ExpressVPN Access Point using a Raspberry Pi 4

  • Hardware: Raspberry Pi 4, model B
  • OS: Raspbian GNU/Linux 10 (buster)
  • Network:
    • eth0 (wired) connected to home network:
      • CIDR: 192.168.167.0/24
      • Gateway / router: 192.168.167.1

Desired outcome

  • Raspberry Pi 4 acting as a WiFi access point
  • Provides its own DHCP service, so it can nominate:
    • itself as gateway
    • itself as DNS server
  • Provides internet access to WiFi client stations:
    • via ExpressVPN when that is connected
    • via the home network when it is not

Setup

Create the following files in /etc/network/interfaces.d/ as root (one file per interface, named as shown):

eth0:

auto eth0
iface eth0 inet manual

wlan0:

auto wlan0
iface wlan0 inet manual
  # Keep wpa_supplicant off this interface: it conflicts with running in
  # Access Point mode. interfaces(5) does not allow end-of-line comments,
  # so this note has to sit on its own line rather than after the option.
  nohook wpa_supplicant

br0:

auto br0
iface br0 inet static
  address 192.168.167.48
  gateway 192.168.167.1
  bridge_ports eth0 wlan0

  # Ethernet Bridging: Block DHCP from our WiFi stations going out over our
  # wired connection (we want to be the ones to answer DHCP requests, not our
  # ISP)
  up   ebtables -t filter -A FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP
  down ebtables -t filter -D FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP

  # NAT everything leaving through this bridge, and everything leaving through
  # the ExpressVPN tun0 (which comes and goes with VPN connections), so the
  # WiFi stations' addresses are never seen beyond this box
  up   iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
  up   iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
  down iptables -t nat -D POSTROUTING -o br0 -j MASQUERADE
  down iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE

Then run:

sudo apt remove openresolv
sudo apt install dnsmasq hostapd

Add the following to /etc/dnsmasq.conf:

dhcp-range=172.16.0.10,172.16.0.20,1h
except-interface=eth0
dhcp-authoritative

Restart the dnsmasq service to pick up the changes:

sudo systemctl restart dnsmasq
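dnsmasq only answers a DHCP request arriving on an interface whose own address lies inside one of its dhcp-range values; otherwise it logs "no address range available for DHCP request via <iface>" (visible with journalctl -u dnsmasq). The following script is an added example, not part of this page, that parses the dnsmasq.conf lines above and the interface addresses this page assigns (br0 at 192.168.167.48/24, nothing on the bridge ports) and reports which listening interface owns each range. Fed this page's values as written it finds no owner for 172.16.0.10-172.16.0.20; the second case in its usage note assumes a further br0 address inside that range, which is my assumption about how the gap would be closed, not something the page states. All names and the SAMPLE_IFACE_ADDRS table are constructed.

```python
# Added example (not from the page): check that every dhcp-range in a
# dnsmasq.conf lies inside a subnet held by an interface dnsmasq listens on.
import ipaddress
from typing import Optional

# The dnsmasq.conf lines from the page, embedded so the script runs offline.
SAMPLE_DNSMASQ_CONF = """\
dhcp-range=172.16.0.10,172.16.0.20,1h
except-interface=eth0
dhcp-authoritative
"""

# Interface addresses as the page's interfaces.d files set them (constructed;
# on a live box take them from `ip -4 -o addr`).
SAMPLE_IFACE_ADDRS = {
    "eth0": [],                    # bridge port, no address of its own
    "wlan0": [],                   # bridge port, no address of its own
    "br0": ["192.168.167.48/24"],  # the bridge's only address
}


def parse_dnsmasq(text: str):
    """Return (ranges, excluded): ranges is a list of (start, end), excluded a set."""
    ranges, excluded = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # bare options such as dhcp-authoritative
        if key == "dhcp-range":
            # Drop leading tag:/set: selectors; the first two plain fields are
            # the start and end of the range (a mode word like "static" has no end).
            fields = [f.strip() for f in value.split(",")
                      if not f.strip().startswith(("tag:", "set:"))]
            start = ipaddress.ip_address(fields[0])
            try:
                end = ipaddress.ip_address(fields[1])
            except (IndexError, ValueError):
                end = start
            ranges.append((start, end))
        elif key == "except-interface":
            excluded.add(value.strip())
    return ranges, excluded


def range_owner(start, end, iface_addrs, excluded) -> Optional[str]:
    """Name the listening interface whose subnet contains the whole range, if any."""
    for iface, cidrs in iface_addrs.items():
        if iface in excluded:
            continue
        for cidr in cidrs:
            net = ipaddress.ip_interface(cidr).network
            if start in net and end in net:
                return iface
    return None


def check_dhcp_ranges(conf_text: str, iface_addrs) -> list:
    """Return [("start-end", owning interface or None), ...] for every range."""
    ranges, excluded = parse_dnsmasq(conf_text)
    return [(f"{s}-{e}", range_owner(s, e, iface_addrs, excluded)) for s, e in ranges]


if __name__ == "__main__":
    for rng, owner in check_dhcp_ranges(SAMPLE_DNSMASQ_CONF, SAMPLE_IFACE_ADDRS):
        state = f"served on {owner}" if owner else "no listening interface holds this subnet"
        print(f"{rng}: {state}")
```

Run it as-is to check the page's values; to try the assumed fix, give br0 a second entry such as "172.16.0.1/24" in SAMPLE_IFACE_ADDRS and the range is reported as served on br0.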

Modify /etc/default/hostapd and change the value of DAEMON_CONF:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Create /etc/hostapd/hostapd.conf:

ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
auth_algs=1
beacon_int=100

ssid=teleport
wpa_passphrase=CHANGEME

country_code=US

interface=wlan0
bridge=br0
driver=nl80211

wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

macaddr_acl=0

logger_syslog=0
logger_syslog_level=4
logger_stdout=-1
logger_stdout_level=0

hw_mode=a
wmm_enabled=1

# N
ieee80211n=1
require_ht=1
ht_capab=[MAX-AMSDU-3839][HT40+][SHORT-GI-20][SHORT-GI-40][DSSS_CCK-40]

# AC
ieee80211ac=1
require_vht=1
ieee80211d=0
ieee80211h=0
vht_capab=[MAX-AMSDU-3839][SHORT-GI-80]
vht_oper_chwidth=1
channel=36
vht_oper_centr_freq_seg0_idx=42

ignore_broadcast_ssid=0

Restart the hostapd service to pick up the changes:

sudo systemctl restart hostapd
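With wpa=2 only rsn_pairwise matters (wpa_pairwise applies to WPA1 and is ignored), so the config above offers WPA2/CCMP only, which is the right choice; what still needs attention before the AP goes live is the CHANGEME passphrase and, where the driver supports it, management frame protection. The script below is an added example, not from the page, that parses a hostapd.conf into a dict and returns the findings a reviewer would raise. The sample is the security-relevant subset of this page's hostapd.conf; the function names and the PLACEHOLDER_PASSPHRASES list are my own.

```python
# Added example (not from the page): lint a hostapd.conf for settings that
# weaken the WiFi link, using the page's own config as the sample input.

# The security-relevant lines of the page's hostapd.conf (constructed sample).
SAMPLE_HOSTAPD_CONF = """\
ssid=teleport
wpa_passphrase=CHANGEME
interface=wlan0
bridge=br0
driver=nl80211
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
macaddr_acl=0
ignore_broadcast_ssid=0
"""

# Passphrases that are obviously stand-ins rather than secrets (constructed list).
PLACEHOLDER_PASSPHRASES = {"changeme", "password", "passphrase", "raspberry"}


def parse_hostapd(text: str) -> dict:
    """hostapd.conf is key=value per line; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []

    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa=0: open network, no encryption at all")
    elif wpa != "2":
        # wpa=1 is WPA1 only; wpa=3 lets clients negotiate WPA1/TKIP.
        findings.append(f"wpa={wpa}: allows WPA1; use wpa=2 so only RSN/WPA2 is offered")
        if "TKIP" in conf.get("wpa_pairwise", "").split():
            findings.append("wpa_pairwise includes TKIP, a broken cipher")

    # With wpa=2 only rsn_pairwise is consulted, so check that one regardless.
    rsn = conf.get("rsn_pairwise", "").split()
    if wpa != "0" and ("TKIP" in rsn or "CCMP" not in rsn):
        findings.append(f"rsn_pairwise={' '.join(rsn) or '(unset)'}: should be CCMP only")

    if wpa != "0":
        pw = conf.get("wpa_passphrase")
        if pw is None:
            findings.append("wpa_passphrase missing (or supply wpa_psk)")
        else:
            if not 8 <= len(pw) <= 63:
                findings.append("wpa_passphrase must be 8-63 characters; hostapd refuses others")
            if pw.lower() in PLACEHOLDER_PASSPHRASES:
                findings.append(f"wpa_passphrase is a placeholder ({pw}); set a real one before going live")

    # ieee80211w: 0 = off (the default), 1 = optional, 2 = required; needs driver support.
    if conf.get("ieee80211w", "0") == "0":
        findings.append("ieee80211w=0: management frame protection is off (1 = optional, 2 = required)")
    return findings


if __name__ == "__main__":
    for finding in audit_hostapd(parse_hostapd(SAMPLE_HOSTAPD_CONF)):
        print("-", finding)
```

Point it at a real file with parse_hostapd(open("/etc/hostapd/hostapd.conf").read()); on this page's config it reports only the placeholder passphrase and the absent ieee80211w line.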

Now disable the DHCP client daemon and systemd-resolved (we don't want our bridge's slave interfaces getting ideas above their station), then apply the network changes:

sudo systemctl disable --now dhcpcd systemd-resolved
sudo ifdown --verbose --all
sudo ifup   --verbose --all

Debugging

pi@raspberrypi4:~ $ sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  426 35264 MASQUERADE  all  --  *      br0     0.0.0.0/0            0.0.0.0/0
  804  103K MASQUERADE  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


pi@raspberrypi4:~ $ sudo ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-p 0x800 --ip-proto udp --ip-dport 67 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT


pi@raspberrypi4:~ $ ip route
0.0.0.0/1 via 10.89.0.29 dev tun0
default via 192.168.167.1 dev br0 onlink
10.0.0.0/8 via 192.168.167.1 dev br0
10.89.0.1 via 10.89.0.29 dev tun0
10.89.0.29 dev tun0 proto kernel scope link src 10.89.0.30
128.0.0.0/1 via 10.89.0.29 dev tun0
172.16.0.0/12 via 192.168.167.1 dev br0
192.168.0.0/16 via 192.168.167.1 dev br0
192.168.167.0/24 dev br0 proto kernel scope link src 192.168.167.48
203.159.81.39 via 192.168.167.1 dev br0


pi@raspberrypi4:~ $ expressvpn status
A new version is available, download it from https://www.vlycgtx.com/latest?utm_source=linux_app.

Connected to Netherlands - The Hague

   - To protect your privacy if your VPN connection unexpectedly drops, you can enable Network Lock by typing 'expressvpn preferences set network_lock on'.
pi@raspberrypi4:~ $
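The ip route output above shows how the VPN takes over the default path: ExpressVPN installs 0.0.0.0/1 and 128.0.0.0/1 via tun0 (the same trick as OpenVPN's redirect-gateway def1), and because each /1 is more specific than the /0 default on br0 they win while the tunnel is up and simply vanish when it drops, at which point the WiFi stations fall back to the home network exactly as the "Desired outcome" section intends, and exactly what the Network Lock hint at the end of expressvpn status would prevent. The script below is an added example, not part of this page, that reads the ip route and iptables -t nat -nvL output (the page's own debugging output is embedded as the constructed sample) and reports whether station traffic is currently going via the VPN, via the LAN, or via the tunnel but without the MASQUERADE rule it needs. Function names and the status strings are my own.

```python
# Added example (not from the page): classify the VPN path from the output of
# `ip route` and `iptables -t nat -nvL`, as shown in the Debugging section.

# The page's `ip route` output, embedded as a constructed sample.
SAMPLE_IP_ROUTE = """\
0.0.0.0/1 via 10.89.0.29 dev tun0
default via 192.168.167.1 dev br0 onlink
10.0.0.0/8 via 192.168.167.1 dev br0
10.89.0.1 via 10.89.0.29 dev tun0
10.89.0.29 dev tun0 proto kernel scope link src 10.89.0.30
128.0.0.0/1 via 10.89.0.29 dev tun0
172.16.0.0/12 via 192.168.167.1 dev br0
192.168.0.0/16 via 192.168.167.1 dev br0
192.168.167.0/24 dev br0 proto kernel scope link src 192.168.167.48
203.159.81.39 via 192.168.167.1 dev br0
"""

# The page's `iptables -t nat -nvL` output, embedded as a constructed sample.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  426 35264 MASQUERADE  all  --  *      br0     0.0.0.0/0            0.0.0.0/0
  804  103K MASQUERADE  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""


def parse_routes(text: str) -> list:
    """Return (destination, device) for every route line that names a dev."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if "dev" in parts:
            routes.append((parts[0], parts[parts.index("dev") + 1]))
    return routes


def effective_default_dev(route_text: str):
    """Device that carries traffic to an arbitrary Internet address.

    The two /1 halves beat the /0 default by longest-prefix match, so when both
    point at the same device that device wins; otherwise the plain default does.
    """
    routes = dict(parse_routes(route_text))
    halves = {routes.get("0.0.0.0/1"), routes.get("128.0.0.0/1")}
    if len(halves) == 1 and None not in halves:
        return halves.pop()
    return routes.get("default")


def masquerade_out_ifaces(nat_text: str) -> set:
    """Out-interfaces that have a MASQUERADE rule in the nat POSTROUTING chain."""
    chain, ifaces = None, set()
    for line in nat_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Chain":
            chain = parts[1]
        elif chain == "POSTROUTING" and len(parts) >= 7 and parts[2] == "MASQUERADE":
            ifaces.add(parts[6])  # columns: pkts bytes target prot opt in out src dst
    return ifaces


def vpn_path_status(route_text: str, nat_text: str, tun: str = "tun0") -> str:
    """'via-vpn', 'no-nat' (tunnel routed but stations not masqueraded) or 'fallback-lan'."""
    dev = effective_default_dev(route_text)
    if dev != tun:
        return "fallback-lan"  # default goes out br0: stations use the home network
    return "via-vpn" if tun in masquerade_out_ifaces(nat_text) else "no-nat"


if __name__ == "__main__":
    print("default device:", effective_default_dev(SAMPLE_IP_ROUTE))
    print("masqueraded out:", sorted(masquerade_out_ifaces(SAMPLE_NAT)))
    print("status:", vpn_path_status(SAMPLE_IP_ROUTE, SAMPLE_NAT))
```

On the box itself, feed it live output with subprocess.check_output(["ip", "route"], text=True) and the same for sudo iptables -t nat -nvL; a cron job that alerts on anything other than "via-vpn" is a cheap substitute for Network Lock if you would rather keep the LAN fallback.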
vpn-rpi4.1588196522.txt.gz · Last modified: 2020/04/29 21:42 by robm