How to Set Up a VPN VLAN for Home

Not all countries run DPI, nor do all websites block people based on region. I, for one, started building my own geoblock-proof setup when I moved to a new neighborhood about a decade ago. HomeDepot had this neighborhood's IPs blocked. I don't know what my ISP was thinking, assigning a blacklisted commercial IP range to a residential area, but I doubt this list and the myriad others would be willing to update anytime soon.

Preface

You do not necessarily need to DPI-proof or geoblock-proof your existing network. It is a niche thing most people can live without just fine. If your government or ISP is blocking access to, or collecting information on your access to, random websites, that would be one of the "niche" needs. Likewise, if you are blacklisted from HomeDepot and many developer communities for being in a 'commercial zone' when you just wanted to read some articles, that would be another "niche" need. I had been hit with all of the above, and I know my ISP is not willing to cooperate with me here.

That being said, the solution I am writing up will be more abstract than usual, so that readers can find (e.g. google) the resources that fit their use case. It will not be a step-by-step recipe to get a VPN going. Also, I know for a fact that the very idea I am proposing is made out of compromises. To paraphrase what I've heard so far: 'why don't you just move', 'why don't you protest to lift the censorship', 'why not sue the ISP', 'why not contact the webmasters', and so on. If I could afford a small loan of one million dollars to simply up and leave for the land of freedom, preferably to the city with the best ISP in the nation, I would have done so. But do I really need to emphasize the importance of budget? At least a VLAN is within budget, preferably one Raspberry Pi at most.

Instructions

I am assuming your home network already has a router, not just a computer connected directly to a modem like in the 90s. Nowadays even ISPs supply a modem with router capability, so chances are you would not want to replace an existing, working network. If you are shopping for a router in the future or planning to upgrade the current one, don't worry too much about the networking features and boons of a particular model; the instructions apply the same regardless.

I am also assuming you have a spare Raspberry Pi lying around, in other words a spare Linux box. Technically a spare PC of any kind, running macOS or Windows, would work as well, but considering the tools available and that the machine will be running 24/7, a small USB-powered computer goes a long way.

  1. Finding the right VPN or anti-DPI application

For the sake of this post, I will treat VPN and anti-DPI applications as the same thing. The key point is that both are a way to connect past the geofence or the DPI box. They differ in what they hide, though: a VPN encrypts and tunnels all traffic to a remote exit, so the ISP sees only the VPN server, whereas anti-DPI tools merely mangle the TLS or HTTP handshake enough that the inspector fails to classify it; the destination address is still visible to anyone who looks harder, and a geoblocked site still sees your real IP.

More reliable applications are often paid ones, but simply evading DPI only takes a clever tool such as GoodByeDPI or Green Tunnel. From my experience, both of them can be hit-and-miss. The same goes for VPNs, both free and paid. Many paid VPNs come with a trial period; I suggest trying them out on one device via OpenVPN before committing the Pi to a provider.

The Raspberry Pi will keep the application running so the connection stays up. With systemctl enable openvpn-client@<name> (where <name> is the config file's basename without the .conf extension), the Pi can also be set up to connect to the VPN automatically on boot.

  2. Building a One-Armed Router (Router on a Stick)

This is where the actual work is done on the Pi. We don't want to replace the existing router with the Pi, especially since the Pi is not designed to be network hardware. Instead, the aim of this "one-armed router" is to create what I loosely call a VLAN: a separate, VPN-backed network path running on the existing hardware. Strictly speaking it is a second gateway on the same LAN segment rather than an 802.1Q tagged VLAN; the configuration below does not tag frames, and no switch support is needed. For this exercise it is recommended to have the Pi connected by wire, though it is possible to build a wireless one.

A one-armed router, as the name implies, has only one port connected to the physical network, as opposed to being connected to both LAN and WAN. Though this is less common on a home network, we can take advantage of the idea and steer VPN traffic through the Pi. This allows any device on the same physical network to connect via the VPN at will, without installing additional software or hardware on the device.

First, take note of your existing network setup: the address of your router and its subnet mask. The information can be obtained from your router, your device, or even the Raspberry Pi itself. With that information, give the Pi a static address by editing /etc/network/interfaces as follows. A fixed address matters because every other device will later point at it as gateway or proxy, and a DHCP lease that changes would silently break them; reserve the address in the router's DHCP settings as well so it is never handed to another device. (On recent Raspberry Pi OS releases the interface is managed by dhcpcd or NetworkManager rather than ifupdown; the same static address, netmask, gateway and DNS go into that tool's configuration instead.) Note: you can choose any DNS servers you like, Google, Cloudflare, or even your router; these are only the Pi's own resolvers, and they follow the Pi's routing, so once the tunnel is up the Pi's lookups go through it.

auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address <ip address of pi, can stay the same>
    netmask <subnet mask from router>
    gateway <ip address of router>
    dns-nameservers <dns servers of your choice>

Second, install the application of your choice on the Raspberry Pi. As a reminder, this could be any VPN provider or anti-DPI application, but I am writing with the assumption that you chose a VPN provider that supports OpenVPN (much easier to work with), so that is what we set up. Your provider will have a list of OpenVPN files, one per exit location. Download one onto the Pi. Whatever application you choose, make sure it allows LAN connections so other devices can still talk to the Pi; some VPN clients offer a 'block local network' option, and that must stay off here.

Once you have the client side of OpenVPN installed on the Pi (not the server), copy an OpenVPN configuration file over to /etc/openvpn/client/. If the file extension is .ovpn, it is already in OpenVPN configuration format, so simply rename it to end in .conf. If the configuration requires username/password authentication, we need to make a small change to the file. Edit the line that starts with auth-user-pass to read auth-user-pass login, and create another file named login (no extension) in the same directory containing the credentials, one per line:

<username>
<password>

That file holds the credentials in plaintext, so lock it down before going further: sudo chmod 600 /etc/openvpn/client/login (and make sure it is owned by root, which it will be if you created it with sudo). OpenVPN starts as root, so it can still read it. Once that's done, test the VPN setup with: sudo openvpn --config /etc/openvpn/client/<name>.conf. Since we are not interested in keeping this foreground connection alive, once you see "Initialization Sequence Completed" in the log, exit with Ctrl-C. To keep OpenVPN running permanently, enable the systemd unit: sudo systemctl enable --now openvpn-client@<name>. Note that <name> is the config file's basename without the .conf extension; the unit template appends .conf itself, so including it would make systemd look for <name>.conf.conf. OpenVPN will now start on every boot. Check that the tunnel really carries traffic: ip route on the Pi should show the default route via tun0 (assuming the provider's config pushes or contains redirect-gateway def1), and curl ifconfig.me from the Pi should return the provider's exit address rather than your ISP's.

What we now need is for the Pi to forward packets from other devices into the tunnel. That takes two things: turning on IP forwarding in the kernel, and NAT so that replies find their way back to the right client. Enable forwarding first:

echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Then the NAT and forwarding rules (assuming tun0 is your VPN interface and eth0 is the LAN side):

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

As a finishing touch, make the rules persistent with iptables-persistent, then enable netfilter-persistent via systemctl (iptables-persistent depends on netfilter-persistent, so it should be installed already; sudo netfilter-persistent save writes the live rules to /etc/iptables/rules.v4). One caveat before you rely on this: the rules above leave the FORWARD chain's default policy at ACCEPT. If tun0 ever goes down, the Pi's default route falls back to eth0 via your router, and client packets arriving on eth0 are then forwarded straight back out eth0 to the ISP in the clear, with nothing to tell you. If leaking is worse than losing connectivity, set the FORWARD policy to DROP so that only the two explicit rules let traffic through; that turns the tunnel into a kill switch.
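For reference, here is the complete rules file that the commands above produce once the kill-switch policy is applied. This is an added example, not the original post's file; it assumes the same interface names as the commands (eth0 for the LAN, tun0 for the OpenVPN tunnel) and is written in the iptables-save format that netfilter-persistent loads from /etc/iptables/rules.v4.

```text
# /etc/iptables/rules.v4  (loaded by netfilter-persistent at boot)
# Assumption: eth0 = LAN side, tun0 = OpenVPN tunnel, as in the commands above.

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite client source addresses to the tunnel address on the way out,
# so the VPN server sends replies back to the Pi.
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
# The commands in the post leave this as ":FORWARD ACCEPT [0:0]". With that
# policy, when tun0 is down the eth0 -> eth0 path is accepted and clients
# reach the ISP unencrypted. DROP makes the tunnel a kill switch instead.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies coming back through the tunnel to LAN clients
# (-m conntrack --ctstate is what iptables-save emits for -m state --state).
-A FORWARD -i tun0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# LAN clients into the tunnel
-A FORWARD -i eth0 -o tun0 -j ACCEPT
# Anything else, including eth0 -> eth0 while the tunnel is down, hits the DROP policy.
COMMIT
```

Load it with sudo netfilter-persistent reload and confirm with sudo iptables -L FORWARD -v -n that the chain header reads "policy DROP". To test the kill switch, stop the tunnel with sudo systemctl stop openvpn-client@<name> and check that a device using the Pi as its gateway loses internet access rather than quietly reaching the ISP.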

  3. Choosing how to connect to the VPN router

Now that the grease work is done, the actual fun part: picking your poison of the day. With the Pi set up, you can choose from a variety of ways to connect to it.

The most obvious choice, as it is a one-armed router, is to change the device's default gateway to the Pi. For example, if the existing router's address is 192.168.1.1 and the Pi sits at, say, 192.168.1.50, set the device's gateway to 192.168.1.50, keep the same subnet mask, and every packet it sends off the LAN now goes through the tunnel. Change the device's DNS server at the same time. If it is left pointing at the router or the ISP's resolver, every lookup goes to the ISP directly and reveals the name of each site you visit even though the traffic itself is tunnelled; pointing the device at a public resolver such as 1.1.1.1 or 8.8.8.8 sends those queries via the gateway, i.e. through the Pi and the tunnel. To confirm, visit any "what is my IP" page from the device and check that it reports the VPN exit address, not your ISP's.

My personal favourite is a proxy, so I can toggle it on and off per browser. With Privoxy installed on the Pi, and a proxy extension such as FoxyProxy, each tab can switch over to the tunnelled connection automatically when needed. Two details matter here. First, Privoxy listens only on 127.0.0.1:8118 out of the box, so it has to be told to listen on the Pi's LAN address and which clients are allowed to use it; Privoxy's own outbound connections follow the Pi's routing, so they leave via tun0. Second, because the browser hands the hostname to the proxy instead of resolving it locally, name lookups for proxied tabs happen on the Pi and ride the tunnel as well, so the DNS caveat of the gateway approach does not apply to proxied tabs.
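As an added example (not configuration from the original post), these are the lines in /etc/privoxy/config that turn the default localhost-only Privoxy into a LAN-reachable forwarder while keeping it closed to everyone else. It assumes the Pi's static LAN address is 192.168.1.50 and the home subnet is 192.168.1.0/24; adjust both to your network.

```text
# /etc/privoxy/config  (only the directives that change; everything else stays at the defaults)
# Assumptions: Pi LAN address 192.168.1.50, home subnet 192.168.1.0/24.

# Default is "listen-address 127.0.0.1:8118", reachable from the Pi alone.
# Bind to the LAN address specifically, not 0.0.0.0, so the proxy never
# listens on a tunnel or other interface by accident.
listen-address  192.168.1.50:8118

# Only clients from the home subnet may use the proxy; others are refused.
# With no permit-access line at all, Privoxy allows every client that can
# reach the port, which would make the tunnel an open proxy.
permit-access   192.168.1.0/24

# The post uses Privoxy purely as a forwarder into the tunnel, so disable its
# content filtering and ad-blocking actions to avoid surprising page breakage.
toggle          0
```

After sudo systemctl restart privoxy, point FoxyProxy (or the browser's manual proxy settings) at HTTP proxy 192.168.1.50 port 8118 for both HTTP and HTTPS, then check from a LAN machine with curl -x http://192.168.1.50:8118 https://ifconfig.me that the reported address is the VPN exit; running the same command from a host outside 192.168.1.0/24 should be refused.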

Afterthoughts

As I briefly touched on in the preface, the most frequent question I've got after explaining my setup was, literally, "why?". Why not move, they ask. Why not change ISP, they ask. Why bother paying for a VPN, buying a Raspberry Pi, and setting up this elaborate escape plan, they ask. This is really easier said than done.

I started building mine after I found out my entire neighborhood was blacklisted. All of the new IPs given out by the current ISP were on the list. And the ISP, in its infinite wisdom, again asked why I would want to access an American website from abroad, and said that it is not part of their job to clear a non-static IP from a privately operated blacklist. Touché.

My thoughts on geoblocking and blacklisting IPs are simple: they don't necessarily work. The only way to make them work is to update the blacklist frequently. Once, I was trying to get a manual for a product that is no longer imported into South Korea. I knew the Korean website was down since the company had pulled out, so I was hoping to get the manual from the American website. Some idiotic web developer somewhere in the world had the brilliant idea of automatically redirecting anyone from a Korean IP to the now-defunct Korean subdomain, without even prompting the user beforehand. I resorted to the VPN.

And then there's the whole South Korean censorship. As far as I am aware, the country doesn't operate a 'censorship board' per se, which means there is no consistency in its decisions. In fact, I was quite surprised how biased it could be. It's a tale for another time, but to get a taste of how bizarre it is: there's something very wrong with your censorship when it targets a minority group, but not porn themed around that same minority group.

Not all countries do DPI, nor do all governments openly run internet censorship. Whereas countries like South Korea block online porn publicly, with perhaps some due diligence, other actors in the Middle East and Eastern Europe are often accused of blocking websites without much of a reason. DPI is one of the many tools authoritarian censors and nefarious attackers use to learn which website a user is trying to reach. That being said, there is a new development on the way, but its deployment seems rather slow. Personally I believe the lackluster response stems from the fact that most first-world countries (again, Korea is an exception) do not have publicly known censorship yet.

Currently, most VPN services and their advocates, and DPI-proof services and their advocates, are mostly inclined to prove their point, but nothing further. I'm sure you have seen a sponsored ad on YouTube saying 'hey, you can watch this and that movie on Netflix if you change your geolocation', or 'hey, don't let the government decide what you can read or not, help our projects on GitHub'. Again, what they are selling is perfectly benign and perfectly plausible. What they are not sharing, however, is how well this can be automated in day-to-day DIY projects. So enjoy.
