Protect Your Identity with the VPiN

Maximum PC - R&D - ADAM OXFORD

YOU’LL NEED THIS

RASPBERRY PI: This credit-card sized computer costs around $35.

VPN SUBSCRIPTION: We’re using the Nord VPN service in this tutorial.

CARING ABOUT YOUR ONLINE PRIVACY and actually following best practices to protect it are two different things. As a Maximum PC reader, it’s likely that you know the principles of what you should do to avoid the great data collectors and geo-locators in the sky, but maintaining constant vigilance is an effort that soon gets tiresome, if not downright impossible.

For example, you know that you should be using a VPN to avoid any ISP-level filters. Setting up and using a log-free VPN service from your desktop is straightforward enough, but what about all the other devices you have in your home? For example, if you use a games console to watch Netflix or YouTube on your TV, how do you route traffic from there effectively? No consoles have built-in VPN software. There’s no app in the PlayStation store.

One solution, of course, would be to buy a router that can connect directly to a VPN service, protecting all the traffic that travels around your home network at a single stroke. Or, if you have an older router, you could modify it with OpenWRT firmware, and add controls such as these in. Or, if you want a cheaper and more straightforward solution, you could always use a Raspberry Pi….


With just a few fairly simple scripts, you can configure any Raspberry Pi to be a headless VPN gateway. This means that when it’s connected to your router, you can send traffic to it from other devices before they connect to the outside world—essentially putting them behind a VPN [Image A]. Here, we’re using a first-generation Pi—it’s a nifty repurposing of a piece of gear that’s past its sell-by date for most other common Pi-related projects.

>> To get started, you need four things: a Raspberry Pi, an SD card preloaded with the Raspbian operating system, and a subscription to a VPN service of your choice. We’re going to use Nord VPN, which assures us that it doesn’t log user behavior or filter for particular activities, such as P2P protocols. There are services that promise even more anonymity, or are more affordable, but Nord is a good place to start investigating options.

>> The fourth thing you need is a copy of your provider’s OpenVPN configuration files and encryption certificates. There are usually a lot of these—one for each server you can connect to—so pick a handful that you want to be able to quickly access. We opted for two US and two UK servers, choosing one that supports the UDP protocol and one that supports TCP/IP.

>> You should find these configuration files on your VPN provider’s website. Download them, then unzip them into a folder on your desktop.


We want our Pi to run headless; in other words, without a keyboard and monitor attached, which means that once it’s up and running, we’ll need to access it using a remote shell and SSH. For the first run, it can be easier to access the Pi directly by plugging in peripherals, at least until you’ve made sure it has a fixed IP address on your network—essential for this project.

>> To do that, open a terminal on the Pi desktop, and type sudo nano /etc/network/interfaces . Edit this file to look like this (you can choose any free IP address for the line that ends in “12”; bear in mind that the “1” in the third part of the address could be another number):

auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static
address
netmask
gateway
dns-nameservers

>> Press Ctrl-O to write out the file, and then press Ctrl-X to quit Nano.

>> Now turn the Pi off, and remove all peripherals, leaving just the networking cable in place. Then reconnect the power supply to get it started again.

>> Once the Pi has booted up, you should be able to access it from another PC using SSH. In our case, the command to connect is ssh [email protected] and the password is the default, “raspberry.” You’ll probably want to change the password.

>> The next thing you need to do is install the OpenVPN packages with the following command: sudo apt-get install openvpn .

>> Next, navigate to the folder where you need to keep your OpenVPN configuration files by typing cd /etc/openvpn . You need to download the configuration files from your VPN provider. In our case, we can do this using wget—don’t forget to use sudo because the “/etc” folder isn’t writable by ordinary users. In our case, the command is sudo wget https://downloads.nord…figs/archives/servers/ followed by sudo unzip to decompress it.

>> A quick ls command shows if you have been successful. There should be a list of files ending in “.ovpn.” Note that some VPN providers may have packaged these files with subdirectories, for example for connections encrypted with optional 128 or 256-bit protection. You need to move the files to the “/etc/openvpn” directory using the mv command.

>> You can now open a connection to any of these servers using the command sudo openvpn --config example.ovpn --daemon , where example is the filename of the configuration file.

>> If you try this now, you’ll notice that the script asks for your username and password to authenticate the connection. Do test to see if the connection is working by typing ifconfig . You should see a connection marked “TUN,” which is your VPN tunnel.


So far, we have a slightly cumbersome way of connecting our Pi to a VPN via a terminal that requires you to enter your username and password when you want to connect. Good, but it could be better—we’re going to create a few scripts to automatically supply your credentials.

>> Take a look at the VPN files you downloaded to your desktop and open one of them. You should see that it starts the client and that there’s a list of commands. These include a line that contains auth-user-pass . We can alter this line to automatically feed a username and password to our config file when it is called.

>> Back in your SSH connection to the Pi, navigate back to “/etc/openvpn,” and type sudo nano vpnlogin . This should open up the Nano text editor. Create a text document that has nothing except your username for the VPN provider on the first line, and your password on the second. Hit Ctrl-O to write the contents to disk, then Ctrl-X to quit Nano.

>> Once you’ve done that, pick the VPN connection you think you’ll use the most, and edit the config file using sudo nano example.ovpn . Change the line that says auth-user-pass to auth-user-pass vpnlogin .

>> Now when you start that connection using the openvpn command, it should connect directly without the password prompt. (See boxout below to change all the config files at once.)
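
The boxout is not reproduced on this page. As an added example (not code from the article), this shell function points every .ovpn profile in a directory at one credentials file and restricts that file, which holds the VPN password in clear text, to its owner. The name set_auth_file and its arguments are assumptions; pass the credentials file as an absolute path so the profile also works when OpenVPN is started from another directory.

```shell
#!/bin/sh
# Added example: point every .ovpn profile in a directory at one
# credentials file and restrict that file to its owner.
# set_auth_file is a hypothetical helper name, not part of OpenVPN.

# usage: set_auth_file DIR CREDFILE   (prints the number of profiles changed)
set_auth_file() {
    dir=$1
    cred=$2   # assumed to contain no '|', '&' or '\' (sed metacharacters)
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    [ -f "$cred" ] || { echo "no credentials file: $cred" >&2; return 1; }

    # Username and password sit here in clear text: owner read/write only.
    chmod 600 "$cred" || return 1

    changed=0
    for f in "$dir"/*.ovpn; do
        [ -f "$f" ] || continue            # the glob matched nothing
        tmp=$(mktemp "$f.XXXXXX") || return 1
        # Rewrite a bare "auth-user-pass" or one that already names a file.
        # The trailing group also swallows a CR from DOS line endings.
        sed "s|^[[:space:]]*auth-user-pass\([[:space:]].*\)\{0,1\}\$|auth-user-pass $cred|" \
            "$f" > "$tmp"
        # A profile without the directive gets it appended.
        grep -q '^auth-user-pass ' "$tmp" || printf 'auth-user-pass %s\n' "$cred" >> "$tmp"
        if ! cmp -s "$f" "$tmp"; then
            cat "$tmp" > "$f"              # keeps the profile's owner and mode
            changed=$((changed + 1))
        fi
        rm -f "$tmp"
    done
    echo "$changed"
}

# Run as: sudo sh set_auth.sh /etc/openvpn /etc/openvpn/vpnlogin
if [ "$#" -eq 2 ]; then
    set_auth_file "$1" "$2"
fi
```

Running it a second time changes nothing, so it is safe to repeat after downloading a fresh set of profiles.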

>> So far so good, but we don’t want to have to type a long command every time we need to connect to a VPN. Remember taking a note of your most likely used servers right back at the start? Good, because we’re going to create a quick script that will enable you to start and switch between those with a simple command.

>> It begins with an instruction to close any open VPN connections, then starts the OpenVPN daemon, filling in the credentials from the text file we just created.

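>> Back in your home folder, type nano :

#!/bin/bash
# Close any VPN connection that is already open
sudo killall openvpn
# Start OpenVPN in the background with the chosen profile
sudo -b openvpn /etc/openvpn/example.ovpn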

>> Repeat this step for the three or four VPN connections you think you’ll use the most, adding one to the number in the filename. Now you can start or switch your connection by SSHing into the Pi from any computer on the network, and typing sudo ./ .

>> Finally, to route traffic via the Pi, you need to go back to your PlayStation (or other device), and change the Internet settings [Image B]. Leave everything in its default setting apart from the Gateway and DNS servers.

>> Change Gateway to the IP address of your Pi, and set the DNS server to,

>> And that’s it. Now you can make your PS4 appear in another country without leaving your living room.
