vpn-rpi4

vpn-rpi4 [2020/04/29 21:42]
robm created
vpn-rpi4 [2021/04/25 20:13] (current)
robm Reduce dropped INPUT traffic to just DHCP (was also blocking ARP requests, so my wired side would never find the MAC address of the Raspberry Pi)
Line 6: Line 6:
     * ''eth0'' (wired) connected to home network:     * ''eth0'' (wired) connected to home network:
       * CIDR: ''192.168.167.0/24''       * CIDR: ''192.168.167.0/24''
 +      * DHCP range: ''192.168.167.100'' to ''192.168.167.250''
       * Gateway / router: ''192.168.167.1''       * Gateway / router: ''192.168.167.1''
  
Line 18: Line 19:
   * ... via home network when it is now   * ... via home network when it is now
  
 +===== Strategy =====
 +
 +Create a new WiFi network (''teleport'') which is **bridged** with the wired network, so traffic can flow between them. For this to work, the DHCP ranges of the two networks should be in the _same subnet_ (''192.168.167.0/24''), but not overlap. Wired uses '.100' to '.250', so the new WiFi will use '.40' to '.50'
 +
 +The Raspberry Pi itself gets its internet connection via the wired network - i.e. it uses the same router as other wired hosts (192.168.167.1).
 +
 +DHCP requests from the WiFi network will be answered by the Raspberry Pi (using ''dnsmasq''), and _not_ answered by my wired network. Since the networks are bridged my home network's router will attempt to answer DHCP requests - so we'll need to:
 +
 +  - Prevent DHCP requests from WiFi stations being answered by home network
 +  - Prevent DHCP requests from wired network being answered by Raspberry Pi
 +
 +The Raspberry Pi itself will not ask for IP addresses from the wired network. This keeps things simple, as the only IP on the Raspberry Pi will be on the bridge interface and it will be entirely predictable so we can embed it into the DHCP offers we give out (i.e. write it into ''/etc/dnsmasq.conf'')
 +
 +The Raspberry Pi's DHCP offers will nominate itself as the gateway (i.e. default route) and DNS server. It will have to perform Network Address Translation ("MASQUERADE") for all traffic leaving my house (e.g. via home network or VPN).
 +
 +ExpressVPN also tunnels DNS traffic, and *blocks* attempts to use DNS other than its own. This is a good thing, but I cannot get ExpressVPN and ''openresolv'' to play nicely: updates to ''/etc/resolv.conf'' either don't happen, or don't take affect. So I'll simply uninstall ''openresolv'' and/or disable ''systemd-resolved''.
 ===== Setup ===== ===== Setup =====
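Review bot: the WiFi pool stated in the Strategy paragraph ('.40' to '.50') does not match the configuration later in this same diff, where `dhcp-range=192.168.167.40,192.168.167.47,1h` hands out .40 to .47 and the bridge itself sits at 192.168.167.48/24; state the real pool (.40 to .47) and say that .48 is reserved for the Pi, since the text relies on that address being predictable enough to embed in the DHCP offers. Two smaller points: `_same subnet_`, `_not_` and `*blocks*` are not DokuWiki emphasis (the rest of the page uses `''text''` and `**text**`), and 'take affect' should be 'take effect'. On DNS, the design only keeps client queries inside the tunnel while ExpressVPN is connected; the plain `/etc/resolv.conf` added further down lists public resolvers, so when the tunnel is down the Pi forwards WiFi clients' queries to those in the clear over the home network. Worth saying so here, because the paragraph otherwise reads as if VPN DNS is guaranteed.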
  
Line 46: Line 63:
   # wired connection (we want to be the ones to answer DHCP requests, not our   # wired connection (we want to be the ones to answer DHCP requests, not our
   # ISP)   # ISP)
-  up   ebtables -t filter -A FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP +  # UDP port 67: BOOTP server 
-  down ebtables -t filter -D FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP+  # UDP port 68: BOOTP client 
 +  up   ebtables -t filter -A FORWARD --protocol IPv4 --ip-protocol UDP --ip-destination-port 67:68 -j DROP 
 +  down ebtables -t filter -D FORWARD --protocol IPv4 --ip-protocol UDP --ip-destination-port 67:68 -j DROP 
 + 
 +  # Ethernet Bridging: Be deaf to DHCP requests originating on the wired 
 +  # connection (home network), we are not their DHCP server. (.. and dnsmasq 
 +  # cannot distinguish the source, as it all appears to be coming from br0) 
 +  # UDP port 67: BOOTP server 
 +  # UDP port 68: BOOTP client 
 +  up   ebtables -t filter -A INPUT --protocol IPv4 --ip-protocol UDP --ip-destination-port 67:68 -i eth0 -j DROP 
 +  down ebtables -t filter -D INPUT --protocol IPv4 --ip-protocol UDP --ip-destination-port 67:68 -i eth0 -j DROP
  
   # Internet Protocol Network Address Translation when using this bridge, and   # Internet Protocol Network Address Translation when using this bridge, and
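Review bot: the comment above the FORWARD rule still says 'not our ISP', while the Strategy section identifies the competing DHCP server as the home router at 192.168.167.1; fix the comment to match. The rules themselves do what the edit summary says: matching `--protocol IPv4 --ip-protocol UDP` means ARP is no longer caught, the FORWARD drop on 67:68 stops DHCP crossing the bridge in either direction, and the INPUT drop with `-i eth0` keeps wired DHCP traffic away from dnsmasq. Two caveats a reader should see next to these lines: (1) the rules are IPv4-only, so if the home router ever offers DHCPv6 or router advertisements, WiFi stations would obtain IPv6 across the bridge and bypass the NAT and VPN path entirely; (2) this filtering is the only thing separating two DHCP servers on one L2 segment, so if the `up` command fails and the rules are absent, dnsmasq running with `dhcp-authoritative` will answer, and NAK, wired clients too. Suggest adding a check to the Debugging section, e.g. `sudo ebtables -t filter -L --Lc`, so that the rules being loaded (and counting) can be verified.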
Line 62: Line 89:
 sudo apt remove openresolv sudo apt remove openresolv
 sudo apt install dnsmasq hostapd sudo apt install dnsmasq hostapd
 +</code>
 +
 +Remove ''/etc/resolv.conf'' if it is a symbolic link, and recreate as a regular file:
 +<code>
 +nameserver 1.0.0.1
 +nameserver 8.8.4.4
 +nameserver 1.1.1.1
 +nameserver 8.8.8.8
 </code> </code>
  
 Modify ''/etc/dnsmasq.conf'': Modify ''/etc/dnsmasq.conf'':
 <code> <code>
-dhcp-range=172.16.0.10,172.16.0.20,1h +dhcp-range=192.168.167.40,192.168.167.47,1h
-except-interface=eth0+
 dhcp-authoritative dhcp-authoritative
 +clear-on-reload
 +bridge-interface=br0,wlan0
 </code> </code>
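Review bot: `bridge-interface=br0,wlan0` looks like a no-op on Linux. That option tells dnsmasq to treat DHCP requests arriving on an alias interface (wlan0) as if they had arrived on the main one (br0); it exists for platforms where bridge members still see the packets, but here, as the ebtables comment in this same diff says, everything already arrives on br0. Either drop the line or add a comment explaining why it is needed. The static `/etc/resolv.conf` also deserves a sentence: the dnsmasq journal further down shows `using nameserver 10.89.0.1#53`, so the VPN client evidently does rewrite the file when the tunnel is up, and the four public resolvers listed here are only the fallback used when it is down, in which state WiFi clients' DNS leaves the house unencrypted. Removing `except-interface=eth0` is fine now that eth0 carries no address and is a bridge member.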
  
Line 145: Line 181:
 ===== Debugging ===== ===== Debugging =====
  
-<code>+<code>pi@raspberrypi4:~ $ ip -br link 
 +lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 
 +eth0             UP             dc:a6:32:20:f7:7d <BROADCAST,MULTICAST,UP,LOWER_UP> 
 +wlan0            UP             dc:a6:32:20:f7:7e <BROADCAST,MULTICAST,UP,LOWER_UP> 
 +br0              UP             dc:a6:32:20:f7:7d <BROADCAST,MULTICAST,UP,LOWER_UP> 
 + 
 + 
 +pi@raspberrypi4:~ $ ip -br addr 
 +lo               UNKNOWN        127.0.0.1/8 ::1/128 
 +eth0             UP 
 +wlan0            UP 
 +br0              UP             192.168.167.48/24 fe80::dea6:32ff:fe20:f77d/64 
 + 
 pi@raspberrypi4:~ $ sudo iptables -t nat -nvL pi@raspberrypi4:~ $ sudo iptables -t nat -nvL
 Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
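Review bot: the first command, `pi@raspberrypi4:~ $ ip -br link`, sits on the same line as the opening `<code>` tag while every other block on the page opens the tag on its own line; move it to the next line for consistency. The output itself is as expected for the Strategy section: br0 inherits eth0's MAC (dc:a6:32:20:f7:7d), and only br0 carries an address.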
Line 155: Line 204:
 Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination  pkts bytes target     prot opt in     out     source               destination
-  426 35264 MASQUERADE  all  --  *      br0     0.0.0.0/           0.0.0.0/0 +  386 25981 MASQUERADE  all  --  *      br0     0.0.0.0/           0.0.0.0/0 
-  804  103K MASQUERADE  all  --  *      tun0    0.0.0.0/           0.0.0.0/0+        MASQUERADE  all  --  *      tun0    0.0.0.0/           0.0.0.0/0
  
 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
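Review bot: the tun0 MASQUERADE row has empty pkts/bytes columns, which `iptables -nvL` never prints, so this output looks hand-edited. Paste it verbatim; zero counters would be informative here, since they would show that no traffic had left via the VPN at capture time, which matches the `ip route` output further down having no tun0 routes.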
Line 174: Line 223:
  
 pi@raspberrypi4:~ $ ip route pi@raspberrypi4:~ $ ip route
-0.0.0.0/1 via 10.89.0.29 dev tun0 
 default via 192.168.167.1 dev br0 onlink default via 192.168.167.1 dev br0 onlink
-10.0.0.0/8 via 192.168.167.1 dev br0 
-10.89.0.1 via 10.89.0.29 dev tun0 
-10.89.0.29 dev tun0 proto kernel scope link src 10.89.0.30 
-128.0.0.0/1 via 10.89.0.29 dev tun0 
-172.16.0.0/12 via 192.168.167.1 dev br0 
-192.168.0.0/16 via 192.168.167.1 dev br0 
 192.168.167.0/24 dev br0 proto kernel scope link src 192.168.167.48 192.168.167.0/24 dev br0 proto kernel scope link src 192.168.167.48
-203.159.81.39 via 192.168.167.1 dev br0 
  
  
-pi@raspberrypi4:~ $ expressvpn status +pi@raspberrypi4:~ $ journalctl -u hostapd 
-A new version is availabledownload it from https://www.vlycgtx.com/latest?utm_source=linux_app.+-- Logs begin at Wed 2020-04-29 22:45:20 BSTend at Wed 2020-04-29 22:47:25 BST. -- 
 +Apr 29 22:45:56 raspberrypi4 systemd[1]: Starting Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator..
 +Apr 29 22:45:56 raspberrypi4 hostapd[710]: Configuration file: /etc/hostapd/hostapd.conf 
 +Apr 29 22:45:56 raspberrypi4 hostapd[710]: wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE 
 +Apr 29 22:45:56 raspberrypi4 systemd[1]: Started Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator.
  
-Connected to Netherlands - The Hague 
  
-   - To protect your privacy if your VPN connection unexpectedly drops, you can enable Network Lock by typing 'expressvpn preferences set network_lock on'. +pi@raspberrypi4:~ $ journalctl -u dnsmasq 
-pi@raspberrypi4:~ $+-- Logs begin at Wed 2020-04-29 22:45:20 BST, end at Wed 2020-04-29 22:47:25 BST. -- 
 +Apr 29 22:45:56 raspberrypi4 systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server... 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[711]: dnsmasq: syntax check OK. 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: started, version 2.80 cachesize 150 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: DNS service limited to local subnets 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq-dhcp[751]: DHCP, IP range 192.168.167.40 -- 192.168.167.47, lease time 1h 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: reading /etc/resolv.conf 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: using nameserver 10.89.0.1#53 
 +Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: read /etc/hosts - 5 addresses 
 +Apr 29 22:45:56 raspberrypi4 systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. 
 +Apr 29 22:46:16 raspberrypi4 dnsmasq-dhcp[751]: DHCPREQUEST(br0) 192.168.167.44 8c:85:90:53:bd:55 
 +Apr 29 22:46:16 raspberrypi4 dnsmasq-dhcp[751]: DHCPACK(br0) 192.168.167.44 8c:85:90:53:bd:55 Roberts-MBP
 </code> </code>
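Review bot: this revision removes the `expressvpn status` output and with it the page's only mention of Network Lock (`expressvpn preferences set network_lock on`), without replacing it elsewhere. Because `default via 192.168.167.1 dev br0 onlink` remains and POSTROUTING masquerades out br0, the moment tun0 drops the Pi keeps forwarding every WiFi client's traffic straight to the home router in the clear; the new `ip route` output is exactly that state (no tun0 routes at all). Either document that as an accepted failure mode or add the kill switch (Network Lock, or a FORWARD rule that only lets bridged client traffic leave via tun0). The snapshot is also internally inconsistent: dnsmasq reports `using nameserver 10.89.0.1#53`, the VPN-side resolver, while the routing table has no path to it other than the default route over br0, so client DNS would have failed when this was captured. Take the debugging output with the tunnel consistently up or consistently down, and say which.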
vpn-rpi4.1588196522.txt.gz · Last modified: 2020/04/29 21:42 by robm