APC Australia

Protect your identity with the VPiN

Adam Oxford turns an old Raspberry Pi into a VPN gateway for your home.


Caring about your online privacy and actually following best practices to protect it are two different things. As APC readers, it’s likely that you know the principles of what we should do to avoid the great data collectors and geo-locators in the sky, but maintaining constant vigilance is an effort that soon gets tiresome, if not downright impossible.

For example, you know that you should be using a VPN to avoid ISP-level filters imposed by various pieces of the law. Setting up and using a log-free VPN service from your PC’s desktop is straightforward enough, but what about all the other devices in your home? For example, if you use a games console to watch Stan, Netflix or YouTube on your TV, how do you route traffic from there effectively? No consoles have built-in VPN software. There’s no app in the PlayStation Store.

One solution would be to buy a router that can connect directly to a VPN service, protecting all the traffic on your home network in a single stroke. Or, if you have an older router, you could modify it with an OpenWRT firmware and add controls such as these yourself.

Or, if you want a cheaper and more straightforward solution, you could use a Raspberry Pi…

PI RIGHT THERE

With just a few fairly simple scripts, you can configure any Raspberry Pi to be a headless VPN gateway. This means that when it’s connected to your router, you can send traffic to it from other devices before they connect to the outside world – essentially putting them behind a VPN. Here, we’re using a first generation Pi – it’s a nifty repurposing of a piece of kit that’s past its sell-by date for most other common Pi-related projects.

To get started, you’ll need four things. The first three are a Raspberry Pi, an SD card preloaded with the Raspbian operating system and a subscription to a VPN service of your choice. We’re going to use NordVPN, which assures us that it doesn’t log user behaviour or filter for particular activities such as P2P protocols. There are services that promise even more anonymity, or are more affordable, but Nord is a good place to start investigating options.

The fourth thing you’ll need is a copy of your provider’s OpenVPN configuration files and encryption certificates. There are usually a lot of these — one for each server you can connect to — so pick a handful that you want to be able to quickly access. We opted for two US servers, choosing one that supports the UDP protocol and one that supports TCP/IP.

You should find these configuration files on your VPN provider’s website. Download them and unzip them into a folder on your desktop.

INSTALL PACKAGES

We want our Pi to be running headless, in other words without a keyboard and monitor attached, which means that once it’s up and running we’ll need to access it using a remote shell and SSH. For the first run it can be easier to access the Pi directly by plugging in peripherals, at least until you have made sure it has a fixed IP address on your network, which is essential for this walkthrough.

To do that, open a terminal on the Pi desktop and type sudo nano /etc/network/interfaces. Edit this file to look like this (you can choose any free IP address for the line that ends in 12; bear in mind that the 1 in the third part of the address could be another number on your network).

    auto lo
    iface lo inet loopback

    auto eth0
    allow-hotplug eth0
    iface eth0 inet static
        address 192.168.1.12
        netmask 255.255.255.0
        gateway 192.168.1.1
        dns-nameservers 1.1.1.1 1.0.0.1

Press Ctrl-O to write out the file, and then press Ctrl-X to quit nano.

Now turn the Pi off, and remove all peripherals, leaving just the networking cable in place. Then reconnect the power supply to get it started again.

Once the Pi has booted up, you should be able to access it from another PC using SSH. In our case the command to connect is ssh pi@192.168.1.12 and the password is the default, ‘raspberry’. Change this password as soon as you log in, because the default is publicly known.

The next thing you’ll need to do is install the OpenVPN packages with the following command: sudo apt-get install openvpn

Next, navigate to the folder where you need to keep your OpenVPN configuration files by typing cd /etc/openvpn. You need to download the configuration files from your VPN provider. In our case we can do this using wget — don’t forget to use sudo, because the /etc folder isn’t writeable by ordinary users. In our case, the command is sudo wget https://downloads.nordcdn.com/configs/archives/servers/ovpn.zip, followed by sudo unzip ovpn.zip to decompress it.

A quick ls command will show if you have been successful. There should be a list of files ending in .ovpn. Note that some VPN providers may have packaged these files in subdirectories, for example to separate connections encrypted with optional 128- or 256-bit protection. If so, you’ll need to move the files to the /etc/openvpn directory using the mv command.

You can now open a connection to any of these servers using the command sudo openvpn --config example.ovpn --daemon, where example is the filename of the configuration file.

If you try this now, you’ll notice that the script asks for your username and password to authenticate the connection. Do test to see if the connection is working by typing ifconfig. You should see a connection marked TUN, which is your VPN tunnel.

YOU SHALL NOT PASSWORD!

So far we have a slightly cumbersome way of connecting our Pi to a VPN via a terminal that requires you to enter your username and password when you want to connect. Good, but it could be better — we’re going to create a few scripts that supply your credentials automatically to save you some time.

Take a look at the VPN files you downloaded to your desktop and open one of them. You should see that it starts the client and that there’s a list of commands. These include a line that contains auth-user-pass. We can alter this line to automatically feed a username and password to our config file when it is called.

Back in your SSH connection to the Pi, navigate back to /etc/openvpn and type sudo nano vpnlogin. This should open up the nano text editor. Create a text document that has nothing except your username for the VPN provider on the first line, and your password on the second. Hit Ctrl-O to write the contents to disk, then Ctrl-X to quit nano.

Once you’ve done that, pick the VPN connection you think you’ll use the most and edit the config file using sudo nano example.ovpn. Change the line that says auth-user-pass to auth-user-pass /etc/openvpn/vpnlogin. Use the full path, because OpenVPN looks up a relative filename in the directory it was started from, not the directory that holds the config file.

Now when you start that connection using the openvpn command, it should connect directly without the password prompt. (See the boxout above for a way to change all the config files at once.)
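The same change applied to every config file in one pass, as an added example that is not from the original article. It assumes the configs sit in /etc/openvpn and that the credentials file is referenced by its absolute path; use_login_file is a hypothetical helper name.

```shell
#!/bin/bash
# Added example, not from the article. use_login_file is a hypothetical helper.
# Points every .ovpn file in a directory at one credentials file and makes
# that file readable by its owner only, since it holds a plain-text password.

use_login_file() {
    local dir="$1" login="$2" f
    [ -f "$login" ] || { echo "missing $login" >&2; return 1; }
    # OpenVPN expects the username on line 1 and the password on line 2.
    [ "$(grep -c '' "$login")" -ge 2 ] || { echo "$login needs two lines" >&2; return 1; }
    chmod 600 "$login"
    for f in "$dir"/*.ovpn; do
        [ -f "$f" ] || continue
        if grep -qE '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$f"; then
            # Rewrite the directive whether or not it already names a file.
            sed -i -E "s|^[[:space:]]*auth-user-pass([[:space:]].*)?\$|auth-user-pass $login|" "$f"
        else
            # No directive present: append one so the config never prompts.
            printf 'auth-user-pass %s\n' "$login" >> "$f"
        fi
    done
}

# On the Pi, as root:
#   use_login_file /etc/openvpn /etc/openvpn/vpnlogin
```

The function is safe to run again after downloading a fresh set of configs, because lines that already name a credentials file are simply rewritten.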

So far so good, but we don’t want to have to type a long command every time we need to connect to a VPN. Remember that you took a note of your most likely used servers right back at the start? Good, because we’re going to create a quick script that will enable you to start and switch between those with a simple command.

It begins with an instruction to close any open VPN connections, then starts the OpenVPN daemon, filling in the credentials from the text file we just created. Back in your home folder, type nano vpn1.sh and enter:

    #!/bin/bash
    sudo killall openvpn
    sudo -b openvpn /etc/openvpn/example.ovpn

Repeat this step for the three or four VPN connections that you think you’ll use the most, adding one to the number in the filename each time. Now you can start or switch your connection by SSHing into the Pi from any computer on the network and typing sudo bash vpn1.sh.

Finally, to route traffic via the Pi, you’ll need to go back to your PlayStation (or other device) and change the internet settings. Leave everything in its default setting apart from the Gateway and DNS servers.

Change Gateway to the IP address of your Pi, and set the DNS server to 1.1.1.1, 8.1.1.8.

And that’s it. Now you can make your PS4 or other networked device appear in another country without leaving the comfort of your lounge.
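A readiness check for the gateway role, as an added example that is not from the original article. Linux only relays other devices' traffic when IP forwarding is enabled, and a commercial VPN server only accepts that traffic when it is masqueraded behind the tunnel address; gateway_ready is a hypothetical helper, and it assumes iptables rather than nftables.

```shell
#!/bin/bash
# Added example, not from the article. gateway_ready is a hypothetical helper.
# Its three arguments are files, so it also runs on saved or constructed samples:
#   $1  /proc/sys/net/ipv4/ip_forward
#   $2  /proc/net/route (hex fields, little-endian as on the Pi)
#   $3  saved output of: iptables -t nat -S POSTROUTING
# Returns 0 if ready, 1 forwarding off, 2 no default route via tunnel, 3 no NAT.

gateway_ready() {
    local fwd="$1" routes="$2" nat="$3"
    # With forwarding off, packets arriving from other devices are not relayed.
    [ "$(tr -d '[:space:]' < "$fwd")" = 1 ] || { echo "ip_forward is off"; return 1; }
    # Look for a tun route covering 0.0.0.0 with a /0 or /1 mask
    # (OpenVPN's redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1).
    awk 'NR > 1 && $1 ~ /^tun/ && $2 == "00000000" &&
         ($8 == "00000000" || $8 == "00000080") { ok = 1 }
         END { exit !ok }' "$routes" || { echo "no default route via tun"; return 2; }
    # LAN clients must leave the tunnel with the Pi's tunnel address as source.
    grep -qE '^-A POSTROUTING .*-o tun[0-9+]* .*-j MASQUERADE' "$nat" ||
        { echo "no MASQUERADE rule on tun"; return 3; }
    echo "gateway ready"
}

# On the Pi, as root:
#   iptables -t nat -S POSTROUTING > /tmp/nat.txt
#   gateway_ready /proc/sys/net/ipv4/ip_forward /proc/net/route /tmp/nat.txt
```

A result of 2 while the console still has internet access means its traffic is leaving through the ordinary connection and not the VPN.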

This is the network setup screen from your games console.
Your Raspberry Pi can easily handle connecting to a VPN and marshalling your home network’s traffic through it.
