This is something I have been using for awhile now, thought i would show you the entire process, This is a tutorial for setting up a Raspberry Pi VPN router.
Requirements for Raspberry Pi VPN Router
Raspberry Pi 3 ► Amazon | Ebay
Private Internet Access ► https://goo.gl/StVNEU
Install Raspbian Pixel to your Pi’s sdcard. Use the Raspberry Pi Configuration tool or
sudo raspi-config to:
- Boot to console
- Configure the right keyboard map and timezone
- Configure the Memory Split to give 16Mb (the minimum) to the GPU
Static IP Address
/etc/network/interfaces like so:
auto lo
iface lo inet loopback
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 8.8.8.8 8.8.4.4
Setup VPN Client
installing openvpn client
sudo apt-get install openvpnDownloading and uncompressing PIA OpenVPN profiles
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip -d openvpnCopy the profile and certificates to OpenVPN Folder
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
sudo cp openvpn/US New York.ovpn /etc/openvpn/US.confnotice that the extension has changed from ovpn to conf create a login file with username and password for PIA
sudo nano /etc/openvpn/loginadd your username and password per line
username1234
password1234now we need to change the config file to point to correct file locations
sudo nano /etc/openvpn/US.confchange the following from this:
auth-user-pass
ca ca.rsa.2048.crt
crl-verif crl.rsa.2048.pemto:
auth-user-pass /etc/openvpn/login
ca /etc/openvpn/ca.rsa.2048.crt
crl-verif /etc/openvpn/crl.rsa.2048.pemremember to reboot
Testing the VPN
before moving forward with forwarding traffic, lets test out the connection
sudo openvpn --config /etc/openvpn/US.confto Exit use Ctrl + c Enable VPN at boot
sudo systemctl enable openvpn@USSetup Forwarding and IPTables (routes)
to enable forwarding
sudo nano /etc/sysctl.confuncomment the # to allow forwarding
net.ipv4.ip_forward = 1you can enable the service by typing this command
sudo sysctl -pIPTables this is best to just copy and past this to your ssh session. If you want to know more details about these rules, check out the video
sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -I INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT
sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
let make sure to keep the rules persistent across reboots
sudo apt-get install iptables-persistentthe installer will ask to save the rules, select YES now if you have new rules you want to add, do
sudo netfilter-persistent savenow lets apply this to startup
sudo systemctl enable netfilter-persistentALMOST DONE At this point you can now point your computer gateway to your Raspberry Pi IP address. Now you got a fully functional Raspberry Pi VPN Router. Check the video for more info -Don
Great guide. Got abit stuck, when copying openvpn newyork says there is no file /etc/openvpn/
I don’t think it has created that folder when it unzipped?
Great guide. Got abit stuck, when copying openvpn newyork says there is no file /etc/openvpn/
I don’t think it has created that folder when it unzipped?
— Found solution there is a typo in the code. \New \york**\**.ovpn — remove this backslash as there is no space between york.opvn
It is always a good idea to eliminate blank spaces from your directory and file names so that the use of “\ ” doesn’t make a huge mess of things. It can get really ugly in config files and scripts.
Hi Don, great guide!!
I’m trying to do the same thing but with a headless pi through ssh, andI use VNC as well. After typing the iptables I lose connection. What is the iptables rule that I need to define in this case for ssh and vnc??
Thanks so much and keep going with this amazing work!!!
Hi Don, great guide! Same here. I lose connection each time I type this iptable rule:
sudo iptables -P OUTPUT DROP
I am using ssh and VNC with a headless PI. Is this the reason?
You lose the connection because you are not allowing any outgoing traffic on the Pi. You would need to set up rules to allow established traffic out. Something like
sudo iptables -A OUTPUT -p tcp -m state –state ESTABLISHED -m comment –comment outgoing-established -j ACCEPT
Hi Don, one further query:
When I check if VPN is working (sudo openvpn –config /etc/openvpn/US.conf), it shows everything is fine.
However, when I change gateway in my computer to point to my PI Router, I have Internet connection but my IP address is not changing. It stays the same.
I am using the France.opvn file which I changed to France.conf. To enable VPN at boot, would this sentence be OK?:
sudo systemctl enable openvpn@France ;OR it should be:
sudo systemctl enable openvpn@France.conf
Many thanks!
openvpn@France.service
I know is an old post.. but maybe it will help someone! (I had a similar issue and solved it that way)
Hi Don,
I am still not able to get to the Internet through my Raspberry PIA router.
If I start the VPN service in my raspberry PI through a VNC connection, I successfully change my IP address and all traffic goes through my VPN. However, computers connected to the Raspberry gateway address do not get internet connection.
