VPN Wi-Fi Hotspot with Raspberry Pi
TL;DR: I explain here how to set up a home Wi-Fi network, which routes all traffic through a VPN, using a Raspberry Pi.
No one wants to be tracked or sniffed while browsing, even those who "have nothing to hide".
One of the ways to hide your traffic is to use a VPN. But connecting to it and disconnecting from it can be annoying. So, I want to set up a home Wi-Fi network that automatically routes browsing through the VPN for every device connected to it.
There are already many VPN providers out there; the goal of this post is not to compare them. We just need one that supports OpenVPN.
Any Raspberry Pi OS will do. I recommend using the Lite version.
Some of the values are based on the home network 192.168.0.0/24.
Add to /etc/network/interfaces:
Add this to /etc/resolvconf.conf to prevent DNS leaks:
Make sure it works:
Copy the .ovpn file you get from your VPN provider to the Raspberry Pi and then copy it to the OpenVPN configuration:
Add your credentials in /etc/openvpn/login (each on a separate line):
and secure them:
You are now ready to test the VPN:
(Ctrl-C to stop)
Enable the OpenVPN service to connect to the VPN on startup and restart:
Check your IP address (to make sure you are connected):
In case the VPN connection is dropped, you might want to block any access to
the Internet with your real IP address. This can be achieved with a "kill switch" - it
won't allow any Internet traffic outside of the VPN.
Allow loopback device (localhost):
Allow all local traffic:
Allow VPN establishment. Only 2 ports will be open - 1 for DNS and 1 for VPN:
Accept all TUN connections (tun = VPN tunnel):
Set default policies to drop all communication unless specifically allowed:
Persist the iptables configuration after rebooting:
(You will be asked to confirm this. Choose Yes for both IPv4 and IPv6.)
Test the kill switch - the ping should not work while the OpenVPN service is stopped:
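The kill-switch rules described above (loopback, local traffic, DNS and VPN ports, tun, default drop) written as one IPv4 ruleset in iptables-restore format, with a small audit function. This is an added example, not the original post's commands. The OpenVPN endpoint on UDP 1194 and DNS on UDP 53 are assumptions; the LAN is the 192.168.0.0/24 home network mentioned earlier.

```shell
#!/bin/sh
# Added example: IPv4 kill-switch ruleset in iptables-restore format.
# Assumptions (not from the original post): OpenVPN on UDP 1194, DNS on UDP 53.
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # home network used in the post
VPN_PROTO="${VPN_PROTO:-udp}"          # assumed; check "proto" in your .ovpn
VPN_PORT="${VPN_PORT:-1194}"           # assumed; check "remote" in your .ovpn

# Prints the ruleset; nothing is applied to the running firewall.
killswitch_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s ${LAN_NET} -j ACCEPT
-A OUTPUT -d ${LAN_NET} -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A OUTPUT -p ${VPN_PROTO} --dport ${VPN_PORT} -j ACCEPT
-A INPUT -p ${VPN_PROTO} --sport ${VPN_PORT} -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
EOF
}

# Reads a ruleset (iptables-save format) on stdin, prints each finding, and
# returns 1 if a chain policy is not DROP or an OUTPUT ACCEPT rule is unscoped.
audit_killswitch() {
    awk '
        /^:(INPUT|FORWARD|OUTPUT) / && $2 != "DROP" { print "policy not DROP: " $1; bad = 1 }
        /^-A OUTPUT / && / -j ACCEPT/ && !/ -o (lo|tun)/ && !/ -d / && !/--dport / {
            print "unscoped OUTPUT accept: " $0; bad = 1 }
        END { exit bad + 0 }
    '
}

killswitch_rules
```

Piping the output into `iptables-restore --test` parses the ruleset without committing it, and `iptables-save | audit_killswitch` checks the live IPv4 rules. IPv6 is filtered separately by `ip6tables`, so these rules do not cover it.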
This basically turns your Raspberry Pi into a Wi-Fi router. Install hostapd:
Install dnsmasq (for a DHCP server):
Configure the wlan interface in /etc/network/interfaces. The Wi-Fi network will be 192.168.4.0/24.
Enable IPv4 routing in /etc/sysctl.d/routed-ap.conf:
Allow forwarding in iptables:
Configure the DHCP server in /etc/dnsmasq.conf:
Unblock the WLAN if it is blocked:
Configure the new Wi-Fi network in /etc/hostapd/hostapd.conf:
And set the config in /etc/default/hostapd:
At this point you should have a new Wi-Fi network. Connect with your device(s) and check your IP address.