atari

Moderator


1

Saturday, May 9th 2020, 10:56pm

Raspberry Pi - OpenVPN Gateway how-to

Hey,

How-to: OpenVPN gateway on a Raspberry Pi 4B...

# Connect to the Raspberry Pi via SSH.

sudo apt-get update
sudo apt-get full-upgrade

sudo apt-get install openvpn
sudo systemctl enable openvpn


Now we need the NordVPN .ovpn configs; we download them onto the system with wget:

cd /etc/openvpn
sudo wget nordvpn.com/api/files/zip

We are still in the same directory:

sudo unzip zip

The configs are now unpacked and sit in the directory structure.

Now we pick a favourite and rename it to .conf, either in the terminal or on the desktop!

de75.nordvpn.com.udp1194.ovpn
. >> this server is just an example

We are still in the openvpn directory and create an auth.txt file that holds the login credentials:

touch auth.txt

Edit it and enter the credentials:

sudo nano auth.txt
User
Pass
Save!

Result:
We have renamed the .ovpn to e.g. de75.conf
and we have the auth.txt!
Now we edit the .conf file:

sudo nano de75.conf

Find the line
auth-user-pass and add the path:

auth-user-pass /etc/openvpn/auth.txt

If you use Pi-hole as DNS server, please also add this at the end:
push "dhcp-option DNS <IP of the Raspberry Pi>" >> only if you already have Pi-hole running!
Save.


# NordVPN autostart.

sudo nano /etc/default/openvpn

Find

#AUTOSTART="all"
and enter your preferred server here, e.g.
AUTOSTART="de75"

Please also remove the leading # (uncomment the line)!

Save!

After changing the .conf we have to reload it with:

sudo systemctl daemon-reload


Now on to the iptables. I am adding the iptables rules for using Pi-hole as well; I think anyone who has a Raspberry Pi should use Pi-hole, and does!

# Raspberry Pi as router

sudo /bin/su -c "echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' >> /etc/sysctl.conf"

We can check the setting with

sudo sysctl -p

which shows us

net.ipv4.ip_forward = 1


Raspberry as firewall

Now we need an iptables configuration so that the Raspberry acts as a firewall and routes the network traffic correctly through the NordVPN tunnel network.

# First we enable NAT, so that the right device in the network also gets the right traffic assigned to it:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# Then we route the internal network traffic from eth0 over the tunnel network tun0 and back.

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

The latter option only allows incoming traffic if it was previously initiated by a device inside the network.

# We also have to allow the Raspi's own loopback traffic:

sudo iptables -A INPUT -i lo -j ACCEPT

# In the next step we also want the Raspi to remain pingable and reachable via SSH.

sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# And traffic from the Raspi may also be returned:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Next, in preparation for installing Pi-hole, we have to open a few more ports for the local network so that DHCP, DNS, any VPN connections and the Pi-hole web interface work as well:

sudo iptables -I INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --destination-port 53 -j ACCEPT

sudo iptables -A INPUT -i eth0 -p udp --destination-port 1194 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --destination-port 1194 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
sudo iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable

- The iptables rules in red are for routing the DNS requests to Pi-hole as well as for HTTPS routing.

- Port 1194 refers to UDP; if you use TCP, please change it accordingly.

Afterwards we can look at our work and go through it once more:

sudo iptables -L
sudo iptables -L --line-numbers



# Saving the firewall settings

So that the iptables rules survive a reboot, we still have to install a small helper program and save the settings we just made.

sudo apt-get install iptables-persistent
sudo systemctl enable netfilter-persistent

The first command installs the program, the second saves the corresponding settings.

sudo systemctl restart openvpn

Basically that should be enough for now. Now you only have to assign the IP of the Raspberry as gateway to the devices in your own network, and you are in NordVPN's OpenVPN network. Have fun!

# IP check
curl ifconfig.me
# speed check
sudo apt-get install speedtest-cli
# run it
speedtest-cli

The devices run over OpenVPN and the DNS requests go over your Pi-hole; it runs super stable on the Raspberry Pi 4, tested myself.

Edit:

My setup: IPC, Samba, NAS, Pi-hole, VPN, JDownloader2 headless... 24/7

best regards,

I like PurE2 much more

Willkommen895

This post has been edited 2 times, last edit by "atari" (May 11th 2020, 11:39pm)


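The script below is an added example by the editor, not code from atari's post, from NordVPN or from the OpenVPN project. It covers two parts of the how-to above: the auth.txt / auth-user-pass step, and the "Raspberry Pi as router" / "Raspberry as firewall" steps. It assumes the post's values (/etc/openvpn/auth.txt, de75.conf, eth0 as LAN interface, tun0 as tunnel) but takes paths and interface names as parameters, so the functions can be tried against scratch files; nothing in it runs iptables or sysctl by itself, and the NordVPN credentials are represented by the placeholder variables USER_FROM_NORDVPN and PASS_FROM_NORDVPN. Three things differ from the commands in the post, for the reasons given in the comments: the credential file is created with mode 600 rather than with touch (which leaves it readable by every local account), the sysctl line is appended only if it is not already present instead of replacing the file, and the INPUT and FORWARD chains get a DROP policy, so LAN clients have no path out when tun0 is down.

```shell
#!/bin/sh
# Added example, not from the forum post. Helpers for the OpenVPN gateway:
# credential file handling, .conf check, sysctl append and the iptables ruleset.
# Paths and interface names are parameters; /etc/openvpn and eth0/tun0 are the
# post's values and only appear in the usage lines at the bottom.

# Write user ($2) and password ($3) to $1 so that only the owner can read it.
# 'touch' followed by nano leaves the file 0644, readable by every local account.
write_auth_file() {
    file="$1"; user="$2"; pass="$3"
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$file" )
    chmod 600 "$file"
}

# Verify that $1 (the client .conf) has an auth-user-pass line naming an
# existing mode-600 file. Prints the first problem found and returns 1.
check_client_conf() {
    conf="$1"
    path=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    if [ -z "$path" ]; then
        echo "auth-user-pass has no file argument: openvpn would prompt interactively"
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "credential file $path does not exist"
        return 1
    fi
    if ! find "$path" -perm 600 -print | grep -q .; then
        echo "credential file $path is not mode 600"
        return 1
    fi
    return 0
}

# Append net.ipv4.ip_forward = 1 to the sysctl file $1 unless it is already
# set. A single '>' redirect, as in the post, would replace the whole file.
enable_ip_forward() {
    conf="$1"
    if grep -q '^net\.ipv4\.ip_forward *= *1' "$conf" 2>/dev/null; then
        return 0
    fi
    printf '\n# Enable IP routing\nnet.ipv4.ip_forward = 1\n' >> "$conf"
}

# Print the iptables commands for LAN interface $1 and tunnel $2. The post's
# rules rely on the default ACCEPT policy; here INPUT and FORWARD are set to
# DROP (last, so an SSH session survives while the rules are loaded): nothing
# is forwarded unless the tunnel is up, and only the listed services reach the Pi.
gateway_rules() {
    lan="$1"; tun="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE
iptables -A FORWARD -i $lan -o $tun -j ACCEPT
iptables -A FORWARD -i $tun -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -p icmp -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $lan -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A INPUT -i $lan -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Usage on the Pi (as root), with the post's paths and interfaces; the two
# credential variables are placeholders for the values NordVPN gives you:
#   write_auth_file /etc/openvpn/auth.txt "$USER_FROM_NORDVPN" "$PASS_FROM_NORDVPN"
#   check_client_conf /etc/openvpn/de75.conf
#   enable_ip_forward /etc/sysctl.conf && sysctl -p
#   gateway_rules eth0 tun0 | sh && netfilter-persistent save
```

The rules are printed rather than executed so they can be reviewed first (`gateway_rules eth0 tun0 | less`); piping them into `sh` applies them, and `netfilter-persistent save` writes them to /etc/iptables/rules.v4 so the persistent service restores them at boot. The OpenVPN client's own outbound connection and its replies are covered by the ESTABLISHED,RELATED rule, so the DROP policy does not interfere with bringing the tunnel up.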

delfi

PurE2-Teamleiter


2

Saturday, May 9th 2020, 11:12pm

Nice!

gorski

Pur-E2 Moderator


atari

Moderator


4

Sunday, May 10th 2020, 2:25pm

Thx for the links, but with a manual OpenVPN conf you can use any VPN provider.


gorski

Pur-E2 Moderator


5

Sunday, May 10th 2020, 2:37pm

Yes, the principle is the same, except Surfshark uses a different username/password combination which they give you, for manual installation.....

Mind, we are still waiting for IKEv2 which would be better on all those platforms, given one would only lose around 10% of one's broadband speed....

With OpenVPN it's up to 90% losses, sadly, depending on the processor and so on...
http://braungardt.trialectics.com/philos…/enlightenment/ - I. Kant, "Political writings" (1784), the jolly text on Enlightenment, at the basis of Modernity...

atari

Moderator


6

Sunday, May 10th 2020, 5:18pm

Not really @gorski, with OpenVPN I have 50 Mbit coming in and get 45 Mbit, very good ;) Next I'll check WireGuard / NordLynx.


gorski

Pur-E2 Moderator


7

Sunday, May 10th 2020, 5:35pm

Actually, I said "depending on your HW" and what that HW has built in, in terms of encryption on the HW level.

https://www.bestvpnanalysis.com/vpn-encryption-terms/

https://forum.netgate.com/topic/110214/o…-aes-ni-speed/9 - I tested it on different modems, I even bought a mini-PC to get the best possible support, alas... it was still quite slow... Only some processors in commercial modems have AES-NI supported.

If AES-NI encryption/acceleration is not supported, then you will use a lot of speed, especially if you do not have enough cores and raw computing power, up to 90%, in fact. I know, since I tested it for NordVPN. All they could say was "We are trying with IKEv2 but it is not yet implemented..."

IKEv2 has a different encryption and one loses a lot less speed...

atari

Moderator


8

Sunday, May 10th 2020, 5:40pm

This thread is about a Raspberry Pi 4 gateway with OpenVPN.


gorski

Pur-E2 Moderator


9

Sunday, May 10th 2020, 5:46pm

If it is OpenVPN, then it has to deal with the same kind of encryption etc.

In this case, your Pi has 4 cores, right? How much RAM? Does it have AES-NI support? Do you know which processor exactly?

Because, there are various versions of PI, are there not?

Which authentication is used?

All that plays a role...

atari

Moderator


10

Monday, May 11th 2020, 12:40pm

It is a Raspberry Pi 4 / 4 GB RAM - ARM Cortex-A72 64-bit.

@gorski but that's not a basic discussion, it's just a how-to thread.
We would be happy to move that to other specialist threads.



gorski

Pur-E2 Moderator


11

Monday, May 11th 2020, 12:57pm

I think it's important for people to have fuller information, to understand that different HW will give them different results, for various reasons.

My older Pi will not work as well as yours. So, it is better they don't jump to conclusions but base their decisions on fuller info.

What works well for you, with your HW, might not work as well for everybody with different HW.

That's my point: context is important here and it was missing.

Basic info on HW and encryption requirements.