VPN Router – Raspberry Pi, RaspAP and NordVPN (Wi-Fi Hotspot / Access Point)

To use your Raspberry Pi as a hotspot or access point is actually straightforward. You will find many guides that talk about lengthy manual configurations via command line with hostapd and so on. But it is actually much easier if you use RaspAP. Not only is the installation much easier – you also get a graphical interface (GUI) to manage your Wi-Fi hotspot or access point. Once this is done, you only need a few simple additional steps to turn your Raspberry Pi into a VPN router. RaspAP does work Raspbian Buster that I am using in this tutorial.

Quick guide how to use your Raspberry Pi as a VPN router

To use your Raspberry Pi as a VPN router seems to be more complicated that it actually is. In a nutshell those are the steps required:

  • Install Raspbian Buster onto your Raspberry Pi. I am using Raspbian Light as a graphical interface is not necessary.
  • Get RaspAP up and running. This turns your Raspberry Pi into a Wi-Fi hotspot or access point.
  • Get a VPN that runs on Raspbian and ideally one with a command line client. I’m using NordVPN as it has one of the most versatile Linux clients on the market. You can try NordVPN as the service offers a 30-day money-back-guarantee. It is undoubtedly one of the best VPNs on the market. Try NordVPN 30 days without risk!*
  • Install the VPN on Rasbian and connect to a server.
  • Enjoy your VPN router!

Prerequisites for using RaspAP on a Raspberry Pi

For this to work, you need a Raspberry Pi with two network cards. One of them must logically be a wireless network card (Wi-Fi) because it serves as a hotspot or access point. The other network card could theoretically also be a wireless network card, but better is the integrated Ethernet interface. The Raspberry Pi 4 shown below also works, of course.

Raspberry Pi 4 – RaspAP is working quite well on it and we ca use it as a VPN router (source: raspberrypi.org)
Raspberry Pi 4 – RaspAP is working quite well on it and we ca use it as a VPN router (source: raspberrypi.org)

Let’s put it this way: The easiest way is to use a Raspberry Pi that already has an Ethernet and wireless interface. The Pi expert knows immediately that we are talking about the Pi 3 B upwards. For Pis without an integrated Wi-Fi card, it’s best to use a cheap, compatible USB network interface. I have had very good experiences with the Edimax. The cost is about 7 Euro.

Logically you need a suitable power supply, a microSD card and so on. With the microSD card a relatively small one is enough, but you hardly get anything under 16 GB these days. They only cost about 10 Euro — affordable so. You also need a network cable if you want to follow my instructions.

Mouse, keyboard and screen are not necessary! As already mentioned, I use Raspbian Buster as my operating system. But the lite version is enough for me, and we configure the operating system so that you can access it immediately via SSH.

Which Raspberry Pi should I use for the hotspot?

That’s a good question. The new Raspberry Pi 4 is powerful and works very well but it needs more power than its predecessors. If you don’t want to buy an additional network card, you can use both Pi 3 B and Pi 3+ B. The most energy saving would probably be a Raspberry Pi Zero W, if you extend it with an Ethernet interface. It might not powerful enough for a task like that but I didn’t test it to be honest.

My scenario

I tested RaspAP with a Raspberry Pi 3+ and used the integrated network interfaces. The Ethernet interface was connected to the router. This is my gateway to the Internet.

Install Raspbian Buster Lite on the microSD card

In the download area of the project page you can find the image for Raspbian Buster Lite. It has 426 MB and should be downloaded relatively fast.

As soon as you have the image, you can upload it to your microSD card. I use Etcher because it’s the most convenient way. But also dd or other options are possible.

Installing Raspbian Buster Lite via Etcher – first step for our VPN router
Installing Raspbian Buster Lite via Etcher – first step for our VPN router

Depending on the OS and speed of the microSD card, the installation may take a while. Once the image has been installed, mount the microSD card again because we immediately prepare the operating system for remote access.

SSH access from the beginning

Simply create an empty ssh file on the boot partition without an extension. This is very easy under Linux. For example, the command touch ssh is sufficient. The boot partition looks like this afterwards:

Create the file ssh and you will get remote access
Create the file ssh and you will get remote access

If the file ssh exists, Raspbian activates the SSH server at system startup and you can access the operating system via Secure Shell. This way you don’t need a screen, keyboard or mouse. If you connect the Pi to the router via the Ethernet network cable, no further configuration is necessary because the Pi is assigned an IP address by the DHCP server of the router.

