This article will show you how to use a Raspberry Pi as a secure VPN Wi-Fi router. We shall use RaspAP, which is a much easier way to configure your wireless AP than using hostapd. Finally, we shall explain how to secure your Wi-Fi AP (Access Point) with a VPN (namely OpenVPN and NordVPN).

Setup for a Wireless AP

Components Required

Software:

Hardware:

  • A Raspberry Pi 4, 3, or Zero W (4 and 3 are preferred). Here, we are using a Raspberry Pi 3B.

2. VPN Wi-Fi Access Point Setup

We used RaspAP with a Raspberry Pi 3B and its integrated network interfaces, with the Ethernet port connected to the wireless router. This served as an internet gateway.

3. Installing Raspberry Pi OS Buster Lite on the microSD card

Make sure you download the current version of Raspberry Pi OS Buster Lite from here. Once you have the image, you can write it onto the microSD card. The most convenient way to do so is to use Raspberry Pi Imager and follow these steps:

  1. First, connect your microSD card to your PC
  2. Choose your operating system (Raspbian in this case), your SD card, and let the software confirm and verify your settings.
  3. Click on ‘Write,’ and the process will be completed depending on the OS and the speed of your microSD card. Mount it again immediately to prepare the OS for remote access.

4. Headless Boot Operations

We shall explain how to assign a headless static IP address to your Raspberry Pi. This can be done in 3 simple steps, after which you can remotely access your Wi-Fi connection. Best of all, it’s free!

  1. Creating a wpa_supplicant file

Create a text file named wpa_supplicant.conf in the same drive and paste the following. This is used to connect to the Wi-Fi for the first time.

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=US
network={
    ssid="mywifissid"
    psk="mywifipassword"
    key_mgmt=WPA-PSK
}

Note: set country to the code of your own country of residence. ‘mywifissid’ is the name of your Wi-Fi network, and ‘mywifipassword’ is its password. The key_mgmt should be set to NONE if you don’t have a password for your Wi-Fi.

2. Finding out the IP Address of the Pi and Assigning Static IP address

Usually, once the Pi has connected to the router, you can find its IP address (which you need for SSH) by checking the router, as most routers list the IP addresses they have assigned.

Assigning Headless Static IP 

However, we recommend that you assign a static IP address (which can be done in headless mode, i.e., without the use of your computer or monitor, since we are using Raspbian OS) to your Pi. You can do this by assigning an IP address to a MAC address in the DHCP server of the router. This is because:

  • Once done, the IP address of your Raspberry Pi will always remain the same, and we don’t need to configure it within the OS.
  • The DHCP server doesn’t assign this IP address to any other device. This also means that DNS servers are also assigned to the Pi through the router.
  • Thus, you can assign this static IP at the time of the 1st bootup and it will automatically show up and connect to the home Wi-Fi with the assigned address. 

Once you find out the IP address, you should be able to have remote access. In our case, the IP address was 192.168.1.3. Hence we now enter the following command into the terminal:

ssh pi@192.168.1.3

When SSH prompts for a name and password, they are pi and raspberry, respectively.

Once through this step, we recommend that you change the password for the user pi immediately. To do so, either use the command:

passwd

or open the Pi configuration and enter the following:

sudo raspi-config

This command opens the command-line configuration tool, and since the necessary settings are already displayed, any changes (including the country settings) can be made right away.

3. Creating an empty SSH file for remote login

We create an SSH file so that we can gain remote login access without having to go back to our monitor/PC. Creating an empty file named ssh, without an extension, on the boot partition is easy on Linux. First, all you need to do is provide your Wi-Fi name and password. Then, to create the empty ssh file, use the command:

touch ssh

Once the file is created on the boot partition, the SSH server is activated and you can access the OS via Secure Shell (SSH). No further configuration is needed if your Pi is already connected via an Ethernet cable, because the Pi is assigned an IP address by the DHCP server of the router. This is the setup that has been used in our case. Usually, Raspberry Pi runs a DHCP server for the wireless network. In case it isn’t assigned, we need to create a separate file for that, which might complicate the process a bit.

5. Updating Raspbian

We need to check for updates, should there be any. To do so, enter the following commands into the terminal:

sudo apt update
sudo apt dist-upgrade
sudo reboot

To get the updates running, you have to restart your device and reconnect to the Pi via your SSH. Once updated and restarted, we can now use RaspAP to convert it into a Wireless AP.

6. Installing RaspAP onto your system

Now let us move on to the fun stuff! We need to install RaspAP before we can finally configure our AP. The command to install RaspAP is:

wget -q https://git.io/voEUQ -O /tmp/raspap && bash /tmp/raspap

Although this is more than sufficient for you to install RaspAP, we still provided you with the link so that you can download from the source, should you choose to do so.

Now, during the installation, you will be prompted with two questions:


Do you want to continue? [Y/n]

The next question that is prompted to you is:

Enable HttpOnly for session cookies (Recommended)? [Y/n]

After that, you will be prompted to enable control services:

Enable RaspAP control service (Recommended)? [Y/n]

For all these questions, enter y to agree to enabling the respective services.

With this, you have successfully installed RaspAP onto your system. As a final step, you will have to reboot your system, for which you will be prompted:

The system needs to be rebooted as a final step. Reboot now? [Y/n] 

After doing so, you can now properly configure your RaspAP’s IP address. A major advantage of using RaspAP is that the side menu gives you a list of all the configurations you may need to do so, in the order of configuring. So, we can adopt a step-by-step approach to configuring our Raspberry Pi with much ease. Just complete one part and move on to the next setting, and within no time, your Raspberry Pi will be up and running!

7. The IP address of your RaspAP hotspot

The default hotspot gateway for your RaspAP is 10.3.141.1. Its DHCP range is pre-configured with IP addresses from 10.3.141.50 to 10.3.141.255. This is done so that it does not interfere with the other network (whose IP address was 192.168.1.3). Thus, we can see that a static IP address is already added by default to the AP, and we do not need to configure hostapd by hand for such purposes.

By default, the SSID name is raspi-webgui, and the password is ChangeMe. Once logged in, the hotspot AP is ready to use. If you wish, the password and the SSID can be changed in the web GUI, which we will cover in the next section.

8. The web GUI of RaspAP

  1. Configuring your hotspot and networking

The configuration of your hotspot can be completely done via your browser. This can be done in two ways. Either you use the URL 10.3.141.1 and log into your hotspot, or you are on another network (say your home network), and you open the admin interface with the URL 192.168.1.2.

By default, you log in with admin and secret. We advise you to replace the default passwords with your own and then configure the hotspot to suit your needs. The DHCP server can also be configured via the web GUI.

Under Configure hotspot > Basic, you can set how the Pi hotspot should be found. Once done, you can check the IP address that the Raspberry Pi AP has assigned to your device; pinging a website from a terminal will then confirm that you are accessing the internet via your RaspAP.

The password of your hotspot can be changed under Configure hotspot > Security. A reason to do so is to upgrade your security to much more secure network protocols to fully protect your AP. One such upgrade you could choose to do is use WPA+WPA2 or WPA2+PSK instead of WPA.

  2. Configuring DHCP server

All settings for the Dynamic Host Configuration Protocol (DHCP) server are under Configure DHCP Server. Here, you can configure the server settings: the Interface (we have set it to wlan0), the Starting IP Address and the Ending IP Address (usually 10.3.141.50 and 10.3.141.255, as in our case), the Lease Time, and the Interval (in hours). We can then save these settings once they suit our needs.

In most cases, though, we do not need to change anything as the default settings are more than enough to serve our purpose. Other settings we can configure are Static Leases and Client Lists. Lastly, should you choose to do so, there is even an option of stopping dnsmasq.

  3. Additional Settings

The RaspAP software additionally allows you to access an in-built console under the System settings. The major drawbacks to this are that there is no root access, and you cannot switch with sudo. Thus, we recommend that you manage your OS solely via SSH.

You can also change the theme of your software via the Change Theme setting in the terminal! There are a few options for themes to choose from, and even old-school retro-styled themes back from the Macintosh days of computing for a nostalgic trip while you set your newly configured Raspberry Pi AP!

  4. Dashboard

Under the Dashboard in the web GUI, you can see all your important settings and information at a glance. Information such as your Interface name, IPv4 Address, Subnet Mask, IPv6 Address, and Mac address are all displayed here.

9. Changing DNS server of RaspAP hotspot

RaspAP uses 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google) as its DNS servers. These are stored in the file /etc/dhcpcd.conf, which you can open from the command prompt. The relevant entries are:

interface wlan0
static ip_address=10.3.141.1/24
static routers=10.3.141.1
static domain_name_server=1.1.1.1 8.8.8.8

Here, you can change your server settings. For example, if you run the ad blocker Pi-hole in your network, RaspAP can be set to use it as a DNS server. FreeDNS is another great alternative.

With this, your Raspberry Pi has successfully been converted into a wireless AP! Now the next step is to add a VPN to your router. Before we do so, we must first make sure which VPNs are actually compatible with the Pi device. In theory, any ovpn file provider works. And the two best VPN clients available on the internet are:

We shall discuss the procedures for installing both of these on your Pi device so you can have a better and more secure internet experience.

Procedure for Setting up OpenVPN

1. Install OpenVPN

To install the OpenVPN on your Raspberry Pi, enter the following command in the command prompt:

sudo apt install openvpn

2. Testing the VPN

To test your VPN, first open your auth.txt file (which should be in the same directory as the ovpn file) and enter the username and password in it. Then modify the auth-user-pass line in your ovpn file so that it reads auth-user-pass auth.txt:

client
dev tun
proto udp
remote 194.36.110.213 1194
resolv-retry infinite
remote-random
nobind
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server

auth-user-pass auth.txt
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
.
.
.
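Because auth.txt holds the VPN password in clear text, it is worth checking the profile and the credentials file before connecting. The script below is an added example, not part of the original article: the function names, the sample file names and the dummy credentials are constructed, and it assumes a relative auth-user-pass path sits beside the profile as described above.

```shell
#!/bin/sh
# Added example: lint an .ovpn profile and its credentials file before use.
# Assumption: a relative auth-user-pass path is resolved beside the profile.

# write_sample DIR: constructed profile and auth.txt with dummy credentials.
write_sample() {
    printf '%s\n' client 'dev tun' 'remote-cert-tls server' \
        'auth-user-pass auth.txt' > "$1/client.ovpn"
    ( umask 077; printf '%s\n' demo-user demo-pass > "$1/auth.txt" )
}

# check_profile PROFILE: prints one line per problem, returns 0 if none.
check_profile() {
    profile=$1 problems=0
    dir=$(dirname "$profile")
    flag() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # A bare "auth-user-pass" makes OpenVPN prompt interactively instead.
    authfile=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$profile")
    case $authfile in
        '') flag "auth-user-pass names no credentials file" ;;
        /*) ;;
        *)  authfile=$dir/$authfile ;;
    esac
    if [ -n "$authfile" ] && [ ! -f "$authfile" ]; then
        flag "$authfile not found"
    elif [ -n "$authfile" ]; then
        # Line 1 is the username, line 2 the password.
        [ "$(grep -c . "$authfile")" -eq 2 ] ||
            flag "$authfile must hold exactly two non-empty lines"
        # The password is stored in clear text: no group/other access.
        [ "$(ls -ld "$authfile" | cut -c5-10)" = "------" ] ||
            flag "$authfile is group/other accessible; run chmod 600"
    fi
    # Without this the client does not require a server-type certificate.
    grep -Eq '^remote-cert-tls[[:space:]]+server' "$profile" ||
        flag "remote-cert-tls server is missing"
    [ "$problems" -eq 0 ]
}

# Demo on the constructed sample.
tmp=$(mktemp -d) && write_sample "$tmp" &&
    check_profile "$tmp/client.ovpn" && echo "sample profile: OK"
rm -rf "$tmp"
```

Run it as check_profile /path/to/your.ovpn after saving the profile and auth.txt.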

Procedure for Setting up NordVPN

NordVPN is one of the best VPN software out there, which offers a 30-day money-back guarantee if your VPN does not work on your Raspberry Pi.

1. Install NordVPN

Log into your device via SSH (headless boot). Then download the deb file from NordVPN:

wget -c https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn-release_1.0.0_all.deb

Install the deb file (i.e., unpack it) via the shell prompt:

sudo dpkg -i nordvpn-release_1.0.0_all.deb

Install the Linux client of NordVPN

sudo apt update
sudo apt install nordvpn

Enter y when prompted.

2. Setting up the NordVPN Linux Client

  1. First, log in to the client with your credentials from NordVPN using:

nordvpn login

2. The Linux client of NordVPN provides something called Whitelist. We added port 22 to be on the safe side for accessing SSH.


nordvpn whitelist add port 22

3. The settings can then be reviewed by entering the command:

nordvpn settings

4. Connect to NordVPN by entering the following command:

nordvpn c

3. Changing iptables

  1. The Linux client of NordVPN modifies iptables, and this can be seen with the following command:

sudo iptables -S

2. This means that devices connecting to the Pi hotspot are no longer assigned an IP address! Thus, we need to enter the following commands so that the hotspot again assigns us an IP address:

sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT

3. But since the internet traffic is not yet routed, we must also enter the following iptables rules:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
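To confirm that the three rules above are actually loaded, you can audit a saved rule dump. The script below is an added example, not part of the original article: the function name and both sample dumps are constructed, wlan0 and tun0 are taken from the commands above, and it goes slightly further than those commands by also flagging rules that send hotspot traffic out of an interface other than the tunnel.

```shell
#!/bin/sh
# Added example: audit a saved rule dump for the three rules above.
# Input is the combined text of `sudo iptables -S` and `sudo iptables -t nat -S`.

# Constructed sample dumps so the check runs offline.
GOOD_DUMP='-P FORWARD ACCEPT
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
-A POSTROUTING -o tun0 -j MASQUERADE'

LEAKY_DUMP='-P FORWARD ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# audit_rules DUMP [HOTSPOT_IF] [VPN_IF]
# Prints one finding per line; returns 0 only if there are no findings.
audit_rules() {
    dump=$1 lan=${2:-wlan0} vpn=${3:-tun0} findings=0

    # need DESCRIPTION REGEX: report a required rule that is absent.
    need() {
        if ! printf '%s\n' "$dump" | grep -Eq -- "$2"; then
            echo "MISSING: $1"
            findings=$((findings + 1))
        fi
    }
    need "NAT out of $vpn" "^-A POSTROUTING -o $vpn -j MASQUERADE\$"
    need "forward $lan to $vpn" "^-A FORWARD -i $lan -o $vpn -j ACCEPT\$"
    # Also accept the equivalent conntrack/ctstate form of the same match.
    need "replies $vpn to $lan" "^-A FORWARD -i $vpn -o $lan -m (state --state|conntrack --ctstate) RELATED,ESTABLISHED -j ACCEPT\$"

    # A rule that forwards or NATs hotspot traffic out of any interface other
    # than the tunnel lets clients reach the internet without the VPN.
    leaks=$(printf '%s\n' "$dump" |
        grep -E -- "^-A (FORWARD -i $lan|POSTROUTING) -o " |
        grep -Ev -- " -o $vpn " || true)
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks" | sed 's/^/LEAK: /'
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

audit_rules "$GOOD_DUMP" && echo "good dump: all rules present, no leak"
audit_rules "$LEAKY_DUMP" || echo "leaky dump: fix the findings above"
```

On the Pi, pass it the live rules with audit_rules "$(sudo iptables -S; sudo iptables -t nat -S)".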

4. Keeping the VPN settings permanent

The settings we have assigned so far are temporary, and we need to make them persist across reboots. A way to do so is by using a cronjob via /etc/crontab. Here are the steps:

  1. Create a script file called nordvpn.sh using the command:

nano nordvpn.sh

2. Enter the following lines:

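#!/bin/sh
# Give the NordVPN daemon time to start after boot
sleep 30

# Connect to a NordVPN server in the UK
nordvpn c UK
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
# Route hotspot (wlan0) traffic through the VPN tunnel (tun0)
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT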


We need the sleep line because the NordVPN daemon needs a bit of time after the system starts, and we recommend that you do not skip this 30-second wait. The next line, as you can imagine, connects you to a NordVPN server in the UK.

3. Make nordvpn.sh an executable file with the following command:

chmod +x nordvpn.sh

4. Finally, we put this executable at the end of /etc/crontab by using:

@reboot pi /home/pi/nordvpn.sh

5. Auto-Connecting to the VPN

This can be done using the following command, which reconnects to the VPN automatically once the device is started:

nordvpn set autoconnect on

You can also specify which country you want to auto-connect to by using the command (here, we have used the U.K. as an example):

nordvpn set autoconnect on UK