
I have set up an access point with a bridge (bridge: I want to be able to access all other devices within my network) using this How-To (Setting up a Raspberry Pi as an access point - the easy way).

Here is my setup:

PC (OS:Win10, static IP from router2, 192.168.2.2):
< --------------------------- wired --------------- > router2

Denon AVR (static IP from router2, 192.168.2.5):
< --------------------------- wired --------------- > router2

RPi3B+ (OS:osmc with Kodi (light Debian), static IP from router2, 192.168.2.3):
< --------------------------- wired --------------- > router2

                              RPi4                         
                      ??<-----VPN----->??
               wifi   ┌──────bridge──────┐                  
mobile-phone <.~.~.~> │(wlan0) br0 (eth0)│ <-wired--> router2 <-wan-> router1 (CN ISP) <--> INTERNET
                      \         |        /           DHCP-server  /  DHCP-server?
(static IP               static IP                   192.168.2.1     192.168.1.1
from router2,            from router2,
192.168.2.4)             192.168.2.15)

Now I'm facing a serious problem: how to get the WiFi-connected devices into the VPN tunnel.

  • My router has 192.168.2.1 behind another router with 192.168.1.1 (provided by my Chinese ISP).
  • My RPi4 with the WLAN bridge has 192.168.2.15 (DHCP from the router 192.168.2.1).
  • expressvpn is running on the RPi4 (I live in China, without vpn no google & Co).
  • Everything is ok with Putty-SSH, google.de can be reached, public IP changed.
  • WiFi@RPi connected devices have internet in the browser, but they cannot reach google.de because the traffic from the device is not going through the VPN tunnel. The public IP (on the WiFi-connected device) is still coming from the ISP and not from the VPN server. So I have to configure iptables, if it is possible at all with this configuration.

  • How do I configure the IPTables?

Below all changed files are listed, and here is the output of:

pi@Pi4:~ $ sudo iptables -L -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
42675   13M xvpn       all  --  any    any     anywhere             anywhere

Chain xvpn (1 references)
 pkts bytes target     prot opt in     out     source               destination
42675   13M xvpn_dns   all  --  any    any     anywhere             anywhere
37923   13M xvpn_ks    all  --  any    any     anywhere             anywhere

Chain xvpn_dns (1 references)
 pkts bytes target     prot opt in     out     source               destination
42675   13M xvpn_dns_iface_exceptions  all  --  any    any     anywhere             anywhere
42675   13M xvpn_dns_ip_exceptions  all  --  any    any     anywhere             anywhere
  228 20176 DROP       udp  --  any    !lo     anywhere             anywhere             udp dpt:domain

Chain xvpn_dns_iface_exceptions (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain xvpn_dns_ip_exceptions (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4157  260K ACCEPT     udp  --  any    any     anywhere             10.199.0.1           udp dpt:domain

Chain xvpn_ks (1 references)
 pkts bytes target     prot opt in     out     source               destination
37923   13M xvpn_ks_iface_exceptions  all  --  any    any     anywhere             anywhere
24548   11M xvpn_ks_ip_exceptions  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpts:bootps:bootpc
   11  1692 DROP       all  --  any    !lo     anywhere             anywhere

Chain xvpn_ks_iface_exceptions (1 references)
 pkts bytes target     prot opt in     out     source               destination
10900 1686K ACCEPT     all  --  any    tun0    anywhere             anywhere

Chain xvpn_ks_ip_exceptions (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             10.0.0.0/8
    0     0 ACCEPT     all  --  any    any     anywhere             172.16.0.0/12
  722 81202 ACCEPT     all  --  any    any     anywhere             192.168.0.0/16
    0     0 ACCEPT     all  --  any    any     anywhere             169.254.0.0/16
   14  1411 ACCEPT     all  --  any    any     anywhere             base-address.mcast.net/24
20556 9294K ACCEPT     all  --  any    any     anywhere             45.84.213.70


root@Pi4:~ # cat /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
country=DE
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="RPi4"
    mode=2
    frequency=2437
    #key_mgmt=NONE   # uncomment this for an open hotspot
    # delete next 3 lines if key_mgmt=NONE
    key_mgmt=WPA-PSK
    proto=RSN WPA
    psk="Entensalt"
}

root@Pi4:~ # cat /etc/systemd/network/02-br0.netdev
[NetDev]
Name=br0
Kind=bridge

root@Pi4:~ # cat /etc/systemd/network/04-br0_add-eth0.network
[Match]
Name=eth0
[Network]
Bridge=br0

root@Pi4:~ # cat /etc/systemd/network/12-br0_up.network
[Match]
Name=br0
[Network]
MulticastDNS=yes
DHCP=yes
# to use static IP uncomment these and comment DHCP=yes
#Address=192.168.50.60/24
#Gateway=192.168.50.1
#DNS=84.200.69.80 1.1.1.1

root@Pi4:~ # cat wpa_supplicant@wlan0.service
cat: wpa_supplicant@wlan0.service: No such file or directory
#I don't know how to show you this file, but changes were made according to your setup.

pi@Pi4:~ $ expressvpn status
Connected to Hong Kong - 4

   - If your VPN connection unexpectedly drops, internet traffic will be blocked to protect your privacy.
   - To disable Network Lock, disconnect ExpressVPN then type 'expressvpn preferences set network_lock off'.

pi@Pi4:~ $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether dc:a6:32:10:b5:18 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:9c:50:65:3a:36 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.15/24 brd 192.168.2.255 scope global dynamic br0
       valid_lft 82883sec preferred_lft 82883sec
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether dc:a6:32:10:b5:19 brd ff:ff:ff:ff:ff:ff
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.199.0.18 peer 10.199.0.17/32 scope global tun0
       valid_lft forever preferred_lft forever

pi@Pi4:~ $ curl ipinfo.io/ip
45.135.186.71

pi@Pi4:~ $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.199.0.17     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.2.1     0.0.0.0         UG    1024   0        0 br0
10.0.0.0        192.168.2.1     255.0.0.0       UG    0      0        0 br0
10.199.0.1      10.199.0.17     255.255.255.255 UGH   0      0        0 tun0
10.199.0.17     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
45.84.213.70    192.168.2.1     255.255.255.255 UGH   0      0        0 br0
128.0.0.0       10.199.0.17     128.0.0.0       UG    0      0        0 tun0
172.16.0.0      192.168.2.1     255.240.0.0     UG    0      0        0 br0
192.168.0.0     192.168.2.1     255.255.0.0     UG    0      0        0 br0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.2.1     0.0.0.0         255.255.255.255 UH    1024   0        0 br0

pi@Pi4:~ $ ip route
0.0.0.0/1 via 10.199.0.17 dev tun0
default via 192.168.2.1 dev br0 proto dhcp src 192.168.2.15 metric 1024
10.0.0.0/8 via 192.168.2.1 dev br0
10.199.0.1 via 10.199.0.17 dev tun0
10.199.0.17 dev tun0 proto kernel scope link src 10.199.0.18
45.84.213.70 via 192.168.2.1 dev br0
128.0.0.0/1 via 10.199.0.17 dev tun0
172.16.0.0/12 via 192.168.2.1 dev br0
192.168.0.0/16 via 192.168.2.1 dev br0
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.15
192.168.2.1 dev br0 proto dhcp scope link src 192.168.2.15 metric 1024
Georg
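One way to do what the question asks, as an added example that is neither part of the question nor ExpressVPN's tooling: it assumes the br0, tun0 and 192.168.2.0/24 names from the ip output above, and that the WiFi clients are configured with 192.168.2.15 (not router2) as their default gateway, because a bridge is transparent and the Pi never sees packets the clients send straight to router2.

```shell
#!/bin/sh
# Added example, not from the question or from ExpressVPN: turn the RPi4 into
# a NAT gateway so that LAN clients whose default gateway is 192.168.2.15 reach
# the internet only through tun0. Interface and network names are assumptions
# taken from the question's ip output.
LAN_IF=${LAN_IF:-br0}
VPN_IF=${VPN_IF:-tun0}
LAN_NET=${LAN_NET:-192.168.2.0/24}

# Print the rules, one command per line.
# - br0 bridges wlan0 and eth0 into one L2 segment, so the Pi only sees a client
#   packet in FORWARD when the client addressed it to the Pi's MAC, i.e. when the
#   client uses 192.168.2.15 as gateway (router2's DHCP hands out 192.168.2.1).
#   Client traffic to other 192.168.2.x hosts is switched, never routed.
# - Forwarded packets follow the Pi's main routing table, where 0.0.0.0/1 and
#   128.0.0.0/1 via tun0 already win over the default via 192.168.2.1.
# - xvpn_ks only hooks OUTPUT, so the last FORWARD rule is the kill switch for
#   forwarded traffic: if tun0 is gone, client packets are rejected, not leaked.
# - MASQUERADE rather than SNAT because the tun0 address changes per connection.
vpn_gateway_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $VPN_IF -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF ! -o $VPN_IF -j REJECT --reject-with icmp-net-unreachable
EOF
}

# Execute the rules, or only print them when DRY_RUN=1.
apply_rules() {
  vpn_gateway_rules | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf '%s\n' "$cmd"
    else
      sh -c "$cmd"
    fi
  done
}

# Clients must also use a resolver that is routed over the tunnel (10.199.0.1
# in the question's routes); DNS sent to router2 stays on the LAN and leaks.
# Run as root with "apply" as first argument; DRY_RUN=1 ./vpn-gw.sh apply prints.
if [ "${1:-}" = apply ]; then
  apply_rules
fi
```

Check with `DRY_RUN=1 ./vpn-gw.sh apply` first, then `curl ipinfo.io/ip` from a WiFi client must show the VPN exit address rather than the ISP one.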
  • @Ingo thank you, I followed your tutorial (as you may have realized). As I mentioned, VPN is a basic issue for me living in China. Unfortunately, I need access to the subnet 192.168.2.1 to control Kodi on another RPi 3B+ running osmc and AVR from iPhone/iPad for convenience. Therefore I would like to connect the WiFi devices to a raspberry with VPN but within the same subnet. Unfortunately, the raspberry running osmc can’t do tethering since last kernel update. That’s why I want to use my RPi4 as AP with bridge and VPN. VPN on the iDevices is unstable and needs manual reconnect. Cheers Georg – Georg Feb 11 '20 at 16:31
  • Can you provide a simple drawing about your network connections? There are many different parts and I don't get it together only from your description. – Ingo Feb 11 '20 at 18:06
  • @Ingo additional info: all devices should see each other and have access to each other (remote control apps, file transfer, SSH);

    RPi3B+ (OS:osmc/light Debian) is running OpenVPN (needed for access to TheTVDB in China) but osmc’s built-in tethering (AP) not working because RPi3B+ internal WiFi adapter nl80211 not supported in Debian kernel 4.19;

    running VPN on router2 is not wanted because sometimes need internet without vpn (CN internet access) and different vpn servers needed from time to time (only limited number of servers working in China and sometimes none)

    – Georg Feb 12 '20 at 04:01
  • Hi @Georg As you see, comments are not the right place for documentation. It is unreadable. Please edit (there is a link beneath the question) your question and add it there. Afterwards you can delete the comments. – Ingo Feb 12 '20 at 08:11
  • @Ingo Thank you for helping. I put the drawing in my question. – Georg Feb 12 '20 at 08:47
  • Can you please make an answer about the solution and accept it after two days? Only accepting an answer with a click on the tick on its left side will finish the question and it will not pop up again year for year. – Ingo Feb 16 '20 at 10:25

1 Answer


I bought a router with AES-NI hardware support (Asus RT-AC86U) at a good price, which is now running my VPN. It works very fine and faster than VPN on the Win10 PC. Fortunately, and maybe also surprisingly, my iDevices and the PC cannot connect to the VPN at the moment due to successful Great Firewall blocking, but the router can! The Bridge + OpenVPN way was too difficult for me to solve.

Georg