loading

There are a few different uses for VPN. Either you want to protect your privacy and private data from prying eyes or you need to source from another country. Sourcing from another country can be very useful to get access to services not provided in your country. There are a number of VPN services out there today and most of them offer easy to use software for your computer and apps for your tablet or phone. But if you have other devices not supported by the software that you want to go over the VPN? Then build a gateway that gives you internet access over the VPN.

If you look at your basic network setup you have a "default gateway" which is used for any ip-address not located in your current subnet (very simplified). So if you setup a gateway that can route internet traffic over an established VPN connection any network enabled device can take advantage of the VPN tunnel.

My major use case in my San Francisco apartment is a VPN tunnel to my native Sweden so I can stream Swedish play channels on my media players and smart TV. This is a pretty common use case for most people in need of a VPN tunnel. Since my media players and smart TV's aren't supported by the VPN software I built one out of a Raspberry Pi.

You can pick one up for under $40 on Amazon. I do however recommend that you buy a case and decent power adapter as well. For this instructable you need:

  • Raspberry Pi 2 or 3
  • A case of your liking
  • A decent power adapter
  • A network cable

Step 1: Choosing Your VPN Service

The important thing when selecting a VPN service is that it meets your requirements. For this use case I needed a VPN service with a Swedish exit point, that is the most important thing since I need the Swedish services to be convinced that I'm in Sweden. Over the years I have used several different supliers and below are the things I take into concideration when selecting the VPN supplier for the specific use case:

Free test

I want a free test period or a small amount of test data to get a feel for the software or app. Also I want to test the performance and overall experience before I pay for it. It's also nice to check that my idea will work before I start paying.

Privacy

If the implementation is for privacy concerns then it's really important what the privacy policy states. It's also important what country the company operates from and what laws are protecting your privacy. The really privacy concerned users should look at a service that states that no traffic logs are stored and allow anonymous payments via Bitcoin for example.

Allowed traffic

There might be limitations on what type of traffic you will be allowed to run. The more serious supliers usually block peer-to-peer traffic. This is not only to avoid legal issues but to be able to maintain performance for all users. There are how ever a lot of good suppliers out there that allows peer-to-peer and still deliver a high quality service. But if that isn't your main recuirment I recommend to select a service that doesn't allow peer-to-peer.

Data cap

Never use a service who keeps a data cap over their paying users. This will just run out at the worst possible time exactly like the data on your phone just before the funny part in a video clip!

Exit countrys

Depending on the use case this has different importance. For a use case like mine, where I need to end up in a specific country, of course that needs to be on the list. I also need to be allowed to select which country I exit in. There are services where you are unable to select exit country, stay away from those. You can end up in a country with bad performance or privacy laws. Even if you don't need a specific country you should still select a service with a few different countrys to show from to be able to find one with good performance.

Type of software and support

This is one of the main reasons why I prefer services with a free test. There are so many providers with bad software that are buggy, insecure or just don't work. For a Raspberry Pi implementation I need a provider that supports OpenVPN.

My selection

For this build I went with Tunnel Bear. A free test up to 500GB is offered so I could test that I could actually stream before I payed anything. They are based in Canada which, next to Sweden, have some of the strongest privacy laws in the world. No data cap on payed service and I'm also allowed to have several devices connected at once. So protection for my phone, tablet and computer while traveling on unsecure wifi is sorted as well. Exit node in Sweden is supported, it's actually provided via Bahnhof which is known for strong privacy in Sweden. For the payed plans they offer OpenVPN support. They do not for the free test but it was enough to run that from my laptop to make sure that the streaming services worked.

Step 2: Install the Raspberry Pi

For implementations like this I use the Raspbian Lite operating system. Since I have no need for the GUI at all. You can get the latest release here.

I use Win32DiskImager to load the .img file on the SD-card for the Raspberry Pi.

Once the Raspberry Pi have booted I look in my routers DHCP list to get the IP-address and then connect over SSH with Putty. Standard username and password are pi/raspberry

Once connected I run the raspi-config tool to change the basic settings.

sudo raspi-config

The most importent things to take care of in this config is:

  • Expand file system
  • Change password

You can also change the hostname of your Raspberry Pi if you like. My DHCP have very long leases and I can also reserve a specific address. If you don't have that ability you have to configure the Raspberry Pi to use a static IP-address. Since other devices will use this as there default gateway it is important that it keeps using the same IP-address. Here is a post I wrote about setting a static IP in Raspbian Jessie.