It gets a little more complicated if there is no DHCP server in the network or if you want to use a wireless network card as gateway. As already mentioned, the Pi in my case uses a network cable.

Determining the IP address of the pi

If you have started the Raspberry Pi, then you find out the IP address. Usually it is enough to check the router. Most routers tell you which devices are within the network and which IP addresses have been assigned.

I like to assign static IP addresses to such devices. Normally, you can assign an IP address to a MAC address in the DHCP server of the router. This way the Raspberry Pi always gets the same IP address and you don’t have to configure it within the operating system. Another advantage of this method is that the DHCP server does not assign the IP address to any other device. DNS servers and so on are also assigned to the PI by the router.

As soon as you know the IP address, remote access should be possible. In my case, the IP address was 192.168.1.2. By default, the name and password of the SSH access on a Pi are: pi and raspberry:

ssh pi@192.168.1.2

On first access you have to confirm that access is really granted.

As soon as you are logged on to the Raspberry Pi, you should change the password for the user pi immediately, otherwise everyone in the same network can get access to your device. Either you use the command passwd or you open the Pi configuration:

sudo raspi-config

This opens the command line configuration tool.

Change your password immediately
Change your password immediately

Because the configuration tool is already open, you can also set the country settings right away — if necessary:

Change locale if you want to
Change locale if you want to

Update Raspbian Buster straight away

It is also advisable to update the system. An upgrade never hurts and Raspbian know the drill anyway:

sudo apt update
sudo apt dist-upgrade
sudo reboot

Now you need to restart the device before you continue. After that, you have to reconnect to the Pi via SSH. Once the operating system Raspbian Buster is updated and the system restarted, we can convert the Pi into hotspot with RaspAP.

Installing RaspAP – step by step

Now we install RaspAP. The project page can be found at raspap.com. We don’t have to visit it directly, but it doesn’t hurt to know the source. If you are logged in on your Pi, you install RaspAP just like that:

wget -q https://git.io/voEUQ -O /tmp/raspap && bash /tmp/raspap

The installation is starting now:

Install RaspAP with wget
Install RaspAP with wget

During the installation I had to answer two questions, both of which I answered with Yes: http-cookies -> Yes – Control service -> Yes

RaspAP: installation PHP configuration
RaspAP: installation PHP configuration
RaspAP: installation control service
RaspAP: installation control service

That’s all and it! RaspAP is installed on your system!

RaspAP: installation finished – the groundwork for the VPN router is done
RaspAP: installation finished – the groundwork for the VPN router is done

As you can see in the screenshot, the system wants to restart. So, we do RaspAP the favor.

IP address of RaspAP or the hotspot

By default, the hotspot gateway has the IP address 10.3.141.1. This is fine because it does not interfere with the other 192.168.1.x network. I have not changed anything at this point. As DHCP area RaspAP is preconfigured with 10.3.141.50 to 10.3.141.255.

By default RaspAP has the name raspi-webgui as SSID and the password is ChangeMe. The hotspot or access point is now ready for use and you can log in. You can change the password and SSID in the web GUI if you want.

RaspAP’s web gui

You configure your hotspot completely via your browser. Either you log in to the hotspot and use URL 10.3.141.1 or you are in another network and open the admin interface with (in my case) 192.168.1.2.

By default, you log in with admin and secret. At this point I would advise you to change all passwords first and adapt the hotspot to your needs. You can also configure the DHCP server via the web GUI. Here are some screenshots, how it looks like.

Under Configure hotspot -> Basic you can configure how the Pi hotspot should be found. In my case I changed it to pi-hotspot for example.

RaspAP: Change the SSID of the hotspot
RaspAP: Change the SSID of the hotspot

That works and I can connect:

My Raspberry Pi is already working as a hotspot
My Raspberry Pi is already working as a hotspot

A ping to my website confirms to me that I can access the internet via RaspAP.

You change the password for the hotspot under Configure hotspot -> Security. Maybe you want to change Security type to WPA + WPA2.

Set the password of the hotspot / RaspAP
Set the password of the hotspot / RaspAP

The settings or the DHCP server are under Configure DHCP Server:

Configure the DHCP server of RaspAP
Configure the DHCP server of RaspAP

In most cases you don’t have to change these settings.

More settings for RaspAP

The hotspot software also offers a console.

