VPN & Wi-Fi Setup: Fedora 42, USB Card & OpenVPN Guide

by Blender

Hey everyone! Today, we're diving deep into setting up a somewhat complex, but super useful network configuration. We're talking about creating a secure Wi-Fi hotspot using a Fedora 42 workstation, a Wi-Fi USB card, OpenVPN, and a LAN connection. Essentially, we will route all the traffic from our access point through a VPN connection. This setup is perfect for situations where you want to ensure all devices connected to your Wi-Fi are protected by a VPN, like in a public place or when you want to secure your IoT devices. Let’s get started!

Understanding the Setup

Before we jump into the configuration, let's break down the hardware and software components and how they interact.

  • Internet Connection: This is where it all begins. You'll need a stable internet connection to feed into your setup.
  • Wi-Fi USB Card (wlo1): This card connects to the internet. In our case, it’s represented as wlo1 in Fedora 42.
  • Fedora 42 Workstation: Our central hub. This workstation runs the OpenVPN client and manages the network routing.
  • OpenVPN: The VPN software that encrypts all traffic, providing a secure tunnel to the internet.
  • LAN Card (enp0s25): This card, referred to as enp0s25, connects to the Access Point (AP) via a wired connection.
  • Access Point (AP): This is a standard Wi-Fi router that broadcasts the Wi-Fi signal, allowing devices to connect to the network.

The goal is to have all devices connected to the AP use the VPN connection established on the Fedora workstation. This setup ensures that every device connected to your Wi-Fi network benefits from the security and privacy provided by the VPN.

Step-by-Step Configuration Guide

Now, let's walk through the configuration steps to set up this network. This will involve configuring the Wi-Fi USB card, setting up OpenVPN, configuring IP forwarding, and setting up the necessary firewall rules using iptables.

1. Install OpenVPN and NetworkManager

First, make sure OpenVPN and the NetworkManager OpenVPN plugin are installed on your Fedora 42 workstation. You can install them using the following dnf command:

sudo dnf install -y openvpn NetworkManager-openvpn

This command installs both the OpenVPN client and the NetworkManager plugin, which allows you to manage VPN connections through the NetworkManager interface.

2. Configure OpenVPN Client

Next, configure the OpenVPN client using your VPN provider's configuration file. Download the .ovpn configuration file from your VPN provider and save it to a directory, such as /etc/openvpn/client. Ensure the configuration file has the correct settings for your VPN connection. The file usually embeds keys or references credentials, so keep it readable by root only.

sudo cp your_vpn_config.ovpn /etc/openvpn/client/client.conf

Note: Replace your_vpn_config.ovpn with the actual name of your configuration file.

3. Enable and Start OpenVPN Service

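Enable and start the OpenVPN service using systemctl to ensure the VPN connection starts automatically on boot. On Fedora, the openvpn-client@ unit reads its configuration from /etc/openvpn/client/<name>.conf, so the instance name client matches the client.conf file copied above:

sudo systemctl enable openvpn-client@client
sudo systemctl start openvpn-client@client

Verify the VPN connection is active by checking the status of the OpenVPN service:

sudo systemctl status openvpn-client@client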

If the service is active and running, your VPN connection is successfully established. If not, review the OpenVPN logs for any errors.

4. Configure IP Forwarding

To allow traffic to flow from the Wi-Fi USB card to the LAN card, you need to enable IP forwarding in the kernel. Edit the /etc/sysctl.conf file and add the following line (or uncomment it if it is already present):

net.ipv4.ip_forward = 1

Apply the changes by running:

sudo sysctl -p

This command enables IP forwarding, allowing your Fedora workstation to act as a router.

5. Configure iptables for NAT

Next, you need to configure iptables to perform Network Address Translation (NAT) for the traffic passing through your workstation. This allows devices on your LAN to access the internet through the VPN connection.

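First, identify the interface name of your VPN connection. You can find this by running ip route and looking for the interface associated with the VPN gateway. It's often something like tun0 or vpn0. OpenVPN commonly installs its routes as 0.0.0.0/1 and 128.0.0.0/1 rather than replacing the default route, so read the full routing table instead of filtering for the default entry:

ip route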

Once you have the VPN interface name, use the following iptables rules:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i enp0s25 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o enp0s25 -m state --state RELATED,ESTABLISHED -j ACCEPT

Explanation of the rules:

  • The first rule enables NAT (masquerading) for traffic leaving through the VPN interface (tun0).
  • The second rule allows forwarded traffic from the LAN card (enp0s25) to the VPN interface (tun0), so devices behind the AP can open new connections.
  • The third rule allows forwarded traffic from the VPN interface (tun0) back to the LAN card (enp0s25) only for established and related connections, so nothing on the VPN side can initiate connections to your devices.

6. Save iptables Rules

To make the iptables rules persistent across reboots, save them using the iptables-save command. First, install the iptables-services package if it’s not already installed:

sudo dnf install -y iptables-services

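Then, save the current iptables rules. The file is owned by root and a plain shell redirection would run as your own user, so pipe the output through sudo tee:

sudo iptables-save | sudo tee /etc/sysconfig/iptables > /dev/null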

Enable and start the iptables service to ensure the rules are loaded on boot:

sudo systemctl enable iptables
sudo systemctl start iptables
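
The following check is an added example, not part of the original guide. It reads an iptables-save dump and flags two gateway weaknesses: a FORWARD chain that would let LAN traffic leave by an interface other than the tunnel when the VPN is down, and tunnel-to-LAN traffic accepted without a connection-state match. The function name audit_forward, both sample dumps and the "! -o tun0" drop rule are assumptions constructed for illustration.

```shell
# Added example: audit an iptables-save dump for a VPN gateway.
# enp0s25 (LAN) and tun0 (VPN) follow the guide; everything else is assumed.
# audit_forward DUMP LAN_IF VPN_IF -> one finding per line, empty if clean
audit_forward() {
    printf '%s\n' "$1" | awk -v lan="$2" -v vpn="$3" '
        # Value that follows flag f in the current rule, or "" if absent
        function arg(f,   i) {
            for (i = 1; i < NF; i++) if ($i == f) return $(i + 1)
            return ""
        }
        /^\*/ { table = substr($1, 2) }          # *nat, *filter, ...
        table != "filter" { next }
        $1 == ":FORWARD" { policy = $2 }
        $1 == "-A" && $2 == "FORWARD" {
            target = arg("-j"); in_if = arg("-i"); out_if = arg("-o")
            # Drop rule for LAN traffic leaving by anything except the VPN
            if (in_if == lan && $0 ~ ("! -o " vpn " ") && target ~ /^(DROP|REJECT)$/)
                killswitch = 1
            # VPN -> LAN accepted with no connection-state restriction
            if (in_if == vpn && out_if == lan && target == "ACCEPT" &&
                $0 !~ /--(ct)?state /)
                print "OPEN_INBOUND: " vpn " -> " lan " accepted without state match"
        }
        END {
            if (policy != "DROP" && !killswitch)
                print "LEAK: FORWARD policy " policy ", no drop for " lan " -> non-VPN"
        }'
}

# Constructed iptables-save dumps (not captured from a real host).
WEAK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i enp0s25 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o enp0s25 -j ACCEPT
COMMIT'
HARDENED='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i enp0s25 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o enp0s25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s25 ! -o tun0 -j DROP
COMMIT'

audit_forward "$WEAK" enp0s25 tun0        # prints both findings
audit_forward "$HARDENED" enp0s25 tun0    # prints nothing
```

To audit the live ruleset, pass it the output of the running firewall: audit_forward "$(sudo iptables-save)" enp0s25 tun0.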

7. Configure the Access Point (AP)

Now, configure your Access Point (AP) to obtain its IP address automatically via DHCP. Connect the LAN card (enp0s25) on your Fedora workstation to the AP using an Ethernet cable. The AP should receive an IP address from the Fedora workstation.

Configure the DHCP server on Fedora to assign IP addresses to the AP. To do this, install the dnsmasq package:

sudo dnf install -y dnsmasq

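Edit the /etc/dnsmasq.conf file to configure the DHCP server. Here’s a basic configuration; it assumes the workstation's enp0s25 interface already holds the static address 192.168.2.1, which is the router address handed out to clients: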

interface=enp0s25 # Interface to listen on
dhcp-range=192.168.2.100,192.168.2.200,255.255.255.0,12h # IP range for DHCP
dhcp-option=option:router,192.168.2.1 # Router IP address

Explanation:

  • interface: Specifies the interface on which dnsmasq will listen for DHCP requests.
  • dhcp-range: Defines the range of IP addresses that dnsmasq will assign.
  • dhcp-option: Sets the default gateway for the clients.

Enable and start the dnsmasq service:

sudo systemctl enable dnsmasq
sudo systemctl start dnsmasq

8. Verify the Connection

Finally, connect a device to the Wi-Fi network provided by the AP. Verify that the device receives an IP address from the Fedora workstation and that it can access the internet through the VPN connection. You can check the device's IP address and gateway settings to confirm they are correct.

To verify the VPN connection, browse to a website that displays your IP address (like whatismyip.com) and confirm that the IP address matches the VPN server's IP address.

Troubleshooting Tips

If you encounter issues during the setup, here are a few troubleshooting tips:

  • Check OpenVPN Logs: Review the OpenVPN logs for any errors or warnings.
  • Verify iptables Rules: Ensure the iptables rules are correctly configured and saved.
  • Check IP Forwarding: Confirm that IP forwarding is enabled in /etc/sysctl.conf.
  • Review DHCP Configuration: Verify the dnsmasq configuration is correct and that the service is running.
  • Test Network Connectivity: Use ping and traceroute to diagnose network connectivity issues.

Conclusion

Setting up a VPN with a Wi-Fi USB card on Fedora 42 to share an internet connection via LAN to a Wi-Fi Access Point might seem daunting, but with the right steps, it’s totally achievable. By following this guide, you'll create a secure and private Wi-Fi hotspot, ensuring all devices connected to your network are protected by the VPN. This is particularly useful for securing IoT devices or providing a safe internet connection in public places. Good luck, and happy networking!