                  wifi                         wifi uplink            wan
mobile-phone <~.~.~.~.~> (ap0)RPi(wlan0) <.~.~.~.~.> router <───> INTERNET

mobile-phone: dhcp 192.168.50.50 from RPi
RPi ap0:      192.168.50.1 + DHCP server
RPi wlan0:    dhcp 192.168.1.2 from router
RPi eth0:     dhcp 192.168.1.3 from router
router:       192.168.1.1 + DHCP server
-
Shift to sudo:
sudo -Es
-
Install DNSMasq & Hostapd:
apt install -y dnsmasq hostapd
-
Configure HostAPd for Access Point:
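SSID="<Your SSID>"
PASS="<Your Password>"
# The heredoc delimiter is unquoted so that $SSID and $PASS are expanded into the file
test -f /etc/hostapd/hostapd.conf || cat > /etc/hostapd/hostapd.conf <<EOF
ctrl_interface=/var/run/hostapd
driver=nl80211
country_code=IE
ssid=$SSID
hw_mode=g
channel=7
auth_algs=1
wpa=2
wpa_passphrase=$PASS
wpa_key_mgmt=WPA-PSK
# wpa_pairwise applies to WPA (v1) only; with wpa=2 the cipher comes from rsn_pairwise (CCMP)
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF
chmod 600 /etc/hostapd/hostapd.conf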
-
Validate hardware:
-
Validate supported interface:
iw list | grep "Supported interface modes" -A 8
The following should list the interfaces:
Supported interface modes:
 * IBSS
 * managed
 * AP
 * P2P-client
 * P2P-GO
 * P2P-device
We are interested in AP, which signifies that the driver supports Access Point as an interface mode.
-
Validate interface combinations:
iw list | grep "valid interface combinations" -A 8
The following should list the valid combinations:
valid interface combinations:
 * #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,
   total <= 3, #channels <= 2
 * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,
   total <= 4, #channels <= 1
Device supports scan flush.
Device supports randomizing MAC-addr in sched scans.
Supported extended features:
 * [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
Here, it means that not more than one AP or P2P-GO interface can be configured at the same time.
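The check above can be scripted. The following is an added example, not part of the original guide: it parses the "valid interface combinations" section and prints the `#channels` limit of the combination that allows a managed (client) interface and an AP interface at the same time. The function name and the embedded sample are constructed for illustration. A result of 1 means both interfaces have to share one channel, so the AP cannot stay on `channel=7` if the uplink is on a different channel.

```shell
#!/bin/sh
# Added example: reads `iw list` output on stdin and prints the #channels limit
# of the first combination that allows one managed (client) interface and one
# AP interface at the same time. Returns 1 if no combination allows both.
ap_sta_channels() {
    awk '
    function eval_combo(   n, i, g, set, has_m, has_ap) {
        if (combo == "") return
        has_m = has_ap = 0
        n = split(combo, g, "#[{]")      # g[2..n] each begin with one "{ ... }" set
        for (i = 2; i <= n; i++) {
            set = g[i]; sub(/[}].*/, "", set); gsub(/[ \t]/, "", set)
            set = "," set ","
            # modes listed in the same set share one limit, so require separate sets
            if (index(set, ",managed,") && !index(set, ",AP,")) has_m = 1
            if (index(set, ",AP,") && !index(set, ",managed,")) has_ap = 1
        }
        if (has_m && has_ap && !found && match(combo, "#channels <= [0-9]+")) {
            print substr(combo, RSTART + 13, RLENGTH - 13)
            found = 1
        }
        combo = ""
    }
    /valid interface combinations:/ { insec = 1; next }
    insec && /^[ \t]*[*]/   { eval_combo(); combo = $0; next }   # new combination
    insec && /^[ \t]*total/ { combo = combo " " $0; next }       # its continuation line
    insec                   { eval_combo(); insec = 0 }          # section ended
    END                     { eval_combo(); exit(found ? 0 : 1) }
    '
}

# Constructed sample: the combinations section from the output shown above.
SAMPLE='valid interface combinations:
 * #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,
   total <= 3, #channels <= 2
 * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,
   total <= 4, #channels <= 1
Device supports scan flush.'

printf '%s\n' "$SAMPLE" | ap_sta_channels      # on the Pi: iw list | ap_sta_channels
```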
-
-
Test access point creation:
/sbin/iw dev wlan0 interface add uap0 type __ap
/sbin/iw dev uap0 del
Note: The above commands should not return any errors.
-
Create the systemd service:
SYSTEMD_EDITOR=tee systemctl edit --force --full uap@0.service <<\EOF
[Unit]
Description=IEEE 802.11 %p%i AP on wlan%i with hostapd
After=network.target

[Service]
Type=forking
PIDFile=/run/hostapd.pid
Restart=on-failure
RestartSec=2
Environment=DAEMON_CONF=/etc/hostapd/hostapd.conf
EnvironmentFile=-/etc/default/hostapd
ExecStartPre=/sbin/iw dev wlan%i interface add %p%i type __ap
ExecStart=/usr/sbin/hostapd -i %p%i -P /run/hostapd.pid -B $DAEMON_OPTS ${DAEMON_CONF}
ExecStopPost=-/sbin/iw dev %p%i del

[Install]
WantedBy=multi-user.target
EOF
systemctl stop hostapd     # if the default hostapd service was active before
systemctl disable hostapd  # if the default hostapd service was enabled before
systemctl enable uap@0.service
rfkill unblock wlan
In case you want to edit the file in the future:
sudo -Es
export SYSTEMD_EDITOR=vi
systemctl edit --full uap@0.service
exit
-
Now we set up wpa_supplicant for client connections.
We need to update dhcpcd (the default DHCP client) by editing /etc/dhcpcd.conf, adding the following to the end (these settings replace the configuration suggested on Raspberry’s site, which defined a static address for wlan0 instead of a DHCP client; ref. "Define the wireless interface IP configuration"):
# these two lines are not strictly needed, as wlan0 uses the default configuration
interface wlan0
dhcp
# this defines static addressing to uap0 and disables wpa_supplicant for this interface
interface uap0
static ip_address=192.168.50.1/24
ipv4only
nohook wpa_supplicant
-
Install iptables, netfilter.
sudo DEBIAN_FRONTEND=noninteractive apt install -y netfilter-persistent iptables-persistent
-
Create a file for routing ap:
test -f /etc/sysctl.d/routed-ap.conf || cat >/etc/sysctl.d/routed-ap.conf <<\EOF
# https://www.raspberrypi.org/documentation/configuration/wireless/access-point-routed.md
# Enable IPv4 routing
net.ipv4.ip_forward=1
EOF
-
Configure DNSMasq:
cat >> /etc/dnsmasq.conf <<\EOF
# disables dnsmasq reading any other files like /etc/resolv.conf for nameservers
no-resolv
interface=uap0
no-dhcp-interface=lo,wlan0
domain-needed
bogus-priv
server=8.8.8.8
dhcp-range=192.168.50.50,192.168.50.199,12h
dhcp-option=3,192.168.50.1
EOF
-
Install OpenVPN:
apt install openvpn -y
-
Download or sync the .ovpn file from the local terminal (replace the placeholders with your Pi's user and address):
rsync -chavzP --stats ~/Downloads/client.ovpn <user>@<raspberry-pi-address>:~/OVPN/
-
Copy the ovpn file to /etc/openvpn/:
sudo mv ~/OVPN/client.ovpn /etc/openvpn/home.conf
-
Validate OpenVPN works by running:
sudo openvpn --config "/etc/openvpn/home.conf"
-
Set OpenVPN to autostart with home.conf. Edit /etc/default/openvpn by running:
sudo nano /etc/default/openvpn
Uncomment #AUTOSTART="all" and change all to home. The line should look like this:
AUTOSTART="home"
-
Add firewall rules:
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o uap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i uap0 -o wlan0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
sudo netfilter-persistent save
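
The following is an added example, not part of the original guide: an audit of the FORWARD chain, assuming the goal is that access point clients only reach the Internet through the tunnel. It shows that the rules above leave the FORWARD policy at ACCEPT and explicitly allow uap0 traffic out through wlan0, so clients are forwarded unencrypted whenever tun0 is down. The function name and both rule sets are constructed, and the stricter set is one possible alternative rather than the guide's configuration.

```shell
#!/bin/sh
# Added example: audits iptables-save text on stdin. Flags a FORWARD policy other
# than DROP and any FORWARD ACCEPT rule that lets traffic arriving on the AP
# interface ($1) leave through an interface other than the VPN tunnel ($2).
# Returns 1 when something was flagged.
audit_forward() {
    awk -v ap="$1" -v vpn="$2" '
    $1 == ":FORWARD" && $2 != "DROP" { print "policy: FORWARD " $2; bad = 1 }
    $1 == "-A" && $2 == "FORWARD" && $NF == "ACCEPT" {
        in_if = out_if = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
        }
        if (in_if == ap && out_if != vpn) { print "bypass: " $0; bad = 1 }
    }
    END { exit(bad + 0) }
    '
}

# Constructed: filter table as iptables-save would print it after the commands above.
PAGE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan0 -o uap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i uap0 -o wlan0 -j ACCEPT
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT'

# Constructed alternative (an assumption, not the page ruleset): AP clients may
# only be forwarded into the tunnel, and everything else is dropped.
STRICT_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i uap0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o uap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

printf '%s\n' "$PAGE_RULES"   | audit_forward uap0 tun0 || echo "page ruleset: flagged"
printf '%s\n' "$STRICT_RULES" | audit_forward uap0 tun0 && echo "strict ruleset: clean"
```

To audit the live table on the Pi, pipe `sudo iptables-save -t filter` into `audit_forward uap0 tun0`.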