Highspeed VPN Router With Raspberry Pi

by scottbarton in Circuits > Raspberry Pi

28517 Views, 104 Favorites, 0 Comments

Highspeed VPN Router With Raspberry Pi

PiRouter.jpg

Concerned about online privacy? A VPN or Virtual Private Network allows you to surf, search and download from the internet without your ISP, advertisers, big brother, or other organizations tracking you. Most VPN providers allow you to download an app that you can run on your machine to protect you while you surf, search, watch or download. But that only protects that particular device and only when you remember to start the VPN application and connect to the VPN.

Instead we will make a whole home highspeed Gigabit VPN Router that will go in between your current WiFi home router and your internet provider's modem. This will protect every device on your home network all the time without sacrificing speed and without having to remember to enable it each time you want to use it.

We will be using a Raspberry Pi 4 2GB for our router. This is a cheap ($35) computer with 1.5Ghz quad core CPU, 2GB 3200Mhz DDR4 RAM, and we will be using a 32GB highspeed MicroSD card. We can easily overclock it's CPU up to 2.0Ghz. These specs are better than most high end routers costing hundreds of dollars.

We will be using OpenWRT which is a lightweight and easy to use dedicated router firmware with a web interface that can be installed on the Raspberry Pi.

We will use Wireguard VPN which is relatively new tech and is orders of magnitude faster than OpenVPN which is outdated and clunky.

With this setup, I have been able to get speeds up to 800Mbs on my Gigabit internet. Without the VPN, I get around 940Mbs, so only a 15% loss in speed. By comparison, with OpenVPN I was only able to get 25Mbs.

Supplies

  1. Raspberry Pi 4 2GB (OpenWRT does not use a lot of memory. FYI, you MUST have a good 3A 5.1V power supply)
  2. MicroSD Card (16GB or 32GB is plenty but you want a fast SD Card like the one linked)
  3. USB 3.0 to Gigabit Ethernet Adapter (must have Linux drivers)
  4. Raspberry Pi Cooling Case (We are going to overclock the Pi so you will need a heatsink with a fan)
  5. Ethernet Cable

Install OpenWRT and LuCI on Your Raspberry Pi SD Card

Etcher.PNG
PuTTy.PNG
SSH.PNG
  1. On a Windows machine, download and install Etcher
  2. Download latest OpenWRT image (rpi-4-ext4-factory.img.gz) for Raspberry Pi 4
  3. Use Etcher to flash the OpenWRT firmware image onto your MicroSD card
  4. When Etcher is complete a popup will tell you you need to format your drive, click Cancel
  5. Eject your SD card
  6. Download and install PuTTY so you can SSH into your Raspberry Pi
  7. Disconnect you PC from your network and plug your Raspberry Pi into your computer with the Ethernet cable
  8. Insert the SD card into your Pi and use the USB-C power plug to power on your Raspberry Pi
  9. Use PuTTY to SSH into your Raspberry Pi using 192.168.1.1 as the IP address and root as the login (no password)
  10. Change your password by typing at the command prompt: passwd root
  11. Change the IP Address to an unused IP address on your network (I'm using 192.168.1.2 as an example) by entering: uci set network.lan.ipaddr=192.168.1.2 && uci set network.lan.gateway=192.168.1.1 && uci set network.lan.dns=192.168.1.1 && uci commit
  12. poweroff your Raspberry Pi, plug it's ethernet cable into an unused port on your network, power it back on, reconnect your PC to your network and SSH back in with PuTTY using the new IP Address (192.168.1.2)
  13. Install LuCI Web Interface by entering: opkg update && opkg install luci
  14. Install Nano editor by typing: opkg install nano

Overclock Raspberry Pi (Optional)

OC.PNG

Running Gigabits of data through a VPN is very CPU intensive. The stock Raspberry Pi4 is a quad core CPU running at 1.5Ghz. You can overclock the Pi 4 to up to 2.0Ghz safely with a proper heatsink and fan. We will overclock it to 1.9Ghz. Mine only gets up to 45*C under load. Max safe temp for the Raspberry Pi is around 80*C. We are going to do this now, that way if there are any issues with the overclock, you will know about it while you are setting it up.

