## Goal

Browse the Internet via the desired mobile network operator by connecting to a WireGuard network with a specific address.

Why? You'll know why if you need it.

Advantages:

* You probably have more old Android phones sitting around than 4G modems.
* All network traffic will be routed via the VPN/MNO, as opposed to setting up simple HTTP proxies ([Every Proxy](https://play.google.com/store/apps/details?id=com.gorillasoftware.everyproxy&hl=en&gl=US)) on the Android devices, which is a much simpler option.

Disadvantages:

* You need to manually enable USB tethering on the phone on each restart.
* If you plug more than one phone into the same RPi, you need to keep track of which device is usb0, usb1, etc.
* A 4G modem is cheaper than an Android phone.
* (Semi) Complicated routing!

## Summary

![Wireguard](https://docs.google.com/drawings/d/e/2PACX-1vQFlCgqwOdI9G7AB4EHtPOyl288NzTkxU5OcF50Gl9UUvrXFeCRm4Y5VsxSXcgXtzyW8kNZi8AgUROx/pub?w=789&h=313 "Wireguard")

## Gateway setup

### WireGuard

One WireGuard interface will be set up with multiple addresses/subnets. Each subnet will route traffic via a different MNO.

```
[Interface]
Table = 1234
Address = 10.0.0.1/24, 10.0.1.1/24, 10.0.2.1/24 # 1 network for each MNO
SaveConfig = false
ListenPort = 5555
PrivateKey =

[Peer] # normal browsing peer
PublicKey =
AllowedIPs = 10.0.0.2/32,10.0.1.2/32,10.0.2.2/32 # 1 for each MNO

[Peer] # normal browsing peer
PublicKey =
AllowedIPs = 10.0.0.3/32,10.0.1.3/32,10.0.2.3/32 # 1 for each MNO

[Peer] # rpi gw peer
PublicKey =
AllowedIPs = 0.0.0.0/0 # this allows all traffic to exit the GW direction RPI as well as RPI to register any IP address (x.x.x.254) on the GW.

[Peer] # rpi gw peer
PublicKey =
# Note: WireGuard keeps a given allowed-IP range on one peer only; when two peers
# list 0.0.0.0/0, the peer configured last holds it.
AllowedIPs = 0.0.0.0/0 # this allows all traffic to exit the GW direction RPI as well as RPI to register any IP address (x.x.x.254) on the GW.
```

### ip routes and rules

We need ip route tables and rules on the main gateway in order to route traffic to the correct RPi/phone.
All of this should probably go into the WireGuard config PostUp.

```
sysctl -w net.ipv4.ip_forward=1

# One routing table per MNO; the next hop is the RPi's address in that subnet
ip route add default via 10.0.0.254 dev wg0 table 1111
ip route add default via 10.0.1.254 dev wg0 table 2222
ip route add default via 10.0.2.254 dev wg0 table 3333

# Select the table by the source subnet of the browsing peer
ip rule add from 10.0.0.254/24 lookup 1111
ip rule add from 10.0.1.254/24 lookup 2222
ip rule add from 10.0.2.254/24 lookup 3333
```

## Raspberry Pi gateway setup

### Routing and firewall

Enable IP forwarding and masquerading. Set up routes and rules so that traffic exits the correct USB tethered phone.

```
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i wg0 -j ACCEPT # put in WG config
iptables -t nat -A POSTROUTING -o usb0 -j MASQUERADE # put in WG config
iptables -t nat -A POSTROUTING -o usb1 -j MASQUERADE # put in WG config
ip route add default via 192.168.42.129 dev usb0 table 1111 # put in WG config
ip route add default via 192.168.42.129 dev usb1 table 2222 # put in WG config
ip rule add from 10.0.0.254/24 lookup 1111 # put in WG config
ip rule add from 10.0.1.254/24 lookup 2222 # put in WG config
```

### WireGuard

## Browsing peer setup

### WireGuard

```
wef wef
```

The browsing peer will have an IP address on each network/MNO. When bringing up the

## Wrapping up

Bring up wg0 on boot.
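
An added example for the Raspberry Pi "Routing and firewall" step (not part of the original setup): a shell function that prints the per-MNO commands from a `subnet:device:table` mapping, plus an `unreachable` fallback route in each table. Without that fallback, a lookup in a table whose default route disappeared with the phone's interface continues to the main table, so traffic can leave through the Pi's own uplink instead of the intended MNO. The mapping format, the function name and the metric value are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: print (do not execute) the Pi's per-MNO policy-routing commands.
# The "wg_subnet:usb_dev:table" mapping format is an assumption of this sketch;
# addresses, devices and table numbers are the ones used on this page.
PHONE_GW=192.168.42.129   # Android USB-tethering gateway, as on the page

mno_policy_cmds() {
    for m in "$@"; do
        subnet=${m%%:*}; rest=${m#*:}
        dev=${rest%%:*}; table=${rest#*:}
        # Refuse anything that is not a tethered phone or a numeric table id
        case "$dev" in usb[0-9]*) ;; *) echo "bad device: $dev" >&2; return 1 ;; esac
        case "$table" in ''|*[!0-9]*) echo "bad table: $table" >&2; return 1 ;; esac
        echo "ip route add default via $PHONE_GW dev $dev table $table"
        # Higher metric: only used once the route via the phone is gone,
        # so the subnet fails closed instead of falling through to main
        echo "ip route add unreachable default metric 1000 table $table"
        echo "ip rule add from $subnet lookup $table"
        echo "iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE"
    done
}

# Review the output, then place the lines in the WireGuard config's PostUp
mno_policy_cmds 10.0.0.0/24:usb0:1111 10.0.1.0/24:usb1:2222
```

With tethering switched off on a phone, `ip route show table 1111` should then list only the `unreachable default` entry.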