Setting up a Raspberry Pi as a VPN router (Updated)

I’ve decided to update the VPN router on my home network using a Raspberry Pi 2, and I’m quite impressed at how well it works. I was previously using a HomePlug AV adapter but found this to be a bit of a network bottleneck. So now my Raspberry Pi 2 is connected directly to my router using an Ethernet cable.

Previously, I installed a DNS server (Unbound) as a caching recursive DNS server; this service resided on the same machine that I ran my VPN router on. Now, however, after a bit of research, I’ve decided to let my VPN’s DNS servers answer all the requests from my VPN-connected devices.

I now run a separate DHCP/DNS server on my home network (DNSMasq) with a DNSCrypt wrapper that encrypts all the DNS requests that don’t go through my VPN Router.

Home VPN Setup

What you need

You will need some knowledge of networking and/or some IT knowledge.
A Raspberry Pi 2 or 3 running the current Raspbian Jessie Lite – 2016-03-18.

Configure a static IP address

The new version of the dhcpcd daemon included in the Jessie image doesn’t seem to read /etc/network/interfaces as it used to. So if you configure a static IP in the usual way, you’ll end up with 2 IP addresses.

The workaround is to configure a static IP address as you would normally, then disable the dhcpcd daemon. Then if you decide later to provision your Pi for something else, it’s easily reversible.

The above shows that the router’s IP address (Gateway) is, yours may be different, so remember to change it to suit your circumstances. You may well have to change the network address if your network address differs from mine, which is

Setting up your VPN server

Next, you need to install openvpn on your Raspberry Pi and test it. I’ve provided an extensive list of VPN providers in the references section (right at the bottom); feel free to choose one after installing openvpn (make sure the VPN provider you choose supports openvpn).

First off, you need to install openvpn. You can do this by typing the following at the prompt.

After you’ve installed openvpn, you’ll need to choose a VPN provider. Ensure that the one you choose supports Linux and OpenVPN. If it’s a good provider, they will provide you with the option of downloading an OpenVPN configuration file, which should have the extension (.ovpn). After you’ve downloaded the file to your Raspberry Pi, change the extension to a (.conf) extension and copy it to the “/etc/openvpn/” directory of your Raspberry Pi.

Test that the VPN actually works.

If it’s working as expected, then press ctrl-c to exit.

Enable VPN after reboot

You should get a message similar to this (see below); the “your_vpn_provider@” will of course be what you’ve called your file.

Fire-walling the interface and enabling forwarding

Below is the shell script that I wrote (with the help of online resources). What it does is firewall the tunnel interface and the internal eth0 interface. In the event of the openvpn daemon shutting down, or the connection to your VPN provider going down, all traffic stops being forwarded.

The only parts that will need to be changed are the “Home_Network” variable, which is currently set to my home network ( and the VPN_DNS variable, which holds the DNS servers supplied by your VPN provider. Download the script (or cut and paste) to your Pi.

To change permission on the script (make it executable), type the following.

Run the script and apply the firewall.

I want to make the firewall rules persistent, so I’m going to install a package called iptables-persistent.

Make the rules apply at startup

If at any time you re-run the script after updating or changing it, then you will have to re-run the iptables-persistent program, to apply the updated rules after reboot. The command for that is.
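The fail-closed forwarding policy described in this section, as an added example rather than the author's script: one function prints an iptables-restore ruleset whose FORWARD chain defaults to DROP and accepts LAN traffic only through the tunnel, and a second function checks that property. The function names, the interface names (eth0, tun0), the network 192.168.1.0/24 and the resolver 10.8.0.1 are constructed sample values, and limiting forwarded DNS to the VPN resolvers is an assumption about what VPN_DNS is for.

```shell
#!/bin/sh
# Added example: print a fail-closed ruleset in iptables-restore format.
# Nothing is applied here; review the output before loading it.

gen_killswitch_rules() {
    lan_if=$1; tun_if=$2; home_net=$3; shift 3   # remaining args: VPN DNS servers
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# NAT only what leaves through the tunnel.
-A POSTROUTING -s $home_net -o $tun_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management (SSH etc.) from the home network only, never from the tunnel.
-A INPUT -i $lan_if -s $home_net -j ACCEPT
EOF
    # Forwarded DNS may go only to the provider's resolvers, via the tunnel.
    for dns in "$@"; do
        for proto in udp tcp; do
            printf '%s\n' "-A FORWARD -i $lan_if -o $tun_if -s $home_net -d $dns -p $proto --dport 53 -j ACCEPT"
        done
    done
    cat <<EOF
-A FORWARD -i $lan_if -p udp --dport 53 -j DROP
-A FORWARD -i $lan_if -p tcp --dport 53 -j DROP
# No rule forwards LAN traffic back out of $lan_if, so when $tun_if goes
# away only the DROP policy is left.
-A FORWARD -i $lan_if -o $tun_if -s $home_net -j ACCEPT
-A FORWARD -i $tun_if -o $lan_if -d $home_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Reads a ruleset on stdin. Succeeds only if FORWARD defaults to DROP and
# every FORWARD ACCEPT rule has the tunnel as its in- or out-interface.
fails_closed() {
    awk -v tun="$1" '
        /^:FORWARD / { policy = $2 }
        /^-A FORWARD / && /-j ACCEPT/ {
            if ($0 !~ ("-o " tun " ") && $0 !~ ("-i " tun " ")) bad = 1
        }
        END { exit !(policy == "DROP" && !bad) }
    '
}

# Constructed sample values; substitute your own.
gen_killswitch_rules eth0 tun0 192.168.1.0/24 10.8.0.1 | fails_closed tun0 \
    && echo "ruleset fails closed"
```

The output can be syntax-checked with `iptables-restore --test` before it is loaded; pass the interface name your Pi actually reports in place of eth0.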

Enable IPv4 forwarding

Edit the sysctl.conf file to enable IPv4 forwarding.

Uncomment the following.

Save the changes and run the following to make the change permanent.

You should get the following output.

Start VPN now

Testing your VPN Connection

IP Address:
Subnet :      
Default Gateway: (IP address of your now working Raspberry Pi VPN Router)
DNS Server :       (The IP address of your VPN provider’s DNS Servers)

Here’s a screenshot of my Windows 10 virtual machine with the static IP of the details above.

Windows 10 Network Settings

As you can see below, I’m currently in Canada (hurrah!), the DNS leak test shows one IP which is the same as my exit node IP.

VPN Connection

Here’s a good resource, with instructions on setting up a PC with a static IP address.


You can either install ntopng from the Raspberry Pi repository or you can install the new version, using the instructions provided on the ntopng website.

Installing ntopng (using the repository) – Current Version 1.2.1 (r1.2.1)

Update repository

Upgrade software

Install ntopng from the repository

Installing ntopng from the ntopng website

Go to the ntop website and follow the instructions provided.

I got the following error message when I tried to run the program.

To fix this, I had to install a couple of libraries; instructions to fix the issue are below.

Restart ntopng

Change the default ntopng login

Fire up your favorite browser and point it at the IP address of your new VPN router. For me that would be

You may have used a different IP address; all you need to do is append the port number to the IP address.

After installing ntopng, I would suggest that you change the admin password after you log in. The default login details are as follows.

Default login – admin
Default password – admin

Screenshots of ntopng.

All hosts currently using my VPN router on my home network.

List of hosts using my VPN router.

Showing one host on my network, and as you can see, you can look at the traffic type, ports, peers and protocols. It’s a great addition if you’re sharing your VPN with others in your family or friends. It allows you to see if someone is hogging your bandwidth or doing something a bit suspect.

It’s a really great program and if you find it useful then I would definitely buy a licence, because the paid version has a lot more functionality. If you want to see what the paid version looks like, restart your VPN router and connect to ntop; it runs the pro version for 10 minutes before defaulting to the community version.

Host on ntop

If you like it then you can purchase a licence for the pro version from here. Alternatively, if you have a little cash you can also make a donation to the project.


Simple Stateful Firewall – ArchLinux
OpenVPN – Open Source – Website
How To Use Systemctl to Manage Systemd Services and Units – DigitalOcean
Wikipedia – Virtual Private Network
Networking – Pi as a VPN Router
15 best VPN Providers
Geospoofing with the Raspberry Pi
VPN Provider shuts down after Lavabit case undermines security
How do I know if my VPN provider is trustworthy? (Lifehacker)
How NSA Proof Are VPN Providers?
How (and why) to set up VPN today
Electronic Frontier Foundation
VPN Creative – What is my IP address
DNS Leak Test
IP and DNS Detect
Selective VPN routing : [Solution – DSVR]
iptables ipv4 firewall – Debian Firewall Wiki

Draft investigatory Powers Bill

GCHQ Mass Surveillance
Theresa May unveils UK surveillance measures in wake of Snowden claims
UK cyber-spy law takes Snowden’s revelations of mass surveillance and sets them in stone
UN privacy head slams ‘worse than scary’ UK surveillance bill
Investigatory Powers Bill: what’s in it, and what does it mean?
Don’t spy on us

37 thoughts on “Setting up a Raspberry Pi as a VPN router (Updated)”

  1. Hi, do you know a repo wherein I can get an openvpn client or raspberry that supports CUSTOM-HEADER?
    I’ve been googling for quite some time now but wasn’t able to find one.
    btw, I’ve done your tutorial and was able to make it work flawlessly.

  2. There doesn’t seem to be a version of openvpn in the repo with that enabled, you may have to download the source, apply the patch and compile and install from source. I did notice that the patch was on Github.

  3. I think you’re referring to this?
    I did follow his guide (./configure && make && make install) using lubuntu in vmware prior to deploying it on my raspberry, but due to the fact that I’m new to the linux environment, I don’t know what to do next because openvpn is not appearing in software manager or in the list of installed software.
    I hope you can create a blog entry or tutorial as easy as the other entry you’ve made on assembling or compiling a custom openvpn client


  4. Thanks for the useful tutorial, everything works as expected, apart from ntopng, I can install it using either method but when I go to the webpage it just times out, it appears to be listening for connections:

    pi@raspberrypi:~ $ sudo netstat -nap|grep ntopng
    tcp 0 0* LISTEN 13787/ntopng
    tcp 0 0 ESTABLISHED 13787/ntopng
    unix 3 [ ] STREAM CONNECTED 25734 13787/ntopng
    unix 2 [ ] DGRAM 25749 13787/ntopng

    I’m not sure what to do from here.

  5. I reinstalled from scratch and everything works great now including ntop, I know this is probably outside the scope of this article but I understand how to get my android, Xbox, Windows PC to connect through this, how about something like a Roku player where you can’t change network settings manually, it just does everything through DHCP

  6. Excellent article! I’ve not had any experience with Raspberry Pi but certainly will after reading this.
    I’m running a simple NAS home network with a WHS 2011 server at its core, WebDav remote access, nothing fancy. As this server is “always on” I’m running an instance of OpenVPN as a NSSM service which has proved very stable.
    I use the VPN provider BolehVPN.net as they provide Socks 5 Proxy OpenVPN (as well as the more usual Fully Routed and GeoLocation specific) connections.
    My NSSM OpenVPN service connects to one of Boleh’s Socks 5 Proxy connections providing the Socks 5 Proxy address on port 1080, to which selected programs / services running on the server can connect to, leaving the more mundane processes access to the vanilla internet.
    What I would’ve liked to have done was be able to connect to the OpenVPN Sock 5 Proxy service on the WHS 2011 server from other devices on my home network. Such as web browsers or a Fire Stick by pointing their Proxy config settings to those on the WHS 2011’s OpenVPN Sock 5 Proxy – phew.
    I think your solution of running OpenVPN on a Raspberry Pi is a much better solution.
    How would (or indeed is it possible) you advise setting up a OpenVPN Socks 5 Proxy via Raspberry Pi in the similar fashion as your set up here? This way applications from any device on the home network could be pointed at the OpenVPN Sock 5 Proxy (e.g. Firefox via Foxy Proxy etc.) on the RPi rather than have to change the address of the connecting PC’s network adapter?
    Or would it even be possible to route other devices on my network to the existing OpenVPN Sock 5 Proxy TAP-Win32 V9 on my WHS 2011? I’ve tried this second option and not found a way as of yet…


  8. If I set my client’s DNS server to the raspberry pi’s IP. Will the Pi accept and answer them? Or do changes need to be made in the

  9. A great article, there are so many but this one is clear and explanatory……I am however having a senior moment on the “Fire-walling the interface and enabling forwarding” section, where does the script reside in the directory structure? Thanks in advance…..

  10. Great article, just a little confused before I start the install…how do I connect my computer or device to the raspberry pi 2 via Ethernet if the port is already taken connected to the internet router? Also can I use the raspberry pi before a homeplug? Thanks in advance 👍🏼

  11. If you’ve cut and pasted the firewall rules, then it will be where you’ve saved it. Usually /home/pi unless you’re logged in as another user of course.

    I usually use putty (available for windows) to connect to the raspberry pi, then use nano to save the file.

    At the prompt type.


    copy the firewall rules from the page and save and exit.



  12. Maybe someone can explain how pivpn server works. I install pivpn on my raspberry pi 3 and I connect to my pivpn server from remote location over WAN. In my remote location I used wireless network connection and when I have successfully joined pivpn server in my network connections also I saw active local area connection.
    Then I tried to check all traffic on both connections with Wire Shark by browsing over different websites. I was able successfully open any web but when I checked my both connections Status details, on “Wireless network connection status” I saw IPv4 connectivity: Internet and on IPv6 Connectivity: No Internet access. On “Local area connection” I saw IPv4 and IPv6 connectivity: no internet access.
    On Wire Shark window with my wireless traffic I saw my local private IP and destination IP was my remote site where is my pivpn server public IP. All traffic in protocols raw was openvpn, I have not seen any http traffic so it seems like that traffic was encrypted.
    On Wire Shark window with my local area traffic I saw in source row IP from my visited websites and in my destination row I saw IP provided to me by pivpn server. In protocol row I saw just TCP traffic and no HTTP.
    Can somebody explain how all traffic is moving between pivpn server and clients? Seems that traffic between client and pivpn server is encrypted but what about traffic between pivpn server and destination websites? Is all traffic routed through pivpn server raspberry pi or does traffic bypass raspberry pi? On raspberry pi cpu usage bar I see only 1% – 5% when I am using it as vpn server so it seems that raspberry pi doesn’t have any load.

  13. Hi Billy,

    Really simple, dumb question.

    If I follow your guide, or close to it. Is it possible to have some devices on my network use the VPN (Pi?) and other devices go straight out, sans VPN? Is it as simple as changing the gateway on said devices?

    I have a VOIP provider with my ISP for my home phone landline, I’d hate to add latency to it. As well as local content in my country that’s Geoblocked- so over 2/3 of my network, I’m happy to have “using the internet as normal” but I’d love to have several other computers be VPN only.


  14. Billy thanks so much. I always thought I needed some kind of VLAN or different range or something complicated like 192.168.1.x and 192.168.2.x and so on or 255.255.252 or (god I don’t know) – but if it’s as simple as defining a different gateway, that’s very manageable!

  15. Hi Billy

    Top post!

    Agree with Internet Lad – excellent way of doing it!!!
    Simplest ways are always the best!

    Another really simple, dumb question though:

    Is it possible to route some applications within, say, a PC via the VPN gateway and others straight internet access – like with a proxy..?

    Rather than routing all internet traffic via the VPN..?

  16. It looks like they’ve changed the naming of adapters.
    Eth0 is no longer , it gets the name according to the Mac address of the adapter in use which is why the firewall script would be failing.

    Haven’t had chance to test out the new naming as away from system for couple of days but will test out next week if no one else has sorted out by then

  17. Replace eth0 with enp2s0 in the script.
    Change in line 56, 93, 93 and save.
    Run and re-run netfilter-persistent and save (as in the tutorial)

  18. No problem. Initially I ran ifconfig then edited your code to use the long MAC-like device ID that appears where you usually see eth0. That worked, but obviously it’s unique to my pi.
    I’m assuming that enp2s0 is universal for Ras Pi – anyone else confirm?
    Also see

    I had some trouble with setting a static IP in interfaces too, (maybe stretch, maybe me!) and didn’t resolve it in the end. I just set my router to reserve an IP against the pi MAC address.

    Thanks for the tutorial Billy.

    edit to above post : lines 56,92,93

  19. Looks like the naming of the interfaces is a right headache, different people are getting different names for eth0, enp2s0 isn’t standard.

    The best option at the moment is to add net.ifnames=0 to /boot/cmdline.txt

    This will then revert back to the old naming of eth0 etc.

    Or as I’m doing for the time being stay with Jessie 🙂

  20. Quick update, the new naming convention is different for every Pi.

    Use ifconfig on the command line and this will display the network interface details and the name of the eth port.

    Mine is enxb827eb31f534

    Just replace eth0 with ‘your network adapter name’ in the config file.

  21. Does anyone know how to temporarily turn off the VPN and let all traffic through as normal.

  22. awesome tutorial! 😉 the only thing is, when I copy and paste the, and start vpn it works fine, but when I reboot the Raspberry pi 3, the VPN doesn’t work and I get locked out, when trying to SSH to it.. can anyone help? 🙂

  23. Having read through the previous comments, it looks like the firewall script won’t work on the current version of Debian on the Raspberry Pi. There should be enough information below to make it work and I’ll change the tutorial and test when I have the time. Sorry about that.

  24. I don’t know how to get around the user name and password needed for my vpn provider as credentials to get this to work. I had to use some other instructions but did find your firewall and ntopng instructions very useful though. Perhaps you could explain how you got your credentials to work and I can save your instructions for my next install

  25. Awesome! So many either out of date, or just crap articles around this subject. And I come here and it’s there, in black and white – and it works!

    Top man, thanks for posting.

  26. A question, if I may? I noticed that the VPN loses connection if the home router goes (deliberately) offline. It never attempts to reconnect from what I can gather. Is there a way with openvpn, or would this involve running a probe to an external address and acting accordingly when there is packet loss?

    I don’t expect a reply, but if you got a few I would be chuffed.