You need to edit the /boot/config.txt file:

  1. SSH into your Raspberry Pi and login
  2. Edit the /boot/config.txt file by entering: nano /boot/config.txt
  3. Use the arrow buttons to navigate down to the bottom and add the following:
    over_voltage=4
    arm_freq-1900
    
  4. Hit CTRL+X, then Y, then Enter to save
  5. Reboot your Raspberry Pi by entering: reboot

Add Packages

SoftwareFreeSpace.PNG

Login to the LuCI web app by going to http://192.168.1.2 (or whatever your Raspberry Pi's IP Address is).

Go to System --> Software and then Click Update lists...

In the Filter text box, search for and Install the following packages:

  • fdisk
  • resize2fs
  • kmod-fs-ext4
  • block-mount
  • kmod-usb-net-asix-ax88179
  • curl
  • git-http
  • nano
  • luci-app-wireguard
  • ntpd
  • node
  • node-npm

If you run out of room on your SD card, remove node and node-npm. After you expand your file system in step 9, you can install node and node-npm and any other packages you may want.

Configure OpenWRT

SSH.PNG

Login to LuCI web interface via http://192.168.1.2

  1. Go to System --> System --> General Settings and set your Timezone
  2. Click Save & Apply
  3. Go to Network --> Interfaces --> Global network options and check Packet Steering
  4. Click Save & Apply
  5. Go to System --> Software then click Configure opkg...
  6. In /etc/opkg.conf section, change /var/opkg-lists to /usr/lib/opkg/lists <--This will save your opkg lists.
  7. Click Save
  8. Click Update lists...

Open PuTTY and SSH into your Raspberry Pi using its IP address (192.168.1.2) and login

Increase the Max Connections by editing the /etc/sysctl.d/11-nf-conntrack.conf file:

  1. At the command prompt type: nano /etc/sysctl.d/11-nf-conntrack.conf
  2. Use the arrow keys to navigate down to net.netfilter.nf_conntrack_max and set it equal to 32768

  3. Hit CTRL+X, then Y, then Enter to save

Most VPN's cannot hide your IPv6 info, so we need to disable it. Disable IPv6 by editing the /boot/cmdline.txt file:

  1. At the command prompt type: nano /boot/cmdline.txt
  2. At the very end of the line add ipv6.disable=1
  3. Hit CTRL+X, then Y, then Enter to save
  4. reboot

You may also need to uninstall IPv6 packages.

Configure USB Ethernet Port As WAN

WAN.PNG

Install the USB 3.0 to Ethernet adapter drivers if you haven't already. The drivers for the adapter listed above is ASIX AX88179. If you got a different adapter, you will need to figure out what drivers you need.

  1. Login in to LuCI web interface at http://192.168.1.2
  2. Go to System --> Software, then click Update list...
  3. Search for kmod-usb-net-asix-ax88179 and Install

Plug in your USB to Ethernet adapter into a blue USB 3.0 port and System --> Reboot your Pi.

Now we need to create the WAN Interface. This is the ethernet port that connects to your modem to get to the internet.

  1. Go to Network --> Interfaces, then click Add new interface...
  2. Enter WAN as the interface name
  3. Select DHCP Client as the Protocol
  4. Select eth1 as the Interface
  5. Click Create Interface
  6. Click the Firewall Settings tab and select WAN as the Firewall Zone
  7. Click Save then click Save & Apply

Configure Client WireGuard VPN Interface

StrongVPN.PNG
DNS.PNG

You will need to purchase a VPN subscription from a VPN provider that can do WireGuard. Search for OpenWRT Wireguard VPN Installation to find VPN companies that can do Wireguard VPN on OpenWRT routers. Do not bother with free VPN's as they don't work and aren't worth trying. Look for a VPN that has a no logs policy, is not based in your country or subject to their laws, and works with streaming video providers (Netflix, Amazon Prime, Hulu, Disney+, etc).

