Home RASPBERRY PI How To Make a Raspberry Pi VPN Access Point

How To Make a Raspberry Pi VPN Access Point

Anyone who has been abroad will know it’s a constant pain to have to deal with content that has been switched to the local language, not to mention certain states that censor internet content. Fortunately, there’s a way to evade these restrictions using the Raspberry Pi.

In a few simple steps, you can configure your Pi to generate its own wireless AP (Access Point) and keep it permanently connected to a VPN (Virtual Private Network) service. All you need to do when travelling is bring your Pi and connect it to a working router and you’ll have your own private wireless network and connection.

Will a VPN keep You completely private and anonymous online?

VPNs were originally designed to allow office workers to connect to their corporate intranet while away, over an encrypted connection. These days they’re more commonly used both to protect your connection and make it seem as if your computer is located in another country.

In order to proceed with this project, you will require an active VPN subscription and the client configuration (.conf) file to automatically connect.

Make a Raspberry Pi VPN Access Point

1.Choose your VPN

In order to carry out this project, you need an account with a VPN provider. Find a provider that supports the OpenVPN protocol, as this connection is generally considered to be the most secure. Free providers won’t require any billing information but they are not as fast or reliable as paid services. If you choose a paid provider, try to find one that accepts anonymous payment methods such as Bitcoin. The website www.weusecoins.com has a list of these.

2.Download configuration

Attach the Pi to your router. Open Terminal or connect via SSH. If your VPN provider supports the secure OpenVPN standard, then they will have provided a configuration file with the extension .conf or .ovpn.

For this tutorial, a VPN configuration file from free provider VPNBook was used. Download the file to your Pi either by clicking the link or using wget in Terminal:

wget https://www.vpnbook.com/free-openvpnaccount/VPNBook.com-OpenVPN-Euro1.zip

3.Install OpenVPN

The Raspbian repositories contain the OpenVPN software but not the most current version. Use the command su to switch to the root user then run these commands:

wget -O – https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add –
echo “deb https://swupdate.openvpn.net/apt jessiemain” > /etc/apt/sources.list.d/swupdate.openvpn.net.list

apt-get update

apt-get install openvpn

Run openvpn –version to double-check you have the most up-to-date version of the software. At the time of writing this is 2.3.14

4.Configure and run OpenVPN

Use the mv command to move the configuration file into the openvpn folder /etc/openvpn, amending the extension if necessary, for instance:

sudo mv vpngate_vpn151111650.opengw.net_udp_1344.ovpn /etc/openvpn/vpn1.conf

Next, start the OpenVPN service with the command sudo service openvpn start. Start
OpenVPN using your .conf file with the openvpn–-config command, for instance:

sudo openvpn -config /etc/openvpn/vpn1.conf

Next, run the command:

sudo service openvpn start

5.Test OpenVPN connection

Once the OpenVPN service is running, open a new tab in your Terminal or start a new SSH service and run the command ifconfig to list your network interfaces. Usually the VPN connection will appear as tun0. You can check your apparent location with the command:

curl –interface tun0 freegeoip.net/json/

Next, make sure the OpenVPN service starts each time you log in. Then run

sudo nano /etc/default/openvpn

Remove the # at the start of the line reading

6.Install prerequisites

Now we’ll install the necessary software to set up a Wireless AP. Do this by running:

sudo apt-get install dnsmasq hostapd

Next, run:

sudo nano /etc/dhcpcd.conf

You you’ve done that, add these lines to the very bottom of the file:

interface wlan0
static ip_address=

Press Ctrl+X, Y then Return to save and exit.

7.Set static IP

The next step is to open your network interfaces configuration with:

sudo nano /etc/network/interfaces///ENDCODE

Change the line “iface wlan0 inet static” to “iface wlan0 inet manual”. Press Return to start a new line, and then paste:


Place a ‘#’ at the start of the line beginning “wpaconf”. Save and exit in the same way as before. Restart the dhcpcd service with:

sudo service dhcpcd restart

8. Configure AP

Run the command:

sudo nano /etc/hostapd/hostapd.conf’

Paste the following:


Feel free to change the name of the network from ‘PiVPN’ to one that is meaningful to you. Similarly change the password ‘raspberry231’ to something more secure. Next run:

nano /etc/default/hostapd

Find the line starting #DAEMON_CONF=”” and change to DAEMON_CONF=”/etc/hostapd/
hostapd.conf. Note the ‘#’ at the start of the line must be removed.

