How to use Raspberry Pi 3 Model B as a VPN access point

Making a VPN access point by using a Raspberry Pi 3

The Raspberry Pi 3 full of capabilities and fun. You can do anything you want with a raspberry. In this case we are going to build a VPN access point(hotspot). What I mean is that we are going to create a wifi network which automatically redirects our normal traffic into the VPN network.

I tried to make a network topology in order to explain it visually.


  • Raspberry Pi 3 Model B
  • Ethernet cable
  • A computer in order to setup raspberry via ssh
  • A subscription of a VPN service provider which supports OpenVPN or just a OpenVPN config file(.ovpn)

Step 1: Update the Raspbian repositories[1]

sudo apt-get update
sudo apt-get upgrade

After the upgrade finishes reboot the Pi, sudo reboot

Step 2: Install the wireless access point packages

We are going to use two packages in order to make our raspberry into a wireless access point. The packages are:

  • hostapd - this is the package that lets us to create wifi hotspot
  • dnsmasq - this is a easy-to-use DHCP and DNS server package.

Let’s install these,

sudo apt-get install hostapd dnsmasq -y

Since we’re going to configure these packages we should stop them in order to prevent errors.

sudo systemctl stop hostapd
sudo systemctl stop dnsmasq

Step 3: Set a static IP for wlan0 interface

Use a text editor to edit /etc/dhcpcd.conf file and add the following lines to the end of the file. I use vim editor to do that.

sudo vim /etc/dhcpd.conf

Add the followings to the end of the /etc/dhcpd.conf file.

interface wlan0
static ip_address=
denyinterfaces eth0
denyinterfaces wlan0

I set IP for wlan0 interface due to the DHCP server of my home router gives an IP like 192.168.1.xx
The last two lines which are starting with deny are needed for the next steps(in order to make our bridge setup work).

Step 4: Configure DHCP server(dnsmasq)

As I said before we are going to use dnsmasq package as our DHCP server. “Dynamic Host Configuration Protocol (DHCP) is a protocol for assigning dynamic IP addresses to devices on a network”[2].

Since dnsmasq’s default configuration file is contains lots of unnecessary information(unnecessary for our case) it’s easier to start from strach. Let’s rename the default file and create an new one.

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo vim /etc/dnsmasq.conf

Add the followings into the new file that we have just created with vim.


With this config file I tell dnsmasq to give an IP to every hotspot client within the range of

Step 5: Configure the wifi access point(hostapd)

Create a config file into /etc/hostapd/ folder and call it hostapd.conf by using the following command.

sudo vim /etc/hostapd/hostapd.conf

And add the followings into this file


The last two lines are our new wifi access point name and its password. Edit these as you wish, NETWORK is the wifi name and PASSWORD is the wifi password.

Now, we need to show the system the location of the hostapd config file.
Open the /etc/default/hostapd file with your favorite text editor.

sudo vim /etc/default/hostapd

In this file find the #DAEMON_CONF=”” line and change it with this DAEMON_CONF="/etc/hostapd/hostapd.conf" and check that # symbol is removed from beginning of the line.

Step 6: Enable traffic forwarding

We need to enable traffic forwarding in order to let our wlan0 traffic flows into eth0 interface, to do that we need to edit another configuration file.

Open /etc/sysctl.conf file

sudo vim /etc/sysctl.conf

Find this line


And delete the # symbol then leave the rest as it is, so that the line should be like this


After that, start the services that we’ve stopped at step 2:

sudo systemctl start hostapd
sudo systemctl start dnsmasq

Step 7: Add a new iptables rule

In this step, we’re going to add IP masquerading for outbound traffic on eth0 using iptables:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Since iptables doesn’t restore previous rules on reboot therefore we need to install another package in order to make iptables rules persistent on reboot.

sudo apt install iptables-persistent -y

While apt installing iptables-persistent package it will ask you to save current rules, you need to select yes option. If you selected no option then you need to save it manually by using this command sudo netfilter-persistent save

Step 8: Enable internet connection

We’re almost done with the access point part. So far, we’ve built the access point but we cannot use Pi’s internet connection. You may check with your devices, the wifi network that we’ve set at step 5 should be appeared to your devices now. You can connect to the wifi network but you’ll see there is no internet connection.

In order to connect to the internet we should create a bridge between wlan0 and eth0 interfaces.
To build the bridge we need to install another package:

sudo apt-get install bridge-utils

After it’s installed we’re ready to add a new bridge called br0

sudo brctl addbr br0

Next, connect the eth0 interface to our bridge:

sudo brctl addif br0 eth0

Then, edit the /etc/network/interfaces file

sudo vim /etc/network/interfaces

Finally, add the followings to the end of the file.

auto br0
iface br0 inet manual
bridge_ports eth0 wlan0

So far so good, let’s reboot the Pi and try to connect Pi’s wifi network.

If there is was no error or misconfigured package it should work as a normal wireless access point which extends your ethernet network. If everything is OK then continue with the next part which is routing over the VPN.

Step 9: Install OpenVPN Package

sudo apt install openvpn

And reboot again sudo reboot

Step 10: Connecting to the VPN

As I said in the requirements section we need a OpenVPN config file which you can easily download your VPN service provider’s website or if you have your own OpenVPN server then use its config file. I’m using ProtonVPN[3] therefore I’m going to use ProtonVPN‘s OpenVPN config file.

I copied my config file into the Pi’s home directory and called it open.ovpn. The location of the config file is /home/pi/open.vpn and I also copied my VPN credentials into the same directory and called it pass.

Let’s test if we can connect to VPN:

sudo openvpn --config open.ovpn --auth-user-pass pass

If there was no error or misconfiguration we should see these magical words Initialization Sequence Completed.

Step 11: Reconfigure iptables

To creating and testing the access point we add a iptables rule. Now we need to change the iptables rules. Execute the following commands to erase old iptables rules.

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X

And add the new ones:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

After that, we need to save iptables rules. Remember the command from step 7 sudo netfilter-persistent save

Step 12: Set OpenVPN starts on boot

We don’t want to start OpenVPN manually every time Pi starts therefore we need to edit one last config file /etc/rc.local

sudo vim /etc/rc.local

And add the followings into this file but just above the line exit 0 with respect to your config and credentials file.

sleep 5
sudo openvpn --config /home/pi/open.ovpn --auth-user-pass /home/pi/pass

Final step: Reboot

Just reboot the Pi one last time then sit back and connect your devices to Pi’s Wifi over VPN

Testing from my mobile phone the IP address results from the website

When I connect to my normal wifi my IP address ends with 234

When I connect to Pi’s wifi my IP address ends with 216