Disclosure
Affiliate Commissions

CyberWaters is supported by its readers, therefore we may receive affiliate commissions if you purchase goods or services via our links. We appreciate your support.

How to Set Up a Raspberry Pi VPN Server 

Raspberry PI VPN

Raspberry Pi devices have many cool use cases, like using them as media centers or retro gaming machines. However, on their own, they don’t provide much online security, so it’s important to run a Raspberry Pi VPN on the device. 

Also, if you want secure remote access to your home, you could turn your Raspberry Pi device into a VPN server. Here’s a quick look at how to set up a VPN server with a Raspberry Pi running Raspberry Pi OS.

This is how to set up a VPN server on Raspberry Pi step-by-step:
  1. Install Raspberry Pi OS on your device.
  2. Update the OS and get OpenVPN.
  3. Create the certificate authority.
  4. Build the server keys.
  5. Configure the VPN server.
  6. Start the VPN server.
  7. Build the client keys.
  8. Configure the client.
  9. Set up port forwarding on your router.
  10. Connect to the client.

How to Turn Your Raspberry Pi Into a VPN Server (10 Steps)

It’s completely possible to use a Raspberry Pi as a VPN server to get secure, remote access to your home network. However, the setup process is pretty difficult. Here’s what we used for this setup:

  • The Raspberry Pi operating system. It’s based on Linux and is specifically designed for Raspberry Pi devices. You can use other Linux distros as well, but we can’t guarantee that all the steps in our guide will 100% work for other distros. 
  • A Linux computer. 
  • A 32 GB SD card.
  • An ethernet cable, which we used to connect the Raspberry Pi device to our router to get the fastest speeds possible. 
  • The OpenVPN protocol to set up our Raspberry Pi VPN server.

Here are the steps you need to follow to create a Raspberry Pi VPN server:

1. Install Raspberry Pi OS

Download the Raspberry Pi OS from the official source on your computer. It’s enough to get the Lite version since you don’t need a graphical interface in this case. In addition to that, you should also get balenaEtcher, a free tool used to write different image files, like .iso files. Also, get OpenSSH, which you’ll use to remotely access the Raspberry Pi device.

When you finish downloading Raspberry Pi OS, extract the operating system image file. Then, insert the SD card and use balenaEtcher to write the operating system image to the card. 

Next, use a file manager to access the SD card. Select the “boot” partition and create an empty text file on it, which you’ll simply call “ssh”.

Finally, connect the Raspberry Pi device, use a web browser to access your router’s dashboard, and find the Raspberry Pi’s IP address. Then, use OpenSSH on your computer to connect to the Raspberry Pi remotely — just use this command:

  • $ ssh pi@1.2.3.4

Instead of “1.2.3.4,” type in the Raspberry Pi’s IP address.

2. Update the Operating System and Get OpenVPN

Before you do anything, make sure that the operating system performed all updates. To do that, use these commands:

  • $ sudo apt update
  • $ sudo apt upgrade

After that, use this command to install OpenVPN and the certificate utility that you will need:

  • $ sudo apt install openvpn easy-rsa

3. Set Up a Certificate Authority

You need to do this to create signing keys, which will only allow your devices to access your home network.

Start by creating a directory for your certificates and then access it — here’s how:

  • $ sudo make-cadir /etc/openvpn/certs
  • $ cd /etc/openvpn/certs

Find the OpenSSL configuration files and link the last file with “openssl.cnf” using these commands:

  • $ ls | grep -i openssl
  • $ sudo ln -s openssl-1.0.0.cnf openssl.cnf

In the directory you created, you should also find a file called “vars.”, which you need to open with a text editor. Once you do that, look for the “KEY_SIZE” variable and change it from “2048” to “4096.” You should also check other variables like “KEY_COUNTRY” and “KEY_CITY” to make sure they’re accurate. When you’re done, save the file and exit.

Next, put the Easy-RSA package you downloaded previously to work, as it contains helpful scripts. Just use this command to add the “vars.” file as a source to load all the variables you just set:

  • $ sudo source ./vars

Now use this command to delete the keys (there aren’t any, so ignore the warning message): 

  • $ sudo ./clean-install

Finally, use this command to build the certificate authority:

  • $ sudo ./build-ca

Accept the defaults it presents and set a strong password. Also, answer “yes” to the last 2 questions.

