This is a guide to setting up a free Netflix Compatible VPN based wifi hotspot for expats.
Like many of you, I am from the US living abroad. And, chances are, if you are reading this, you have quickly found that Netflix and other streaming services offer much less content outside of the US. Also many websites in the US are blocked for users in Europe due to the new GDPR laws. Additionally, some US based websites like southwest.com just don’t work at all for some reason. I wanted to share here some of the lessons I’ve learned in getting around this issue, and how to set up a free VPN that can be used by any device including Roku, Firestick or your smart TV.
The first things you will need are:
2 Raspberry Pis (your local one should be a Pi 3 with wifi).
A family member or friend back in the US with a good internet connection that will let you host your VPN server.
At first I tried rolling a AWS server and watching Netflix on my laptop using a SSH tunnel and socks setting on my browser. This works sometimes, but most of the AWS server IPs are blacklisted by Netflix and won’t always work. Plus, I wanted my Roku and Firestick to connect seamlessly to a US based IP using a local wifi hostpot. After much trial and error, and reading many other how to guides, this setup works rock solid for me.
The final setup will look like this:
Note that the following instructions are probably not for a total newbie. You should have some basic networking and Linux skills in order to get past any unexpected issues.
Set up SSH Server on your Remote Pi and remote access
First, you need to install SSH service on your remote raspberry pi and make sure you can access it from the internet.
1. Enter sudo raspi-config in a terminal window.
2. Select Interfacing Options.
3. Navigate to and select SSH.
4. Choose Yes.
5. Select Ok.
6. Choose Finish.
7. Reboot.
While you are at it, change your default pi password, or better yet, remove the default pi account and create a new username and complex password.
Make sure you can ssh into your Pi from the local LAN, then get on a plane, go to your friend’s house in the USA and plug it into his router. On your friend’s router, reserve a fixed LAN IP for your remote Pi’s MAC address and set up port forwarding for SSH to it (UDP Port 22). Also pick a port for your VPN service (let’s say port 5150 for fun) and make sure your router is forwarding that one as well. More on this later…
Now unless your friend has a static real world IP assigned to his router, you will have to use a service like DynDNS so that whenever the IP changes you will still be able to access your Pi. Fortunately, my friend’s router is a netgear, and includes a free service using xxxx.mynetgear.com. Be sure that you can ssh into your pi from the outside world before getting back on that plane!
If the above language is confusing, you can read a nice article about port forwarding at https://www.cyberpratibha.com/blog/ssh-port-forwarding-in-router/
Install PIVPN Server on your remote Pi
I can tell you that installing a VPN server and connecting to it can be a horrible experience. With PIVPN Server (and OPENVPN on your client) it’s pretty easy.
To install pivpn, ssh into your remote pi and enter:
curl -L https://install.pivpn.io/ | bash
I recommend you consult this guide for more information on installing PIVPN:
Note that you need to use the VPN port that you have set up above (in the example I used 5150). Also you will need to create a VPN user. I suggest that you not use a passphrase because you will be downloading a keyfile that takes the place of a passphrase (just hit enter when it asks for a passphrase). They suggest using FTP to download your xxx.ovpn file. However there is no need, if you are accessing your pi with another linux based system (such as a mac or another pi) just pull it down using scp (Secure CoPy) like so:
scp <user>@<host>:<remote-file> <local-destination>
example:
scp pi@remotemachine.mynetgear.com:mykeyfile.ovpn .
Install OpenVPN on your client (the Pi at your out of the country location)
sudo apt-get install openvpn
By now you should have the key file that you copied from your VPN server. Assuming it is in your home directory, look at the header lines and be sure that the DNS name (or the static public IP of your friend’s router) and the port on the 4th line, the remote line, are correct:
cat mykeyfile.ovpn
client
dev tun
proto udp
remote yourcoolserver.mynetgear.com 5150
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_jMx58knymDexHXFv name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxx
…
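Before copying the profile into /etc/openvpn it is worth checking it mechanically, since a wrong host or port on the remote line is the most common reason the tunnel never comes up. The script below is an added example, not part of PiVPN or this guide: it checks that the remote line names the expected host and the port the router forwards, that the protocol is UDP, and that the hardening directives PiVPN writes are still present. The host and port are passed in as arguments, and the sample profile is constructed with placeholder certificate material.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check the .ovpn profile
# PiVPN generated before it goes into /etc/openvpn. It confirms the "remote"
# line names the DynDNS host and the forwarded port (5150 in the guide), that
# the protocol is UDP as the router forward expects, and that the hardening
# directives PiVPN writes (TLS 1.2 minimum, server cert check) are present.

# check_ovpn <file> <expected-host> <expected-port>
# Prints one line per problem found; returns 0 if the profile passes, 1 otherwise.
check_ovpn() {
    file=$1; host=$2; port=$3; rc=0
    # Only the first "remote" directive matters for a single-server profile.
    remote=$(grep '^remote ' "$file" | head -n 1)
    set -- $remote                          # now $2=host, $3=port
    [ "$2" = "$host" ] || { echo "remote host is '$2', expected '$host'"; rc=1; }
    [ "$3" = "$port" ] || { echo "remote port is '$3', expected '$port'"; rc=1; }
    grep -q '^proto udp' "$file" || { echo "proto is not udp"; rc=1; }
    for d in 'remote-cert-tls server' 'tls-version-min 1.2' 'auth-nocache' \
             'cipher AES-256-CBC' 'auth SHA256'; do
        grep -q "^$d" "$file" || { echo "missing directive: $d"; rc=1; }
    done
    grep -q '^-----BEGIN CERTIFICATE-----' "$file" \
        || { echo "no inline CA certificate"; rc=1; }
    return $rc
}

# Constructed sample profile shaped like the one shown above (certificate,
# key material and the verify-x509-name value replaced by placeholders).
SAMPLE_OVPN=$(mktemp)
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
proto udp
remote yourcoolserver.mynetgear.com 5150
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_PLACEHOLDER name
cipher AES-256-CBC
auth SHA256
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
EOF

check_ovpn "$SAMPLE_OVPN" yourcoolserver.mynetgear.com 5150 && echo "profile OK"
```

Run it against the real file as `check_ovpn mykeyfile.ovpn yourcoolserver.mynetgear.com 5150` after sourcing the script; a non-zero exit with a message tells you what to fix before enabling the service.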
Try making a connection:
sudo openvpn mykeyfile.ovpn
You should see a bunch of routing debug info, then the line:
Initialization Sequence Completed
If everything has connected, you will see your VPN connection as a new network interface called tun0.
Open another terminal connection, or put your process in the background by typing ctrl-Z then bg, and now run
ifconfig
You should see all your network interfaces:
eth0 …
lo…
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.3 netmask 255.255.255.0 destination 10.8.0.3
inet6 fe80::4192:fe9c:7dc7:a00e prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 2 bytes 331 (331.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 175 (175.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
And wlan0…
Type fg to bring your VPN session back to the terminal. Kill the VPN connection with ctrl-C and now enable openvpn as a service so that it starts up every time:
First copy your mykeyfile.ovpn file as follows and note the filename extension change:
sudo cp mykeyfile.ovpn /etc/openvpn/mykeyfile.conf
sudo systemctl enable openvpn
sudo systemctl start openvpn
Restart and check that you have tun0 as an interface. Yaay.
Setup Wifi Hotspot and DHCP on your local Pi 3:
You will need 2 more programs on your local pi, hostapd for the wifi hotspot, and a dhcp server so that you can serve up local ips to your clients on the wifi:
sudo apt-get install hostapd isc-dhcp-server
Configure the DHCP Server on your Pi:
sudo nano /etc/dhcp/dhcpd.conf
Be sure the following is uncommented:
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
and set up your subnet ip’s:
subnet 192.168.42.0 netmask 255.255.255.0 {
range 192.168.42.10 192.168.42.50;
option broadcast-address 192.168.42.255;
option routers 192.168.42.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
Tell the dhcp server what interface you want it to serve up IPs on:
sudo nano /etc/default/isc-dhcp-server
make sure you include the following line:
INTERFACESv4="wlan0"
I am on Raspbian Stretch 9, and the method of setting a static IP below is somewhat old school, using static entries in /etc/network/interfaces (and a post-network-up iptables restore). I tried to do this project the proper way by configuring /etc/dhcpcd.conf but failed. I’m sure someone out there knows what I was doing wrong, but this is the way that works for me.
Disable the dhcpcd client (if you are doing it my way):
sudo update-rc.d dhcpcd disable
Give wlan0 and eth0 static IPs (note eth0 should be reserved on your router; use your own reserved IP):
sudo nano /etc/network/interfaces
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

#iface eth0 inet dhcp
allow-hotplug eth0
iface eth0 inet static
# NOTE: this should be your reserved IP on your LAN
address 192.168.0.87
netmask 255.255.255.0
# NOTE: this should be your gateway and may be different!
gateway 192.168.0.1

allow-hotplug wlan0
iface wlan0 inet static
address 192.168.42.1
netmask 255.255.255.0
# keep the hotspot radio from sleeping
post-up iw dev $IFACE set power_save off
dns-nameservers 8.8.8.8 8.8.4.4
Turn on IP forwarding:
sudo nano /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Set up your hotspot by configuring hostapd:
sudo nano /etc/hostapd/hostapd.conf
Modify ssid with a name of your choice and wpa_passphrase to a password that you will remember:
# WiFi authentication settings
interface=wlan0
driver=nl80211
ssid=WiPi
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=1212121212
wpa_key_mgmt=WPA-PSK
# with wpa=2 only the RSN (WPA2) cipher below is negotiated; wpa_pairwise is ignored
wpa_pairwise=TKIP
rsn_pairwise=CCMP
Test your hotspot
sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf
You should see your new wifi network and be able to connect with a wireless client, but you won’t have any internet access if your vpn is running until you configure your routing.
If it’s working, enable the hostapd daemon:
sudo nano /etc/default/hostapd
Uncomment the following:
DAEMON_CONF="/etc/hostapd/hostapd.conf"
All that is left to do is set up your routing tables.
Forward incoming and outgoing traffic between wlan0 and tun0:
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
Save your current iptables
sudo iptables-save > /etc/iptables.ipv4.nat
Now we want iptables to be restored on boot, so add this line to the bottom of /etc/network/interfaces
up iptables-restore < /etc/iptables.ipv4.nat
Note, there are many ways to set and restore iptables on reboot, but the “recommended” methods did not work for me.
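Because the rules above NAT only on tun0, hotspot clients simply lose connectivity when the tunnel is down instead of quietly going out over eth0 with your local ISP address; that is the property worth checking after every reboot. The script below is an added example, not part of the guide: its file-based checks read a saved rule set in the format iptables-save writes (such as /etc/iptables.ipv4.nat), and the live wrapper assumes the interface names used here (tun0, wlan0, eth0) and root on the Pi. The sample rule sets are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: a health check for the local Pi
# verifying that the hotspot forwards through the tunnel and nowhere else.
# File-based checks read a saved rule set as written by iptables-save
# (the /etc/iptables.ipv4.nat file above); live_check needs root on the Pi.

# rules_present <saved-rules-file>: all three rules the guide adds must exist.
rules_present() {
    grep -q -- '^-A POSTROUTING -o tun0 -j MASQUERADE' "$1" &&
    grep -q -- '^-A FORWARD -i tun0 -o wlan0 .*RELATED,ESTABLISHED -j ACCEPT' "$1" &&
    grep -q -- '^-A FORWARD -i wlan0 -o tun0 -j ACCEPT' "$1"
}

# no_lan_egress <saved-rules-file>: the guide NATs only on tun0, so a downed
# tunnel means no connectivity rather than a leak over eth0. Fail if a rule
# towards eth0 has crept in, which would undo that property.
no_lan_egress() {
    ! grep -q -- '^-A POSTROUTING -o eth0 -j MASQUERADE' "$1" &&
    ! grep -q -- '^-A FORWARD -i wlan0 -o eth0 ' "$1"
}

# live_check: run on the Pi itself (e.g. from cron) after each reboot.
live_check() {
    ip -4 addr show dev tun0 2>/dev/null | grep -q 'inet ' \
        || { echo "tun0 has no address: VPN is down"; return 1; }
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || { echo "ip_forward is off"; return 1; }
    cur=$(mktemp); iptables-save > "$cur"
    rules_present "$cur" || { echo "VPN forwarding rules missing"; return 1; }
    no_lan_egress "$cur" || { echo "rules allow hotspot egress via eth0"; return 1; }
    echo "hotspot routes via tun0 only"
}

# Constructed sample: the saved rule set after the guide's three iptables commands.
GOOD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT
EOF
# Constructed sample with an extra NAT on eth0 that would bypass the VPN.
LEAKY_RULES=$(mktemp)
{ cat "$GOOD_RULES"; echo '-A POSTROUTING -o eth0 -j MASQUERADE'; } > "$LEAKY_RULES"

rules_present "$GOOD_RULES" && no_lan_egress "$GOOD_RULES" && echo "saved rules OK"
```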
If everything went ok, you should have a rock solid VPN that reconnects on reboot and establishes a usable secure wifi that connects directly to your home country (or other remote network) seamlessly. Good luck and enjoy a small taste of home!