RaspAP's console – certainly has it's limits
RaspAP’s console – certainly has it’s limits

However, it is only of limited use, since it does not give you root access and you cannot switch with sudo. I would leave that as is and manage the operating system exclusively via SSH.

You don’t like the theme? Change it! There are a few other options like a terminal theme.

RaspAP offers a terminal theme
RaspAP offers a terminal theme

if you open the Dashboard you always see the most important settings straight away.

Dashboard of RaspAP
Dashboard of RaspAP

As you can see, the installation of RaspAP is simple. But basic knowledge of networks in general is helpful.

Changing the DNS server of RaspAP

By default, RaspAP uses 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google) as DNS servers. The DNS servers are stored in the file /etc/dhcpcd.conf.

The DNS servers that RaspAP uses are in /etc/dhcpcd.conf
The DNS servers that RaspAP uses are in /etc/dhcpcd.conf

If you want to use your own, change this here. Maybe you have the adblocker Pi-Hole in your network and RaspAP should use it as DNS server. FreeDNS is also a nice alternative.

Your Raspberry Pi is now a working Wi-Fi hotspot or access point. Now we will turn it into a VPN router. Did you already register with NordVPN?

NordVPN – superb for router

Once you have RaspAP installed and running, take the next step and build your own VPN router. These are just a few additional steps. In this article, I’ll explain step-by-step how it works.

VPN router only counts as one device!

Many VPN providers allow the use on a router and your Raspberry Pi will only count as 1 device or 1 connection, no matter how many smartphones, tablets and computers are connected to it.

That is a nice advantage if you ask me. Furthermore, you can use it as a Wi-Fi access point for devices where no VPN client does exist for. Connect your Chromecast to the VPN router, your Smart TV, your gaming console and so on.

A VPN router is also an excellent choice if you want to connect a Kodi device to it. LibreELEC is a very nice operating system if you want to install Kodi on a Raspberry Pi. But there is no easy way to use VPN apps for Kodi or LibreELEC. However, you could connect your LibreELEC device to your VPN router and circumvent the issue.

Don’t forget the rise of IoT (Internet of Service) devices! A lot of them will connect to Wi-Fi but have very limited options to install additional software. For a lot of those devices the only option to use a VPN is a VPN router.

If your Raspberry Pi acts as a VPN router you don’t need to install a client on every device you want to use the VPN. Just connect the Pi to the server or country you want to use and connect the devices to the Pi. It really is that simple.

So let’s get started and turn the Raspberry Pi into a VPN router.

Do all VPNs work?

In theory any provider that provides ovpn files works. This allows you to connect to the provider manually via the OpenVPN protocol. First, I’ll show you how to use the Linux client from NordVPN to build a VPN router as this is the most convenient way. After that I’ll tell you how it works with a normal OpenVPN connection.

Install NordVPN on the Raspberry Pi and turn it into a VPN router

If you want to follow my instructions, you need a subscription to NordVPN. It’s great that the VPN provider offers a 30-day money-back-guarantee. You can first try out whether your Raspberry Pi runs properly as a VPN router and if not, you simply demand your money back. The provider doesn’t ask stupid questions and usually refunds rapidly.

NordVPN — big discount!*

My Raspberry Pi runs headless — without peripheral devices like screen, mouse and keyboard. I log on to the device via SSH. After that, I download the deb file from NordVPN.

wget -c https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn-release_1.0.0_all.deb

Now you install the file via shell:

sudo dpkg -i nordvpn-release_1.0.0_all.deb

The deb file is basically only setting up the repository. You have to update the package information and after that you install the Linux client of NordVPN.

sudo apt update
sudo apt install nordvpn

It looks like this:

Installation of NordVPN on Raspbian Buster – we need ot for the VPN router
Installation of NordVPN on Raspbian Buster – we need ot for the VPN router

Setting up the NordVPN client

The first step is to log on to the client with your access data from NordVPN:

nordvpn login

Now the client asks for username and password.

The Linux client of NordVPN provides a so-called Whitelist. I put port 22 here to be on the safe side so that SSH access is possible in any case.

nordvpn whitelist add port 22

You can review the settings with the following command:

nordvpn settings

Quick connect to NordVPN work like that:

nordvpn c

Important! Now the Raspberry Pi does not work anymore as a hotspot or access point! If you are still connected to the Pi hotspot, you won’t feel a difference. But new connections are impossible — so we need to fix that.

