Tethering, VPN, access to same subnet

Hi, I’m running an RPi3 B+ with ExpressVPN. VPN is simply needed because you can’t reach TheTVdb for the scraper from China, where I’m living, without VPN. VPN is working quite reliably on the Raspberry, better than on the iDevices I’m using. Therefore, I want to access the VPN on the osmc/Raspberry from all devices. At the same time I need to stay on the same subnet/router to control Kodi and the AVR with the remote on the iDevice. I also learned that tethering with built-in WiFi is no longer supported. But anyway, I would buy another WiFi dongle, and I have another 3B+ and also an unused RPi 4. I’m open to suggestions on how to do this, and I still have time to hack thanks to unwanted holidays at home. Cheers Georg

If you want to make the Pi an access point, you can use hostapd. You should find plenty of instructions out on the Internet, though bear in mind that OSMC uses connman and not network manager.

One complication is that the version in Debian stretch (2.4) isn’t compatible with the latest kernel, so you’ll need to get version 2.7 of hostapd from the stretch-backports repository. To do so, run these commands:

echo "deb http://deb.debian.org/debian stretch-backports main" | sudo tee /etc/apt/sources.list.d/stretch-backports.list
sudo apt-get update
sudo apt-get install -y -t stretch-backports hostapd

If you have a spare Raspberry available then just set up DNS/DHCP on that Pi (remove DHCP from your router) and let the Pi act as your LAN gateway. Then you configure the VPN on that Pi. In that setup your router still acts as your WiFi access point (which it will do a better job of than the Pi) but all traffic goes through your Pi to the Internet.
You could e.g. use Pihole as the basic setup for such a Pi or go with a plain Raspbian and set up everything from scratch.

Very good to know about hostapd versions, thank you!

Typical AP tutorials create an AP with NAT/router; then I would not see my other devices which are needed to remote control the RPi with osmc and the AVR? OSMC tethering would do the same (I could buy a WiFi dongle which is hopefully working; maybe the easiest way if I could reach the RPi and AVR)?

My actual setup is like:

Internet <–> router1 (ISP China, DHCP, 192.168.1.1) <-WAN-> router2 (DHCP, 192.168.2.1) <-LAN-> RPi3B+ (osmc, 192.168.2.3);

WiFi devices connect to router2 with static IPs and run remote control apps for Kodi and the AVR;

PC (Win10) connected with LAN to router2 and static IP; AVR connected with LAN to router2 and static IP.

Does router2 support running a VPN? That would be the cleanest solution. Or can router2 be loaded with OpenWRT?

Thank you! I was already thinking of buying a new router which can do OpenWrt and running the VPN directly on the router; this would be similar to your proposal?

The reason why I don’t like to pass all my traffic through the VPN is that I sometimes need to access the Chinese Internet and this is not convenient with VPN. Furthermore, the VPN service in China is often blocked and not stable, and I need to switch to available servers, which is not convenient on a router (as far as I can imagine). I would prefer to be flexible, creating an additional VPN access which I can use but also decide not to use if it is temporarily not working.

I should also explain why I’m not happy with the VPN on my wireless iDevices; VPN is always switched off when the devices are going idle and you need to manually reconnect. This is not a problem but it is boring. RPi/osmc’s OpenVPN is automatically reconnecting and it is only needed every 2 or 4 days to manually reconnect (when ISP or the golden shield were too successful in blocking).

What I was thinking I need is an AP connected as a bridge to the RPi running osmc?

Adding the complexity of something like PiHole won’t make turning the VPN on/off any easier. If you have the VPN on the router then you just turn it on/off on the router. And you could probably configure it to not send some sites over the VPN. So you could have chosen Chinese sites bypass the VPN.

This is definitely an option. A little SSHing for changing the VPN server and on/off switching should not be a problem in the end. If I can’t realize what I want with the existing Raspberries I will try this way.

This is surely the best option if you can get one of the recent routers that support openwrt with good VPN throughput.

You can just use a service (either HTTP or SSH) via which you can enable/disable the VPN on the Pi (or router). Then you can easily decide from your i-device whether the VPN is used or not.
Your approach with the AP is just as good, but finding a good WiFi stick to play the AP role and setting up everything will not be trivial.

I bought a router with AES-NI hardware support (Asus RT-AC86U) at a good price, which is now running my VPN. Works very fine and faster than VPN on the Win10 PC. Fortunately, and maybe also surprisingly, my iDevices and the PC cannot connect to VPN at the moment due to successful great firewall blocking but the router can!

Well if you have openwrt on it now, then just configure a second SSID that you then route through the VPN on the router. Then you have your original idea solved. You connect to one SSID for VPN access and another one for “plain” internet.

Alternatively, as mentioned by @bmillham, do routing based on target IPs.
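One way to express the per-SSID and per-destination routing suggested in the replies above on a Linux-based gateway, as an added example that is not part of the original thread. The VPN-SSID subnet 192.168.3.0/24, the interface tun0, routing table 100 and the bypass range 203.0.113.0/24 are assumptions; 192.168.2.0/24 is the LAN described earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: prints (does not apply) Linux
# policy-routing commands for a "VPN SSID" gateway. Review the output,
# then pipe it to `sudo sh` on the gateway to apply it.
# Assumed values: VPN-SSID subnet 192.168.3.0/24, tunnel tun0, table 100.
# 203.0.113.0/24 is a documentation range standing in for a destination
# that should bypass the VPN.

# Accept only digits, dots and a slash in dotted a.b.c.d/len shape, so no
# other text can end up inside the generated commands.
is_cidr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
        *.*.*.*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Destinations that stay on the normal route (LAN devices such as Kodi and
# the AVR, chosen domestic sites). A lower priority number is evaluated
# first, so these rules win over the VPN rule below.
bypass_rules() {
    subnet=$1; prio=$2; shift 2
    for cidr in "$@"; do
        is_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
        echo "ip rule add from $subnet to $cidr lookup main priority $prio"
        prio=$((prio + 1))
    done
}

# Everything else from the VPN subnet goes into the tunnel and fails closed:
# when tun0 drops, the kernel removes the first route and only the
# 'unreachable' default remains, so clients get an error instead of silently
# leaving via the ISP. The tunnel's up hook must re-add the first route.
vpn_rules() {
    subnet=$1; vpn_if=$2; table=$3
    is_cidr "$subnet" || { echo "bad CIDR: $subnet" >&2; return 1; }
    echo "ip route replace default dev $vpn_if table $table"
    echo "ip route replace unreachable default metric 1000 table $table"
    echo "ip rule add from $subnet lookup $table priority 1000"
    echo "iptables -t nat -A POSTROUTING -s $subnet -o $vpn_if -j MASQUERADE"
}

build_plan() {
    bypass_rules 192.168.3.0/24 900 192.168.2.0/24 203.0.113.0/24 &&
    vpn_rules 192.168.3.0/24 tun0 100
}

build_plan
```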

Hi. Yes, good. And also, with WiFi this is no problem because I still have a WiFi router (from my ISP) in front of my new Asus. But my PC is wired; I will try to exclude it on the router, and in the meantime I could simply switch the cable to the other router. Thank you. The router approach was straightforward (and gave me extra speed) but the idea with the Raspberry was more fun. :joy:

Well, as mentioned, with openwrt, a proper firewall and route-based VPN the fun really starts.

You can’t put openwrt on an Asus RT-AC86U. There isn’t much third party firmware available for that router; but Asuswrt-Merlin is a good option.

I tried Merlin but I got stuck with the VPN client configuration and gave up (for the moment). Asus FW is working. I will try later with Merlin again.

If you’re getting experimental, and you have an ISP that supports it, you could try getting Wireguard working under Asuswrt-Merlin. Performance is very impressive - much faster than any other VPN protocol that the router supports.

See this thread on SNB Forums for more info.

I checked my VPN provider. ExpressVPN is stating in an April 2019 update that they are supporting the development of WireGuard but not yet rolling it out. Thank you for the info, I will consider this in the future.