RASPBERRY PI 4 VPN ROUTER

LUIS SABALA

SETUP NEW RASPBERRY PI 4 REFERENCE

  1. Setup Raspberry Pi (No OpenWRT – Not related to this project)
  2. Raspberry Pi Router (OpenWRT)

TOOLKIT

Raspberry Pi 4 B (Preferred)

Power Supply

Micro SD Card

USB Micro SD Card Reader

Ethernet Cable

USB WIFI Adapter

QUICK SUMMARY

  • The onboard WIFI adapter of the Raspberry Pi will connect to home/public wireless networks
  • The external USB WIFI adapter will broadcast an SSID & provide clients with WIFI & VPN Internet access
  • OpenWRT will be flashed onto the RPI4
  • OpenWRT is flexible & allows applications to be added/removed via a package management system without having to rebuild firmware
  • In my scenario I use an ISP router as my home gateway to provide Internet. The RPI acts as the VPN termination point behind my ISP router, & the clients’ default gateway is the RPI, not my ISP router

STEP 1 – INSTALL OPEN WRT

  1. Install OpenWRT
    • https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi
  2. Scroll & locate your Raspberry Pi version & click on OpenWRT Firmware link

STEP 2 – INSTALL RASPBERRY PI IMAGER

  1. Plug in Raspberry Pi Micro SD Card to PC using the USB microSD Card Reader
  2. Install Open-Source Raspberry Pi Imager
    • https://www.raspberrypi.com/software/
  3. Format SD Card using File Explorer
  4. Open RPI Imager App
  5. Select “Choose OS” > “Use Custom”
  6. Select the OpenWRT .img file from Step 1
  7. Select “Choose Storage”
  8. Select Raspberry Pi SD Card
  9. Select “Next” then “NO” then “Yes” to Write then “Continue”

STEP 3 – (NETWORK) CONFIGURE OPENWRT NETWORK

  1. Plug in RPI4 to PC via Ethernet
  2. By Default, RPI4 will have a static IP of 192.168.1.1
  3. Change PC Ethernet adapter settings to an IP in the 192.168.1.0/24 range
  4. SSH to RPI4 using Putty software
  5. Set Raspberry Pi password using passwd command
  6. Change directory
    • cd /etc/config
  7. Back up these three files
    • cp firewall firewall.bk
    • cp network network.bk
    • cp wireless wireless.bk
  8. Issue “vi network” command
  9. Change the LAN IP address to a subnet in the RFC1918 range that differs from your home router’s DHCP scope
  10. Add “option force_link '1'” in the LAN section
  11. Add 2 interfaces under the LAN interface
    • config interface 'wwan'
      • option proto 'dhcp'
      • option peerdns '0'
      • option force_link '1'
    • config interface 'vpnclient'
      • option device 'tun0'
      • option proto 'none'
      • option type 'bridge'

STEP 4 – (FIREWALL) CONFIGURE OPENWRT NETWORK

  1. Commands
    • vi firewall
  2. Change ‘option input’ under wan config zone from ‘REJECT’ to ‘ACCEPT’
  3. Reboot Raspberry Pi
    • reboot

STEP 4 – (FIREWALL) CONFIGURE OPENWRT NETWORK

  1. Change the PC Ethernet adapter settings to an IP address in the same range as the IP you assigned the RPI4
  2. This is needed so you can SSH back into the RPI4 using the configured password

STEP 5 – CONNECT OPENWRT TO WIFI

  1. Access Raspberry Pi GUI using HTTP
  2. Login using Credentials
  3. Open Network > Wireless
  4. Select “Scan” under radio0 interface
  5. Locate your home SSID & select “Join Network”
  6. Enable “Replace wireless configuration” checkbox
  7. Enter home SSID PSK
  8. Leave “Assign firewall-zone” set to “wan”
  9. Select “Submit”
  10. Scroll down & under “Advanced Settings” add wlan0 to “Interface name” text box
  11. Select “Save & Apply”
  12. Select Status > Overview to verify DHCP IP address assignment
  13. Select Network > Interfaces
  14. Select “Edit” on wwan interface & under “Advanced Settings” insert ‘1.1.1.1’ & ‘8.8.8.8’ under ‘Use custom DNS servers’
  15. Select “Save” then “Save & Apply”
  16. Test internet connectivity by issuing ping from RPI4 terminal

STEP 6 – SETUP THE USB WIRELESS ADAPTER

  1. Driver Install Commands
    • opkg update
    • Note: If this fails, reboot the Raspberry Pi & retry
    • opkg install kmod-mt7921u kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb kmod-usb-core kmod-usb-uhci kmod-usb-ohci kmod-usb2 usbutils openvpn-openssl luci-app-openvpn
    • Issue “lsusb” command prior to inserting the USB wireless adapter
    • Issue the command again after inserting it & note your USB adapter name for reference
  2. Enable USB adapter
    • ifconfig wlan1 up
    • ifconfig
  3. wlan0’s role is to connect to public WIFI
  4. wlan1 will be configured to act as an access point to provide clients with WIFI & VPN

STEP 7 – WIRELESS NETWORK SETUP

  1. Edit Wireless configuration file
    • Commands
      • vi /etc/config/wireless
  2. Change “option disabled” value under radio1 to “0”
  3. Change “option ssid” value under default_radio1 interface to an SSID of your choice
  4. Change “option encryption” value under default_radio1 interface to “psk2”
  5. Add “option key 'string'” under the option encryption field
    • The string will be the pre-shared key of your choice
  6. Commit & apply changes using “uci commit wireless” & “wifi” commands
  7. Under Network > Wireless select “Edit” on your radio1 SSID & add “wlan1” under Interface name in “Advanced Settings”

STEP 7 – REFERENCE IMAGES

SSID: Luis_Travel

IP Address: 192.168.30.202

Network tested & working

ROUTER ACCESS POINT

  1. At this point, you have set up an access point on your Raspberry Pi 4
  2. Clients are able to use the RPI4 as their default gateway & access the Internet via the home ISP router
  3. We will now configure VPN so clients connecting to the RPI4 SSID can surf the Internet anonymously using a VPN IP address supplied with a VPN provider subscription
  4. This is beneficial as VPN is enabled for every wireless client at the source (the router) rather than being set up on each device

STEP 8 – VPN SETUP (NORDVPN)

  1. Download OpenVPN UDP config file
  2. Access OpenWRT & open System > Software
  3. Select “Update lists…” under Actions
  4. Under “Filter:” install the following packages
    • openvpn-openssl
    • luci-app-openvpn
  5. After refreshing the page, a VPN heading should appear
  6. Select VPN > OpenVPN

STEP 8 – VPN SETUP (NORDVPN)

  1. Select “Choose File” under OVPN configuration file upload & insert the .ovpn file downloaded at the NordVPN site
  2. Give the OVPN file an instance name of your choosing
  3. Select “Upload”
  4. Select “Edit” under the instance
  5. In the lower text box insert your NordVPN service username & on a new line insert password
  6. Look for ‘auth-user-pass’ in the config file above & next to the field insert the full path of the credential file listed underneath (xxx.auth)
  7. Select “Save”
  8. Steps to get your NordVPN service credentials
    • Log in to your NordVPN account dashboard
    • Select “NordVPN” under services
    • Scroll down & select “Set up NordVPN manually”
    • Verify access with email if prompted
    • Service credentials will be listed when redirected

STEP 8 – VPN SETUP (NORDVPN)

  1. Select Network > Firewall
  2. Under General Settings ensure the following
    • Input: accept
    • Output: accept
    • Forward: reject
  3. Select “Add” under Zones
    • Name: vpnclient
    • Input: reject
    • Output: accept
    • Forward: reject
    • Masquerading: Enabled
    • MSS clamping: Enabled
    • Covered networks: vpnclient
    • Allow forward to destination zones: unspecified
    • Allow forward from source zones: lan
  4. Select “Save”
  5. Select “Edit” on lan zone
    • Input: accept
    • Output: accept
    • Forward: accept
    • Masquerading: Enabled
    • MSS clamping: Disabled
    • Covered networks: lan
    • Allow forward to destination zones: vpnclient
    • Allow forward from source zones: unspecified
  6. Removing wwan from the forward destination zones means clients will be unable to access the Internet if the VPN goes down (security)
  7. Select “Save & Apply”

STEP 8 – VPN SETUP (NORDVPN)

  1. Select Network > DHCP and DNS
  2. Under ‘DNS forwardings’ add in NordVPN’s DNS servers
    • 103.86.96.100 & 103.86.99.100
    • 1.1.1.1 & 8.8.8.8
  3. Under ‘Resolv and Hosts Files’ tab enable ‘Ignore resolv file’ checkbox
  4. Select “Save & Apply”
  5. Select VPN > OpenVPN
  6. Enable & click ‘start’ on your OpenVPN instance & then click ‘Save & Apply’
  7. Upon “Save & Apply” the instance should be started
    • If it does not start, there may be a credential issue in the instance config file
  8. Select Network > Interfaces
  9. The vpnclient interface should be in an up state once the OVPN instance has started the VPN service

STEP 9 – TEST ON CLIENTS!

  1. For testing purposes, stop the OVPN instance & ensure the clients are unable to access the Internet due to the firewall rule we configured previously
  2. If the RPI4 SSID you configured is not broadcasting, WIFI may be turned off
  3. Select ‘Network > Wireless’ & ensure the SSID is broadcasting
  4. Alternatively, enable WIFI broadcasting by issuing the ‘wifi’ command directly on the RPI terminal
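
The kill switch set up under Network > Firewall in Step 8 and tested in Step 9 can also be checked offline by reading the firewall config file. The script below is an added example, not part of the original slides: the function names are hypothetical and the two sample configs are constructed; on the router the same functions can be pointed at /etc/config/firewall. It also reports the wan zone's input policy, which Step 4 set to ACCEPT.

```shell
#!/bin/sh
# Added example: offline audit of an OpenWrt /etc/config/firewall file.

# Flatten UCI text to "section-index section-type key value" lines.
uci_flat() {
    tr -d "'\"" < "$1" | awk '
        $1 == "config" { n++; type = $2; next }
        $1 == "option" || $1 == "list" { print n, type, $2, $3 }'
}

# Destination zones reachable from source zone $2, sorted, space-separated.
forward_dests() {
    uci_flat "$1" | awk -v src="$2" '
        $2 == "forwarding" && $3 == "src"  { s[$1] = $4 }
        $2 == "forwarding" && $3 == "dest" { d[$1] = $4 }
        END { for (i in s) if (s[i] == src) print d[i] }' |
        sort | tr '\n' ' ' | sed 's/ $//'
}

# Policy $3 (input, output or forward) of the zone named $2.
zone_policy() {
    uci_flat "$1" | awk -v z="$2" -v k="$3" '
        $2 == "zone" && $3 == "name" { name[$1] = $4 }
        $2 == "zone" && $3 == k      { val[$1] = $4 }
        END { for (i in name) if (name[i] == z) print val[i] }'
}

# Kill switch holds when zone $2 may forward to zone $3 and nowhere else.
killswitch_ok() { [ "$(forward_dests "$1" "$2")" = "$3" ]; }

# Constructed sample: the Step 8 zones plus one lan forwarding per argument.
sample_config() {
    printf "config zone\n\toption name '%s'\n\toption input '%s'\n" \
        lan ACCEPT wan ACCEPT vpnclient REJECT
    for dest in "$@"; do
        printf "config forwarding\n\toption src 'lan'\n\toption dest '%s'\n" "$dest"
    done
}

GOOD=$(mktemp); LEAKY=$(mktemp)
sample_config vpnclient > "$GOOD"        # as configured in Step 8
sample_config vpnclient wan > "$LEAKY"   # a lan -> wan forwarding left in place
for f in "$GOOD" "$LEAKY"; do
    if killswitch_ok "$f" lan vpnclient; then echo "kill switch OK"
    else echo "lan also forwards to: $(forward_dests "$f" lan)"; fi
done
echo "wan input policy: $(zone_policy "$GOOD" wan input)"
rm -f "$GOOD" "$LEAKY"
```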

STEP 9 – (VPN DISABLED – NO INTERNET ACCESS)

STEP 9 – (VPN ENABLED – SECURE INTERNET)

STEP 10 – OPENWRT LED FEATURES

  1. OpenWRT supports LED features for OpenVPN
  2. Select ‘System > LED Configuration’
  3. Select ‘Add LED action’
  4. We will create 2 actions
    • One to notify us that VPN is enabled/disabled
    • One to notify us when the RPI4 is receiving Internet traffic
  5. When OpenVPN is working as intended, one of the RPI4’s LEDs will light red
  6. Received traffic will be indicated with a green LED

NEXT STEPS

  1. Next, I will show you how to connect to public WIFI using the RPI4 to provide our hungry mobile devices with protected Internet browsing
  2. To be continued..

THANK YOU

Luis Sabala