The Raspberry Pi 3 is full of capabilities and fun. You can do anything you want with a Raspberry Pi. In this case we are going to build a VPN access point (hotspot). What I mean is that we are going to create a wifi network that automatically redirects our normal traffic into the VPN network.
I tried to make a network topology in order to explain it visually.
- Raspberry Pi 3 Model B
- I used the Raspbian Stretch Lite (version 2018-10-09) image with SSH activated
- Ethernet cable
- A computer to set up the Raspberry Pi via SSH
- A subscription to a VPN service provider that supports OpenVPN, or just an OpenVPN config file(
Step 1: Update the Raspbian repositories
sudo apt-get update
After the upgrade finishes, reboot the Pi,
We are going to use two packages to turn our Raspberry Pi into a wireless access point. The packages are:
- hostapd - this is the package that lets us create a wifi hotspot
- dnsmasq - this is an easy-to-use DHCP and DNS server package.
Let’s install these,
sudo apt-get install hostapd dnsmasq -y
Since we’re going to configure these packages we should stop them in order to prevent errors.
sudo systemctl stop hostapd
Use a text editor to edit the /etc/dhcpcd.conf file and add the following lines to the end of the file. I use the vim editor to do that.
sudo vim /etc/dhcpcd.conf
Add the following to the end of the
I set the IP 192.168.1.40 for the wlan0 interface because the DHCP server of my home router gives out IPs like 192.168.1.xx.
The last two lines, which start with deny, are needed for the next steps (in order to make our bridge setup work).
As I said before, we are going to use the dnsmasq package as our DHCP server. “Dynamic Host Configuration Protocol (DHCP) is a protocol for assigning dynamic IP addresses to devices on a network”.
Since dnsmasq’s default configuration file contains lots of unnecessary information (unnecessary for our case), it’s easier to start from scratch. Let’s rename the default file and create a new one.
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
Add the following to the new file that we have just created with vim.
With this config file I tell dnsmasq to give an IP to every hotspot client within the range of 192.168.1.41-192.168.1.80
Create a config file in the /etc/hostapd/ folder and call it hostapd.conf by using the following command.
sudo vim /etc/hostapd/hostapd.conf
And add the following to this file
The last two lines are our new wifi access point name and its password. Edit these as you wish, NETWORK is the wifi name and PASSWORD is the wifi password.
Now, we need to show the system the location of the hostapd config file.
Open the /etc/default/hostapd file with your favorite text editor.
sudo vim /etc/default/hostapd
In this file find the #DAEMON_CONF="" line, change it to DAEMON_CONF="/etc/hostapd/hostapd.conf" and check that the # symbol is removed from the beginning of the line.
We need to enable traffic forwarding so that our wlan0 traffic can flow into the eth0 interface. To do that, we need to edit another configuration file.
sudo vim /etc/sysctl.conf
Find this line
And delete the # symbol, then leave the rest as it is, so that the line looks like this
After that, start the services that we stopped in step 2:
sudo systemctl start hostapd
In this step, we’re going to add IP masquerading for outbound traffic on eth0 using iptables:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Since iptables doesn’t restore previous rules on reboot, we need to install another package to make the iptables rules persistent across reboots.
sudo apt install iptables-persistent -y
While apt is installing the iptables-persistent package, it will ask whether to save the current rules; select the yes option. If you selected no, you need to save them manually by using this command
sudo netfilter-persistent save
We’re almost done with the access point part. So far, we’ve built the access point but we cannot use the Pi’s internet connection. You can check with your devices: the wifi network that we set up at step 5 should now be visible to them. You can connect to the wifi network, but you’ll see there is no internet connection.
In order to connect to the internet we should create a bridge between wlan0 and eth0 interfaces.
To build the bridge we need to install another package:
sudo apt-get install bridge-utils
After it’s installed we’re ready to add a new bridge called br0
sudo brctl addbr br0
Next, connect the eth0 interface to our bridge:
sudo brctl addif br0 eth0
Then, edit the
sudo vim /etc/network/interfaces
Finally, add the following to the end of the file.
If there was no error or misconfigured package, it should work as a normal wireless access point that extends your ethernet network. If everything is OK, continue with the next part, which is routing over the VPN.
sudo apt install openvpn
And reboot again
As I said in the requirements section, we need an OpenVPN config file, which you can easily download from your VPN service provider’s website; if you have your own OpenVPN server, use its config file. I’m using ProtonVPN, so I’m going to use ProtonVPN’s OpenVPN config file.
I copied my config file into the Pi’s home directory and called it open.ovpn. The location of the config file is /home/pi/open.ovpn, and I also copied my VPN credentials into the same directory and called it
Let’s test if we can connect to VPN:
sudo openvpn --config open.ovpn --auth-user-pass pass
If there was no error or misconfiguration we should see these magical words
Initialization Sequence Completed.
To create and test the access point we added an iptables rule. Now we need to change the iptables rules. Execute the following commands to erase the old iptables rules.
sudo iptables -F
And add the new ones:
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
After that, we need to save iptables rules. Remember the command from step 7
sudo netfilter-persistent save
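A plain `iptables -F` flushes only the filter table, so the eth0 MASQUERADE rule from the access point step is still in the nat table when the rules are saved here. The check below is an added example, not part of the original post: it reads `iptables-save` output and lists every MASQUERADE rule that sends traffic out of an interface other than the VPN tunnel. The function name `masq_leaks` and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for NAT rules that bypass the VPN.

# Reads an iptables-save dump on stdin and prints the outbound interface of
# every nat-table MASQUERADE rule that is not the VPN interface given as $1.
masq_leaks() {
    awk -v vpn="$1" '
        /^\*/ { table = substr($0, 2) }      # "*nat", "*filter": start of a table
        table == "nat" && $1 == "-A" && /-j MASQUERADE/ {
            iface = "(any)"                  # a rule without -o matches every interface
            for (i = 2; i < NF; i++) if ($i == "-o") iface = $(i + 1)
            if (iface != vpn) print iface
        }'
}

# Constructed sample: the ruleset saved after the steps above, where only the
# filter table was flushed before the tun0 rule was added.
SAMPLE_STALE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Constructed sample: the same ruleset when the nat table was flushed as well
# (iptables -t nat -F) before the tun0 rule was added.
SAMPLE_CLEAN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Run the check over both constructed dumps.
printf 'stale: %s\n' "$(printf '%s\n' "$SAMPLE_STALE" | masq_leaks tun0)"
printf 'clean: %s\n' "$(printf '%s\n' "$SAMPLE_CLEAN" | masq_leaks tun0)"
```

On the Pi, `sudo iptables-save | masq_leaks tun0` runs the same check against the live rules; empty output means only tun0 is masqueraded.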
We don’t want to start OpenVPN manually every time the Pi starts, so we need to edit one last config file
sudo vim /etc/rc.local
And add the following to this file, just above the line exit 0, with respect to your config and credentials file.
Just reboot the Pi one last time, then sit back and connect your devices to the Pi’s wifi over VPN.
Testing from my mobile phone the IP address results from the website
When I connect to my normal wifi my IP address ends with
When I connect to Pi’s wifi my IP address ends with