Useful Resources:
- https://www.raspberrypi.org/documentation/configuration/wireless/access-point-routed.md
- https://thepi.io/how-to-use-your-raspberry-pi-as-a-vpn-router/
- https://github.com/rudiratlos/hotspot
NOTE: The Raspberry Pi may take a long time to reboot (about 5 minutes) after this installation.
sudo apt install openvpn
sudo systemctl enable openvpn
Create a file /etc/openvpn/auth with only the following two lines (your OpenVPN username on the first line, your OpenVPN password on the second):
USERNAME
PASSWORD
Then, restrict access:
sudo chmod 600 /etc/openvpn/auth
Upload your OpenVPN configuration file <FILENAME>.ovpn to /etc/openvpn/. Open that file and replace auth-user-pass by auth-user-pass /etc/openvpn/auth, then make the configuration file automatically discoverable by openvpn:
sudo mv /etc/openvpn/<FILENAME>.ovpn /etc/openvpn/<FILENAME>.ovpn.conf
The above method works for ProtonVPN; the configuration files of other VPN providers may require you to specify the path to their certificates (ProtonVPN embeds its certificate in its configuration files).
sudo apt install hostapd dnsmasq
sudo DEBIAN_FRONTEND=noninteractive apt install -y netfilter-persistent iptables-persistent
sudo systemctl unmask hostapd
sudo systemctl enable hostapd
Open /etc/dhcpcd.conf and insert the following lines at the end of the file:
interface wlan0
static ip_address=192.168.4.1/24
nohook wpa_supplicant
Insert the following lines into /etc/sysctl.d/routed-ap.conf:
# https://www.raspberrypi.org/documentation/configuration/wireless/access-point-routed.md
# Enable IPv4 routing
net.ipv4.ip_forward=1
Update the iptables:
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
and persist the changes:
sudo netfilter-persistent save
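The three rules above only add ACCEPT entries, so with the default FORWARD policy of ACCEPT the Pi can still forward hotspot traffic over another interface while tun0 is down. As an added example (not part of the original guide), this script audits an iptables-save dump for such bypass paths; the function and sample names are hypothetical, the dumps are constructed, and the DROP-policy variant is an assumption rather than a step from the guide.

```shell
#!/bin/sh
# Added example: wlan0 (hotspot) and tun0 (VPN) are the names used in this guide.

# Reads an iptables-save dump on stdin, prints findings, returns 0 if there are none.
audit_forward() {
    awk -v lan=wlan0 -v vpn=tun0 -v policy=unknown '
        /^\*/ { table = substr($1, 2) }          # table header: *filter, *nat, ...
        table == "filter" && $1 == ":FORWARD" { policy = $2 }
        $1 == "-A" {
            in_if = ""; out_if = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
            }
            # Client traffic accepted towards something other than the tunnel
            if (table == "filter" && $2 == "FORWARD" && / -j ACCEPT/ &&
                (in_if == lan || in_if == "") && out_if != vpn && out_if != lan)
                finding[++n] = "FORWARD accepts " lan " traffic outside " vpn ": " $0
            # NAT on a non-tunnel interface makes such a bypass routable
            if (table == "nat" && $2 == "POSTROUTING" && / -j MASQUERADE/ &&
                out_if != vpn)
                finding[++n] = "MASQUERADE not limited to " vpn ": " $0
        }
        END {
            if (policy != "DROP")
                finding[++n] = "FORWARD policy is " policy ": " lan " is still routed when " vpn " is down"
            for (i = 1; i <= n; i++) print "FINDING: " finding[i]
            exit (n > 0)
        }'
}

# Constructed dump: the rules from this guide on a default-policy FORWARD chain.
sample_guide_rules() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
COMMIT
EOF
}

# Constructed dump: same rules with the FORWARD policy set to DROP (assumption).
sample_drop_policy() { sample_guide_rules | sed 's/^:FORWARD ACCEPT/:FORWARD DROP/'; }

if sample_guide_rules | audit_forward; then echo "no bypass path"; else echo "bypass path present"; fi
```

On the Pi, the live rules can be checked with sudo iptables-save | audit_forward after sourcing the function.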
Back up the original /etc/dnsmasq.conf by moving it aside:
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
Then insert the following lines into /etc/dnsmasq.conf:
interface=wlan0 # Listening interface
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h
# Pool of IP addresses served via DHCP
domain=wlan # Local wireless DNS domain
address=/gw.wlan/192.168.4.1
# Alias for this router
Make sure the WiFi card is unblocked:
sudo rfkill unblock wlan
Insert the following lines into /etc/hostapd/hostapd.conf. Note that there cannot be quotes around the SSID or password.
interface=wlan0
hw_mode=a
channel=36
ieee80211d=1
country_code=GB
ieee80211n=1
ieee80211ac=1
wmm_enabled=1
auth_algs=1
wpa=2
ssid=<YOUR SSID>
wpa_passphrase=<YOUR PASSWORD>
sudo systemctl reboot