Setting up Raspberry Pi 3 as an OpenVPN router

- 6 mins


Raspberry Pi 3 makes up a great miniature PC and can be used to come up with some great projects. But there are reasons why would you want to tone down on that versitality and use it exclusively for a particular function. The LEDE Project, based on OpenWRT, lets you set up your Raspberry Pi as a router. Add to this, OpenVPN and you have got yourself a nice box that lets you create an access point which routes your traffic through a VPN, thus securing your browsing. This could be really convenient to have all your personal devices establish a secure wireless connecting in places like hotels where you can simply plug in your RPi to ethernet port.

Setting up Raspberry Pi

Fetching the LEDE Image

We would be fetching the latest LEDE snapshot for Rapberry Pi 3 from the official LEDE source. Execute the following commands to download the image into your current directory.


Flashing the LEDE Image

Uncompress the gzip archive to get the image file and install the image on a Micro SD Card. View instructions on this link in case you need help.

Configuring LEDE

Accessing Raspberry Pi

By default LEDE is configured to have a static IP and in order to access the RPi to change the configuration you would need to connect your computer directly to your RPi using an ethernet cable. Your computer would be assigned an IP and can now connect to the RPi using SSH. Log in to RPI using the following command.

ssh [email protected]

Now that we have access to the RPi filesystem, let’s modify the network and firewall configurations.

Modifying network configuration

The network configuration file is located in the /etc/config/network. We will modify the lan interface and add two new interfaces to achieve our goal, leaving the other interfaces unchanged.

config interface 'lan'
    option ifname 'eth0'
    option proto 'dhcp'

config interface 'tun0'
    option ifname 'tun0'
    option proto 'none'

config interface 'wireless'
    option proto 'static'
    option ipaddr ''
    option netmask ''
    option ip6assign '60'

To use a static IP instead of using DHCP to obtain an IP from the router use the following configuration for the lan interface. Here is an example of assigning an IP to the RPi for a router that provides IP’s in the 192.168.1.x range and has netmask

config interface 'lan'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr ''
    option netmask ''

Modifying wireless configuration

The wireless configuration file is located in the /etc/config/wireless. The wireless adapter is disabled by default. Remove the line option disabled 1 or change 1 to 0 to enable the wireless adapter. Modify the default_radio0 wireless interface to the following (replace your_ssid and your_password with the name and the password you would like to give your wireless access point).

config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option encryption 'psk2'
    option key 'your_password'
    option ssid 'your_ssid'
    option network 'wireless'

Modifying dhcp configuration

The wireless configuration file is located in the /etc/config/dhcp. We will add another dhcp configuration for the wireless interface we defined in the networks file so that client which connect to the AP are assigned IPs using DHCP.

config dhcp 'wireless'                           
    option interface 'wireless'              
    option start '100'                       
    option limit '150'                       
    option leasetime '12h'                   
    option dhcpv6 'server'                   
    option ra 'server'

Modifying firewall configuration

The firewall configuration file is located in the /etc/config/firewall. We will first define a zone with input, output and forward rules for the wireless interface we defined in the networks file.

config zone                      
    option name             wireless  
    list network            'wireless'
    option input            ACCEPT
    option output           ACCEPT      
    option forward          ACCEPT

We will add a similar zone for the tunnel interface using by the VPN.

config zone                                
    option name             tun0       
    list network            'tun0'    
    option input            REJECT          
    option output           ACCEPT    
    option forward          REJECT    
    option masq             1

The last thing we need to add to configuration file is forwarding packets from wireless client to the VPN.

config forwarding                                      
    option src              lan                
    option dest             wan

Reflecting changes to the configuration files

Execute the following commands on the RPi.

/etc/init.d/firewall restart   
wifi up
/etc/init.d/network restart

Connecting Raspberry Pi to the internet

We can now unplug the RPi from the computer and connect it to the LAN port of a router. If you chose dhcp for the lan interface, for your RPi to get an IP, DHCP should be enabled on the router. Check your router web interface to obtain the IP assigned to your RPi. If the RPi is assigned the IP for instance, execute the following command on your computer, connected to the same router, to log back into your router.

ssh [email protected]

Updating packages and installing LuCI

Once connected to the router, your RPi should be able to access the internet. Update the packages and install LuCI for web configuration by executing the following commands. You can now access your RPi’s configuration, similar to a conventional router, by keying in its IP.

opkg update
opkg install luci

Setting up OpenVPN

Installing OpenVPN

opkg install openvpn-openssl

Transferring .ovpn VPN configuration

Transfer the .ovpn configuration for VPN to your RPi using the following command, replacing vpn_config_file.ovpn is your configuration file and by your RPi’s IP.

scp vpn_config_file.ovpn [email protected]:~

Modifying OpenVPN configuration

The OpenVPN configuration is located at /etc/config/openvpn. Modify the custom_config configuration to the following

config openvpn custom_config

    # Set to 1 to enable this instance:
    option enabled 1

    # Include OpenVPN configuration
    option config vpn_config_file.ovpn

Enabling autostart and VPN

Now that all required configuration in place, we can enable autostart at boot. Finally we enable OpenVPN to get it running right away.

/etc/init.d/openvpn enable
/etc/init.d/openvpn start

Wrapping it up

The Raspberry Pi is now running as a router with OpenVPN. If you set it up to use DHCP for the ethernet connection and enabled autostart at boot you now have a nifty plug and play box which you can connect to an ethernet port to gain secure internet access through VPN, on your wireless devices.

Anirudh Singh Shekhawat

Anirudh Singh Shekhawat

Let's talk tech

rss facebook twitter github youtube mail spotify instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora file