DIY VPN (Ethernet) Instructions

Before we start

I spent quite a bit of time on this guide and process. If you have your own Pi and don’t want to manage your own Azure resources, you may be better off just paying the $40 setup fee and $25 monthly afterwards. If you don’t know what the terminal is, you should just buy the Raspberry Pi device I’m selling.

This guide only covers your hotspot being connected via wifi – not via ethernet (or two wifi cards). If you are technical, the instructions are the same except that eth0 and wlan0 are reversed in the scripts and docs I provide. For two wifi cards, eth0 becomes wlan0 and wlan0 becomes wlan1.

Oh also, donate if you find this useful. My helium address is below – others are at the bottom.

145UZRW2PhUmTM4YiCyyFCJRQUfdVcU2XegP1fmzNomoRx1qrzW

Prerequisites

  • Raspberry Pi with Wifi and Ethernet*
  • Micro SD card large enough for the Raspbian build
  • An Azure Subscription
  • Some knowledge of how to use the terminal
  • Some knowledge of how this system works

* These instructions will work for any Pi with Wifi and Ethernet built in… you may have an issue if you use a dongle as the default driver may not work. I will not offer any support on this obviously.

Azure Setup Instructions

1. Create an OpenVPN Server. A Standard_B1s (1 vCPU, 1 GiB memory) works great – anything smaller will crash. Be sure to turn off “Enable Auto-Shutdown” on the Management tab during creation.

(Azure deployment instructions are not covered; if you don’t know how to do this, I recommend purchasing my services instead.)

2. SSH into your server and just hit enter or type yes to all the prompts:

ssh azureuser@your.server.ip.address

3. Once the initial configuration is done, go ahead and run this command:

sudo iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 44158 -j DNAT --to-destination 172.27.240.2:44158

3B. If you used an SSH public key for your server (like you should), you also need to set a password so you can log in to the VPN server:

sudo passwd openvpn

4. Now that you’ve set up forwarding on the OpenVPN Server, go back to the Azure portal and open the network security rules for your VM (open the VM, click Networking on the left).

5. Click “Add inbound port rule” and fill it out like the below.

6. You’re done with the Azure side of things, now on to the VPN itself.

OpenVPN Settings

  1. Launch your VPN server by visiting it (the link will be something like https://xxx.xxx.xxx.xxx:943/admin/) – you can get the public IP by visiting your VM in Azure and seeing it at the top right.
  2. Ignore your browser’s warnings and continue anyway. *Note: Mac users need to use something other than Chrome because it won’t let you bypass it.
  3. Log in as user openvpn and use the password you set above (or your root password)
  4. Click Configuration -> VPN Settings
  5. Type 172.27.240.0 in the box that says Static IP Address Network (Optional) and 24 in the # of netmask bits
  6. Click save at the bottom then click the button at the top of the page that says apply after reload
  7. Click User Management -> User Permissions
  8. Click the “Allow Auto-login” box next to the user openvpn
  9. Click “More Settings” next to openvpn
  10. Select “Use Static” and type in 172.27.240.2 for the user.
  11. Click Save at the bottom of the page
  12. Click update server if it prompts.
  13. Open your server again without the /admin (so https://xxx.xxx.xxx.xxx:943)
  14. Log in as openvpn again
  15. There should be a link that says “Yourself (autologin profile)” – click that and store the client.ovpn file so you can put it on the pi.

Pi setup

  1. Format a micro SD card with a clean installation of Raspbian
  2. Connect via ethernet and finish the setup (let it download updates, be sure to select your locale in raspi-config)
    NOTE: Thanks to Steve (dewigo.com), you may need to use this guide to set the locale: https://rohankapoor.com/2012/04/americanizing-the-raspberry-pi/
  3. Download this zip file and unzip it to your home directory on the pi
  4. Place the client.ovpn file in the home directory of the pi
  5. Update line 158 of the file dnsmasq.conf: uncomment it and add your hotspot’s Wifi MAC address, found in the diagnostics section of the app (it looks similar to the below, but obviously 00:11:22:33:44:55 would be your hotspot’s MAC address)
dhcp-range=wlan0,192.168.2.10,192.168.2.150
dhcp-host=00:11:22:33:44:55,192.168.2.11
  • Create a new file in the home directory called hostapd.conf and type this in (change SSID and password):
  • NOTE: If you’re using a Pi 4 and prefer to use 5 GHz, use hw_mode=a and channel=36.
  • NOTE: If you’re not living in the USA, the channel below (or above) may need to change.
interface=wlan0
driver=nl80211
ssid=YOUR_SSID_HERE
channel=1
hw_mode=g
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=YOUR_PASSWORD_HERE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

6. Finally – Open Terminal and run the following commands

cd ~
sudo chmod +xX step1.sh
sudo ./step1.sh

7. After your Pi reboots, the device will automatically connect to the VPN, and when your hotspot connects to the Pi, you will have traffic!

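7b. Still not working? Go back to your OpenVPN server (ssh in) and run the following command: sudo iptables -F (this flushes every rule in the filter table; the DNAT rule you added earlier lives in the nat table and stays in place)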
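
A pre-flight check for the hostapd.conf created in the Pi setup above, as an added example that is not part of the guide or its zip file. It flags legacy WPA1 (the guide's wpa=3 turns on WPA1 alongside WPA2), TKIP in the WPA2 cipher list, leftover placeholders and an out-of-range passphrase; the function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the guide's zip): lint hostapd.conf settings.

# Print the value of KEY in a key=value FILE (last assignment wins).
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Print one finding per line; print nothing when the file passes.
lint_hostapd() (
    f=$1
    wpa=$(conf_get wpa "$f")
    ssid=$(conf_get ssid "$f")
    pass=$(conf_get wpa_passphrase "$f")
    # hostapd uses wpa_pairwise, then TKIP, when rsn_pairwise is unset.
    rsn=$(conf_get rsn_pairwise "$f")
    [ -n "$rsn" ] || rsn=$(conf_get wpa_pairwise "$f")
    [ -n "$rsn" ] || rsn=TKIP
    # wpa is a bit field: 1 = WPA (v1), 2 = WPA2/RSN, 3 = both.
    case "$wpa" in
        2) ;;
        1|3) echo "wpa=$wpa: legacy WPA1 is enabled, set wpa=2" ;;
        *) echo "wpa=${wpa:-unset}: WPA2 is not enabled" ;;
    esac
    case "$wpa: $rsn " in
        [23]:*" TKIP "*) echo "WPA2 pairwise ciphers include TKIP, use CCMP only" ;;
    esac
    case "$ssid" in
        ""|YOUR_SSID_HERE) echo "ssid is unset or still the placeholder" ;;
    esac
    if [ "$pass" = "YOUR_PASSWORD_HERE" ]; then
        echo "wpa_passphrase is still the placeholder"
    elif [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "wpa_passphrase must be 8 to 63 characters"
    fi
)

# Constructed sample: the guide's security lines with placeholders replaced.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ssid=constructed-ssid
wpa=3
wpa_passphrase=constructed-sample-passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF
lint_hostapd "$sample"
rm -f "$sample"
```

Run it as lint_hostapd ~/hostapd.conf before step1.sh; an empty result means none of the four checks fired.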

Final Notes:

You may want to let the hotspot sync on an ethernet network to start with (not through the VPN service). This will be a lot faster and a lot cheaper for you.

autoboot.sh has a debug line that I used to test with another device on my home network. You can remove this:

iptables -t nat -I PREROUTING -i tun0 -p tcp -m tcp --dport 44159 -j DNAT --to-destination 192.168.2.12:44159

Or, if you want to test with a second device, leave it in and add this to the dnsmasq.conf:

dhcp-host=PUT:YOUR:MAC:ADDRESS:HERE,192.168.2.12
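
To confirm that the only port forward left in place is the intended one (the 44158 rule from the Azure setup, or its Pi-side counterpart) and that the 44159 debug line is gone once testing is over, the rules can be audited as below. This is an added example, not code from the guide's scripts; audit_dnat is a hypothetical helper, and the Pi-side 44158 rule in the sample is an assumption about what autoboot.sh installs.

```shell
#!/bin/sh
# Added example (not from the guide's scripts): audit DNAT port forwards.

# Usage: iptables -t nat -S PREROUTING | audit_dnat IFACE PORT DEST_IP
# Prints OK for the one intended TCP forward, UNEXPECTED for any other DNAT
# rule, and MISSING when the intended forward is absent.
audit_dnat() (
    set -f    # no filename globbing while word-splitting rule lines
    want="$1 tcp $2 $3:$2"
    found=no
    while read -r line; do
        case "$line" in *"-j DNAT"*) ;; *) continue ;; esac
        set -- $line
        ifc=; proto=; port=; dest=
        while [ $# -gt 1 ]; do
            case "$1" in
                -i) ifc=$2 ;;
                -p) proto=$2 ;;
                --dport) port=$2 ;;
                --to-destination) dest=$2 ;;
            esac
            shift
        done
        if [ "$ifc $proto $port $dest" = "$want" ]; then
            found=yes
            echo "OK $ifc $proto/$port -> $dest"
        else
            echo "UNEXPECTED $ifc $proto/$port -> $dest"
        fi
    done
    [ "$found" = yes ] || echo "MISSING $want"
)

# Constructed sample of Pi-side rules. The 44158 forward to 192.168.2.11 is
# an assumption about autoboot.sh; the 44159 rule is the guide's debug line.
audit_dnat tun0 44158 192.168.2.11 <<'EOF'
-P PREROUTING ACCEPT
-A PREROUTING -i tun0 -p tcp -m tcp --dport 44158 -j DNAT --to-destination 192.168.2.11:44158
-A PREROUTING -i tun0 -p tcp -m tcp --dport 44159 -j DNAT --to-destination 192.168.2.12:44159
EOF
```

On the Azure server the equivalent call is sudo iptables -t nat -S PREROUTING | audit_dnat eth0 44158 172.27.240.2.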

Helium:

145UZRW2PhUmTM4YiCyyFCJRQUfdVcU2XegP1fmzNomoRx1qrzW

Bitcoin:

bc1q8qqxlzuuzpgje3h5u6ysnge68vk8u82m6pelwa

Ethereum:

0x2A82C3bB0e2EfB9d77299fe8a5309b1679C757eD

11 thoughts on “DIY VPN (Ethernet) Instructions”

  1. I would like to buy the Raspberry Pi you’re selling. How many hotspots will work on one configured Pi?

  2. Dude, need 1 of these to test, and maybe more to deploy a helium network …. let me know

    1. You are welcome to buy one!

  3. I followed everything in the guide, and I checked three times, but port 44158 isn’t open when I go to portchecker.co and enter the IP address of my server and port 44158. By the way, this is a DIY, I have my own Pi. Any help would be appreciated.

    1. You are welcome to pay me to do it for you or hire me at a consulting rate. If you’d like me to reach out via my hourly rate, respond to this and I’ll drop you an email!

      Also, you’re getting this response because I have no idea what you did – if you followed this guide to a t, your setup would work.

      The only other thing you can try is

      sudo iptables -F

      On the azure server. If that doesn’t work, feel free to reply and I’ll set up time for us to talk.

      1. I just paid for the DIY plan. Not sure what is happening. BTW, the command

        sudo iptables -F

        did not have any output on the azure server.

        1. It won’t, but the port may magically open if you do that.

          Cool on the plan, I’ll send you the cert and installation soon!

          1. Oh….it magically opened the port. Ah well I will still use your service. Could you make the Azure server based in Wyoming please? I believe it is West Central US in Azure. It is closer to me which will make the ping lower.

          2. You’ve got it! You’ll just download the cert I send to you and place it in the home directory. From there, you’ll run sudo ./step1.sh again and everything will be good to go.

            I’ll send it to you in a bit 🙂

  4. Hi, Well I’ve been using my own pi and this does work however the bobcat miner is not seeing the pi as a hotspot. Unless you mean in the docs that the dnsmasq.conf address should be the bobcat mac address. From the doc I thought it was the mac address of the wifi on the pi.

    Port 44158 says closed and I’m still stuck in relay mode.

    Thanks, Jason

    1. I do in fact mean the MAC address of the bobcat 🙂
