How to Set Up a VPN Gateway with Raspberry Pi: Easy Guide

Having a VPN gateway has many advantages: control over who has access to the network, access to content from other geographical locations, etc. However, setting up the Pi to act as a middleman is quite complex. In this tutorial, I’ll show you how you can make the Raspberry Pi the central VPN gateway for your devices.

A Raspberry Pi VPN gateway can be created by first connecting the Raspberry Pi to a commercial VPN provider. Then, configuring the Pi as an access point allows it to route all incoming traffic through the VPN service, thus acting as a gateway.

Building this VPN gateway involves two main steps: first, we will connect our Raspberry Pi to an OpenVPN-supported VPN service, and second, we will set up the Pi as a Wi-Fi access point (which allows it to act as a Wi-Fi extender). So, let’s get started! Let’s learn a bit more about what exactly a VPN (Virtual Private Network) gateway is.

If you’re new to Raspberry Pi or Linux, I’ve got something that can help you right away!
Download my free Linux commands cheat sheet – it’s a quick reference guide with all the essential commands you’ll need to get things done on your Raspberry Pi. Click here to get it for free!

What is a VPN Gateway?

A VPN, or Virtual Private Network, is a technology that allows a user to establish a secure and encrypted connection over the internet to another network, often in a different location.

To learn more about this, refer to the following article What is a VPN?

A VPN Gateway is a hardware device (it can be a computer, router or even a Raspberry Pi as in our case) that is connected to a VPN service and routes all the traffic through the VPN so the clients can access the VPN without having the VPN software installed on their system.

It basically acts as an intermediary between the client devices and the VPN network.

Now that we have an idea of what we will be creating, let’s start with the tutorial. We will begin with the hardware and software requirements for this tutorial.

Note: If you want to self-host your own VPN gateway, I have a video on this topic just for community members where I show you all the steps. Join here to watch, and get access to 30+ other lessons for Raspberry Pi along with many other benefits!

Hardware and Software Prerequisites

To set up the Raspberry Pi as a VPN Gateway, you will need the following:

• VPN Subscription.
  Most VPN providers have a 30-day money-back guarantee, so you don’t take any risk by testing it out. There are many VPN providers you can try (I tested a few of them here), but I’ll use Surfshark for this tutorial.
• A Raspberry Pi.
  The steps will be similar on any Linux computer, but I’m testing this tutorial for you on a Raspberry Pi 4. It should work with any model.
• A good SD card or USB drive (I’ve linked my favorite products).
  There’s nothing special here, but if it’ll be an important node of your network later, choosing the right storage is essential. You want something reliable.
• An Ethernet Cable.
  You will need an Ethernet cable to connect your Pi to your router, as we will be using the Wi-Fi interface to create an access point.
• Raspberry Pi OS (Trixie).
  I would always recommend opting for the latest release of Raspberry Pi OS. This tutorial will only work for the latest version as the software providers switched to Network Manager, which is what we’ll be using in this tutorial.

Once you have everything set up, we are ready to start with the tutorial.

We will first set up the Surfshark VPN, an OpenVPN client on the Raspberry Pi.
Note that you can use any VPN provider which supports OpenVPN to follow this tutorial.

Here are a few alternatives to Surfshark along with the articles that will help you set them up on the Pi:

• ExpressVPN: ExpressVPN on Raspberry Pi: The Ultimate Guide.
• NordVPN: Ultimate guide to NordVPN on Raspberry Pi (Kodi & Raspbian).
• ProtonVPN: How To Install & Use ProtonVPN On Raspberry Pi (GUI & CLI).

And by the way, if you ever feel like this project is too hard for you, it’s okay. I can help you get better with a Raspberry Pi, one step at a time (VPN stuff shouldn’t be your first project!). Here’s my 30-day challenge for you, mission accepted?

Connecting to the VPN Provider on Raspberry Pi

In this step, we will go through the steps to set up a VPN connection on the Raspberry Pi:

• Getting the Authentication Credentials from the VPN provider.
• Installing OpenVPN on the Raspberry Pi.
• Connecting to the VPN provider.

Fetching VPN Authentication Credentials

The first step is to fetch your authentication credentials that you’ll use to connect to the VPN provider. These are not your login details, but a security file used to connect.

The example I give will be for Surfshark VPN server. You will need an active Surfshark subscription for this.

• First, log in to your Surfshark account.
  From the Dashboard menu on the left, go to VPN > Manual Setup.
  
