Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ

HOWTO: Raspberry Pi 3 as Access Point, OpenVPN Client

Guides, HOWTOs etc on how to setup Cryptostorm on PCs, smartphones, tablets and routers.

Topic Author
dccc
Posts: 27
Joined: Mon Jan 12, 2015 10:57 pm

HOWTO: Raspberry Pi 3 as Access Point, OpenVPN Client

Postby dccc » Mon Mar 13, 2017 7:55 pm

Prerequisites

- Raspberry Pi 3
- Raspbian Jessie Lite installed (my tutorial is based on: March 2017, Kernel 4.4)

I've tried many tutorials, but nothing really worked for the Raspberry Pi 3. Finally I've found a guide to setup a DHCP server and Access Point/NAT configuration. Follow these steps:

- https://cdn-learn.adafruit.com/downloads/pdf/setting-up-a-raspberry-pi-as-a-wifi-access-point.pdf

-----------------------------------

Install OpenVPN

After your AP is finally up and working, you can install OpenVPN with:

Code: Select all

sudo apt-get install openvpn


Choose one of the UDP .ovpn files from Cryptostorms GitHub page:

- https://github.com/cryptostorm/cryptostorm_client_configuration_files/tree/master/linux

and copy i.e. "cstorm_linux-frankfurt_udp.ovpn" into:

Code: Select all

/etc/openvpn/


Now, edit the file locally with:

Code: Select all

nano


or any other editor of your choice.

Find the row with

Code: Select all

auth-user-pass
in your .ovpn file. Edit to

Code: Select all

auth-user-pass /etc/openvpn/pass.txt


I'm not sure if it's mandatory, but the .ovpn file, has to be a .conf file. I've renamed the file to "openvpn.conf". Full path should look like this:

Code: Select all

/etc/openvpn/openvpn.conf


Next step. Create the pass.txt file with

Code: Select all

sudo nano pass.txt
in your [/etc/openvpn/[/code] folder. First row of this file is the hash of your token. You can calculate the hash of your token here:

- https://cryptostorm.is/sha512.html

Your pass.txt should look like this:

Code: Select all

34594f982a480971258bce1419b77b7cb69126dd0c9a5a309a74a19d9b2af63a66feee1465a35dc7dc8ad964636030e2bc8fd46e714a6bf900820e7a2fd951df
FuckTheNSA


You're ready to start the OpenVPN service with:

Code: Select all

sudo service openvpn start


I did a reboot of the Pi and then checked, if

Code: Select all

tun0
appears in the list of the command

Code: Select all

ifconfig


Now we need to add new rules to our iptables to add a network translation between

Code: Select all

wlan0
and

Code: Select all

tun0


Code: Select all

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
sudo iptables -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i tun0 -j DROP


Important: after you've executed the iptable rules above, go on and save it in the same iptables file we created before for our AP. The rules will apply, even when you restart your Raspberry Pi 3.

Code: Select all

sudo sh -c "iptables-save > /etc/iptables/rules.v4"


Reboot again and everything should work just fine. Oh, don't forget the final security test:

- Verify if your connection is secure to prevent DNS, IPv6, IP, WebRTC leaks via https://ipleak.net/, https://www.dnsleaktest.com/

- Download a packet analyzer to verify a encrypted connection


----------------
References

- Parts of the OpenVPN setup above with help from this tutorial: https://alphaloop.blogspot.de/2014/01/r ... ccess.html

- Original post (but without the Cryptostorm specific tutorial) from here (I'm the author there too): https://www.raspberrypi.org/forums/view ... 4#p1128934


Topic Author
dccc
Posts: 27
Joined: Mon Jan 12, 2015 10:57 pm

Re: HOWTO: Raspberry Pi 3 as Access Point, OpenVPN Client

Postby dccc » Sat Mar 25, 2017 4:53 pm

Forgot to mention in the first post:

- Do not add the iptables as shown in the linked adafruit tutorial. The iptables as shown in the following OpenVPN steps are sufficient.


pedro_cucaracha_3

Re: HOWTO: Raspberry Pi 3 as Access Point, OpenVPN Client

Postby pedro_cucaracha_3 » Mon Jul 24, 2017 11:10 am

@OP

Great tutorial and i works so far. Unfortunately the connection drops every 1-2h with inactivity timeout. Any ideas on that?

Thanks in advance!

Code: Select all

ul 23 13:49:26 my-macbook-pro ovpn-client[6507]: 21 variation(s) on previous 3 message(s) suppressed by --mute
Jul 23 13:49:26 my-macbook-pro ovpn-client[6507]: [server] Inactivity timeout (--ping-restart), restarting
Jul 23 13:49:26 my-macbook-pro ovpn-client[6507]: TCP/UDP: Closing socket
Jul 23 13:49:26 my-macbook-pro ovpn-client[6507]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 23 13:49:26 my-macbook-pro ovpn-client[6507]: Restart pause, 5 second(s)
Jul 23 13:49:31 my-macbook-pro ovpn-client[6507]: Re-using SSL/TLS context
Jul 23 13:49:31 my-macbook-pro ovpn-client[6507]: LZO compression initialized
Jul 23 13:49:31 my-macbook-pro ovpn-client[6507]: Control Channel MTU parms [ L:1604 D:140 EF:40 EB:0 ET:0 EL:0 ]
Jul 23 13:49:31 my-macbook-pro ovpn-client[6507]: Socket Buffers: R=[87380->131072] S=[16384->131072]
Jul 23 13:49:31 my-macbook-pro ovpn-client[6507]: Data Channel MTU parms [ L:1604 D:1450 EF:104 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 23 13:49:31 my-macbook-pro ovpn-client[6507]: Local Options String: 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Jul 23 13:49:31 my-macbook-pro ovpn-client[6507]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Jul 23 13:49:31 my-macbook-pro ovpn-client[6507]: Local Options hash (VER=V4): '06d8c75c'
Jul 23 13:49:31 my-macbook-pro ovpn-client[6507]: Expected Remote Options hash (VER=V4): 'b20ffe30'
Jul 23 13:49:31 my-macbook-pro ovpn-client[6507]: Attempting to establish TCP connection with [AF_INET]46.165.222.248:443 [nonblock]


pedro_cucaracha_3

Re: HOWTO: Raspberry Pi 3 as Access Point, OpenVPN Client

Postby pedro_cucaracha_3 » Tue Jul 25, 2017 10:31 am

Okay, i compiled openvpn 2.4.3 from source and installed it. Maybe it was openvpn 2.3.4 which was simply too old


Return to “guides, HOWTOs & tutorials”

Who is online

Users browsing this forum: blurb and 5 guests

Login