Decided you need a VPN? It’s easy enough to rent one for a monthly fee, but with just a Raspberry Pi and a bit of know-how you can build your own VPN server!
VPN stands for virtual private network. It’s a secure, encrypted connection over the internet that connects you to a private network somewhere else.
Most wireless networks use encryption, but it usually only protects you from people who aren’t connected to the network. Everyone on your network can see all the traffic you send and receive. Some of that might be sensitive, like passwords or financial information.
This means that VPNs are very useful when you travel. It’s near impossible to know how well someone else’s wireless network is configured, or who else might be on it.
By encrypting all your traffic and sending it elsewhere, nobody else on your local network can see what you’re sending or where you’re sending it.
The big advantage of a VPN server on your local network is that it’s where you connect to. That gives you access to your file server, your media centre, even to print documents on your printers.
It’s also about trust. Despite common misconceptions, using a VPN doesn’t totally remove the risk of malicious actors spying on you, it just shifts it to another network. If that network is your home or office, then – hopefully – you have some understanding and control of what goes on there.
When you sign up to a service, what do you really know about it? This risk can be mitigated by using a reliable service, but make sure you do your homework first to avoid bad actors.
On the other hand, if your reasons for wanting a VPN involve top secret activity that you don’t want traced back to you, hosting a VPN server on your home network is a terrible idea. It makes more sense there to choose a commercial service used by many others.
A Raspberry Pi VPN server won’t offer foolproof reliability. There’s a small chance of something like a power outage or SD card corruption knocking it offline.
This will be a bother if you’re halfway around the world and you need it to access something. That’s especially true if there’s nobody back home to switch it back on again.
It’s worth noting that you can also install your own VPN server somewhere in the cloud. This is something of a middle option that mixes the benefits of both.
VPN software has two parts – the client and the server.
The client goes on your phone, laptop or other device that you’re traveling with. It usually connects to only one server.
The server sits on the network you want to connect to and can accept connections from multiple clients.
Our Raspberry Pi runs a version of Linux on top of an ARM architecture, so our server software needs to support this.
There’s a good chance that your client is something different: perhaps a Windows, Mac or Android device. As such, we want it to run there too.
For this project we’ll use a script called PiVPN, which makes installing a VPN server on a Raspberry Pi dead simple.
PiVPN actually offers two options that meet these needs: OpenVPN, which is well established and widely supported, and WireGuard, which is newer and offers great performance.
Before we install WireGuard, we need to tell your router where to send the VPN traffic when it arrives.
Your Raspberry Pi VPN server should be allocated a reserved IP address, so that it will always be found at the same address on the local network.
If this isn’t configured already, you can do it in your router’s dashboard. The exact steps vary from router to router, though it’s generally just a simple matter of logging in and configuring the DHCP settings.
If you get stuck, use a search engine to find the manual for your device.
Now you need to set up port forwarding on the router to send UDP traffic that arrives at a particular port to the IP address you just reserved for the VPN server.
Again, the exact steps vary from router to router, so you may need to track down the manual for your device.
Your router may allow you the option of opening a range of ports, and to assign them different internal and external numbers. You only need one port open, and it can have the same internal and external number.
By default, WireGuard uses port 51820, though you can configure another one if you prefer. Just be careful not to assign one already used by something else. Select UDP as the protocol.
If your public IP address is static – i.e. it stays the same all the time – you can skip this.
If you’re connecting to the internet through a regular residential or small business plan, it’s likely that your internet provider is assigning you a dynamic IP address; this means it can change periodically. That’s not very helpful when you’re trying to connect to your local network from across the internet and it’s no longer there.
If you have a dynamic IP address – or even if you just have no idea whether it’s static or dynamic – you can configure Dynamic DNS or DDNS. This updates a custom hostname with your public IP address every time it changes.
We’re going to need someone to host our hostname on their domain. There are many service providers who offer this. With the right DNS host, it’s even possible to set one up on your own domain.
For this tutorial, we’ll use No-IP, which lets you set up a hostname for free.
Browse to https://www.noip.com/, enter a hostname into the field and press sign up.
Go through the free sign up process and confirm your email address.
Now browse to “My Account” and configure a username. Take a note of your username and password, we’ll need it shortly.
From the terminal, update your operating system by typing:
sudo apt update && sudo apt upgrade -y
Now install ddclient.
sudo apt install ddclient -y
Now edit the ddclient configuration file.
sudo nano /etc/ddclient.conf
Edit the configuration to look like this, replacing the placeholders with your username, password and hostname.
use=web
ssl=yes
protocol=noip
login=<USERNAME>
password=<PASSWORD>
<YOUR_HOSTNAME>
Now run ddclient with the following command:
sudo ddclient -daemon 10m
Now you’re ready to run PiVPN. Type:
curl -L https://install.pivpn.io | bash
After a moment, you will see a screen welcoming you to the automated installer. Press enter twice.
Next, it will ask you if your Raspberry Pi has a reserved IP. You’ve already sorted that out, so select yes with the arrow keys and press enter.
Then, it will ask you to choose a user account to host the VPN. The pi user is fine, press enter.
Now it will ask you to choose between WireGuard and OpenVPN. WireGuard is the default choice, so press enter.
It will take a few minutes to install WireGuard. Then it will ask you which port WireGuard is to run on. If you configured something other than 51820 in your router earlier, enter that number here.
Press enter again to confirm the settings. Next it will ask you to select a DNS server. If you have your own DNS server, select “custom”.
I find I get a good service using the Google DNS servers. If you’d prefer to choose something else, that’s no problem.
Next it will ask whether clients should connect via your public IP address or via dynamic DNS. If you have a static IP, you can keep this as it is; otherwise press the down arrow and press space to configure the client with the DNS entry. Press enter, and type in the hostname you configured on noip.com if that’s what you’re using.
You will now be prompted to say that the server keys will be generated. Press enter and wait a moment while it runs.
Next it will ask you whether you want the server configured to apply automatic security updates. This is a good idea, so press Enter again to accept.
When you finish this script, it will ask you if you want to reboot. Select yes and press enter.
Your VPN server will need to be configured for at least one client to be useful.
You can do that with this command:
pivpn add
It will then ask for a name for the client, and then generate a .conf file in /home/pi/configs/ which you can use with the WireGuard client for your operating system.
WireGuard client software is available for:
• Linux
• MacOS
• Windows
• Android
• iOS
Be careful with this .conf file! It contains everything that anyone needs to access your local network from anywhere in the world. So, don’t just leave it on a portable hard drive or USB stick.
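Because a client .conf is a complete credential, it is worth checking it before copying it anywhere. The script below is an added example, not part of PiVPN or of the original tutorial: it reads fields out of a WireGuard client configuration, flags a file that is readable by group or others, confirms that the file carries a PrivateKey (and so must be treated as a secret), and checks that the Endpoint names a port. The sample configuration it audits is constructed inline in standard WireGuard client format; the key values in it are placeholders, not real keys, and the hostname myhome.ddns.net is assumed.

```shell
#!/bin/sh
# Added example (not from PiVPN or the original tutorial): audit a WireGuard
# client .conf before it leaves the machine. The file holds the client's
# PrivateKey and, optionally, a PresharedKey, so it should be mode 0600 and
# exist only on the device that uses it.

# wg_conf_field PATH KEY -> prints the value of the first "Key = value" line
wg_conf_field() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# wg_conf_audit PATH -> 0 if the file looks safe, 1 otherwise; reasons go to stderr
wg_conf_audit() {
    f=$1
    rc=0
    mode=$(ls -l "$f" | cut -c1-10)    # e.g. -rw------- ; chars 5-10 are group/other
    case "$mode" in
        ????------) ;;                  # no group or other permission bits set
        *) echo "$f: readable by group/others ($mode), chmod 600 it" >&2; rc=1 ;;
    esac
    if [ -z "$(wg_conf_field "$f" PrivateKey)" ]; then
        echo "$f: no PrivateKey, not a usable client config" >&2; rc=1
    fi
    endpoint=$(wg_conf_field "$f" Endpoint)
    case "$endpoint" in
        *:[0-9]*) ;;                    # host:port present
        *) echo "$f: Endpoint missing or has no port" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed sample in standard WireGuard client layout; keys are placeholders.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/laptop.conf"
cat > "$demo_conf" <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.6.0.2/24
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
Endpoint = myhome.ddns.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF

chmod 644 "$demo_conf"                  # the unsafe case: anyone on the box can read it
wg_conf_audit "$demo_conf" || echo "audit failed, as expected for a 0644 file"
chmod 600 "$demo_conf"                  # the corrected case
wg_conf_audit "$demo_conf" && echo "ok, endpoint $(wg_conf_field "$demo_conf" Endpoint)"
```

Run `wg_conf_audit /home/pi/configs/<name>.conf` on the Pi after `pivpn add`; once the file has been imported into the client on the phone or laptop, it has done its job and can be deleted from any USB stick or shared folder it passed through.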