
How to VPN Your IoT & Media Devices using a Raspberry Pi PIA Routertraffic « Null Byte :: WonderHowTo

Virtual private networks, or VPNs, are popular for helping you stay anonymous online by changing your IP address, encrypting traffic, and hiding your location. However, common IoT devices, media players, and smart TVs are hard to connect to a VPN, but we have a solution: Turn a Raspberry Pi into a router running through PIA VPN, which will ensure every connected device gets the VPN treatment.

It’s best to think of what we are building as an add-on to your home router. We will link the Pi directly to the home router and set up a VPN client on it. We can then simply point devices on our network to the Pi, which will take the traffic, encrypt it, and run it through our VPN.

This makes it much easier to secure traffic from Internet of Things (IoT) devices, such as a Chromecast and Apple TV, and helps decrease the CPU usage on our computers by having the Pi do all the hard work. The real hidden gem here is that this system will only count as one device.

Let me explain. Many VPN providers limit the number of devices you can have connected at the same time. For example, PIA, or Private Internet Access, limits us to five. By directing the traffic through the Pi, it appears as only one device to PIA, and our Pi build can handle 5–6 devices connected to it, depending on how much data they use.

This is super helpful if you have a lot of little devices in your house. By using five Pis like the one we are about to build, you could have 25–30 devices connected on one PIA subscription.

Image by SADMIN/Null Byte

Let’s dive in and get started. If you already have a Raspberry Pi up and running, then you can skip steps two, three, and four below.


What You’ll Need to Get Started

Step 1: Sign-Up for Private Internet Access

To begin, we will need a Private Internet Access membership. We picked PIA because of its reputation for not logging and its good standing in the community, but it’s important to be aware that with any VPN provider, you simply can’t know for sure that there is no logging.

Some services may collect metadata like DNS requests, who you connect to, and what exit node you connect to, which is enough to cover themselves and arrest you for doing anything really bad. Very few VPN providers would be willing to go to jail for crazy stuff you do on their service. PIA supports the Electronic Frontier Foundation and works with open-source projects to protect privacy, so we recommend their service.

PIA will run you $6.95/month and you can cancel at any time. If you want to save a little money, you could get their 6-month plan for $35.95 (which equals out to $5.99/month), but their best plan is the yearly one at $39.95 (equaling $3.33/month). If you don’t like the service within 7 days of testing it out, you can ask for a full refund.

Once you sign up, you will get an email that includes your username and password. Make sure to write down your username and password, as we will need these later.

Step 2: Install a BitTorrent Client (If You Don’t Have One)

In the next step, we’ll be downloading Raspbian for the Raspberry Pi. The fastest way to do that is using a BitTorrent client. If you already have one, then that’s great! Use it. Otherwise, we need to download one. This guide uses Deluge, which works for Windows, Mac, and Linux. Once you navigate to the Deluge website, download the latest version for the operating system you are using and follow the on-screen instructions to install it.

Step 3: Download the Raspbian Image

Now that we have Deluge (or another BitTorrent client) installed, we can use it to download Raspbian via torrent. Once the file is downloaded, you only need to click on it and Deluge should open and start downloading it.

Step 4: Flash the Image to the MicroSD Card

We need to write the image to our microSD card. The best practice is to unplug any external hard drives or other USB devices you have, and then insert your microSD into its adapter and plug it in. This is important because you don’t want to accidentally flash the wrong device.

If you already have a program to flash the image to the card, then you can use that. Otherwise, install Etcher, as it’s the easiest to use for creating bootable SD cards. It works on Windows, Mac, and Linux, while also having a simple-to-use interface.

Etcher should detect what operating system you are using, but if not, make sure you download the correct version based on your operating system, then open the file and follow the on-screen installation directions. Open Etcher (if it doesn’t automatically open after installation), and select the image you just downloaded.

Next, be sure the proper drive is selected and flash the image. Once it’s done, it will safely eject the SD card.

There is a rare chance that Etcher will cause an error. If that does happen, use ApplePiBaker for Mac or Win32 Disk Imager for Windows.

If you plan on using Secure Shell (SSH) to access your Pi, then you will want to add an empty file named ssh with no file extension to the boot folder on the microSD card.

Step 5: Start Your Pi

Insert the SD card into the slot at the bottom of your Raspberry Pi and plug the Pi into both Ethernet and power. The other end of the Ethernet cable goes into your router (which is wired or wirelessly connected to your computer).

You can now connect to your Pi however you like. I’m old-school, so I just SSH into the Pi using PuTTY or the Secure Shell extension for Chrome.

Remember the username is pi and the password is raspberry. After you connect, make sure to change the password with passwd, and then update your Pi:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

Step 6: Enable a Static IP Address

Now, we are ready to get started setting our Pi up to route traffic through our VPN. To do that, we’ll need to know which gateway to point our devices at, thus we need to create a static IP address. To begin, let’s open the proper file for editing with:

sudo nano /etc/network/interfaces

And then, let’s add the following.

auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static

You may need to change the exact IP address, depending on how your network is set up and what you want it to be. In the end, it should look something like this:

Now you are ready to save the file with Ctrl-X and Y, then Enter.

Step 7: Set Up the VPN Client

We will use OpenVPN for this build, but our Pis don’t have it pre-installed, so we can download it now by typing sudo apt-get install openvpn into a terminal.

Then we can download the PIA files, such as the certificates we will need, with wget, and then unzip and copy them over to OpenVPN. To do so, we’ll type the following.

wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip -d openvpn
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/

Move to the OpenVPN directory with cd openvpn, and look at your region choices with ls.

Remember that locations close to you will be faster with less lag, but will also cause your IP to appear to come from that area. Once you decide on one, we need to copy it over too. Say I wanted to use US East, I would need to type in:

sudo cp US\ East.ovpn /etc/openvpn/US.conf

Don’t forget, you need to put a \ in front of spaces for the file name.

Next, we need to give the program our PIA login credentials from before. To do this, we will create a login file with

sudo nano /etc/openvpn/login

Then we put our username on one line, and the password on the next.

Just as before, when using nano, save the file with Ctrl-X and Y, then Enter. Now, we will configure the file from before so that it knows where to find everything. Open it with sudo nano /etc/openvpn/US.conf, then edit the following lines seen in the screenshot below.

Change them to read as below. Note you are not deleting any lines, just changing those three.

auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt

You know the drill: Save the file with Ctrl-X and Y, then Enter. Then, reboot the system to apply all the changes we have made by typing sudo reboot.
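
One way to check the result of Step 7 before rebooting, as an added example that is not part of the original article: the hypothetical audit_conf function confirms that the three edited directives point at readable absolute paths and that the plaintext login file is not accessible to group or others. The demo files are constructed in a temporary directory and hold no real credentials.

```shell
#!/bin/sh
# Added example (not from the article): audit an OpenVPN client config such as
# the US.conf edited above. audit_conf is a hypothetical helper name.
# On the Pi: sudo sh -c '. ./audit.sh; audit_conf /etc/openvpn/US.conf'
audit_conf() {
    conf=$1; rc=0
    for key in auth-user-pass ca crl-verify; do
        # First argument of the directive, e.g. "ca /etc/openvpn/ca.rsa.2048.crt"
        path=$(awk -v k="$key" '$1 == k { print $2; exit }' "$conf")
        case $path in
            /*) ;;   # absolute path, as the guide sets it
            *)  echo "$key: no absolute path set"; rc=1; continue ;;
        esac
        if [ ! -r "$path" ]; then
            echo "$key: $path missing or unreadable"; rc=1
        elif [ "$key" = auth-user-pass ] &&
             [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            # The login file stores the VPN username and password in plaintext.
            echo "$key: $path is accessible to group/others (chmod 600)"; rc=1
        fi
    done
    return $rc
}

# Constructed demo in a temp directory (placeholder values, not real credentials).
d=$(mktemp -d)
printf 'p0000000\nexample-password\n' > "$d/login"
: > "$d/ca.crt"; : > "$d/crl.pem"
printf 'auth-user-pass %s/login\nca %s/ca.crt\ncrl-verify %s/crl.pem\n' \
    "$d" "$d" "$d" > "$d/US.conf"
chmod 644 "$d/login"; audit_conf "$d/US.conf" || echo "-> tighten the login file"
chmod 600 "$d/login"; audit_conf "$d/US.conf" && echo "-> config OK"
```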

Step 8: Test the VPN

If we did all the previous steps right, we should have a working VPN now! Just reconnect to the Pi after it reboots. We can test that it is working by running:

sudo openvpn --config /etc/openvpn/US.conf

If all is working, the last line should read some date, then “Initialization Sequence Completed,” and you shouldn’t have a command prompt. You can exit out with Ctrl-C. If it fails for some reason, then the most likely cause is that you put in your login information wrong, so go back and check it before retrying.

Once we have tested that the VPN is connected to PIA and running properly, then we are ready to tell the Pi to run it on boot by typing the command:

sudo systemctl enable openvpn@US

From now on, our Pi will connect every time it starts.

Step 9: Enable Forwarding

Great, now we have a working VPN, but to use it as we intend, we need to be able to forward network traffic to the Pi. Just in case you thought we hadn’t played around with enough conf files yet, we get to open another one by typing:

sudo nano /etc/sysctl.conf

It’s a big file, but we only need to uncomment one line by deleting the “#” before “net.ipv4.ip_forward = 1.” When done, it should look like the picture below.

Save the file and restart the service to finalize the changes we made. To do this, you could reboot, if you really wanted to, or just do it the easy way with sudo sysctl -p.

Next, we need to change the rules for iptables. Just copy and paste from below to save time. Copy each line individually and press Enter after each one, not the whole thing together.

sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -I INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT
sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

The first two lines above enable loopback for those services that require it, and the next two lines allow traffic in from the LAN network and out to the VPN.

After that, we enable sockets, then NTP (Network Time Protocol) so that the Pi and VPN can synchronize clocks. Then we enable DHCP (Dynamic Host Configuration Protocol) and output through the VPN tunnel. Next, and probably most importantly, we install a kind of kill switch which only allows forwarding when the VPN is alive. In practical terms, this means that once we have a device connected to our Pi, it will be disconnected from the internet whenever the VPN stops working.
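
The kill-switch behaviour described above depends on the FORWARD chain dropping whatever the two tun+ rules do not accept; ACCEPT rules alone block nothing while the chain policy is ACCEPT. The check below is an added example, not part of the original article: killswitch_ok and sample_rules are hypothetical names, and the sample rule set is constructed from the FORWARD rules listed above.

```shell
#!/bin/sh
# Added example: does a saved rule set really cut forwarding when the tunnel is
# down? Reads `iptables-save` text on stdin. Returns 0 only if the filter
# table FORWARD chain drops by default (policy DROP or a catch-all DROP/REJECT
# rule) and no earlier ACCEPT rule lets traffic bypass the tunnel.
killswitch_ok() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter", "*nat", ...
        table != "filter" { next }
        /^:FORWARD / { policy = $2 }               # ":FORWARD ACCEPT [0:0]"
        /^-A FORWARD -j (DROP|REJECT)( |$)/ { closed = 1 }
        /^-A FORWARD / && !closed {
            in_if = ""; out_if = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if  = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # ACCEPT that neither enters nor leaves via tun+ bypasses the VPN.
            if (target == "ACCEPT" && in_if !~ /^tun/ && out_if !~ /^tun/) leak = 1
        }
        END { exit !((policy == "DROP" || closed) && !leak) }
    '
}

# Constructed sample: the FORWARD rules from this guide as iptables-save would
# print them. $1 is the FORWARD chain policy (ACCEPT or DROP).
sample_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD $1 [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
COMMIT
EOF
}

for p in ACCEPT DROP; do
    if sample_rules "$p" | killswitch_ok; then echo "FORWARD policy $p: kill switch holds"
    else echo "FORWARD policy $p: traffic can bypass the tunnel"; fi
done
```

On the Pi, run sudo iptables-save | killswitch_ok; setting the policy with sudo iptables -P FORWARD DROP before saving the rules is one way to make the check pass.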

Unless you really want to reconfigure that every time you start up the Pi, you need to make those changes persistent. To do that, we use the iptables-persistent service, which you can download by running the command:

sudo apt-get install iptables-persistent

You will be asked about saving the rules. Naturally, you want to save the current ones, so select “Yes” and press Enter.

If you ever need to update or change the rules for whatever reason, you can do so with the sudo netfilter-persistent save command.

Since we already did that, we now only need to tell the Pi to run these settings on boot. To do this, type:

sudo systemctl enable netfilter-persistent

At this point, we are all done with the Pi side of things! Just reboot to make sure all the updates are working properly. You can do this by running sudo reboot.

Step 10: Direct Traffic to Your Pi

The last thing left to do is point whatever devices you want to be using PIA to the Pi’s static IP address. It’s impossible to go over every device you might want to do this on, but to give an idea of what needs to be done, let’s look at how to do this on Windows 10.

To test the result, google “IP” in your browser, and at the top of the search results, Google should tell you your public IP address. Note it down or keep the tab open.

Next, go to “Control Panel” -> “Network and Internet” -> “Network Connections,” and select “Ethernet” or “Wi-Fi,” based on how you’re currently connected. I’m on Wi-Fi, so I’ll double-click on that, then click on “Details” in the pop-up window.

I’m looking for my computer’s current IP; you’ll want to write that down. You can also find the IP of devices on your network using a program like Nmap or Fing, which is quite helpful when connecting something like an Apple TV.

Return to the first popup and click on “Properties.” Select “IPv4” by clicking it. You will be brought to a window like the one below. You want your device to keep the same local IP, so fill that in from before. The Subnet mask should be, and then the Default gateway is our Pi, so enter our static IP of These may be different depending on how you have your network set up and what you put as your static IP back in Step 5.

Last, we are using the Google DNS, so change the DNS server to be and, and the whole thing should look something like this when complete.

Now we can go back to Google and search “IP” as we did before. If it’s working, this time our IP address should be different. Congratulations, your device is now running on a VPN!

In general, when connecting devices, just remember to do these steps:

  1. Locate the device IP address.
  2. Go to “Advanced Wi-Fi/Network” settings.
  3. Keep the same IP as before but use the Pi’s IP as the gateway.

All of Your Devices Can Now Use a VPN

Now you can connect any device on your network to PIA to secure your IP address and encrypt your data. In a future article, we will look at how to make this a more mobile setup by turning the Pi into a mobile hotspot that we can take with us anywhere. Thanks for reading! If you have any questions, you can ask them here or hit me up on Twitter @The_Hoid.

Cover image by Sadmin/Null Byte; Screenshots by Hoid/Null Byte