You will want to download a few WireguardVPN config files or copy the config info for servers near you or at locations you want to VPN to. You will need the following information:

  • Private Key
  • IP Address
  • DNS Servers
  • Peer Public Key
  • Endpoint and Endpoint Port

Look for your VPN provider's Wireguard OpenWRT installation documents for more help and info. Your VPN provider's Wireguard on OpenWRT specific instructions should probably override the guide below if there is a conflict of info.

Once you have the needed info from your VPN provider we will configure the Wireguard VPN Interface:

  1. Open LuCi web interface and go to Network --> Interfaces, and click Add new interface...
  2. Create a unique name for your VPN connection, like VPNProvider_City but replace with the name of your VPN Provider and the city that you are VPNing to.
  3. For Protocol, select WireGuard VPN
  4. Click Create interface
  5. Add the Private Key that your VPN Provider provided you
  6. Add the IP Address that your VPN Provider provided you
  7. Click Save, then click Edit, then click the Peers tab
  8. Click Add peer if No peers defined yet
  9. Enter the Public Key your VPN Provider provided you
  10. Set Allowed IPs to 0.0.0.0/0 (or whatever your VPN provider gave you), then click the plus sign
  11. Check Route Allowed IPs
  12. Enter the Endpoint IP Address that your VPN Provider gave you
  13. Enter the Endpoint Port that your VPN provider gave you
  14. Set Persistent Keep Alive to 30
  15. For now, uncheck Bring up on boot. We will change this later.
  16. Click Save
  17. Open the VPN settings again and go to the Firewall Settings tab
  18. For Create/Assign firewall zone, select WAN
  19. Click Save
  20. Go to Network --> Interfaces --> WAN and click Edit and select the Advanced Settings tab
  21. Uncheck the Use DNS Servers advertised by peers
  22. Delete the DNS servers listed and add the DNS Servers your VPN Provider provided to you. If you have problems with streaming services, make sure your home WiFi router is also using your VPN providers DNS servers.

You can also use the following Anonymous DNS Servers:

  • 9.9.9.9
  • 84.200.69.80
  • 8.26.56.26
  • 1.1.1.1
  • 176.103.130.130
  • 4.2.2.2

23. Click Save, then click Save & Apply

Use IP Address for NTP Servers

NTP.PNG
PING.PNG
IPInfo.PNG

When restarting the VPN Router, you may run into issues where you can't access websites (usually because it says the security certificate can't be verified). The most likely reason is that the VPN was started before the router could synchronize its time with an NTP server. You can check to see if your Router's system time is valid by going to the Status Overview page in LuCI. If it does not match the correct time on your PC, it is out of sync. You can force it to update manually by going to System --> System --> General Settings tab and clicking Sync with Browser or Sync with NTP Server

To ensure you do not have to do this manually every time your VPN router restarts, we need to change the NTP servers to their IP Addresses. NTP Servers actually use pools of IP Addresses that can change over time. We will PING a few NTP server pools to get the IP Address they are currently using and look for the ones that are closest to you.

NTP Server Pools:

From the list of NTP Server Pools above, we will PING each server pool to get its current IP Address, we will then lookup where that server is located and find the ones closest to you so we can use those IP Addresses. Open a new text file to keep track of the NTP Pool server IP addresses and their locations.

  1. On your Windows machine, open a Command Prompt (type CMD in the search bar)
  2. Grab the a NTP server pool domain name (ie 0.us.pool.ntp.org)
  3. In the Command Prompt, type ping 0.us.pool.ntp.org (or whatever NTP Pool address you grabbed)
  4. It will Reply back with with an IP Address. Copy that IP Address to the clipboard.
  5. In a web browser, go to https://ipinfo.io/ and paste in the IP address you just got to see its location.
  6. In your text file, write the IP Address and the location.
  7. Repeat steps 2-6 for all of the NTP Servers near you
  8. Order your IP Addresses by location, nearest to furthest from you.

Now we need to update our NTP Servers to use the closest IP Addresses we just found:

  1. Open the LuCI web interface (http://192.168.1.2) and go to System --> System --> Time Synchronization
  2. Check Enable NTP Client
  3. Using the closest 4-6 NTP server IP Addrresses you found in the list above, add them to the list of NTP Server Candidates list.
  4. Copy the NTP Servers that were already there when we started, delete them, and add them to the bottom of the list. (ie 0.openwrt.pool.ntp.org)
  5. Click Save & Apply

If you don't see the Time Synchronization tab, go to System --> Software and uninstall NTPd and reboot. After you are done, you can re-install NTPd.

