My Raspberry Pi model 3 is a multipurpose server. Currently it is:
A WiFi Access Point
#connected to the router via ethernet and extending that connection via WiFi.
A VPN server
#provides VPN function to wireless AP clients.
A SMB NAS
#provides network access to files stored on it.
A local Webserver
#provides a local WordPress instance for experimentation.
A local Minecraft Server
#rarely used, installed to see if it would run smoothly.
With these running it is averaging:
20-40% Average CPU usage #with expected spikes (it’s not exactly a powerhouse machine)
130/970Mb Memory usage
4.7Gb/15Gb Disk usage #for “/”
!!This is not a comprehensive “How-to” guide, it was pieced together from various other configs and made to work on my machines/network!!
It’s here for personal reference, I recommend you search around for a proper guide if you want to do something similar yourself.
Access point setup with hostapd
The current home network uses a 192.168.1.X IP range. The VPN network will run on a 192.168.11.X IP range. openvpn will be used to connect to NordVPN,
change as needed. *No ARM client is available for NordVPN's official VPN client!
#Perform initial install/setup of RaspberryPi if needed
#Update pi
sudo apt-get update && sudo apt-get upgrade
#install hostapd to provide a wifi access point on wlan0
#install isc-dhcp-server to assign ip addresses to wlan0 clients
#install openvpn to manage the vpn connection
sudo apt-get install hostapd isc-dhcp-server openvpn
#edit /etc/dhcp/dhcpd.conf -addition to end of file
subnet 192.168.11.0 netmask 255.255.255.0 {
    range 192.168.11.20 192.168.11.30;
    option broadcast-address 192.168.11.255;
    option routers 192.168.11.1;
    default-lease-time 600;
    max-lease-time 7200;
    option domain-name "local";
    option domain-name-servers 8.8.8.8, 8.8.4.4;
}
#edit /etc/default/isc-dhcp-server -addition to end of file
#dhcp server to serve dhcp requests on adaptor wlan0
INTERFACES="wlan0"
#edit /etc/network/interfaces -comment out (#) the current wlan0 config to retain the details for reference
#new wlan0 config
allow-hotplug wlan0
iface wlan0 inet static
    address 192.168.11.1
    netmask 255.255.255.0
#edit /etc/hostapd/hostapd.conf #create access point using hostapd
#comments must sit on their own line in hostapd.conf, one setting per line
interface=wlan0
#driver for the default pi3 onboard wireless adaptor, edit for USB dongle
driver=nl80211
ssid=wifi_SSID
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=wifi_Pass
wpa_key_mgmt=WPA-PSK
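#with wpa=2 only rsn_pairwise is used; wpa_pairwise is the WPA1 cipher and the fallback if rsn_pairwise is unset
wpa_pairwise=TKIP
rsn_pairwise=CCMP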
#edit /etc/default/hostapd to link to the updated .conf file: remove the # from DAEMON_CONF and add the path to the .conf
DAEMON_CONF=/etc/hostapd/hostapd.conf
#copy relevant files for your vpn provider to /etc/openvpn and configure as required.
#enable ipv4 forwarding
#edit /etc/sysctl.conf -remove the # from net.ipv4.ip_forward=1 to allow it.
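A quick check for a hostapd.conf like the one above before starting the access point. This is an added example, not part of the original notes: the audit_hostapd function name and the MIN_PSK_LEN threshold of 12 are assumptions of the example, and the sample config at the end is constructed.

```shell
#!/bin/sh
# Added example: audit a hostapd.conf for weak or malformed WPA settings.
# MIN_PSK_LEN is this example's own policy threshold, not a hostapd limit.
MIN_PSK_LEN=12

# audit_hostapd [FILE]: one finding per line on stdout; reads stdin if no FILE
audit_hostapd() {
  awk -v minlen="$MIN_PSK_LEN" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comment and blank lines
    {
      eq = index($0, "=")
      if (eq == 0) { print "line " NR ": not a key=value setting"; next }
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      # Everything after "=" is the value, so an inline "#note" or a
      # second key=value on the same line becomes part of it.
      if (key != "ssid" && key != "wpa_passphrase" && val ~ /[ \t](#|[a-z_0-9]+=)/)
        print "line " NR ": " key " has trailing text in its value"
      conf[key] = val
    }
    END {
      wpa = conf["wpa"] + 0
      if (wpa == 0) print "wpa: WPA not enabled"
      if (wpa == 1 || wpa == 3) print "wpa: WPA1 enabled, use wpa=2"
      if (wpa >= 2) {
        # WPA2 cipher: rsn_pairwise, else wpa_pairwise, else default TKIP
        cipher = "TKIP"
        if ("wpa_pairwise" in conf) cipher = conf["wpa_pairwise"]
        if ("rsn_pairwise" in conf) cipher = conf["rsn_pairwise"]
        if (cipher ~ /TKIP/) print "cipher: TKIP offered to WPA2 clients, set rsn_pairwise=CCMP"
      }
      if (conf["auth_algs"] + 0 >= 2) print "auth_algs: shared-key (WEP) authentication allowed, use auth_algs=1"
      n = length(conf["wpa_passphrase"])
      if (n > 0 && (n < 8 || n > 63)) print "wpa_passphrase: must be 8 to 63 characters"
      else if (n > 0 && n < minlen) print "wpa_passphrase: " n " characters, below " minlen
    }
  ' "${1:--}"
}

# Constructed sample: WPA2 with no rsn_pairwise falls back to wpa_pairwise=TKIP
audit_hostapd <<'EOF'
interface=wlan0
wpa=2
wpa_passphrase=constructed-sample-passphrase
wpa_pairwise=TKIP
EOF
```

Run it against the real file with: audit_hostapd /etc/hostapd/hostapd.conf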
NAS setup using SMB #Quick’n’dirty setup, not security conscious!!
#NAS setup (samba) -based on a fat32 usb drive (install ntfs-3g if required for ntfs storage)
sudo apt install samba samba-common-bin
#Locate the disk you’ll be using as storage and note the location, for me it’s /dev/sda1
fdisk -l
#Create a directory you’ll mount this device to, for me it will be /home/pi/NAS
mkdir /home/pi/NAS
#mount the storage drive to the folder you created
sudo mount -t auto /dev/sda1 /home/pi/NAS
#Backup your samba config before making changes
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.old
#open smb.conf for editing, I use nano
sudo nano /etc/samba/smb.conf
#Configure security as needed, this is my private box and non-essential so I’m ok leaving it open.
#Create the new samba shares, added to the bottom of the file.
#samba.org has lots of info about specifics if needed.
##New Share##
[NAS]
comment = NAS Storage
path = /home/pi/NAS
valid users = @users
force group = users
create mask = 0660
directory mask = 0771
read only = no
#restart the samba server
sudo /etc/init.d/samba restart
#create user/users to access the NAS if needed, for example:
sudo useradd NAS -m -G users
sudo passwd NAS
#Connect the user account to samba
sudo smbpasswd -a NAS
#Set password to connect to share. NOTE: I’m connecting via the default existing pi user so it was only:
sudo smbpasswd -a pi
The new NAS should now be up and running, browse to it using your network browser of choice and connect using the account you connected.
CAUTION: This is a very quick and dirty setup, definitely not ideal for networks with multiple users due to potential security issues! It is just the setup for my personal use.
# Working iptables setup
# Formatting is messed up from database recovery!
sudo iptables -t nat -S
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
sudo iptables -I INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent