G33RT

Pine64 VPN Gateway (PA641GB) tutorial


Hi,

 

I have a Pine64-1gb lying around collecting dust for more than a year and had the idea to replace my RPi3, which is now running as a VPN Router.

The RPi3 is restricted to 2 streams and causes CPU load of 100%, so maybe the Pine64 could help here.

As I already set up the RPi3 as VPN Router, I thought I'd use the same procedure for the Pine64 with Armbian Jessie.

 

This is what I use:

HW: Pine64 with 1gb ram (Model: PA641GB)

OS: ARMBIAN 5.38 stable Debian GNU/Linux 8 (jessie) 3.10.107-pine64

VPN software: OpenVPN

VPN Service: PIA

 

Here is a small tutorial of the commands that I used to create this VPN Gateway:

 

First, start by setting up a static IP address like this, with the command: sudo nano /etc/network/interfaces

auto lo
iface lo inet loopback 
auto eth0
allow-hotplug eth0
iface eth0 inet static
	address 192.168.1.2
	netmask 255.255.255.0
	gateway 192.168.1.1
	dns-nameservers 1.1.1.1

I also used armbian-config to do this but I always received a message complaining about dnsmasq.

So I did this and the problem went away:

sudo apt-get update
sudo apt-get install dnsmasq

 

Setup the VPN Client

Install the OpenVPN client:

sudo apt-get install openvpn

Download and unzip PIA OpenVPN profiles

wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip -d openvpn

 

Copy the profile and certificates to OpenVPN Folder

sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp openvpn/put-your-chosed-server-name-here.ovpn /etc/openvpn/-put-your-server-name-here-to-create.conf

Notice that the extension has changed from ovpn to conf.

Create a login file with username and password for PIA:

sudo nano /etc/openvpn/login

Add your username and password, one per line:

put-your-username-here
put-your-password-here

now we need to change the config file to point to correct file locations

sudo nano /etc/openvpn/put-your-server-name-here-that-your-create-.conf

change the following lines and add the paths:

auth-user-pass
ca ca.rsa.2048.crt
crl-verify crl.rsa.2048.pem

to:

auth-user-pass /etc/openvpn/login
ca /etc/openvpn/ca.rsa.2048.crt
crl-verify /etc/openvpn/crl.rsa.2048.pem

Now reboot: sudo reboot

 

 

Now let's test the VPN

sudo openvpn --config /etc/openvpn/-put-your-created-server-name-here-.conf

To exit, use Ctrl + C.

Enable VPN at boot

 

sudo systemctl enable openvpn@-your-created-server-here-
example: sudo systemctl enable openvpn@Japan (you get the point)

 

Setup IPTables

sudo nano /etc/sysctl.conf

uncomment the # to allow forwarding

net.ipv4.ip_forward = 1

enable the service by typing this command:

sudo sysctl -p

IPTables: it is best to just copy and paste this into your SSH session. If you want to know more details about these rules, check out the video.

sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT 
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT 
sudo iptables -I INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT 
sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT 
sudo iptables -A OUTPUT -o eth0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT 
sudo iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT 
sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT 
sudo iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT 
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
sudo iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT 
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

Make the rules persistent across reboots:

sudo apt-get install iptables-persistent

The installer will ask whether to save the IPv4 rules; select YES, and also YES for IPv6.

sudo netfilter-persistent save

Let's apply this netfilter to the startup:

sudo systemctl enable netfilter-persistent
sudo reboot

 

Enjoy !!!! :D
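
The rules in the post only append ACCEPT entries, and iptables built-in chains default to policy ACCEPT, so whether LAN traffic can still leave through eth0 while the tunnel is down depends on chain policies the post does not set. As an added example that is not part of the original post, this script audits `iptables-save` output for the post's forwarding and NAT rules and reports each chain's policy; the sample ruleset is constructed and assumes the default ACCEPT policies.

```shell
#!/bin/sh
# Added example (not from the original post). Reads iptables-save output on
# stdin and reports what keeps the gateway from being VPN-only.
audit_ruleset() {
    awk '
    /^\*/ { table = substr($0, 2) }    # table headers: "*filter", "*nat"
    # Policy lines look like ":FORWARD ACCEPT [0:0]"
    table == "filter" && /^:(INPUT|OUTPUT|FORWARD) / { policy[substr($1, 2)] = $2 }
    table == "filter" && /^-A FORWARD/ && /-i eth0/ && /-o tun[+]/ && /-j ACCEPT/ { lan_out = 1 }
    table == "filter" && /^-A FORWARD/ && /-i tun[+]/ && /-o eth0/ && /ESTABLISHED/ { replies = 1 }
    table == "nat" && /^-A POSTROUTING/ && /-o tun[+]/ && /-j MASQUERADE/ { masq = 1 }
    END {
        if (!lan_out) print "MISSING FORWARD eth0 -> tun+"
        if (!replies) print "MISSING FORWARD tun+ -> eth0 (RELATED,ESTABLISHED)"
        if (!masq)    print "MISSING nat MASQUERADE on tun+"
        n = split("INPUT OUTPUT FORWARD", chains, " ")
        for (i = 1; i <= n; i++) {
            c = chains[i]
            p = (c in policy) ? policy[c] : "unset"
            # With a non-DROP policy, unmatched packets are still allowed.
            if (p != "DROP") print "POLICY " c " is " p ", ACCEPT rules do not restrict it"
        }
    }'
}

# Constructed sample: the FORWARD and NAT rules from the post as iptables-save
# would print them, with default ACCEPT policies (an assumption).
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT
EOF
}

# On the gateway itself: sudo iptables-save | audit_ruleset
sample_ruleset | audit_ruleset
```

No output means the three rules are present and all three chains have policy DROP.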