Looks like the issue is with the IP Tables or the rules in the aforesaid Tables.
Any ideas?
Many thanks!
hey . I got an issue.
sudo openvpn –config India.conf
when i try the above code i m getting this error message . what do i do.
Wed Jun 28 15:24:58 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Wed Jun 28 15:24:58 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Enter Auth Username: ************
Enter Auth Password: ************
Wed Jun 28 15:25:10 2017 UDPv4 link local: [undef]
Wed Jun 28 15:25:10 2017 UDPv4 link remote: [AF_INET]138.128.180.122:1198
Wed Jun 28 15:25:11 2017 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
Wed Jun 28 15:25:14 2017 [477b1af7610251c72dd1748718b8634f] Peer Connection Initiated with [AF_INET]138.128.180.122:1198
Wed Jun 28 15:25:17 2017 AUTH: Received control message: AUTH_FAILED
Wed Jun 28 15:25:17 2017 SIGTERM[soft,auth-failure] received, process exiting
Hello, I have the same problem …… Can anyone help, please!
same I dont know what to do
I had the same issue. You need to use your PPTP/L2TP/SOCKS Username and Password, not your normal PIA username/password. You can find it on your “Client Control Panel” when you log in to PIA on their website. https://www.privateinternetaccess.com/pages/client-control-panel
What is your opinion doing it this way verses making a DD-WRT Box with OpenVPN?
Thank you for doing this. I find it very useful.
Terrific guide. I was using AirVPN initially so config was slightly different but easy to implement.
As AirVPN subscription is expiring this week, I have switched to PIA based on your recommendation.
Service is fine and appears ever so slightly faster. I am in central Texas and both have servers in the Dallas area, so a good comparison.
Thanks for the guide, I’m curious to know how the RPi 3 handles the openVPN overhead with 5+ devices using the VPN simultaneously. Is the internet speed adversely affected or can the RPi3 processor keep up.
Hey Don, great stuff as always.
Would be awesome if you could do a tutorial on how to setup a VPN hotspot using a combination of the Raspberry Pi 3’s on-board wifi and ethernet port. I’ve seen a few tutorials touching on this elsewhere but they’re not very newbie friendly like yours, and they also fail to include a killswitch, DNS leak protection, reconnection/persistence after reboot etc.
Being able to just plug the Pi into my router’s ethernet port and within seconds having a dedicated VPN hotspot ready to go would be awesome.
what’s the link? i would like to see that tutorial.
Hi Don
I did half of the steps, until I reboot the Pi actually I lose the internet connection for both interfaces, and when I test the server by typing sudo openvpn –config /etc/openvpn/SE.conf I tells me that it (cannot resolve host address) and (could not determine IPv4/IPv6 protocol)
How can we resolve this.
Please I need help.
can we set the DNS server to rasberry pi IP address in the router admin settings so that all the devices connected to router uses VPN?
Great video, I understand how the Raspberry Pi works as a VPN Router but I was wondering if you could explain how the VPN works with kodi on an Ubuntu OS.
I have Ubuntu 14.04 OS with Kodi and PIA VPN software installed hooked to ASUS router with PIA always on somewhere.
My question is: When I’m on kodi streaming a movie, is my IP in London (where ever) or my ISP in the USA. When I go to system info in Kodi it says my IP address is exactly what is assigned by my router not some server somewhere in the world.
I’m I looking at the wrong info. How does Kodi work with the VPN on an Ubuntu System.
I have this configured. Is it possible to have my device connect to the Raspberry Pi’s wifi radio? In other words, the Raspberry would put out a wifi signal like a router that my device would connec to. Thanks.
I’m a noob, so stupid question. How is this physically hooked up? Lan coming from modem and then devices connect via WiFi? Or later coming in from router then devices connecting via WiFi? Thanks
i was going to ask the same thing. i’m guessing it bounces the info to the pi and back out the router or ISP provided equipment
I have one issue with the setup and that is that I only want the forwarding of traffic to only work when the vpn is up. I have had a few time ( power outage) that the vpn did not come up and clients using the PI as the default gateway was being passed to the local ISP.
does any one else have this issue?
to fix my issue, her is my Iptables setup
# clear iptables
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X
#start definitions
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -m comment –comment “vpn” -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p icmp -m comment –comment “icmp” -j ACCEPT
# lan subnet example 192.168.1.0/24
sudo iptables -A OUTPUT -d (your lan ip subnet) -o eth0 -m comment –comment “lan” -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp –dport 1198 -m comment –comment “openvpn” -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp –dport 502 -m comment –comment tcpopenvpn -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp –sport 22 -m comment –comment “ssh” -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp –dport 123 -m comment –comment “ntp” -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp –dport 53 -m comment –comment “dns” -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp –dport 53 -m comment –comment “dns” -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -j DROP
sudo netfilter-persistent save
this setup will block traffic if vpn goes down.
