Raspberry Pi VPN Access Point: Setup a Basic VPN Router

In this Raspberry Pi VPN access point tutorial, we will be exploring how to set up a VPN on a WiFi access point.

This tutorial builds upon our previous Wireless Access Point tutorial but makes one significant change: all traffic is routed through a VPN.

A VPN Access Point provides a quick and easy way of running any device you want through a VPN, even if it doesn’t support any VPN software. All you need to do is connect that device to your Raspberry Pi wireless access point, and all its traffic will be automatically routed through the VPN tunnel.

This project is essentially a VPN router and is incredibly easy to set up, but you will need to run through the Wireless Access Point tutorial first.

For our tutorial, we will be showing you how to set this VPN access point up by using either the VyprVPN or NordVPN services. While testing out various VPN providers for our tutorial, we found these to be some of the most reliable while retaining both good speed and good privacy policies.

If you would rather connect to the Raspberry Pi from outside your network and use that as a VPN, then I have a pretty easy to follow Raspberry Pi VPN tutorial you should take a look at.

You can also choose to use your own VPN service for this. If you have any recommendations for other providers, you can leave a comment at the bottom of this page.

Equipment List

Below are all the bits and pieces that I used for this Raspberry Pi VPN access point tutorial. There is nothing super special that you will need to be able to complete this.

Optional

Preparing OpenVPN for the Access Point

To set up our VPN Access Point, you will first have to follow our Wireless Access Point tutorial, as this will set up your Raspberry Pi correctly for this tutorial.

For this tutorial, we will be showing you how you can utilize your VPN service to set up a VPN Access Point.

The two VPNs that we will touch on in this tutorial are VyprVPN and NordVPN. We chose these two as we found both of them to be reliable and speedy, with good privacy policies.

For the VPN itself, we will be utilizing the OpenVPN software. The two VPNs that we will be touching on offer full support for the OpenVPN protocol and provide us with the .ovpn files required to get it to run.

1. Before we get started with setting up our VPN Access Point, let’s first make sure we have the latest packages by running the following two commands.

sudo apt update
sudo apt upgrade

2. Now that we are entirely up to date, we can install the OpenVPN software that we will rely on.

We can do that by running the following command in the terminal:

sudo apt install openvpn -y

3. Now let’s jump to the “openvpn” directory where we will be storing all the stuff we need to get our Raspberry Pi VPN access point up and running.

We can switch to this directory using the change directory command.

cd /etc/openvpn

4. Now that we have changed into the “openvpn” directory we need to create our authorization file to proceed.

This “auth.txt” file that we will be creating will keep your username and password for your VPN service.

Begin by creating the file by running the following nano command.

sudo nano /etc/openvpn/auth.txt

5. Now add your username and password to this file as shown in our example below.

We will be setting OpenVPN up so that it reads from this file to login to your VPN service.

username
password

6. With your login details entered into the file, we can save and quit out of the file by pressing CTRL + X then pressing Y and then Enter.

Getting the OVPN files for NordVPN

1. Now that we have the auth.txt file created we will need to grab our required ovpn files from NordVPN.

Remember that before you can utilize these files, you will be required to sign up to NordVPN.

Before we do that, however, let’s first make sure we are in the correct directory by running the following command on the terminal.

cd /etc/openvpn

2. Now to obtain the OpenVPN files for NordVPN you need to go to their ovpn section on the NordVPN website.

On this website find the specific server that you want to utilize, right-click the “Download UDP” button and copy the link by pressing “Copy Link Address“.

Paste that URL into the following command in place of the URL that we used.

In our example, we will be making use of the au514 server.

sudo wget https://downloads.nordcdn.com/configs/files/ovpn_legacy/servers/au514.nordvpn.com.udp1194.ovpn

3. Now it is best to rename the file you just downloaded. Renaming the file will make it easier to utilize it later on in the tutorial.

You are also required to change the file type from “.ovpn” to “.conf“. This change is necessary for OpenVPN to be able to detect and load the file in when we enable autostarting.

You can utilize the mv command to quickly rename the file as we have shown in our example below.

We shortened the au514.nordvpn.com.udp1194.ovpn filename to just au514.conf. It is much more straightforward to deal with, but still gives enough information about what server it is for connecting to.

sudo mv au514.nordvpn.com.udp1194.ovpn au514.conf

4. Now that you have renamed the file you can move onto the section titled “Setting up the VPN access point”.

This section will walk you through the process of actually utilizing OpenVPN as well as showing you how to route traffic through it.

Setting up the VPN Access Point

1. Now that we have a .ovpn file ready to go we need to make some modifications to it for our Raspberry Pi VPN access point to work.

Begin by running the following command, making sure you replace the filename in this command with your own.

sudo nano au514.conf

2. Now, within this file, you need to search and make modifications to the following line. You can use CTRL + W to make finding this line easier.

This change will make it so that when the OpenVPN client opens up the file, it will know it needs to load your “auth.txt” file.

Find

auth-user-pass

Replace with

auth-user-pass auth.txt

3. Once you have modified the file, you can save it by pressing CTRL + X, then Y, and finally ENTER.

4. With that done, we can now test that OpenVPN is making a successful connection to our VPN provider. In our example, this will be NordVPN.

To do this, we will be running the following command. Make sure to replace the .conf (.ovpn) file with the one you modified in the previous step. For our example, we will be using our “au514.conf” file.

sudo openvpn --config "/etc/openvpn/au514.conf"

This command will output a fair bit of text as it makes the connection. The main text you will want to look for is something like what we have shown below.

If you get an output similar to this, it means that you have now made a successful connection to your VPN provider’s servers.

/sbin/ip route add 81.171.69.2/32 via 192.168.40.1
/sbin/ip route add 0.0.0.0/1 via 172.20.32.1
/sbin/ip route add 128.0.0.0/1 via 172.20.32.1
Initialization Sequence Completed

5. Now that we have test run the OpenVPN client we can kill it and proceed onto setting it to launch at startup and changing up our firewall routing so that traffic is directed through the VPN tunnel.

To stop the currently running process press CTRL + C.
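
A check worth running once the test connection succeeds, as an added example that is not part of the original tutorial: the script below finds the file named by auth-user-pass in a client config and rejects it if group or other users can access it, since auth.txt holds the VPN password in plain text. It assumes a relative path is resolved against the config's own directory, as in this tutorial's /etc/openvpn layout; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the tutorial): audit the credentials file that an
# OpenVPN client config references via "auth-user-pass <file>".
# Assumption: relative paths resolve against the config's own directory.

# Print the path named by the last active auth-user-pass line in config $1.
# Returns 1 if there is no such directive, 2 if it names no file.
auth_file_for() {
    af_conf=$1
    af_line=$(grep -E '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$af_conf" | tail -n 1)
    [ -n "$af_line" ] || return 1
    # Second field is the file name; drop quotes and a stray carriage return.
    af_file=$(printf '%s\n' "$af_line" | awk '{print $2}' | tr -d "\"'\r")
    [ -n "$af_file" ] || return 2
    case $af_file in
        /*) printf '%s\n' "$af_file" ;;
        *)  printf '%s/%s\n' "$(dirname "$af_conf")" "$af_file" ;;
    esac
}

# Succeed only if $1 is a regular file with no group/other permission bits.
is_private_file() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# 0 = private credentials file, 1 = no file named (OpenVPN would prompt for
# the login interactively), 2 = file missing, 3 = accessible beyond its owner.
audit_openvpn_auth() {
    if ! cred=$(auth_file_for "$1"); then
        echo "$1: auth-user-pass names no file" >&2
        return 1
    fi
    if [ ! -f "$cred" ]; then
        echo "$cred: missing" >&2
        return 2
    fi
    if ! is_private_file "$cred"; then
        echo "$cred: group/other can access it; fix with: chmod 600 $cred" >&2
        return 3
    fi
    echo "$cred: ok"
}

# Audit a config when one is given on the command line.
if [ "$#" -gt 0 ]; then audit_openvpn_auth "$1"; fi
```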

Setting up Networking Rules

6. With our VPN working correctly, we need to use nftables to reroute the wlan0 connection through our tunnel, rather than through to the Ethernet as we did in our Wireless Access Point tutorial.

Before we do this, though, we will have to flush our current nftables ruleset. We can do that by running the following command on the Raspberry Pi.

sudo nft flush ruleset

7. Our next step is to set up some rules that will route the wlan connection through the tunnel. This will take three separate commands.

The first command creates a NAT table, the next sets up a postrouting chain, and the final one creates a masquerade rule.

sudo nft add table ip nat
sudo nft add chain ip nat postrouting '{ type nat hook postrouting priority srcnat; policy accept; }'
sudo nft add rule ip nat postrouting oifname "tun0" masquerade

8. With that done, let’s now save our nftables rules so that they will be loaded whenever the nftables service starts.

We can achieve this by using the following command. This command dumps the current active ruleset into the “/etc/nftables.conf” file.

sudo sh -c 'nft list ruleset > /etc/nftables.conf'

9. With this change done, we must also ensure that the nftables service is enabled. Luckily, that is pretty easy to do, and we can just run the following command.

Enabling the service ensures that the service is started when your Raspberry Pi powers on.

sudo systemctl enable --now nftables
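
The ruleset built above contains only a NAT table, so nothing in it blocks access point traffic from being forwarded out of another interface if OpenVPN exits. As an added example (not part of the original tutorial), this script generates a separate nftables table whose forward chain drops everything except wlan0 to tun0 and its return traffic; the table name vpn_killswitch and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the tutorial): a forward-chain "kill switch" for
# the access point. Interface names default to the tutorial's wlan0 and tun0.

# Accept only plausible Linux interface names (max 15 chars, safe characters)
# so nothing unexpected is spliced into the generated ruleset.
valid_ifname() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the ruleset for access point interface $1 and tunnel interface $2.
# iifname/oifname match by name, so the rules load before tun0 exists.
# The declare/delete/define sequence makes reloading the file idempotent.
killswitch_ruleset() {
    ap_if=$1
    tun_if=$2
    valid_ifname "$ap_if" && valid_ifname "$tun_if" || return 1
    cat <<EOF
table inet vpn_killswitch
delete table inet vpn_killswitch
table inet vpn_killswitch {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$ap_if" oifname "$tun_if" accept
    }
}
EOF
}

# Dry-run the ruleset with nft -c, then load it. Needs root and nft.
apply_killswitch() {
    rules=$(killswitch_ruleset "$1" "$2") || return 1
    printf '%s\n' "$rules" | nft -c -f - && printf '%s\n' "$rules" | nft -f -
}

# Only touch the firewall when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_killswitch "${2:-wlan0}" "${3:-tun0}"
fi
```

After loading it as root with `--apply`, repeat the step 8 save command so the table is written to /etc/nftables.conf and survives a reboot. The forward hook only covers clients of the access point; traffic the Pi itself originates passes the output hook and is not filtered by this chain.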

Getting OpenVPN to Connect at Boot

10. As we now have the firewall set up and ready to go, we need to adjust the OpenVPN client’s configuration file.

Begin editing the file by running the following command.

sudo nano /etc/default/openvpn

11. In this file, find the following line and change it so that it is uncommented and “all” is replaced with the name of the file you modified in Step 1 of this section.

You can see our example below.

Find

#autostart="all"

Replace with

autostart="au514"

12. Once you have made the required changes to the OpenVPN configuration file, you can save and exit by pressing CTRL + X, then Y, and finally ENTER.

13. You should now be able to see if everything is working by restarting your Raspberry Pi.

Upon startup, it should automatically make the connection to your VPN, establish the tunnel, and then forward traffic from your wireless access point through the tunnel.

sudo reboot

The easiest way to verify that your VPN access point is working as intended is to check to see if your IP address differs from devices not connected through the VPN.

Alternatively, your VPN provider likely displays whether you are “Protected” at the top of their website. Both our examples, NordVPN and VyprVPN, provide this feedback.

Preventing DNS Leaks

You might find that you get DNS leakage, but a small tweak can easily fix this on your Raspberry Pi. The change is forcing our DNS to run via Cloudflare’s public DNS rather than the internet service provider’s.

1. To help prevent DNS leaks from occurring on your Raspberry Pi we will want to modify the dhcpcd configuration file so that it connects to a better DNS provider.

You could also adjust this to use a Pi-Hole server or something else if you desired.

sudo nano /etc/dhcpcd.conf

2. Once you have the file opened, you will want to look through until you find the following line.

#static domain_name_servers=192.168.0.1

3. After finding this line, remove the hashtag (#) from the front of the line, and change the DNS IP from “192.168.0.1” to “1.1.1.1“.

static domain_name_servers=1.1.1.1

4. After making this change, you can save and quit by pressing CTRL + X, Y, and then ENTER.

5. Now reboot your Pi by entering the following command.

sudo reboot

6. Go to ipleak.net and check that your DNS is no longer leaking. If it is still leaking, then you might want to make sure WebRTC isn’t leaking.

Conclusion

Hopefully, by now you should have a fully operational Wireless Access Point that will route all its traffic through our OpenVPN tunnel to the VyprVPN or NordVPN service.

You should be left with a stable and fast VPN connection and an easy way to switch to a more secure connection.

If you come across any issues or have some feedback related to this Raspberry Pi VPN access point tutorial, then please don’t hesitate to leave a comment below.

36 Comments

  1. JiM on

    Preventing DNS leaks:

    static domain_name_servers=1.1.1.1

    For Malware and Adult Content Blocking
    Primary DNS: 1.1.1.3
    Secondary DNS: 1.0.0.3

  2. Michel P on

    I used the tutorial with ExpressVpn and it worked without a problem on buster lite / PI 3A+.
    2 remarks:
    - If the apt-get upgrade caused a kernel upgrade, it’s better to perform a reboot sooner than later, as some commands might fail otherwise (sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE in my case).
    - While setting up the AP, the command “sudo systemctl start hostapd” failed until I used “sudo rfkill unblock wifi” beforehand.

    Now, I’m having a problem with the internet connection not coming back after being dropped. I looked in syslog, the openvpn log and journalctl -ex and could not see anything unusual. Once my 4G router loses the internet connection even for a few seconds, the PI cannot recover and has to be rebooted. Still looking…

  3. Connor on

    Currently using this solution with a TorGuard VPN and it also works! Thanks for the writeup.

  4. AM on

    Hi,
    I’m using NordVPN and set it up as described. The extended test on dnsleaktest.com results with no leaks, but when connecting to ipleak.net it shows the ipv6 address of my real location, while the ipv4 address is shown as the one of NordVPN. Are there additional configurations that must be made on my raspberry?

    Greetings,
    AM

    1. Gus on
      Editor

      Hi AM,

      Due to the way ipv6 works, currently most, if not all, VPN services don’t support it.

      To fix this issue you will need to disable ipv6 on the Raspberry Pi or on your router.

      The following method of disabling ipv6 on the Raspberry Pi is untested since my ISP is in the dark ages and doesn’t support ipv6 yet.

      Open sysctl.conf

      sudo nano /etc/sysctl.conf

      In here add the following lines.

      net.ipv6.conf.all.disable_ipv6 = 1
      net.ipv6.conf.default.disable_ipv6 = 1
      net.ipv6.conf.lo.disable_ipv6 = 1

      After that run the following.

      sudo sysctl -p

      Now run the following.

      cat /proc/sys/net/ipv6/conf/all/disable_ipv6

      It should report 1, if it reports 0 then it's still enabled.

      If the above doesn't work, then you may need to look at disabling it on the router.

  5. RonF on

    I have run it with PIA and got everything working fine. My only question is what kind of VPN this is:

    PPTP, IPSEC, L2TP?

    To what level of encryption is openvpn taking us?

  6. Dan on

    Hi Gus,

    Do you know if you can use a second wireless adaptor to be the “internet” connection to the Pi instead of over Eth? I regularly roam around the country and use various WiFi hotspots in hotels and theatres. I’d love to be able to tell the Pi which AP to connect to and then browse the internet using my own AP, which is tunnelled through the VPN.

    Cheers,
    D

  7. Jaime on

    Hi,
    you recommend Raspberry Pi 2 or 3, but will this work on a original Raspberry Pi (1) as well?

    Thanks!

    1. Gus on
      Editor

      As far as I am aware it should work just fine but I haven’t been able to test it so I can’t guarantee that it will work.

  8. Michael on

    Hello, everything works so far. I am using Nord VPN and not Viper. I can connect to Nord VPN but once I connect, I internet connectivity. Anyone else have this issue?

  9. Andy on

    I have followed your previous guide to set my R Pi 3 up as a Router. This worked flawlessly thanks.

    I am now trying to set up the VPN in this guide but using PureVPN. I have tried using both this guide and the openVPN guide from the PureVPN support pages.

    I have connected my firestick to my RPi router but I am still seeing my own IP.

    Could you please write the amended steps to complete this set up for PureVPN.

  10. Tyson on

    Would this method work alongside Pi-Hole? If so, what are additional steps to take to ensure it works properly?

  11. Evan Thompson on

    Has anyone else who has got this working tested whether there is a DNS leak?

    I’ve run https://www.dnsleaktest.com and it correctly identifies that I’m living in New Zealand.

    I’m using privateinternetaccess, I’ve tried adding the lines to the ovpn script but no success

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

    Thanks

    1. Gus on
      Editor

      There is no DNS leak when using vyprvpn but I am unable to say about privateinternetaccess.

      Been running this exact setup for months without any issues.

    2. Evan Thompson on

      I have now signed up with vyprvpn but I’m still having problems.

      Using Roku stick to connect to the Pi both NowTV and Amazon detect I’m from an external region.

      When I run the standard DNS leak test on the website dnsleaktest.com it says that

      Hello 178.xxx.xxx.xx
      from London, United Kingdom
      but the standard test shows a DNS leak.

      results:
      Test complete
      Query round Progress... Servers found
      1 ...... 1
      IP Hostname ISP Country
      203.xxx.xxx.x wlg-wtc-xxxx.xxx.net The Internet Group LTD New Zealand

      I’ll check out MichaelMotorcycle response on the subject.

    3. MichaelMotorcycle on

      In your *.ovpn file, you need to add a few things. On a system pre-systemd version 229, make sure openresolv is installed, otherwise the lines you added won’t do anything in regards to update-resolv-conf. Also, you need to point to where the *.crt files and *.key files are located, possibly others, depending on the VPN service you are using. In the *.ovpn file, you should see something like ca CACertificate.crt. Just edit it to point to where the actual files are located: EXAMPLE: ca /etc/openvpn/TBear/CACertificate.crt -> auth-user-pass /etc/openvpn/TBear/auth.txt ->pk /etc/openvpn/TBear/PrivateKey.key. Wherever you put those files when you downloaded them, just point to them. Should also chmod 700 that auth.txt file to keep prying eyes off it also. I had DNS leaks before I did this, now, no more. Tested this with Tunnel Bear VPN.

  12. Adam on

    Hi, new to Raspberry Pi here but trying to learn. A few questions:

    1) Would it be possible to add a VPN kill switch to this setup?

    2) Can anything be done to counteract DNS leaks?

    3) What happens if the VPN tunnel or Raspberry Pi goes down, will everything restart/re-connect? Would my real IP leak during re-connection?

    Thanks.

  13. Alex on

    Great tutorial, works well with Private Internet Access. Thank you !

    1. Robert on

      How did you get this setup with private internet access??

    2. Evan Thompson on

      You need to change steps 5 and 6
      Create a folder for private internet access
      sudo mkdir pia
      cd pia
      sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
      sudo unzip openvpn.zip

      Step 11
      sudo openvpn --config "/etc/openvpn/pia/UK Southampton.ovpn" --auth-user-pass /etc/openvpn/auth.txt
      Note that at the end of step 11 I wasn’t sure how to return to the Linux command line, so I closed my Putty session and opened a new one and continued on.
      Step 16 will also need to be changed to reflect the server you choose (e.g. UK Southampton)

      My VPN seemed to work for Amazon; however, Netflix and BBC iPlayer failed to run as they detected I was using a VPN. Odd as when I choose UK Southampton from the Private Internet Access Windows app it seems to work.

  14. Bob on

    Can this build change VPN access points or is it static once set up? I don’t know how vyperVPN works but Private Internet Access gives several servers in different locations you can choose between.

  15. henry on

    I am having problems with step 11

    1. Gus on
      Editor

      What exactly are you having problems with? Any errors would be very handy, as it’s working just fine on my end.

  16. henry on

    Cannot unzip the files on step 5

    1. Gus on
      Editor

      Works fine on my end, again any errors would be appreciated.

  17. Ali aka The Rasberry PI Guy ? on

    Hey Gus, can you please tell me if there are any free VPN providers that work with this? Thanks 😉

    1. Gus on
      Editor

      If they support ovpn then they should work just fine but I haven’t really tested or looked into free VPN providers.

  18. Bill s on

    Missing something in step 4?

    1. Gus on
      Editor

      Was a mistake, it’s been fixed now. Thanks for noticing!

    2. Bill S. on

      Cool. I thought it was a typo. Thanks for the update.

      Great article!

  19. Martyn on

    Will this work with other vpns such as IPVanish?

    1. Gus on
      Editor

      It should work but I haven’t tested it with any of the others. If the VPN provider supports ovpn then it should work without any issues.

    2. Gustavo on

      I tested it with Perfect-Privacy, IPVanish and NordVPN.
      But as OP said, it works with any VPN Provider that supports OVPN, which is almost all of them AFAIK.

      @Gus: Thanks for this awesome guide.

    3. Paul on

      Yes it does, I used IPVanish on my Pi3
      Cheers

      Paul

    4. Will on

      Just want to add that it also works with Strong VPN as well!

    5. James on

      Only if the VPN you use supports it; check their documentation. For instance, my friend asked me to help him do this but his VPN did not support it. You could not install his VPN on a VPN-capable router either.