Noob - Using a PI 4 as VPN AP

Hi there,

I'm a networking noob. I know very little, almost none, and hope for your advice on setting up my PI as a wireless AP with a wireguard VPN client for passed traffic.

Ideally I would like to expose a wireless network and use one of the ethernet ports for VPN internet access too, but WiFi is my priority.

I have a router/modem at home and run an ethernet cable to the ethernet port of the Pi. I managed to get the Pi an internet connection on the LAN interface, and now want to expose that on WiFi.

I select the LAN interface in the WiFi section, but it fails to start up when I check wifi status. Several messages in sys logs, some around eth devices not found.

No network is accessible from my phone.

Would appreciate some advice for first baby steps.

The wifi on board a Pi is very weak both in terms of antenna quality and in terms of the chipset's capability. It's probably ok as a travel router or as a management interface, but it's not going to work reliably outside the same room you're in.

That being said, can you screenshot the wireless page in the web interface, or upload the wireless config in a preformatted text block?

Apologies for a late response. I'm planning on using this as a WireGuard VPN client for travel; ideally via a USB to ethernet dongle in the future - but WiFi is my first step.

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option country '00'
        option htmode 'VHT40'
        option noscan '1'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'ap101'
        option encryption 'psk2'
        option key 'test123123123'

And last few lines of logread:

Tue Mar  2 23:48:05 2021 user.notice nobody: sqm_collectd.sh more than 2
Tue Mar  2 23:48:35 2021 user.notice nobody: sqm_collectd.sh more than 2
Tue Mar  2 23:49:05 2021 user.notice nobody: sqm_collectd.sh more than 2
Tue Mar  2 23:49:35 2021 user.notice nobody: sqm_collectd.sh more than 2
Tue Mar  2 23:49:50 2021 daemon.notice netifd: radio0 (24838): command failed: No error information (-524)
Tue Mar  2 23:49:50 2021 daemon.notice netifd: radio0 (24838): command failed: I/O error (-5)
Tue Mar  2 23:50:05 2021 daemon.err collectd[21271]: processes plugin: Failed to open `/proc/25027/cmdline': No such process.
Tue Mar  2 23:50:05 2021 user.notice nobody: sqm_collectd.sh more than 2
Tue Mar  2 23:50:21 2021 daemon.notice netifd: radio0 (24838): Command failed: Request timed out
Tue Mar  2 23:50:21 2021 daemon.notice netifd: radio0 (24838): Command failed: Not found
Tue Mar  2 23:50:21 2021 daemon.notice netifd: radio0 (24838): Device setup failed: HOSTAPD_START_FAILED
Tue Mar  2 23:50:21 2021 daemon.notice netifd: radio0 (25113): WARNING: Variable 'data' does not exist or is not an array/object
Tue Mar  2 23:50:35 2021 user.notice nobody: sqm_collectd.sh more than 2
Tue Mar  2 23:51:05 2021 user.notice nobody: sqm_collectd.sh more than 2
Tue Mar  2 23:51:35 2021 user.notice nobody: sqm_collectd.sh more than 2
Tue Mar  2 23:52:05 2021 daemon.err collectd[21271]: processes plugin: read_file_contents: Reading file "/proc/25691/stat" failed.
Tue Mar  2 23:52:05 2021 daemon.err collectd[21271]: processes plugin: Failed to read from `/proc/25695/cmdline': No such process.
Tue Mar  2 23:52:05 2021 user.notice nobody: sqm_collectd.sh more than 2

country should be your 2-letter country code. Then of course channel selected needs to be legal in that country.
Remove noscan and cell_density lines.

That brought the network up - thank you so much!

Is there any general advice you can give for the end goal? My next step is to get a dongle and use the USB port as a WAN port into my device. All traffic going via this LAN is to be passed through my Wireguard VPN subscription.

In particular, are there any dongles and kernel drivers that are known to work with this device?

The "VPN AP" use case you propose requires only one Ethernet port, connected to your LAN (or any network with a path to the Internet) as it is now, and a wifi AP. So you should not need to buy any more hardware.

Create a new network for vpn users. It needs a static IP that doesn't conflict with the "upstream" LAN, and a DHCP server. When someone connects to the AP, they get an IP address that has no connection to the LAN. Instead they will be forwarded into the VPN tunnel. This network can be a bridge even though it presently will have only one physical interface.

So now you need a VPN tunnel. See the wiki and your VPN company's instructions about setting up Wireguard.

The connection from vpn users to the vpn tunnel is through the firewall. Make two new firewall zones, e.g. vpnuser and vpntun and attach them to the respective interfaces. Have a forward from vpnuser to vpntun. And enable masquerade on the tunnel.

Hi again mk24,

Instead of making a new thread I thought I'd reply in here. Your help is greatly appreciated. Here's what I did.

I made a new interface called VPNNET - a static address of 192.168.99.1, enabled DHCP server with DHCP options at 6,10.64.0.1 and 10.64.0.1 as my custom DNS server. Interface is ticked as a 'bridge'.

/etc/config/network

config interface 'vpnnet'
        option proto 'static'
        option type 'bridge'
        option ipaddr '192.168.99.1'
        list dns '10.64.0.1'

I selected the wireless network from before to attach to this newly created 'vpnnet'.

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option country 'GB'
        option htmode 'VHT40'
        option channel '36'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'ap101'
        option encryption 'psk2'
        option key 'hardtoguesspassword'
        option network 'vpnnet'

I've set up a new interface as per mullvad wireguard instructions. Generated a private + public key, used mullvad API and my account number to get the IP address of the wireguard interface. Enabled force link, added a peer with a public key of the peer, endpoint host and an endpoint port. Set the allowed IPs field to 0.0.0.0/0.

config wireguard_WGINTERFACE
        option description 'gb29 mullvad'
        option public_key 'uaBPua4Tnbluy51WbNOahHx77RGJFGRr/MAqWFILJhI='
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 'gb29-wireguard.mullvad.net'
        option endpoint_port '51820'

Went to firewall; created a "vpntun" zone for tunnelling - covered network as "vpnnet" - which is what my WiFi AP is attached to. Accept on input, output and forward. Masquerading enabled.

config zone
        option name 'vpntun'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpnnet'
        option forward 'ACCEPT'

Another zone "vpnusr". This time the covered network is "WGINTERFACE" which is the wireguard interface with mullvad settings. Allowed forwards to destination zone "vpntun" (and on the receiving end allow from source from this new zone as well). Accept on everything.

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'vpnusr'
        option network 'WGINTERFACE'

This made me lose my LAN to WAN connection - when I SSH into the Pi there is no internet. WiFi network still exists. I see packets on all three interfaces (lan, vpnnet, wginterface) - but no connection.

Any advice appreciated guys.

vpnnet is the users (the AP) and vpntun is the tunnel. You have this backwards in the firewall. Also you need a config forwarding from vpnusr to vpntun. masq is always on the destination zone, that is vpntun.

Running route to examine the routing table should show how it works. Once brought up, the default is for all Internet access from the router OS to also go by VPN. Except that there is one exception to go to the VPN server directly.

Thanks! The config forwarding rule is already there:

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'vpnusr'
        option network 'vpnnet'

config zone
        option name 'vpntun'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option forward 'ACCEPT'
        option network 'WGINTERFACE'

config forwarding
        option src 'vpnusr'
        option dest 'vpntun'

Swapped the covered network on vpnusr to vpnnet and vpntun to WGINTERFACE. Still no connection via the AP or internet on LAN in the Raspberry Pi.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd75:fddf:4d3d::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'
        list dns '192.168.1.254'

config interface 'vpnnet'
        option proto 'static'
        option type 'bridge'
        option ipaddr '192.168.99.1'
        list dns '10.64.0.1'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxx'
        list addresses '10.71.240.227'
        option force_link '1'

config wireguard_WGINTERFACE
        option description 'gb29 mullvad'
        option public_key 'uaBPua4Tnbluy51WbNOahHx77RGJFGRr/MAqWFILJhI='
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 'gb29-wireguard.mullvad.net'
        option endpoint_port '51820'

Some failures in logread:

Wed Mar  3 19:39:10 2021 daemon.crit dnsmasq[6547]: inconsistent DHCP range at line 34 of /var/etc/dnsmasq.conf.cfg01411c
Wed Mar  3 19:39:10 2021 daemon.crit dnsmasq[6547]: FAILED to start up
Wed Mar  3 19:39:15 2021 daemon.crit dnsmasq[6717]: inconsistent DHCP range at line 34 of /var/etc/dnsmasq.conf.cfg01411c
Wed Mar  3 19:39:15 2021 daemon.crit dnsmasq[6717]: FAILED to start up
Wed Mar  3 19:39:20 2021 daemon.crit dnsmasq[6718]: inconsistent DHCP range at line 34 of /var/etc/dnsmasq.conf.cfg01411c
Wed Mar  3 19:39:20 2021 daemon.crit dnsmasq[6718]: FAILED to start up
Wed Mar  3 19:39:25 2021 daemon.crit dnsmasq[6719]: inconsistent DHCP range at line 34 of /var/etc/dnsmasq.conf.cfg01411c
Wed Mar  3 19:39:25 2021 daemon.crit dnsmasq[6719]: FAILED to start up
Wed Mar  3 19:39:26 2021 daemon.err uhttpd[3253]: luci: accepted login on / for root from 192.168.1.118
Wed Mar  3 19:39:30 2021 daemon.crit dnsmasq[6868]: inconsistent DHCP range at line 34 of /var/etc/dnsmasq.conf.cfg01411c
Wed Mar  3 19:39:30 2021 daemon.crit dnsmasq[6868]: FAILED to start up
Wed Mar  3 19:39:30 2021 daemon.info procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash

Line 34 is:

dhcp-range=set:vpnnet,192.168.99.2,192.168.99.0,255.255.255.255,12h
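An added example, not from the thread and not an OpenWrt tool: a small Python checker for the zone wiring mk24 describes above (the users zone forwarding into the tunnel zone, masq on the tunnel) plus the static-interface netmask that the inconsistent dhcp-range in the last logread points at. parse_uci and check_vpn_ap are hypothetical helper names, and the embedded config is condensed from the posts in this thread.

```python
import shlex

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts'}]; 'list' keys collect lists."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True) or [""]  # blank lines match nothing below
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else "", "opts": {}})
        elif parts[0] == "option" and len(parts) == 3:
            sections[-1]["opts"][parts[1]] = parts[2]
        elif parts[0] == "list" and len(parts) == 3:
            sections[-1]["opts"].setdefault(parts[1], []).append(parts[2])
    return sections

def check_vpn_ap(network_cfg, firewall_cfg, users="vpnnet", tunnel="WGINTERFACE"):
    """Return the wiring problems found; an empty list means mk24's design holds."""
    fw, problems = parse_uci(firewall_cfg), []
    zones = {s["opts"].get("name"): s["opts"] for s in fw if s["type"] == "zone"}
    # network name -> zone name, reading the 'option network "a b"' form used in the thread
    zone_of = {n: z for z, o in zones.items() for n in o.get("network", "").split()}
    uz, tz = zone_of.get(users), zone_of.get(tunnel)
    if uz is None or tz is None:
        return [f"{users} or {tunnel} is not covered by any firewall zone"]
    if zones[tz].get("masq") != "1":
        problems.append(f"masq is off on {tz}, the zone covering the tunnel {tunnel}")
    fwds = {(s["opts"].get("src"), s["opts"].get("dest")) for s in fw if s["type"] == "forwarding"}
    if (uz, tz) not in fwds:
        problems.append(f"no 'config forwarding' from {uz} (users) to {tz} (tunnel)")
    for s in parse_uci(network_cfg):  # no netmask: dnsmasq's generated dhcp-range is inconsistent
        o = s["opts"]
        if s["type"] == "interface" and o.get("proto") == "static" and "netmask" not in o:
            problems.append(f"interface {s['name']}: static ipaddr without netmask")
    return problems

# Constructed samples, condensed from the configs posted in the thread.
NETWORK = """config interface 'vpnnet'
        option proto 'static'
        option ipaddr '192.168.99.1'"""
FIREWALL = """config zone
        option name 'vpnusr'
        option network 'vpnnet'
config zone
        option name 'vpntun'
        option masq '1'
        option network 'WGINTERFACE'
config forwarding
        option src 'vpnusr'
        option dest 'vpntun'"""
```

Running check_vpn_ap(NETWORK, FIREWALL) on the final posted config reports only the missing netmask on vpnnet; swapping the two zones' networks, as in the first attempt, reports the masq and forwarding problems instead.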