Then we need to upgrade everything to the latest version:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

Step 3: Install OpenVPN

Now we need to install OpenVPN on the Raspberry Pi.

sudo apt-get install openvpn

When the installation is finished we need to copy the OpenVPN config files and certificates to the box. This will be provided to you by your VPN provider. In my case, using TunnelBear, I found there blog post about Linux Support. On that page there is a link to zip file containing everything we need.

The file contains the certificate files and a .opvn configuration file for each country you can tunnel to. You need all the certificate files and the .opvn configuration file for the country of your choice, in my case Sweden. Unzip the files needed and the use winscp to upload the files to your Raspberry Pi. The same username/password as used for SSH will bring you to /home/pi, just drop the files there.

Then we go back to the SSH terminal and move the files over to the OpenVPN folder. First command is just to make sure we are in the /home/pi folder.

cd /home/pi<br>sudo mv * /etc/openvpn/

Now we need to do some modifications to the files. First we need to rename the configuration file from .ovpn to .conf. Any file ending in .conf in the /etc/openvpn folder will automatically start when the OpenVPN daemon is started. First we need to get into that directory.

cd /etc/openvpn

Then we change the name of the config file. You can name it anything you want as long as it ends in .conf. I prefer to use file names without blank spaces, in this case I'm going with swe.conf.

sudo mv *.ovpn swe.conf

Then we need an authentication file containing the username and password used for the VPN tunnel. Open up a text editor and write the username and password on separate lines. We will call this file auth.txt.

sudo nano auth.txt

The content should be like this example:

username
password

Then use CTRL + O to write to the file and the CTRL + X to exit the nano text editor. Then we need to edit the config file to make sure all paths are correct and add a reference to the newly created auth.txt file.

sudo nano swe.conf

The lines that needs to be changed are the ones referring to other files, they need to be absolute paths. In this example this is what we are looking for:

ca CACertificate.crt
cert UserCertificate.crt
key PrivateKey.key

We change them to absolut paths like this:

ca /etc/openvpn/CACertificate.crt
cert /etc/openvpn/UserCertificate.crt
key /etc/openvpn/PrivateKey.key

Then at the end of the file we add a reference to the auth.txt file, like this:

auth-user-pass /etc/openvpn/auth.txt

Once again we use CTRL + O to save the file and then CTRL + X to exit nano. Now we can restart the OpenVPN daemon and see that the tunnel is working.

sudo service openvpn restart 

If you run the command ifconfig you should see a tun0 adapter in addition to your eth0 and lo adapters if the tunnel is up. You can also run the command this command to check your public IP:

wget http://ipinfo.io/ip -qO -

If you are having issues getting the tunnel up first try rebooting your Raspberry Pi and then double check the configuration for errors.

Step 4: Setup Routing

Now we need to enable IP forwarding. It enables the network traffic to flow in from one of the network interfaces and out the other. Essentially creating a router.

sudo /bin/su -c "echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' > /etc/sysctl.conf"

If you run sudo sysctl -p you should see this printed on the screen:

net.ipv4.ip_forward = 1

Now routing is enabled and traffic can go through the Raspberry Pi, over the tunnel and out on the internet.

Step 5: Setup Firewall and NAT

Since we will have several clients on the inside accessing the internet over one public IP address we need to use NAT. It stands for network address translation and will keep track on which client requested what traffic when the information returns over the tunnel. We also need to setup some security around the Raspberry Pi it self and the tunnel.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Enabling NAT.

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Allowing any traffic from eth0 (internal) to go over tun0 (tunnel).

sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Allowing traffic from tun0 (tunnel) to go back over eth0 (internal). Since we specify the state RELATED,ESTABLISHED it will be limited to connection initiated from the internal network. Blocking external traffic trying to initiate a new connection.

sudo iptables -A INPUT -i lo -j ACCEPT

Allowing the Raspberry Pi's own loopback traffic.

sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT

Allowing computers on the local network to ping the Raspberry Pi.

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Allowing SSH from the internal network.

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allowing all traffic initiated by the Raspberry Pi to return. This is the same state principal as earlier.

sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP
sudo iptables -L

If traffic doesn't match any of the the rules specified it will be dropped.

sudo apt-get install iptables-persistent
sudo systemctl enable netfilter-persistent

First line installs a peace of code that makes the iptable rules we just created persistent between reboots. The second one saves the rules after you changed them. This time it's enough to run the first one. If you change the rules run the second one to save. Iptable rules are in effect as soon as you add them if you mess up and lose access just reboot and the ones not already saved will revert.

