How to use your Raspberry Pi as a VPN router

How to use your Raspberry Pi as a VPN router

Thanks to the built-in Wi-Fi, the newest version of the Raspberry Pi is more useful than ever for networking projects. We recently showed you how to use your Raspberry Pi as a wireless access point – a router, essentially – and now we have a project for you that builds on that. You can use your Raspberry Pi as a VPN access point, helping you browse the web more privately. Here’s how.

How to use your Raspberry Pi as a VPN router

Step 1: Turn your Pi into a wireless access point

You’ll find everything you need in our how-to post.

Step 2: Install OpenVPN

We’re going to use a program called OpenVPN to set up our VPN. Open the command line and type this to get it:

sudo apt-get install openvpn -y

Now go ahead and reboot the Pi:

sudo reboot

Step 3: Download and unzip VyprVPN

We’ll need one more program for this project, and that’s VyprVPN. Let’s get it via the command line:

cd /etc/openvpn

This puts us in the right directory.

sudo wget

This downloads the file.

sudo unzip

And this, of course, unzips it!

Step 4: List the VPNs

Hop into the new directory here, then type ls to list the files. We’re using the 256-bit version, so our path reflects that.

cd GF_OpenVPN_10142016/OpenVPN256

You’ll see a whole bunch of files that end in .ovpn. These are the different VPNs you can use, listed by location. Remember these for when you want to connect to specific VPNs (consider writing them down, or just run these commands again when you forget).

Step 5: Create an authorization file

You need to be authorized to use VyprVPN. Let’s create an authorization file:

sudo nano /etc/openvpn/auth.txt

This should create a new file. In the file, type two lines. The first will be your username, the second your password. You’re not just making these up – they have to be your VyprVPN login (if you don’t have a VyprVPN account, create one). Now get out of the file (Ctrl+X), save it (Y), and confirm (Enter).

Step 6: Run a test

sudo openvpn --config "/etc/openvpn/GF_OpenVPN_10142016/OpenVPN256/FILENAME.ovpn" --auth-user-pass /etc/openvpn/auth.txt

Remember the VPN you wanted to use? Plug that in where we have FILENAME.ovpn. If you did it right, you should get a bunch of text that includes the happy words “Initialization Sequence Completed.”

Step 7: Fun with iptables

We’re not done yet. We changed a bunch of stuff in iptables when we used our Pi as a wireless access point, but we need to change that now.

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X

This clears out the old stuff.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

And this is what we want now. This will route the wlan0 connection through our tunnel instead of over the Ethernet connection.

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

This saves our work.

Step 8: Make things automatic

Let’s set it up so that our VPN starts up when our Pi starts up. We’ll need to edit the rc.local file.

sudo nano /etc/rc.local

In the file, look for the line that says “exit 0” and add these lines just above it:

sleep 5
sudo openvpn --config "/etc/openvpn/GF_OpenVPN_10142016/OpenVPN256/FILENAME.ovpn" --auth-user-pass /etc/openvpn/auth.txt

As with the last time, FILENAME.ovpn should be your choice from step 4. Head out of here with the same keystrokes as our last file editing step: Ctrl+X, Y, Enter.

That’s it! Everything should work properly now. You can check to make sure everything starts with each boot by rebooting the Pi with sudo reboot.

11 Comments on "How to use your Raspberry Pi as a VPN router"

  1. Jan van den Berg | October 31, 2017 at 10:21 pm | Reply

    Ps: I am a complete Pi/Linux noob. My VPN connects but when accessing the internet it can’t resolve DNS… Assume its something to do with resolv.conf?

    Also, what assumptions are taken into account for this project to work with regards to Wi-Fi setup, etc.?

    • Hey, I had this problem, and fixed it by adding DNS servers into dhcpcd.conf.

      I.e. do: sudo nano /etc/dhcpcd.conf

      My interface config now looks like this:

      interface wlan0
      static ip_address=
      static routers=
      static domain_name_servers=

      interface br0
      static ip_address=
      static routers=
      static domain_name_servers=

      a) I’ve got static IPs set up for both wlan0 and the bridge – you may want to alter this.
      b) Your home router may have a different address – modify to suit.
      c) I’m not really sure whether it was adding the DNS servers to the bridge or the wlan settings that helped!

