Sourced from http://www.adafruit.com
• Raspberry Pi 3 - Model B - ARMv8 with 1G RAM
• 5V 2.4A Switching Power Supply with 20AWG MicroUSB Cable
• Pi Model B+ / Pi 2 / Pi 3 Case Base - Smoke Gray
• Raspberry Pi Model B+ / Pi 2 / Pi 3 Case Lid - Smoke Gray
• 8GB SD Card with Raspbian Jessie Operating System
NOTE: Performance for a personal VPN with one or two connections runs perfectly well on the original Raspberry Pi 1
Download and install raspbian-ua-netinst from here, flash your SD Card, and follow the instructions from the site to install a minimal Raspberry Pi OS. Once the card flashing is complete, do the following:
Install raspi-copies-and-fills for improved memory management performance
# apt-get install raspi-copies-and-fills
# dd if=/dev/zero of=/swap bs=1M count=512 && chmod 600 /swap && mkswap /swap && swapon /swap
This example creates a 512MB swap file, restricts it to root before it is formatted (swap can contain key material paged out of charon), and enables it immediately. To have it enabled on boot, append the line
# echo '/swap none swap sw 0 0' >> /etc/fstab
to /etc/fstab.
Leverage the hardware random number generator by installing rng-tools and loading the bcm2708-rng kernel module. rngd reads /dev/hwrng by default and feeds it into the kernel entropy pool, which matters on a headless board that otherwise gathers little entropy for IKE key generation.
# apt-get install rng-tools
Then add bcm2708-rng to /etc/modules:
# echo 'bcm2708-rng' >> /etc/modules
After the next reboot /dev/hwrng should exist; if it does not, the module name differs on your kernel and you will need to check which hardware RNG module your kernel provides.
Additionally, I recommend commenting out the snd-bcm2835 module from /etc/modules to decrease memory and resource usage.
# sed -i -e 's/^snd-bcm2835/# snd-bcm2835/' /etc/modules
Update the /etc/network/interfaces file to give the Pi a static IP address. In the example below eth0 is made a port of the bridge br0, and br0 (not eth0) carries the address and default route; keep that in mind later when writing firewall rules that name an interface. Here is an example:
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
bridge_ports eth0
bridge_stp off
bridge_waitport 0
bridge_maxwait 0
bridge_fd 0
post-up ip link set br0 address {MAC address of physical interface}
address {vpn server ip address}
netmask {vpn server netmask}
network {vpn server network}
broadcast {vpn server broadcast address}
gateway {vpn server gateway address}
allow-hotplug eth0
iface eth0 inet manual
When done, reboot your Pi, then update it to the latest packages and patches:
# apt-get update && apt-get dist-upgrade
Install VPN Software Packages:
# apt-get install strongswan libcharon-extra-plugins
See my write-up on Becoming your own X.509 Certificate Authority to generate the certificate files. The VPN host needs its own private key plus the CA certificates that make up the chain; the CA private keys are only needed on the machine that signs certificates and are best kept off the VPN server.
/etc/ipsec.d/private/vpn-privatekey.key # VPN host private key (referenced from ipsec.secrets below)
/etc/ipsec.d/private/root-ca.key # Root CA private key (only if you sign certificates on this host)
/etc/ipsec.d/private/intermediate-ca.key # Intermediate CA private key (only if you sign certificates on this host)
/etc/ipsec.d/cacerts/rootca.crt # Root CA certificate
/etc/ipsec.d/cacerts/intermediate.crt # Intermediate CA certificate
/etc/ipsec.d/certs/vpn-host-certificate.crt # VPN host certificate
Update /etc/ipsec.conf by removing all existing text and replacing it with the following. Change leftid, the client address pool and the DNS server as appropriate. Parameters inside a section must be indented; the parser treats an unindented line as the start of a new section.
# ipsec.conf - strongSwan IPsec configuration file
config setup
    # Allow several simultaneous connections with one user account.
    # By default only one active connection per user is allowed.
    # This option is also useful if you have a limited rightsourceip pool
    # and want to kick a ghost connection while reconnecting.
    uniqueids=no
    # Increase debug level
    # charondebug = ike 3, cfg 3

conn %default
    # Explicit proposals. Uncomment only if you need them; the default
    # proposals work on most platforms. The modp1024 and 3des-sha1 entries
    # below are weak and only there for very old clients; drop them unless
    # you have a client that cannot do better.
    # ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    # esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    # Dead peer detection pings clients and terminates sessions after the timeout
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s
    keyexchange=ikev2
    auto=add
    # rekey=no stops the server from initiating rekeys; clients may still rekey on their own
    rekey=no
    reauth=no
    fragmentation=yes
    #compress=yes
    # left - local (server) side
    # Filename of the certificate located in /etc/ipsec.d/certs/
    leftcert=vpn-host-certificate.crt
    leftsendcert=always
    # Routes pushed to clients
    leftsubnet=0.0.0.0/0
    # right - remote (client) side
    eap_identity=%identity
    # IPv4 pool from which client addresses are assigned
    rightsourceip=10.1.1.0/24
    rightdns=8.8.8.8

# Windows and BlackBerry clients usually go here
conn ikev2-mschapv2
    rightauth=eap-mschapv2

# Apple clients usually go here
conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid={public domain or IP address}
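A check for the certificate and leftid pairing, added here as an example and not part of the original article or of strongSwan itself. strongSwan only uses the host certificate if the configured leftid appears in the certificate's subject or Subject Alternative Name, and Apple and Windows clients additionally verify that the certificate covers the hostname or address they connect to, so a mismatch surfaces as a vague client-side failure rather than a clear server log line. The script reads leftid from ipsec.conf and compares it with the DNS and IP Address SAN entries that openssl prints (using -text rather than the newer -ext option so it also works with the OpenSSL shipped in Jessie). The file paths default to the ones used in this article; the hostname vpn.example.com and address 203.0.113.10 in the comments are placeholders.

```shell
#!/bin/sh
# Verify that the VPN host certificate covers the leftid configured in ipsec.conf.
# Added example, not part of the original article. Paths default to the ones the
# article uses; override CERT and CONF in the environment to check other files.
CERT="${CERT:-/etc/ipsec.d/certs/vpn-host-certificate.crt}"
CONF="${CONF:-/etc/ipsec.conf}"

# Read ipsec.conf on stdin and print the first leftid value, without a leading '@'
# (strongSwan uses '@' to mean "take the identity string literally, do not resolve it").
conf_leftid() {
    sed -n 's/^[[:space:]]*leftid[[:space:]]*=[[:space:]]*//p' \
        | sed 's/^@//; s/[[:space:]]*$//' \
        | head -n 1
}

# Read the SAN section as printed by "openssl x509 -noout -text" on stdin and succeed
# only if a DNS or IP Address entry equals $1 exactly (wildcards are not handled).
san_covers() {
    tr ',' '\n' \
        | sed -n -e 's/^[[:space:]]*DNS://p' -e 's/^[[:space:]]*IP Address://p' \
        | grep -qxF -- "$1"
}

# Run the check against the real files; returns 1 on a mismatch, 2 if no leftid is set
# (a conn without leftid falls back to the certificate subject DN, which this does not check).
check_cert_san() {
    id=$(conf_leftid < "$CONF")
    if [ -z "$id" ]; then
        echo "no leftid found in $CONF" >&2
        return 2
    fi
    # -A1 keeps the line after the SAN header, which is where openssl prints the entries.
    if openssl x509 -in "$CERT" -noout -text | grep -A1 'Subject Alternative Name' | san_covers "$id"; then
        echo "ok: $CERT covers leftid $id"
    else
        echo "MISMATCH: $CERT has no SAN entry for leftid $id; clients will reject the server" >&2
        return 1
    fi
}

# Only run against the real files when they exist, so the functions can also be
# sourced and exercised on constructed input elsewhere.
if [ -r "$CERT" ] && [ -r "$CONF" ]; then
    check_cert_san
fi
```

Run it as root on the Pi after the certificates are in place; a non-zero exit means the Apple conn above will not authenticate even though charon starts cleanly. If leftid is an IP address, the certificate needs an IP Address SAN entry, not a DNS entry containing the same digits.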
Update the /etc/ipsec.secrets file to reflect your configuration and accounts. The EAP passwords in it are stored in plain text, so keep the file readable by root only (mode 600).
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
# Private key of the VPN host certificate, located at /etc/ipsec.d/private/vpn-privatekey.key
{vpn server ip} : RSA /etc/ipsec.d/private/vpn-privatekey.key
# Users
username : EAP "super secret password here"
Configure the system to forward packets by updating or adding the following to /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Activate the changes
# sysctl -p
Set up the firewall to accept and forward VPN traffic. The NAT rule must name the interface the Pi actually routes through: with the bridged interfaces file above that is br0, not eth0 (use eth0 only if you did not bridge). Restricting the SNAT rule to the rightsourceip pool keeps the Pi from masquerading anything else that happens to pass through it.
# iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 ! -p esp -j SNAT --to-source {VPN server IP}
# iptables -A INPUT -p udp --dport 500 -j ACCEPT
# iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# iptables -A INPUT -p esp -j ACCEPT
NOTE: I know there is a right way to make these rules persist across reboots, but I cheated and added them to /etc/rc.local. Will get back to doing it the right way later when I have more time.
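The same rules as a script that can be called from /etc/rc.local, added here as an example rather than the article's own rule set. It assumes br0 as the routed interface (per the interfaces file above), the 10.1.1.0/24 pool from ipsec.conf, and 203.0.113.10 as a placeholder server address; all three can be overridden in the environment. It adds what the four rules above leave out: the SNAT is scoped to the pool and skipped for packets that still have to be ESP-encapsulated, and FORWARD only accepts traffic that arrived decrypted from an ESP SA with a pool source address, so nothing on the LAN can spoof a pool address through the Pi once ip_forward is on.

```shell
#!/bin/sh
# Firewall rules for the IKEv2 server above, as a script that can be called from
# /etc/rc.local. Added example, not the article's own rules. Assumptions, override
# via the environment: WAN_IF is the routed interface (br0 with the bridged
# interfaces file above, eth0 if unbridged), VPN_POOL is rightsourceip from
# ipsec.conf, VPN_IP is the server address used as SNAT source (203.0.113.10 is a
# documentation placeholder).
WAN_IF="${WAN_IF:-br0}"
VPN_POOL="${VPN_POOL:-10.1.1.0/24}"
VPN_IP="${VPN_IP:-203.0.113.10}"

# Print the rules, one iptables argument list per line, in the order they are
# applied. Comment lines in the heredoc are stripped so the output is ready to feed
# to iptables.
vpn_fw_rules() {
    grep -v '^#' <<EOF
# IKE, NAT-T and ESP to the server itself
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
# Forward nothing by default; return traffic for existing flows is allowed,
# and new flows only if they were just decrypted from an ESP SA and carry
# a source address from the client pool
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${VPN_POOL} -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Do not NAT packets that will be IPsec-encapsulated on the way out (client
# to client, or to a subnet reached through another SA); NAT the rest
-t nat -A POSTROUTING -s ${VPN_POOL} -o ${WAN_IF} -m policy --dir out --pol ipsec -j ACCEPT
-t nat -A POSTROUTING -s ${VPN_POOL} -o ${WAN_IF} -j SNAT --to-source ${VPN_IP}
EOF
}

# Apply the rules in order; run as root. Each line is word-split deliberately, and
# the heredoc (rather than a pipe) keeps the loop in the function so "return" works.
vpn_fw_apply() {
    while IFS= read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule || return 1
    done <<EOF
$(vpn_fw_rules)
EOF
}

case "${1:-}" in
    --apply) vpn_fw_apply ;;
    "") vpn_fw_rules ;;
    *) echo "usage: $0 [--apply]" >&2; exit 2 ;;
esac
```

Without arguments the script only prints the rules so they can be reviewed; `--apply` installs them, which is the call to put in /etc/rc.local. The `! -p esp` exclusion from the rule above becomes unnecessary once SNAT is restricted to the pool, because the server's own ESP packets never carry a pool source address. The INPUT policy is deliberately left untouched so an SSH session to the Pi is not cut off; tighten it separately once you know which other services you need.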
Lastly, set up port forwarding on your ISP's router so that UDP 500 and UDP 4500 reach the Raspberry Pi (clients behind NAT use NAT-T on 4500, so forwarding ESP itself is not needed). How to do that depends on the router, so you will have to research it on your own.
Copyright - Jeffrey Belt - All Rights Reserved