DIY VPN access point
August 16, 2020 — October 7, 2024
I would like to use an anonymising VPN in my house. I could install separate software on each device, but this is unsatisfactory. By default, our household devices should not have to route communications between one another via Amsterdam. This is terrible for sharing files from the network file server, copying photos, or streaming from the household media server, etc. Instead, our network should be a normal wifi network, but the wire that connects us to the outside world — everything that goes over that wire — should be encrypted.
To do that, one sets up a VPN router/access point. If you are taking one of the VPN options, an understanding of basic firewall management is advisable.
In hindsight, I made this harder for myself than I needed to by trying to combine the WAP and VPN functions on the same device.
Next time I might run a VPN on a separate device and just use a plain WAP as a WAP. Open source router operating systems such as pfSense can be configured to route all traffic through a VPN.
1 Flash a router
Getting a non-VPN router and flashing it with VPN-friendly firmware is tedious. You need a fancy router, and the crappy free one you got from your ISP isn’t fancy. Basic routers typically have about 64MB RAM and unbelievably feeble CPUs. As computers, they would have seemed mediocre in the year 2000, but for some reason, we pay a giant premium to have them wired into the broadband in the 2020s. If I try to do something even mildly taxing, such as securing my communications using such devices, they fall over and die. I suppose there is a good antenna on these things or some other compensation. Generally, we need to buy a fancy router (or just a normal computer) and tweak the software. This requires more time, research, and money than I would ideally like.
General theory: use DD-WRT. Tomato is also popular.
- How to Flash Your NETGEAR Router with DD-WRT: 5 Easy Steps
- DD-WRT
- DD-WRT » Community
- Firmware FAQ - DD-WRT Wiki
VPN-specific:
Vyprvpn distributes custom router images on Tomato for certain routers.
ExpressVPN supports a custom VPN app on certain routers.
Addendum: Amusingly, I received a request from request1@express-vpn.org (notice the slightly different URL) asking me to remove this link to expressvpn.com.1 I presume someone (a competitor? a state? an internal marketing campaign?) dislikes ExpressVPN enough to pay someone to send emails to bloggers like me. Not sure what is going on there but it is intriguingly spicy and makes me inclined to recommend ExpressVPN just to keep things interesting. On the other hand, I contacted ExpressVPN about this and they took 6 months to get back to me and did not offer a pro-forma “thank you for taking the time,” and then they rejected my application to be an affiliate marketer, so maybe they are not the heroes of this story.
BlackVPN has good documentation on how you would use DD-WRT firmware to enable privacy on their system.
2 Pre-rolled VPN router
Gradually becoming more affordable, although still expensive, because decent modern routers remain remarkably expensive. If you trust the vendors, this might be a viable option. Techradar reviews some options. Flashrouters reconfigures third-party routers (affiliate link); their surcharge is small, and it is hard to imagine beating their total price unless you value your labour at nothing or work as a network tech and flash routers all day or something.
3 Make a spare laptop into a VPN access point
Any Linux machine with wifi can be a wireless access point: even, or especially, a crappy old spare laptop too slow for anything else. This is typically cheaper than buying a fancy router, and even a crappy laptop is faster than most routers, although with worse antennae. If you want to understand what you are doing here without doing a whole IT degree, the smoothest theoretical intro I have found is Carla Schroder’s Linux Networking Cookbook (although it is no longer a practical intro because it came out more than a decade ago), and there are various explanations of the theory of netfilter. Also, Jim Salter’s rant that routers are terrible computers for the price, in the form of a HOWTO, is kinda interesting. You can even configure this whole thing with a GUI on recent Ubuntu. It seems that a minimally decent computer with a good antenna would be a better value proposition and also easier for idiots like me who want to plug in a keyboard or such. Nitty-gritty-I-don’t-care-why-tell-me-how intros? See this grumpy but simple and acclaimed stackoverflow answer. There are some wrinkles.
4 Single-board-computer VPN access points
One can do this especially economically using a single board computer such as the Raspberry Pi, which even out-of-the-box has respectable wireless performance. This seems like a good idea when you first think of it. My, you think, that will use little power and require little space and I can keep the computer stuck to the ceiling somewhere and that will be fine. In practice, it has been much more difficult for me since the reason that the computer is so tiny and efficient is that it has no screen or keyboard, and inevitably something breaks down in the network stack and I need a screen and keyboard attached to diagnose it and they are both really hard to attach to a tiny computer stuck to the ceiling. Many hours have I lost in diagnosing a problem, thinking it was fixed forever and then the moment I put the raspberry pi somewhere inconvenient, everything falls apart. This is the nature of networking problems in general, of course.
If you are doing this with a Raspberry Pi 4, do not use a case unless it has a fan, or the device will overheat and crash.
There is a hard limit of 7 clients for the onboard wifi of a Raspberry Pi in access point mode, which is not many for a modern IoT household.
Basic WAP (wireless access point) setup is documented by the Raspberry Pi folks themselves.
The inbuilt wifi is acceptable but I notice that in a bigger space it might not be powerful enough. A USB wifi dongle with a 5dBi gain antenna might be better. I would like to know if the purported decreased robustness of 802.11ac versus 802.11n is worth it. Reviews of USB wifi dongles here. Note there are also PoE (“Power over Ethernet”) HATs available which might be helpful for this usage.
Here is their recommended setup that worked fine for me as a vanilla (non-VPN) AP. I did run into problems with the iptables-restore not running after a VPN reconnect. Mustafa Çalap’s setup is even simpler but seems to handle VPN disconnection with even less grace. The Zentralwerkstatt howto uses a slightly different software profile (adding in isc-dhcp-server and iptables-persistent) than the others, which means you can avoid some of the manual iptables configuration, but I’m less familiar with what is going on. I will try this next in the hope it is more reliable. AFAICS the necessary bits of the classic dovyez universal firewall are:
#hostAP stuff: NAT the wireless clients (wlan0) out through the wired uplink (eth0)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# let replies from the uplink back to the wireless clients
iptables -A FORWARD -i eth0 -o wlan0 -m state \
--state RELATED,ESTABLISHED -j ACCEPT
# let the wireless clients initiate connections out via the uplink
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
# For the VPN case, eth0 in the three rules above must be the tunnel interface
# (tun0 for OpenVPN), otherwise client traffic goes out over the bare uplink.
# HostAP needs INPUT to accept the clients' DHCP and DNS requests on wlan0.
# The two rules below accept everything on every interface: a no-op under the
# default ACCEPT policy, and a hole on eth0 under any stricter policy.
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
The ZadenRB one includes a hand-rolled web interface, which looks convenient but also flaky. 🤷♂ I ignored the bits about web interfaces with this howto. I had the problem that the dnsmasq configuration would never update after openvpn launched on restart, which seemed to be about the setup of /etc/dnsmasq.conf being fragile when things booted up in the wrong order. Also, it made lots of rules to enable VPN access TO the Pi externally, which is not an extra attack surface I need right now.
So far, even though it looks long, the two part pimylifeup write-up seems to have worked best. It’s only long because it over-explains; there are not in fact many steps and the setup seems fairly robust.
For any of these, one should also secure the Pi.
Bonus tip: the wifi might crash for issues related to the brcmfmac driver. Possibly a firmware update helps. I have experienced this bug on the Raspberry Pi 3B+ but it is not clear to me how widespread it is, and I have not reproduced it on recent Raspbian builds. Update: this firmware update seems better.
To make sure your intranet does not leak information during a VPN disconnect, perhaps vpnfailsafe would be a good idea.
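As an added example (my own, not code from any of the howtos linked above nor from vpnfailsafe), here is a fail-closed ruleset for the Pi-as-VPN-AP case, generated in iptables-restore format, which is the format iptables-persistent loads at boot. It addresses two things from this page at once: the hostAP rules above, which NAT out of eth0 and so would carry client traffic over the bare uplink whenever the tunnel is down, and the leak-on-disconnect problem vpnfailsafe targets. The interface names (wlan0, eth0, tun0), the VPN endpoint 203.0.113.10 on UDP 1194 and SSH on port 22 are assumptions; so is that the OpenVPN config uses a literal IP in its remote line, since the Pi is forbidden from doing DNS over the bare uplink.

```shell
#!/bin/sh
# vpn_ap_rules: print a fail-closed iptables-restore ruleset for a VPN access point.
# Example code, not from any of the howtos above. Interface names, VPN endpoint
# and SSH port are assumptions; pass your own.
#   vpn_ap_rules LAN_IF WAN_IF TUN_IF VPN_IP VPN_PORT [VPN_PROTO]
# Nothing here depends on the tunnel existing: rules naming TUN_IF load fine
# before it is up, and when it drops the kernel would route clients out of
# WAN_IF, where the FORWARD policy of DROP stops them.
vpn_ap_rules() {
    vap_lan=$1 vap_wan=$2 vap_tun=$3 vap_ip=$4 vap_port=$5 vap_proto=${6:-udp}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT clients out of the tunnel only; deliberately no MASQUERADE on $vap_wan
-A POSTROUTING -o $vap_tun -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# what hostapd's clients need from the Pi: DHCP and DNS (dnsmasq), plus SSH for admin
-A INPUT -i $vap_lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $vap_lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $vap_lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $vap_lan -p tcp --dport 22 -j ACCEPT
# DHCP offers from the upstream router can arrive as broadcasts conntrack does not match
-A INPUT -i $vap_wan -p udp --sport 67 --dport 68 -j ACCEPT
# forwarding: wireless clients may only go into the tunnel, and only replies come back
-A FORWARD -i $vap_lan -o $vap_tun -j ACCEPT
-A FORWARD -i $vap_tun -o $vap_lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the Pi itself: anything on lo, LAN and tunnel; on the bare uplink only DHCP and the VPN handshake
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $vap_lan -j ACCEPT
-A OUTPUT -o $vap_tun -j ACCEPT
-A OUTPUT -o $vap_wan -p udp --dport 67 -j ACCEPT
-A OUTPUT -o $vap_wan -p $vap_proto -d $vap_ip --dport $vap_port -j ACCEPT
COMMIT
EOF
}

# vpn_ap_apply: load the rules now and save them where iptables-persistent
# restores them at boot (Debian/Raspbian path). Same arguments as vpn_ap_rules.
vpn_ap_apply() {
    vpn_ap_rules "$@" | iptables-restore && vpn_ap_rules "$@" > /etc/iptables/rules.v4
}
```

Usage: source the file and run `vpn_ap_rules wlan0 eth0 tun0 203.0.113.10 1194 | sudo iptables-restore` to try it, or `vpn_ap_apply` with the same arguments to persist it; net.ipv4.ip_forward=1 still has to be set as in the howtos. Because the ruleset is static and never touches the uplink NAT, the iptables-restore-after-reconnect problem above goes away: there is nothing to re-run when openvpn comes back. This is IPv4 only; if the uplink hands out IPv6, either write the matching ip6tables ruleset or disable IPv6 on the Pi, otherwise client traffic leaks over v6 regardless of what the v4 rules say.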
In practice, even the simplest options are stupidly complex for something that should be a ubiquitous default. Realistically, what I do is usually: try to configure an access point, then discover that there is some weird kernel error/bug specific to the particular device I am using, which has never been seen on the internet, which requires a specialist network nerd, and which I don’t have time to fix. The latest version of the pi and its OS work fine, mind you, but this kind of challenge is typical of trying to cobble together security for non-spooks.
I am somewhere in the topmost single-digit percentiles of the population in terms of fluency in stupid geeky shit like this and it is at best marginally feasible for me to work this stuff out and set it up. Realistically, most of my friends who have a worse ROI on time spent doing this are not using VPNs and therefore too much data is being leaked to unaccountable surveillance programs. The world is awful.
Footnotes
Hi Dan, I am reaching out on behalf of ExpressVPN. We have recently run an audit of our backlink profile and are now working on removing some backlinks. Would it be possible for you to remove your links to our website, www.expressvpn.com, from the following pages? Once you’ve removed the links, could you please let me know? All help is greatly appreciated. Thank you in advance. Kind regards, Request Team @ ExpressVPN↩︎