  
• In Setup methods, select the Router option and on the right, select OpenVPN (WireGuard is yet another protocol supported on the Pi – WireGuard Installation on Raspberry Pi: Easy Setup Guide).
  
  
  
• Once you click on OpenVPN, you should see the required credentials (username and password) on the screen. Just copy and keep these credentials, as we will be using them later to establish a connection to Surfshark servers from our Pi.
  
  

If you’re using a different VPN provider, search to download the OpenVPN configuration files for your provider. It might be listed as “manual connection” files.

Next, we will move to our Pi and set it up so that we can connect to to our VPN provider. That involves installing OpenVPN on our Pi.

Configuring the Raspberry Pi for a VPN Connection

In this section, we will set up our Pi so that we can establish a VPN connection. For this, we will first need the OpenVPN client, which is what we will be using to establish this connectivity. Then we’ll download an OpenVPN configuration file for your VPN provider.

• To install OpenVPN (and a dependency we’ll need later), enter the following command:
  sudo apt install openvpn unzip
  
• After this, navigate to the OpenVPN directory:
  cd /etc/openvpn
  
• We will now download the Surfshark OpenVPN configuration files, which will allow us to connect to various VPN servers hosted by Surfshark. Run the following command for this:
  sudo wget https://my.surfshark.com/vpn/api/v1/server/configurations
  
  (If you’re using a different VPN provider, then download its .ovpn file here.)
  
• This should download a zip file with all the config files. Just unzip and delete the original zip file using these commands.
  sudo unzip configurations
sudo rm configurations
  
• To see the list of available servers, you can just execute the ls command to list all the files present in the directory. All the available servers will have .opvn files.

This completes the required configurations. In the next section, we will learn how to establish a connection with Surfshark.

Connecting to the VPN Server

Follow the steps given below:

• Once you have selected a server, just type in the following command to establish a connection with Surfshark:
  sudo openvpn <server-file-name>
  
  An example command for the same is: 
  sudo openvpn us-dal.prod.surfshark.com_tcp.ovpn
  
• Here, you will be prompted for credentials. Enter the credentials we obtained in the first part of this tutorial. If you have followed everything correctly, you should see the Initialization Sequence Completed message on the terminal, indicating a successful connection.
  
  

Congratulations! You have successfully connected your Pi to a VPN service.

Next, we want to create a wireless access point on our Pi (fancy word for Wi-Fi Hotspot) and then route all incoming traffic through the VPN we connected to. This is what we will be doing in the next section. So, let’s get started.

Tip: Command lines can be a pain to memorize. I put the essential Linux commands on a printable cheat sheet so you don't have to keep googling them. You can grab the PDF here if you want to save some time.

Raspberry Pi as a Wireless Gateway

In this section, the following things will be covered:

• Setting up the Pi as a Wireless Access Point (Wi-Fi Hotspot).
• Raspberry Pi VPN Configuration for the Gateway.
• Test the gateway in action!

We will first learn how to set up the Pi as a wireless access point. Note that this tutorial assumes that you are running the latest releases (Bookworm/Trixie), which use the Network Manager package by default.

Raspberry Pi as a Wireless Access Point

Setting this up will allow other devices to connect to your home router through the Raspberry Pi (we will be creating a standalone network), which will allow us to route this traffic through our VPN service. Follow the steps given below:

• We will be using the nmcli package to set up a new Wi-Fi access point for our Raspberry Pi. We will have to run a series of commands to achieve this. You can read this tutorial about nmcli if you’re not (yet) familiar with it.
  
  You can switch to the root user to run all these commands (or prefix all of them with sudo):
  sudo su

• The first command creates a new connection called “vpn-gateway” and sets the SSID (Wi-Fi name) to “RaspberryTips-VPN-Gateway” where the device (ifname) is wlan0 and the type is wifi (it may be different for you if you are using an external Wi-Fi dongle).
  nmcli con add con-name vpn-gateway ifname wlan0 type wifi ssid "RaspberryTips-VPN-Gateway"
  
• The second and the third command set up the Wi-Fi password.
  Choose a complex password of your choice for enhanced security.
  nmcli con modify vpn-gateway wifi-sec.key-mgmt wpa-psk
nmcli con modify vpn-gateway wifi-sec.psk "p@ssW0rd#123"
  
• The fourth command does the following: sets the wireless mode to Access Point, sets the band to BG (2.4 GHz) (you can set it to A for 5 GHz) and sets the IPv4 configuration to shared.
  nmcli con modify vpn-gateway 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared
  
• Finally, we activate the vpn-gateway connection using the “con up” command.
  nmcli con up vpn-gateway
  
  
  
• After a few seconds, you will be able to connect to the “RaspberryTips-VPN-Gateway” network from your system.
  
