ab1
Posts: 4
Joined: Fri Apr 22, 2016 6:58 pm

Plug-and-play policy based VPN router on a Raspberry Pi

Mon Jan 23, 2017 11:13 am

Howdy folks!

I've been working on a project to build a plug-and-play, policy-based VPN router running on the RPi platform, which un-blocks popular Internet content, such as Netflix ad Hulu. It is now more or less complete, so I thought I would share some details with the community.

The project is documented in my blog post here:
https://anton.belodedenko.me/black-box/

Or on the GitHub pages site:
http://black-box.belodedenko.me/

The device requires activation using Bitcoin or PayPal in order to establish a VPN connection, so in effect, this is a subscription service. The VPN servers (exit-nodes) are managed, so the user does not need to know where they are, as long as the traffic is successfully un-blocked. Currently it is in free preview mode, so anyone can flash an image and kick the tyres a bit.

Devices can be operated in normal client mode, or in server (exit-node) mode, where they become exit nodes for the client devices to connect and tunnel traffic through. This is useful for deploying small exit-nodes onto residential Internet connections in target un-blocking regions.

The project is written in Python, with Bash scripts used to mainly bootstrap, interface to the OpenVPN client as well as perform OS based tasks.

The code is compiled using Nuitka to executables on custom build boxes, provisioned using Digital Ocean API and destroyed on build completion. Both x86 (Intel NUC) and ARMv7 (RPi2/3) platforms are built and supported. The later uses QEMU to provision the build environment on x86_64 hardware.

The appliance uses Linux routing tables (rt_tables) together with iptables, ipset and dnsmasq components to send some interesting traffic (i.e. netflix.com) via the tunnel interface and everything else out the local Internet interface. DNS requests are captured and re-written to the local dnsmasq instance, to prevent DNS leaks. IPv6 is supported as well as stunnel mode, where the OpenVPN connection is wrapped inside an SSL tunnel to better socialise it in hostile deep packet inspection environments (e.g. GFW).

If the Pi is equipped with a USB Wi-Fi dongle (or built-in), the router advertises a local Wi-Fi network. If no WLAN interface is detected, the device can be operated in LAN routing mode, by setting default gateway of client devices to the LAN IP of the device.

User interfaces is provided by way of AWS (EBS) hosted dashboard, backing off to API hosted in the same place.

If anyone is interested in specific technical aspects, please send your questions and I'll try to answer them.

Cheers!

-- ab1

Return to “Networking and servers”