The Raspberry Pi 3 is full of capabilities and fun. You can do anything you want with a Raspberry Pi. In this case we are going to build a VPN access point (hotspot). What I mean is that we are going to create a wifi network which automatically redirects our normal traffic into the VPN network.
I tried to make a network topology in order to explain it visually.
- Raspberry Pi 3 Model B
- I used the Raspbian Stretch Lite (version 2018-10-09) image with SSH activated
- Ethernet cable
- A computer to set up the Raspberry Pi via SSH
- A subscription to a VPN service provider which supports OpenVPN, or just an OpenVPN config file(
Step 1: Update the Raspbian repositories
sudo apt-get update
After the upgrade finishes, reboot the Pi.
We are going to use two packages to turn our Raspberry Pi into a wireless access point. The packages are:
- hostapd - this is the package that lets us create a wifi hotspot
- dnsmasq - this is an easy-to-use DHCP and DNS server package.
Let’s install these:
sudo apt-get install hostapd dnsmasq -y
Since we’re going to configure these packages, we should stop them first to prevent errors.
sudo systemctl stop hostapd
Use a text editor to edit the /etc/dhcpcd.conf file and add the following lines to the end of the file. I use the vim editor to do that.
sudo vim /etc/dhcpcd.conf
Add the following to the end of the
I set the IP 192.168.1.40 for the wlan0 interface because the DHCP server of my home router gives out IPs like 192.168.1.xx
The last two lines, which start with deny, are needed for the next steps (in order to make our bridge setup work).
As I said before, we are going to use the dnsmasq package as our DHCP server. “Dynamic Host Configuration Protocol (DHCP) is a protocol for assigning dynamic IP addresses to devices on a network”.
Since dnsmasq’s default configuration file contains lots of information that is unnecessary for our case, it’s easier to start from scratch. Let’s rename the default file and create a new one.
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
Add the following to the new file that we have just created with vim.
With this config file I tell dnsmasq to give every hotspot client an IP within the range 192.168.1.41-192.168.1.80
Create a config file in the /etc/hostapd/ folder and call it hostapd.conf by using the following command.
sudo vim /etc/hostapd/hostapd.conf
And add the following to this file
The last two lines are our new wifi access point name and its password. Edit these as you wish: NETWORK is the wifi name and PASSWORD is the wifi password.
Now, we need to show the system the location of the hostapd config file.
Open the /etc/default/hostapd file with your favorite text editor.
sudo vim /etc/default/hostapd
In this file, find the #DAEMON_CONF="" line, change it to DAEMON_CONF="/etc/hostapd/hostapd.conf", and check that the # symbol is removed from the beginning of the line.
We need to enable traffic forwarding so that our wlan0 traffic can flow into the eth0 interface. To do that, we need to edit another configuration file.
sudo vim /etc/sysctl.conf
Find this line
And delete the # symbol, then leave the rest as it is, so that the line looks like this
After that, start the services that we’ve stopped at step 2:
sudo systemctl start hostapd
In this step, we’re going to add IP masquerading for outbound traffic on eth0 using iptables:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo apt install iptables-persistent -y
While apt is installing the iptables-persistent package, it will ask whether to save the current rules; select the yes option. If you selected no, you need to save them manually with this command: `sudo netfilter-persistent save`
sudo apt-get install bridge-utils
sudo brctl addbr br0
sudo brctl addif br0 eth0
sudo vim /etc/network/interfaces
iface br0 inet manual
bridge_ports eth0 wlan0
sudo apt install openvpn
sudo openvpn --config open.ovpn --auth-user-pass pass
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
sudo vim /etc/rc.local
sudo openvpn --config /home/pi/open.ovpn --auth-user-pass /home/pi/pass
Just reboot the Pi one last time, then sit back and connect your devices to the Pi’s wifi over VPN.
Testing from my mobile phone the IP address results from the website
When I connect to my normal wifi my IP address ends with
When I connect to Pi’s wifi my IP address ends with
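The IP check above only shows that traffic uses the VPN while tun0 is up. The iptables commands in this post flush the chains but leave the FORWARD policy at its default ACCEPT, so nothing confines wlan0 clients to the tunnel if it drops; the following added example (not part of the original post) audits an iptables-save dump for that. The function names, the sample dump and the `iptables -P FORWARD DROP` hardening step are assumptions of this example, which also assumes client traffic is routed by the Pi as the wlan0/tun0 rules imply.

```shell
# Added example: audit an iptables-save dump read from stdin. Returns 0 when
# wlan0 clients can only leave through tun0, 1 (with findings) otherwise.
audit_vpn_rules() {
    awk '
    /^\*/ { table = substr($0, 2) }              # "*nat" / "*filter" headers
    table == "filter" && /^:FORWARD / { policy = $2 }
    /^-A (FORWARD|POSTROUTING) / {
        in_if = out_if = target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
    }
    table == "filter" && /^-A FORWARD / && target == "ACCEPT" {
        if (in_if == "wlan0" && out_if == "tun0") vpn_rule = 1
        else if (in_if != "tun0" && out_if != "tun0") { print "LEAK: " $0; bad = 1 }
    }
    table == "nat" && /^-A POSTROUTING / && target == "MASQUERADE" && out_if != "tun0" {
        print "LEAK: " $0; bad = 1               # NAT onto a non-VPN interface
    }
    END {
        if (policy != "DROP") { print "LEAK: FORWARD policy " policy " forwards unmatched packets"; bad = 1 }
        if (!vpn_rule) { print "MISSING: no ACCEPT rule for wlan0 -> tun0"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: abbreviated iptables-save output after the flush and the
# three tun0 rules from this post. iptables -F leaves chain policies at ACCEPT.
page_rules() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT
EOF
}
# Same rules after "sudo iptables -P FORWARD DROP" (the assumed hardening step).
hardened_rules() { page_rules | sed 's/^:FORWARD ACCEPT/:FORWARD DROP/'; }

page_rules | audit_vpn_rules || echo "post rules: not VPN-only"
hardened_rules | audit_vpn_rules && echo "with FORWARD DROP: VPN-only"
```

On the Pi, with the function defined in your shell, check the live ruleset with `sudo iptables-save | audit_vpn_rules`.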