Using your Pi as a VPN Gateway with an Access Point

Valery Kachaev,

Good Tunneling

Have you ever been told by a website that certain content isn't available in your country? Configuring your Pi to route all your network traffic through a VPN can help.

There are many VPN (Virtual Private Network) providers competing over the Internet for customers. This means that for a small monthly fee you can securely use public WiFi hotspots. This is done by creating an encrypted tunnel to the Internet. The Raspberry Pi is ideally suited to act as a VPN gateway with an integrated access point for mobile devices.

As a rule, employing a VPN does away with virtual boundaries on the internet. However, privacy requires more than just tunneling into the Internet of a foreign country. Each time you access a website with a standard web browser, traces are left behind. These can then be used to track down the owner of the connection. For this reason, if you're extremely concerned with your privacy, consider using a specialized Linux distribution like Tails [1].

Tails is a live operating system that boots from a USB stick or DVD. It is not designed for installation on a hard drive. Tails currently only runs on 32 and 64 bit PCs. The OS loads directly into your RAM and routes all internet through tor to anonymize your connection. An ARM version for the Raspberry Pi is still not available. This has to do with the small working memory of the Raspberry Pi. The complete system cannot load within 1 GByte RAM.

Nonetheless, the Raspberry Pi is an ideal system for protecting your privacy. You can easily install a Linux system in such a way that every data bit sent from the computer is guaranteed to go through a trusted VPN. For the purposes of this article, we will use the US service Private Internet Access, PIA [2].


At several stages during setup, you will need to edit configuration files. The easiest way to do this on the Raspberry Pi is to use the Nano editor. To start editing, open the file with the sudo nano file command. The sudo in front of the command takes care of administrative rights. Save the changes you make by pressing [Ctrl]+[O] and the return key. Once you are finished, close the editor by pressing the [Ctrl]+[X] keys.

VPN Gateway

First install Raspbian [3] on the Raspberry Pi. If you want the operating system to serve solely as a VPN gateway, you can do this without the graphical user interface. This means you can install the light version of Raspbian.

After installation, update the system and modify the language settings using the Raspberry Pi configuration tool (Listing 1). If you want to operate the Raspberry Pi without input devices and without a monitor, then as of 11.25.2016 version of Raspbian, you will need to activate the SSH server before installation. also create an empty file named ssh [4] on the boot partition.

Listing 1

output of raspi-config

$ sudo apt update
$ sudo apt full-upgrade
$ sudo raspi-config

Next you need the packages from the first line of Listing 2 to connect to an OpenVPN server. The Uncomplicated Firewall, ufw, application acts as a safeguard in case the VPN fails. Transmission, a BitTorrent client with an integrated web frontend (second and third line), will later be used to verify whether critical services such as file sharing are running over the VPN. If you don't need BitTorrent, you can skip installation of Transmission.

Listing 2


$ sudo apt install openvpn ufw
$ sudo apt install transmission-daemon
$ sudo update-rc.d -f transmission-daemon remove

If instead, you decide that you do need the Transmission client, then stop the service and configure it so that it no longer automatically loads during the boot process (Listing 3). In addition, you will need to make sure that you and other users in your network can call up the web frontend. The stream editor sed does this directly from the command line. The syntax for this operation is:

Listing 3

Output of settings.json

$ sudo service transmission-daemon stop
$ sudo sed -i -e s/'"rpc-authentication-required": true'/'"rpc-authentication-required": false'/ /etc/transmission-daemon/settings.json
$ sudo sed -i -e s/''/', <192.168.*.*>'/ /etc/transmission-daemon/settings.json
$ sudo grep rpc /etc/transmission-daemon/settings.json
 "rpc-authentication-required": false,
 "rpc-whitelist": ", <192.168.*.*>",
$ sudo service transmission-daemon start
sed -i -e s/'<search>'/'<replace>'/ <file>

The -i option indicates to sed that it should work directly in the file and -e executes the option that follows as an sed script.