NordVPN changes iptables on our VPN router

The reason for the behavior is that the Linux client of NordVPN modifies iptables. You can view the current rules with that command:

sudo iptables -S

If you do that before and after a connection to the VPN you see what I mean:

iptables on our VPN router before and after a connection to the NordVPN network
iptables on our VPN router before and after a connection to the NordVPN network

If I want to connect to the Pi Hotspot now, I don’t even get an IP address anymore. That’s why I execute the following two commands and the hotspot assigns me an IP address again and works as designed:

sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT

However, the device does not route my traffic to the Internet. Therefore, the following iptables entries are necessary.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

Now everything works as designed — but there still is a little catch.

Making the settings for VPN router permanent

With the commands shown above, the settings are only temporary. They are lost as soon as you restart the Raspberry Pi. The first two commands will also be overwritten when you connect to another NordVPN server.

Now there are several options to make the settings permanent. Of course, I want NordVPN to connect to the startup immediately. A cronjob via /etc/crontab is an option. For this, I first create a script file, which I simply call nordvpn.sh.

nano nordvpn.sh

I put the following lines into it:

Start NordVPN with a delay on the VPN router
Start NordVPN with a delay on the VPN router

I need the line sleep 30 because the NordVPN daemon needs a bit after the system starts and the command

nordvpn c UK

would not be executed. As you can imagine, that command would connect me to a server in the UK. In this case you would be able to stream BBC iPlayer for example.

I tried with sleep 20 and sometimes it worked — sometimes it didn’t. So, I opted in for a 30-second wait and that is OK. The file need to be executable as well.

chmod +x nordvpn.sh

Now I put the following line at the end of the file /etc/crontab:

@reboot pi /home/pi/nordvpn.sh

It looks like this now:

As soon as the system starts the VPN connects and turns my Raspberry Pi into a VPN router
As soon as the system starts the VPN connects and turns my Raspberry Pi into a VPN router

Tip: If you want to execute the script via /etc/rc.local be aware that the user pi has to run the command. The login data of NordVPN are stored per user and that is in this case pi. Per default the user root will be in charge of the file rc.local!

su pi -c '/path/to/script'

The above command would execute the file as user pi.

Connect automatically to the VPN – VPN router has to be reconfigured

It is possible that the connection to the VPN fails – that happens once in a while. In this case, the data traffic of your device would no longer be routed through the VPN. We want the VPN to reconnect automatically in case of a connection failure. You can do this with the command:

nordvpn set autoconnect on

This would also automatically connect the VPN client when the device is restarted. However, the iptables entries are missing and therefore I run my script once the system starts.

You can also specify a country with autoconnect:

nordvpn set autoconnect enabled UK

The software would connect you automatically to the UK.

What happens if the connection goes down?

I disconnected the router from the Internet (pulled the cable) and waited a minute to see what happens. After plugging the cable back in, the DSL line first synchronized and shortly afterwards the Internet connection was restored.

My VPN router still worked as before. If you want to be on the safe side, you could run another mini script every minute as a cronjob. For example, call the crontab as user pi:

crontab -e

and use a line like that:

* * * * * /home/pi/nordvpn-minute.sh > /dev/null 2>&1

If everything is fine, the script has no effect. If the VPN connection is established, it will not be re-established. In case the iptables settings are correct, the system will not overwrite them. The output of the cronjob is transferred to /dev/null (digital black hole).

nordvpn-minute.sh as a cronjob every minute on the VPN router
nordvpn-minute.sh as a cronjob every minute on the VPN router

The reason for the script is clear. If the VPN daemon connects completely new, it sets INPUT and OUTPUT to DROP and our hotspot doesn’t work anymore.

DROP and not ACCEPT
DROP and not ACCEPT

Yeah, it’s not the most elegant method but it seems to work reliably. I have tried it. If you run the command via cronjob, you don’t have to worry about it at startup. At the latest one minute after the NordVPN daemon is available, a connection to the VPN is established.

You may even want the VPN router to stop working if it fails. This would also be a kind of kill switch and you can see what went wrong.

In the end, you’ll have to experiment a bit to see which solution works best for you. But with a little patience, trial and error, your VPN router will be up and running in no time.

A few thoughts regarding the VPN router

You may want to restart your VPN router once a day. You could also do that with a cronjob.

