To use your Raspberry Pi as a hotspot or access point is actually quite easy. You will find a lot of guides that talk about lengthy manual configurations via commandline with hostapd and so on. But it is actually much easier if you use RaspAP. Not only is the installation much easier – you also get a graphical interface (GUI) to manage your Wi-Fi hotspot or access point. Once this is done you only need a few simple additional steps to turn your Raspberry Pi into a VPN router. RaspAP does work Raspbian Buster that I am using in this tutorial.
Quick guide how to use your Raspberry Pi as a VPN router
To use your Raspberry Pi as a VPN router seems to be more complicated that it actually is. In a nutshell those are the steps required:
- Install Raspbian Buster onto your Raspberry Pi. I am using Raspbian Light as a graphical interace is not necessary.
- Get RaspAP up and running. This turns your Raspberry Pi into a Wi-Fi hotspot or access point.
- Get a VPN that runs on Raspbian and ideally one with a command line client. I’m using NordVPN* as it has one of the most versatile Linux clients on the market. You can try NordVPN as the service offers a 30-day money-back-guarantee. It is without a doubt one of the best VPNs on the market.
- Install the VPN on Rasbian and connect to a server.
- Enjoy your VPN router!
Prerequisites for using RaspAP on a Raspberry Pi
For this to work, you need a Raspberry Pi with two network cards. One of them must logically be a wireless network card (Wi-Fi) because it serves as a hotspot or access point. The other network card could theoretically also be a wireless network card, but better is the integrated Ethernet interface. The Raspberry Pi 4 shown below also works, of course.
Let’s put it this way: The easiest way is to use a Raspberry Pi that already has an Ethernet and wireless interface. The Pi expert knows immediately that we are talking about the Pi 3 B upwards. For Pis without an integrated Wi-Fi card, it’s best to use a cheap, compatible USB network interface. I have had very good experiences with the Edimax. The cost is about 7 Euro.
Logically you need a suitable power supply, a microSD card and so on. With the microSD card a relatively small one is enough, but you hardly get anything under 16 GByte these days. They only cost about 10 Euro – so that’s affordable. You also need a network cable if you want to follow my instructions.
Mouse, keyboard and screen are not necessary! As already mentioned, I use Raspbian Buster as my operating system. But the lite version is enough for me, and we configure the operating system so that you can access it immediately via SSH.
Which Raspberry Pi should I use for the hotspot?
That’s a good question. The new Raspberry Pi 4 is powerful and works very well but it needs more power than its predecessors. If you don’t want to buy an additional network card, you can use both Pi 3 B and Pi 3+ B. The most energy saving would probably be a Raspberry Pi Zero W, if you extend it with an Ethernet interface. It might not powerful enough for a task like that but I didn’t test it to be honest.
I tested RaspAP with a Raspberry Pi 3+ and used the integrated network interfaces. The Ethernet interface was connected to the router. This is my gateway to the Internet.
Install Raspbian Buster Lite on the microSD card
In the download area of the project page you can find the image for Raspbian Buster Lite. It has 426 MB and should be downloaded relatively fast.
As soon as you have the image, you can upload it to your microSD card. I use Etcher because it’s the most convenient way. But also dd or other options are possible.
Depending on the OS and speed of the microSD card, the installation may take a while. Once the image has been installed, mount the microSD card again, because we immediately prepare the operating system for remote access.
SSH access from the beginning
Simply create an empty ssh file on the boot partition without an extension. This is very easy under Linux. For example, the command touch ssh is sufficient. The boot partition looks like this afterwards:
If the file ssh exists, Raspbian activates the SSH server at system startup and you can access the operating system via Secure Shell. This way you don’t need a screen, keyboard or mouse. If you connect the Pi to the router via the Ethernet network cable, no further configuration is necessary, because the Pi is assigned an IP address by the DHCP server of the router.
It gets a little more complicated if there is no DHCP server in the network or if you want to use a wireless network card as gateway. As already mentioned, the Pi in my case uses a network cable.
Determining the IP address of the pi
If you have started the Raspberry Pi, then you find out the IP address. Usually it is enough to check the router. Most routers tell you which devices are within the network and which IP addresses have been assigned.
I like to assign static IP addresses to such devices. Normally you can assign an IP address to a MAC address in the DHCP server of the router. This way the Raspberry Pi always gets the same IP address and you don’t have to configure it within the operating system. Another advantage of this method is that the DHCP server does not assign the IP address to any other device. DNS servers and so on are also assigned to the PI by the router.
As soon as you know the IP address, remote access should be possible. In my case, the IP address was 192.168.1.2. By default, the name and password of the SSH access on a Pi are: pi and raspberry:
On first access you have to confirm that an access is really granted.
