After use as Proxy and TV client here now another possible use for a Raspberry Pi: as VPN gatewayIn this specific case to provide several devices with a VPN connection. Practical if not every device directly supports VPN.
Update from 14.05.2015: I have the Setup to the VPN gateway for the use of the Raspberry Pi 2 updated once again. Of course, the speed still depends on the used VPN provider or many other factors.
Although there is already a finished imagewhich provides a Raspberry Pi as OpenVPN gateway, but the complete setup did not turn out to be so complicated in the end that I couldn't add it to the already existing Raspberry Pi. The faster the Raspberry (or the used single-board computer of your choice), the more performance the VPN will have afterwards.
To use the Raspberry Pi as an OpenVPN gateway some requirements must be met:
- Raspberry Pi respectively Pi 2 integrated in the network with fixed IP address (not mandatory)
- VPN access (I use IPredator respectively PureVPN)
- A basic understanding of routing and Linux is advantageous because everything is done on the console
When you have all the parts together you can start the installation - the Instruction of IPredator helps, here are the most important cornerstones. First you have to install openvpn:
~ # sudo aptitude install openvpn
Then we need the .conf file of the respective provider, which also contains the necessary settings and keys. This file must be copied to /etc/openvpn can be copied. In the same directory we create an .auth file (the correct name of this file must be specified in the .conf file under auth-user-pass be registered). The .auth file contains only two lines with username and password for the VPN connection.
In the .conf file of the VPN connection the following entries must be added (may be obsolete depending on the provider, for PureVPN you don't need it):
script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf redirect-gateway
The call of the script update-resolv-conf when establishing and closing the VPN connection ensures that the correct DNS server is always used, redirect-gateway ensures that the data packets of the clients in the network are later passed through via the VPN connection. If all these settings are done, the first test run is started: with the command openvpn -config /etc/openvpn/meine-config.conf a VPN connection is established, in a second terminal you can see if it worked correctly. There you should see ifconfig display a new tun0 device:
tun0 Link encap:UNSPEC Hardware address 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet Address:x.x.x.x P-z-P:x.x.x.x Mask:255.255.255.0 UP POINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:6005 errors:0 dropped:0 overruns:0 frame:0 TX packets:6335 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 send queue length:100 RX bytes:1554591 (1.4 MiB) TX bytes:625622 (610.9 KiB)
So the VPN connection works already once, OpenVPN can now be activated regularly via /etc/init.d/openvpn start and also starts automatically after a restart - now only data packets from devices in the local network have to be routed over this connection.
Setting up the gateway
First of all, packet forwarding must be activated. Since we want it to remain active even after a reboot, in the file /etc/sysctl.conf remove the comment sign in front of the following entry:
net.ipv4.ip_forward=1. After restarting the Pi once, then we also know if the VPN connection is built automatically - if this is the case, enable forwarding in iptables (the following settings worked for me at least, but iptables can be a bit tricky - if necessary you have to experiment a bit here)
~ # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
~ # iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
If you want to use iptables with the same settings after a reboot, you can use the package iptables-persistent to install - this will save and reload the current iptables entries
Use of Wireguard
Using iptables you can redirect the traffic to the wireguard interface instead of the tun0 device of the OpenVPN connection. If you have a wireguard connection, the following command will show you what the network interface is called:
~ # ip a
In my setup, the interface is "wg0-client" - if you want to route traffic through this interface, the iptables rules have to be adjusted accordingly:
~ # iptables -t nat -A POSTROUTING -o wg0-client -j MASQUERADE
The challenge so far is to find a suitable VPN service that allows a wireguard connection to be established on the command line. If you know a suitable wireguard VPN service, feel free to share it in the comments - using a special app usually does not work.
Configuration of the end devices
The IP address of the Raspberry Pi must now only be entered as the router on the end devices. In my case it is 192.168.0.44, on an iOS 7 device the settings will look like on the left. As soon as this has been done, all data packets (except for the DNS resolution, which is still taken over by the router in the home network) are routed via the Raspberry Pi and from there via the VPN connection - easily recognizable by the location of e.g. wieistmeineip.comwhich Sweden claims to be a country.
Raspberry Pi 2 as VPN gateway
With the newer and significantly more powerful Raspberry PI 2 Model B this setup can of course be carried out in the same way. The speed depends mainly on the VPN provider used - and the server to which the connection is made. With a server in Sweden and PureVPN as provider, 15 Mbit/s are possible (i.e. something like an average DSL connection, connections to the USA are much slower: here a good 6.5 Mbit/s are reached. For Netflix this is still sufficient after some buffering.
To speed up the surfing on US pages I have also created a DNS cache on the Raspberry Pi 2 installed: pdnsd caches the DNS requests that would otherwise be sent over the VPN connection and thus ensures a faster "surfing experience" when using the VPN connection.
Speed of the OpenVPN gateway and conclusion
The speed of this construction naturally depends on various factors: how fast is the network connection of the Raspberry Pi, how fast is the VPN connection, how fast is the DSL connection to the Internet, how fast is the WLAN. In my scenario, an iPhone 5 connected via 2.4 GHz WLAN gets a good 6.7 Mbit/s download via the Raspberry Pi gateway and almost 600kb/s upload. Instead of IPredator you can of course use any other OpenVPN provider - e.g. PureVPN.
As always with the instructions for the Pi or Raspberry Pi 2, which are based on the standard Raspian, the whole thing could also be realized with an x86 PC - only then with a significantly higher power consumption.