Backup Your Raspberry Pi SD Card Image

Win32DiskImager.PNG
  1. On Windows machine, download and install Win32DiskImager
  2. poweroff your Raspberry Pi and insert the SD card in your Windows machine
  3. Open Win32DiskImager
  4. Click the Folder Icon to select a location and enter a name to save your SD Card Image
  5. Under Device, select your SD Card
  6. Check Read Only Allocated Partitions
  7. Click Read
  8. When done, you may have to Eject and re-insert your SD card

If your SD card gets corrupted, you can always get back to this image by using Etcher and using this image instead.

Expand Your SD Card to Use All Available Space

FormatUnallocatedSpaceSD.PNG
blockinfo.PNG

The default installation of OpenWRT will only use a small portion of your SD Card's available space. We will need to format the unallocated space and then mount it in Linux, and resize it.

  1. Insert the SD card in your Windows machine.
  2. Open up Control Panel, Click System and Security, and under Administrative Tools, click Create and format hard disk partitions to bring up Disk Management
  3. Click on the SD Card volume labeled boot
  4. Click on the Unallocated partition (should be the one whose size is in GB, pretty close to the size of the SD card)
  5. Right click on it and click New Simple Volume...
  6. Click Next, Next, Next,Next, Finish to create a new FAT32 volume with the maximum size remaining.
  7. Eject the boot drive and put it back in your Raspberry Pi and boot it back up

Now we need to expand your file system with extroot <-- Take a look at this link for more info. We are using the newly created partition instead of an external USB drive though. ie use "/dev/mmcblk0p3" instead of "/dev/sda1" in those directions.

Install fdisk, kmod-fs-ext4, resize2fs, and block-mount if you haven't already. If your SD card is bigger than 32GB, you will also have to install kmod-fs-exfat.

  1. Open up PuTTY and SSH into your Pi (IP address is 192.168.1.2, unless yours is different)
  2. Type: opkg update && opkg install fdisk kmod-fs-ext4 resize2fs block-mount

Configure rootfs_data:

mkdir /rwm
DEVICE="$(sed -n -e "/\s\/overlay\s.*$/s///p" /etc/mtab)"
uci -q delete fstab.rwm
uci set fstab.rwm="mount"
uci set fstab.rwm.device="${DEVICE}"
uci set fstab.rwm.target="/rwm"
uci commit fstab

Get Partition Info:

  1. Type block info to see your partitions. Results should look like something the black image above.
  2. The last FAT32 partition with the LABEL we gave it when we created the partition in Windows is the partition we want. In this case it is /dev/mmcblk0p3

Format the new partition

DEVICE="/dev/mmcblk0p3"
mkfs.ext4 ${DEVICE}

Make the new partition the new overlay

eval $(block info ${DEVICE} | grep -o -e "UUID=\S*")
uci -q delete fstab.overlay
uci set fstab.overlay="mount"
uci set fstab.overlay.uuid="${UUID}"
uci set fstab.overlay.target="/overlay"
uci commit fstab

Transfer the data

mount ${DEVICE} /mnt
cp -f -a /overlay/. /mnt
umount /mnt

Now reboot

Type df -h to get partition sizes to double check. You should also see almost the full size of your SD Card available when you go to System --> Software and look at the free space.

If you screw this up, you can always go back to the image you created in the last step. ;)

Move VPN Router Between Your Home Router and Modem

LAN.PNG
SpeedTest.jpg

Now we are almost ready to put our VPN router in place between your home WiFi router and your internet provider's modem. We need to change the VPN router's network as it cannot use the same network as your home network (ie usually 192.168.1.x) when in use.

