Making a VPN access point by using a Raspberry Pi 3
The Raspberry Pi 3 is full of capabilities and fun; you can do almost anything with it. In this case we are going to build a VPN access point (hotspot): a wifi network which automatically routes the traffic of every connected device through a VPN tunnel.
I tried to make a network topology in order to explain it visually.
- Raspberry Pi 3 Model B (with the Raspbian Stretch Lite image installed and SSH enabled)
- Ethernet cable
- A computer to set up the Raspberry via SSH
- A subscription to a VPN service provider which supports OpenVPN, or just an OpenVPN config file(
Step 1: Update the Raspbian repositories
sudo apt-get update
sudo apt-get upgrade
After the upgrade finishes, reboot the Pi.
Step 2: Install the wireless access point packages
We are going to use two packages to turn the Raspberry Pi into a wireless access point:
- hostapd - the daemon that turns the wifi interface into an access point
- dnsmasq - an easy-to-use DHCP and DNS server
Let’s install these,
sudo apt-get install hostapd dnsmasq -y
Since we're going to configure these packages, stop them first so they don't run with their default configuration while we edit:
sudo systemctl stop hostapd
sudo systemctl stop dnsmasq
Step 3: Set a static IP for wlan0 interface
Use a text editor to edit the /etc/dhcpcd.conf file and add the following lines to the end of it. I use vim to do that.
sudo vim /etc/dhcpcd.conf
Add the following to the end of the file:
interface wlan0
static ip_address=192.168.1.40/24
denyinterfaces eth0
denyinterfaces wlan0
I set 192.168.1.40 for wlan0 because the DHCP server of my home router hands out addresses like 192.168.1.xx. The last two lines starting with denyinterfaces are needed for the next steps: they stop dhcpcd from configuring eth0 and wlan0 directly, so that the bridge we build later can take over those interfaces.
Step 4: Configure DHCP server(dnsmasq)
As I said before we are going to use dnsmasq package as our DHCP server. “Dynamic Host Configuration Protocol (DHCP) is a protocol for assigning dynamic IP addresses to devices on a network”.
Since dnsmasq's default configuration file contains lots of information that is unnecessary for our case, it's easier to start from scratch. Let's rename the default file and create a new one:
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo vim /etc/dnsmasq.conf
Add the following to the new file that we have just created with vim.
With this config file I tell dnsmasq to give an IP to every hotspot client within the range 192.168.1.41-192.168.1.80. Check that your router's own DHCP pool does not include these addresses: two DHCP servers handing out overlapping ranges on the same segment will produce address conflicts.
Step 5: Configure the wifi access point(hostapd)
Create a config file called hostapd.conf in the /etc/hostapd/ folder with the following command:
sudo vim /etc/hostapd/hostapd.conf
And add the following to this file:
interface=wlan0
bridge=br0
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ssid=NETWORK
wpa_passphrase=PASSWORD
The last two lines are the name and password of our new wifi access point; edit these as you wish. NETWORK is the wifi name and PASSWORD is the wifi password (WPA2 requires 8 to 63 characters). Note that with wpa=2 only the rsn_pairwise=CCMP line is in effect: wpa_pairwise applies to WPA version 1, which is not enabled here. TKIP is deprecated anyway, so either drop the wpa_pairwise line or set it to CCMP as well.
Now we need to tell the system where the hostapd config file is. Open the /etc/default/hostapd file with your favorite text editor:
sudo vim /etc/default/hostapd
In this file find the #DAEMON_CONF="" line and change it to
DAEMON_CONF="/etc/hostapd/hostapd.conf"
making sure the # symbol is removed from the beginning of the line.
Step 6: Enable traffic forwarding
We need to enable IP forwarding so that traffic from wlan0 can flow to the eth0 interface; to do that we edit another configuration file:
sudo vim /etc/sysctl.conf
Find this line:
#net.ipv4.ip_forward=1
and delete the # symbol, leaving the rest as it is, so that the line reads:
net.ipv4.ip_forward=1
The setting is applied at the next boot; to enable it right away run sudo sysctl -w net.ipv4.ip_forward=1.
After that, start the services that we stopped at step 2:
sudo systemctl start hostapd
sudo systemctl start dnsmasq
If hostapd refuses to start because its unit is masked, run sudo systemctl unmask hostapd first, and enable both services with sudo systemctl enable hostapd dnsmasq so they come back after a reboot.
Step 7: Add a new iptables rule
In this step, we’re going to add IP masquerading for outbound traffic on eth0 using iptables:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables doesn't restore its rules on reboot, so we need to install another package to make them persistent:
sudo apt install iptables-persistent -y
While installing iptables-persistent, apt will ask whether to save the current rules; select yes. If you selected no, save them manually with this command:
sudo netfilter-persistent save
Step 8: Enable internet connection
We're almost done with the access point part. So far we've built the access point, but clients can't use the Pi's internet connection yet. You can check with your devices: the wifi network we set up in step 5 should now appear. You can connect to it, but you'll see there is no internet connection.
To get to the internet we'll create a bridge between the wlan0 and eth0 interfaces. To build the bridge we need to install another package:
sudo apt-get install bridge-utils
After it's installed, we're ready to add a new bridge called br0:
sudo brctl addbr br0
Next, connect the eth0 interface to our bridge. If you're logged in over SSH through eth0, the session may hang at this point, because eth0 now belongs to the bridge and br0 has no address yet; it comes back after the reboot below.
sudo brctl addif br0 eth0
Then, edit the /etc/network/interfaces file:
sudo vim /etc/network/interfaces
Finally, add the following to the end of the file:
auto br0
iface br0 inet manual
bridge_ports eth0 wlan0
So far so good; let's reboot the Pi and try to connect to the Pi's wifi network.
If there was no error or misconfigured package, it should work as a normal wireless access point which extends your ethernet network: connected devices sit on the same layer-2 segment as eth0. If everything is OK, continue with the next part, which is routing over the VPN.
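The configuration files of steps 4 and 5 are short enough to write by hand, but it is easy to end up with a weak passphrase or a stray TKIP line. The following script is an added example, not code from the original post: it generates hostapd.conf and dnsmasq.conf from a few parameters, validates the passphrase and SSID the way hostapd will, emits a WPA2/CCMP-only configuration, and writes the passphrase-bearing file with owner-only permissions. The interface names, subnet and pool are the tutorial's; the driver=nl80211 line (the driver for the Pi 3's on-board wifi) and the output-directory parameter are assumptions added here so the script can be tried in a scratch folder before touching /etc.

```shell
#!/bin/sh
# Added example, not from the original post: generate the hostapd.conf and
# dnsmasq.conf used in steps 4 and 5 from a few parameters, refusing weak
# input before anything lands in /etc. Defaults mirror the tutorial: AP on
# wlan0 bridged into br0, DHCP pool 192.168.1.41-192.168.1.80. The output
# directory is a parameter so the script can be tried in a scratch folder.

# WPA2-PSK passphrases must be 8 to 63 printable ASCII characters.
validate_psk() {
    psk=$1
    [ ${#psk} -ge 8 ] && [ ${#psk} -le 63 ] || return 1
    # anything outside 0x20-0x7E is rejected by hostapd as well
    [ -z "$(printf '%s' "$psk" | LC_ALL=C tr -d ' -~')" ]
}

# Print a hostapd.conf offering WPA2 only with CCMP (AES) only: no WPA1 and
# no TKIP. Arguments: interface, SSID, passphrase, channel (default 7).
hostapd_conf() {
    iface=$1; ssid=$2; psk=$3; channel=${4:-7}
    if ! validate_psk "$psk"; then
        echo "hostapd_conf: passphrase must be 8-63 printable ASCII characters" >&2
        return 1
    fi
    if [ -z "$ssid" ] || [ ${#ssid} -gt 32 ]; then
        echo "hostapd_conf: SSID must be 1-32 characters" >&2
        return 1
    fi
    cat <<EOF
interface=$iface
bridge=br0
driver=nl80211
hw_mode=g
channel=$channel
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ssid=$ssid
wpa_passphrase=$psk
EOF
}

# Print a dnsmasq.conf serving DHCP on the AP interface only. The pool must
# not overlap the pool of the router on the eth0 side. Arguments: interface,
# first address, last address, lease time (default 24h).
dnsmasq_conf() {
    iface=$1; first=$2; last=$3; lease=${4:-24h}
    cat <<EOF
interface=$iface
dhcp-range=$first,$last,255.255.255.0,$lease
EOF
}

# Write both files under $1 (use /etc on the Pi). hostapd.conf holds the
# passphrase in clear text, so it is created readable by its owner only.
install_ap_config() {
    dest=$1; ssid=$2; psk=$3
    conf=$(hostapd_conf wlan0 "$ssid" "$psk") || return 1
    mkdir -p "$dest/hostapd" || return 1
    (umask 077; printf '%s\n' "$conf" > "$dest/hostapd/hostapd.conf")
    dnsmasq_conf wlan0 192.168.1.41 192.168.1.80 > "$dest/dnsmasq.conf"
}

# Demo against a scratch directory; on the Pi run it as root with /etc instead.
demo=$(mktemp -d)
install_ap_config "$demo" NETWORK 'change-me-before-use' && cat "$demo/hostapd/hostapd.conf"
```

On the Pi, run the script as root with /etc as the destination, then restart hostapd and dnsmasq. The generator deliberately omits wpa_pairwise: with wpa=2 that option is never consulted, and leaving it out removes the temptation to enable WPA1 with TKIP later.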
Step 9: Install OpenVPN Package
sudo apt install openvpn
And reboot again
Step 10: Connecting to the VPN
As I said in the requirements section, we need an OpenVPN config file, which you can download from your VPN service provider's website; if you have your own OpenVPN server, use its config file instead. I'm using ProtonVPN, therefore I'm going to use ProtonVPN's OpenVPN config file.
I copied my config file into the Pi's home directory and called it open.ovpn, so the config file is at /home/pi/open.ovpn. I also copied my VPN credentials (username on the first line, password on the second) into the same directory and called the file pass. Since this file holds the password in clear text, make it readable by root only.
Let's test whether we can connect to the VPN:
sudo openvpn --config open.ovpn --auth-user-pass pass
If there was no error or misconfiguration, we should see these magical words:
Initialization Sequence Completed.
Step 11: Reconfigure iptables
To build and test the access point we added an iptables rule. Now we need to change the rules. Execute the following commands to erase the old ones:
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X
And add the new ones:
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
Note that the default policy of the FORWARD chain is still ACCEPT, so these rules only describe the happy path: nothing in them stops client traffic from being forwarded out another interface while tun0 is down. Set the policy to DROP if you want the hotspot to fail closed rather than leak.
After that, we need to save the iptables rules. Remember the command from step 7:
sudo netfilter-persistent save
Step 12: Set OpenVPN starts on boot
We don't want to start OpenVPN manually every time the Pi starts, therefore we need to edit one last config file:
sudo vim /etc/rc.local
And add the following to this file just above the exit 0 line, adjusted to the paths of your config and credentials files. rc.local already runs as root, so sudo is not needed, and --daemon makes openvpn detach so that rc.local can reach its exit 0 instead of blocking on the VPN process:
sleep 5
openvpn --daemon --config /home/pi/open.ovpn --auth-user-pass /home/pi/pass
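The rules of step 11 route client traffic into tun0 but leave the FORWARD policy at ACCEPT, so there is no guarantee the hotspot fails closed when the tunnel drops. The script below is an added example, not code from the original post: it prints a fail-closed ruleset in iptables-restore format (FORWARD policy DROP, traffic allowed only between wlan0 and tun0, NAT only on tun0) and provides a small checker that reads an iptables-save dump and reports any path by which hotspot traffic could leave without the tunnel. The interface names are the tutorial's; the constructed STEP11_RULES dump reproduces what step 11 leaves in place and is sample input, not output captured from a real Pi.

```shell
#!/bin/sh
# Added example, not from the original post: a fail-closed ("kill switch")
# ruleset for the VPN hotspot, plus a checker that reads an iptables-save dump
# and reports any way hotspot traffic could leave without the tunnel.
# Interface names follow the tutorial: clients on wlan0, VPN on tun0, uplink
# on eth0; override them through the environment if yours differ.
AP_IF=${AP_IF:-wlan0}
VPN_IF=${VPN_IF:-tun0}
WAN_IF=${WAN_IF:-eth0}

# Print the ruleset in iptables-restore format. The FORWARD policy is DROP, so
# while tun0 is down client packets are discarded instead of being forwarded
# to whatever interface the routing table picks next.
killswitch_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $VPN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $AP_IF -o $VPN_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $AP_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin; print one finding per line and return 1
# if anything was found, 0 if the dump is fail-closed.
check_rules() {
    dump=$(cat)
    rc=0
    if ! printf '%s\n' "$dump" | grep -q '^:FORWARD DROP '; then
        echo "FORWARD policy is not DROP: forwarded packets are accepted when $VPN_IF is down"
        rc=1
    fi
    if printf '%s\n' "$dump" | grep -q -- "^-A POSTROUTING -o $WAN_IF -j MASQUERADE"; then
        echo "NAT on $WAN_IF: client traffic can leave through the uplink directly"
        rc=1
    fi
    if printf '%s\n' "$dump" | grep -- "^-A FORWARD -i $AP_IF " | grep -v -- "-o $VPN_IF " | grep -q -- '-j ACCEPT'; then
        echo "FORWARD accepts $AP_IF traffic towards an interface other than $VPN_IF"
        rc=1
    fi
    return $rc
}

# Constructed dump of what step 11 leaves in place (chain policies at their defaults).
STEP11_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT'

echo "== step 11 rules =="
printf '%s\n' "$STEP11_RULES" | check_rules || echo "-> not fail-closed"
echo "== kill-switch rules =="
killswitch_rules | check_rules && echo "-> fail-closed"
```

To apply the ruleset on the Pi, pipe killswitch_rules into sudo iptables-restore and then save it with sudo netfilter-persistent save; to audit a running box, source the script and pipe sudo iptables-save into check_rules. The rules only govern forwarded client traffic. The Pi's own outbound packets, including the upstream DNS queries dnsmasq makes on behalf of clients, go through the OUTPUT chain and follow the default route, which the VPN server's redirect-gateway push points at tun0 only while the tunnel is up.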
Final step: Reboot
Just reboot the Pi one last time, then sit back and connect your devices to the Pi's wifi over the VPN.
Testing from my mobile phone the IP address results from the website
When I connect to my normal wifi my IP address ends with
When I connect to Pi’s wifi my IP address ends with