Raspberry Pi VPN Access Point: Setup a Basic VPN Router

In this Raspberry Pi VPN access point tutorial, we will be exploring how to set up a VPN on a WiFi access point.


This tutorial builds upon our previous Wireless Access Point tutorial but makes one significant change, and this is to route all the traffic through a VPN.

A VPN Access Point provides a quick and easy way of running any device you want through a VPN, even if it doesn’t support any VPN software. All you need to do is connect that device to your Raspberry Pi wireless access point, and all its traffic will be automatically routed through a VPN tunnel.

This project is essentially a VPN router and is incredibly easy to set up, but you will first need to run through the Wireless Access Point tutorial mentioned above.

For our tutorial, we will be showing you how to set this VPN access point up by using either the VyprVPN or NordVPN services. While testing out various VPN providers for our tutorial, we found these to be some of the most reliable while retaining both good speed and good privacy policies.

If you would rather connect to the Raspberry Pi from outside your network and use that as a VPN, then I have a pretty easy-to-follow Raspberry Pi VPN tutorial you should take a look at.

You can also choose to utilize your own VPN service for this. If you have any recommendations for other providers, you can leave a comment at the bottom of this page.

Equipment List

Below are all the bits and pieces that I used for this Raspberry Pi VPN access point tutorial. There is nothing super special that you will need to be able to complete this.

Recommended

Optional

Preparing OpenVPN for the Access Point

To set up our VPN Access Point, you will first need to have followed our Wireless Access Point tutorial, as this will set up your Raspberry Pi correctly for this tutorial.

For this tutorial, we will be showing you how you can utilize your own VPN service to set up a VPN Access Point.

The two VPNs that we will touch on in this tutorial are VyprVPN and NordVPN. We chose these two as we found both of them to be reliable and speedy, with good privacy policies.

For the VPN itself, we will be utilizing the OpenVPN software. The two VPNs that we will be touching on offer full support for the OpenVPN protocol and provide us with the .ovpn files required to get it to run.

1. Before we get started with setting up our VPN Access Point, let’s first make sure we have the latest packages by running the following two commands.

sudo apt update
sudo apt upgrade

2. Now that we are entirely up to date we can install the OpenVPN software that we will rely on.

We can do that by running the following command in the terminal:

sudo apt install openvpn -y

3. Now let’s jump to the openvpn directory where we will be storing all the stuff we need to get our Raspberry Pi VPN access point up and running.

Let’s jump to the directory with the change directory command.

cd /etc/openvpn

4. Now that we have changed into the openvpn directory we need to create our authorization file to proceed.

This auth.txt file that we will be creating will store the username and password for your VPN service in plain text, so it should be readable only by root.

Begin by creating the file by running the following nano command.

sudo nano /etc/openvpn/auth.txt

5. Now add your username and password to this file as shown in our example below.

We will be setting OpenVPN up so that it reads from this file to login to your VPN service.

username
password

With your login details entered into the file, we can save and quit out of the file by pressing CTRL + X then pressing Y and then Enter.

Getting the OVPN files for VyprVPN

1. Before you can utilize these files, you must first sign up to VyprVPN.

Before we begin grabbing the files we need to set up VyprVPN, we first need to make sure that we are still in the openvpn directory by running the following command.

cd /etc/openvpn

2. Now that we are in the configuration directory, we will download our VyprVPN OVPN files. These are what we will load to make a connection to Vypr’s network.

Run the wget command to grab the zip file from VyprVPN’s servers.

sudo wget -O vyprvpn.zip \
https://support.goldenfrog.com/hc/article_attachments/360008728172/GF_OpenVPN_10142016.zip

3. With the zip file now on our Raspberry Pi, we need to extract it so we can access all the files.

We can easily extract this by running the following unzip command in the terminal.

sudo unzip vyprvpn.zip

4. Now we can check out all the .ovpn files by changing into the newly generated directory. In here, take note of the location you want to connect to, as you will need to specify this in a later command.

cd OpenVPN256

5. Now use the following command to list all of the .ovpn files in here.

Take note of the filename for the location you want to use. For instance, if we wanted to connect to San Francisco in the United States, we would take note of “USA - San Francisco.ovpn”.

ls

6. With your desired ovpn file, move it out of the OpenVPN256 directory to the openvpn directory.

We do this as we will need to make some changes to the file and it will be easier for the daemon to autostart with it sitting in the openvpn directory.

For our example file, you can use a command similar to this to move it to the right directory. This command assumes you are still sitting in the OpenVPN256 directory.

It is essential that you also change the file type from .ovpn to .conf, this is required by OpenVPN to detect and load the file.

In addition to moving the file, we will also rename it to make it easier to reference.

sudo mv "USA - San Francisco.ovpn" "../USASanFran.conf"

7. With that done, you can now move on to the section titled “Setting up the VPN Access Point”. This section will walk you through the changes that you need to make to the renamed .conf file and also show you how to get the VPN running at startup.

Getting the OVPN files for NordVPN

1. Now that we have the auth.txt file created we will need to grab our required ovpn files from NordVPN.

Remember that before you can utilize these files, you will be required to sign up to NordVPN.

Before we do that, however, let’s first make sure we are in the correct directory by running the following command on the terminal.

cd /etc/openvpn

2. Now to obtain the OpenVPN files for NordVPN you need to go to their ovpn section on the NordVPN website.

On this website, find the specific server that you want to utilize, right-click the “Download UDP” button and copy the link by pressing “Copy Link Address”.

Paste that URL into the following command in place of the URL that we used.

In our example, we will be making use of the au514 server.

sudo wget https://downloads.nordcdn.com/configs/files/ovpn_legacy/servers/au514.nordvpn.com.udp1194.ovpn

3. Now it is best to rename the file you just downloaded. Renaming the file will make it easier to utilize it later on in the tutorial.

You are also required to change the filetype from .ovpn to .conf. This change is necessary for OpenVPN to be able to detect and load the file in when we enable autostarting.

You can utilize the mv command to quickly rename the file as we have shown in our example below.

We shortened the au514.nordvpn.com.udp1194.ovpn filename to just au514.conf, which is much more straightforward to deal with but still gives enough information about which server it connects to.

sudo mv au514.nordvpn.com.udp1194.ovpn au514.conf

4. Now that you have renamed the file you can move onto the section titled “Setting up the VPN access point”.

This section will walk you through the process of actually utilizing OpenVPN as well as showing you how to route traffic through it.

Setting up the VPN Access Point

1. Now that we have our renamed .conf file ready to go, we need to make some modifications to it for our Raspberry Pi VPN access point to work.

Begin by running the following command, making sure you replace the filename in this command with your own.

sudo nano au514.conf

2. Now within this file, you need to search and make modifications to the following line. You can use CTRL + W to make finding this line easier.

This change will make it so that when the OpenVPN client opens up the file, it will know it needs to load your auth.txt file.

Find

auth-user-pass

Replace with

auth-user-pass auth.txt

3. Once you have modified the file, you can save it by pressing CTRL + X then Y and finally ENTER.

4. With that done, we can now test to make sure that OpenVPN is making a successful connection to our VPN provider. In our example, this will be NordVPN.

To do this, we will be running the following command. Make sure to replace the .conf file in it with the one you modified in the previous step. For our example, we will be using our “au514.conf” file.

sudo openvpn --config "/etc/openvpn/au514.conf"

This command will output a fair bit of text as it makes the connection. The main text you will want to look for is something like what we have shown below.

If you get an output similar to this, it means that you have now made a successful connection to your VPN provider’s servers.

/sbin/ip route add 81.171.69.2/32 via 192.168.40.1
/sbin/ip route add 0.0.0.0/1 via 172.20.32.1
/sbin/ip route add 128.0.0.0/1 via 172.20.32.1
Initialization Sequence Completed

5. Now that we have test run the OpenVPN client, we can kill it and proceed to setting it to launch at startup and changing our firewall routing so that traffic is directed through the VPN tunnel.

To stop the currently running process press CTRL + C.

6. With our VPN working correctly, we need to utilize iptables to reroute the wlan0 connection through our tunnel, rather than through the Ethernet connection as we did in our Wireless Access Point tutorial.

Before we do this, though, we will have to flush out our current iptables rules. We can do that by running the following three commands on the Raspberry Pi.

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X

7. Now let’s finally add our new iptables rule by running the following command. This rule masquerades (NATs) traffic leaving through the tun0 interface, so that our wlan0 traffic goes out over the tunnel connection.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

8. With that done, let’s now save our iptables rules to overwrite the old rules we set up in our Wireless Access Point tutorial.

To do this run the following command on the Raspberry Pi.

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

9. As we now have the firewall set up and ready to go, we need to adjust the OpenVPN client’s configuration file.

Begin editing the file by running the following command.

sudo nano /etc/default/openvpn

10. In this file, find the following line and change it so that it is both uncommented and “all” is replaced with the name of the file you modified in Step 1 of this section.

You can see our example below.

Find

#AUTOSTART="all"

Replace with

AUTOSTART="au514"

11. Once you have made the required changes to the OpenVPN configuration file, you can save and exit by pressing CTRL + X then Y and finally ENTER.

12. You should now be able to see if everything is working by restarting your Raspberry Pi.

Upon startup, it should automatically make the connection to your VPN, establish the tunnel and then forward traffic from your wireless access point through the tunnel.

sudo reboot

The easiest way to verify that your VPN access point is working as intended is to check to see if your IP address differs from devices not connected through the VPN.

Alternatively, your VPN provider likely displays whether you are “Protected” at the top of their website. Both of our examples, NordVPN and VyprVPN, provide this feedback.

Preventing DNS Leaks

You might find that you get DNS leakage, but a small tweak can easily fix this on your Raspberry Pi. The change is forcing our DNS to run via Cloudflare’s public DNS rather than the internet service provider’s.

1. First, open the dhcpcd configuration file and update the following line.

Open

sudo nano /etc/dhcpcd.conf

Find

#static domain_name_servers=192.168.0.1

Replace with

static domain_name_servers=1.1.1.1

2. Save & exit the file.

3. Now reboot your Pi by entering the following command.

sudo reboot

4. Go to ipleak.net and check that your DNS is no longer leaking. If it is still leaking, then you might want to make sure WebRTC isn’t leaking.
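
The settings changed in the "Setting up the VPN Access Point" and "Preventing DNS Leaks" steps can be re-checked at any time with a small read-only audit script. This is an added example, not part of the original tutorial: the function names are hypothetical, and the default config name au514 and the file paths are the ones used on this page. It also checks that auth.txt is closed to other users, which the steps above do not do.

```sh
#!/bin/sh
# Added example: read-only audit of the files this tutorial edits.
# Usage: sh audit.sh [config-name]   (default au514, the page's example)

# 0 if the config reads credentials from a file: "auth-user-pass <file>".
conf_uses_auth_file() {
    grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+[^[:space:]#]' "$1" 2>/dev/null
}

# 0 if group and others have no access to the credentials file (600/400).
# A file created with "sudo nano" is usually 644: sudo chmod 600 <file>
auth_file_private() {
    perms=$(ls -ldL -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# 0 if the saved ruleset masquerades out of tun0 and out of nothing else,
# i.e. the eth0 rule from the access point tutorial is really gone.
nat_only_via_tunnel() {
    nat=$(grep -e '-j MASQUERADE' "$1" 2>/dev/null) || return 1
    printf '%s\n' "$nat" | grep -q -e '-o tun0 ' || return 1
    if printf '%s\n' "$nat" | grep -v -e '-o tun0 ' | grep -q .; then
        return 1
    fi
    return 0
}

# 0 if dhcpcd.conf has an active (uncommented) static resolver line.
dns_pinned() {
    grep -Eq '^[[:space:]]*static[[:space:]]+domain_name_servers=[0-9A-Fa-f]' "$1" 2>/dev/null
}

# check <label> <command...>: print PASS/FAIL and count failures in $fails.
check() {
    label=$1; shift
    if "$@"; then
        echo "PASS  $label"
    else
        echo "FAIL  $label"
        fails=$((fails + 1))
    fi
}

# audit <conf> <auth file> <saved rules> <dhcpcd.conf>: returns failure count.
audit() {
    fails=0
    check "config loads credentials from a file"   conf_uses_auth_file "$1"
    check "credentials file closed to group/other" auth_file_private "$2"
    check "NAT only through tun0"                  nat_only_via_tunnel "$3"
    check "DNS servers pinned in dhcpcd.conf"      dns_pinned "$4"
    return "$fails"
}

name=${1:-au514}
if audit "/etc/openvpn/$name.conf" /etc/openvpn/auth.txt \
         /etc/iptables.ipv4.nat /etc/dhcpcd.conf; then
    echo "all checks passed"
else
    echo "fix the FAIL lines above, then re-run"
fi
```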

Hopefully, by now you should have a fully operational Wireless Access Point that will route all its traffic through our OpenVPN tunnel to the VyprVPN or NordVPN service.

You should be left with a stable and fast VPN connection and an easy way to switch to a more secure connection.

If you come across any issues or have some feedback related to this Raspberry Pi VPN access point tutorial, then please don’t hesitate to leave a comment below.


36 Comments

  1. JiM

    Preventing DNS leaks:

    static domain_name_servers=1.1.1.1

    For Malware and Adult Content Blocking
    Primary DNS: 1.1.1.3
    Secondary DNS: 1.0.0.3

  2. Michel P

    I used the tutorial with ExpressVpn and it worked without a problem on buster lite / PI 3A+.
    2 remarks:
    - If the apt-get upgrade caused a kernel upgrade, it’s better to perform a reboot sooner than later, as some commands might fail otherwise (sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE in my case).
    - While setting up the AP, the command “sudo systemctl start hostapd” failed until I used “sudo rfkill unblock wifi” beforehand.

    Now, I’m having a problem with the internet connection not coming back after being dropped. I looked in syslog, the openvpn log and journalctl -ex and could not see anything unusual. Once my 4G router loses the internet connection even for a few seconds, the PI cannot recover and has to be rebooted. Still looking…

  3. Connor

    Currently using this solution with a TorGuard VPN and it also works! Thanks for the writeup.

  4. AM

    Hi,
    I’m using NordVPN and set it up as described. The extended test on dnsleaktest.com results with no leaks, but when connecting to ipleak.net it shows the ipv6 address of my real location, while the ipv4 address is shown as the one of NordVPN. Are there additional configurations that must be made on my raspberry?

    Greetings,
    AM

    1. Gus
      Editor

      Hi AM,

      Due to the way ipv6 works, currently most, if not all, VPN services don’t support it.

      To fix this issue you will need to disable ipv6 on the Raspberry Pi or on your router.

      The following method of disabling ipv6 on the Raspberry Pi is untested since my ISP is in the dark ages and doesn’t support ipv6 yet.

      Open sysctl.conf

      sudo nano /etc/sysctl.conf

      In here add the following lines.

      net.ipv6.conf.all.disable_ipv6 = 1
      net.ipv6.conf.default.disable_ipv6 = 1
      net.ipv6.conf.lo.disable_ipv6 = 1

      After that run the following.

      sudo sysctl -p

      Now run the following.

      cat /proc/sys/net/ipv6/conf/all/disable_ipv6

      It should report 1, if it reports 0 then it's still enabled.

      If the above doesn't work, then you may need to look at disabling it on the router.

  5. RonF

    I have run it with PIA and got everything working fine. My only question is what kind of VPN this is:

    PPTP, IPSEC, L2TP?

    To what level of encryption is OpenVPN taking us?

  6. Dan

    Hi Gus,

    Do you know if you can use a second wireless adaptor to be the “internet” connection to the Pi instead of over Eth? I regularly roam around the country and use various WiFi hotspots in hotels and theatres. I’d love to be able to tell the Pi which AP to connect to and then browse the internet using my own AP, which is tunnelled through the VPN.

    Cheers,
    D

  7. Jaime

    Hi,
    you recommend Raspberry Pi 2 or 3, but will this work on a original Raspberry Pi (1) as well?

    Thanks!

    1. Gus
      Editor

      As far as I am aware it should work just fine but I haven’t been able to test it so I can’t guarantee that it will work.

  8. Michael

    Hello, everything works so far. I am using Nord VPN and not Viper. I can connect to Nord VPN but once I connect, I internet connectivity. Anyone else have this issue?

  9. Andy

    I have followed your previous guide to set my R Pi 3 up as a Router. This worked flawlessly thanks.

    I am now trying to set up the VPN in this guide but using PureVPN. I have tried using both this guide and the openVPN guide from the PureVPN support pages.

    I have connected my firestick to my RPi router but I am still seeing my own IP.

    Could you please write the amended steps to complete this set up for PureVPN?

  10. Tyson

    Would this method work alongside Pi-Hole? If so, what are additional steps to take to ensure it works properly?

  11. Evan Thompson

    Has anyone else who has got this working tested if there is a DNS leak?

    I’ve run https://www.dnsleaktest.com and it correctly identifies that I’m living in New Zealand.

    I’m using privateinternetaccess, I’ve tried adding the lines to the ovpn script but no success

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

    Thanks

    1. Gus
      Editor

      There is no DNS leak when using vyprvpn but I am unable to say about privateinternetaccess.

      Been running this exact setup for months without any issues.

    2. Evan Thompson

      I have now signed up with vyprvpn but I’m still having problems.

      Using Roku stick to connect to the Pi both NowTV and Amazon detect I’m from an external region.

      When I run the standard DNS leak test on the website dnsleaktest.com it says that

      Hello 178.xxx.xxx.xx
      from London, United Kingdom
      but the standard test shows a DNS leak.

      results:
      Test complete
      Query round Progress... Servers found
      1 ...... 1
      IP Hostname ISP Country
      203.xxx.xxx.x wlg-wtc-xxxx.xxx.net The Internet Group LTD New Zealand

      I’ll check out MichaelMotorcycle response on the subject.

    3. MichaelMotorcycle

      In your *.ovpn file, you need to add a few things. On a system pre-systemd version 229, make sure openresolv is installed, otherwise the lines you added won’t do anything in regards to update-resolv-conf. Also, you need to point to where the *.crt files and *.key files are located, possibly others, depending on the VPN service you are using. In the *.ovpn file, you should see something like ca CACertificate.crt. Just edit it to point to where the actual files are located: EXAMPLE: ca /etc/openvpn/TBear/CACertificate.crt -> auth-user-pass /etc/openvpn/TBear/auth.txt ->pk /etc/openvpn/TBear/PrivateKey.key. Wherever you put those files when you downloaded them, just point to them. Should also chmod 700 that auth.txt file to keep prying eyes off it also. I had DNS leaks before I did this, now, no more. Tested this with Tunnel Bear VPN.

  12. Adam

    Hi, new to Raspberry Pi here but trying to learn. A few questions:

    1) Would it be possible to add a VPN kill switch to this setup?

    2) Can anything be done to counteract DNS leaks?

    3) What happens if the VPN tunnel or Raspberry Pi goes down, will everything restart/re-connect? Would my real IP leak during re-connection?

    Thanks.

  13. Alex

    Great tutorial, works well with Private Internet Access. Thank you !

    1. Robert

      How did you get this setup with private internet access??

    2. Evan Thompson

      You need to change steps 5 and 6
      Create a folder for private internet access
      sudo mkdir pia
      cd pia
      sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
      sudo unzip openvpn.zip

      Step 11
      sudo openvpn --config "/etc/openvpn/pia/UK Southampton.ovpn" --auth-user-pass /etc/openvpn/auth.txt
      Note that at the end of step 11 I wasn’t sure how to return to the Linux command line, so I closed my Putty session and opened a new one and continued on.
      Step 16 will also need to be changed to reflect the server you choose (e.g. UK Southampton)

      My VPN seemed to work for Amazon; however, Netflix and BBC iPlayer failed to run as they detected I was using a VPN. Odd as when I choose UK Southampton from the Private Internet Access Windows app it seems to work.

  14. Bob

    Can this build change VPN access points or is it static once set up? I don’t know how vyperVPN works but Private Internet Access gives several servers in different locations you can choose between.

  15. henry

    I am having problems with step 11

    1. Gus
      Editor

      What exactly are you having problems with? Any errors would be very handy, as it’s working just fine on my end.

  16. henry

    Cannot unzip the files on step 5

    1. Gus
      Editor

      Works fine on my end, again any errors would be appreciated.

  17. Ali aka The Rasberry PI Guy ?

    Hey gus, can you please tell me if there are any free VPN providers that work with this? Thanks 😉

    1. Gus
      Editor

      If they support ovpn then they should work just fine but I haven’t really tested or looked into free VPN providers.

  18. Bill s

    Missing something in step 4?

    1. Gus
      Editor

      Was a mistake, it’s been fixed now. Thanks for noticing!

    2. Bill S.

      Cool. I thought it was a typo. Thanks for the update.

      Great article!

  19. Martyn

    Will this work with other vpns such as IPVanish?

    1. Gus
      Editor

      It should work but I haven’t tested it with any of the others. If the VPN provider supports ovpn then it should work without any issues.

    2. Gustavo

      I tested it with Perfect-Privacy, IPVanish and NordVPN.
      But as OP said, it works with any VPN Provider that supports OVPN, which is almost all of them AFAIK.

      @Gus: Thanks for this awesome guide.

    3. Paul

      Yes it does, I used IPVanish on my Pi3
      Cheers

      Paul

    4. Will

      Just want to add that it also works with Strong VPN as well!

    5. James

      Only if the VPN you use supports it; check their documentation. For instance, my friend asked me to help him do this, but his VPN did not support it. You could not install his VPN on a VPN-capable router either.