As soon as you are logged on to the Raspberry Pi, you should change the password for the user pi immediately, otherwise everyone in the same network can get access to your device. Either you use the command passwd or you open the Pi configuration:
This opens the commandline configuration tool.
Because the configuration tool is already open, you can also set the country settings right away – if necessary:
Update Raspbian Buster straight away
It is also advisable to update the system. An upgrade never hurts and Raspbian know the drill anyways:
sudo apt update sudo apt dist-upgrade sudo reboot
Now you need to restart the device before you continue. After that you habe to reconnect to the Pi via SSH. Once the operating system Raspbian Buster is updated and the system restarted, we can convert the Pi into hotspot with RaspAP.
Installing RaspAP – step by step
Now we install RaspAP. The project page can be found at raspap.com. We don’t have to visit it directly, but it doesn’t hurt to know the source. If you are logged in on your Pi, you install RaspAP just like that:
wget -q https://git.io/voEUQ -O /tmp/raspap && bash /tmp/raspap
The installation ist starting now:
During the installation I had to answer two questions, both of which I answered with Yes: http-cookies -> Yes – Control service -> Yes
That’s all and it! RaspAP is installed on your system!
As you can see in the screenshot, the system wants to restart. So we do RaspAP the favor.
IP address of RaspAP or the hotspot
By default, the hotspot gateway has the IP address 10.3.141.1. This is fine because it does not interfere with the other 192.168.1.x network. I have not changed anything at this point. As DHCP area RaspAP is preconfigured with 10.3.141.50 to 10.3.141.255.
By default RaspAP has the name raspi-webgui as SSID and the password is ChangeMe. The hotspot or access point is now ready for use and you can log in. You can change the password and SSID in the WebGUI if you want.
RaspAP’s web gui
You configure your hotspot completely via your browser. Either you log in to the hotspot and use URL 10.3.141.1 or you are in another network and open the admin interface with (in my case) 192.168.1.2.
By default you log in with admin and secret. At this point I would advise you to change all passwords first and adapt the hotspot to your needs. You can also configure the DHCP server via the web gui. Here are some screenshots, how it looks like.
Under Configure hotspot -> Basic you can configure how the Pi hotspot should be found. In my case I changed it to pi-hotspot for example.
That works and I can connect:
A ping to my website confirms to me that I can access the internet via RaspAP.
You change the password for the hotspot under Configure hotspot -> Security. Maybe you want to change Security type to WPA + WPA2.
The settings or the DHCP server are under Configure DHCP Server:
In most cases you don’t have to change these settings.
More settings for RaspAP
The hotspot software also offers a console.
However, it is only of limited use, since it does not give you root access and you cannot switch with sudo. I would leave that as is and manage the operating system exclusively via SSH.
You don’t like the theme? Change it! There are a few other options like a terminal theme.
if you open the Dashboard you always see the most important settings straight away.
As you can see, the installation of RaspAP is very simple. But basic knowledge of networks in general is helpful.
Changing the DNS server of RaspAP
By default, RaspAP uses 126.96.36.199 (Cloudflare) and 188.8.131.52 (Google) as DNS servers. The DNS servers are stored in the file /etc/dhcpcd.conf.
If you want to use your own, change this here. Maybe you have the adblocker Pi-Hole in your network and RaspAP should use it as DNS server. FreeDNS is also a nice alternative.
Your Raspberry Pi is now a working Wi-Fi hotspot or access point. Now we will turn it into a VPN router. Did you already register with NordVPN?
Once you have RaspAP installed and running, take the next step and build your own VPN router. These are just a few additional steps. In this article, I’ll explain step-by-step how it works.
VPN router only counts as one device!
Many VPN providers allow the use on a router and your Raspberry Pi will only count as 1 device or 1 connection, no matter how many smartphones, tablets and computers are connected to it.
That is a nice advantage if you ask me. Furthermore you can use it as a Wi-Fi access point for devices where no VPN client does exist for. Connect your Chromecast to the VPN router, your Smart TV, your gaming console and so on.
A VPN router is also a very good choice if you want to connect a Kodi device to it. LibreELEC is a very nice operating system if you want to install Kodi on a Raspberry Pi. But there are no easy to use VPN apps for Kodi or LibreELEC. But you could connect your LibreELEC device to your VPN router and circumvent the issue.
Don’t forget the rise of IoT (Internet of Service) devices! A lot of them will connect to Wi-Fi but have very limited options to install additional software. For a lot of those devices the only option to use a VPN is a VPN router.
If your Raspberry Pi acts as a VPN router your don’t need to install a client on every device you want to use the VPN. Just connect the Pi to the server or country you want to use and connect the devices to the Pi. It really is that simple.
