose by running ''ip -br addr show wlan0'', e.g.:

<code>
root@raspberrypi4:~# ip -br addr show wlan0
wlan0            UP             172.16.0.1/24 169.254.114.246/16 fe80::3592:65db:94e0:c992/64
</code>

===== DHCP & DNS Services =====

Disable the default ''systemd-resolved'' service which runs on localhost, as it takes control of ''/etc/resolv.conf'', which in turn prevents the DHCP + DNS server we're about to install from noticing when expressvpn changes the DNS server.

It's important that ''dnsmasq'' notices when ''/etc/resolv.conf'' changes, or DNS lookups will fail entirely due to ExpressVPN adding firewall rules to drop all DNS queries that don't go via ExpressVPN.

<code>
sudo systemctl disable --now systemd-resolved
</code>

<code>
sudo apt update \
&& sudo apt install dnsmasq
</code>

Then test this in the foreground so you can see debug messages, etc

<code>
sudo systemctl stop dnsmasq \
&& sudo dnsmasq \
  --no-daemon \
  --dhcp-range=172.16.0.10,172.16.0.20,1h \
  --except-interface=eth0 \
  --dhcp-authoritative \
  --log-queries \
  --clear-on-reload
</code>

Later on, we'll want to move these settings into ''/etc/dnsmasq.conf''

===== WiFi Access Point =====

<code>
sudo apt update \
&& sudo apt install hostapd \
&& sudo vim /etc/default/hostapd
</code>

... and set ''DAEMON_CONF'' to point at a file we'll make in a moment:

<code>
DAEMON_CONF="/etc/hostapd/hostapd.conf"
</code>

Now create: ''/etc/hostapd/hostapd.conf''

<code>
sudo vim /etc/hostapd/hostapd.conf
</code>

Note that the country code has to be set to US for this to work. Something to do with regulatory issues about shipping "open" devices or something. Shrug.

(Taken from https://github.com/raspberrypi/linux/issues/2619#issuecomment-410703338 )

<code>
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
auth_algs=1
beacon_int=100

ssid=raspi-webgui
wpa_passphrase=ChangeMe

country_code=US

interface=wlan0
driver=nl80211

wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

macaddr_acl=0

logger_syslog=0
logger_syslog_level=4
logger_stdout=-1
logger_stdout_level=0

hw_mode=a
wmm_enabled=1

# N
ieee80211n=1
require_ht=1
ht_capab=[MAX-AMSDU-3839][HT40+][SHORT-GI-20][SHORT-GI-40][DSSS_CCK-40]

# AC
ieee80211ac=1
require_vht=1
ieee80211d=0
ieee80211h=0
vht_capab=[MAX-AMSDU-3839][SHORT-GI-80]
vht_oper_chwidth=1
channel=36
vht_oper_centr_freq_seg0_idx=42

ignore_broadcast_ssid=0
</code>

Test using the following command (so its all runs in the foreground and prints stuff you can read in case it doesn't work):

<code>
sudo systemctl stop hostapd   # Stop the background service, if it was running
sudo hostapd -dd /etc/hostapd/hostapd.conf
</code>

Then try to connect from another device (e.g. mobile phone). The WiFi network should be visible, and when you connect you should get an IP address, but probably an error about no internet connection. That's next.

===== Network Address Translation =====

Enable Network Address Translation (NAT) on any traffic that leaves us via ExpressVPN's ''tun0'' interface.

Note that the interface doesn't exist until you run ''expressvpn connect'', but you can add the rule to ''iptables'' without issue.

<code>
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
</code>

Note that is this is the **only** MASQUERADE rule (check with ''iptables -t nat -nvL'') then devices using this access point will experience 100% packet loss when ExpressVPN is not connected. I consider this a feature, but if you don't you can add another rule for ''eth0'':

<code>
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</code>