Desktop System

The steps illustrated here for the Raspberry Pi can also be used without any problems on PCs running Debian or its derivatives such as Ubuntu.

BitTorrent over VPN

Instead of using sed commands, you can modify /etc/transmission-daemon/settings.json with a classic editor like nano. The output from the grep command in Listing 3 details the finishing touches you must make. Depending on how your router is configured, you may have to adapt the commands to your network's IP range. The entry 192.168.*.* covers all IP addresses from to

After concluding these steps and restarting the Transmission server, you can now access it via your LAN at http://<Your_IP_Address>:9091 (Figure 1). However, do not add any torrents just yet! The Raspberry Pi is still transmitting all data directly via your own Internet connection.

Figure 1: The Transmission daemon is suitable for use with the Raspberry Pi as a lean BitTorrent client with integrated web interface.

VPN Providers usually offer OpenVPN and corresponding configuration files for download. With PIA, you will find these files on the home page. The commands from Listing 4 let you download these as a package and then unzip them together with the required certificates. Store them in /etc/openvpn/.

Listing 4

$ wget
$ sudo unzip -d /etc/openvpn
 inflating: /etc/openvpn/AU Melbourne.ovpn
 inflating: /etc/openvpn/ca.rsa.2048.crt
 inflating: /etc/openvpn/crl.rsa.2048.pem
$ sudo sed -i -e s/'#AUTOSTART="home office"'/'AUTOSTART="PIA"'/ /etc/default/openvpn
$ grep AUTOSTART /etc/default/openvpn

Modify the autostart entry in the /etc/default/openvpn file so that the OpenVPN client will automatically load one of the country specific VPN servers from PIA when it boots. The option AUTOSTART="PIA" causes the OpenVPN service during start up to automatically load the configuration file PIA.conf (which is still to be set up) from the /etc/openvpn/ file.

You can get the contents of this file from Listing 5. The configuration is configured to use PIA's server in the Netherlands. It has been augmented with additional logs and it also calls for two scripts, and, after start up and after the VPN connection is closed. If you prefer a VPN tunnel in a different country, modify the configuration accordingly.

Listing 5


dev tun
proto udp
remote 1198
resolv-retry infinite
cipher aes-128-cbc
auth sha1
remote-cert-tls server
auth-user-pass /etc/openvpn/
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
log-append /var/log/piavpn.log
status-version 3
status status
script-security 2
up /etc/openvpn/update-resolv-conf
route-up /etc/openvpn/
down /etc/openvpn/

The OpenVPN client gets its access data from the file /etc/openvpn/ Enter your user name for the VPN provider on the first line of this file and the password on the second line (Listing 6). In order to prevent other system users from seeing this data, change the file permissions using

Listing 6

sudo chmod 600 /etc/openvpn/

so that only Root can read it.

Next fill in the scripts /etc/openvpn/ (Listing 7) and /etc/openvpn/ (Listing 8). Use the commands from the first line of Listing 9 to give the system permission to execute them. Next, have systemd search for modified configuration files to save the changes made to the /etc/default/openvpn file. Finally, re-start the OpenVPN service (second and third line).

Listing 7

# Start services like Transmission
service transmission-daemon start

Listing 8

# Stop services like Transmission
service transmission-daemon stop
# prevent DNS-Leaks

Listing 9

$ sudo chmod +x /etc/openvpn/ /etc/openvpn/
$ sudo systemctl daemon-reload
$ sudo service openvpn restart

Now OpenVPN will automatically start the connection. The program will store any log files in /var/log/piavpn.log. Take a look at these while OpenVPN is connecting. Use sudo tail -f /var/log/piavpn.log to see what's going on (Figure 2).

Figure 2: The /var/log/piavpn.log log is used for detecting problems that may occur while the connection to the VPN server is being generated.

Buy this article as PDF

Express-Checkout as PDF

Pages: 8

Price $2.95
(incl. VAT)

Buy Raspberry Pi Geek

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content