Raspberry Pi as OpenVPN Gateway with or without Airplay Image Download

Deutsche Anleitung findest Du hier

Hello all,

after the NSA scandal I'm thinking about VPN gateways and create an image for Raspberry Pi:

What we need?

• Raspberry Pi 512MB Version B
• SD-Karte from 2GB
• Poweradapter with 1A
• Network cabel
• Case
• Nothing else

General information about the configuration of the images:

• without GUI
• 16MB graphic RAM
• HDMI Output active
• sshd, nntp, OpenVPN, IPTables, Netzwerk starts automatically
• Swap file with 190MB in /etc/fstab configured but disabled
• User: root Password: raspberry (raspberrz if you use a non german keyboard layout)

Raspberry Pi Image with OpenVPN and Airplay receiver:

• Linux raspberry-pi 3.6.11+
• From 2013-09-22 with rpi-update
• RAM usage 53MB
• Image for 2GB SD-card
• Shairport as Service
• Download

Raspberry Pi Image with OpenVPN:

• Linux raspberry-pi 3.2.27
• based on Raspbian minimal Image
• RAM usage 23MB
• Image for 2GB SD-card
• Sound not working without update
• Download

What I have to do with the image?

Load the imagefile on the sdcard eLinux.org

Use for Windows Win32 Disk Imager

Use for Linux DD:

umount /dev/sdX1

dd bs=1M if=~/.img of=/dev/sdX

sync

Use for Mac DD:

diskutil unmountDisk /dev/diskX

dd if=.img of=/dev/rdiskX bs=1m

Configuration:

Change the configurationsfiles in the folder openvpn on sdcard.
Its important that all configuration files are there. I don't wrote a failure suffered script ;) 

Here we go:

• interfaces

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback 

auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
address 192.168.1.150
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 194.150.168.168 

auto eth0:1
iface eth0:1 inet static
address 192.168.1.254
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

Its important that we have two different virtual interfaces like that.
You can you also DCHP for eth0 if you like.

Choose any nameserver you like but not from europe or USA ;)

The standard gateway is your actual router.

eth0:1 is the new interface that will be routing for your network.

• example.ovpn

These is the important OpenVPN configuration file. You got these from your VPN provider. Usually you got the certificates included.

Otherwise you should add these certificates in the same folder and also the authentication informations like that:

username
passwort

They will copied in the folder /etc/openvpn automatically.
Add the necessary information in the .ovpn file:

CA: VPN123.se.ca.crt
TLS auth key: yes (VPN123.se.ta.key)
auth-user-pass password.txt

With any restart the configuration files will be copied again. So you can change the configuration anytime.

First start:

If you use a screen you will see the login.
Test your VPN connection with some Website.

Perhaps you have Windows 7/8 and it will close the firewall with the new gateway. Then you have to change the registry to 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
\CurrentVersion\NetworkList\profiles\, wobei für den
Namen des Netzwerks steht.
Dann setzen Sie den DWORD-Wert Category auf den gewünschten Standort
(0 = public (öffentlich), 1 = privat(e), 2 = work (Arbeitsplatz))

Background information from Born (sorry in german).

Portforwarding:

If you need portforwarding for your ssh server for example you add some new iptables rules:

iptables -A PREROUTING -t nat -i tun0 -p tcp(udp) --dport 1234 -j DNAT --to :1234
iptables-save > /boot/openvpn/rulesiptables

You can add some safty rules also you like.

Configure your own Image like that:

Very short explanation:

• First I got the Minimal Image.
• Resized the swap file to 190MB because of trouble to fit it on 2GB sdcards. And disable the swap in /etc/fstab because of aging reasons.
• Installing some packages:

apt-get update

apt-get upgrade

apt-get install git git-core libao-dev libssl-dev libcrypt-openssl-rsa-perl libio-socket-inet6-perl libwww-perl avahi-utils pkg-config alsa-utils gcc make openssl openvpn

System update:

wget --no-check-certificate https://raw.github.com/Hexxeh/rpi-update/master/rpi-update -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update

rpi-update

Configuration OpenVPN:

echo 'AUTOSTART="standard"' >> /etc/default/openvpn

touch /etc/network/if-pre-up.d/iptables

echo "#!/bin/bash" >> /etc/network/if-pre-up.d/iptables

echo "/sbin/iptables-restore < /etc/rulesiptables" >> /etc/network/if-pre-up.d/iptables

chmod +x /etc/network/if-pre-up.d/iptables

The copy script copyovpn.sh is located in /boot/openvpn.

The configuration file Interfaces is located in /boot/openvpn and will copied to /etc/network.

The configuration file .ovpn will copied from /boot/openvpn to /etc/openvpn/standard.conf.

The configuration file for IPTABLES rulesiptables is located in/boot/openvpn and will be copied to /etc.

nano /etc/sysctl.conf and remove # from line: net.ipv4.ip_forward = 1.

The configuration file /etc/init.d/networking have to changed to load the files from/boot/openvpn .

Add the line "bash /boot/openvpn/copyovpn.sh" in the beginning after IFSTATE.

Configuration Kernel:

I had to recompile a new kernel to use the raspberry as gateway. If you use rpi-update its not necessary.

Configuration to add in .config:

IP_NF_IPTABLES=y

CONFIG_NF_NAT=y

CONFIG_IP_NF_IPTABLES=y

CONFIG_NF_NAT=y

CONFIG_IP_NF_CONNTRACK=y

CONFIG_IP_NF_FILTER=y

CONFIG_IP_NF_TARGET_MASQUERADE=y

CONFIG_NETFILTER=y

Airport:

echo "snd-bcm2835" >>/etc/modules

echo "hdmi_drive=2" >> /boot/config.txt

cpan Net::SDP

git clone https://github.com/albertz/shairport.git shairport

cd shairport

make

make DESTDIR=/opt/shairport install

mkdir /opt/shairport/etc   

mkdir /opt/shairport/etc/init.d

cp shairport.init.sample /opt/shairport/etc/init.d/shairport

nano /opt/shairport/etc/init.d/shairport

change DAEMON="/usr/local/bin/shairport.pl" to DAEMON="/opt/shairport/usr/local/bin/shairport.pl"

change DAEMON_ARGS="-w $PIDFILE -a $NAME" to DAEMON_ARGS="-w $PIDFILE -a AIRPORT"

ln -s /opt/shairport/etc/init.d/shairport /etc/init.d/

insserv shairport

optional change the sound output device.:

amixer cset numid=3 0

alsactl store

Auto: 0

Headphones (3,5): 1

HDMI: 2

End:

That's all guys, have fun :)