Goal:
The goal is setup a Raspberry Pi model B+ as a virtual private network router to use with a FireTV.
An inexpensive solution to gain the privacy of using a VPN without significant software changes to the FireTV. Also the ability to add more devices to use through the VPN service would be helpful.
Background Info:
I purchased a FireTV and sideloaded it with Kodi media center app, and wanted to use my Private Internet Access account for VPN service but did not want to root the FireTV.
The FireTV in this setup is meant to be a replacement for a power hogging htpc running Kodi.
I used bits and pieces of several instructionals found on the web in combination with some trial and error. Most setups I found were using a single NIC for DHCP, WIFI, or were for VPN server applications.
This setup will need to use a VPN client on the internal wired NIC via OpenVPN with NAT to a second wired USB NIC running a DHCP server on a seperate LAN subnet.
Links:
Zentyal - just what I use for my home setup, not needed for this project to work.
PIA_VPN - use your VPN service (this informational only covers my use of OpenVPN)
Parts we will need:
- Raspberry Pi (I used a model B+, a model 2 should be even better)
- 4GB MicroSD with Raspbian Image
- USB NIC -
- Raspberry Pi power supply
- HDMI cable (for setup)
- keyboard/mouse (for setup)
Skill Level Needed:
- ability to use linux command line for basic file navigation, unzip/copy/move/ect...
- basic networking knowledge for home type networks
The setup is as follows:
I use the ISP supplied WAN router for my internet service connected to a Zentyal community edition server to manage my LAN DHCP and access points.
I needed an inexpensive way to use my PIA VPN service on the FireTV. I found several tutorials about rooting the device so that the needed files could be installed to make a VPN client work, but only certain firmware revisions of the FireTV seemed to be listed as able to work this way. Mine was not one of them.
This is the setup I have found to work for me, it may not work for you.
First, let's get the Pi setup with Raspbian:
Either purchase a pre-loaded SD card with the Raspbian image on it or download the image yourself from here: Raspberry Pi downloads page
On the Raspberry Pi site there are instructions on how to image your SD card depending on your computer platform, and how to do a basic setup.
- insert imaged SD card, connect network to wired internal interface, power up
- if you are using NOOBS, select Raspbian
- I enabled 'boot to desktop' but is not necessary
- expand the filesystem to use the rest of your SD card
- enable SSH in the advanced options
- change your password
- on an previously setup Pi, you can change these options via (sudo raspi-config)
Now that you have your Pi all setup, let's install OpenVPN:
we will not be using a graphical network manager for vpn access selection. This will be a manual setup.
A tutorial that I found useful: http://www.kbhusain.com/raspberry/use-the-raspberry-pi-as-a-vpn-gateway/
- sudo apt-get install openvpn
- cd /etc/openvpn
- sudo mkdir -p /etc/openvpn/PIA
- wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
- sudo unzip openvpn.zip
- move the crl.pem, ca.crt, PIA_access.ovpn files to /etc/openvpn where 'PIA_access' is the corresponding file to the VPN network access point you want to use. In my case I like to use US Texas.ovpn which I renamed to USTexas.ovpn because my Pi didn't want to accept the 'space' in the file name.
- sudo nano /etc/openvpn/user.txt //this file needs 2 lines with nothing but your vpn username and password
- sudo nano /etc/openvpn/PIA_access.ovpn
- had a hard time figuring out how to 'bind' the VPN created tun0 interface to the correct hardware NIC turns out it's easy :)
- comment out with # the 'nobind' line,
- add line 'local your.NIC.IP.address' this will be your NIC that connects to your main router/modem in my case it's 'eth0' (the internal wired NIC on the Pi) if you don't comment out the 'nobind' line it will fuss at you
- now, set the paths for 'ca' (/etc/openvpn/ca.crt), crl-verify (/etc/openvpn/crl.pem), and auth-user-pass (/etc/openvpn/user.txt)
- we will start the VPN after our network interfaces are setup and with a script file on reboot later.....
- sudo nano /etc/network/interfaces //make it look like this only use your IP's
- notice I commented out all the wireless options and am using static IP's for both wired NIC's
- sudo service networking restart //this will restart the network
- check your basic network configuration with sudo ifconfig
- you should see both your interfaces populated with their respective IP's
- you can check your VPN setup now if you wish by running:
- sudo iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
- sudo openvpn /etc/openvpn/PIA_access.ovpn
Now let's setup the DHCP server on NIC 'eth1' :
I found this tutorial http://raspberrypihq.com/how-to-turn-a-raspberry-pi-into-a-wifi-router/ useful for setting up the DHCP server.
- sudo apt-get install isc-dhcp-server
- sudo nano /etc/dhcp/dhcpd.conf
- I changed the option lines to look like this (use your own domain-name/servers):
- uncomment the 'authoritative;' line
- set your subnet definition for the dhcp network on 'eth1' with your IP's
- I set this to issue dhcp addresses from 192.168.42.10 to 192.168.42.20 for devices on this subnet, you can choose whatever range you would like
- sudo nano /etc/default/isc-dhcp-server
- set INTERFACES="eth1"
- you can start the dhcp server with:
- sudo service isc-dhcp-server start
Enable NAT:
- sudo nano /etc/sysctl.conf
- add this line to the end of the file: net.ipv4.ip_forward=1
- sudo update-rc.d isc-dhcp-server enable //this starts the dhcp server when the system starts up
Startup Script:
Create a startup script to start the VPN manually and enable iptables nat postrouting to the VPN interface.
- sudo nano /home/pi/startrouter.bash - add the following lines
- #!/bin/bash
- sudo iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
- sleep 2
- sudo openvpn /etc/openvpn/PIA_access.ovpn #see note in openvpn setup section
- sleep 2
- sudo service isc-dhcp-server restart #not sure this is necessary
- sudo chmod +x /home/pi/startrouter.bash
- use sudo crontab -e to run the startup script at boot, add this line
- @reboot /home/pi/startrouter.bash
- reboot
I prefer https://www.whatismyip.com/
Then connect a device to the LAN interface 'eth1', open a browser and check to make sure the VPN connection is being forwarded to the LAN connected device by using the same site example as above.