In this article I will talk about the use of a professional VPN service called Hide My Ass (I have no affiliation with them). This allows you to send and receive data online while appearing (to everyone else on the Internet) as though you are in a different country. They have VPN servers all over the world, so essentially this allows you to easily select the country from which you want to access georestricted content. Their service is not free; however, there are several benefits, the main one being that it will anonymously encrypt your Internet activity and prevent anyone from violating your privacy online. Their service can be used on most computers and smart phones besides the Raspberry Pi, but you can read their FAQ for more information. There are also some reviews on YouTube.
Okay don’t panic! I know this article looks huge. It’s only this long because it explains the solution in three different ways, only one of which you will likely want to use. There is also a lot of detail so you don’t go wrong!
So what are georestrictions then? Simply put; it’s when the content of an Internet service is restricted based on your current location in the world. An example is your local catch-up TV service. If you go on holiday to another country for the weekend, you will no longer be able to log in and watch the latest episode of your favorite show. This is because their site is georestricted to your country only. Similarly TV streaming services show a different range of available programmes to USA subscribers as opposed to European ones.
The above image is a general overview of what we need to do. Normally you would connect your device directly to your router but in this case we need to put a Raspberry Pi between your device and the router so that it can perform the magic that avoids the georestrictions.
Note: Please understand that by doing this to watch an Internet TV service you may be breaching your terms of service agreement with them. Please check before you continue.
Notice the red and green arrows in the above diagram. Following the green arrows the network data will flow from your device to the Pi, the Pi will do the magic, then from the Pi to the Router, then from the Router out into the Internet and back along the red arrows.
Each pair of green and red arrows represent an actual connection between devices be it wired or wireless. You can ignore the ones between the router and the Internet, the only ones that matter to us are the ones on either side of the Raspberry Pi. How you want to do this is entirely up to you but it is quite common for one side to be wired, since the model B Pi comes with an Ethernet port, and the other to be wireless.
So to summarise your Pi needs to accommodate two network connections. One that goes from the device to the Pi and one that goes from the Pi to the router. The easiest way for you to satisfy this requirement is to get hold of a wireless dongle or an Ethernet dongle.
What you choose should be determined by the existing devices you’re using. Your smart TV may only have an Ethernet port, or your Nintendo Wii can only support wireless. I can recommend the Edimax wireless dongle above as this is known to work well with the Raspberry Pi. Also if you’re intending to use multiple USB devices please have a read about potential power issues. A powered USB hub is often a quick and easy solution to these.
Before we get going I just want to mention a Windows program that you should familiarise yourself with. Putty.exe (above) is an SSH terminal client program that will basically allow you to have the Raspberry Pi command prompt (the Shell) inside a desktop window. You can copy and paste Linux commands directly into Putty from a web site such as this without having to manually type them out. There is more info about this in one of my previous blog posts. A paste in Putty is done by a right click of the mouse.
If you’re using Linux or OSX the equivalent of this is just to open a Terminal window and enter the following command. Replace <IP> with the IP address of the Raspberry Pi.
ssh <IP> -l pi
So here are some example configurations of the proposed system. Maybe one of these will satisfy your needs?
Example 1: The Wireless Bridge
- Device is connected to the Raspberry Pi over Ethernet.
- Raspberry Pi is connected to the router over wireless.
- 1 x USB Wireless dongle needed.
- 1 x Ethernet cable needed.
Example 2: The Wireless Hotspot (takes longer to set up)
- Raspberry Pi is hosting a wireless hotspot.
- Device is connected to the Raspberry Pi hotspot over wireless.
- Raspberry Pi is connected to the router over Ethernet.
- 1 x USB Wireless dongle needed.
- 1 x Ethernet cable needed.
Example 3: The Ethernet Router
- Device is connected to the Raspberry Pi over Ethernet.
- Raspberry Pi is connected to the router over Ethernet.
- 1 x USB Ethernet dongle needed.
- 2 x Ethernet cables needed.
Example 1: The Wireless Bridge
- 1 x USB Wireless dongle needed.
- 1 x Ethernet cable needed.
Start with a blank SD card. Download and install the latest image of Raspbian either using a raw image or with the NOOBS software. Boot up the Pi and don’t forget to expand the file system to fill the SD card. Insert the USB wireless dongle now if you have not done so already.
After rebooting log in and enter the following command.
lsusb
Ensure that the dongle is displayed in the list. If it is not shown, do not continue; you must solve this first. It may be a power issue, which you’ll need a powered USB hub to solve.
The next task is to establish a wireless connection to your router. One of the quickest ways to do this is to use the software on the Pi desktop. Enter startx at the command prompt to go into X windows. One of the icons on the desktop will be named WiFi Config (see above). Here is a quick guide on how to use it. Make a note of the wireless IP address you get!
Ensure that the wireless connection is successful and that the connection is stable before you continue. Leave the Ethernet port disconnected for now and reboot the Pi to double check that you get an IP address via the wireless adapter during bootup.
sudo reboot
Upon boot up you can log in and check the IP address by entering the command ifconfig, look for the line starting with inet addr under wlan0. If that line is missing then you have troubleshooting to do before you continue. Use the wlan0 IP address for all SSH sessions from Putty or a Terminal window from here on.
Ensure the Ethernet port is disconnected and SSH into the Raspberry Pi using the wireless IP address. There is a small background service that runs on Raspbian which is designed to make the Pi network connection defer to the Ethernet port even when a wireless network is available. This is typical laptop behaviour but we don’t want this here because it will interfere with our set up. Enter the following commands;
sudo apt-get remove ifplugd
sudo apt-get autoremove
We’re going to make the Pi Ethernet port behave in a similar way to your router. This means assigning a static IP address to it and installing a DHCP service that will respond to requests from your device. It’s a good idea to use an IP range that is very different to your router, so let’s use 10.0.0.X. To configure this we must edit the network interfaces file, enter the following command;
sudo nano /etc/network/interfaces
Modify the content of the file so that it is the same as below. In this file eth0 is the Ethernet port and wlan0 is the wireless dongle.
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
auto wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
Press Ctrl – X, y and enter to save and quit out of nano. Now to install and configure the DHCP service called dnsmasq. Enter the following commands;
sudo apt-get update
sudo apt-get install dnsmasq
I am going to explicitly specify a configuration file for the dnsmasq service so let’s first make a backup of the default config file and then save my one in its place.
cd /etc
sudo mv dnsmasq.conf dnsmasq.default
sudo nano dnsmasq.conf
You should now be editing a blank file. Copy and paste the following into it.
interface=eth0
dhcp-range=10.0.0.2,10.0.0.250,255.255.255.0,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,8.8.8.8,8.8.4.4
The first line tells dnsmasq to listen for DHCP requests on the Ethernet port. The second line specifies the range of IP addresses that can be given out with a 12 hour lease. The third and fourth lines provide the default gateway and DNS server settings to the client devices. You may recognise the Google public DNS servers here. You could also use Open DNS here, but you’ll have to manually substitute their IP addresses for the Google ones I have specified.
Press Ctrl – X, y and enter to save and quit out of nano. We’re also going to use these DNS servers on the Pi itself. The ones provided by your router settings for the wireless connection will not be usable once we start using a VPN later on. Enter the following command;
sudo nano /etc/dhcp/dhclient.conf
Scroll down and find a line saying;
#prepend domain-name-servers 127.0.0.1;
Add this line in immediately after it;
prepend domain-name-servers 8.8.8.8, 8.8.4.4;
Press Ctrl – X, y and enter to save and quit out of nano. Next we need to enable IP v4 forwarding. Essentially we are going to be forwarding IP traffic from the Ethernet port to the wireless dongle and back again, similar to how your router does it. Enter the following command;
sudo nano /etc/sysctl.conf
Find the line that says this (below) and remove the hash at the start of the line.
#net.ipv4.ip_forward=1
Press Ctrl – X, y and enter to save and quit out of nano. Now enter the following command;
sudo sysctl -p
The software that controls this IP forwarding is called iptables. We now just need to install it; however, you may find your Raspbian install already has the latest version.
sudo apt-get install iptables
Okay now for the magic part! We’re going to create a few scripts that will instruct the Pi to forward the network traffic. There are going to be two modes. A normal router mode which will make the Raspberry Pi just pass all traffic straight through without doing anything. Ideal if you’re just wanting to use your device in the normal way that you always have been. Here we go from the eth0 interface to the wlan0 interface when you look at what ifconfig shows.
The second mode is called tunnel mode which uses a VPN connection. In tunnel mode we make a VPN connection to a HMA server in another country which gives us an interface called tun0. We then forward from the eth0 interface to the tun0 interface.
Think about this like a virtual underground tunnel that starts at your home then goes underground all the way to the desired country. When your network traffic goes through the tunnel it comes out on the other side and it looks to everyone else like it came from there. No one else can see inside the tunnel.
Enter the following commands;
cd ~
mkdir scripts
cd scripts
sudo nano router.sh
Copy and paste in the following code.
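#!/bin/sh
echo "Router mode"
# Flush the filter table rules and delete any user-defined chains
iptables -F
iptables -X
# Allow loopback and all traffic to and from the device-facing Ethernet port
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
# NAT everything leaving via the wireless dongle; forward what arrives on eth0
iptables -A POSTROUTING -t nat -o wlan0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT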
Press Ctrl – X, y and enter to save and quit out of nano. We’re going to use a command to make the script executable (so it will run) and then we’re going to make a copy which we will tweak slightly to give us the script for the tunnel mode. Enter the following commands;
sudo chmod +x router.sh
cp router.sh tunnel.sh
sudo nano tunnel.sh
Change the message at the start to say “Tunnel mode” and modify the second to last line to replace wlan0 with tun0. Like so;
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
Press Ctrl – X, y and enter to save and quit out of nano. Okay we’re almost there.
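An added example, not part of the original article: the two scripts accept forwarded traffic from eth0 whatever interface it leaves by, and iptables -F only flushes the filter table, so a wlan0 MASQUERADE rule left over from router mode stays active in tunnel mode and traffic can leave over wlan0 if the VPN drops. The sketch below prints a stricter rule set that only forwards into the chosen outgoing interface and audits a rule list for that gap. The names gen_rules, audit_tunnel, demo, LAN_IF, UPLINK_IF and VPN_IF are this example's own.

```shell
#!/bin/sh
# Added example: dry-run generator and auditor for the router/tunnel rules.
LAN_IF="${LAN_IF:-eth0}"        # side the TV/console plugs into (Example 1)
UPLINK_IF="${UPLINK_IF:-wlan0}" # side that reaches the home router
VPN_IF="${VPN_IF:-tun0}"        # interface created by the VPN client

# Print (do not run) the iptables commands for "router" or "tunnel" mode.
gen_rules() {
    case "$1" in
        router) out_if="$UPLINK_IF" ;;
        tunnel) out_if="$VPN_IF" ;;
        *) echo "usage: gen_rules router|tunnel" >&2; return 2 ;;
    esac
    # The nat table is flushed too, so no MASQUERADE rule from the other
    # mode survives. FORWARD defaults to DROP and only LAN -> out_if (plus
    # replies) is accepted, so nothing is forwarded when out_if is missing.
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $out_if -j ACCEPT
iptables -A FORWARD -i $out_if -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $out_if -j MASQUERADE
EOF
}

# Read iptables commands (or "iptables -S" output) on stdin. Returns 0 only
# if FORWARD defaults to DROP and every ACCEPT for LAN traffic names the VPN
# interface as its outgoing interface.
audit_tunnel() {
    leaks=0
    has_drop=0
    while IFS= read -r line; do
        case "$line" in
            *"-A FORWARD"*"-i $LAN_IF "*"-j ACCEPT"*)
                case "$line" in
                    *"-o $VPN_IF "*) ;;
                    *) echo "LEAK: $line"; leaks=$((leaks + 1)) ;;
                esac ;;
            *"-P FORWARD DROP"*) has_drop=1 ;;
        esac
    done
    if [ "$has_drop" -eq 0 ]; then
        echo "LEAK: FORWARD policy is not DROP"
        leaks=$((leaks + 1))
    fi
    [ "$leaks" -eq 0 ]
}

demo() {
    echo "FORWARD rule as written in the article's tunnel.sh:"
    printf '%s\n' "iptables -A FORWARD -i eth0 -j ACCEPT" | audit_tunnel
    echo "Generated tunnel rules:"
    gen_rules tunnel | audit_tunnel && echo "no leak path found"
}

if [ $# -gt 0 ]; then
    gen_rules "$1"   # review the output, then pipe it to: sudo sh
else
    demo
fi
```

For the hotspot layout in Example 2, set LAN_IF=wlan0 and UPLINK_IF=eth0 before running it.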
Connect your device to the Pi directly via the Ethernet cable and reboot.
sudo reboot
First let’s test that normal router mode is working. Log in either via SSH using the wireless IP address or on the console of the Pi itself. Enter the following command to turn on router mode;
sudo ~/scripts/router.sh
Your Pi is now doing something called Network Address Translation or NAT for short. Now use your device be it a games console or smart TV to access the Internet in the usual way. You may have to go into its connection settings and specify to use a wired internet connection, you don’t want it to be using a wireless connection directly to the router as this will bypass the Raspberry Pi. Verify that you can still do the things you would normally do on your device. Check that the expected activity lights on the Pi and your wireless dongle are blinking when you do this.
If this is unsuccessful then do not continue. Go back through the previous instructions and double check that everything has been done correctly.
The last part is common to all three examples so click below to skip to the end.
Example 2: The Wireless Hotspot
- 1 x USB Wireless dongle needed.
- 1 x Ethernet cable needed.
Okay so this will take a bit longer to set up but it should work just as well as the other methods. We’re going to set up a wireless hot spot or access point on the Raspberry Pi. This will allow you to connect your device over wireless as well as other devices like smart phones and tablets. All of which will be able to share the georestriction evasion that is being provided by the VPN.
Start with a blank SD card. Download and install the latest image of Raspbian either using a raw image or with the NOOBS software. Boot up the Pi and don’t forget to expand the file system to fill the SD card.
Ensure you have an Ethernet cable connecting your Raspberry Pi to your router and use the eth0 IP address (shown by the ifconfig command) for all SSH sessions from Putty or a Terminal window from here on. Insert the USB wireless dongle now if you have not done so already.
After rebooting log in and enter the following command.
lsusb
Ensure that the dongle is displayed in the list. If it is not shown, do not continue; you must solve this first. It may be a power issue, which you’ll need a powered USB hub to solve.
The software used to provide the wireless hotspot is called hostapd. We need to install this package first. Enter the following commands;
sudo apt-get update
sudo apt-get install hostapd
Allow this to finish.
Note: If the lsusb command shows that your wireless dongle is a Realtek RTL8188CUS device then there are some extra steps that you need to go through. The Edimax dongle that I recommended above is one of these!
Realtek RTL8188CUS devices only
We need to compile hostapd from source code to make it work with this type of wireless dongle. Below are the instructions for doing this.
First let’s make a dev folder in our home directory where we’ll do this work. Enter these commands;
cd ~
mkdir dev
cd dev
Next we need to download a package directly from Realtek which contains the source code we want to compile. There are various ways you can achieve this. You can download the file on the Raspberry Pi itself using Midori (type startx to go into the X desktop), or you could download it on another machine and copy it over using a USB pen drive.
Point your browser here (or copy/paste the below into the address bar);
http://www.realtek.com.tw/downloads/downloadsView.aspx?Langid=1&PNid=21&PFid=48&Level=5&Conn=4&DownTypeID=3&GetDown=false
Under Step 1 tick RTL8188CUS and under Step 2 click go. Locate and click on “Unix (Linux)” and choose one of the download sites on the right hand side of the table. Give it a moment to connect and then download the file.
You will now have a .zip file with a long file name, put this into the dev folder that we created above. This will be inside your home, pi, directory if you’re using the File Manager program under the X desktop (Start > Accessories > File Manager).
Log out of the X desktop and return to the command prompt. To check the above has been done correctly, enter the following commands;
cd ~/dev
ls -l
If the zip file with the long name is not shown then do not continue, you have not copied the file correctly. Solve this before you continue.
Next, to get to the source code we want, we must first unzip the file, and within it there is a second zip file that we must also unzip. Please note that the exact file names specified here may be changed by Realtek without any notice in the future, so it’s a good idea to always check the names of files and folders using the ls (list) command.
Enter the following commands;
cd ~/dev
unzip RTL8192xC_USB_linux_v3.4.4_4749.20121105.zip
cd RTL8188C_8192C_USB_linux_v3.4.4_4749.20121105
cd wpa_supplicant_hostapd
unzip wpa_supplicant_hostapd-0.8_rtw_20120803.zip
cd wpa_supplicant_hostapd-0.8
cd hostapd
ls -l
If everything has been successful your command prompt should now look something like this (below) and one of the files shown in the list above should be called Makefile.
pi@raspberrypi ~/dev/RTL8188C_8192C_USB_linux_v3.4.4_4749.20121105/wpa_supplicant_hostapd/wpa_supplicant_hostapd-0.8/hostapd $
If this is not the case then do not continue, you need to solve this first. Check that the file names above are correct by using the ls command before each one. If the file names shown by ls are different then just modify them to match what ls shows. The things most likely to change are the numbers at the end of the filenames since these represent dates and versions of the code.
Just to forewarn you; the compile process takes a while to complete. So when you start it you can go away and make a cup of tea or watch an episode of your favorite show. If you’re connected over SSH using Putty or a terminal window it’s a good idea to do the compilation inside a screen session. This will allow you to initiate the compile and then disconnect from the Pi while leaving it running. If you’re using the Pi console (as in keyboard, mouse and monitor directly) then you can skip straight to make below.
You can install the screen program by using the following command;
sudo apt-get install screen
Once that has finished enter the following command to begin a new screen session;
screen bash
You can now begin the compile process. Enter the following command;
make
If you used a screen session then you can hold down Ctrl – A and then also press D to disconnect it. You can now safely log out of the Pi leaving the compile running. Do not reboot or power off the Pi during this process.
Tick tock, tick tock.
I will assume the compile process has finished now. If you used a screen session you should log back into the Pi and then you can use the following command to re-connect to it;
screen -r
If you type ls now you should notice that two new files are shown in a green colour. These are;
hostapd
hostapd_cli
We now need to manually copy these files into a couple of other places on the system. Enter the following commands;
sudo service hostapd stop
sudo cp ./hostapd /usr/local/bin
sudo cp ./hostapd /usr/sbin
sudo cp ./hostapd_cli /usr/local/bin
sudo cp ./hostapd_cli /usr/sbin
The last thing to do here is to copy a template configuration file which we will use later. There is one supplied in the Realtek zip file that we downloaded earlier. To find it go two folders back from where you are now. Enter the following commands;
cd ..
cd ..
ls -l
Your command prompt should now look like this (below);
pi@raspberrypi ~/dev/RTL8188C_8192C_USB_linux_v3.4.4_4749.20121105/wpa_supplicant_hostapd $
You should see that one of the files in the list above is rtl_hostapd_2G.conf. This is the file we want to use as a template. Enter the following command to copy it;
sudo cp ./rtl_hostapd_2G.conf /etc/hostapd/hostapd.conf
That’s it, hostapd is compiled and installed. We can now resume the setup process for the rest of the system.
If you are still inside a screen session you can enter exit to close it down.
Main configuration
The first thing we need to do is tell hostapd where its configuration file is. Enter the following command;
sudo nano /etc/default/hostapd
Locate the following line;
#DAEMON_CONF=""
Remove the hash at the start of the line and enter the path to where we shall save the config file (as per below);
DAEMON_CONF="/etc/hostapd/hostapd.conf"
Press Ctrl – X, y and enter to save and quit out of nano. We can now go ahead and configure the settings in the hostapd config file. Each line of the file is a different setting and the format is settingName=value. Pay close attention to these settings since here is where you can specify things like the SSID of the access point and the password to join it.
Enter the following command;
sudo nano /etc/hostapd/hostapd.conf
If you had to recompile hostapd from source then this file will already contain some settings, you will need to manually merge the settings below with the settings in your current file. This means you should insert settings that are missing and update ones that already exist. Otherwise you can just copy and paste them right in.
Note: The order in which these appear in the file does not matter.
First we need to specify the interface to listen on, this will be wlan0 as shown by the ifconfig command.
interface=wlan0
Then the driver name. Do not modify this setting if you recompiled hostapd.
driver=nl80211
These next two lines are to configure the hostapd daemon process, this is a background process that stays in memory all the time.
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
Next the important settings! The wireless network name (ssid), the wireless channel and its pass phrase to join. Valid wireless channels range from 1-11, or 1-14 depending on your location in the world. Modify these how you see fit.
ssid=RaspberryPiWiFi
channel=8
wpa_passphrase=MyWiFiPassword
Your choice of wireless channel is quite important if you live in an area with high wireless traffic. You may wish to download and use some wireless diagnostics tools to see what other wireless channels are being used in your local area. I can recommend one called inSSIDer. Ideally you should try and pick the most empty or unused channel you can find.
Next is the wireless mode, valid options are a, b or g. I recommend using g for the 2.4 GHz band.
hw_mode=g
Next I would advise to use WPA-2 with WPA-PSK as the wireless encryption system.
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
#TKIP is another possible choice here
rsn_pairwise=CCMP
These last settings control how often the wireless hotspot sends out a beacon.
beacon_int=100
auth_algs=3
wmm_enabled=1
Press Ctrl – X, y and enter to save and quit out of nano. If you reboot the Pi now you should see that your phone or tablet will detect the new wireless network after the Pi comes back up. However you will not yet be able to join it. We need to do some more work before you can do that.
It will be a good idea to monitor the boot up output of the Raspberry Pi for any errors showing in red.
sudo reboot
If everything has worked you should have seen no errors in the boot up sequence and your phone or tablet can now see the new wireless network (but not join it). If this is not the case then stop, something is wrong and you need to troubleshoot before you continue.
We’re going to make the hotspot behave in a similar way to your router. This means assigning a static IP address to it and installing a DHCP service that will respond to requests from your device. It’s a good idea to use an IP range that is very different to your router, so let’s use 10.0.0.X. To configure this we must edit the network interfaces file, enter the following command;
sudo nano /etc/network/interfaces
Modify the content of the file so that it is the same as below. In this file eth0 is the Ethernet port and wlan0 is the wireless dongle.
auto lo
iface lo inet loopback
iface eth0 inet dhcp
auto wlan0
iface wlan0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
allow-hotplug wlan0
#iface wlan0 inet manual
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
Please ensure that you put a hash # at the start of the two lines shown above in red!
Press Ctrl – X, y and enter to save and quit out of nano. Now to install and configure the DHCP service called dnsmasq. Enter the following commands;
sudo apt-get install dnsmasq
I am going to explicitly specify a configuration file for the dnsmasq service so let’s first make a backup of the default config file and then save my one in its place.
cd /etc
sudo mv dnsmasq.conf dnsmasq.default
sudo nano dnsmasq.conf
You should now be editing a blank file. Copy and paste the following into it.
interface=wlan0
dhcp-range=10.0.0.2,10.0.0.250,255.255.255.0,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,8.8.8.8,8.8.4.4
The first line tells dnsmasq to listen for DHCP requests on the wireless dongle. The second line specifies the range of IP addresses that can be given out with a 12 hour lease. The third and fourth lines provide the default gateway and DNS server settings to the client devices. You may recognise the Google public DNS servers here. You could also use Open DNS here, but you’ll have to manually substitute their IP addresses for the Google ones I have specified.
Press Ctrl – X, y and enter to save and quit out of nano. We’re also going to use these DNS servers on the Pi itself. The ones provided by your router settings for the Ethernet connection will not be usable once we start using a VPN later on. Enter the following command;
sudo nano /etc/dhcp/dhclient.conf
Scroll down and find a line saying;
#prepend domain-name-servers 127.0.0.1;
Add this line in immediately after it;
prepend domain-name-servers 8.8.8.8, 8.8.4.4;
Press Ctrl – X, y and enter to save and quit out of nano. Next we need to enable IP v4 forwarding. Essentially we are going to be forwarding IP traffic from the Wireless dongle to the Ethernet port and back again, similar to how your router does it. Enter the following command;
sudo nano /etc/sysctl.conf
Find the line that says this (below) and remove the hash at the start of the line.
#net.ipv4.ip_forward=1
Press Ctrl – X, y and enter to save and quit out of nano. Now enter the following command;
sudo sysctl -p
The software that controls this IP forwarding is called iptables. We now just need to install it; however, you may find your Raspbian install already has the latest version.
sudo apt-get install iptables
Okay now for the magic part! We’re going to create a few scripts that will instruct the Pi to forward the network traffic. There are going to be two modes. A normal router mode which will make the Raspberry Pi just pass all traffic straight through without doing anything. Ideal if you’re just wanting to use your devices in the normal way that you always have been. Here we go from the wlan0 interface to the eth0 interface when you look at what ifconfig shows.
The second mode is called tunnel mode which uses a VPN connection. In tunnel mode we make a VPN connection to a HMA server in another country which gives us an interface called tun0. We then forward from the wlan0 interface to the tun0 interface.
Think about this like a virtual underground tunnel that starts at your home then goes underground all the way to the desired country. When your network traffic goes through the tunnel it comes out on the other side and it looks to everyone else like it came from there. No one else can see inside the tunnel.
Enter the following commands;
cd ~
mkdir scripts
cd scripts
sudo nano router.sh
Copy and paste in the following code.
For more detail: Evade georestrictions with the Raspberry Pi