  2. Hi, I followed both guides. The one to turn the raspberry pi to an access point and this one to enable the VPN. The Raspberry Pi acts as an access point correctly forwarding the wlan0 to eth0, and if I SSH into the raspberry pi, all the traffic goes through the VPN. The only thing that’s not working is that the Wi-Fi clients aren’t going through the VPN.

    Any idea what I might be doing wrong? PS. I use my own OpenVPN server.

    • I’m having the same problem. I suspect a problem with iptables rules? Perhaps the order of the rules?

      • Sebastian Doan | April 4, 2018 at 2:53 pm | Reply

        I’ve the exact same problem. Did you guys manage to find a solution so that clients connecting via Wi-Fi are on the VPN?

    • I had same issue. 😐

      Fixed when I disabled the bridge which was set on the previous AP tutorial.

      Delete or comment the bridge=br0 line inside the /etc/hostapd/hostapd.conf file:
      sudo nano /etc/hostapd/hostapd.conf


      Exit with saving.

      VPN relocation works with several sites including HBO but does not “trick” Netflix. 🙁

      DNS tweaking required maybe?

  3. Sharan Srinivasan | December 29, 2017 at 11:39 pm | Reply

    How would the process differ if I chose to use a different VPN provider instead of VyprVPN AND I have the proper .ovpn file to use? At least give me an overview of what steps would be different.

  4. Nice how-tos! Thank you very much. Everything worked like a charm! 🙂

    Except the one thing that all traffic through wlan0 does not go through the VPN. If I determine my public IP on the Pi, it shows me the IP assigned by VyprVPN. But if I connect with any other device through Wi-Fi, I still have the non-VPN IP.
    My set-up is slightly different. On eth0 I am running a pi-hole so I added a second LAN adapter and added a tunnel from wlan0 to eth1.

    Any ideas what went wrong here?

    Thanks in advance!

  5. Access point works, the IP is set via VPN, but the forwarding does not work. I have the same problem. I have been through it twice with the same results. Does not seem to work. I am using IPVanish.
    br0: flags=4163 mtu 1500
    inet netmask broadcast
    inet6 fe80::775d:d6c1:2cea:827c prefixlen 64 scopeid 0x20
    ether b8:27:eb:9c:d7:7b txqueuelen 1000 (Ethernet)
    RX packets 84117 bytes 13106097 (12.4 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 10714 bytes 1403574 (1.3 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    eth0: flags=4163 mtu 1500
    inet XXX.XXX.XXX.XXX netmask broadcast XXX.XXX.255.255
    ether b8:27:eb:c9:82:2e txqueuelen 1000 (Ethernet)
    RX packets 897752 bytes 1077730942 (1.0 GiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 364793 bytes 62265231 (59.3 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    lo: flags=73 mtu 65536
    inet netmask
    inet6 ::1 prefixlen 128 scopeid 0x10
    loop txqueuelen 1 (Local Loopback)
    RX packets 222 bytes 18719 (18.2 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 222 bytes 18719 (18.2 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    tun0: flags=4305 mtu 1500
    inet netmask destination
    inet6 fe80::8270:f353:4962:dfaf prefixlen 64 scopeid 0x20
    unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
    RX packets 0 bytes 0 (0.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 8 bytes 384 (384.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    wlan0: flags=4163 mtu 1500
    ether b8:27:eb:9c:d7:7b txqueuelen 1000 (Ethernet)
    RX packets 353185 bytes 52589790 (50.1 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 892413 bytes 1110647447 (1.0 GiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

  6. I also had this issue of not VPNing wireless AP clients. 🙁 Removing bridging did not solve the issue. 🙁

    However, I found this repo that automates all this configuration, setting up a VPN Wireless Router (not AP). Check it out, it worked for my Raspberry Pi 3 using protonVPN (via OpenVPN):

    Have fun!

    • Sebastian Doan | April 4, 2018 at 1:43 pm | Reply

      Thanks for the tip. I managed to get the Router Component going, but have absolutely no idea how to follow their instructions to get the VPN going. Any tips?

Leave a comment

Your email address will not be published.