
Setting up a Linux VPN Router

Steps

1. Install Linux (Ubuntu Server, Raspberry Pi)
2. Install Wireguard
3. Set up routing
4. hostapd
5. Pihole
6. SQM (QOS settings)
7. vnstat
8. Set up TINC VPN
9. NTP

Install Linux

Install our default config for a new system.

Create a new SSH key with ssh-keygen -t ed25519. Copy that key to git.chriswong.org and clone the login repository:

mkdir ~/projects
cd ~/projects
git clone ssh://git@git.chriswong.org:2222/clw/login.git
cd login
./install.pl

sudo apt -y install unzip
cd ~/.ssh
unzip ssh_keys.zip

Install wireguard

sudo apt install wireguard resolvconf

After this is installed, copy the config file from the VPN server. I use pivpn to create and manage config files for each server. Copy the file to /etc/wireguard/wg_server.conf

To start wireguard

sudo systemctl start wg-quick@wg_server

To stop

sudo systemctl stop wg-quick@wg_server

To enable on boot

sudo systemctl enable wg-quick@wg_server

Routing

We need to edit the wireguard config file so that wg-quick installs the iptables rules that forward LAN traffic through the VPN (and removes them again when the tunnel goes down). Add the following to the [Interface] section of the wireguard config.

MTU = 1360
PostUp = iptables -A FORWARD -i wlp2s0 -o wg_server -j ACCEPT; iptables -A FORWARD -i wg_server -o wlp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -o wg_server -j MASQUERADE; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -i wlp2s0 -o wg_server -j ACCEPT; iptables -D FORWARD -i wg_server -o wlp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -o wg_server -j MASQUERADE; iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
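A small lint script for the PostUp/PostDown block above (an added example, not from the original page): if a rule added in PostUp has no matching delete in PostDown, `wg-quick down` leaves FORWARD/NAT rules behind. The sample config it writes is constructed, with placeholder keys and endpoint; the interface names wlp2s0 and wg_server are the ones used on this page.

```shell
# Added example, not from the original page: lint a wg-quick config before
# bringing it up. Checks the [Interface] section has an MTU and that every
# iptables "-A" rule in PostUp has a matching "-D" rule in PostDown.

# Print the value of key $2 from the [Interface] section of config $1.
wg_iface_value() {
    awk -v key="$2" '
        /^\[/ { in_iface = ($0 == "[Interface]"); next }
        in_iface && $0 ~ ("^" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit }' "$1"
}

# One rule per line, -A rewritten to -D, whitespace trimmed, sorted (compare as sets).
normalise_rules() {
    printf '%s' "$1" | tr ';' '\n' \
        | sed 's/ -A / -D /; s/^[[:space:]]*//; s/[[:space:]]*$//' | sort
}

# Return 0 only when PostUp and PostDown add/delete exactly the same rules.
wg_check_symmetry() {
    up=$(wg_iface_value "$1" PostUp); down=$(wg_iface_value "$1" PostDown)
    [ -n "$up" ] && [ -n "$down" ] || return 1
    [ "$(normalise_rules "$up")" = "$(normalise_rules "$down")" ]
}

wg_check_config() {
    mtu=$(wg_iface_value "$1" MTU)
    [ -n "$mtu" ] || { echo "$1: no MTU in [Interface]" >&2; return 1; }
    wg_check_symmetry "$1" || { echo "$1: PostUp/PostDown not symmetric" >&2; return 1; }
    echo "$1: ok (MTU=$mtu, PostUp/PostDown symmetric)"
}

# Constructed sample config for testing; keys and endpoint are placeholders.
# $2 = good (complete PostDown) or bad (PostDown missing the NAT -D rule).
write_sample_conf() {
    printf '%s\n' '[Interface]' 'PrivateKey = PLACEHOLDER_PRIVATE_KEY' \
        'Address = 10.6.0.2/24' 'MTU = 1360' \
        'PostUp = iptables -A FORWARD -i wlp2s0 -o wg_server -j ACCEPT; iptables -t nat -A POSTROUTING -o wg_server -j MASQUERADE' > "$1"
    if [ "$2" = good ]; then
        echo 'PostDown = iptables -D FORWARD -i wlp2s0 -o wg_server -j ACCEPT; iptables -t nat -D POSTROUTING -o wg_server -j MASQUERADE' >> "$1"
    else
        echo 'PostDown = iptables -D FORWARD -i wlp2s0 -o wg_server -j ACCEPT' >> "$1"
    fi
    printf '%s\n' '' '[Peer]' 'PublicKey = PLACEHOLDER_PEER_KEY' \
        'AllowedIPs = 0.0.0.0/0' 'Endpoint = vpn.example.net:51820' >> "$1"
}

# Usage: sh wgcheck.sh /etc/wireguard/wg_server.conf
if [ -n "${1:-}" ]; then wg_check_config "$1"; fi
```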

Set routing for eth0

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

sudo apt install iptables-persistent
# iptables-save on its own only prints the rules; this writes them to
# /etc/iptables/rules.v4 so iptables-persistent reloads them at boot
sudo netfilter-persistent save

Wifi AP (hostapd, dnsmasq and systemd-resolved)

This sets up the wifi AP

hostapd

sudo apt install hostapd dnsmasq

Edit hostapd.conf: sudo emacs /etc/hostapd/hostapd.conf

ssid=WIFIAP <------------ CHANGEME
wpa_passphrase=password <----------------- CHANGEME
interface=wlan0 <------------ CHECKME
#bridge=br0 <--------- CHECKME - if we use another usb ethernet adapter, we'll use this bridge option
driver=nl80211
hw_mode=g
channel=6

# 802.11n
wmm_enabled=1
ieee80211n=1
ht_capab=[HT40-][SHORT-GI-20][DSSS_CCK-40]

# WPA
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
# wpa_pairwise only applies to WPA (v1); with wpa=2 only rsn_pairwise (CCMP) is used
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Turn off the DNS stub listener in systemd-resolved so that dnsmasq can bind port 53. Edit /etc/systemd/resolved.conf and add the line

DNSStubListener=no

In /etc/dnsmasq.d/ create 02-hostapd.conf. This configures the DHCP server for our wireless interface wlan0.

read-ethers
interface=wlan0
no-dhcp-interface=eno1
dhcp-range=192.168.29.20,192.168.29.254,255.255.255.0,12h
dhcp-option=6,192.168.4.55 <--------CHANGEME to your DNS server. This points to my pihole

Edit /etc/dnsmasq.conf. It should look like this. This uses Cloudflare, but you can use any other DNS servers as well (8.8.8.8, OpenDNS).

conf-dir=/etc/dnsmasq.d
no-resolv
cache-size=10000
server=1.1.1.1
server=1.0.0.1

Static IP for wlan0

Ubuntu uses netplan to set the IP address.

Create a new file /etc/netplan/00-installer-config.yaml:

network:
    ethernets:
        eth0:
            dhcp4: true
        wlan0:
            dhcp4: false
            addresses:
            - 192.168.29.1/24
            nameservers:
                addresses:
                - 1.1.1.1
                search: []
    version: 2

Apply the new static IP

sudo netplan apply
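A consistency check across the three files above (added example, not from the original page): hostapd and dnsmasq must name the same interface, the dhcp-range must fall inside the subnet netplan gives wlan0, and clients must be handed a DNS server. The sample files it writes are constructed from the values on this page.

```shell
# Added example, not from the original page: cross-check hostapd.conf,
# the dnsmasq DHCP fragment and the netplan file for the wifi AP. A
# dhcp-range outside the router's own /24 hands out addresses it cannot route.
# Assumes the files use exactly the keys shown on this page.

# IPv4 dotted quad -> integer, for subnet comparisons.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# First "key=value" from a hostapd/dnsmasq-style file (commented lines ignored).
kv() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# Netplan: the first CIDR listed under wlan0's "addresses:".
netplan_wlan_cidr() {
    awk '/^ *wlan0:/ {w=1} w && /^ *- / {sub(/^ *- */, ""); print; exit}' "$1"
}

wifi_check() {  # $1 hostapd.conf  $2 02-hostapd.conf  $3 netplan yaml
    ap_if=$(kv "$1" interface); dhcp_if=$(kv "$2" interface)
    [ "$ap_if" = "$dhcp_if" ] || { echo "interface mismatch: hostapd=$ap_if dnsmasq=$dhcp_if" >&2; return 1; }
    cidr=$(netplan_wlan_cidr "$3"); router=${cidr%/*}; bits=${cidr#*/}
    range=$(kv "$2" dhcp-range); lo=${range%%,*}; rest=${range#*,}; hi=${rest%%,*}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    net=$(( $(ip2int "$router") & mask ))
    for h in "$lo" "$hi"; do
        [ $(( $(ip2int "$h") & mask )) -eq "$net" ] || { echo "$h is outside $cidr" >&2; return 1; }
    done
    dns=$(kv "$2" dhcp-option | sed -n 's/^6,//p')
    [ -n "$dns" ] || { echo "no dhcp-option=6 (DNS server) for clients" >&2; return 1; }
    echo "ok: $ap_if, clients $lo-$hi inside $cidr, DNS $dns"
}

# Constructed sample files mirroring this page's configs ($1 = directory).
write_wifi_samples() {
    printf '%s\n' 'ssid=WIFIAP' 'interface=wlan0' '#bridge=br0' 'driver=nl80211' > "$1/hostapd.conf"
    printf '%s\n' 'read-ethers' 'interface=wlan0' 'no-dhcp-interface=eno1' \
        'dhcp-range=192.168.29.20,192.168.29.254,255.255.255.0,12h' \
        'dhcp-option=6,192.168.4.55' > "$1/02-hostapd.conf"
    printf '%s\n' 'network:' '    ethernets:' '        eth0:' '            dhcp4: true' \
        '        wlan0:' '            dhcp4: false' '            addresses:' \
        '            - 192.168.29.1/24' '    version: 2' > "$1/00-installer-config.yaml"
}

# Usage: wifi_check /etc/hostapd/hostapd.conf /etc/dnsmasq.d/02-hostapd.conf /etc/netplan/00-installer-config.yaml
```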

At this point routing and VPN should be working.

Optional Installs

PiHole

https://github.com/pi-hole/pi-hole/#one-step-automated-install

curl -sSL https://install.pi-hole.net | bash

Under choose an interface, select wlan0.

Reset password.

sudo pihole -a -p

Enable the Pi-hole service (pihole-FTL, which includes its own dnsmasq) in systemd, and turn off the standalone dnsmasq if it is enabled so the two do not fight over port 53.

sudo systemctl enable --now pihole-FTL
sudo systemctl disable dnsmasq

vnstat

Shows hourly, daily and monthly bandwidth usage.

sudo apt install vnstat

# add interfaces to vnstat as needed. First start the wireguard connection
sudo vnstat --add -i wg_lucy

tuptime

Uptime data

sudo apt install tuptime

SQM (QOS)

Find sqm scripts here: https://github.com/tohojo/sqm-scripts

cd ~
mkdir -p projects && cd projects
git clone git@github.com:tohojo/sqm-scripts.git
cd sqm-scripts
sudo make install

etckeeper

Stores /etc in a git repository

sudo apt install etckeeper

sudo -s
# this initializes the git repository for /etc and makes the initial commit
etckeeper init

systemctl enable --now etckeeper.timer

We need to set it so it automatically pushes changes to the remote repository.

Create an SSH key for root, and add the key to the remote repository.

# As root user
ssh-keygen -t ed25519

Copy the contents of .ssh/id_ed25519.pub to the git server as a deploy/access key for the remote repository.

In /etc (as root), add your remote git repository:

git remote add origin ssh://git@git.chriswong.org:2222/clw/etckeeper_rpi4.git
git push --set-upstream origin master

Edit the PUSH_REMOTE option in /etc/etckeeper/etckeeper.conf, with the name of the remote repository you want etckeeper to push to. For example:

PUSH_REMOTE="origin"

If we are running pihole, we want to exclude pihole-FTL.db. Edit /etc/.gitignore and add the following to the end of the file.

pihole/pihole-FTL.db

We also have to remove the file from the repository. Run in /etc:

git rm --cached pihole/pihole-FTL.db

Commit the changes with

etckeeper commit

That should create a new commit and push the changes to the remote repository automatically.