This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
vpn-rpi4 [2020/04/29 21:42] robm created |
vpn-rpi4 [2021/04/25 20:13] (current) robm Reduce dropped INPUT traffic to just DHCP (was also blocking ARP requests, so my wired side would never find the MAC address of the Raspberry Pi) |
||
---|---|---|---|
Line 6: | Line 6: | ||
* '' | * '' | ||
* CIDR: '' | * CIDR: '' | ||
+ | * DHCP range: '' | ||
* Gateway / router: '' | * Gateway / router: '' | ||
Line 18: | Line 19: | ||
* ... via home network when it is now | * ... via home network when it is now | ||
+ | ===== Strategy ===== | ||
+ | |||
+ | Create a new WiFi network ('' | ||
+ | |||
+ | The Raspberry Pi itself gets its internet connection via the wired network - i.e. it uses the same router as other wired hosts (192.168.167.1). | ||
+ | |||
+ | DHCP requests from the WiFi network will be answered by the Raspberry Pi (using '' | ||
+ | |||
+ | - Prevent DHCP requests from WiFi stations being answered by home network | ||
+ | - Prevent DHCP requests from wired network being answered by Raspberry Pi | ||
+ | |||
+ | The Raspberry Pi itself will not ask for IP addresses from the wired network. This keeps things simple, as the only IP on the Raspberry Pi will be on the bridge interface and it will be entirely predictable so we can embed it into the DHCP offers we give out (i.e. write it into ''/ | ||
+ | |||
+ | The Raspberry Pi's DHCP offers will nominate itself as the gateway (i.e. default route) and DNS server. It will have to perform Network Address Translation (" | ||
+ | |||
+ | ExpressVPN also tunnels DNS traffic, and *blocks* attempts to use DNS other than its own. This is a good thing, but I cannot get ExpressVPN and '' | ||
===== Setup ===== | ===== Setup ===== | ||
Line 46: | Line 63: | ||
# wired connection (we want to be the ones to answer DHCP requests, not our | # wired connection (we want to be the ones to answer DHCP requests, not our | ||
# ISP) | # ISP) | ||
- | up | + | |
- | down ebtables -t filter -D FORWARD --protocol | + | # UDP port 68: BOOTP client |
+ | | ||
+ | down ebtables -t filter -D FORWARD --protocol | ||
+ | |||
+ | # Ethernet Bridging: Be deaf to DHCP requests originating on the wired | ||
+ | # connection (home network), we are not their DHCP server. (.. and dnsmasq | ||
+ | # cannot distinguish the source, as it all appears to be coming from br0) | ||
+ | # UDP port 67: BOOTP server | ||
+ | # UDP port 68: BOOTP client | ||
+ | up | ||
+ | down ebtables -t filter -D INPUT --protocol IPv4 --ip-protocol UDP --ip-destination-port 67:68 -i eth0 -j DROP | ||
# Internet Protocol Network Address Translation when using this bridge, and | # Internet Protocol Network Address Translation when using this bridge, and | ||
Line 62: | Line 89: | ||
sudo apt remove openresolv | sudo apt remove openresolv | ||
sudo apt install dnsmasq hostapd | sudo apt install dnsmasq hostapd | ||
+ | </ | ||
+ | |||
+ | Remove ''/ | ||
+ | < | ||
+ | nameserver 1.0.0.1 | ||
+ | nameserver 8.8.4.4 | ||
+ | nameserver 1.1.1.1 | ||
+ | nameserver 8.8.8.8 | ||
</ | </ | ||
Modify ''/ | Modify ''/ | ||
< | < | ||
- | dhcp-range=172.16.0.10,172.16.0.20,1h | + | dhcp-range=192.168.167.40,192.168.167.47,1h |
- | except-interface=eth0 | + | |
dhcp-authoritative | dhcp-authoritative | ||
+ | clear-on-reload | ||
+ | bridge-interface=br0, | ||
</ | </ | ||
Line 145: | Line 181: | ||
===== Debugging ===== | ===== Debugging ===== | ||
- | < | + | < |
+ | lo | ||
+ | eth0 | ||
+ | wlan0 UP | ||
+ | br0 UP | ||
+ | |||
+ | |||
+ | pi@raspberrypi4: | ||
+ | lo | ||
+ | eth0 UP | ||
+ | wlan0 UP | ||
+ | br0 UP | ||
+ | |||
pi@raspberrypi4: | pi@raspberrypi4: | ||
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) | Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) | ||
Line 155: | Line 204: | ||
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) | Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) | ||
pkts bytes target | pkts bytes target | ||
- | | + | |
- | | + | |
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) | Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) | ||
Line 174: | Line 223: | ||
pi@raspberrypi4: | pi@raspberrypi4: | ||
- | 0.0.0.0/1 via 10.89.0.29 dev tun0 | ||
default via 192.168.167.1 dev br0 onlink | default via 192.168.167.1 dev br0 onlink | ||
- | 10.0.0.0/8 via 192.168.167.1 dev br0 | ||
- | 10.89.0.1 via 10.89.0.29 dev tun0 | ||
- | 10.89.0.29 dev tun0 proto kernel scope link src 10.89.0.30 | ||
- | 128.0.0.0/1 via 10.89.0.29 dev tun0 | ||
- | 172.16.0.0/ | ||
- | 192.168.0.0/ | ||
192.168.167.0/ | 192.168.167.0/ | ||
- | 203.159.81.39 via 192.168.167.1 dev br0 | ||
- | pi@raspberrypi4: | + | pi@raspberrypi4: |
- | A new version is available, download it from https://www.vlycgtx.com/latest? | + | -- Logs begin at Wed 2020-04-29 22:45:20 BST, end at Wed 2020-04-29 22:47:25 BST. -- |
+ | Apr 29 22:45:56 raspberrypi4 systemd[1]: Starting Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator... | ||
+ | Apr 29 22:45:56 raspberrypi4 hostapd[710]: | ||
+ | Apr 29 22:45:56 raspberrypi4 hostapd[710]: | ||
+ | Apr 29 22:45:56 raspberrypi4 systemd[1]: Started Advanced IEEE 802.11 AP and IEEE 802.1X/ | ||
- | Connected to Netherlands - The Hague | ||
- | - To protect your privacy if your VPN connection unexpectedly drops, you can enable Network Lock by typing ' | + | pi@raspberrypi4: |
- | pi@raspberrypi4: | + | -- Logs begin at Wed 2020-04-29 22:45:20 BST, end at Wed 2020-04-29 22:47:25 BST. -- |
+ | Apr 29 22:45:56 raspberrypi4 systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server... | ||
+ | Apr 29 22:45:56 raspberrypi4 dnsmasq[711]: | ||
+ | Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: | ||
+ | Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: | ||
+ | Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: | ||
+ | Apr 29 22:45:56 raspberrypi4 dnsmasq-dhcp[751]: | ||
+ | Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: | ||
+ | Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: | ||
+ | Apr 29 22:45:56 raspberrypi4 dnsmasq[751]: | ||
+ | Apr 29 22:45:56 raspberrypi4 systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server. | ||
+ | Apr 29 22:46:16 raspberrypi4 dnsmasq-dhcp[751]: | ||
+ | Apr 29 22:46:16 raspberrypi4 dnsmasq-dhcp[751]: | ||
</ | </ |