If you disconnect the VPN connection and then log in again, you might get a faster server assigned.

A web GUI where you can enter the country you want to connect to would be pretty fancy. Maybe that is a project you want to do afterwards. Shouldn’t be too complicated to be honest but you need a web server installed.

OpenVPN – connect the VPN router via ovpn file

Most good VPN providers provide ovpn files so you can set up an OpenVPN connection manually. Clients have the advantage that you can change the country more conveniently. The client of NordVPN has another advantage. You can use CyberSec and the obfuscated servers. CyberSec is a neat feature because it blocks ads, tracker, and malware. Every device that is connected to the VPN router will benefit from CyberSec! The obfuscated servers also known as stealth servers are nice in countries with strong censorship. They might help to beat geoblocking from streaming providers as well.

A connection via ovpn file has the advantage that the hotspot works as designed without any problems. The command does not add any new iptables rules at all.

Install OpenVPN

For this to work, you have to install OpenVPN on the Raspberry Pi:

sudo apt install openvpn

Then get the ovpn file you want. To stick to the NordVPN example, you will find the OpenVPN configuration files for all servers on this page. The list is quite long and if you’re looking for a particular server, the page with all the servers is more convenient.

Download the ovpn file for your VPN router
Download the ovpn file for your VPN router

Just with that file you already can establish a connection.

sudo openvpn uk1418.nordvpn.com.udp.ovpn &

Now you have to enter Username and Password. That should be the case with most VPN providers.

Please enter Username and Password
Please enter Username and Password

It’s OK for a test but you can’t connect automatically like that. If you want to do that, you need a file e.g. auth.txt. It hast to be in the same directory as the ovpn file.

The first line holds the Username and the second line is the Password!

Then enter or modify the following line in your ovpn file: auth-user-pass auth.txt

auth-user-pass auth.txt on our VPN router
auth-user-pass auth.txt on our VPN router

If you use the OpenVPN command from above again, your system automatically logs on to the VPN server. Now you can also automate the process.

Be careful! DNS leak!

However, you will continue to use the DNS servers of the hotspot. If you have not changed them, they are the 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google) defined by RaspAP. You can find them in the file /etc/dhcpcd.conf. The static IP address of wlan0 is stored there as well by the way.

This is basically a DNS leak. With my solution and the client of NordVPN I also use the DNS servers of the VPN provider and therefore my DNS queries are anonymous.

Of course, you can also solve this differently. Maybe you have a Pi-hole in the network anyway and use it as DNS server. There are many possibilities here, including FreeDNS. I just wanted to point out the potential DNS leak here.

Does that also work with NordLynx (WireGuard)?

If I use the WireGuard option of NordVPN — called NordLynx — I get problems with the VPN router. The first one is that the network interface is not called tun0 like with OpenVPN. Every server gets its own name.

If we use NordLynx / WireGuard the network interfaces have different names
If we use NordLynx / WireGuard the network interfaces have different names

If I change that manually and replace tun0 with the appropriate network interface in my iptables entries, I get an Internet connection. However, my smartphone claims not to be connected.

I would have to use a script to find out the new network card first and then make the corresponding routing entries. Although WireGuard is slightly faster than OpenVPN, it’s maybe not worth the effort. The solution with OpenVPN as VPN router works very well and that is not a snail either.

Speedtest with OpenVPN – it's fast enough for the VPN router
Speedtest with OpenVPN – it’s fast enough for the VPN router

However, there is a solution with the following rules for iptables:

sudo iptables -t nat -A POSTROUTING -o nordvpn+ -j MASQUERADE
sudo iptables -A FORWARD -i nordvpn+ -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o nordvpn+ -j ACCEPT

It works because all the WireGuard interfaces of my VPN provider start with nordvpn. That is the common ground here.

Would you like to make your own VPN router now? It’s really not difficult and NordVPN is a good partner for it.

NordVPN for your router!*

As I said, most reputable VPN providers should provide the resources for your project. I like NordVPN because I can use the command line client under Linux. But the provider also provides a great Android client. It is one of the most user-friendly providers on the market.

With NordVPN you can use up to 6 devices simultaneously. Because a VPN router is allowed, your Raspberry Pi counts as 1 device, no matter how many others are connected to it.

The VPN provider also allows torrent downloads and P2P connections / file sharing.

Leave a Reply

Your email address will not be published. Required fields are marked *