  

Next, we will connect our Raspberry Pi to a VPN (Surfshark in our case) so that we can tunnel all the incoming traffic through it.

Related: Turn Your Raspberry Pi into an Access Point (Bookworm ready)

Raspberry Pi VPN Configuration for the Gateway

In the last section, we saw how to connect to Surfshark VPN from the Pi. Now, we will configure the VPN so that we can turn our Wi-Fi Access Point into a full-blown VPN Gateway. For this, we will need to do some configurations.

Creating the auth.txt File

When connecting to the VPN, one thing we saw is that running the connection command requires us to enter the username and password every time. So, when you reboot the Pi, you will have to connect with the VPN again. This is not ideal if we would like to run everything as a service which starts on boot.

So, let’s automate this connection. Open a terminal and do the following:

• Go to your OpenVPN configuration folder:
  cd /etc/openvpn
• Create an auth file:
  sudo nano auth.txt
• Add the credentials we obtained from the VPN provider in the last section:
  
• Save & exit (CTRL+X).

Next, let’s modify and create a configuration file which will allow us to connect to our preferred VPN server location automatically.

Automating Authentication for VPN Connectivity

To create these config files, we will use the existing .ovpn files we obtained from Surfshark as the base. For this example, I’ll use the San Francisco server: us-sfo.prod.surfshark.com_tcp.ovpn.

• Create a copy of this file using the below commands:
  sudo cp us-sfo.prod.surfshark.com_tcp.ovpn ussfo.conf
• Open the new config file:
  sudo nano ussfo.conf
• Look for a line that says “auth-user-pass” on it.
  It was around line 15 on my version.
  Modify this line to specify your custom authentication file from earlier:
  auth-user-pass auth.txt

This will allow the configuration file to complete the authentication process using the auth.txt file we created. We can easily connect to Surfshark VPN now using the following command (note that you should be in the same directory where you placed the config file):
sudo openvpn --config "ussfo.conf"

This command will allow you to connect to the US SF server hosted by Surfshark.

Great! We will now see our VPN Gateway in action.

Testing the VPN Gateway

Now that everything is set up, we can test that our VPN gateway is operational. To do this, just start an access point by running the nmcli commands in the previous section and connect to the VPN server using the configuration file we created.

This is where using Network Manager comes in handy. We do not need to do any additional routing configurations, everything is done automatically.

Now, I will connect to my Pi’s Wi-Fi from my laptop. Once I have done that, I can open a browser window and search “What is my IP” on Google to fetch the details about my current location, which in this case will be San Francisco.

This is awesome! You now have a fully operational VPN Gateway that you can use to access content from different geographical locations or just have a more secure and encrypted home network.

Going Further

We successfully configured a Raspberry Pi to work as a VPN Gateway in two simple steps in this tutorial. Here are the advantages of having a gateway between your home devices and the Internet:

1. You can set up a firewall that will allow you to moderate the incoming and outgoing traffic on your network. Refer to this article to know more about it: How to use Raspberry Pi as a Wireless Router with Firewall.
2. You can access content from different countries which may not be normally allowed.
3. It provides more security for the overall network.

That being said, using a VPN service does limit you in terms of capabilities and it also incurs a monthly charge to use them for longer periods. Alternatively, you can set your Pi as a standalone VPN server which gives you a lot more control.

Refer to this article for a detailed article on how to do just this: How to install your own VPN server on Raspberry Pi? (OpenVPN).

Alternatively, you can also use FreedomBox, an all-in-one private server that will let you install VPN gateways with just a few easy clicks.

Whenever you’re ready, here are other ways I can help you:

Test Your Raspberry Pi Level (Free): Not sure why everything takes so long on your Raspberry Pi? Take this free 3-minute assessment and see what’s causing the problems.

The RaspberryTips Community: Need help or want to discuss your Raspberry Pi projects with others who actually get it? Join the RaspberryTips Community and get access to private forums, exclusive lessons, and direct help.

Master your Raspberry Pi in 30 days: If you are looking for the best tips to become an expert on Raspberry Pi, this book is for you. Learn useful Linux skills and practice multiple projects with step-by-step guides.

Master Python on Raspberry Pi: Create, understand, and improve any Python script for your Raspberry Pi. Learn the essentials step-by-step without losing time understanding useless concepts.

You can also find all my recommendations for tools and hardware on this page.