The Ubuntu version of this file uses UFW. This is a work in progress and not finished.
UFW is installed on most Debian distros.
This is a verified setup for the PIA VPN on a Raspberry Pi 3B+ with a killswitch on the VPN, so if the VPN goes down, the internet doesn't work.
This setup starts with 2021-01-11-raspios-buster-armhf-lite. The version with desktop is a little easier to set up because you can use https://dnsleaktest.com to verify that everything is operating as expected.
Make sure that you're running everything as root
sudo su
Update
apt update
apt upgrade -y
apt full-upgrade -y
Check the current public IP and write it down
curl icanhazip.com
Install resolvconf, start it, and enable it to start on reboot
apt install resolvconf -y
systemctl enable --now resolvconf.service
Install openvpn and put the configuration files from PIA into place
apt install openvpn -y
wget https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
unzip openvpn-strong.zip -d /etc/openvpn
rm openvpn-strong.zip
cd /etc/openvpn
Look at the files and decide which location you are going to use
ls
In this example, italy is going to be used; substitute the appropriate file name. Copy that file to the name vpn.conf
cp italy.ovpn vpn.conf
Create a login file. There are multiple ways to do this. USERNAME and PASSWORD are your login credentials for the VPN.
echo USERNAME >> /etc/openvpn/login
echo PASSWORD >> /etc/openvpn/login
chmod og-rx,u+x,a-w /etc/openvpn/login
Point the auth-user-pass line in vpn.conf at the login file
sed -i 's/auth-user-pass/auth-user-pass \/etc\/openvpn\/login/g' vpn.conf
Help prevent DNS leaks by letting openvpn update the resolver configuration when the tunnel goes up and down
echo "script-security 2" >> /etc/openvpn/vpn.conf
echo "up /etc/openvpn/update-resolv-conf" >> /etc/openvpn/vpn.conf
echo "down /etc/openvpn/update-resolv-conf" >> /etc/openvpn/vpn.conf
Enable openvpn to start on reboot, then reboot
systemctl enable openvpn@vpn
reboot now
Become root again after the reboot
sudo su
Make sure the VPN is working before proceeding by rechecking the public IP address; it should differ from the one written down earlier
curl icanhazip.com
Before proceeding, note your local network address, generally written like 192.168.0.0/24. It is displayed along with other information in the output of this command:
ip route
In case there's anything else in iptables, clear it out
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
Allow loopback device (internal communication)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Allow all local network traffic (substitute the network address noted above for 192.168.1.0/24)
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
Verify the port needed in the vpn.conf file. It's located at the end of the line starting with remote
nano /etc/openvpn/vpn.conf
Allow VPN establishment with only 2 ports open, 1 for DNS (53) and 1 for the VPN (1197). If connecting through an IP address and not a DNS name, the rules with port 53 can be removed. Port 1197 may be different depending on the VPN; open the vpn.conf file to verify
iptables -A OUTPUT -p UDP --dport 53 -j ACCEPT
iptables -A INPUT -p UDP --sport 53 -j ACCEPT
iptables -A OUTPUT -p UDP --dport 1197 -j ACCEPT
iptables -A INPUT -p UDP --sport 1197 -j ACCEPT
Accept all TUN connections (tun = VPN tunnel)
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
Set default policies to drop all communication unless specifically allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
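The rules above are typed in by hand with the LAN subnet and VPN port filled in from earlier steps. The following script, added here as an example and not part of the original guide, reads those values from the live system instead: the port and transport from the remote and proto lines of vpn.conf, and the LAN subnet from ip route, excluding gateway routes and anything on the tunnel. It only prints the iptables commands so they can be reviewed before being piped to sh. The profile path /etc/openvpn/vpn.conf and the assumption that PIA's remote line carries the port as its third word are mine; the port-53 rules are kept because the guide keeps them, but note that they let DNS leave outside the tunnel, which is why the guide suggests dropping them when connecting by IP address.

```shell
#!/bin/sh
# Added example, not part of the original guide: build the killswitch
# rules from the live system instead of retyping the LAN subnet and VPN
# port.  It only PRINTS iptables commands; review them, then apply with:
#     sh gen-killswitch.sh print | sh
# Assumptions (mine, not the guide's): the profile is /etc/openvpn/vpn.conf
# (override with VPN_CONF=...) and its "remote <host> <port>" line carries
# the port as the third word, as PIA's files do.

CONF="${VPN_CONF:-/etc/openvpn/vpn.conf}"

# Port from the first "remote <host> <port>" line; 1194 (OpenVPN's
# default) when the line has no port.
vpn_remote_port() {
    awk '$1 == "remote" { print ($3 != "" ? $3 : 1194); exit }' "$1"
}

# Transport from a "proto ..." line, normalised to udp or tcp; udp when absent.
vpn_proto() {
    awk 'BEGIN { p = "udp" } $1 == "proto" { p = $2 } END { print p }' "$1" |
        sed 's/-client$//; s/6$//'
}

# LAN subnet from "ip route": the first prefix route that is neither a
# gateway route ("via") nor on the tunnel, e.g.
#   192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
lan_subnet() {
    awk '!/ via / && !/dev tun/ && $1 ~ /\// { print $1; exit }'
}

# Print the same rule set the guide enters by hand, with the three
# values filled in.  The port-53 rules let DNS leave outside the tunnel;
# drop them if the profile uses an IP address rather than a hostname.
emit_rules() {
    subnet="$1"; proto="$2"; port="$3"
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $subnet -j ACCEPT
iptables -A OUTPUT -d $subnet -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p $proto --dport $port -j ACCEPT
iptables -A INPUT -p $proto --sport $port -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

main() {
    port="$(vpn_remote_port "$CONF")"
    proto="$(vpn_proto "$CONF")"
    subnet="$(ip route | lan_subnet)"
    if [ -z "$subnet" ] || [ -z "$port" ]; then
        echo "could not determine LAN subnet or VPN port" >&2
        return 1
    fi
    emit_rules "$subnet" "$proto" "$port"
}

# Run only when asked, so the functions can be sourced on their own.
case "${1:-}" in print) main ;; esac
```

Run it once without the pipe to sh and compare the printed subnet and port with what ip route and vpn.conf show; the script refuses to print anything if it cannot find a LAN subnet, which is better than emitting DROP policies with an empty allow rule.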
Bring the network connection down then back up. If remoted into the Pi, copy and run both lines at once so the connection comes back up.
ifconfig eth0 down
ifconfig eth0 up
Stop and start openvpn
service openvpn stop
service openvpn start
Set up persistent iptables so the rules survive a reboot. Click YES on both prompts
apt install iptables-persistent -y
Save the iptables rules and enable the service to restore them after reboot
netfilter-persistent save
systemctl enable netfilter-persistent
If running without a desktop, dnsleaktest can be run from the command line. Install this dependency first
apt-get install jq -y
Download it and make it executable
wget https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh
chmod +x dnsleaktest.sh
Run it
./dnsleaktest.sh
This will say whether DNS is leaking and where you appear to be connecting from
If running the desktop version, open the browser to dnsleaktest.com and run the extended test
Test that the killswitch is working. Note that you can ping google.com. Press Ctrl+C to stop
ping google.com
Stop openvpn to see if things are still working
service openvpn stop
Now ping google.com again
ping google.com
No reply is the expected result: the killswitch is working
Turn openvpn back on and you're good to go
service openvpn start
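The ping test above confirms the killswitch by eye. The script below, added here as an example and not part of the original guide, makes the same check repeatable: check reads iptables -S output and reports any missing deny-by-default policy or tunnel rule, and live performs the guide's stop, probe, restart sequence with curl against icanhazip.com (the host the guide uses earlier) so the result is an exit code. The file name check-killswitch.sh and the 5-second probe timeout are my choices.

```shell
#!/bin/sh
# Added example, not part of the original guide: confirm the ruleset has
# killswitch shape, and repeat the guide's ping test with an exit code.
#     iptables -S | sh check-killswitch.sh check
#     sh check-killswitch.sh live      # on the Pi, as root; restarts openvpn

# Lines that must appear verbatim in "iptables -S" output for the
# killswitch to hold: deny-by-default on every chain, tunnel traffic allowed.
REQUIRED='-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A OUTPUT -o tun+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT'

# Reads a ruleset on stdin.  Prints one line per problem and returns 1 if
# any required rule is missing or any chain policy is ACCEPT; otherwise 0.
check_rules() {
    rules="$(cat)"
    problems="$(
        printf '%s\n' "$REQUIRED" | while IFS= read -r want; do
            printf '%s\n' "$rules" | grep -qxF -- "$want" || echo "missing: $want"
        done
        printf '%s\n' "$rules" | grep -x -- '-P [A-Z]* ACCEPT' | sed 's/^/open policy: /'
    )"
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "ruleset OK"
}

# The guide's ping test as a script: stop the tunnel, try to reach the
# internet, restart the tunnel.  With OUTPUT DROP in place the probe
# must FAIL (it times out rather than being refused).
live_test() {
    service openvpn stop
    sleep 3
    if curl -s --max-time 5 https://icanhazip.com >/dev/null; then
        echo "killswitch FAILED: internet reachable with the tunnel down"
        rc=1
    else
        echo "killswitch OK: nothing reachable with the tunnel down"
        rc=0
    fi
    service openvpn start
    return "$rc"
}

case "${1:-}" in
    check) check_rules ;;
    live)  live_test ;;
esac
```

Run check after every reboot as well as right after saving the rules: a policy that reads ACCEPT again is the usual sign that netfilter-persistent did not restore the ruleset, and it is cheaper to catch there than by noticing that the public IP has changed.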
Here are a few of my sources:
https://www.novaspirit.com/2017/06/22/raspberry-pi-vpn-router-w-pia/