Before we start
I spent quite a bit of time on this guide and process. If you have your own Pi and don’t want to manage your own Azure resources, you may be better off just paying the $40 setup fee and $25 monthly afterwards. If you don’t know what the terminal is, you should just buy the Raspberry Pi device I’m selling.
This guide only covers your hotspot being connected via wifi – not via ethernet (or two wifi cards). If you are technical, the instructions are the same except that eth0 and wlan0 are swapped in the scripts and docs I provide. For two wifi cards, eth0 becomes wlan0 and wlan0 becomes wlan1.
Oh also, donate if you find this useful. My helium address is below – others are at the bottom.
- Raspberry Pi with Wifi and Ethernet*
- Micro SD card large enough for the Raspbian build
- An Azure Subscription
- Some knowledge of how to use the terminal
- Some knowledge of how this system works
* These instructions will work for any Pi with Wifi and Ethernet built in… you may have an issue if you use a dongle as the default driver may not work. I will not offer any support on this obviously.
Azure Setup Instructions
1. Create an OpenVPN server. A Standard_B1s (1 vCPU, 1 GiB memory) works great – anything smaller will crash. Be sure to turn off “Enable Auto-Shutdown” on the Management tab during creation.
(Azure deployment instructions are not covered; if you don’t know how to do this, I recommend purchasing my services instead.)
2. SSH in to your server and just hit enter or type yes to all the prompts.
3. Once the initial configuration is done, go ahead and run this command:
sudo iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 44158 -j DNAT --to-destination 172.27.240.2:44158
3B. If you used an SSH public key for your server (like you should), you need to do this as well and set a password so you can log in to the VPN server:
sudo passwd openvpn
4. Now that you’ve set up forwarding on the OpenVPN server, go back to the Azure portal and open the Network Security Rules for your VM (open the VM, click Networking on the left).
5. Click “Add inbound port rule” and fill it out like the below.
6. You’re done with the Azure side of things, now on to the VPN itself.
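A check for the forward from step 3, as an added example (not from the original guide): it reads the output of iptables -t nat -S PREROUTING and reports whether the port 44158 forward is present exactly once, since re-running the -I command inserts a second copy. The function names, output tags and the extra 44159 rule in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the DNAT forwards in a nat PREROUTING chain.

# list_dnat: read `iptables -t nat -S PREROUTING` output on stdin and print
# "in-interface dport destination" for every DNAT rule.
list_dnat() {
    awk '$1 == "-A" && /-j DNAT/ {
        ifc = "any"; port = "any"; dst = "?"
        for (i = 1; i < NF; i++) {
            if ($i == "-i") ifc = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "--to-destination") dst = $(i + 1)
        }
        print ifc, port, dst
    }'
}

# check_forward EXPECTED: compare the rules on stdin with the one EXPECTED
# forward, e.g. "eth0 44158 172.27.240.2:44158".
check_forward() {
    rules=$(list_dnat)
    n=$(printf '%s\n' "$rules" | grep -Fxc -- "$1" || true)
    case "$n" in
        0) echo "MISSING: $1" ;;
        1) echo "OK: $1" ;;
        *) echo "DUPLICATE x$n: $1" ;;
    esac
    # Any other DNAT rule forwards a port the guide did not ask for.
    printf '%s\n' "$rules" | grep -Fxv -- "$1" | sed '/^$/d; s/^/UNEXPECTED: /'
    return 0
}

# Constructed sample of `sudo iptables -t nat -S PREROUTING` on the VPN server:
# step 3 was run twice and a leftover test forward (made up) is still there.
check_forward "eth0 44158 172.27.240.2:44158" <<'EOF'
-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 44158 -j DNAT --to-destination 172.27.240.2:44158
-A PREROUTING -i eth0 -p tcp -m tcp --dport 44158 -j DNAT --to-destination 172.27.240.2:44158
-A PREROUTING -i eth0 -p tcp -m tcp --dport 44159 -j DNAT --to-destination 172.27.240.3:44159
EOF
```

On the server itself, pipe the live output in place of the sample: sudo iptables -t nat -S PREROUTING | check_forward "eth0 44158 172.27.240.2:44158".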
- Launch your VPN server by visiting it (the link will be something like https://xxx.xxx.xxx.xxx:943/admin/) – you can get the public IP by visiting your VM in Azure and seeing it at the top right.
- Ignore your browser’s warnings and continue anyway. *Note: Mac users need to use something other than Chrome because it won’t let you bypass it.
- Log in as user openvpn and use the password you set above (or your root password)
- Click Configuration -> VPN Settings
- Type 172.27.240.0 in the box that says Static IP Address Network (Optional) and 24 in the # of netmask bits
- Click save at the bottom then click the button at the top of the page that says apply after reload
- Click User Management -> User Permissions
- Click the “Allow Auto-login” box next to the user openvpn
- Click “More Settings” next to openvpn
- Select “Use Static” and type in 172.27.240.2 for the user.
- Click Save at the bottom of the page
- Click update server if it prompts.
- Open your server again without the /admin (so https://xxx.xxx.xxx.xxx:943)
- Log in as openvpn again
- There should be a link that says “Yourself (autologin profile)” – click that and store the client.ovpn file so you can put it on the pi.
- Format a micro SD card with a clean installation of Raspbian
- Connect via ethernet and finish the setup (let it download updates, be sure to select your locale in raspi-config)
NOTE: Thanks to Steve (dewigo.com), you may need to use this guide to set the locale: https://rohankapoor.com/2012/04/americanizing-the-raspberry-pi/
- Download this zip file and unzip it to your home directory on the pi
- Place the client.ovpn file in the home directory of the pi
- Uncomment line 158 of the file dnsmasq.conf and add your Wifi MAC address, found in the diagnostics section of the app (looks similar to below, but obviously 00:11:22:33:44 would be your MAC address)
- Create a new file in the home directory called hostapd.conf and type this in (change SSID and password):
- NOTE: If you’re using a Pi 4 and prefer to use 5 GHz, use hw_mode=a and channel=36.
- NOTE: If you’re not living in the USA, the channel below (or above) may need to change.
interface=wlan0
driver=nl80211
ssid=YOUR_SSID_HERE
channel=1
hw_mode=g
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=YOUR_PASSWORD_HERE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
6. Finally – Open Terminal and run the following commands
cd ~
sudo chmod +xX step1.sh
sudo ./step1.sh
7. After your Pi reboots the device will automatically connect to VPN and when your hotspot connects to the pi, you will have traffic!
7b. Still not working? Go back to your openvpn server (ssh in) and run the following command: sudo iptables -F
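An audit of the hostapd.conf created in the Pi steps above, as an added example (not part of the original guide or its zip file): it flags WPA v1, TKIP and passphrase problems, all of which the template's wpa=3 and wpa_pairwise=TKIP lines trigger. The function names and output tags are made up for this example, and it assumes the file uses wpa_passphrase rather than wpa_psk.

```shell
#!/bin/sh
# Added example: flag WPA v1, TKIP and passphrase problems in a hostapd.conf.
# Assumes the file uses wpa_passphrase (not wpa_psk); names here are made up.

# get_opt FILE KEY: print the last value assigned to KEY (key=value lines).
get_opt() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_hostapd FILE: print one finding per line, nothing if the file is clean.
audit_hostapd() {
    wpa=$(get_opt "$1" wpa)
    pairwise="$(get_opt "$1" wpa_pairwise) $(get_opt "$1" rsn_pairwise)"
    pass=$(get_opt "$1" wpa_passphrase)

    # wpa is a bit field: bit 0 = WPA (v1), bit 1 = WPA2/RSN.
    case "$wpa" in
        2) ;;
        1|3) echo "WPA1: wpa=$wpa enables WPA v1; wpa=2 is WPA2 only" ;;
        *) echo "NOWPA: wpa='$wpa' does not enable WPA2" ;;
    esac

    # TKIP is deprecated; rsn_pairwise falls back to wpa_pairwise if unset.
    case "$pairwise" in
        *TKIP*) echo "TKIP: pairwise ciphers include TKIP; use CCMP only" ;;
    esac

    # WPA-PSK passphrases are 8..63 characters; also catch the template value.
    if [ "$pass" = "YOUR_PASSWORD_HERE" ]; then
        echo "PASSPHRASE: template value was never changed"
    elif [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "PASSPHRASE: length ${#pass} is outside 8..63"
    fi
    return 0
}

# Constructed sample: the security-related lines of the guide's template.
sample=$(mktemp)
cat > "$sample" <<'EOF'
wpa=3
wpa_passphrase=YOUR_PASSWORD_HERE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF
audit_hostapd "$sample"
rm -f "$sample"
```

A file with wpa=2, rsn_pairwise=CCMP, no TKIP entry and a passphrase of 8 to 63 characters produces no findings.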
You may want to let the hotspot sync on an ethernet network to start with (not through the VPN service). This will be a lot faster and a lot cheaper for you.
autoboot.sh has a debug line that I used to test with another device on my home network. You can remove this:
iptables -t nat -I PREROUTING -i tun0 -p tcp -m tcp --dport 44159 -j DNAT --to-destination 192.168.2.12:44159
Or, if you want to test with a second device, leave it in and add this to the dnsmasq.conf