So let’s get started and turn the Raspberry Pi into a VPN router.
Do all VPNs work?
In theory any provider that provides ovpn files works. This allows you to connect to the provider manually via the OpenVPN protocol. First, I’ll show you how to use the Linux client from NordVPN to build a VPN router as this is the most convenient way. After that I’ll tell you how it works with a normal OpenVPN connection.
Install NordVPN on the Raspberry Pi and turn it into a VPN router
If you want to follow my instructions, you need a subscription to NordVPN. It’s great that the VPN provider offers a 30-day money-back-guarantee. You can first try out whether your Raspberry Pi runs properly as a VPN router and if not, you simply demand your money back. The provider doesn’t ask stupid questions and usually refunds very quickly.
My Raspberry Pi runs headless – without peripheral devices like screen, mouse and keyboard. I log on to the device via SSH. After that I download the deb file from NordVPN.
wget -c https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn-release_1.0.0_all.deb
Now you install the file via shell:
sudo dpkg -i nordvpn-release_1.0.0_all.deb
The deb file is basically only setting up the repository. You have to update the package information and after that you instal the Linux client of NordVPN.
sudo apt update sudo apt install nordvpn
It looks like this:
Setting up the NordVPN client
The first step is to log on to the client with your access data from NordVPN:
Now the client asks for username and password.
The Linux client of NordVPN provides a so-called Whitelist. I put port 22 here to be on the safe side so that SSH access is possible in any case.
nordvpn whitelist add port 22
You can review the settings with the following command:
Quickconnect to NordVPN work like that:
Important! Now the Raspberry Pi does not work anymore as a hotspot or access point! If you are still connected to the Pi hotspot you won#t feel a difference. But new connections are impossible – so we need to fix that.
NordVPN changes iptables on our VPN router
The reason for the behavior is that the Linux client of NordVPN modifies iptables. You can view the current rules with that command:
sudo iptables -S
If you do that before and after a connection to the VPN network you see what I mean:
If I want to connect to the Pi Hotspot now, I don’t even get an IP address anymore. That’s why I execute the following two commands and the hotspot assigns me an IP address again and works as designed:
sudo iptables -P INPUT ACCEPT sudo iptables -P OUTPUT ACCEPT
However, the device does not route my traffic to the Internet. Therefore the following iptables entries are necessary.
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
Now everything works as designed – but there still is a little catch.
Making the settings for VPN router permanent
With the commands shown above, the settings are only temporary. They are lost as soon as you restart the Raspberry Pi. The first two commands will also be overwritten when you connect to another NordVPN server.
Now there are several options to make the settings permanent. Of course, I want NordVPN to connect to the startup immediately. A cronjob via /etc/crontab is an option. For this I first create a script file, which I simply call nordvpn.sh.
I put the following lines into it:
I neeed the line sleep 30 because the NordVPN daemon needs a bit after the system starts and the command
nordvpn c UK
would not be executed. As you can imaging that command would connect me to a server in the UK. In this case you would be able to stream BBC iPlayer for example.
I tried with sleep 20 and sometimes it worked – sometimes it didn’t. So I opted in for a 30 second wait and that is OK. The file need to be executable as well.
chmod +x nordvpn.sh
Now I put the following line at the end of the file /etc/crontab:
@reboot pi /home/pi/nordvpn.sh
It looks like this now:
Tip: If you want to execute the script via /etc/rc.local be aware that the user pi has to run the command. The login data of NordVPN are stored per user and that is in this case pi. Per default the user root will be in charge of the file rc.local!
su pi -c '/path/to/script'
The above command would execute the file as user pi.
Connect automatically to the VPN – VPN router has to be reconfigured
It is possible that the connection to the VPN network fails – that happens once in a while. In this case, the data traffic of your device would no longer be routed through the VPN network. We want the VPN to reconnect automatically in the event of a failure. You can do this with the command:
nordvpn set autoconnect on
This would also automatically connect the VPN client when the device is restarted. However, the iptables entries are missing and therefore I run my script once the system starts.
You can also specify a country with autoconnect:
nordvpn set autoconnect enabled UK
The software would connect you automatically to the UK.
What happens if the connection goes down?
I disconnected the router from the Internet (pulled the cable) and waited a minute to see what happens. After plugging the cable back in, the DSL line first synchronized and shortly afterwards the Internet connection was restored.
My VPN router still worked as before. If you want to be on the safe side, you could run another mini script every minute as a cronjob. For example, call the crontab as user pi:
and use a line like that:
* * * * * /home/pi/nordvpn-minute.sh > /dev/null 2>&1
If everything is fine, the script has no effect. If the VPN connection is established, it will not be re-established. In case the iptables settings are correct, the system will not overwrite them. The output of the cronjob is transferred to /dev/null (digital black hole).
