vpn-pi

Differences

This shows you the differences between two versions of the page.

vpn-pi [2020/04/05 14:09]
robm created
vpn-pi [2020/04/29 16:54] (current)
robm
Line 8: Line 8:
  
 In order to use the WiFi chipset as an access point, we need default Raspberry Pi desktop environment (etc) from using it as a client. In order to use the WiFi chipset as an access point, we need default Raspberry Pi desktop environment (etc) from using it as a client.
 +
 +One-off:
  
 <code>sudo wpa_cli terminate</code> <code>sudo wpa_cli terminate</code>
  
-TODOAutomate this, so restarting the Pi doesn't require this to be done every time+ForeverDisabling the service permanently is tricky, as lots of events can cause it to be started. A better solution is to exclude ''wlan0'' from being managed by it, by adding ''nohook wpa_supplicant'' to ''/etc/network/interfaces.d/wlan0'' (created in the next section).
  
 ===== Configure WiFi settings ===== ===== Configure WiFi settings =====
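Review bot: `nohook wpa_supplicant` (end of the new `Forever` paragraph) is a dhcpcd.conf option, not an ifupdown one, so adding it to `/etc/network/interfaces.d/wlan0` only helps if something other than ifupdown reads that file; if it is dhcpcd's hook that keeps restarting wpa_supplicant on `wlan0`, show the `interface wlan0` / `nohook wpa_supplicant` stanza in `/etc/dhcpcd.conf` instead, or say which daemon this was verified against, and give the post-reboot check (`pgrep -a wpa_supplicant` returning nothing). The unchanged opening sentence is also missing its verb (`we need to stop the default Raspberry Pi desktop environment ... from using it as a client`), and the `One-off`/`Forever` labels have lost whatever markup set them off from the text that follows.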
Line 18: Line 20:
  
 <code> <code>
 +auto wlan0
 iface wlan0 inet static iface wlan0 inet static
-  address 172.16.0.1/16+  address 172.16.0.1/24 
 +  nohook wpa_supplicant  # Conflicts with hostapd (WPA is for clients, not access points)
 </code> </code>
  
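Review bot: the `/24` mask now agrees with the `--dhcp-range` added later in this revision (172.16.0.10 to .20 lies inside 172.16.0.0/24), which is the right fix. Two small things: `address 172.16.0.1/24 ` carries a trailing space, and the `# Conflicts with hostapd ...` comment sits on the same line as the `nohook` option; ifupdown passes option text through to its hook scripts, so put the comment on its own `#` line. Whether `nohook` is honoured in this file at all is covered in the note on the previous hunk.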
Line 25: Line 29:
  
 <code> <code>
-sudo ifconfig wlan0 down  # Take interface offline, so when we bring it back it uses our conf +sudo ifdown --verbose wlan0  # Take interface offline, so when we bring it back it uses our conf 
-sudo ifup wlan0+sudo ifup --verbose wlan0
 </code> </code>
  
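Review bot: `ifdown --verbose wlan0` only acts on interfaces that ifupdown itself brought up (it consults its own state file), so on a Pi where `wlan0` was previously configured by hand or by `ifconfig` the first run reports the interface as not configured and does nothing; either say so or use `sudo ifdown --force wlan0` for that first run. Replacing `ifconfig` is otherwise the right direction, since the page already uses `ip` elsewhere.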
Line 33: Line 37:
 <code> <code>
 root@raspberrypi4:~# ip -br addr show wlan0 root@raspberrypi4:~# ip -br addr show wlan0
-wlan0            UP             172.16.0.1/16 169.254.114.246/16 fe80::3592:65db:94e0:c992/64+wlan0            UP             172.16.0.1/24 169.254.114.246/16 fe80::3592:65db:94e0:c992/64
 </code> </code>
  
 ===== DHCP & DNS Services ===== ===== DHCP & DNS Services =====
 +
 +Disable the default ''systemd-resolved'' service which runs on localhost, as it takes control of ''/etc/resolv.conf'', which in turn prevents the DHCP + DNS server we're about to install from noticing when expressvpn changes the DNS server.
 +
 +It's important that ''dnsmasq'' notices when ''/etc/resolv.conf'' changes, or DNS lookups will fail entirely due to ExpressVPN adding firewall rules to drop all DNS queries that don't go via ExpressVPN.
 +
 +<code>
 +sudo systemctl disable --now systemd-resolved
 +</code>
  
 <code> <code>
 sudo apt update \ sudo apt update \
 && sudo apt install dnsmasq && sudo apt install dnsmasq
-<code>+</code>
  
 Then test this in the foreground so you can see debug messages, etc Then test this in the foreground so you can see debug messages, etc
Line 49: Line 61:
 && sudo dnsmasq \ && sudo dnsmasq \
   --no-daemon \   --no-daemon \
-  --dhcp-range=172.160.0.50,172.16.0.150,12h \+  --dhcp-range=172.16.0.10,172.16.0.20,1h \
   --except-interface=eth0 \   --except-interface=eth0 \
   --dhcp-authoritative \   --dhcp-authoritative \
 +  --log-queries \
   --clear-on-reload   --clear-on-reload
 </code> </code>
 +
 +Later on, we'll want to move these settings into ''/etc/dnsmasq.conf''
  
 ===== WiFi Access Point ===== ===== WiFi Access Point =====
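Review bot: `sudo systemctl disable --now systemd-resolved` can leave `/etc/resolv.conf` as a dangling symlink into `/run/systemd/resolve/`, in which case dnsmasq sees no upstream server at all rather than the ExpressVPN one; add an `ls -l /etc/resolv.conf` check and, if it is a symlink, replace it with a regular file that the VPN client can rewrite. On the dnsmasq command: the corrected `--dhcp-range=172.16.0.10,172.16.0.20,1h` now sits inside the `/24` from the interfaces stanza (the old `172.160.0.50` was a typo outside any configured subnet), but the new `--log-queries` writes every client's DNS lookups to syslog, so keep it for this foreground test and leave it out of the `/etc/dnsmasq.conf` the text says the settings will move into. Replacing the stray `<code>` after the apt block with `</code>` closes a tag that was previously left open. Finally, the `169.254.114.246/16` address still shown in the `ip -br addr` output is an IPv4 link-local address, which means some daemon is still auto-configuring `wlan0` despite the static stanza; a sentence on where it comes from would help.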
Line 134: Line 149:
  
 Then try to connect from another device (e.g. mobile phone). The WiFi network should be visible, and when you connect you should get an IP address, but probably an error about no internet connection. That's next. Then try to connect from another device (e.g. mobile phone). The WiFi network should be visible, and when you connect you should get an IP address, but probably an error about no internet connection. That's next.
 +
 +===== Network Address Translation =====
 +
 +Enable Network Address Translation (NAT) on any traffic that leaves us via ExpressVPN's ''tun0'' interface.
 +
 +Note that the interface doesn't exist until you run ''expressvpn connect'', but you can add the rule to ''iptables'' without issue.
 +
 +<code>
 +iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
 +</code>
 +
 +Note that is this is the **only** MASQUERADE rule (check with ''iptables -t nat -nvL'') then devices using this access point will experience 100% packet loss when ExpressVPN is not connected. I consider this a feature, but if you don't you can add another rule for ''eth0'':
 +
 +<code>
 +iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 +</code>
 +
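Review bot: the MASQUERADE rule does nothing until the kernel is forwarding, and this section never enables it; add `sudo sysctl -w net.ipv4.ip_forward=1` (persisted in `/etc/sysctl.conf` or `/etc/sysctl.d/`) before the iptables line, otherwise clients keep getting the "no internet" error the previous paragraph describes. `iptables -t nat -A POSTROUTING ...` rules are also lost on reboot, which matters given the page's earlier goal of not repeating steps after a restart, so say how they are persisted (`netfilter-persistent`, or `iptables-save` output restored from a boot script, whichever is used). Both rules need root but are written without `sudo`, unlike every other command on the page, and restricting them to the access-point subnet (`-s 172.16.0.0/24`) avoids masquerading anything else that happens to be forwarded. Typo: `Note that is this is the **only**` should read `Note that if this is the **only**`. The optional `eth0` rule makes the setup fail open (clients go out unencrypted whenever the VPN is down); the text already calls the drop a feature, so stating plainly that the second rule gives up that fail-closed property would help readers who copy it.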
vpn-pi.1586095791.txt.gz · Last modified: 2020/04/05 14:09 by robm