11 years ago

Using your Raspberry Pi as a VPN access point

I wanted easy/secure access to my home network.  I had a Raspberry Pi sat in my office doing nothing and this would make a nice project for it.

I had a play around with the Pi when it first came out (this Pi came from the initial batch that had been released) so the SD card had a very old version of Raspbian Linux.  So I went over to Raspbian and downloaded the latest image and installed it onto the SD card. I used RPI SD card builder as I was using a Mac but this guide will help if you are running other operating systems.

Installing Point-to-Point Tunnelling Protocol

Once you have your Pi up and running you need to install Point-to-Point Tunnelling (PPTP) on your Pi.

sudo apt-get install pptpd

This will install the necessary packages.  Then you need to setup 

Now you need to edit the PPTP configuration file which is located 

/etc/pptpd.conf

You need to add the following lines to the bottom of this file

localip 192.168.1.2
remoteip 192.168.2.100-150

The localip setting is the IP address of the Pi.  To avoid having to change this value it is worth setting your home router to always give the Pi this IP address.  If this is not possible then you need to configure the Pi for a static IP (more on this later).

The remoteip setting is the set/range of IP addresses which will be issued to clients that connect to your VPN.  In the above example the setting specifies that 50 IP addresses will be available.  You can specify IP addresses in a comma separated list or in ranges (or combination).  So the following is valid

remoteip 192.168.2.100-150,192.168.2.160,192.168.2.170-180

Once you have got these settings how you want you need to edit the file 

/etc/ppp/pptpd-options

Find the lines (about half way down the file)

#ms-dns 10.0.0.1
#ms-dns 10.0.0.2

These lines specify the DNS servers that the clients connected to your VPN will use.  If you have machines in your internal home network which can be addressed by name rather than IP then you will need to change this setting to your internal DNS gateway (probably your router's address).  But if you don't need this facility then set these values to Google's Public DNS servers.

So now the settings should look like this (I am using Google's DNS)

ms-dns 8.8.8.8
ms-dns 8.8.4.4

You don't need two lines, so if you are using your internal router for this setting then you would only require one ms-dns setting. 

Now go to the bottom of the file and add the following lines

nobsdcomp
noipx
mtu 1490
mru 1490

You may find some of these settings already there, possibly commented out (have a # character in front).  If so simply add the settings you don't have and comment out any that you need to.

Now we need to add users to our VPN setup. Edit the file

/etc/ppp/chap-secrets

This file will probably look like this

# Secrets for authentication using CHAP
# client	server	secret			IP addresses

Modify this file so it looks like this (change your username and password to what you want)

# Secrets for authentication using CHAP
# client	server	secret			IP addresses
james	*	testpassword	*

This gives this user full access to your home network.
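The check below is an added example, not part of the original guide: it expands the remoteip pool and reports chap-secrets entries whose fourth column is * (pppd reads that column as the IP addresses the client may use) or names an address outside the pool. The sample input is constructed from the values shown above, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input: the values shown in this guide.
PPTPD_CONF = "localip 192.168.1.2\nremoteip 192.168.2.100-150\n"
CHAP_SECRETS = "# client\tserver\tsecret\tIP addresses\njames\t*\ttestpassword\t*\n"

def expand_pool(spec):
    """Expand a remoteip value (comma-separated addresses and last-octet ranges)."""
    pool = []
    for item in spec.split(","):
        first, _, last = item.strip().partition("-")
        start = ipaddress.IPv4Address(first)
        # "192.168.2.100-150" means .100 through .150 inclusive
        end = ipaddress.IPv4Address(first.rsplit(".", 1)[0] + "." + last) if last else start
        if end < start:
            raise ValueError("descending range: " + item)
        pool.extend(ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1))
    return pool

def audit(pptpd_conf, chap_secrets):
    """Return findings for the contents of pptpd.conf and chap-secrets."""
    settings = {}
    for line in pptpd_conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings[parts[0]] = parts[1].strip()
    pool = expand_pool(settings["remoteip"])
    findings = []
    if ipaddress.IPv4Address(settings["localip"]) in pool:
        findings.append("localip is inside the remoteip pool")
    pinned = {}
    for line in chap_secrets.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # comment, blank line, or entry with no IP column
        client = fields[0]
        for addr in fields[3:]:
            if addr == "*":
                findings.append(client + ": '*' allows any client IP address")
                continue
            try:
                ip = ipaddress.IPv4Address(addr)
            except ValueError:
                findings.append(client + ": address form not checked: " + addr)
                continue
            if ip not in pool:
                findings.append(client + ": " + addr + " is outside the remoteip pool")
            if pinned.setdefault(ip, client) != client:
                findings.append(client + ": " + addr + " is also pinned to " + pinned[ip])
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PPTPD_CONF, CHAP_SECRETS)))
```

Replacing the * in the last column with a single address from the remoteip range gives that user a fixed, known address on the VPN.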

Now you need to modify the Raspberry Pi's internal firewall/routing tables by editing the file

/etc/rc.local

and putting the following towards the top of the file below the comments.

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Now the Pi will know how to correctly route packets coming through the VPN.

Now if you don't want to set up a static IP for your Pi go straight to the bottom.

Setting up a static IP

Edit the file

/etc/network/interfaces 

and find the line

iface eth0 inet dhcp

and comment it out.  You then need to manually add the settings which normally would come from your DHCP server in your router.

I added the following

iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1

to my file.  Address is the static IP you would like the Pi to have.  This setting needs to match the localip setting in the /etc/pptpd.conf file.  Use the netmask that your router was already using and set the gateway setting to be the address of your router.

Finish

Now you need to configure your router to forward all traffic from the external port 1723 to your Pi on the same port.  Follow guidance from your router provider on how to do this as it varies from router to router.

Reboot your Pi and configure your devices to use the VPN.  You will need to know the external IP address of your internet connection which can be found either in your router's settings or by visiting http://www.whatsmyip.org on a computer from inside your home network.