Setting up a Raspberry PI as an OpenVPN Router without additional NICs

During one of my latest shopping sprees I decided to buy myself a new Raspberry PI. These credit-card sized computers have always intrigued me for their endless potential. Many use them as set-top boxes, others for pentesting (my favorite use of the Pi so far), others simply use them as cheap computers.

(Photo: The Raspberry PI Model B+)

One thing I had wanted to use a rPI for for some time was protecting my network against attackers. I'm a fan of OpenVPN and all my devices have a client installed, but I wanted something better.

Commercial routers sometimes do have OpenVPN support, but their CPUs are too slow for the strong crypto it requires. This was the case for my old WRT54GL, which would max out at barely 300kbps with OpenVPN on. I figured that a rPI would handle that traffic far more efficiently.

Also: I do not have a USB NIC or WiFi card available, so I decided to use the single ethernet NIC integrated in my Model B+.

So, let's begin with the OS image. I decided to go with Raspbian, in particular with this image because it is lightweight. After you get that on a MicroSD card, boot it up and hook up a mouse, a keyboard and an HDMI cable to your rPI.
The root password is "raspberry" by default. Change it right away: SSH is enabled, and a default password falls to the simplest dictionary attack.

Once you get to a shell, install what the setup needs. A DHCP server is not strictly required, but to send your traffic through the VPN every device must use the Raspberry PI's IP as its gateway, so either DHCP hands that out or you set it on each device by hand.

apt-get update
apt-get install isc-dhcp-server openvpn

After you're done installing, put your VPN files in /etc/openvpn/ and rename your .ovpn configuration file to config.ovpn. Then remove /etc/init.d/openvpn, since the stock init script does not seem to work at boot; OpenVPN will be started from rc.local instead.

Routing is going to be pretty simple. My setup works like this: I have a WiFi router with a 4-port switch and a WAN port. I connected the WAN port to my internet modem and my iMac and Raspberry PI to two of the switch ports. The router connects to WAN and creates a LAN on the 192.168.0.0/24 subnet. The router's IP is 192.168.0.1 and I disabled its DHCP to let the Raspberry handle it. The Raspberry is configured so that eth0 has 192.168.1.1 as a static IP and eth0:0 (an alias of eth0) has 192.168.0.2 as a static IP.
The VPN connects to 1.1.1.1 (a placeholder for the real server address). Since the Raspberry needs a time source, I decided to let NTP traffic flow unencrypted on the network. Pinging pool.ntp.org gave me 129.250.35.251 as an address, and I decided to use that as my NTP server IP.

cat > /etc/ntp.conf << EOF
server 129.250.35.251
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF

This requires us to route 1.1.1.1/32 and 129.250.35.251/32 to the 192.168.0.1 gateway (which is my WiFi router), and 0.0.0.0/0 (aka "default") to the VPN's gateway. To achieve this, just use post-up in /etc/network/interfaces.

cat > /etc/network/interfaces << EOF
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
     address 192.168.1.1
     netmask 255.255.255.0

# alias on the WiFi router's LAN; the host routes below are the only
# traffic allowed to bypass the VPN: the VPN server and the NTP server
auto eth0:0
iface eth0:0 inet static
     address 192.168.0.2
     netmask 255.255.255.0
     post-up route del -host 1.1.1.1 || :
     post-up route del -host 129.250.35.251 || :
     post-up route add -host 192.168.0.1 eth0 || :
     post-up route add -host 1.1.1.1 gateway 192.168.0.1 eth0 || :
     post-up route add -host 129.250.35.251 gateway 192.168.0.1 eth0 || :
EOF

To run OpenVPN at boot, but only after NTP sets the correct date, simply do:

cat > /etc/rc.local << 'EOF'
#!/bin/sh -e
# Wait until NTP has stepped the clock past a sane epoch (1400000000 is
# May 2014) before starting OpenVPN, which needs a correct time to check
# the server certificate's validity. Backgrounded so boot is not blocked.
(
while [ "$(date +%s)" -lt 1400000000 ]; do sleep 1; done
openvpn /etc/openvpn/config.ovpn >> /etc/openvpn/ovpn.log
) &
exit 0
EOF

To correctly configure routing after OpenVPN starts, you’ll have to add two lines to your config.ovpn file, by doing something along the lines of:

cat >> /etc/openvpn/config.ovpn << EOF
script-security 2
up /etc/openvpn/up.sh
EOF

And then create the /etc/openvpn/up.sh script with these contents, without forgetting to chmod +x it:

#!/bin/bash
# OpenVPN runs this as: up.sh tun_dev tun_mtu link_mtu local_ip remote_ip [init|restart],
# so $4 is our tunnel address and $5 is the tunnel peer, used as the default gateway.
route del -host 1.1.1.1 gateway 192.168.1.1
route add default gateway "$5"
iptables --table nat -F POSTROUTING
# LAN clients talking to the few hosts routed via eth0 (e.g. NTP) are masqueraded
iptables --table nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
# everything else leaves through the tunnel with the tunnel address as source
iptables --table nat -A POSTROUTING -o tun0 -j SNAT --to-source "$4"
echo 1 > /proc/sys/net/ipv4/ip_forward

This should do the trick, but DHCP is still not configured. Simply run:

cat > /etc/dhcp/dhcpd.conf << EOF
ddns-update-style none;
option domain-name-servers 8.8.8.8;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.16 192.168.1.254;
  option domain-name-servers 8.8.8.8;
  option routers 192.168.1.1;
  default-lease-time 600;
  max-lease-time 7200;
}
EOF

Now, run “sync” a couple times to write everything down to the SD card and reboot. Things should “just work”.
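As an added check that is not part of the original post, the script below audits a net-tools style `route -n` table against the routing policy set up above: the default route must leave via tun0, and the only hosts allowed to bypass the tunnel via the WiFi router (192.168.0.1) are the VPN server 1.1.1.1 and the NTP server 129.250.35.251. The sample tables are constructed, and 10.8.0.5 is an assumed OpenVPN peer address.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Pi's "route -n" table for
# routes that let LAN traffic bypass the tunnel. Policy from the setup above: the
# default route must leave via tun0, and eth0 may carry only the two connected
# LANs, a host route to the WiFi router, and /32 routes via that router to the
# VPN server and the NTP server. Anything else on eth0 is reported as a leak.
BYPASS_GW="192.168.0.1"
ALLOWED_HOSTS="1.1.1.1 129.250.35.251"
LAN_NETS="192.168.0.0 192.168.1.0"
# check_routes: "route -n" output on stdin; prints findings, returns 0 only if clean.
check_routes() {
    awk -v gw="$BYPASS_GW" -v hosts="$ALLOWED_HOSTS" -v lans="$LAN_NETS" '
    BEGIN {
        n = split(hosts, h, " "); for (i = 1; i <= n; i++) ok_host[h[i]] = 1
        n = split(lans, l, " ");  for (i = 1; i <= n; i++) ok_lan[l[i]] = 1
    }
    NR <= 2 || NF < 8 { next }          # banner and header lines
    {
        dst = $1; via = $2; mask = $3; iface = $8
        if (mask == "0.0.0.0") {        # a default route
            defaults++
            if (iface != "tun0") { print "LEAK: default route via " iface; bad = 1 }
        } else if (iface == "eth0") {
            if (mask == "255.255.255.255" && via == gw && (dst in ok_host)) next
            if (mask == "255.255.255.255" && via == "0.0.0.0" && dst == gw) next
            if (mask == "255.255.255.0" && via == "0.0.0.0" && (dst in ok_lan)) next
            print "LEAK: " dst "/" mask " via " via " on eth0"; bad = 1
        }
    }
    END {
        if (defaults == 0) { print "DOWN: no default route, tunnel is not up"; bad = 1 }
        if (!bad) print "OK: all non-exempt traffic goes through tun0"
        exit bad + 0
    }'
}
# Constructed "route -n" output with the tunnel up (10.8.0.5 is an assumed OpenVPN
# peer address, not a value from the post). On the Pi itself: route -n | check_routes
SAMPLE_UP='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
1.1.1.1         192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
129.250.35.251  192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'
# Constructed failure case: the tunnel died and a default route via the WiFi router took over.
SAMPLE_LEAK='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0'
audit_sample() { printf '%s\n' "$1" | check_routes; }
audit_sample "$SAMPLE_UP"; audit_sample "$SAMPLE_LEAK" || true
```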

9 thoughts on "Setting up a Raspberry PI as an OpenVPN Router without additional NICs"

  1. Hi Luca, amazing to see how many steps you had to take to get the JB alive. Sad to hear you are going to leave the JB community and I want to thank you sincerely for all your hard work from the last couple of years, RESPECT!! Greetings from a fan in the Netherlands🙏👏🙏

  2. This blog was a good read and it's amazing how much work goes into what you do, keep it up and you have many fans like myself from Trinidad & Tobago

  3. You are a very hard worker, but there is one major bug, my phone is now stuck on the Apple logo because of this jailbreak.

  4. Hey Luca, I think you're great man!! I want to thank you for releasing Yalu to the public. YOU ROCK!! I have been your fan since even before the release, and even when people questioned your legitimacy, I corrected them. I completely respect your decision to not work on future jailbreaks. I personally think you are way too great to quit though, but that is your choice man, you've already done so much for everybody!! I admittedly did want to see you keep giving Apple some more competition!! I also loved that you used Kim Jong Un as the Yalu icon hahaha I think Apple is communist, I felt like you made a great statement! 😀

  5. Thanks to hell for the jailbreak of iOS 10-10.2. That you chose to link it means so damn much for me, and there are not many like you who had managed it !! Love you ❤️
