3

I want to use my raspberry pi 3 as a wireless AP that I could connect to via my laptop or cell phone for use with my VPN subscription (PIA).

Simultaneously, I want to keep my static eth0 IP address 192.168.0.222 so that I can keep SSHing from my main PC over my LAN.

I have already set up an access point that allowed my phone to connect to the pi via wlan0 and bridge through to eth0 but not tun0. This setup kept my 192.168.0.222 for local SSH, and provided internet to my laptop and phone. But this setup didn't route traffic over wlan0 to my VPN.

I also set up the access point such that it successfully sent traffic coming into wlan0 to tun0 (tested by going to ipinfo.io on my phone while connected to the raspberry pi wifi network and seeing that I was indeed connected to a VPN server somewhere far far away). But when I got this successfully set up, it stopped me from being able to SSH over LAN at all: no more 192.168.0.222 static ip, and the assigned IP didn't work in putty either.

How can I get this set up to work? I followed these guides for AP and VPN AP respectively: Raspberry Pi Wireless Access Point

https://pimylifeup.com/raspberry-pi-vpn-access-point/

I also used a script stored in /etc/ipstartup file, that is run using crontab @reboot:

#!/bin/sh
# Run by crontab @reboot: give eth0 a fixed address so the Pi stays reachable
# for SSH at 192.168.0.222 whatever dhcpcd does.
ip address flush dev eth0
# The /24 prefix gives eth0 its LAN route; a bare address is treated as /32,
# and the default route below then has no path to the gateway.
ip address add 192.168.0.222/24 dev eth0
ip link set eth0 up
ip route add default via 192.168.0.1
printf "nameserver 8.8.8.8\nnameserver 8.8.4.4\n" > /etc/resolv.conf

Note: The above script worked to get my eth0 connection going for the access point without VPN, but it no longer kept my static ip (no longer did its job) when I went forward with trying to set up a VPN wireless AP.

Thanks in advance, and sorry if my unix/ networking lingo is bad!

EDIT: It works now. For anyone that might run into this issue themselves, here's what I did:

  1. reverted all networking files to defaults (dhcpcd.conf, wpa_supplicant, etc.)

  2. Followed this guide on setting up an access point except, and here's the important part, instead of doing step 18 I followed the troubleshooting provided by Ingo in the selected best answer below. Namely the flushing of the iptables section, and the iptables rules they provided.

  3. I then continued with the AP guide through to the end.

  4. To maintain my static IP of 192.168.0.222, I continued to use my crontab script that runs at boot.
codeNoob
  • 33
  • 1
  • 5

2 Answers

3

Bridging an access point together with a wired ethernet interface is possible, but connecting to a local network with internet access together with using a vpn tunnel is a routing problem. So you can only use routing instead of bridging, but that requires different subnets, e.g. for your wifi, the vpn tunnel and for your local network. A working solution of this problem I have made with Raspberry pi as access point with vpn.

Your setup seems to look similar to this (assuming unknown ip addresses):

                             10.10.10.2                       +----------+   10.10.10.1
                                /           vpn-tunnel        |          |       \
                             (tun0) =============\\    //======================> VPN-SERVER
PHONE ~.~.~.~.~.~> (wlan0)RPI(eth0) ------------> ROUTER ---> | INTERNET |
     \    wifi       /          \    ethernet    /       wan  |          |
192.168.4.2   192.168.4.1   192.168.0.222   192.168.0.1       +----------+

troubleshooting
iptables as firewall only restricts communication, so for troubleshooting make sure iptables is completely transparent. If routing works then we can set up a firewall. If you have some rules there then save them (out of scope here) before flushing [1]:

rpi3 ~$ sudo -Es
rpi3 ~# iptables --policy INPUT ACCEPT
rpi3 ~# iptables --policy FORWARD ACCEPT
rpi3 ~# iptables --policy OUTPUT ACCEPT
rpi3 ~# iptables --table nat --flush
rpi3 ~# iptables --table mangle --flush
rpi3 ~# iptables --table raw --flush
rpi3 ~# iptables --flush
rpi3 ~# iptables --delete-chain
rpi3 ~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
rpi3 ~# exit
rpi3 ~$

ip forwarding works without iptables. Check if ip_forward is set to 1:

rpi3 ~$ cat /proc/sys/net/ipv4/ip_forward
1

From your mobile phone you can ping the raspi. This should always work. If not you have a general problem with your wifi, e.g. wrong ssid, wrong password, low signal or something else.

phone: ping 192.168.4.1
64 bytes from 192.168.4.1: icmp_seq=1 ttl=64 time=0.663 ms
[...]

You must have set the default gateway on your phone to 192.168.4.1. Then you should see the other side (forwarding the ip) of the raspi:

phone: ping 192.168.0.222
64 bytes from 192.168.0.222: icmp_seq=1 ttl=64 time=0.663 ms
[...]

Your internet router isn't capable of static routing. So we have to fake it so that all packets appear to be coming from the raspi, even those from your phone. We do this with NAT:

rpi3 ~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

On an internet router with static routes you have to set one destination subnet to 192.168.4.0/24 or 192.168.4.0 netmask 255.255.255.0 and the gateway to 192.168.0.222. Names vary from model to model. The router will then send all packets for 192.168.4.0/24 to the raspi (192.168.0.222). The raspi knows where to forward them. Don't set a NAT if you have a static route. Other clients connected to your internet router can then connect to your phone and other clients on that subnet. That isn't possible with NAT.

Now you should be able to ping the internet router from the phone:

phone: ping 192.168.0.1
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.663 ms
[...]

And you should get responses out from the internet, e.g. from the google nameserver. First try from the raspi then from the phone:

rpi3 ~$ ping -I 192.168.0.222 -nc1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=2 ttl=61 time=12.4 ms
[...]
rpi3 ~$ ping -I 192.168.4.1 -nc1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=2 ttl=61 time=12.4 ms
[...]

phone: ping 8.8.8.8
64 bytes from 8.8.8.8: icmp_seq=2 ttl=61 time=20.3 ms
[...]

If you have established the vpn tunnel you should also see the endpoint of it on the raspi:

phone: ping 10.10.10.2
64 bytes from 10.10.10.2: icmp_seq=2 ttl=61 time=20.3 ms

But the vpn server on the other side of the tunnel will not respond because it does not know where to send responses to 192.168.4.2. For this it must have a static route to this subnet. But I think we don't have any chance to do that. So we also have to fake the server with a NAT. On the raspi set:

rpi3 ~$ sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Be aware that the workarounds with NAT restrict communication in your local network. Devices connected to the raspi through wifi will see your mobile phone, but devices connected to your internet router will not see your phone because of the NAT to the internet router.


references:
[1]: best way to clear all iptables rules

Ingo
  • 40,606
  • 15
  • 76
  • 189
  • "You wrote that you have wlan0 bridged through to eth0." I used bridge-utils following this documentation (second half of the page): https://www.raspberrypi.org/documentation/configuration/wireless/access-point.md. I will now investigate the link you posted and see where it takes me. I'll update after I've gone through it. – codeNoob May 20 '18 at 13:28
  • @codeNoob Yes I know that official tutorial you have linked. It is one of the "bridge" solutions with NAT on Layer 3 (not really bridging). Thanks for your investigation. I'm interested to your results. Please address me with _@Ingo_ otherwise I don't get an info about your comment. – Ingo May 20 '18 at 15:05
  • My router (SBG6580) isn't capable of static routing. I went thru the guide, I am now at a point where my raspi is a router with wlan0 IP 192.168.4.1, eth0 IP of 192.168.0.222. I can connect to the raspi network on my phone, I can't connect to the internet on my phone. I use these IP table settings: `iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT iptables -A FORWARD -i tun0 -o wlan0 -j ACCEPT iptables -t nat -A POSTROUTING -s 192.168.4.2,192.168.4.20 -o tun0 -j MASQUERADE` as suggested by this: https://www.reddit.com/r/linuxadmin/comments/34yof6/route_wlan0_traffic_trought_openvpn/ – codeNoob May 20 '18 at 16:06
  • read above, sorry I am new to posting here. @Ingo – codeNoob May 20 '18 at 16:12
  • @codeNoob I have added "troubleshooting" to my answer. Tell me where it does not work. – Ingo May 20 '18 at 19:50
  • Been real busy with work past week, sorry about late response. Following your troubleshooting: No phone pinging worked at all, so for the following I used my laptop instead: [worked] laptop:~ $ ping 192.168.4.1. [worked] laptop:~ $ ping 192.168.0.222. [failed] rpi3 ~$ ping -I 192.168.0.222 -nc1 8.8.8.8. [failed] rpi3 ~$ ping -I 192.168.4.1 -nc1 8.8.8.8. [failed] laptop:~ $ ping 8.8.8.8. Didn't bother trying to ping vpn tunnel. VPN confirmed to be up though on my pi. rpi3~$ ping 8.8.8.8 works fine. – codeNoob May 27 '18 at 17:14
  • look above, sorry again, "@"ing isn't working in my comments or I'm just dumb. @Ingo – codeNoob May 27 '18 at 17:20
  • It worked. I fully uninstalled hostapd, dnsmasq, and reverted all my networking configuration files to default. Then I went through the AP guide that I linked to earlier up until the point where it does iptables stuff. Then I followed your troubleshooting guide and it worked after doing that thorough iptables flushing, and the iptables rules you provided in the troubleshooting. – codeNoob May 28 '18 at 16:13
  • @codeNoob glad to help you :-). But be aware that you now have limited security. You may consider to improve settings in iptables for security. – Ingo May 28 '18 at 17:13
  • @codeNoob Did you get it working? That's exactly what I am looking for! – Ciasto piekarz Sep 21 '19 at 18:37
  • @codeNoob In the third sentence of my answer you can read "*A working solution of this problem I have made with [Raspberry pi as access point with vpn](https://superuser.com/a/1320566)*". This answer here is for troubleshooting it. – Ingo Sep 21 '19 at 20:16
  • Excellent guide to debug issues with routing!! Banged my head a lot until I arrived at your post but then managed to accomplish my objective which was to route all my traffic from tun0 (openvpn) to eth1 (alternate nic) – BirdOfPrey Sep 18 '20 at 13:43
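Once the routing checks above pass, the flushed ACCEPT-everything state that Ingo's closing comment calls "limited security" is what you are left with. The script below is an added example, not code from the answer or the linked guides: it emits an iptables-restore ruleset for the same routed layout (wifi clients on wlan0/192.168.4.0/24, the Pi on eth0/192.168.0.222, the VPN on tun0), keeping only the tun0 MASQUERADE from the answer, allowing SSH from the wired LAN, and forwarding wifi traffic into the tunnel only, so clients cannot fall back to the plain eth0 path when tun0 is down. It assumes dnsmasq on the Pi serves DHCP and DNS to the wifi clients.

```shell
#!/bin/sh
# Hypothetical hardening ruleset for the wlan0 -> tun0 layout in the answer.
# Emits an iptables-restore file; apply with:  sh vpn-ap-rules.sh | sudo iptables-restore
LAN_IF=eth0; AP_IF=wlan0; VPN_IF=tun0
AP_NET=192.168.4.0/24; LAN_NET=192.168.0.0/24

vpn_ap_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide wifi clients behind the tunnel endpoint (the answer's second NAT rule).
# No eth0 MASQUERADE: wifi traffic is never forwarded out of eth0 at all.
-A POSTROUTING -o $VPN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the wired LAN, which keeps the 192.168.0.222 use case working.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Wifi clients need DHCP and DNS from the Pi (dnsmasq) and may ping it.
-A INPUT -i $AP_IF -p udp -m multiport --dports 67,53 -j ACCEPT
-A INPUT -i $AP_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $AP_IF -p icmp --icmp-type echo-request -j ACCEPT
# Forward wifi -> tunnel only. With FORWARD policy DROP there is no
# wlan0 -> eth0 path, so client traffic cannot bypass the VPN when tun0 is down.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $AP_IF -s $AP_NET -o $VPN_IF -j ACCEPT
COMMIT
EOF
}

# The answer's first check: nothing is routed unless ip_forward is 1.
# Takes the sysctl file path as an argument so it can be checked against a
# constructed file; defaults to the live kernel value.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}
```

Because the wlan0-to-eth0 forward path is closed on purpose, the answer's "phone: ping 192.168.0.1" check fails by design under this ruleset; pings to the Pi itself (192.168.4.1, 192.168.0.222) and through the tunnel still work.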
0

The Ethernet Bridge could be the tool that is suitable for you.

Install it with sudo apt install bridge-utils

First create a bridge:

sudo brctl addbr br0

Creates a bridge named br0.

And then add the interfaces:

sudo brctl addif br0 wlan0
sudo brctl addif br0 tun0

This will bridge wlan0 and tun0 in the same bridge.

More reading: https://drjohnstechtalk.com/blog/2014/03/bridging-with-the-raspberry-pi/

MatsK
  • 2,478
  • 3
  • 12
  • 20
  • The tutorial behind the link you have given is more than 4 years old. It bridges two ethernet interfaces. That's ok but bridging wifi on OSI layer 2 does not work with Raspberry Pi because [lack of WDS (Wireless Distribution System) and support for `4addr`](https://raspberrypi.stackexchange.com/a/81518/79866). – Ingo May 19 '18 at 21:40
  • I will need to investigate more on this OSI layer 2 and WDS, I am unfamiliar with these terms, but I can confirm that bridge-utils did not get my desired functionality working. – codeNoob May 20 '18 at 13:32
  • @Ingo I am looking to set up static route on a router, I just picked up one capable of it. Do you know a good way to do this? ...Also going to be starting a new question when I have more time about getting rid of DNS leak (resolvconf and my lack of knowledge have wasted like 4 hours of my life trying to set PIA's DNS servers). Will also be going into security with setting up iptables. – codeNoob May 30 '18 at 02:24
  • @codeNoob I have added Info for a static route to my answer just after the first NAT rule. – Ingo May 30 '18 at 12:23