Secure home network with raspberry pi based VPN gateway

First walk through https://www.mka.in/wp/create-own-wifi-router-using-raspberry-pi-4/ to configure the Raspberry Pi as a wireless router.

To build the VPN gateway, I have used the OpenVPN software and VPN services from https://www.cactusvpn.com, as it offered a free 3-day trial without storing payment details.

Once OpenVPN is working as the gateway for the entire home, I can switch to other VPN providers or extend the CactusVPN subscription.

Install openvpn

aptitude install openvpn

Visit https://www.cactusvpn.com and create a new account. After verifying your email, log in to the CactusVPN portal and go to “Settings -> VPN Username and Password”. Here you can update the username and password if you want.

Next go to “Support -> How to start -> VPN -> Setup an VPN”, look for “Download OpenVPN config files” and click it. A new page pops up; from there download the OpenVPN configuration files and the OpenVPN certificate (ca.crt).

Place both downloads in /etc/openvpn/client/ and unzip CactusVPN-OpenVPN-Config.zip.

Now you are ready to launch OpenVPN with the location file of your choice. For example, I have used US-Seattle-CactusVPN-UDP.ovpn:

openvpn /etc/openvpn/client/US-Seattle-CactusVPN-UDP.ovpn 

2022-12-19 09:09:55 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-12-19 09:09:55 OpenVPN 2.5.1 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2022-12-19 09:09:55 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
🔐 Enter Auth Username: xxxxxxx
🔐 Enter Auth Password: *******                 

After a successful connection, you should see a tun0 interface in the list of network interfaces.

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet xx.xx.xx.xx  netmask 255.255.255.255  destination xx.xx.xx.xx
        inet6 xxxxxxxxxxxxxxxx  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 25197  bytes 23654444 (22.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21502  bytes 2851338 (2.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

In https://www.mka.in/wp/create-own-wifi-router-using-raspberry-pi-4/, I had used the eth0 interface to MASQUERADE traffic. To direct traffic via tun0 instead, delete the eth0 rule and add a tun0 rule in iptables.

iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Make the iptables changes persistent

netfilter-persistent save
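As an added check that is not part of the original post, the script below audits an iptables-save dump for the state the steps above aim for: no MASQUERADE rule left on eth0, a MASQUERADE rule on tun0, and (a suggested extra, not from the post) a FORWARD rule that drops LAN traffic which would not leave through tun0, so clients do not fall back to the plain uplink if the tunnel drops. It assumes the LAN-facing wireless interface is named wlan0 and uses a constructed sample dump so it runs offline.

```shell
#!/bin/sh
# Added example: audit the NAT/forwarding rules of the Raspberry Pi VPN gateway.
# Assumption: the LAN-facing (Wi-Fi) interface is wlan0; the kill-switch rule
# "-A FORWARD -i wlan0 ! -o tun0 -j DROP" is a suggested addition, not from the post.

# Constructed sample representing `iptables-save` output on a correctly configured gateway.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i wlan0 ! -o tun0 -j DROP
COMMIT'

# audit_nat_rules RULES [LAN_IF]
# Prints findings; returns 0 only when all three checks pass.
audit_nat_rules() {
  rules=$1
  lan_if=${2:-wlan0}
  status=0
  # 1. An eth0 MASQUERADE rule means LAN traffic can bypass the tunnel.
  if printf '%s\n' "$rules" | grep -q -- '-A POSTROUTING -o eth0 -j MASQUERADE'; then
    echo "FAIL: eth0 MASQUERADE rule still present"
    status=1
  fi
  # 2. Without NAT on tun0, forwarded LAN traffic cannot use the VPN.
  if ! printf '%s\n' "$rules" | grep -q -- '-A POSTROUTING -o tun0 -j MASQUERADE'; then
    echo "FAIL: no MASQUERADE rule for tun0"
    status=1
  fi
  # 3. Kill switch: forwarded LAN traffic must only leave via tun0.
  if ! printf '%s\n' "$rules" | grep -q -- "-A FORWARD -i $lan_if ! -o tun0 -j DROP"; then
    echo "WARN: no kill-switch rule; traffic may leave unencrypted if tun0 goes down"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: forwarded traffic is NATed out via tun0 only"
  return $status
}

# On the gateway itself (as root) run: audit_nat_rules "$(iptables-save)" wlan0
audit_nat_rules "$SAMPLE_RULES" wlan0
```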

That's all! You can verify the VPN connection on any device connected to the Raspberry Pi's SSID by looking up your public IP on a portal such as https://www.whatismyip.com/.

Later I tried NordVPN using the same VPN gateway.