9. Configure dnsmasq

Move the old dnsmasq configuration file with:

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf. orig

Then create a new one by running:

sudo nano /etc/dnsmasq.conf

Paste in the following text:


Note we are using Google’s DNS server ( for now; change this if you wish, then save and exit. Run:

sudo nano /etc/sysctl.conf

Find the line starting “net.ipv4.ip_forward=1” and remove the ‘#’ at the start. Now reboot the Pi.

10.Set up IPV4 Forwarding

For the next step, you need to run each of these commands individually:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD –i eth0 -o wlan0 -m state –state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD –i wlan0 -o eth0 -j ACCEPT
sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”

Next, run the command:

sudo nano /etc/rc.local

Paste the following right above the line reading “exit 0”:

iptables-restore < /etc/iptables.ipv4.nat /usr/sbin/hostapd /etc/hostapd/hostapd.conf

11.Test Access Point

Run the commands:

sudo update-rc.d hostapd enable


sudo update-rc.d dnsmasq enable

Reboot the Pi. You’ll need a second device at this stage to see if you can access the Wireless AP. Search for it in your network menu and enter the password you created earlier on. If you can’t remember this, run the following on the Raspberry Pi to view it again:

sudo nano /etc/hostapd/hostapd.conf

Once connected, visit www.whatismyipaddress.com to check you’re behind the VPN.

12.Fix DNS Leaks

Certain VPN providers use their own DNS servers. Other VPN Providers are less cautious. Visit https://www.dnsleaktechnicalustad.com/ and click Extended Test to check you’re safe. If any of the DNS servers match your regular ISP, your connection is not fully secure.To resolve this, edit your VPN configuration file, for example:

sudo nano /etc/openvpn/vpn2.conf

Once you’ve done that, add these lines immediately above “”:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Save and exit, then restart your Pi. Check the DNS leak website once again. If this fails to resolve the issue, try using another VPN provider.

13.Block unsolicited connections

As your Pi is sitting between your computer and the internet, it can potentially be accessed by other devices. Prevent unsolicited incoming connections from other devices with the following commands:

sudo iptables -A INPUT -i tun0 -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i tun0 -j DROP

Make sure to save your changes so that they’ll apply on reboot:-

sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”

14.Route all traffic through OpenVPN

When you boot the Pi initially, certain applications may try to connect directly to the internet, which can undermine your anonymity. To channel all network traffic through the VPN, you need to edit your configuration file in /etc/openvpn, for instance by running:

sudo nano /etc/openvpn vpn2.conf

Make sure the line “redirect-gateway” reads “redirect gateway def1”. DNS queries will also be routed through the VPN also so make sure your provider supports this.

15.Set up Firewall

Although you may have previously configured iptables to prevent unsolicited incoming
connections, to be on the safe side, consider installing ufw (Uncomplicated Firewall) with

sudo apt-get install ufw

Run the command:

sudo ufw enable

To fire it up, then open the default OpenVPN port 1194 with:

sudo ufw allow 1194

Once you’ve done this, you may also want to enable Port 22 to allow connecting via SSH.
Remember that this doesn’t change which ports are open and closed on the router.

Note:- If you need a username and password for your VPN, you can save these so OpenVPN will connect automatically.

First run: sudo nano auth.txt

On the first line put the username and on the second put your password. Save
and exit. Next edit your OpenVPN config file, for instance:

sudo nano /etc/openvpn/vpn2.conf’

Scroll down to the line with the text “auth-userpass”. Leave a space and enter the path auth.txt, for example:

auth-user-pass /home/pi/auth.txt

Save and exit once again.

We are recommending Kodi 17 Installation and VPNs Setup on Raspberry Pi 2 & 3 Guide to our Readers.