The reason for the script is clear. If the VPN daemon connects completely new, it sets INPUT and OUTPUT to DROP and our hotspot doesn’t work anymore.
Yeah, it’s not the most elegant method but it seems to work reliably. I have tried it. If you run the command via cronjob, you don’t have to worry about it at startup. At the latest one minute after the NordVPN daemon is available, a connection to the VPN network is established.
You may even want the VPN router to stop working if it fails. This would also be a kind of kill switch and you can see what went wrong.
In the end, you’ll have to experiment a bit to see which solution works best for you. But with a little patience, trial and error, your VPN router will be up and running in no time.
A few thoughts regarding the VPN router
You may want to restart your VPN router once a day. You could also do that with a cronjob.
If you disconnect the VPN connection and then log in again, you might get a faster server assigned.
A WebGUI where you can enter the country you want to connect to would be pretty fancy. Maybe that is a project you want to do afterwards. Shouldn’t be too complicated to be honest but you need a webserver installed.
OpenVPN – connect the VPN router via ovpn file
Most good VPN providers provide ovpn files so you can set up an OpenVPN connection manually. Clients have the advantage that you can change the country more conveniently. The client of NordVPN has another advantage. You can use CyberSec and the obfuscated servers. CyberSec is a neat feature because it blocks ads, tracker, and malware. Every device that is connected to the VPN router will benefit from CyberSec! The obfuscated servers also known as stealth servers are nice in coutries with strong censorship. They might help to beat geoblocking from streaming providers as well.
A connection via ovpn file has the advantage that the hotspot works as designed without any problems. The command does not add any new iptables rules at all.
For this to work, you have to install OpenVPN on the Raspberry Pi:
sudo apt install openvpn
Then get the ovpn file you want. To stick to the NordVPN example, you will find the OpenVPN configuration files for all servers on this page. The list is quite long and if you’re looking for a particular server, the page with all the servers is more convenient.
Just with that file you already can establish a connection.
sudo openvpn uk1418.nordvpn.com.udp.ovpn &
Now you have to enter Username and Password. That should be the case with most VPN providers.
It’s OK for a test but you can’t connect automatically like that. If you want to do that you need a file e.g. auth.txt. It hast to be in the same directory as the ovpn file.
The first line holds the Username and the second line is the Password!
Then enter or modify the following line in your ovpn file: auth-user-pass auth.txt
If you use the OpenVPN command from above again your system automatically logs on to the VPN server. Now you can also automate the process.
Be careful! DNS leak!
However, you will continue to use the DNS servers of the hotspot. If you have not changed them, they are the 184.108.40.206 (Cloudflare) and 220.127.116.11 (Google) defined by RaspAP. You can find them in the file /etc/dhcpcd.conf. The static IP address of wlan0 is stored there as well by the way.
This is basically a DNS leak. With my solution and the client of NordVPN I also use the DNS servers of the VPN provider and therefore my DNS queries are anonymous.
Of course you can also solve this differently. Maybe you have a Pi-hole in the network anyway and use it as DNS server. There are many possibilities here, including FreeDNS. I just wanted to point out the potential DNS leak here.
Does that also work with NordLynx (WireGuard)?
If I use the WireGuard option of NordVPN – called NordLynx – I get problems with the VPN router. The first one is that the network interface is not called tun0 like with OpenVPN. Every server gets it’s own name.
If I change that manually and replace tun0 with the appropriate network interface in my iptables entries, I get an Internet connection. However, my smartphone claims not to be connected.
I would have to use a script to find out the new network card first and then make the corresponding routing entries. Although WireGuard is slightly faster than OpenVPN, it’s maybe not worth the effort. The solution with OpenVPN as VPN router works very well and that is not a snail either.
However there is a solution with the following rules for iptables:
sudo iptables -t nat -A POSTROUTING -o nordvpn+ -j MASQUERADE sudo iptables -A FORWARD -i nordvpn+ -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i wlan0 -o nordvpn+ -j ACCEPT
It works because all the WireGuard interfaces of my VPN provider start with nordvpn. That is the common ground here.
Would you like to make your own VPN router now? It’s really not difficult and NordVPN is a good partner for it.
As I said, most reputable VPN providers should provide the resources for your project. I like NordVPN because I can use the commandline client under Linux. But the provider also provides a great Android client. It is one of the most user-friendly providers on the market.
With NordVPN you can use up to 6 devices simultaneously. Because a VPN router is allowed, your Raspberry Pi counts as 1 device, no matter how many others are connected to it.
The VPN provider also allows torrent downloads and P2P connections / file sharing.