I prepared this write-up at the request of a member on the ProtonVPN reddit forum. After all that effort the post was removed. Too long or what, I have no idea. I thought I might share it here for what it is worth...
In response to a comment in another thread I am posting a description of how I am using a Raspberry Pi Zero as a gateway/firewall/router and vpn sharing box to connect my LAN to the Internet via ProtonVPN. This is the latest iteration of my less is more progression. I started with a small Intel based PC, then migrated to a Pi 3B and now to the Zero. I will be brief about how to setup the Pi in general as that is well documented elsewhere. However, if I can answer a question, please ask. Please feel free to make use of my script, systemctl job etc. Comments are appreciated as I may have made some typos in this monograph :-)
The Pi Zero has some limitations. No network connectivity built in, a single USB port with minimal power capability and Raspbian as the only practicable OS. The Intel PC used CentOS 7 and the Pi 3B Ubuntu Mate. Those made the setup a breeze. As to Raspbian, more on that as we go...
The hardware setup is as follows:
Pi Zero
a USB hub
two USB to 10/100 Ethernet dongles
a 16 GB MicroSD card with the official Raspbian image
a Pi power supply
some Ethernet cables
keyboard, mouse, monitor (only for initial setup)
The installation process:
Connect a monitor to the Pi and plug in a keyboard, mouse and the two Ethernet dongles to the hub. Caution: do not plug in an Ethernet dongle after the Pi is booted. I have found that doing so will cause a voltage dip on the USB port and cause the Pi to reboot. Label one of the dongles wan (for wide area network i.e. Internet). Connect an Ethernet cable from the wan dongle to your Internet source (modem/router etc.) Do NOT connect anything to the second dongle for now.
Boot the Pi for the first time. It will expand the file system to fill the SD card, create a swap file, connect to the Internet, update packages as necessary etc. You will be automatically logged in as user "pi" when this completes.
The next step is to install the ProtonVPN Linux client. This is documented on the Proton web site. Just a couple of notes...
Execute "sudo su -" (no quotes) in the terminal before starting the installation. This SHOULD cause the ProtonVPN configuration files to land in /root/.protonvpn-cli/ Check this after the installation: ls -a /root/.protonvpn-cli should show a bunch of stuff. If it lands in /home/pi/.protonvpn-cli instead, you will need to move the directory and its contents to /root/ in order for the script to execute the connection as root.
While logged on as root (sudo su -) try accessing the ProtonVPN client pvpn -c, pvpn -d, pvpn --cc US etc. Provided this works we can now proceed to setting up the second Ethernet dongle. It will be shared to the other computers on the LAN.
The Raspbian OS uses the LXDE desktop which is light weight but lacks the tools I am familiar with in my preferred OS, CentOS. I therefore installed network-manager-gnome, firewalld and firewall-cmd. I uninstalled ufw just to be safe. The firewall configuration can be done with either tool - your preference.
The utility nm-connection-editor makes quick work of setting up the two network connections. There should be a menu item under Configuration as I recall. Launch the utility and look for the active Ethernet connection. There SHOULD only be one as the second dongle is not connected on the Ethernet side.
Select the connection and double click or press the gear-like edit button. A 7 tab dialog will appear. You should be on the second tab (Ethernet). Change Connection name: to "wan". Make note of the Device: identification as it may come in handy later.
Select the IPv4 Settings tab. The Method: should be "Automatic (DHCP)". On the IPv6 Settings tab I generally set the Method: to "Ignore" as I am not using IPv6 (yet). When everything looks good press Save. Close the utility.
Next connect the second (LAN side) dongle to another PC or a switch or hub so it is electrically "alive". Call up the utility again, select the new connection and edit it. Check the Device identifier to make sure you have the correct one. Change the Connection name: to "lan". Again you may set IPv6 to Ignore. The real magic occurs on the IPv4 Settings tab. Change the Method to "Shared with other computers". Save and close the utility.
Reboot the Pi. When it comes back up we need to see what sort of network mess we have. CentOS and Ubuntu are reasonably well behaved. Raspbian... Modern Linux distros try to make networking easy by automagically connecting to the network/Internet. That is fine unless it is desired to do something specific. Open a terminal and check things out. Here is an example from my Pi:
Code:
ken@taylor27:~ $ nmcli conn
NAME UUID TYPE DEVICE
lan e9b71f92-a15d-4453-a1ff-439522c2fdf8 802-3-ethernet eth1
tun0 0bbf891e-92fc-424a-addc-ec403d28a72c tun tun0
wan 349104ac-00aa-486d-81bd-adf627646cdf 802-3-ethernet eth0
ken@taylor27:~ $ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.66.5/24 brd 192.168.66.255 scope global dynamic eth0
       valid_lft 233644sec preferred_lft 233644sec
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.42.0.1/24 brd 10.42.0.255 scope global eth1
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.3.3/24 brd 10.8.3.255 scope global tun0
       valid_lft forever preferred_lft forever
Things to note:
tun0 is my VPN tunnel. It will appear after the ProtonVPN is connected. Ignore for now.
The wan connection is on device eth0 and has an IP address of 192.168.66.5 (from my DSL modem/router).
The lan connection is on device eth1 and has an address of 10.42.0.1. This is the default for a shared connection. Devices which connect to the shared connection will receive a DHCP address in the 10.42.0.xxx range from DHCP on the Pi.
If you have a second PC connected to the Ethernet side of the lan dongle disconnect and reconnect it. It should pick up an IP address. If you have a hub connected to the Ethernet side of the dongle plug a PC into it and see that it picks up an IP address. If all has gone to plan you will have the Pi functioning as a gateway between the Internet and your (small one device) LAN. Open a web browser on the LAN PC and access a site such as ipaddress.com. You should see an Internet address corresponding to the one provided by your ISP.
The next step is I guess optional. Configure the firewall using the tool of your choice thus:
Make the "drop" zone the default zone.
Pick a second zone, I use "internal", and limit it to ssh only. Enable vnc if you wish to access the Pi in gui mode (not necessary).
put the wan connection in the drop zone
put the lan connection in the internal zone
Be sure to enable the firewall (sudo systemctl enable firewalld in my case)
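The same two connections and firewall zones can be set up from the command line instead of through nm-connection-editor and the firewalld GUI. The script below is an added example, not part of the original post: it assumes NetworkManager and firewalld are installed, that the dongles show up as the device names passed on the command line (eth0 and eth1 in the nmcli output above), and it additionally opens dhcp and dns in the internal zone so LAN clients can obtain an address and resolve names through the Pi's shared connection (an assumption on my part; NetworkManager's own shared-mode rules may already allow this). firewalld must be running for the connection.zone setting to take effect.

```shell
#!/bin/sh
# setup-gateway.sh - wan/lan connections plus firewalld zones for the Pi gateway.
# Added example (not the post's own steps). Usage: setup-gateway.sh eth0 eth1

NMCLI=${NMCLI:-nmcli}          # overridable so the functions can be dry-run
FWCMD=${FWCMD:-firewall-cmd}

# wan: DHCP from the upstream modem/router, IPv6 ignored, placed in the drop zone.
# lan: NetworkManager "shared" mode (10.42.0.1/24, its own DHCP/DNS, NAT to wan),
#      placed in the internal zone.
configure_connections() {
    wan_dev=$1
    lan_dev=$2
    "$NMCLI" connection add type ethernet ifname "$wan_dev" con-name wan \
        ipv4.method auto ipv6.method ignore connection.zone drop
    "$NMCLI" connection add type ethernet ifname "$lan_dev" con-name lan \
        ipv4.method shared ipv6.method ignore connection.zone internal
}

# Default zone "drop": packets on any interface without an explicit zone are
# dropped silently. Internal zone: strip firewalld's default extras so only ssh
# remains, plus dhcp/dns for the shared connection's clients (assumption, see
# lead-in). Add vnc-server here if you want GUI access from the LAN.
configure_firewall() {
    "$FWCMD" --set-default-zone=drop
    for svc in mdns samba-client dhcpv6-client; do
        # ignore errors for services this firewalld version does not list
        "$FWCMD" --permanent --zone=internal --remove-service="$svc" >/dev/null 2>&1
    done
    "$FWCMD" --permanent --zone=internal --add-service=ssh
    "$FWCMD" --permanent --zone=internal --add-service=dhcp
    "$FWCMD" --permanent --zone=internal --add-service=dns
    "$FWCMD" --reload
}

# Only act when both device names are given; otherwise just print usage.
if [ $# -eq 2 ]; then
    systemctl enable --now firewalld      # firewalld must run before zones apply
    configure_connections "$1" "$2"
    configure_firewall
else
    echo "usage: $0 <wan-device> <lan-device>" >&2
fi
```

Run it once as root after the dongles are plugged in; check the result with firewall-cmd --get-active-zones, which should list eth0 under drop and eth1 under internal.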
Now onto my soapbox for a minute... You will probably notice that Raspbian has created other connections such as "Wired connection 1", "Wired connection 2". You can delete them with the utility used earlier but they tend to reappear on a reboot. I have no idea where they come from so I have used a big hammer approach in my script to deal with them. For now just delete them and make sure wan and lan are running.
It is time to fire up the ProtonVPN. sudo su - and then pvpn -c. When this connects execute nmcli conn and ip -4 addr as shown earlier. You should now see your tunnel tun0. Check the Internet IP address on the LAN test PC using ipaddress.com or similar. It should correspond to the ProtonVPN assigned address.
If things have progressed successfully to this point you could turn off the gui on the Pi (sudo systemctl set-default multi-user.target) and access it remotely with ssh. (Make sure you have ssh running. There is an option on the Pi configuration tool.) Simply connect to the Pi, start the vpn and disconnect the ssh session. This works with CentOS and Ubuntu but with the whack-a-mole connection naming it may be problematic on Raspbian. So for my next trick...
I created this script /usr/local/sbin/protonvpn.sh
Code:
superseded - see post #3 in this thread
A few notes about the script...
The idea of the script is to launch a connection to ProtonVPN and then monitor it every few seconds. If the VPN drops the script will restart it.
If I am running on Raspbian I use the whack-a-mole technique to shut down all network connections and only bring up wan and lan. I know that these are in the correct firewall zones.
I like some formatting in my logs so I tend to put in blank lines :-)
echo >> /var/log/protonvpn.log
echo >> /var/log/protonvpn.log
I have tried several methods to make sure the VPN connection is running. The presence of the tun0 network connection is a good indication. On rare occasions I have found the tunnel connected but with no DNS response. To check this I do a ping (I will not say to whom :-) every so often. And I ping twice as sometimes the first single ping does not come back. This has been 100% effective in detecting a dropped VPN connection over the past couple of months and has reconnected quite reliably and silently (until yesterday.)
pvpn --cc US is supposed to connect to the fastest server in country code US. In my case that is normally a server in the state of VA. Last evening several of the VA servers went down for maintenance. The ProtonVPN client "sees" that the servers (or at least their IP addresses) are present and responding with a low latency and decides that one of them is the "fastest" even though it is not available for connection. I added a work around to allow me to force connection to a specified server. See the comments in the script.
If you want to try the script, copy the text into a script file in the location I specified (so the systemctl job below can invoke it) and make it executable. Remember to put the ping target of your choice in the script where indicated. You can change the check frequencies if you like. Try running it with root (sudo su -) and make sure it works. Note that the script contains an endless loop and will tie up your terminal while running. I guess you could add & at the end or run it in a screen session but I decided to run it as a service.
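Since the script itself is superseded in this thread, here is an added example of a watchdog built along the lines described in the notes above (connect, check tun0 every few seconds, ping twice, reconnect on failure, and on Raspbian take down every connection except wan and lan first). It is my code, not the author's script. It assumes the old "pvpn" client with "pvpn --cc <code>" and "pvpn -d" as used on this page, NetworkManager connections named wan and lan, and the log file /var/log/protonvpn.log. The forced-server workaround is left as a hook (CONNECT_CMD) because the page does not show that command; PING_TARGET must be filled in.

```shell
#!/bin/sh
# /usr/local/sbin/protonvpn.sh - ProtonVPN watchdog (added example, not the
# author's script). Run as root, e.g. from the systemd unit shown on this page.

LOG=${LOG:-/var/log/protonvpn.log}
TUN_IF=${TUN_IF:-tun0}
PING_TARGET=${PING_TARGET:-}            # REQUIRED: host to ping through the tunnel
CHECK_INTERVAL=${CHECK_INTERVAL:-15}     # seconds between health checks
COUNTRY=${COUNTRY:-US}                   # used with "pvpn --cc"
# Hook for the forced-server workaround: any shell command that connects to
# the server you want. Placeholder; the page does not give the exact command.
CONNECT_CMD=${CONNECT_CMD:-}
KEEP_CONNECTIONS="wan lan $TUN_IF"       # survive the Raspbian reset below

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG"; }

# The tunnel device exists only while the client is connected.
tunnel_present() { ip link show "$TUN_IF" >/dev/null 2>&1; }

# Ping twice: one lost reply is common and must not trigger a reconnect.
ping_ok() {
    ping -c 1 -W 3 "$1" >/dev/null 2>&1 || ping -c 1 -W 3 "$1" >/dev/null 2>&1
}

vpn_healthy() { tunnel_present && ping_ok "$PING_TARGET"; }

is_raspbian() { grep -qs '^ID=raspbian' /etc/os-release; }

is_kept() {
    for k in $KEEP_CONNECTIONS; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# "Whack-a-mole": bring down every active connection that is not wan/lan/tunnel
# (the stray "Wired connection N" entries), then bring wan and lan up so only
# connections with known firewall zones carry traffic.
reset_connections() {
    nmcli -t -f NAME connection show --active | while read -r name; do
        is_kept "$name" || nmcli connection down "$name" >/dev/null 2>&1
    done
    nmcli connection up wan >/dev/null 2>&1
    nmcli connection up lan >/dev/null 2>&1
}

connect_vpn() {
    if [ -n "$CONNECT_CMD" ]; then
        log "connecting with: $CONNECT_CMD"
        sh -c "$CONNECT_CMD"
    else
        log "connecting to fastest server in $COUNTRY"
        pvpn --cc "$COUNTRY"
    fi
}

main() {
    [ -n "$PING_TARGET" ] || { echo "PING_TARGET is not set" >&2; exit 1; }
    echo >> "$LOG"                       # blank line between runs, log style as above
    log "watchdog starting"
    if is_raspbian; then reset_connections; fi
    connect_vpn
    while :; do                          # endless loop, as the notes warn
        sleep "$CHECK_INTERVAL"
        if ! vpn_healthy; then
            log "tunnel down or no reply from $PING_TARGET, reconnecting"
            pvpn -d >/dev/null 2>&1
            connect_vpn
        fi
    done
}

# Enter the loop only when run as protonvpn.sh (by the service), so the
# functions above can also be sourced and exercised on their own.
case "${0##*/}" in protonvpn.sh) main "$@" ;; esac
```

The health check deliberately fails closed on the DNS case the notes mention: a present tun0 with no echo reply from PING_TARGET counts as down and triggers pvpn -d followed by a fresh connect.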
The last trick is to create a systemctl .service file "/etc/systemd/system/protonvpn.service" which looks like
Code:
[Unit]
Description=Connect to ProtonVPN
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=root
ExecStart=/usr/local/sbin/protonvpn.sh
[Install]
WantedBy=multi-user.target
I cannot say that the After and Wants are the best choices but it works. The job can be enabled by "sudo systemctl enable protonvpn.service" and will run at boot time.
Here is a link to a picture of my Pi Zero installation
https://mega.nz/#!gw9gVYKQ!AFIV21kLT...yhmYN_pQkz_CzI Hope you don't mind my using mega. My box.net image sharing account does not seem to be working at the moment.
Again, please feel free to use any of this material which might be helpful. I would be glad to hear comments and suggestions.
Thanks,
Ken