Step 6: Conclusion

Now you can use this tunnel from any device or computer on the same network. Just change the default gateway to whatever IP-address your Raspberry Pi has. In my case both my Kodi media centers (one bedroom and one livingroom) uses this connection so I can stream my Swedish play channels. Of course there are other things you can use this for as well.

Just keep in mind that depending on the VPN supplier you chose and the speed of your internet connection there might be slow performance.

If you have any questions or want me to clarify anything let me know in the comments! For more tech post please visit my blogg Hackviking!

<p>Excellent tutorial.</p><p>Stuck at the end of step #3.</p><p>Open VPN reports </p><p>TLS key negotiation failed yo occur within ...</p><p>TLS handshake failed</p><p>OpenVPN status is active (exited)</p><p>Can you help me get past this?</p><p>I believe I re-checked all the steps and configs</p>
There are a few common issues that can cause this. You can read more here: https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html
<p>How about split VPN tunnelling? Web browsing traffic / torrents over VPN and everything else is bypassed?</p>
Then you would have to make the Pi your main router and have configurations for what traffic should go where. It can be done but is a much more complex setup that I wouldn't do for two reasons.<br><br>1. It will take a lot of maintenance and testing to make sure you don't have a DNS leak or similar that will expose your traffic.<br><br>2. Depending on your internet connection the Pi isn't powerful enough to give you all the speed.
<p>Hey, thanks for a great tutorial - got the pi up and running as instructed.</p><p>However, my devices connect to the LAN via my router and if i redirect the gateway to the pi i don't receive an IP.</p><p>So how would you configure a wireless laptop to go via the pi/vpn/router?</p><p>Thanks again.</p>
<p>Just give it a fixed IP address in the same subnet and it should work just fine. A more &quot;sexy&quot; approach would be to add a DHCP server to the Pi but that would require some more work. </p>
Hi ! Thanks for your tuto !<br>I've installed OpenVPN with PiVpn on my RPI3 (with Raspbian Pixel) and it works.<br>I'd like to access to my local wifi printer from anywhere : when I try tp print something, it says that the printer is out of connection.<br>Note that I can ping it from outside...<br>Do you have a idea of the way to do it ?<br>Many thanks.
<p>Are you sure that the printer is setup with the correct IP when you added it to windows? It might get another IP over the VPN. Try to add it again over the VPN.</p>
<p>Great tutorial and idea for the Raspberry pi. However is this still working for you, I was trying out TunnelBear and they are not compatible with Netflix anymore (are you getting the same issue?) I am currently trying with NordVPN but running in to some issues when sudo openvpn file_name (currently working with the IT team, but maybe you would like to give it a try https://nordvpn.com/tutorials/raspberry-pi/openvpn... <br>Keep up the great work!</p>
<p>Hi, haven't had any issues so far. Not a daily user my self to be honest. Every now and then the outgoing IP's get blocked but they usually sort it out fairly quickly.</p>
<p>What a great tutorial. Exactly what I needed/wanted. Works great with my Apple TV. Small thing missing in the tutorial; SSH is off by default so you have to know how to enable it on a headless install.</p>
<p>I've set this up and configure Windows 10 succesfully to route internet traffic via the PI, I need to know how to do the same for android but after following suggestions of modifying the Wifi connection and using the PI IP as the gateway the Wifi connection fails and disconnects.</p>
It might be that the android doesn't accept changes to the settings supplied by the DHCP. Try changing the config that the DHCP assigns to the clients.
<p>Thanks for the reply, no matter what I did it wouldn't work, I think I messed up somewhere along the way, I changed my router other to a 192.168.2.0 network from the 10.0.0.0 it was, wiped the PI, then set it up again, it now works flawlessly along with dnsmasq serving DNS, I do have a couple of ROKU's which don't have manual configuration though so I guess I'll have to use the PI to handle DHCP instead of the router?</p>
<p>If your router doesn't allow you to set specifics then you have to use a secondary DHCP. </p>
could you possibly help me get started
Were are you stuck?
<p>Excellent tutorial, works very well!</p>
Thank you!
<p>Great use for a Raspberry Pi.</p>