moio / raspberry-openvpn-gateway

License: BSD-3-Clause
A Raspberry Pi-based OpenVPN sharing gateway


Raspberry Pi OpenVPN sharing gateway

This project lets you share a VPN tunnel with multiple machines through a Raspberry Pi (1 or 2) with two network interfaces.

Network topology follows:

 +--------------+
 |              |                                                                                   X XXXXXX
 |    host 1    +------+                                                                          XX        XXX
 |              |      |                                                                         X            X
 +--------------+      |                                                                       XX              XX XX XX
                       |                                                                       X                        XX
 +--------------+      |     +----------------+    eth0    +----------------+   eth1       XXXXX                         XX         +-----------------+
 |              |      +---->|                | integrated |                |   USB      XXX                               X        |                 |
 |    host 2    +----------->|     switch     +----------->+  Raspberry Pi  +----------> X              Internet          XX ------>+  VPN endpoint   |
 |              |      +---->|                |            |                |            X                               XX         |                 |
 +--------------+      |     +----------------+            +----------------+             XXX     XXX                    XX         +-----------------+
                       |                                                                     XXX X  XX          X        X
 +--------------+      |                                                                             XX        XXX    XXX
 |              |      |                                                                               XXX XXXX   XXXX
 |   host 3     +------+
 |              |
 +--------------+

The Raspberry Pi acts as a router, a very basic firewall, a DHCP server, a DNS cache and the VPN endpoint. This project provides SaltStack files to configure the Pi.

Hardware requirements

Raspberry Pi base image preparation

Follow the official instructions to install Raspbian Lite. On a Linux host, you can also use the following quicker ones:

wget http://director.downloads.raspberrypi.org/raspbian_lite/images/raspbian_lite-2017-04-10/2017-04-10-raspbian-jessie-lite.zip
unzip *.zip
sudo dd bs=4M if=`ls *.img` of=/dev/mmcblk0 # replace with your SD device (check journalctl)

Enable SSH, as it is disabled by default:

mkdir -p /tmp/raspberrypi
sudo mount -t vfat /dev/mmcblk0p1 /tmp/raspberrypi # see above for the device name
touch /tmp/raspberrypi/ssh
sudo umount /tmp/raspberrypi
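The flashing and SSH-enabling steps above, written as a script with a sanity check on the target device. This is an added example, not part of the project: the device, sysfs and mounts checks, the MAX_SD_GIB threshold and the partition-name helper are my own assumptions, and it assumes GNU dd (for conv=fsync) and sudo. It also goes slightly beyond the page by handling USB card readers, where the card shows up as /dev/sdX and its first partition as /dev/sdX1 rather than /dev/mmcblk0p1.

```shell
#!/bin/sh
# Flash the Raspbian Lite image to an SD card and enable SSH on it.
# Added example, not project code: it wraps the README's dd/mount/touch
# steps with a check that the image cannot be written over the wrong disk.

MAX_SD_GIB=256   # assumed upper bound for an SD card; larger devices are rejected

# sd_partition DEV N
#   Name of partition N on whole device DEV: /dev/mmcblk0 -> /dev/mmcblk0p1,
#   /dev/sdb -> /dev/sdb1 (devices whose name ends in a digit use a "p").
sd_partition() {
    case $1 in
        *[0-9]) printf '%s\n' "${1}p$2" ;;
        *)      printf '%s\n' "$1$2" ;;
    esac
}

# is_safe_sd_target DEV [SYSFS] [MOUNTS]
#   Returns 0 only when DEV is a whole block device, neither it nor any of its
#   partitions is currently mounted, and it is not larger than MAX_SD_GIB.
#   SYSFS (default /sys) and MOUNTS (default /proc/mounts) are parameters only
#   so that the check can be exercised against a constructed tree.
is_safe_sd_target() {
    dev=$1
    sysfs=${2:-/sys}
    mounts=${3:-/proc/mounts}
    name=${dev#/dev/}
    if [ ! -r "$sysfs/block/$name/size" ]; then
        echo "not a whole block device: $dev" >&2
        return 1
    fi
    # A mounted partition means the card was auto-mounted (unmount it first)
    # or, worse, that this is the disk the host is running from.
    if grep -q "^${dev}[p0-9]* " "$mounts"; then
        echo "refusing: $dev (or a partition of it) is mounted" >&2
        return 1
    fi
    sectors=$(cat "$sysfs/block/$name/size")          # 512-byte sectors
    if [ "$sectors" -gt $(( MAX_SD_GIB * 2 * 1024 * 1024 )) ]; then
        echo "refusing: $dev is larger than ${MAX_SD_GIB} GiB, not an SD card?" >&2
        return 1
    fi
    return 0
}

# flash_sd_image IMAGE DEV
#   Writes IMAGE to DEV after the checks above, then mounts the boot partition
#   and creates the empty "ssh" file that turns the SSH server on at first boot.
flash_sd_image() {
    image=$1
    dev=$2
    is_safe_sd_target "$dev" || return 1
    sudo dd bs=4M if="$image" of="$dev" conv=fsync
    sudo partprobe "$dev" 2>/dev/null || true   # re-read the new partition table
    mnt=$(mktemp -d)
    sudo mount -t vfat "$(sd_partition "$dev" 1)" "$mnt"
    sudo touch "$mnt/ssh"
    sudo umount "$mnt"
    rmdir "$mnt"
}

# Usage: sh flash-sd.sh 2017-04-10-raspbian-jessie-lite.img /dev/mmcblk0
if [ $# -eq 2 ]; then
    flash_sd_image "$1" "$2"
fi
```

The mounts check is the one that matters most: a card that the desktop auto-mounted fails it until you unmount, which is exactly the moment to confirm you have the right device name.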

Boot your Raspberry Pi

Connect your Raspberry Pi (just Ethernet and power; you do not need a screen).

Providing configuration

Prepare OpenVPN configuration

You need a working OpenVPN configuration file, say VPN.conf, to use this project (for a starting point, see the official HOWTO). It is recommended to test it separately first.

Copy that file and any other file it refers to into salt/openvpn/etc_openvpn. The configuration script will copy them to /etc/openvpn, so any file reference (e.g. ca, cert, key) should point there.

Ensure your configuration file contains the following lines:

# reads username and password from the first two lines of login.settings
auth-user-pass login.settings

# runs when the connection is up
up /etc/openvpn/up.sh

Copy salt/openvpn/etc_openvpn/login.settings.default to salt/openvpn/etc_openvpn/login.settings and edit it. This file must contain your VPN credentials, if any are needed, for the VPN to be started automatically.

Finally, copy salt/openvpn/etc_openvpn/dnsmasq.settings.default to salt/openvpn/etc_openvpn/dnsmasq.settings and edit it to configure any VPN-specific dnsmasq options (e.g. search domains to be resolved inside the VPN, or domain names to be resolved by DNS servers from inside the VPN).
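A pre-flight check for the OpenVPN files prepared in the steps above, as an added example that is not part of the project. It verifies the two required lines, that every file the configuration references will resolve under /etc/openvpn after deployment and is already present next to the configuration, and that login.settings carries a username and a password on its first two lines. The list of file-carrying directives (FILE_DIRECTIVES) is my assumption; extend it if your provider's configuration uses others.

```shell
#!/bin/sh
# Pre-flight check for the OpenVPN files placed in salt/openvpn/etc_openvpn.
# Added example, not project code.

# Directives whose first argument is a file shipped next to the configuration.
# Assumed list; extend it for other directives your configuration uses.
FILE_DIRECTIVES="ca cert key tls-auth tls-crypt auth-user-pass"

# check_openvpn_config DIR CONF
#   DIR  - directory with the files to deploy (normally salt/openvpn/etc_openvpn)
#   CONF - name of the OpenVPN configuration file inside DIR (e.g. VPN.conf)
# Prints one line per problem found and returns 0 only when there were none.
check_openvpn_config() {
    dir=$1
    conf=$1/$2
    errors=0

    if [ ! -f "$conf" ]; then
        echo "missing configuration file: $conf"
        return 1
    fi

    # The credential file and the up hook must be referenced exactly as
    # documented, otherwise the tunnel will not come up unattended.
    grep -Eq '^auth-user-pass[[:space:]]+login\.settings[[:space:]]*$' "$conf" ||
        { echo "missing line: auth-user-pass login.settings"; errors=$((errors + 1)); }
    grep -Eq '^up[[:space:]]+/etc/openvpn/up\.sh[[:space:]]*$' "$conf" ||
        { echo "missing line: up /etc/openvpn/up.sh"; errors=$((errors + 1)); }

    # Collect the file arguments of the directives above. Inline <ca>...</ca>
    # blocks are not matched and need no file; file names containing spaces
    # are not handled by this word-splitting loop.
    refs=$(awk -v list="$FILE_DIRECTIVES" '
        BEGIN { n = split(list, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        ($1 in want) && NF >= 2 { print $2 }' "$conf")
    for ref in $refs; do
        case $ref in
            /etc/openvpn/*) name=${ref#/etc/openvpn/} ;;
            /*) echo "file reference outside /etc/openvpn: $ref"; errors=$((errors + 1)); continue ;;
            *)  name=$ref ;;
        esac
        [ -f "$dir/$name" ] ||
            { echo "referenced file not found in $dir: $name"; errors=$((errors + 1)); }
    done

    # OpenVPN reads the username from line 1 and the password from line 2.
    if [ -f "$dir/login.settings" ]; then
        filled=$(head -n 2 "$dir/login.settings" | grep -c . || true)
        [ "$filled" -eq 2 ] ||
            { echo "login.settings must have the username on line 1 and the password on line 2"; errors=$((errors + 1)); }
    fi

    [ "$errors" -eq 0 ]
}

# Usage: sh check-openvpn.sh salt/openvpn/etc_openvpn VPN.conf
if [ $# -eq 2 ]; then
    check_openvpn_config "$1" "$2"
fi
```

Run it from the repository root before the Salt step; a relative file name such as ca.crt is accepted because it resolves in /etc/openvpn once deployed, while an absolute path anywhere else is reported as a mistake.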

SSH configuration

Copy the public SSH key you want to use to access the Raspberry Pi to salt/sshd/authorized_keys (password authentication is disabled in the next step). From the repo directory you can use:

cp ~/.ssh/id_rsa.pub salt/sshd/authorized_keys

Salt installation

This project uses Salt to configure the Raspberry Pi.

To install it, insert the SD card in your Raspberry Pi and connect it to a network where you can access it. Don't connect the USB Ethernet interface yet, and run the following commands:

ssh [email protected] # password is raspberry

sudo raspi-config
# change password
# advanced options -> expand filesystem
# localisation options -> change locale (personal preference: en-US.UTF-8)
# localisation options -> change timezone
# finish and reboot

echo deb http://debian.saltstack.com/debian jessie-saltstack main | sudo tee --append /etc/apt/sources.list
gpg --keyserver pgpkeys.mit.edu --recv-key B09E40B0F2AE6AB9
gpg -a --export B09E40B0F2AE6AB9 | sudo apt-key add -
sudo apt-get update
sudo apt-get -y install salt-minion
sudo chown -R pi /srv

Now copy configuration files from this project onto the Raspberry Pi:

scp -r . [email protected]://srv

Run Salt to configure it and finally reboot:

ssh [email protected]

sudo salt-call --local state.highstate
sudo shutdown -h now

Now reconnect the network cables as in the topology above. Done!

Post-install access

A personal user has been created with the name you defined in pillar/config.sls. Its password has been set to changeme. On the first connection (remember to use the SSH key you copied to salt/sshd/authorized_keys), you will be asked to change it.

SSH is configured to accept connections on port 22. Note that the security settings are tuned to recent recommended standards; in particular the RSA host key is regenerated with a 4096-bit key length, so you will get host key warnings on the first connection attempt.

Tweaking

You can change the domain name for the Raspberry Pi subnetwork in pillar/config.sls.

The Raspberry Pi subnet is 192.168.188.0/24 as specified in salt/dnsmasq/dnsmasq.settings and salt/networking/interfaces. You have to change those files if you want a different subnetwork.
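Because the subnet is defined in two separate files, a change made in only one of them leaves DHCP and the interface address disagreeing. The following check is an added example, not part of the project: it scans any text file for IPv4 addresses and reports the ones outside the expected subnet, skipping values that are netmasks (such as 255.255.255.0), so it does not depend on the exact syntax of dnsmasq.settings or interfaces. Upstream DNS server addresses in dnsmasq.settings will be listed too; review each hit rather than treating every one as an error.

```shell
#!/bin/sh
# Report IPv4 addresses in the given files that fall outside one subnet.
# Added example, not project code.

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# is_netmask INT -> 0 when INT is a contiguous netmask such as 255.255.255.0.
# Inverting such a mask gives a number of the form 2^k - 1, so inv & (inv + 1)
# is zero. Netmasks are skipped because they are not host addresses.
is_netmask() {
    inv=$(( $1 ^ 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# addresses_outside_subnet FILE CIDR
#   Prints every IPv4 address found in FILE that is not inside CIDR
#   (e.g. 192.168.188.0/24). Returns 0 when nothing was printed.
addresses_outside_subnet() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    net_int=$(( $(ip4_to_int "$net") & mask ))
    bad=0
    for addr in $(grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u); do
        ip=$(ip4_to_int "$addr")
        if is_netmask "$ip"; then
            continue
        fi
        if [ $(( ip & mask )) -ne "$net_int" ]; then
            echo "$addr"
            bad=1
        fi
    done
    return $bad
}

# check_subnet_files CIDR FILE...
#   Runs the scan over all given files and prints "file: address" per hit.
check_subnet_files() {
    cidr=$1
    shift
    status=0
    for f in "$@"; do
        for hit in $(addresses_outside_subnet "$f" "$cidr"); do
            echo "$f: $hit"
            status=1
        done
    done
    return $status
}

# Usage: sh check-subnet.sh 192.168.188.0/24 salt/dnsmasq/dnsmasq.settings salt/networking/interfaces
if [ $# -ge 2 ]; then
    check_subnet_files "$@"
fi
```

After changing the subnet, run it with the new CIDR; a stale address left in either file shows up as a "file: address" line and the script exits non-zero.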

Any other aspect can be tweaked directly in the SaltStack files, which should be pretty self-explanatory.

If you make an improvement don't forget to open a pull request!
