Anyone who has been abroad will know it’s a constant pain to have to deal with content that has been switched to the local language, not to mention certain states that censor internet content. Fortunately, there’s a way to evade these restrictions using the Raspberry Pi.
In a few simple steps, you can configure your Pi to generate its own wireless AP (Access Point) and keep it permanently connected to a VPN (Virtual Private Network) service. All you need to do when travelling is bring your Pi and connect it to a working router and you’ll have your own private wireless network and connection.
Will a VPN keep You completely private and anonymous online?
VPNs were originally designed to allow office workers to connect to their corporate intranet while away, over an encrypted connection. These days they’re more commonly used both to protect your connection and make it seem as if your computer is located in another country.
In order to proceed with this project, you will require an active VPN subscription and the client configuration (.conf) file to automatically connect.
Make a Raspberry Pi VPN Access Point
1.Choose your VPN
In order to carry out this project, you need an account with a VPN provider. Find a provider that supports the OpenVPN protocol, as this connection is generally considered to be the most secure. Free providers won’t require any billing information but they are not as fast or reliable as paid services. If you choose a paid provider, try to find one that accepts anonymous payment methods such as Bitcoin. The website www.weusecoins.com has a list of these.
2.Download configuration
Attach the Pi to your router. Open Terminal or connect via SSH. If your VPN provider supports the secure OpenVPN standard, then they will have provided a configuration file with the extension .conf or .ovpn.
For this tutorial, a VPN configuration file from free provider VPNBook was used. Download the file to your Pi either by clicking the link or using wget in Terminal:
wget https://www.vpnbook.com/free-openvpnaccount/VPNBook.com-OpenVPN-Euro1.zip
3.Install OpenVPN
The Raspbian repositories contain the OpenVPN software but not the most current version. Use the command su to switch to the root user then run these commands:
wget -O – https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add –
echo “deb https://swupdate.openvpn.net/apt jessiemain” > /etc/apt/sources.list.d/swupdate.openvpn.net.list
apt-get update
apt-get install openvpn
Run openvpn –version to double-check you have the most up-to-date version of the software. At the time of writing this is 2.3.14
4.Configure and run OpenVPN
Use the mv command to move the configuration file into the openvpn folder /etc/openvpn, amending the extension if necessary, for instance:
sudo mv vpngate_vpn151111650.opengw.net_udp_1344.ovpn /etc/openvpn/vpn1.conf
Next, start the OpenVPN service with the command sudo service openvpn start. Start
OpenVPN using your .conf file with the openvpn–-config command, for instance:
sudo openvpn -config /etc/openvpn/vpn1.conf
Next, run the command:
sudo service openvpn start
5.Test OpenVPN connection
Once the OpenVPN service is running, open a new tab in your Terminal or start a new SSH service and run the command ifconfig to list your network interfaces. Usually the VPN connection will appear as tun0. You can check your apparent location with the command:
curl –interface tun0 freegeoip.net/json/
Next, make sure the OpenVPN service starts each time you log in. Then run
sudo nano /etc/default/openvpn
Remove the # at the start of the line reading
“#AUTOSTART=”all”.
6.Install prerequisites
Now we’ll install the necessary software to set up a Wireless AP. Do this by running:
sudo apt-get install dnsmasq hostapd
Next, run:
sudo nano /etc/dhcpcd.conf
You you’ve done that, add these lines to the very bottom of the file:
interface wlan0
static ip_address=172.24.1.1/24
Press Ctrl+X, Y then Return to save and exit.
7.Set static IP
The next step is to open your network interfaces configuration with:
sudo nano /etc/network/interfaces///ENDCODE
Change the line “iface wlan0 inet static” to “iface wlan0 inet manual”. Press Return to start a new line, and then paste:
address 172.24.1.1
netmask 255.255.255.0
network 172.24.1.0
broadcast 172.24.1.255
Place a ‘#’ at the start of the line beginning “wpaconf”. Save and exit in the same way as before. Restart the dhcpcd service with:
sudo service dhcpcd restart
8. Configure AP
Run the command:
sudo nano /etc/hostapd/hostapd.conf’
Paste the following:
interface=wlan0
driver=nl80211
ssid=piVPN
hw_mode=g
channel=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=raspberry231
wpa_pairwise=TKIP
rsn_pairwise=CCMP
Feel free to change the name of the network from ‘PiVPN’ to one that is meaningful to you. Similarly change the password ‘raspberry231’ to something more secure. Next run:
nano /etc/default/hostapd
Find the line starting #DAEMON_CONF=”” and change to DAEMON_CONF=”/etc/hostapd/
hostapd.conf. Note the ‘#’ at the start of the line must be removed.
