Hak5 Forums

USB tether android to pi3 wireless AP and tunnel traffic through VPN


I'm not sure if this is the right place for this, but I'm going to ask anyway and hope for some direction.

I've been trying to find a way to use my unlocked/rooted Moto G osprey on MetroPCS as a USB modem for my Pi 3 that is acting as a wireless AP.  I started with these two guides:





They didn't work.  So I did some digging and modified a few of the steps to this:

# Add usb0 to /etc/network/interfaces
	sudo nano /etc/network/interfaces
	# Add
		allow-hotplug usb0
		iface usb0 inet dhcp

# Install openvpn
	sudo apt-get install openvpn

# Using PIA 
	wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
	unzip openvpn.zip -d openvpn
# Copy certs
	sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
	sudo cp "openvpn/US New York.ovpn" /etc/openvpn/US.conf
# Create login file
	sudo nano /etc/openvpn/login
# Point config to right location
	sudo nano /etc/openvpn/US.conf
	# Change:
		auth-user-pass /etc/openvpn/login
	# Change:
		ca ca.rsa.2048.crt
		ca /etc/openvpn/ca.rsa.2048.crt
	# Change:
		crl-verify crl.rsa.2048.pem
		crl-verify /etc/openvpn/crl.rsa.2048.pem

# Reboot
	sudo reboot

# Test VPN
	sudo openvpn --config /etc/openvpn/US.conf
	# Ctrl+C to exit
# Enable at boot
	sudo systemctl enable openvpn@US
# Enable forwarding
	sudo nano /etc/sysctl.conf
	# Uncomment
# Enable service
	sudo sysctl -p
# Edit IPTables rules(paste commands into command line)
	sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
	sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
	sudo iptables -I INPUT -i usb0 -m comment --comment "In from LAN" -j ACCEPT
	sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
	sudo iptables -A OUTPUT -o usb0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
	sudo iptables -A OUTPUT -o usb0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
	sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
	sudo iptables -A OUTPUT -o usb0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
	sudo iptables -A FORWARD -i tun+ -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
	sudo iptables -A FORWARD -i usb0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
	sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
# Make IPTables rules persistent
	sudo apt-get install iptables-persistent
		# Answer yes to both questions
# Apply everything to startup
	sudo systemctl enable netfilter-persistent
# Install packages to turn pi3 into hotspot
	sudo apt-get install hostapd
	sudo apt-get install dnsmasq
# Stop anything else from using wlan0
	sudo nano /etc/dhcpcd.conf
	#Add to bottom of file, but above any other interfaces in file
		denyinterfaces wlan0
# Configure static ip
	sudo nano /etc/network/interfaces
	#Change wlan0 entry to:
		allow-hotplug wlan0  
		iface wlan0 inet static  
		#    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
# Restart dhcpcd
	sudo service dhcpcd restart
	sudo ifdown wlan0; sudo ifup wlan0
# Configure hostapd(ssid and wpa_passphrase can be whatever you want)
	sudo nano /etc/hostapd/hostapd.conf


		# Use WPA2

		# This is the name of the network
		# The network passphrase
# Tell hostapd where to find config
	sudo nano /etc/default/hostapd
	# Change
# Again tell hostapd where to find config
	sudo nano /etc/init.d/hostapd
	# Change
# Backup dnsmasq.conf
	sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
# Create new dnsmasq.conf
	sudo nano /etc/dnsmasq.conf
	# Add
		interface=wlan0       # Use interface wlan0  
		listen-address=   # Specify the address to listen on  
		bind-interfaces      # Bind to the interface
		server=       # Use Google DNS  
		domain-needed        # Don't forward short names  
		bogus-priv           # Drop the non-routed address spaces.  
		dhcp-range=,,12h # IP range and lease time  
# Activate forwarding
	sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
# More IPTables rules(paste into command line)
	sudo iptables -t nat -A POSTROUTING -o usb0 -j MASQUERADE  
	sudo iptables -A FORWARD -i usb0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT  
	sudo iptables -A FORWARD -i wlan0 -o usb0 -j ACCEPT
# Save new rules
	sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
# Load rules at boot
	sudo nano /etc/rc.local
	# Find "exit 0" at bottom of file and above that line add
		iptables-restore < /etc/iptables.ipv4.nat
# Start services
	sudo service hostapd start
	sudo service dnsmasq start
# Reboot 
	sudo reboot

It still doesn't work.  I end up not being able to load the page or getting redirected to a metropcs.com page telling me that my plan doesn't support tethering.  I have everything working using my phone as a Wi-Fi hotspot, firing up OpenVPN Connect, and then using VPN tether from the Google Play Store, but my DNS leaks and I end up going through T-Mobile DNS servers rather than my VPN's.  The phone as a hotspot does what I need it to, but I've spent so much time trying to get the Pi to do what I want that I don't want to give up.
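
Added example, not part of the original post: a shell check over `iptables-save` output that flags rules permitting AP client or DNS traffic to leave through the tether uplink without passing through the tunnel, which the rules listed above allow. The interface roles (wlan0 clients, usb0 uplink, tun+ VPN) come from the post; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed roles, taken from the post: wlan0 = AP clients, usb0 = tether uplink, tun+ = OpenVPN.
UPLINK=usb0
LAN=wlan0

# Read iptables-save text on stdin; print one line per rule that lets traffic skip the tunnel.
audit_vpn_bypass() {
    awk -v up="$UPLINK" -v lan="$LAN" '
    /^\*/ { table = substr($0, 2); next }      # "*nat" / "*filter" table headers
    /^-A / {
        chain = $2; in_if = ""; out_if = ""; target = ""; dport = ""; stateful = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "--state" || $i == "--ctstate") stateful = 1
        }
        if (table == "nat" && chain == "POSTROUTING" && out_if == up && target == "MASQUERADE")
            print "BYPASS nat: clients are masqueraded straight out " up
        if (table == "filter" && chain == "FORWARD" && in_if == lan && out_if == up &&
            target == "ACCEPT" && !stateful)
            print "BYPASS forward: new connections " lan " -> " up " accepted"
        if (table == "filter" && chain == "OUTPUT" && out_if == up && dport == "53" &&
            target == "ACCEPT")
            print "BYPASS dns: port 53 allowed out " up
    }'
}

# Constructed sample: NAT, DNS and forwarding rules from the post, in iptables-save form.
posted_rules() {
    cat <<'EOF'
*nat
-A POSTROUTING -o tun+ -j MASQUERADE
-A POSTROUTING -o usb0 -j MASQUERADE
COMMIT
*filter
-A OUTPUT -o usb0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i usb0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o usb0 -j ACCEPT
COMMIT
EOF
}

posted_rules | audit_vpn_bypass
```

On the Pi itself the live rule set can be checked with `sudo iptables-save | audit_vpn_bypass`; no output means none of the three bypass patterns is present.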