I think you are still missing the FORWARD drop if the VPN goes down. I believe you want iptables -P FORWARD DROP
Otherwise, if the route to the tun+ adapter failed it will try your eth0 which means it is going out unencrypted to your actual router. Test it by stopping the vpn service and checking the VPN status bar at the top of privateinternetaccess.com
The output rule you have will make traffic that originates on the Pi drop if there is an issue with the VPN so that is good.
I watched your video and checked out your post. In your video, at 18:51, you mention on your website you will post additional commands to include in the iptables. I cant find where you posted the additional info. Can you tell me where I can get the additional info?
Thanks
Jose
Yes I’m hoping for that also.
Love this …. set this up with a older laptop running ubuntu 16.04 …. works great.
i just point everything to the ip of the laptop and done.
Would love to run everything to a squid proxy first then filter what needs to be pushed to the vpn.
From looking over this again today will need to add a iptable rule to route proxy port “3128” to tun0.
But as of now I cant get it to work.
Hi Don,
Nice tutorial! What If my vpn provider has ovpn files with pem and crt included? Can i skip those steps?
Hi,
Thanks for this guide! Setup my trusty Raspberry pi B as an openvpn server last night using pivpn and your guide so that I can connect my home devices to the pivpn tunnel to ipvanish. This works very well. Just had to vary the PIA instructions to suit IPVanish. (just a note for others trying this with IPVanish, IPVanish doesnt require a .pem file to work.
Killswitch seems to work and very happy with the setup so far.
Worked first time!
Did a top when tunnel was being heavily used for download and it spicked to about 37%.
Thanks again
does not work. Have only the tunnel in vpn test, after brake it or reboot it is away
I have had this running for over six months and it has been working flawlessly until recently when I had to upgrade my connection from HFC to Australias new NBN-HFC which came with a new Modem. Since the new modem was installed the openvpn@AU service drops after approx 5-10minutes.
I have done a full reinstall on the PI with the latest version of Jessie and I am still having the same results so I am thinking that it must be an issue with the modem but I am stuck with this modem due to the fact it has inbuilt VOIP and I am unable to change it for something else without a lot of mucking around.
Is there a way to get the client to restart automatically if it drops the connection without me having to do it manually?
Any other thoughts would be appreciated.
I had a lot of problems to setup a static IP in Raspbian Stretch as your example did not work for me:
auto lo
iface lo inet loopback
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 8.8.8.8 8.8.4.4
But there are some good tutorials on the net to do this.
This did the trick for me:
https://www.youtube.com/watch?v=B_vGNCCkEuc
Hope this helps someone.
I have successfully completed this tutorial, and I now have PIA running through my pi just fine. As I have a 3b+, I have also been able to set it up as a wireless AP. The issue that I am having is that while traffic on the pi itself is going through the VPN tunnel, when I connect other devices to the AP, they are about to get internet access, but the traffic is not going through the VPN tunnel. It’s going straight out to the internet. Does anyone know of a way to make that work? I would really appreciate it.
Have you received a reply regarding this? I am facing the same issue.
is there a way to direct wlan traffic through the vpn , but eth traffic NOT. ?
I visit everyday some blogs and information sites to read content, however this webpage offers feature based writing.
Hi all, Don,
I found this guide and got my vpn router on old asus eeecpc.
I have a problem right now: netflix.
If i use the new gateway, netflix replies me to deactivate unblocker and block any content.
My question is: can I configure iptables to forwarding only netflix traffic to my ISP instead through VPN?
Tnx in advance.
Roberto
Hi Don
When I edit /etc/network/interfaces of my RBPi,,,
Something is writen…
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and ‘man dhcpcd.conf’
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Should those be erased ?
Hi Don
When I edit /etc/network/interfaces of my RBPi,,,
Something is writen…
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and ‘man dhcpcd.conf’
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Should those be erased ?
For anyone having issues with the first step. Here is what you do. You need to change a different file as raspbian has changed a few things since the time of this tutorial
you need to edit this file instead:
sudo nano /etc/dhcpcd.conf
then add the following at the top of the file, remember to make sure its your IP address and the 111 is any number valid within your IP range that you can choose:
interface eht0
static ip_address=192.168.111/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8 8.8.4.4
ctrl-x to exit
Y to save
Now reboot and follow the rest of the tutorial.
