On the RPI 3B, I would like to use the wlan solely as a VPN WiFi hotspot. I installed OpenVPN and create_ap, they both work independently, but the traffic from create_ap is not routed to the VPN. I had limited success with the vpnfailsafe script (AUR), but I would like to use a more straightforward approach. I tried fiddling with iptables without success, and frankly it is quite obscure for me. This seems to have no effect:
[code]
sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "Use VPN IP for eth0"
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE -m comment --comment "Use VPN IP for tun0"
iptables -A FORWARD -s 192.168.0.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -j REJECT -m comment --comment "Block traffic from clients to eth0"
iptables -A FORWARD -s 192.168.0.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic from clients to tun0"
systemctl start iptables
[/code]
ifconfig output:
[code]
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.0.198 netmask 255.255.255.0 broadcast 192.168.0.255
        inet6 fe80::ba27:ebff:fe88:5812 prefixlen 64 scopeid 0x20<link>
        ether b8:27:eb:88:58:12 txqueuelen 1000 (Ethernet)
        RX packets 1836 bytes 413975 (404.2 KiB)
        RX errors 0 dropped 1 overruns 0 frame 0
        TX packets 1683 bytes 236471 (230.9 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 10.0.10.6 netmask 255.255.255.255 destination 10.0.10.5
        inet6 fe80::5b25:6c33:668f:96ba prefixlen 64 scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 19 bytes 1046 (1.0 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255
        inet6 fe80::ba27:ebff:fedd:d47 prefixlen 64 scopeid 0x20<link>
        ether b8:27:eb:dd:0d:47 txqueuelen 1000 (Ethernet)
        RX packets 828 bytes 109404 (106.8 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 815 bytes 362598 (354.0 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[/code]
route -n output:
[code]
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    1024   0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wlan0
10.22.11.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.1     0.0.0.0         255.255.255.255 UH    1024   0        0 eth0
[/code]
/etc/openvpn/client/America.conf:
[code]
# servers
remote ca-montreal.privateinternetaccess.com 1198
remote ca-toronto.privateinternetaccess.com 1198
remote ca-vancouver.privateinternetaccess.com 1198
remote us-west.privateinternetaccess.com 1198
remote us-washingtondc.privateinternetaccess.com 1198
remote us-texas.privateinternetaccess.com 1198
remote us-seattle.privateinternetaccess.com 1198
remote us-newyorkcity.privateinternetaccess.com 1198
remote us-siliconvalley.privateinternetaccess.com 1198
remote us-lasvegas.privateinternetaccess.com 1198
remote us-houston.privateinternetaccess.com 1198
remote us-florida.privateinternetaccess.com 1198
remote us-east.privateinternetaccess.com 1198
remote us-denver.privateinternetaccess.com 1198
remote us-chicago.privateinternetaccess.com 1198
remote us-california.privateinternetaccess.com 1198
remote mexico.privateinternetaccess.com 1198
remote-random

# load common auth file
auth-user-pass client.key

# failsafe
script-security 2
route-noexec # Ignore "RTNETLINK answers: File exists" error
ping-timer-rem # Don't ping until connected to remote
#up /etc/openvpn/vpnfailsafe.sh
#down /etc/openvpn/vpnfailsafe.sh
#keepalive 10 30 # Ping every 10s, timeout and restart after 30s (replaced with keepalive.service)

# ignore ipv6-related configuration
pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "

# generic PIA config
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
disable-occ
[/code]
/etc/create_ap.conf:
[code]
CHANNEL=default
GATEWAY=10.0.0.1
WPA_VERSION=2
ETC_HOSTS=0
DHCP_DNS=gateway
NO_DNS=0
HIDDEN=0
MAC_FILTER=0
MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept
ISOLATE_CLIENTS=0
SHARE_METHOD=nat
IEEE80211N=0
IEEE80211AC=0
HT_CAPAB=[HT40+]
VHT_CAPAB=
DRIVER=nl80211
NO_VIRT=0
COUNTRY=
FREQ_BAND=2.4
NEW_MACADDR=
DAEMONIZE=0
NO_HAVEGED=0
WIFI_IFACE=wlan0
INTERNET_IFACE=tun0
SSID=ssid-vpn
PASSPHRASE=password
USE_PSK=0
[/code]
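The hotspot in the post hands out 10.0.0.0/24 (GATEWAY=10.0.0.1, wlan0 inet 10.0.0.1/24) while the FORWARD rules match 192.168.0.0/24, and with route-noexec the default route stays on eth0, so forwarded packets are never routed to tun0 in the first place. The script below is an added example, not code from the post or from create_ap/OpenVPN: it derives the subnet from the gateway, reads which interface holds the default route from route -n output, and prints a VPN-only ruleset (policy routing plus a firewall fallback). Interface names wlan0/tun0/eth0 and routing table number 100 are assumptions.

```shell
# Added example, not from the original post. It prints (does not apply) the
# routing and firewall rules for a hotspot whose clients may only reach the
# Internet through the VPN. Assumptions: wlan0 = hotspot, tun0 = VPN,
# eth0 = uplink; routing table 100 is an arbitrary choice. The hotspot
# subnet is derived from GATEWAY in create_ap.conf (10.0.0.1 in the post).

# 10.0.0.1 -> 10.0.0.0/24 (create_ap hands out a /24 around GATEWAY).
hotspot_subnet() {
    printf '%s.0/24\n' "$(printf '%s' "$1" | cut -d. -f1-3)"
}

# Interface carrying the default route in 'route -n' output read on stdin.
# With route-noexec in the OpenVPN client config none of the pushed routes
# are installed, so the default stays on the uplink and forwarded packets
# are routed to eth0 no matter which FORWARD rules mention tun0.
default_route_dev() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# Emit the rules. Review, then run as root. Persist them with
# 'iptables-save > /etc/iptables/iptables.rules'; 'systemctl start iptables'
# reloads that file and throws away rules added on the command line.
vpn_only_rules() {
    lan=$1; wifi=$2; vpn=$3; uplink=$4
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Client traffic uses its own table whose only default route is the tunnel.
ip rule add from $lan lookup 100
ip route replace default dev $vpn table 100
# NAT clients behind the tunnel address only, never behind eth0.
iptables -t nat -A POSTROUTING -s $lan -o $vpn -j MASQUERADE
# Forward client <-> tunnel; reject anything from clients toward the uplink,
# which is where they would fall back if the tunnel drops its route.
iptables -A FORWARD -i $wifi -o $vpn -s $lan -j ACCEPT
iptables -A FORWARD -i $vpn -o $wifi -d $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wifi -o $uplink -j REJECT
iptables -A FORWARD -i $wifi -j DROP
EOF
}

# Constructed sample: the relevant rows of the 'route -n' output in the post.
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 1024 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
10.22.11.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0'
printf 'default route is on %s\n' "$(printf '%s\n' "$SAMPLE_ROUTES" | default_route_dev)"
vpn_only_rules "$(hotspot_subnet 10.0.0.1)" wlan0 tun0 eth0
```

DHCP_DNS=gateway makes clients resolve through dnsmasq on the Pi, and dnsmasq's own upstream queries follow the main table; point the Pi's resolver at an address reached through tun0, or those lookups leave via eth0.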