USB tether android to pi3 wireless AP and tunnel traffic through VPN


codename_duchess

I'm not sure if this is the right place for this, but I'm going to ask anyway and hope for some direction.

I've been trying to find a way to use my unlocked/rooted moto g osprey on metro pcs as a USB modem for my pi3 that is acting as a wireless AP.  I started with these two guides:

https://www.novaspirit.com/2017/06/22/raspberry-pi-vpn-router-w-pia/  

and

https://pimylifeup.com/raspberry-pi-wireless-access-point/

 

They didn't work.  So I did some digging and modified a few of the steps to this:

# Add usb0 to /etc/network/interfaces
	sudo nano /etc/network/interfaces
	# Add
		allow-hotplug usb0
		iface usb0 inet dhcp

# Install openvpn
	sudo apt-get install openvpn

# Using PIA 
	wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
	unzip openvpn.zip -d openvpn
# Copy certs
	sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
	sudo cp "openvpn/US New York.ovpn" /etc/openvpn/US.conf
# Create login file
	sudo nano /etc/openvpn/login
		username
		password
# Point config to right location
	sudo nano /etc/openvpn/US.conf
	# Change:
		auth-user-pass
		to
		auth-user-pass /etc/openvpn/login
	# Change:
		ca ca.rsa.2048.crt
		to
		ca /etc/openvpn/ca.rsa.2048.crt
	# Change:
		crl-verify crl.rsa.2048.pem
		to
		crl-verify /etc/openvpn/crl.rsa.2048.pem

# Reboot
	sudo reboot

# Test VPN
	sudo openvpn --config /etc/openvpn/US.conf
	# Ctrl+C to exit
# Enable at boot
	sudo systemctl enable openvpn@US
# Enable forwarding
	sudo nano /etc/sysctl.conf
	# Uncomment
		net.ipv4.ip_forward=1
# Enable service
	sudo sysctl -p
# Edit IPTables rules(paste commands into command line)
	sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
	sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
	sudo iptables -I INPUT -i usb0 -m comment --comment "In from LAN" -j ACCEPT
	sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
	sudo iptables -A OUTPUT -o usb0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
	sudo iptables -A OUTPUT -o usb0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
	sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
	sudo iptables -A OUTPUT -o usb0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
	sudo iptables -A FORWARD -i tun+ -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
	sudo iptables -A FORWARD -i usb0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
	sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
# Make IPTables rules persistent
	sudo apt-get install iptables-persistent
		# Answer yes to both questions
# Apply everything to startup
	sudo systemctl enable netfilter-persistent
# Install packages to turn pi3 into hotspot
	sudo apt-get install hostapd
	sudo apt-get install dnsmasq
# Stop anything else from using wlan0
	sudo nano /etc/dhcpcd.conf
	#Add to bottom of file, but above any other interfaces in file
		denyinterfaces wlan0
# Configure static ip
	sudo nano /etc/network/interfaces
	#Change wlan0 entry to:
		allow-hotplug wlan0  
		iface wlan0 inet static  
		    address 192.168.220.1
		    netmask 255.255.255.0
		    network 192.168.220.0
		    broadcast 192.168.220.255
		#    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
# Restart dhcpcd
	sudo service dhcpcd restart
	sudo ifdown wlan0; sudo ifup wlan0
# Configure hostapd(ssid and wpa_passphrase can be whatever you want)
	sudo nano /etc/hostapd/hostapd.conf
		interface=wlan0
		driver=nl80211

		hw_mode=g
		channel=6
		ieee80211n=1
		wmm_enabled=1
		ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
		macaddr_acl=0
		ignore_broadcast_ssid=0

		# Use WPA2
		auth_algs=1
		wpa=2
		wpa_key_mgmt=WPA-PSK
		rsn_pairwise=CCMP

		# This is the name of the network
		ssid=Pi3-AP
		# The network passphrase
		wpa_passphrase=raspberry
# Tell hostapd where to find config
	sudo nano /etc/default/hostapd
	# Change
		#DAEMON_CONF=""
		to
		DAEMON_CONF="/etc/hostapd/hostapd.conf"
# Again tell hostapd where to find config
	sudo nano /etc/init.d/hostapd
	# Change
		DAEMON_CONF=
		to
		DAEMON_CONF=/etc/hostapd/hostapd.conf
# Backup dnsmasq.conf
	sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
# Create new dnsmasq.conf
	sudo nano /etc/dnsmasq.conf
	# Add
		interface=wlan0       # Use interface wlan0  
		listen-address=192.168.220.1   # Specify the address to listen on  
		bind-interfaces      # Bind to the interface
		server=8.8.8.8       # Use Google DNS  
		domain-needed        # Don't forward short names  
		bogus-priv           # Drop the non-routed address spaces.  
		dhcp-range=192.168.220.50,192.168.220.150,12h # IP range and lease time  
# Activate forwarding
	sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
# More IPTables rules(paste into command line)
	sudo iptables -t nat -A POSTROUTING -o usb0 -j MASQUERADE  
	sudo iptables -A FORWARD -i usb0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT  
	sudo iptables -A FORWARD -i wlan0 -o usb0 -j ACCEPT
# Save new rules
	sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
# Load rules at boot
	sudo nano /etc/rc.local
	# Find "exit 0" at bottom of file and above that line add
		iptables-restore < /etc/iptables.ipv4.nat
# Start services
	sudo service hostapd start
	sudo service dnsmasq start
# Reboot 
	sudo reboot

It still doesn't work.  I end up not being able to load the page or getting redirected to a metropcs.com page telling me that my plan doesn't support tethering.  I have everything working using my phone as a wifi hotspot, firing up openvpn connect, and then using vpn tether from the google playstore, but my DNS leaks and I end up going through tmobile DNS servers rather than my VPN's.  The phone as a hotspot does what I need it to, but I've spent so much time trying to get the pi to do what I want that I don't want to give up.
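
As an added example (not part of the original post or of either linked guide), the script below audits an `iptables-save` dump for rules that let wireless clients reach the `usb0` uplink without entering the tunnel, which is where a DNS leak of the kind described above can come from. The `find_leaks` and `sample_rules` names are made up for this example, and the sample dump is constructed from the commands in the post; the interface names `wlan0`, `usb0` and `tun+` are the post's.

```shell
#!/bin/sh
# Added example: flag iptables rules that let AP clients bypass the VPN tunnel.
# find_leaks LAN_IF WAN_IF: reads iptables-save output on stdin, prints findings.
find_leaks() {
    awk -v lan="$1" -v wan="$2" '
    /^\*/ { table = substr($0, 2); next }      # table header: "*nat", "*filter"
    table == "filter" && $1 == ":FORWARD" && $2 == "ACCEPT" {
        print "WARN policy: FORWARD default is ACCEPT, no kill switch"
    }
    /^-A / {
        chain = $2; in_if = out_if = target = dport = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
        }
        if (table == "filter" && chain == "FORWARD" && target == "ACCEPT" && in_if == lan) {
            if (out_if == wan) print "LEAK forward: " $0   # clients straight to uplink
            if (out_if ~ /^tun/) tunnel_ok = 1             # clients into the tunnel
        }
        if (table == "nat" && chain == "POSTROUTING" && target == "MASQUERADE" && out_if == wan)
            print "LEAK nat: " $0                          # NAT for non-tunnel traffic
        if (table == "filter" && chain == "OUTPUT" && target == "ACCEPT" && out_if == wan && dport == "53")
            print "LEAK dns: " $0                          # resolver may use the uplink
    }
    END { if (!tunnel_ok) print "MISSING: no FORWARD ACCEPT from " lan " to tun+" }
    '
}

# Constructed sample: the post's rules as iptables-save would print them (abridged).
sample_rules() {
    cat <<'EOF'
*nat
-A POSTROUTING -o tun+ -j MASQUERADE
-A POSTROUTING -o usb0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i usb0 -o tun+ -j ACCEPT
-A FORWARD -i wlan0 -o usb0 -j ACCEPT
-A OUTPUT -o usb0 -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o usb0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF
}

sample_rules | find_leaks wlan0 usb0
```

On a live system the same function can be fed with `sudo iptables-save | find_leaks wlan0 usb0`; an empty result means none of these four patterns is present, not that the box is leak-free.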


  • 4 weeks later...

I don't think it matters what DNS you choose to use, you can't bypass your ISP. If you don't want them to know you're tethering, you'll need to send fake web browser user agent IDs, to trick them into thinking the connection is coming from your phone.
