vpn-rpi4
Differences
vpn-rpi4 [2020/04/29 21:42]
robm created
vpn-rpi4 [2020/04/30 08:59]
robm [ExpressVPN Access Point using a Raspberry Pi 4]
Line 6: Line 6:
     * ''eth0'' (wired) connected to home network:     * ''eth0'' (wired) connected to home network:
       * CIDR: ''192.168.167.0/24''       * CIDR: ''192.168.167.0/24''
 +      * DHCP range: ''192.168.167.100'' to ''192.168.167.250''
       * Gateway / router: ''192.168.167.1''       * Gateway / router: ''192.168.167.1''
  
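Review bot: the added DHCP range line is useful context, but the hunk should also say why it matters: the dnsmasq pool introduced later in this revision (192.168.167.40 to .47) and the bridge's own address (.48) sit on the same /24 as the router's pool (.100 to .250), and both servers hand out leases on that segment once eth0 and wlan0 are bridged, so the two ranges must never overlap. One sentence stating that constraint next to the range would stop a reader from picking a pool inside the router's range.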
Line 48: Line 49:
   up   ebtables -t filter -A FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP   up   ebtables -t filter -A FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP
   down ebtables -t filter -D FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP   down ebtables -t filter -D FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP
 +
 +  # Ethernet Bridging: Be deaf to DHCP requests originating on the wired
 +  # connection (home network), we are not their DHCP server. (.. and dnsmasq
 +  # cannot distinguish the source, as it all appears to be coming from br0)
 +  up   ebtables -t filter -A INPUT -d FF:FF:FF:ff:ff:ff -i eth0 -j DROP
 +  down ebtables -t filter -D INPUT -d FF:FF:FF:ff:ff:ff -i eth0 -j DROP
  
   # Internet Protocol Network Address Translation when using this bridge, and   # Internet Protocol Network Address Translation when using this bridge, and
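Review bot: the new INPUT rule is broader than its comment claims: it drops every frame arriving on eth0 that is addressed to ff:ff:ff:ff:ff:ff, not just DHCP. ARP requests from wired hosts, including the router, for the Pi's own 192.168.167.48 are broadcast too and will be silently discarded, so the Pi stops answering ARP from the wired side. Narrow it to the same match the FORWARD rule above already uses, e.g. `up   ebtables -t filter -A INPUT -i eth0 --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP` with the matching `-D` on down. It is also worth recording in the comment that this rule is what keeps `dhcp-authoritative` in dnsmasq.conf from competing with the home router's DHCP server.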
Line 62: Line 69:
 sudo apt remove openresolv sudo apt remove openresolv
 sudo apt install dnsmasq hostapd sudo apt install dnsmasq hostapd
 +</code>
 +
 +Remove ''/etc/resolv.conf'' if it is a symbolic link, and recreate as a regular file:
 +<code>
 +nameserver 1.0.0.1
 +nameserver 8.8.4.4
 +nameserver 1.1.1.1
 +nameserver 8.8.8.8
 </code> </code>
  
 Modify ''/etc/dnsmasq.conf'': Modify ''/etc/dnsmasq.conf'':
 <code> <code>
-dhcp-range=172.16.0.10,172.16.0.20,1h +dhcp-range=192.168.167.40,192.168.167.47,1h
-except-interface=eth0+
 dhcp-authoritative dhcp-authoritative
 +clear-on-reload
 +bridge-interface=br0,wlan0
 </code> </code>
  
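Review bot: the resolv.conf step and the dnsmasq change pull in different directions and the hunk does not say which wins. dnsmasq takes its upstream resolvers from /etc/resolv.conf, and the journal output further down this revision shows it `using nameserver 10.89.0.1#53`, not the four public resolvers written here, so the file is evidently rewritten again after this step (presumably by the VPN client; state that explicitly). That matters for the Wi-Fi clients: every one of their DNS queries goes wherever this file points at that moment, so if the tunnel is down and the file holds these public resolvers, client lookups leave via the home router in the clear. Separately, `dhcp-authoritative` on a pool that shares the /24 with the home router is only safe because of the ebtables INPUT rule earlier on the page; a comment in dnsmasq.conf recording that dependency would help the next person who removes one without the other.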
Line 145: Line 161:
 ===== Debugging ===== ===== Debugging =====
  
-<code>+<code>pi@raspberrypi4:~ $ ip -br link 
 +lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 
 +eth0             UP             dc:a6:32:20:f7:7d <BROADCAST,MULTICAST,UP,LOWER_UP> 
 +wlan0            UP             dc:a6:32:20:f7:7e <BROADCAST,MULTICAST,UP,LOWER_UP> 
 +br0              UP             dc:a6:32:20:f7:7d <BROADCAST,MULTICAST,UP,LOWER_UP> 
 + 
 + 
 +pi@raspberrypi4:~ $ ip -br addr 
 +lo               UNKNOWN        127.0.0.1/8 ::1/128 
 +eth0             UP 
 +wlan0            UP 
 +br0              UP             192.168.167.48/24 fe80::dea6:32ff:fe20:f77d/64 
 + 
 pi@raspberrypi4:~ $ sudo iptables -t nat -nvL pi@raspberrypi4:~ $ sudo iptables -t nat -nvL
 Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
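Review bot: this block shows the outputs without saying what a correct result looks like, which is the point of a debugging section. From the listing the checks are: eth0 and wlan0 are UP but carry no address, br0 alone holds 192.168.167.48/24, and br0 has taken eth0's MAC (dc:a6:32:20:f7:7d). A line stating each of those expectations, and what it means when one differs (an address on eth0, for instance, means that interface is still being configured outside the bridge), would make the output usable as a reference.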
Line 155: Line 184:
 Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination  pkts bytes target     prot opt in     out     source               destination
-  426 35264 MASQUERADE  all  --  *      br0     0.0.0.0/           0.0.0.0/0 +  386 25981 MASQUERADE  all  --  *      br0     0.0.0.0/           0.0.0.0/0 
-  804  103K MASQUERADE  all  --  *      tun0    0.0.0.0/           0.0.0.0/0+        MASQUERADE  all  --  *      tun0    0.0.0.0/           0.0.0.0/0
  
 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
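Review bot: the revised counters tell a different story than the old ones and the hunk should say so: on the new side the tun0 MASQUERADE rule shows no traffic while the br0 rule has 386 packets, i.e. at capture time client traffic was being NATed straight onto the home network rather than into the VPN. Together with the route table below, where the tun0 routes have gone, this output was taken with the tunnel down. Label it as such, and since the br0 MASQUERADE rule means clients silently fall back to the unprotected path whenever tun0 is absent, the kill-switch the old expressvpn output mentioned (`network_lock`) deserves its own step rather than being dropped from the page.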
Line 174: Line 203:
  
 pi@raspberrypi4:~ $ ip route pi@raspberrypi4:~ $ ip route
-0.0.0.0/1 via 10.89.0.29 dev tun0 
 default via 192.168.167.1 dev br0 onlink default via 192.168.167.1 dev br0 onlink
-10.0.0.0/8 via 192.168.167.1 dev br0 
-10.89.0.1 via 10.89.0.29 dev tun0 
-10.89.0.29 dev tun0 proto kernel scope link src 10.89.0.30 
-128.0.0.0/1 via 10.89.0.29 dev tun0 
-172.16.0.0/12 via 192.168.167.1 dev br0 
-192.168.0.0/16 via 192.168.167.1 dev br0 
 192.168.167.0/24 dev br0 proto kernel scope link src 192.168.167.48 192.168.167.0/24 dev br0 proto kernel scope link src 192.168.167.48
-203.159.81.39 via 192.168.167.1 dev br0 
  
  
-pi@raspberrypi4:~ $ expressvpn status +pi@raspberrypi4:~ $ journalctl -u hostapd 
-A new version is availabledownload it from https://www.vlycgtx.com/latest?utm_source=linux_app.+-- Logs begin at Wed 2020-04-29 22:45:20 BSTend at Wed 2020-04-29 22:47:25 BST. -- 
 +Apr 29 22:45:56 raspberrypi4 systemd[1]: Starting Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator..
 +Apr 29 22:45:56 raspberrypi4 hostapd[710]: Configuration file: /etc/hostapd/hostapd.conf 
 +Apr 29 22:45:56 raspberrypi4 hostapd[710]: wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE 
 +Apr 29 22:45:56 raspberrypi4 systemd[1]: Started Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator.
  
-Connected to Netherlands - The Hague 
  
-   - To protect your privacy if your VPN connection unexpectedly drops, you can enable Network Lock by typing 'expressvpn preferences set network_lock on'. +pi@raspberrypi4:~ $ journalctl -u dnsmasq 
-pi@raspberrypi4:~ $+-- Logs begin at Wed 2020-04-29 22:45:20 BST, end at Wed 2020-04-29 22:47:25 BST. -- 
 +Apr 29 22:45:56 raspberrypi4 systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server... 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[711]: dnsmasq: syntax check OK. 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: started, version 2.80 cachesize 150 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: DNS service limited to local subnets 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq-dhcp[751]: DHCP, IP range 192.168.167.40 -- 192.168.167.47, lease time 1h 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: reading /etc/resolv.conf 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: using nameserver 10.89.0.1#53 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: read /etc/hosts - 5 addresses 
 +Apr 29 22:45:56 raspberrypi4 systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. 
 +Apr 29 22:46:16 raspberrypi4 dnsmasq-dhcp[751]: DHCPREQUEST(br0) 192.168.167.44 8c:85:90:53:bd:55 
 +Apr 29 22:46:16 raspberrypi4 dnsmasq-dhcp[751]: DHCPACK(br0) 192.168.167.44 8c:85:90:53:bd:55 Roberts-MBP
 </code> </code>
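Review bot: the captures in this hunk were not taken in the same state, which undermines them as a reference. The new route table has no tun0 entries at all (the 0.0.0.0/1 and 128.0.0.0/1 halves via 10.89.0.29 are gone), yet the dnsmasq log shows it `using nameserver 10.89.0.1#53`, an address the old route table reached only via tun0 and one these routes cannot reach. Either recapture everything with the tunnel up, or mark each block with whether tun0 was present when it was taken. Minor: the dnsmasq log publishes a client MAC and hostname (8c:85:90:53:bd:55, Roberts-MBP); replacing them with placeholders costs nothing.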
vpn-rpi4.txt · Last modified: 2021/04/25 20:13 by robm