4. Build the Server Keys

To build the keys for your server, just use this command:

  • $ sudo ./build-key-server server

Next up, use this command to build the Diffie-Hellman PEM (OpenVPN uses it to secure client connections to the server):

  • $ sudo openssl dhparam 4096 > /etc/openvpn/dh4096.pem

Then, finish up by building the HMAC key, which OpenVPN uses to sign each packet of data shared between the client and server. To do that, use this command:

  • $ sudo openvpn –genkey –secret /etc/openvpn/certs/keys/ta.key

5. Perform the Server Configuration

Start by using this command to get a base configuration for the OpenVPN server: 

  • $ sudo gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Now, use the text editor to open this file “/etc/openvpn/server.conf.” Look for the following files:

  • ca
  • cert
  • key

You need to use the following commands to make the files match the locations of the keys that you created:

  • ca /etc/openvpn/certs/keys/ca.crt
  • cert /etc/openvpn/certs/keys/server.crt
  • key /etc/openvpn/certs/keys/server.key

Then, look for the “dh” setting and make it match the Diffie-Hellman PEM that you created with this command:

  • dh dh4096.pem

After that, set the path for the HMAC key:

  • tls-auth /etc/openvpn/certs/keys/ta.key 0

Look for the “cipher” option and make sure it matches this: “cipher AES-256-CBC.”

For the next options, remove the semicolons in front of them to enable them. They should look like this:

  • push “redirect-gateway def1 bypass-dhcp”
  • push “dhcp-option DNS 208.67.222.222”
  • push “dhcp-option DNS 208.67.220.220”

Now, find the “user” and “group” settings, uncomment them, and make these changes:

  • user openvpn
  • group nogroup

Finally, use this command to improve user authentication encryption:

  • # Authentication Digest
  • auth SHA512

Then use this command to limit OpenVPN to strong ciphers:

  • # Limit Ciphers
  • tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Once done, save the file and exit.

6. Start Up the Server

Start by making the user that will run OpenVPN: 

  • $ sudo adduser –system –shell /usr/sbin/nologin –no-create-home openvpn

Then, use these commands to start the Raspberry Pi VPN server:

  • $ sudo systemctl start openvpn
  • $ sudo systemctl start openvpn@server

Make sure you check that everything is running as it should:

  • $ sudo systemctl status openvpn*.service

If everything’s okay, use these commands to enable the server and user on startup:

  • $ sudo systemctl enable openvpn
  • $ sudo systemctl enable openvpn@server

7. Build the Client Keys

The process is pretty much the same as when you created the server keys. Head to the “certs” folder you created and use these commands:

  • $ cd /etc/openvpn/certs
  • $ sudo source ./vars
  • $ sudo ./build-key client

8. Configure the Client

Go to the “client” directory and use this command to get the template, which you will modify to match the server:

  • $ cd /etc/openvpn/client
  • $ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client/client.ovpn

Use the text editor to open “client.ovpn” and look for the “remote” option and set it to your IP address:

  • remote 1.2.3.4 1194

“1.2.3.4” is where you’ll add the IP address.

Next, change the certificates so that they’re similar to the ones you created:

  • ca ca.crt
  • cert client.crt
  • key client.key

After that, locate the user settings and uncomment them. You can run them this way:

  • user nobody
  • group nogroup

Then, find the HMAC “tls-auth” option and uncomment it: 

  • tls-auth ta.key 1

When you’re done, check the “cipher” setting and make sure it’s the same as the server’s “cipher” option: “cipher AES-256-CBC.” Next, add this info to the end of the file:

  • # Authentication Digest
  • auth SHA512
  • # Cipher Restrictions
  • tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Save the file and exit when you’re done, and use this command to archive the configuration and certificates:

  • $ sudo tar cJf /etc/openvpn/clients/client.tar.xz -C /etc/openvpn/certs/keys ca.crt client.crt client.key ta.key -C /etc/openvpn/clients/client.ovpn

All you need to do now is transfer the archive to the client — a USB drive is a pretty hassle-free method.

9. Configure Your Router to Port Forward

Head into your router’s dashboard and configure it to port forward all incoming VPN traffic to the Raspberry Pi device. If you don’t do this, this VPN setup won’t work.

We can’t provide exact instructions since each router’s firmware has different layouts and settings. Still, we can tell you the following:

  • You need to enter the start and end ports. Make sure both ports are the same and that they match the ports you set in the configurations (in this guide, we used port 1194).
  • In the IP address field, add your Raspberry Pi’s IP address.

10. Connect to the Client

All that’s left is to connect to the VPN client. No matter the device, we recommend using the OpenVPN client. You can easily download it and use it on most devices.

However, if you use Linux, you’ll need to perform some extra steps:

  1. Install OpenVPN with this command $ sudo apt install openvpn.
  2. Then, head to “/etc/openvpn”: $ cd /etc/openvpn.
  3. Use this command to unpack the archive you sent over: $ sudo tar xJf /path/to/client.tar.xz
  4. Change the client file’s name: $ sudo mv client.ovpn client.conf.
  5. Start the client.

