Sonntag, 22. September 2013

Raspberry Pi as OpenVPN Gateway with or without Airplay Image Download

You can find the German instructions here

Hello all,

after the NSA scandal I started thinking about VPN gateways and created an image for the Raspberry Pi:

What do we need?

  • Raspberry Pi 512MB Version B
  • SD card, 2GB or larger
  • Power adapter with 1A
  • Network cable
  • Case
  • Nothing else
General information about the configuration of the images:

  • without GUI
  • 16MB graphic RAM
  • HDMI Output active
  • sshd, nntp, OpenVPN, iptables and networking start automatically
  • 190MB swap file configured in /etc/fstab but disabled
  • User: root Password: raspberry

Raspberry Pi Image with OpenVPN and Airplay receiver:

  • Linux raspberry-pi 3.6.11+
  • Updated with rpi-update on 2013-09-22
  • RAM usage 53MB
  • Image for 2GB SD-card
  • Shairport as Service
  • Download
Raspberry Pi Image with OpenVPN:

What do I have to do with the image?

Write the image file to the SD card (see the instructions on eLinux.org).

On Windows use Win32 Disk Imager.

On Linux use dd:

umount /dev/sdX1
dd bs=1M if=~/.img of=/dev/sdX
sync
On Mac use dd:

diskutil unmountDisk /dev/diskX
dd if=.img of=/dev/rdiskX bs=1m
Configuration:

Edit the configuration files in the openvpn folder on the SD card.
It is important that all configuration files are present; I did not write a fault-tolerant script ;)

Here we go:


  • interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
 
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
address 192.168.1.150
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 194.150.168.168
 
auto eth0:1
iface eth0:1 inet static
address 192.168.1.254
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
It is important to have two different virtual interfaces like this.
You can also use DHCP for eth0 if you like.

Choose any nameserver you like, but not one from Europe or the USA ;)

The default gateway is your current router.

eth0:1 is the new interface that the devices in your network will use as their gateway.

  • example.ovpn
This is the important OpenVPN configuration file. You get it from your VPN provider, usually with the certificates included.
Otherwise add the certificates to the same folder, together with the login credentials in password.txt (username on the first line, password on the second):
username
password
They are copied to the folder /etc/openvpn automatically.
Add the necessary information to the .ovpn file:


CA: VPN123.se.ca.crt
TLS auth key: yes (VPN123.se.ta.key)
auth-user-pass password.txt

On every restart the configuration files are copied again, so you can change the configuration at any time.

First start:

If you have a screen attached you will see the login prompt.
Test your VPN connection with some website.

If you use Windows 7/8, the firewall may lock down the network profile once the gateway changes. Then you have to set the registry value to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\NetworkList\profiles\ followed by the subkey that stands for the name of the network.
Then set the DWORD value Category to the desired location
(0 = public, 1 = private, 2 = work)
Background information from Born (sorry, in German).

Port forwarding:

If you need port forwarding, for example for your ssh server, add new iptables rules:

iptables -A PREROUTING -t nat -i tun0 -p tcp --dport 1234 -j DNAT --to-destination :1234
iptables-save > /boot/openvpn/rulesiptables

(Use -p udp instead of -p tcp for a UDP service.) You can also add some safety rules if you like.
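As an added example (not the original post's rulesiptables), the script below generates the complete iptables-restore file that the image loads from /etc/rulesiptables before the interfaces come up. It assumes the LAN is on eth0 with the 192.168.1.0/24 addresses from the interfaces file above and the tunnel is tun0; ports passed as arguments are forwarded from the tunnel to the Pi itself, as in the DNAT rule above. Besides the port forwards it adds the "safety rules" the text mentions: the FORWARD policy is DROP and the only accepted path is LAN to tunnel (plus replies), so when tun0 is down nothing is forwarded to the router on eth0 in the clear, and new connections arriving from the tunnel only reach the forwarded ports.

```shell
#!/bin/sh
# Added example, not the image's own ruleset. Generates an iptables-restore
# file for the OpenVPN gateway. Assumptions: LAN on eth0 (192.168.1.0/24 as in
# the interfaces file), tunnel on tun0, forwarded ports terminate on the Pi.
LAN_IF=eth0
VPN_IF=tun0
LAN_NET=192.168.1.0/24

# gateway_rules [tcp_port ...]  -> ruleset on stdout, one TCP forward per argument
gateway_rules() {
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  for port in "$@"; do
    # port-only DNAT keeps the destination address (the tunnel end on the Pi)
    printf '%s\n' "-A PREROUTING -i $VPN_IF -p tcp --dport $port -j DNAT --to-destination :$port"
  done
  # LAN clients leave through the tunnel using the tunnel's address
  printf '%s\n' "-A POSTROUTING -o $VPN_IF -j MASQUERADE"
  printf '%s\n' 'COMMIT'

  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # only LAN -> tunnel and the matching replies are forwarded; with tun0 down
  # nothing is forwarded out of eth0 to the router, so no traffic leaks unencrypted
  printf '%s\n' "-A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -j ACCEPT"
  printf '%s\n' "-A FORWARD -i $VPN_IF -o $LAN_IF -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # from the tunnel side only the forwarded ports may open new connections to the Pi
  for port in "$@"; do
    printf '%s\n' "-A INPUT -i $VPN_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
  done
  printf '%s\n' "-A INPUT -i $VPN_IF -m state --state NEW -j DROP"
  printf '%s\n' 'COMMIT'
}

# Write the file the image restores on the next boot, forwarding ssh:
#   gateway_rules 22 > /boot/openvpn/rulesiptables
# Load it immediately without rebooting:
#   gateway_rules 22 | iptables-restore
```

The FORWARD rules reference tun0 by name, so restoring them in the if-pre-up hook before OpenVPN has created the device is fine; the rules simply match nothing until the tunnel is up.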

Configure your own image like this:

Very short explanation:

  • First I got the minimal image.
  • Resized the swap file to 190MB because of trouble fitting it on 2GB SD cards, and disabled swap in /etc/fstab to reduce wear on the card.
  • Install some packages:
apt-get update
apt-get upgrade
apt-get install git git-core libao-dev libssl-dev libcrypt-openssl-rsa-perl libio-socket-inet6-perl libwww-perl avahi-utils pkg-config alsa-utils gcc make openssl openvpn

System update:

wget --no-check-certificate https://raw.github.com/Hexxeh/rpi-update/master/rpi-update -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update
rpi-update

OpenVPN configuration:

echo 'AUTOSTART="standard"' >> /etc/default/openvpn
touch /etc/network/if-pre-up.d/iptables
echo "#!/bin/bash" >> /etc/network/if-pre-up.d/iptables
echo "/sbin/iptables-restore < /etc/rulesiptables" >> /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables

The copy script copyovpn.sh is located in /boot/openvpn.
The configuration file interfaces is located in /boot/openvpn and is copied to /etc/network.
The .ovpn configuration file is copied from /boot/openvpn to /etc/openvpn/standard.conf.
The iptables configuration file rulesiptables is located in /boot/openvpn and is copied to /etc.
Run nano /etc/sysctl.conf and remove the # from the line net.ipv4.ip_forward = 1.
The script /etc/init.d/networking has to be changed to load the files from /boot/openvpn:
add the line "bash /boot/openvpn/copyovpn.sh" at the beginning, after IFSTATE.
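The image's own copyovpn.sh is not shown on this page; as an added example, the script below does the copying the text describes (interfaces, rulesiptables, the .ovpn as standard.conf, plus the certificates and password.txt) and adds the check the author admits is missing: it refuses to run when a file the tunnel needs is absent from the boot folder, so a typo on the SD card does not silently leave the gateway without a VPN configuration. It assumes a single .ovpn in the folder and file names in the ca/cert/key/tls-auth/auth-user-pass directives given relative to that folder, as in the configuration section above; the optional second argument is a root prefix used for testing.

```shell
#!/bin/sh
# Added example, not the image's copyovpn.sh. Copies the VPN configuration from
# the boot partition folder into place and validates it first.
# Usage: copy_vpn_config /boot/openvpn          (second argument: root prefix, default /)

copy_vpn_config() {
  src=$1
  root=${2:-}          # prefix for tests; empty means the real /etc
  rc=0
  for f in interfaces rulesiptables; do
    if [ ! -f "$src/$f" ]; then echo "missing: $src/$f" >&2; rc=1; fi
  done
  # exactly one client profile
  set -- "$src"/*.ovpn
  if [ $# -ne 1 ] || [ ! -f "$1" ]; then
    echo "need exactly one .ovpn in $src" >&2; return 1
  fi
  ovpn=$1
  # every file the profile references must sit next to it (assumption: relative names)
  refs=$(awk '$1 ~ /^(ca|cert|key|tls-auth|auth-user-pass|crl-verify)$/ && NF > 1 { print $2 }' "$ovpn")
  for f in $refs; do
    if [ ! -f "$src/$f" ]; then
      echo "missing: $src/$f (referenced by $(basename "$ovpn"))" >&2; rc=1
    fi
  done
  # Windows-only directives that keep the Linux client from building the tunnel
  if grep -Eq '^[[:space:]]*(route-method|route-delay)' "$ovpn"; then
    echo "warning: route-method/route-delay in $(basename "$ovpn"); remove them on Linux" >&2
  fi
  [ $rc -eq 0 ] || return $rc

  mkdir -p "$root/etc/network" "$root/etc/openvpn"
  cp "$src/interfaces"    "$root/etc/network/interfaces"
  cp "$src/rulesiptables" "$root/etc/rulesiptables"
  cp "$ovpn"              "$root/etc/openvpn/standard.conf"
  for f in $refs; do
    cp "$src/$f" "$root/etc/openvpn/$f"
    # credentials and private keys are readable by root only
    case "$f" in *.key|password.txt) chmod 600 "$root/etc/openvpn/$f" ;; esac
  done
  return 0
}

# When called from /etc/init.d/networking as described above:
#   copy_vpn_config /boot/openvpn || exit 1
```

Because the boot partition is FAT, password.txt is world-readable there no matter what; the chmod after copying at least keeps the copy in /etc/openvpn private, and a failed validation exits non-zero so the networking script can stop rather than bring up a gateway without a tunnel.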

Kernel configuration:

I had to compile a new kernel to use the Raspberry Pi as a gateway. If you use rpi-update this is not necessary.

Options to enable in .config:
CONFIG_NETFILTER=y
CONFIG_NF_NAT=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_MASQUERADE=y

Airport:

echo "snd-bcm2835" >>/etc/modules
echo "hdmi_drive=2" >> /boot/config.txt
cpan Net::SDP
git clone https://github.com/albertz/shairport.git shairport
cd shairport
make
make DESTDIR=/opt/shairport install
mkdir /opt/shairport/etc
mkdir /opt/shairport/etc/init.d
cp shairport.init.sample /opt/shairport/etc/init.d/shairport
nano /opt/shairport/etc/init.d/shairport
change DAEMON="/usr/local/bin/shairport.pl" to DAEMON="/opt/shairport/usr/local/bin/shairport.pl"
change DAEMON_ARGS="-w $PIDFILE -a $NAME" to DAEMON_ARGS="-w $PIDFILE -a AIRPORT"
ln -s /opt/shairport/etc/init.d/shairport /etc/init.d/
insserv shairport

Optionally change the sound output device:

amixer cset numid=3 0
alsactl store

Auto: 0
Headphones (3.5 mm jack): 1
HDMI: 2

End:

That's all guys, have fun :)

Comments:

  1. Is it possible that you post an example .ovpn file? The gateway is working, but somehow there is no VPN tunnel.

    1. Hello,

      my ovpn looks like that:

      client
      dev tun
      auth-user-pass
      proto udp
      remote u738208.nvpn.so 1194
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      comp-lzo
      ca nVPN.crt
      auth-user-pass password.txt
      verb 3

      is also on your folder in the image.

      best regards
      Paul

    2. I found my problem: most of the provided OpenVPN files are made for Windows machines, so some config files won't work with Linux. In my case the "route-method exe" and maybe also the "route-delay" were hindering the build-up of the connection. Now it's fine. Thanks for the image

  2. Thanks, this is awesome. Unfortunately, I'm in the same situation. My gateway is working but not the VPN side. I checked for the "route-method" and "route delay" in the config but it's not there. I checked to make sure my password.txt has the right information. Any clues on how to troubleshoot this? Thanks.

    1. Hello,

      What's the actual error message from openvpn? Did you read it?

      best regards
      Paul

    2. Thanks Paul. I found out the issue. I looked in the syslog and it said:

      VERIFY ERROR: depth=1, error=certificate is not yet valid:

      I then checked pi's date and saw that it was set to 1 Jan 1970. I fixed the timezone and date and now it's good.

      Mar 1 12:29:02 raspberry-pi ovpn-standard[764]: [server] Peer Connection Initiated with [AF_INET]
      Mar 1 12:29:04 raspberry-pi ovpn-standard[764]: TUN/TAP device tun0 opened

      Checked whatsmyip for last verification step on a couple of devices and it's also different than before it was working. Hope this helps someone else who also forgot to init the sys time.

      Thanks again for the image and the quick response.

  3. What is the purpose/advantage of having the virtual interface eth0:1 instead of doing something like iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ?
