vpn-rpi4

Differences

This shows you the differences between two versions of the page.

vpn-rpi4 [2020/04/29 21:55]
robm [Setup]
vpn-rpi4 [2020/04/30 09:16]
robm [Desired outcome]
Line 6: Line 6:
     * ''eth0'' (wired) connected to home network:     * ''eth0'' (wired) connected to home network:
       * CIDR: ''192.168.167.0/24''       * CIDR: ''192.168.167.0/24''
 +      * DHCP range: ''192.168.167.100'' to ''192.168.167.250''
       * Gateway / router: ''192.168.167.1''       * Gateway / router: ''192.168.167.1''
  
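Review bot: the added DHCP-range line names the range but not which host hands it out. The Strategy section below depends on the wired pool (.100 to .250) and the WiFi pool (.40 to .50) not overlapping, so say here that this range is the one served by the router at ''192.168.167.1'' (and not by the Raspberry Pi), so the non-overlap requirement can be checked from this section alone.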
Line 18: Line 19:
   * ... via home network when it is now   * ... via home network when it is now
  
 +===== Strategy =====
 +
 +Create a new WiFi network (''teleport'') which is **bridged** with the wired network, so traffic can flow between them. For this to work, the DHCP ranges of the two networks should be in the _same subnet_ (''192.168.167.0/24''), but not overlap. Wired uses '.100' to '.250', so the new WiFi will use '.40' to '.50'
 +
 +The Raspberry Pi itself gets its internet connection via the wired network - i.e. it uses the same router as other wired hosts (192.168.167.1).
 +
 +DHCP requests from the WiFi network will be answered by the Raspberry Pi (using ''dnsmasq''), and _not_ answered by my wired network. Since the networks are bridged my home network's router will attempt to answer DHCP requests - so we'll need to:
 +
 +  - Prevent DHCP requests from WiFi stations being answered by home network
 +  - Prevent DHCP requests from wired network being answered by Raspberry Pi
 +
 +The Raspberry Pi itself will not ask for IP addresses from the wired network. This keeps things simple, as the only IP on the Raspberry Pi will be on the bridge interface and it will be entirely predictable so we can embed it into the DHCP offers we give out (i.e. write it into ''/etc/dnsmasq.conf'')
 +
 +The Raspberry Pi's DHCP offers will nominate itself as the gateway (i.e. default route) and DNS server. It will have to perform Network Address Translation ("MASQUERADE") for all traffic leaving my house (e.g. via home network or VPN).
 +
 +ExpressVPN also tunnels DNS traffic, and *blocks* attempts to use DNS other than its own. This is a good thing, but I cannot get ExpressVPN and ''openresolv'' to play nicely: updates to ''/etc/resolv.conf'' either don't happen, or don't take affect. So I'll simply uninstall ''openresolv'' and/or disable ''systemd-resolved''.
 ===== Setup ===== ===== Setup =====
  
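Review bot: the section states that the Raspberry Pi takes no address from the wired network and that its bridge address is "entirely predictable", but never says what that address is. Name it, and state that it must lie outside both DHCP pools (.40 to .50 and .100 to .250) so that neither DHCP server can ever offer it to a client; that address is also what the dnsmasq gateway and DNS options in ''/etc/dnsmasq.conf'' will carry, and what the MASQUERADE rule will present to the home router, so a collision there would break every WiFi station at once. Two smaller points on the same hunk: ''_same subnet_'', ''_not_'' and ''*blocks*'' are Markdown-style emphasis and will render literally in DokuWiki, which uses ''//text//'' for italics (bold ''**bridged**'' on the same line is already in DokuWiki syntax), and "don't take affect" should read "don't take effect".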
Line 48: Line 65:
   up   ebtables -t filter -A FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP   up   ebtables -t filter -A FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP
   down ebtables -t filter -D FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP   down ebtables -t filter -D FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP
 +
 +  # Ethernet Bridging: Be deaf to DHCP requests originating on the wired
 +  # connection (home network), we are not their DHCP server. (.. and dnsmasq
 +  # cannot distinguish the source, as it all appears to be coming from br0)
 +  up   ebtables -t filter -A INPUT -d FF:FF:FF:ff:ff:ff -i eth0 -j DROP
 +  down ebtables -t filter -D INPUT -d FF:FF:FF:ff:ff:ff -i eth0 -j DROP
  
   # Internet Protocol Network Address Translation when using this bridge, and   # Internet Protocol Network Address Translation when using this bridge, and
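Review bot: the new INPUT rule ''-d FF:FF:FF:ff:ff:ff -i eth0 -j DROP'' matches every broadcast frame arriving on ''eth0'', not only DHCP. ARP requests from wired hosts (including the home router) are also sent to the broadcast address, so with this rule the Pi never sees them and the router can only learn the Pi's MAC from ARP requests the Pi itself sends; that tends to work by accident and then fails at the first cache expiry while the Pi is idle, which is exactly the return path that masqueraded WiFi traffic depends on. Narrow the match the same way the FORWARD rule two lines above already does, i.e. ''--protocol 0x0800 --ip-protocol UDP --ip-destination-port 67'' together with ''-i eth0'', so only DHCP server-bound traffic from the wired side is dropped and ARP keeps working. The comment should then say "DHCP requests" rather than implying all broadcast traffic, and the ''down'' line must be updated to the identical match so the rule is actually removed on ''ifdown''.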
vpn-rpi4.txt · Last modified: 2021/04/25 20:13 by robm