Your example shows a tun device, so we exclusively have to use routing. I use Raspbian Stretch Lite 2018-04-18. The idea is to set up a static minimal configuration without any extras, e.g. a dhcp server or so. If routing works it could be extended step by step.
Default networking on Raspbian is often confusing, particularly with more complex setups [1]. So I use systemd-networkd, which is designed for server setups. Because it's difficult for me to guess all ip addresses of your interfaces, I have set up my test with these ip addresses:
                    10.10.10.2                    +----------+ 10.10.10.1
                   / vpn-tunnel                   |          |   \
            (tun0) =============\\              //======================> VPN-SERVER
PHONE ~.~.~.~.~.~> (wlan0)RPI(eth0) ----------> ROUTER ---> | INTERNET |
    \ wifi /          \ ethernet /          wan   |          |
192.168.1.2  192.168.1.1   192.168.0.2    192.168.0.1  +----------+
Another problem for me is that I don't have a cisco3000 VPN Concentrator, so I cannot use vpnc. Instead I used openvpn, but it should do the same things in routing. Setting up an openvpn infrastructure is out of scope here.
You can look at how to migrate from networking to systemd-networkd if you like to use that, but you only have to follow Step 1 to Step 3 there, with these files:
rpi ~$ sudo cat >/etc/systemd/network/04-eth.network <<EOF
[Match]
Name=e*
[Network]
Address=192.168.0.2/24
Gateway=192.168.0.1
EOF
rpi ~$ sudo cat >/etc/systemd/network/08-wifi.network <<EOF
[Match]
Name=wl*
[Network]
Address=192.168.1.1/24
IPForward=yes
EOF
ip forwarding is essential.
Don't set up wpa_supplicant. Instead install hostapd [2]:
rpi ~$ sudo -Es
rpi ~# systemctl disable wpa_supplicant.service
rpi ~# apt update
rpi ~# apt full-upgrade
rpi ~# apt install hostapd
rpi ~# systemctl stop hostapd.service
Configure the access point host software (hostapd) with this file:
rpi ~# cat >/etc/hostapd/hostapd.conf <<EOF
interface=wlan0
driver=nl80211
ssid=MyTestAP
hw_mode=g
channel=6
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=VerySecretPw
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF
rpi ~# chmod 600 /etc/hostapd/hostapd.conf
Set DAEMON_CONF="/etc/hostapd/hostapd.conf" in /etc/default/hostapd with:
rpi ~# sed -i 's/^#DAEMON_CONF=.*$/DAEMON_CONF="\/etc\/hostapd\/hostapd.conf"/' /etc/default/hostapd
rpi ~# systemctl reboot
Then you have to set a static route in your internet router so it can find the route over the raspi to your mobile phone. On most internet routers you can set a static route, but how to do that varies from model to model. It's up to you to find it out. On a Raspberry Pi it would look like this (don't set it on your Raspi router!):
rpi ~$ sudo ip route add 192.168.1.0/24 via 192.168.0.2 dev ethX
That means for the internet router: "send all packets belonging to subnet 192.168.1.0/24 (destination network) to the next router on my subnet, your raspi-router 192.168.0.2 (gateway). It knows where to go on."
If you have no access to the internet router you can fake it with nat to tell it a lie that all packets are coming from your raspi. Set this on your Raspberry Pi:
rpi ~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
But this should only be the second choice because it's not clean routing, has limitations and may be confusing.
If you now connect your mobile phone to MyTestAP, configure it with a static ip address 192.168.1.2 and gateway 192.168.1.1. Then you should be able to connect to the internet.
The setting is:
rpi ~$ ip addr # stripped to relevant information
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global wlan0
rpi ~$ ip route
default via 192.168.0.1 dev eth0 proto static
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.1
Now I establish a vpn connection e.g. with:
rpi ~$ sudo openvpn myVpn.conf
The setting then is:
rpi ~$ ip addr # stripped to relevant information
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global wlan0
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.10.10.2 peer 10.10.10.1/32 scope global tun0
rpi ~$ ip route
default via 192.168.0.1 dev eth0 proto static
10.0.0.0/8 via 10.10.10.1 dev tun0
10.10.10.1 dev tun0 proto kernel scope link src 10.10.10.2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.1
Here we should also set static routes in the remote vpn server, but I think we don't have any chance to do that. So we can only fake the server with a nat. On the raspi set:
rpi ~$ sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Now I was always able to get into the internet with my mobile phone through the wifi, but only into the vpn network if its connection was established.
References:
[1] dhcpcd vs /etc/network/interfaces
[2] Setting up a Raspberry Pi as an access point
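To see why the static route on the internet router (or the MASQUERADE fallback) is needed, and why phone traffic to 10.x goes into the tunnel while everything else goes out eth0, here is a longest-prefix-match walk over the routing tables above. This is an added example, not part of the answer; the Pi's table is copied from the `ip route` output above, while the router's table (its WAN address 203.0.113.1 and the interface names wan/lan) is a hypothetical fixture.

```python
import ipaddress

# Routing table of the Pi after the VPN is up, taken from the `ip route`
# output in the answer (used here as a fixture).
RPI_ROUTES = """\
default via 192.168.0.1 dev eth0 proto static
10.0.0.0/8 via 10.10.10.1 dev tun0
10.10.10.1 dev tun0 proto kernel scope link src 10.10.10.2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.1
"""
# Hypothetical table of the internet router; its WAN side is not on the page.
ROUTER_ROUTES = """\
default via 203.0.113.1 dev wan
192.168.0.0/24 dev lan proto kernel scope link src 192.168.0.1
"""
STATIC_ROUTE = "192.168.1.0/24 via 192.168.0.2 dev lan\n"  # what the answer asks you to add

def parse_routes(text):
    """Turn `ip route` lines into (network, gateway, device) triples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host 10.10.10.1 -> /32
        gw = f[f.index("via") + 1] if "via" in f else None
        routes.append((net, gw, f[f.index("dev") + 1]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match as the kernel does it: the most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best

def egress(dst):
    """Interface and next hop the Pi uses for a phone packet to dst."""
    _net, gw, dev = lookup(parse_routes(RPI_ROUTES), dst)
    return dev, gw

def reply_device(phone_ip, with_static_route):
    """Interface the router picks for a reply to the phone: 'wan' means the
    packet leaves towards the internet and never reaches 192.168.1.0/24."""
    table = ROUTER_ROUTES + (STATIC_ROUTE if with_static_route else "")
    return lookup(parse_routes(table), phone_ip)[2]
```

Without the static route the router sends replies for 192.168.1.2 out its WAN side, which is exactly the gap the `-o eth0 -j MASQUERADE` rule papers over by rewriting the source to 192.168.0.2; the same reasoning applies to the VPN server and the `-o tun0` rule.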
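The hostapd.conf above sets both wpa_pairwise=TKIP and rsn_pairwise=CCMP; which of them clients can actually negotiate depends on the `wpa` bitmask (1 = WPA, 2 = WPA2/RSN, 3 = both). The following checker is an added example, not part of the answer or of hostapd: it parses the file and reports the effective ciphers and the cases where the legacy WPA/TKIP pair would become negotiable.

```python
# hostapd.conf from the answer, used here as a fixture.
HOSTAPD_CONF = """\
interface=wlan0
driver=nl80211
ssid=MyTestAP
hw_mode=g
channel=6
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=VerySecretPw
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""

def parse_hostapd(text):
    """key=value lines; '#' comments and blank lines are ignored, later keys win."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def effective_ciphers(conf):
    """Pairwise ciphers clients can negotiate, per protocol version.
    `wpa` bit 1 enables WPA (uses wpa_pairwise); bit 2 enables WPA2/RSN
    (uses rsn_pairwise, which defaults to wpa_pairwise when unset)."""
    wpa = int(conf.get("wpa", "0"))
    wpa_pw = set(conf.get("wpa_pairwise", "").split())
    rsn_pw = set(conf.get("rsn_pairwise", "").split()) or wpa_pw
    result = {}
    if wpa & 1:
        result["WPA"] = wpa_pw
    if wpa & 2:
        result["WPA2"] = rsn_pw
    return result

def findings(conf):
    """Security-relevant observations as short strings; empty means nothing flagged."""
    out, ciphers = [], effective_ciphers(conf)
    if not ciphers:
        out.append("open network: neither WPA nor WPA2 enabled")
    if "WPA" in ciphers:
        out.append("legacy WPA (version 1) is enabled")
    if any("TKIP" in c for c in ciphers.values()):
        out.append("TKIP is negotiable")
    if not 8 <= len(conf.get("wpa_passphrase", "")) <= 63:
        out.append("wpa_passphrase must be 8 to 63 characters")
    return out
```

With wpa=2 as in the answer, only rsn_pairwise applies, so the TKIP entry is inert; changing wpa to 3 would make it live.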
Best Answer
I have to use reauth for snx to work ok for me. For that I use a .snxrc file in the homedir of the user invoking snx, as in:
For more details see https://unix.stackexchange.com/questions/450229/getting-checkpoint-vpn-ssl-network-extender-working-in-command-line/453727