How to Set Up a VPN with Raspberry Pi

If you’re only interested in using a Raspberry Pi SSL VPN and don’t want to turn your device into a VPN server, here’s how to easily do that:

  1. Sign up for a VPN that has a Linux app — we recommend NordVPN.
  2. Install a user-friendly Linux distro, like Ubuntu, Debian, Elementary OS, or Linux Mint.
  3. Open the Terminal.
  4. Use the Terminal to download the VPN provider’s app.
  5. Log into your VPN account.
  6. Connect to a server.
  7. Securely surf the web.

All top providers have easy-to-follow setup tutorials that show you how to install and use their Linux apps.

The Best VPNs for Raspberry Pi

There are no VPNs that have native apps for Raspberry Pi OS and are also really good. However, most top VPNs have Linux apps, which you can use on your Raspberry Pi device as long as it’s running a compatible Linux distro. Here are the best Raspberry Pi VPNs on the market:

1. NordVPN

We think this is the best RPI VPN on the market. Its Linux app runs on distros like Ubuntu and Linux Mint. 

You also get high-end security features like a twice-audited no-logs policy and RAM-only servers. Plus, the Threat Protection feature protects you from malicious ads and sites. Double VPN servers are also available — they send your data through 2 VPN servers instead of 1 server, providing extra security.

In addition to that, this VPN comes with excellent streaming and P2P support, and has 5,000+ servers in 55+ countries. It has affordable plans and a 30-day money-back guarantee.

Pros:
  • Thousands of lightning-fast servers
  • Unblocks streaming services
  • Fully supports Torrenting and P2P
  • Strict no-logs policy and RAM-disk servers
  • Ad blocker and malware protection features
  • Robust security features and military-grade encryption
  • 24/7 live chat support
  • 30-day money-back guarantee
Cons:
  • Only 6 simultaneous connections
  • No free trial

2. Surfshark

Surfshark has a Linux app that works on distros like Debian, Suse, and Fedora. This VPN allows unlimited connections, meaning you can use it on as many devices as you want. 

It also provides excellent security since it has RAM-only servers and CleanWeb, a good ad blocker. On top of that, you can purchase a great antivirus for a small additional price to protect your device from malware infections. You can also buy Surfshark Alert, which lets you know if your accounts are compromised.

Surfshark works with pretty much all streaming sites and allows P2P traffic on all of its 3,200+ servers in 90+ countries. This provider’s plans are very affordable and all purchases are backed by a 30-day money-back guarantee.

Pros:
  • Very affordable
  • Unlimited simultaneous connections
  • Ad-blocking feature
  • Unblocks streaming platforms
  • Allows split-tunneling and has multi-hop VPN feature
  • No-log policy and strong security features
  • GPS spoofing on Android devices
  • 30-day money-back guarantee
Cons:
  • No free version
  • Does not allow P2P seeding

3. ExpressVPN

This VPN’s Linux app works on Ubuntu, Fedora, Arch, and many other distros. 

ExpressVPN comes with an audited no-logs policy. Plus, it has advanced security features like RAM-only servers and full leak protection. It also provides access to Threat Manager (blocks malicious sites) and ExpressVPN Keys (a good password manager). 

This VPN unblocks 65+ streaming services, has excellent P2P support, and comes with 3,000+ servers in 90+ countries. Its plans are slightly expensive, but they’re all backed by a 30-day money-back guarantee.

Pros:
  • Works with streaming
  • Supports torrenting
  • No-logs policy
  • TrustedServer technology with RAM-only servers
  • Premium security features
  • 30-day money-back guarantee
Cons:
  • Expensive subscription plans
  • Only 5 simultaneous connections

4. CyberGhost

This VPN’s apps work on Kali, CentOS, Ubuntu, Mint, and more. 

It comes with advanced security features like full leak protection and RAM-only servers. There’s also a feature called My ID Guard, which alerts you if your email addresses and passwords have been leaked on the dark web.

CyberGhost VPN has dedicated streaming servers in 20+ countries that work with 70+ streaming apps. It also allows torrenting on all of its 8,200+ servers, which are located in 90+ countries. What’s more, this VPN provides cool automation via its Smart Rules feature. Also its plans are very affordable, and there’s a 45-day money-back guarantee for all long-term plans.

Pros:
  • Good for streaming and torrenting
  • WireGuard protocol available
  • No Logs
  • Offers Dedicated IP option
  • Free browser extension
  • 45-day money-back guarantee
Cons:
  • No third-party audits
  • Messy app’s interface

5. Private Internet Access 

Private Internet Access (PIA) has Linux apps for Ubuntu, Debian, Mint, Arch, and more.

This VPN provides excellent privacy because its no-logs policy has been proven true in court on many occasions. Also, all of its apps are open-source, which means anyone can inspect the code for security vulnerabilities.