I can confirm this works great with no IP or DNS leaks.
——————————————————————-
If you are unsure of your IP or router setting you can check them with this command
cat /etc/resolv.conf
this will output the following and it is your static routers setting.
nameserver 192.168.1.1
and this command:
ip -4 addr show dev wlan0 | grep inet
will be your IP range and it will look something like this as an output (which might be different depending on your router) In this case you can choose any number between 192.168.1.1 & 192.168.1.255:
inet 192.168.1.1/24 brd 192.168.1.255
Great write up. I had been pulling my hair out for a long time trying to get this to work.
The killswitch does not appear to work for me. If I issue a ‘sudo killall openvpn’ to the pi, then there is a non-VPN connection to the internet.
I’ve now been using this for a couple of days and it doesn’t appear to be very stable or reliable. The connection drops and doesn’t automatically reconnect and the killswitch doesn’t work, resulting in a connection straight to my ISP without any VPN.
What about these DNS Leaks?
I also read here about it: https://dietpi.com/phpbb/viewtopic.php?f=15&t=3074#p12318
Putting some lines to /etc/openvpn/PIAvpn.conf
These lines at the bottom:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
And test for leaks.
i have added this role to reach my local network from outside
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Hey!
Is there a way a client can retrieve a DNS from the OVPN-Host? Or only use him as “gateway”? :/
Thanks
asking myself the same. regarding other users and youtube comments: this blog is propably dead and just left to earn some cash
Hi, this was a great guide and I got all setup and running. The only issue I’ve currently encountered has been IPv6 leaks and I’m curious how to plug those up with my Pi VPN router that I’ve now setup. Any help would be greatly appreciated. Thanks
I too am now getting a DNS leak. I followed this tutorial before without issues. My RPI was constantly leaking so I decided to do a fresh install. Could we maybe get an updated tutorial? Thanks in advance.
I have found the best way to stop the DNS leak is to put in the PIA DNS as both your primary and secondary DNS into your Pi. This fixes the leak.
209.222.18.222 and 209.222.18.218
Zach.
Due to the complexity of IPV6 I wouldn’t worry about that leak to much but having said that PIA blocks IPV6 traffic because most IPV6 requests default to traffic outside the VPN tunnel. Best bet is to disable IPV6 on the Pi.
Used this guide after watching the Youtube video. Worked flawlessly first time. Pointed my geo-locked mediabox to it and we’re away. Raspberry Pi 1b+ hovering at ~5% CPU while streaming.
You need to specify:
push “redirect-gateway def1”
to push all traffic via VPN tunnel. I dont think you need to mesh around with dhcpclient.conf or /etc/network/interfaces
in your server configuration fille (not in your client configuration file).
If you specify:
push “redirect-gateway def1 bypass-dhcp”
to push ONLY DNS traffic. Once your machine receives IP address of the webserver machine you are trying to visit, your machine and the webserver machine will be connected via your ISP outside VPN tunnel. So although ISP only sees the IP address of the web server you are trying to visit, not knowing the web address name, e.g., hotmail, youtube, cnn, etc, they have large libraries of IP address and web server name that they can use to figure out the webserver you were visiting. This is the information they take from you and sell it to the third party.
Hi there im taking a error ”TLS handshake failing” with the command (sudo openvpn –config /etc/openvpn/US.conf) any ideas pleassssse
Hey Don,
Thanks for the guide. I have used it more than once now.
But I am just now finding out that the kill switch is not working as it should. I tested this by starting a torrent downloaded after it begin downloading I turned off the OpenVPN service, and the download continue to download without stopping. I checked to make sure that I had all of the iptables added that you had in the post.
Is there an updated list of iptables for the kill switch?
Thanks,
Slaier
Hi
Great tutorial.
Can we do this, with OpenVPN server installed in rpi?
Thank you very much. It works for me!! Yay. 2022.
However, the Ip in my raspberry is now the same as the PIA. Is it possible to keep the internet directly in the raspberry, not through PIA. I just wanted other devices to be connected via PIA
Hi
Great tutorial.
Can we do this, with OpenVPN server installed in rpi?
Hi Don,
I’ve been referring to your guide since couple of years now, and recently I wanted to redo this project as all versions changed a bit (debian, openvpn, isc-dhcp-server…) and even PIA now provides a compile app we can just download and run on rpi.
My question is thus: would this guide still apply even today ? If not, would it be possible to update that guide please to its latest 2024 version 🙂 ?
Looking forward for reading from you, I do thank you in advance for your feedback.
Regards,
David