Thanks to the built-in Wi-Fi, the newest version of the Raspberry Pi is more useful than ever for networking projects. We recently showed you how to use your Raspberry Pi as a wireless access point – a router, essentially – and now we have a project for you that builds on that. You can use your Raspberry Pi as a VPN access point, helping you browse the web more privately. Here’s how.
How to use your Raspberry Pi as a VPN router
Step 1: Turn your Pi into a wireless access point
You’ll find everything you need in our how-to post.
Step 2: Install OpenVPN
We’re going to use a program called OpenVPN to set up our VPN. Open the command line and type this to get it:
sudo apt-get install openvpn -y
Now go ahead and reboot the Pi:
sudo reboot
Step 3: Download and unzip VyprVPN
We’ll need one more program for this project, and that’s VyprVPN. Let’s get it via the command line:
cd /etc/openvpn
This puts us in the right directory.
sudo wget https://support.goldenfrog.com/hc/article_attachments/214728647/GF_OpenVPN_10142016.zip
This downloads the file.
sudo unzip GF_OpenVPN_10142016.zip
And this, of course, unzips it!
Step 4: List the VPNs
Hop into the new directory here, then type ls to list the files. We’re using the 256-bit version, so our path reflects that.
cd GF_OpenVPN_10142016/OpenVPN256
ls
You’ll see a whole bunch of files that end in .ovpn. These are the different VPNs you can use, listed by location. Remember these for when you want to connect to specific VPNs (consider writing them down, or just run these commands again when you forget).
Step 5: Create an authorization file
You need to be authorized to use VyprVPN. Let’s create an authorization file:
sudo nano /etc/openvpn/auth.txt
This should create a new file. In the file, type two lines. The first will be your username, the second your password. You’re not just making these up – they have to be your VyprVPN login (if you don’t have a VyprVPN account, create one). Now get out of the file (Ctrl+X), save it (Y), and confirm (Enter).
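The auth file stores the VPN password in plain text, and a file created with sudo nano is normally readable by every local user until its mode is tightened (sudo chmod 600 /etc/openvpn/auth.txt). The check below is an added example, not part of the original post; check_auth_file is a hypothetical helper name, and it assumes GNU stat as shipped with Raspbian.

```shell
#!/bin/sh
# Added example (not from the original post): check the credentials file
# passed to --auth-user-pass. check_auth_file is a hypothetical helper name.
# Usage (as root): check_auth_file FILE [EXPECTED_OWNER]  (owner defaults to root)
check_auth_file() {
    caf_file=$1; caf_owner=${2:-root}; caf_rc=0
    [ -f "$caf_file" ] || { echo "FAIL: $caf_file not found"; return 2; }
    # The file holds a plaintext password: no group/other permission bits.
    caf_mode=$(stat -c '%a' "$caf_file")
    if [ $(( 0$caf_mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $caf_mode is open beyond the owner (want 600)"
        caf_rc=1
    fi
    [ "$(stat -c '%U' "$caf_file")" = "$caf_owner" ] ||
        { echo "FAIL: owner is not $caf_owner"; caf_rc=1; }
    # Line 1 is the username, line 2 the password; both must be present.
    [ -n "$(sed -n 1p "$caf_file")" ] && [ -n "$(sed -n 2p "$caf_file")" ] ||
        { echo "FAIL: expected username on line 1, password on line 2"; caf_rc=1; }
    return $caf_rc
}

# Constructed demo on a throwaway file with made-up credentials.
# On the Pi: check_auth_file /etc/openvpn/auth.txt
caf_demo=$(mktemp)
printf 'constructed-user\nconstructed-pass\n' > "$caf_demo"
chmod 644 "$caf_demo"; check_auth_file "$caf_demo" "$(id -un)" || echo "-> rejected"
chmod 600 "$caf_demo"; check_auth_file "$caf_demo" "$(id -un)" && echo "-> ok"
rm -f "$caf_demo"
```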
Step 6: Run a test
sudo openvpn --config "/etc/openvpn/GF_OpenVPN_10142016/OpenVPN256/FILENAME.ovpn" --auth-user-pass /etc/openvpn/auth.txt
Remember the VPN you wanted to use? Plug that in where we have FILENAME.ovpn. If you did it right, you should get a bunch of text that includes the happy words “Initialization Sequence Completed.”
Step 7: Fun with iptables
We’re not done yet. We changed a bunch of stuff in iptables when we used our Pi as a wireless access point, but we need to change that now.
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X
This clears out the old stuff.
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
And this is what we want now. This will route the wlan0 connection through our tunnel instead of over the Ethernet connection.
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
This saves our work.
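To confirm that the saved rules send Wi-Fi clients through the tunnel and nowhere else, the saved file can be audited. This is an added example, not part of the original post: check_vpn_rules is a hypothetical helper name, and the embedded rule set is a constructed sample of what iptables-save should print after the commands above.

```shell
#!/bin/sh
# Added example (not from the original post): audit saved iptables rules for
# the wlan0 -> tun0 routing from step 7. check_vpn_rules is a hypothetical
# helper name. Usage: check_vpn_rules FILE [LAN_IF] [TUN_IF]
check_vpn_rules() {
    cvr_file=$1; cvr_lan=${2:-wlan0}; cvr_tun=${3:-tun0}; cvr_rc=0
    # NAT must masquerade traffic leaving through the tunnel.
    grep -Eq -e "^-A POSTROUTING .*-o $cvr_tun .*-j MASQUERADE" "$cvr_file" ||
        { echo "FAIL: no MASQUERADE rule on $cvr_tun"; cvr_rc=1; }
    # Clients on the LAN side must be allowed into the tunnel.
    grep -Eq -e "^-A FORWARD .*-i $cvr_lan -o $cvr_tun .*-j ACCEPT" "$cvr_file" ||
        { echo "FAIL: no FORWARD accept from $cvr_lan to $cvr_tun"; cvr_rc=1; }
    # Any other ACCEPT for LAN traffic, or NAT elsewhere, bypasses the VPN.
    cvr_leak=$(grep -E -e "^-A FORWARD .*-i $cvr_lan .*-j ACCEPT" "$cvr_file" |
        grep -v -e "-o $cvr_tun " || true)
    cvr_nat=$(grep -E -e "^-A POSTROUTING .*-j MASQUERADE" "$cvr_file" |
        grep -v -e "-o $cvr_tun " || true)
    [ -z "$cvr_leak" ] || { echo "FAIL: $cvr_lan can bypass $cvr_tun: $cvr_leak"; cvr_rc=1; }
    [ -z "$cvr_nat" ] || { echo "FAIL: NAT outside $cvr_tun: $cvr_nat"; cvr_rc=1; }
    # With policy ACCEPT, packets that match no rule are still forwarded.
    if grep -q '^:FORWARD ACCEPT' "$cvr_file"; then
        echo "WARN: FORWARD policy is ACCEPT; unmatched traffic is still forwarded"
    fi
    return $cvr_rc
}

# Constructed sample: iptables-save output expected after step 7.
sample_rules() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT
EOF
}

# Demo on the sample; on the Pi: check_vpn_rules /etc/iptables.ipv4.nat
cvr_tmp=$(mktemp); sample_rules > "$cvr_tmp"
check_vpn_rules "$cvr_tmp" && echo "required rules present"
rm -f "$cvr_tmp"
```

Pass a different LAN_IF as the second argument if clients arrive on an interface other than wlan0, such as a bridge.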
Step 8: Make things automatic
Let’s set it up so that our VPN starts up when our Pi starts up. We’ll need to edit the rc.local file.
sudo nano /etc/rc.local
In the file, look for the line that says “exit 0” and add these lines just above it:
sleep 5
sudo openvpn --config "/etc/openvpn/GF_OpenVPN_10142016/OpenVPN256/FILENAME.ovpn" --auth-user-pass /etc/openvpn/auth.txt
As with the last time, FILENAME.ovpn should be your choice from step 4. Head out of here with the same keystrokes as our last file editing step: Ctrl+X, Y, Enter.
That’s it! Everything should work properly now. You can check to make sure everything starts with each boot by rebooting the Pi with sudo reboot.
Comments (11)
PS: I am a complete Pi/Linux noob. My VPN connects but when accessing the internet it can't resolve DNS... Assume it's something to do with resolv.conf?
Also, what assumptions are taken into account for this project to work with regards to Wi-Fi setup, etc.?
Hey, I had this problem, and fixed it by adding DNS servers into dhcpcd.conf.
I.e. do: sudo nano /etc/dhcpcd.conf
My interface config now looks like this:
interface wlan0
static ip_address=192.168.0.110/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1 8.8.8.8 4.2.2.1
interface br0
static ip_address=192.168.0.111/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1 8.8.8.8 4.2.2.1
Note:
a) I've got static IPs set up for both wlan0 and the bridge - you may want to alter this.
b) Your home router may have a different address - modify to suit.
c) I'm not really sure whether it was adding the DNS servers to the bridge or the wlan settings that helped!
Hi, I followed both guides. The one to turn the raspberry pi to an access point and this one to enable the VPN. The Raspberry Pi acts as an access point correctly forwarding the wlan0 to eth0, and if I SSH into the raspberry pi, all the traffic goes through the VPN. The only thing that's not working is that the Wi-Fi clients aren't going through the VPN.
Any idea what I might be doing wrong? PS. I use my own OpenVPN server.
I had the same issue. :|
Fixed when I disabled the bridge which was set on the previous AP tutorial.
Delete or comment the bridge=br0 line inside the /etc/hostapd/hostapd.conf file:
sudo nano /etc/hostapd/hostapd.conf
#bridge=br0
Exit with saving.
VPN relocation works with several sites including HBO but does not "trick" Netflix. :(
DNS tweaking required maybe?
I'm having the same problem. I suspect a problem with iptables rules? Perhaps the order of the rules?
I've the exact same problem. Did you guys manage to find a solution so that clients connecting via Wi-Fi are on the VPN?
How would the process differ if I chose to use a different VPN provider instead of VyprVPN AND I have the proper .ovpn file to use? At least give me an overview of what steps would be different.
Nice how-tos! Thank you very much. Everything worked like a charm! :)
Except the one thing that all traffic through wlan0 does not go through the VPN. If I determine my public IP on the Pi, it shows me the IP assigned by VyprVPN. But if I connect with any other device through Wi-Fi, I still have the non-VPN IP.
My set-up is slightly different. On eth0 I am running a pi-hole so I added a second LAN adapter and added a tunnel from wlan0 to eth1.
Any ideas what went wrong here?
Thanks in advance!
Access point works, the IP is set via VPN, but the forwarding does not work. I have the same problem. I have been through it twice with the same results. Does not seem to work. I am using IPVanish.
br0: flags=4163 mtu 1500
inet 192.168.1.18 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::775d:d6c1:2cea:827c prefixlen 64 scopeid 0x20
ether b8:27:eb:9c:d7:7b txqueuelen 1000 (Ethernet)
RX packets 84117 bytes 13106097 (12.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10714 bytes 1403574 (1.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163 mtu 1500
inet XXX.XXX.XXX.XXX netmask 255.255.0.0 broadcast XXX.XXX.255.255
ether b8:27:eb:c9:82:2e txqueuelen 1000 (Ethernet)
RX packets 897752 bytes 1077730942 (1.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 364793 bytes 62265231 (59.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 222 bytes 18719 (18.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 222 bytes 18719 (18.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305 mtu 1500
inet 172.21.23.99 netmask 255.255.254.0 destination 172.21.23.99
inet6 fe80::8270:f353:4962:dfaf prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 384 (384.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163 mtu 1500
ether b8:27:eb:9c:d7:7b txqueuelen 1000 (Ethernet)
RX packets 353185 bytes 52589790 (50.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 892413 bytes 1110647447 (1.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I also had this issue of not VPNing wireless AP clients. :( Removing bridging did not solve the issue. :(
However, I found this repo that automates all this configuration, setting up a VPN Wireless Router (not AP). Check it out, it worked for my Raspberry Pi 3 using protonVPN (via OpenVPN): https://github.com/martinsauter/WLAN-VPN-Pi
Have fun!
Thanks for the tip. I managed to get the Router Component going, but have absolutely no idea how to follow their instructions to get the VPN going. Any tips?