Plus, PIA provides access to advanced security features like RAM-only servers and full leak protection. What’s more, it has a good ad blocker (PIA MACE) and traffic obfuscation, which hides your VPN traffic.

This provider comes with servers in 80+ countries, works with all top streaming sites, and supports torrenting on all of its servers. It has affordable plans and a 30-day money-back guarantee.

Pros:
  • Thousands of servers
  • Great for torrenting and P2P
  • Strong security and encryption
  • Block ads, trackers, and malware
  • 10 simultaneous device connections
  • Anonymous payment methods
  • 30-day money-back guarantee
Cons:
  • Based in the US
  • Not all streaming services can be unblocked

Why Use a Raspberry Pi VPN?

Raspberry Pi devices are safe, but they don’t provide good online security since they don’t encrypt your online traffic. So, cybercriminals can spy on any data that travels through your Raspberry Pi device. If you use the device to access smart devices in your home, hackers could compromise your home’s security.

That’s why it’s important to use a Raspberry Pi VPN — it encrypts all traffic, making it completely unreadable. If hackers were to spy on your device’s data, they would only see gibberish. 

Can I Use a Free VPN for Raspberry Pi?

We don’t recommend using free VPNs. Most of them don’t have Linux apps, so you need to manually set them up on your Raspberry Pi, which is inconvenient. Plus, free VPNs usually lack essential security features, like a kill switch or a no-logs policy. Also, most free VPNs have data caps and very slow speeds.

Still, if you insist on using a free Raspberry Pi VPN, we recommend going with ProtonVPN’s free plan. It comes with Linux apps for distros like Ubuntu, Debian, and Fedora. Also, it has good speeds, strong security features, and unlimited data. However, it restricts you to 1 connection and 100+ servers in 3 countries (the US, the Netherlands, and Japan).

Overall, though, we still recommend getting a paid VPN (like NordVPN) instead because you simply get a better experience. 

Raspberry Pi VPN FAQs

We found the most common questions people ask about using an RPI VPN and answered them all here. If you have other questions, just leave them in the comments and we’ll get back to you.

How to Set Up Raspberry Pi for the First Time

The process is pretty lengthy and complicated, so we can’t cover it in-depth here. We recommend following tutorials from official sources (like this one) to set up your Raspberry PI device for the first time.

Is Using a Raspberry Pi VPN Safe?

Yes — VPNs are great security tools that encrypt your traffic, making it unreadable so that nobody can spy on it. Also, a VPN will hide your IP address, which prevents anyone from seeing what your real location is.

However, keep in mind that not all VPNs provide the same level of security. Some free or subpar services can’t protect your data because they lack essential security features, like a kill switch or a no-logs policy. Always stick to top providers like NordVPN to make sure your traffic is 100% protected.

How Fast Is a Raspberry Pi VPN?

That depends on the VPN. Using a VPN might slow down your speeds anyway because it encrypts your data. However, the best VPNs limit the speed loss so that the slowdown is barely noticeable. With top VPNs like NordVPN and Surfshark, we always had very fast speeds for browsing, streaming, and torrenting on all servers.

How Much Does a Raspberry Pi Cost?

The price depends on the Raspberry Pi model you want to get, but most Raspberry Pi devices are pretty affordable. On average, the prices can start as low as $5 and $6 and go up to $125 or a little above.

Which VPN Providers Are Compatible with Raspberry Pi?

Pretty much no VPN provider has an app for Raspberry Pi OS, the main operating system for Raspberry Pi devices. Most providers support manual setups via OpenVPN on that platform, but that’s not the most convenient option. However, if you use a popular Linux distro, you can install Linux apps from many top VPNs.

Can I Turn My Raspberry Pi Into a VPN?

Yes, it’s possible to use Raspberry Pi as a VPN server, but you need to perform a complicated manual setup. We offered an example of such a setup in this article using Raspberry Pi OS. We only recommend doing this if you need secure home access to your home network when you’re traveling.

Can You Install a VPN on Raspberry Pi?

While barely any VPN has a Raspberry Pi VPN client, you can still install a VPN service on this device. You just need to run a popular Linux distro like Ubuntu, Debian, or Arch on your Raspberry Pi device. Then, just sign up for a VPN that has a Linux app for those distros and download and install it on your device.

What Are Reddit’s Favorite Cheap Raspberry Pi VPNs?

Most Reddit users like affordable top VPNs like Surfshark, CyberGhost, and Private Internet Access. All these providers have Linux apps, which can be installed on a Raspberry Pi device. They also offer high-end security, excellent streaming support, and fast speeds.

These articles could be helpful too
Leave Comment

Your email address will not be published. Required fields are marked *