
I'm trying to set up a Pi Zero W as a wifi repeater with OpenVPN without using a USB wifi dongle, as a tiny travel router.

I tried using this tutorial by @ingo, raspberry-pi-zero-w-as-a-wifi-repeater, as a starting point. I can connect to the AP created and ping the Pi, but could not get any internet connection on the AP (with everything exactly as per the tutorial, except the IP of the router, and without static routes in the router as I don't have access).

I have also managed to get OpenVPN set up and working on the Pi but still can't access from the AP.

               wifi             Rpi             wifi              wan
mobile-phone <.~.~.~.~.> (ap0) (tun0) (wlan0) <.~.~.~.~.> router <-----> INTERNET
        \               /                \                  /
       (dhcp)   192.168.50.1           192.168.1.2    192.168.1.1

I also need to be able to access via ssh on ap0 to change the wifi SSID/passphrase for the wlan0 interface, as it will change weekly, and I also have no access for forwarding/routing in the router it's connected to. I would like to block ssh coming from the tunnel side, but allow it on both wlan0 and ap0.

I don't need to access any other devices on the network; all traffic besides ssh can go through the tunnel. It would be nice to have a failover option if OpenVPN can't connect, just in case (possibly with a way to quickly enable/disable the failover).

I'm sure it's something simple I'm missing. Any suggestions on how to set up routing to achieve this?

Chris H

1 Answer


I have made some routers with VPN and you may get some ideas from How To Create A Private Subnet Behind Raspberry Pi? and from Raspberry pi as access point with vpn. But your wifi repeater does not work, so I suggest making it run first without fiddling with a VPN tunnel. If it works as expected, then you should add the VPN tunnel. You also want to have special access conditions and a failover, and no, there is nothing simple you missed ;-)

So let's start to improve this answer interactively in these steps:

  1. make access point running incl. ssh
  2. add VPN tunnel
  3. configure restrictions
  4. lets talk about failover

As far as I understand, you can connect to the access point (AP) and you can connect to another station also connected to the AP, but you cannot get into the internet and you cannot ssh into the RasPi. Check if IP forwarding is active and the default route is set to the internet router:

rpi ~$ cat /proc/sys/net/ipv4/ip_forward   # should give 1
1

rpi ~$ ip route show
default via 192.168.1.1 dev wlan0 proto static
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.2
192.168.50.0/24 dev ap0 proto kernel scope link src 192.168.50.1

The line with default must point to the internet router and the device must be wlan0.

Then NAT (network address translation) must be enabled. Check with:

rpi ~$ sudo iptables --table nat --list POSTROUTING --verbose
Chain POSTROUTING (policy ACCEPT 5 packets, 355 bytes)
 pkts bytes target     prot opt in     out     source      destination
   13   974 MASQUERADE  all  --  any    wlan0   anywhere    anywhere

For ssh you should enable and start the service on the RasPi with:

rpi ~$ sudo systemctl enable ssh.service --now

and then from a Linux computer try to connect with verbose messages and look at what's going wrong:

station ~$ ssh -v pi@192.168.50.1

Regarding name resolution, you should first make it run only with IP addresses. If you are sure that the DNS server can be addressed by IP address, you can look at what's wrong with DNS. Systemd-networkd presents a default DNS server somewhere on the internet to the clients, so you should be able to resolve internet names like google.com. If the internet connection is broken, then the default DNS is also not working. If you use names in your local network managed by your own DNS server, you can configure systemd-networkd to present this server to its clients.

Check if you have enabled systemd name resolving with:

rpi ~$ sudo systemctl enable systemd-resolved.service
rpi ~$ sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

With cat /etc/resolv.conf systemd-networkd shows its default DNS servers if you haven't configured any:

nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 2001:4860:4860::8888
# Too many DNS servers configured, the following entries may be ignored.
nameserver 2001:4860:4860::8844

For example, with systemd-networkd, in the configuration for wlan0 you can define your own DNS server 192.168.10.10 for the RasPi itself with:

[Match]
Name=wlan0
[Network]
Address=192.168.10.2/24
Gateway=192.168.10.1
DNS=192.168.10.10 8.8.8.8

To give your own DNS server to the stations associated with the access point, set it in the configuration for ap0 with:

[Match]
Name=ap0
[Network]
Address=192.168.50.1/24
IPForward=yes
DHCPServer=yes
[DHCPServer]
DNS=192.168.10.10 8.8.8.8
Ingo
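The answer's steps 2 to 4 (add the tunnel, restrict access, think about failover) are only sketched above. The script below is an added example written for this thread, not code from Ingo's answer or from Chris H's box. It prints the sysctl and iptables commands for the topology in the question so they can be read before being piped into a root shell. Assumptions: the interface names and the 192.168.50.0/24 AP subnet come from the question's diagram; OpenVPN is assumed to push redirect-gateway, so while tun0 is up the default route already leads into the tunnel and the rules only decide what happens to AP clients when it is not. Note that the answer's step 1 masquerades on wlan0 for a plain repeater; the "vpn" mode here deliberately replaces that with masquerading on tun0 and drops ap0 to wlan0 forwarding, so a dead tunnel fails closed instead of leaking to the hotel wifi. The "failover" mode puts the wlan0 NAT back, which is the quick enable/disable toggle the question asks for. The file name in the usage line is an assumption.

```shell
#!/bin/sh
# Added example for the Pi Zero W travel router in the question; not code from
# Ingo's answer. It prints sysctl/iptables commands for one of two modes so
# they can be reviewed and then piped into a root shell.
#
# Assumptions (from the question's diagram, not verified on the poster's box):
#   ap0   access point side, 192.168.50.0/24
#   wlan0 upstream wifi (hotel/hotspot)
#   tun0  OpenVPN tunnel; the server is assumed to push redirect-gateway, so
#         while tun0 is up the default route already points into the tunnel.

LAN_IF=ap0
LAN_NET=192.168.50.0/24
WAN_IF=wlan0
VPN_IF=tun0

# build_rules MODE   (MODE is "vpn" or "failover")
#   vpn:      AP clients may only leave through tun0; ap0->wlan0 forwarding is
#             dropped, so a dead tunnel fails closed (no leak to the hotel wifi).
#   failover: ap0->wlan0 forwarding and NAT on wlan0 are added, so clients fall
#             back to plain wifi whenever tun0 is absent.
# SSH (tcp/22) is accepted on ap0 and wlan0 and dropped on tun0 in both modes,
# which is the access condition asked for in the question.
build_rules() {
    mode=${1:-vpn}
    case "$mode" in
        vpn|failover) ;;
        *) echo "build_rules: mode must be vpn or failover" >&2; return 1 ;;
    esac
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# --- management access ---
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $VPN_IF -p tcp --dport 22 -j DROP
# --- DHCP and DNS offered to AP clients (DHCPServer=yes on ap0) ---
iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
# --- client traffic through the tunnel ---
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $VPN_IF -s $LAN_NET -j MASQUERADE
EOF
    if [ "$mode" = failover ]; then
        cat <<EOF
# --- failover: same clients straight out of wlan0 when tun0 is down ---
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
    else
        cat <<EOF
# --- kill switch: never let AP clients bypass the tunnel ---
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP
EOF
    fi
    echo "iptables -P FORWARD DROP"
}

# Quick toggle:  sh travel-router.sh | sudo sh            (fail-closed "vpn")
#                MODE=failover sh travel-router.sh | sudo sh
# (the file name is an assumption; with no MODE the "vpn" rules are printed)
build_rules "${MODE:-vpn}"
```

Because the rules are generated rather than applied directly, the two modes can be diffed side by side before anything touches the Pi, and the only difference should be the two wlan0 lines that the failover mode adds and the one DROP it removes. To make the choice persistent across reboots, run the chosen mode from a systemd unit or an OpenVPN up/down script rather than by hand.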
  • I've spent days trying to get it to work on a Pi Zero W. I did manage to get some pings through the AP to the web, but DNS wasn't working, and the packet loss was very high. – Chris H Oct 12 '18 at 13:37
  • @ChrisH Hmm... your comment doesn't help much. Is there a difference between a RPi0W and a RPi3B+ regarding the wifi? I haven't a RPi0W but as far as I know there is no difference. Have you tried the tests I suggested? What does ssh -v complain about when it cannot connect? For DNS I have updated my answer. – Ingo Oct 12 '18 at 14:06
  • Sorry, been travelling for a few days; on the new network now and still the same issue. ssh is fine, I can access from either wlan0 or ap0. I can connect to the hotspot, and can ping IPs in the real world (8.8.8.8) and Google's IP address (216.58.203.100). Confirmed 'cat /proc/sys/net/ipv4/ip_forward' equals 1. – Chris H Oct 15 '18 at 12:20
  • The 'ip route show' shows: default via 10.180.223.1 dev wlan0 proto dhcp src 10.180.223.30 metric 1024; 10.0.0.0/24 dev br0 proto kernel scope link src 10.0.0.1; 10.180.223.0/24 dev wlan0 proto kernel scope link src 10.180.223.30; 10.180.223.1 dev wlan0 proto dhcp scope link src 10.180.223.30 metric 1024. The NAT result is identical to yours. So I think there is something with DNS. Any commands to check it out? – Chris H Oct 15 '18 at 12:36
  • One thing I have noticed: on a normal wifi connection my phone will show the DNS servers in the advanced section of the Network Details. When connected to the hotspot on the Pi there is no DNS server listed. Does it need to be set in the DHCP for ap0, in /etc/systemd/network/12-ap0.network? – Chris H Oct 15 '18 at 13:00
  • @ChrisH Seems everything works except DNS name resolution. I have updated my answer with some examples of how to define DNS servers. – Ingo Oct 16 '18 at 18:52
  • I can see some name servers in /etc/resolv.conf; they are the same ones that my phone displays when I connect directly to the network that wlan0 connects to. I'm hesitant to set a static IP on the wlan0 interface as there are hundreds of people connected and leases appear to be very short. Is this a valid concern? Or is the local DNS IP not exposed to the network wlan0 is connected to? I did try setting just Google's DNS IP in the /etc/systemd/network/12-ap0.network file as per above but it's still not working on my phone. – Chris H Oct 17 '18 at 12:05
  • As noted in another thread, DNS is not set properly from hostapd; I required dnsmasq for name resolution. Another issue I found: dnsmasq didn't start correctly due to the port being used already. To fix this, in /etc/systemd/resolved.conf add a line "DNSStubListener=No". – Chris H Jul 24 '19 at 09:10
  • According to your drawing the internet router has the IP address 192.168.1.1. I do not understand why your default route is set to default via 10.180.223.1 dev wlan0 proto dhcp src 10.180.223.30 metric 1024. In my setup there is no hostapd and no dnsmasq used. So what are you trying? – Ingo May 19 '20 at 08:55