VPN for a Roku TV using a NetworkManager hotspot

I don't have a lot of pictures of tunnels, so here's a bridge

Just because I'm in Canada now doesn't mean I want to give up on my US streaming services. Originally I wanted to run my own VPN - and while I'm still doing that, the amount of IP-reputation whack-a-mole involved in getting datacenter IPs allowed to access the various streaming services is pretty close to self-hosted-email level. So for the foreseeable future, I've decided to set up, in NetworkManager on a Rocky Linux 8 VM, a WiFi hotspot that routes through a commercial VPN, and connect my Roku TV to it, as Roku doesn't have native support for any VPN configuration.

In another apparent parallel to self-hosted email, setting up a reliable NetworkManager hotspot is a total crapshoot. I've got the NUC's Intel WiFi card added to a Rocky Linux 8 VM without issue - no Broadcom driver problems, although if you have a non-Intel WiFi device you will almost definitely run into those - but just getting the OS stable has been a major pain. I tried and discarded an Ubuntu MATE VM; the GUI was convenient for setup purposes since I lose non-console access to the VM as soon as the tunnel is active, but the entire X session kept crashing every few minutes for reasons I didn't understand and didn't feel like troubleshooting, so I reinstalled with Rocky.

Once in Rocky, you need to add some additional packages to get both OpenVPN and WiFi support in NetworkManager. The OpenVPN plugin comes from EPEL, so that repository has to be enabled in its own transaction first, and dnf package names are case-sensitive:

sudo dnf install epel-release
sudo dnf install NetworkManager-openvpn NetworkManager-wifi wpa_supplicant

Importing OpenVPN profiles is relatively simple, but with a hitch - you can't import them as a user, and importing them as root runs into a bug with SELinux policy. So unfortunately, you're going to have to perform every sysadmin's least favorite task and just disable SELinux. If you'd rather not go that far: confirm SELinux really is what blocks the import with sudo ausearch -m AVC -ts recent, and switch it to permissive (setenforce 0 now, SELINUX=permissive in /etc/selinux/config to persist), which lets the import through while still logging the denials instead of turning enforcement off for good. There's another bug related to OpenVPN passwords specifically, which is fixed with the steps in the post linked below:

How to save VPN passwords with NetworkManger for nmcli?

With all this done, and the VPN tunnel imported and tested over the VM's Ethernet connection, it's time to set up the WiFi hotspot itself. First I tried creating a hotspot with nmtui, but I never got that working for whatever reason. The internet has a lot of supposed guides for setting this up, but the NetworkManager steps that worked for me were:

nmcli con add type wifi ifname wlp5s0 con-name hotspot autoconnect yes ssid hotspot
nmcli con modify hotspot 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared
nmcli con mod hotspot wifi-sec.key-mgmt wpa-psk
nmcli con mod hotspot wifi-sec.psk "securepassword"
nmcli con up hotspot

We run into one more Rocky-specific issue - or at least, I think we do. You see, I still can't connect to this hotspot from my phone - the connection just times out, and there's nothing in journalctl that even shows a DHCP request from the phone while it's trying to connect. So I figured firewalld was interfering, and made sure that it was configured to allow the DHCP traffic:

sudo firewall-cmd --state
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --zone=public --permanent --add-port=67/udp
sudo firewall-cmd --zone=public --add-masquerade --permanent
sudo firewall-cmd --reload
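Pulling the steps above together, here is an added example (not the author's own script) that runs the whole procedure from one place and adds the checks I'd want before handing the SSID to a TV: a WPA2 passphrase length check, a system-owned VPN password so the tunnel comes up with no login session, IPv6 disabled on the hotspot so a client cannot sidestep an IPv4-only tunnel, and a default-route check so you notice when the tunnel is down and the TV would egress straight over the ISP. The interface wlp5s0 and the name "hotspot" come from the post; the profile path /root/us-vpn.ovpn, the connection name us-vpn, and the VPN_USER, VPN_PASS, HOTSPOT_PSK and WIFI_ZONE variables are assumptions. Run it as "sh hotspot.sh plan" to print every command first, then "sh hotspot.sh apply".

```shell
#!/bin/sh
# Added example (not from the original post): the whole procedure as one
# reviewable script. Assumed names: wlp5s0 (the Intel card), "hotspot" (SSID and
# connection name), /root/us-vpn.ovpn (the commercial VPN profile; nmcli names
# the imported connection after the file, so it becomes "us-vpn").
set -eu

WIFI_IF=${WIFI_IF:-wlp5s0}
HOTSPOT=${HOTSPOT:-hotspot}
OVPN_FILE=${OVPN_FILE:-/root/us-vpn.ovpn}
VPN_CON=$(basename "$OVPN_FILE" .ovpn)

# DRY_RUN=1 prints each command instead of executing it, so the plan can be
# reviewed (and this script tested) on a machine without NetworkManager.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# WPA2-PSK passphrases must be 8..63 printable ASCII characters; anything else
# is rejected by wpa_supplicant and the AP never comes up.
check_psk() {
  _psk=$1
  [ "${#_psk}" -ge 8 ] && [ "${#_psk}" -le 63 ] || return 1
  [ -z "$(printf '%s' "$_psk" | LC_ALL=C tr -d '[:print:]')" ]
}

install_packages() {
  # EPEL must be enabled in its own transaction before NetworkManager-openvpn
  # (an EPEL package) can be resolved; dnf package names are case-sensitive.
  run sudo dnf -y install epel-release
  run sudo dnf -y install NetworkManager-openvpn NetworkManager-wifi wpa_supplicant
}

import_vpn() {
  # $1 = VPN username, $2 = VPN password. password-flags=0 marks the secret as
  # system-owned, so NM stores it in /etc/NetworkManager/system-connections and
  # the tunnel can come up unattended. Pass the password via a variable, not a
  # literal, so it does not end up in shell history.
  run sudo nmcli connection import type openvpn file "$OVPN_FILE"
  run sudo nmcli connection modify "$VPN_CON" +vpn.data "username=$1,password-flags=0"
  run sudo nmcli connection modify "$VPN_CON" vpn.secrets "password=$2"
  run sudo nmcli connection up "$VPN_CON"
}

create_hotspot() {
  # $1 = WPA2 passphrase. ipv4.method shared makes NM run dnsmasq (DHCP + DNS)
  # on the interface and NAT clients out the current default route, i.e. the
  # tunnel while it is up. IPv6 is disabled so a client cannot get a v6 path
  # that bypasses an IPv4-only tunnel and reveals the real location.
  check_psk "$1" || { echo "PSK must be 8-63 printable characters" >&2; return 1; }
  run nmcli connection add type wifi ifname "$WIFI_IF" con-name "$HOTSPOT" \
      autoconnect yes ssid "$HOTSPOT"
  run nmcli connection modify "$HOTSPOT" 802-11-wireless.mode ap \
      802-11-wireless.band bg ipv4.method shared ipv6.method disabled
  run nmcli connection modify "$HOTSPOT" wifi-sec.key-mgmt wpa-psk wifi-sec.psk "$1"
  run nmcli connection up "$HOTSPOT"
}

open_firewall() {
  # $1 = zone the WiFi interface landed in (check with:
  #   sudo firewall-cmd --get-zone-of-interface wlp5s0).
  # NM >= 1.22 normally places a shared interface in its own nm-shared zone,
  # which already permits DHCP/DNS and masquerades. Only if it sits in public
  # does it need these, and then DNS as well, since clients use this host as
  # their resolver.
  case ${1:-public} in nm-shared) return 0 ;; esac
  run sudo firewall-cmd --zone="${1:-public}" --permanent --add-service=dhcp
  run sudo firewall-cmd --zone="${1:-public}" --permanent --add-service=dns
  run sudo firewall-cmd --zone="${1:-public}" --permanent --add-masquerade
  run sudo firewall-cmd --reload
}

# Pull the device out of an `ip -o route get` line. The VPN is only the
# clients' real egress while that device is the tunnel; with the tunnel down,
# NM's NAT sends the TV straight out the ISP link, so re-check after any drop.
route_dev() { printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'; }
vpn_is_default_route() { case $(route_dev "$1") in tun*) return 0 ;; *) return 1 ;; esac; }

main() {
  install_packages
  import_vpn "${VPN_USER:-me@example.invalid}" "${VPN_PASS:-change-me}"
  create_hotspot "${HOTSPOT_PSK:-securepassword}"
  open_firewall "${WIFI_ZONE:-public}"
  [ -n "${DRY_RUN:-}" ] || vpn_is_default_route "$(ip -o route get 1.1.1.1)" ||
    { echo "default route is not the VPN tunnel; hotspot clients would leak" >&2; exit 1; }
}

case ${1:-} in
  plan)  DRY_RUN=1 main ;;
  apply) main ;;
  *)     echo "usage: $0 plan|apply" >&2 ;;
esac
```

The one thing this script cannot do for you is act as a kill switch: the route check only reports that the tunnel is down, it does not stop clients from falling back to the ISP. If that matters, add a firewalld rich rule or a static route that drops forwarded traffic from the hotspot subnet unless it leaves via the tun device.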

To continue troubleshooting, I rebooted the VM a couple of times, and then tried the hotspot from my laptops. They - along with the TV - connect just fine, and the VPN connection is used as the default gateway. When I was testing the previous Ubuntu MATE setup, which used largely the same NetworkManager configuration but had a downgraded wpa_supplicant due to another bug in Ubuntu, the phone would connect fine. Maybe Rocky's older packages both help and hurt here; I didn't have to downgrade wpa_supplicant, but I still have no idea why the phone won't connect.

But with the above setup - and switching the Roku TV between Wired and Wireless internet connectivity depending on where I want to appear to be streaming from - I now have a stable connection to all of my streaming services. I'm still not 100% pleased with this setup, so if I find any improvements, I'll come back and update this post.

Jordan Cooks

Jordan listens to too many podcasts, has too many streaming subscriptions, loves dogs, is the Integration Engineer Team Lead at Bitwarden, and makes a mean vegan baked mac and cheeze.
North Bend, OR