9. Configure dnsmasq
Move the old dnsmasq configuration file with:
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf. orig
Then create a new one by running:
sudo nano /etc/dnsmasq.conf
Paste in the following text:
interface=wlan0
listen-address=172.24.1.1
bind-interfaces
server=8.8.8.8
domain-needed
bogus-priv
dhcp-range=172.24.1.50,172.24.1.150,12h
Note we are using Google’s DNS server (8.8.8.8) for now; change this if you wish, then save and exit. Run:
sudo nano /etc/sysctl.conf
Find the line starting “net.ipv4.ip_forward=1” and remove the ‘#’ at the start. Now reboot the Pi.
10.Set up IPV4 Forwarding
For the next step, you need to run each of these commands individually:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD –i eth0 -o wlan0 -m state –state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD –i wlan0 -o eth0 -j ACCEPT
sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”
Next, run the command:
sudo nano /etc/rc.local
Paste the following right above the line reading “exit 0”:
iptables-restore < /etc/iptables.ipv4.nat /usr/sbin/hostapd /etc/hostapd/hostapd.conf
11.Test Access Point
Run the commands:
sudo update-rc.d hostapd enable
And:
sudo update-rc.d dnsmasq enable
Reboot the Pi. You’ll need a second device at this stage to see if you can access the Wireless AP. Search for it in your network menu and enter the password you created earlier on. If you can’t remember this, run the following on the Raspberry Pi to view it again:
sudo nano /etc/hostapd/hostapd.conf
Once connected, visit www.whatismyipaddress.com to check you’re behind the VPN.
12.Fix DNS Leaks
Certain VPN providers use their own DNS servers. Other VPN Providers are less cautious. Visit https://www.dnsleaktechnicalustad.com/ and click Extended Test to check you’re safe. If any of the DNS servers match your regular ISP, your connection is not fully secure.To resolve this, edit your VPN configuration file, for example:
sudo nano /etc/openvpn/vpn2.conf
Once you’ve done that, add these lines immediately above “”:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Save and exit, then restart your Pi. Check the DNS leak website once again. If this fails to resolve the issue, try using another VPN provider.
13.Block unsolicited connections
As your Pi is sitting between your computer and the internet, it can potentially be accessed by other devices. Prevent unsolicited incoming connections from other devices with the following commands:
sudo iptables -A INPUT -i tun0 -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i tun0 -j DROP
Make sure to save your changes so that they’ll apply on reboot:-
sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”
14.Route all traffic through OpenVPN
When you boot the Pi initially, certain applications may try to connect directly to the internet, which can undermine your anonymity. To channel all network traffic through the VPN, you need to edit your configuration file in /etc/openvpn, for instance by running:
sudo nano /etc/openvpn vpn2.conf
Make sure the line “redirect-gateway” reads “redirect gateway def1”. DNS queries will also be routed through the VPN also so make sure your provider supports this.
15.Set up Firewall
Although you may have previously configured iptables to prevent unsolicited incoming
connections, to be on the safe side, consider installing ufw (Uncomplicated Firewall) with
sudo apt-get install ufw
Run the command:
sudo ufw enable
To fire it up, then open the default OpenVPN port 1194 with:
sudo ufw allow 1194
Once you’ve done this, you may also want to enable Port 22 to allow connecting via SSH.
Remember that this doesn’t change which ports are open and closed on the router.
Note:- If you need a username and password for your VPN, you can save these so OpenVPN will connect automatically.
First run: sudo nano auth.txt
On the first line put the username and on the second put your password. Save
and exit. Next edit your OpenVPN config file, for instance:
sudo nano /etc/openvpn/vpn2.conf’
Scroll down to the line with the text “auth-userpass”. Leave a space and enter the path auth.txt, for example:
auth-user-pass /home/pi/auth.txt
Save and exit once again.
We are recommending Kodi 17 Installation and VPNs Setup on Raspberry Pi 2 & 3 Guide to our Readers.