  1. In LuCi, go to Network --> Interfaces and click Edit on the LAN interface
  2. Make sure Protocol is set to Static address
  3. Change the IPv4 address to 192.168.2.1 (You will use 192.168.2.1 to access the LuCI web interface as well as SSH from now on)
  4. Change IPv4 broadcast to 192.168.2.255
  5. Clear IPv4 Gateway and Use Custom DNS Server fields
  6. Click Save
  7. Click Edit on your VPN Interface
  8. Check Bring up on boot
  9. Click Save
  10. Click Save & Apply
  11. Shutdown the Raspberry Pi

Install the VPN Router between your home WiFi Router and Modem

  1. Unplug the Ethernet cable from your internet provider's modem that goes to your WiFi router
  2. Power cycle your modem
  3. Plug the Ethernet cable from your modem into the Raspberry Pi's USB Ethernet Adapter
  4. Plug your WiFi router's Ethernet cable into the built in Ethernet port of the Raspberry Pi
  5. Power on your Raspberry Pi
  6. Reboot your home WiFi Router
  7. You can use IPLeak.net and SpeedTest.net to test your VPN's security and speed
  8. Enjoy your internet privacy with your new whole home high speed VPN

Install Other Useful Packages (optional)

SoftwareFreeSpace.PNG

There are several other useful packages you may want to install and configure for your OpenWRT router like:

Create Scripts to Run at Startup (optional)

StartUp.PNG
profile.PNG
enableadblock.PNG

If your VPN still starts up before your router can sync its time with an NTP server and gives you trouble connecting to sites, you may have to delay the startup of the VPN Interface.

Create custom scripts:

  1. Use PuTTY to SSH into your Pi (it's new address should be 192.168.2.1)
  2. Create a directory to hold all your scripts: mkdir /scripts
  3. Change to that directory: cd /scripts
  4. Create a new custom script called enablevpn: nano enablevpn
  5. I am using VPN_Name as an example, you will need to change it to whatever you named your WireGuard VPN Interface when you created it
  6. Enter the following code in your enablevpn script, changing VPN_Name as needed.
    #! /bin/ash
    
    ifup VPN_Name
  7. Hit CTRL+X, then Y, then Enter to Save
  8. Make the script file executable: chmod +x enablevpn
  9. Add the /scripts directory to your $PATH variable so you can execute them from anywhere: nano /etc/profile
  10. Use the arrows to scroll down to where it says export PATH= and add :/scripts to the end of that line
  11. Hit CTRL+X, then Y, then Enter to Save
  12. You can now run the enablevpn script from anywhere by typing: enablevpn

Disable VPN Interface from Starting on Boot:

  1. In LuCI web interface, go to Network --> Interfaces then click Edit next to your WireGuard VPN Interface
  2. Uncheck Bring up on boot
  3. Click Save & Apply

Add a delay and then the StartVPN command to Startup Script:

  1. In LuCI web interface. go to System --> Startup then click the Local Startup tab
  2. Add the command to enable your VPN you wrote above by adding: sleep 20 && /scripts/enablevpn

Make sure that line is added before the exit 0 line, This will give your router 20 seconds to sync its time with an NTP server before starting the VPN.

You may want to create some more custom scripts:

Script to Disable the VPN:

  1. Change directory to your /scripts directory: cd /scripts
  2. Create a script to disable the VPN called disablevpn: nano disablevpn
  3. Enter the following code in your disablevpn script, changing VPN_Name as needed
    #! /bin/ash
    ifdown VPN_Name
  4. Hit CTRL+X, then Y, then Enter to Save
  5. Make the script file executable: chmod +x disablevpn

Script to Start the Simple Ad Blocker (assuming you've installed that package already):

  1. Create a script to disable the VPN called enableadblock: nano enableadblock
  2. Enter the following code in your enableadblock script
    #! /bin/ash
    
    uci set simple-adblock.config.enabled=1; uci commit simple-adblock;
    /etc/init.d/simple-adblock start
  3. Hit CTRL+X, then Y, then Enter to Save
  4. Make the script file executable: chmod +x enableadblock

Script to Stop Simple Ad Blocker:

  1. Create a script to disable the VPN called disableadblock: nano disableadblock
  2. Enter the following code in your disableadblock script
    #! /bin/ash
    
    /etc/init.d/simple-adblock stop
    uci set simple-adblock.config.enabled=0; uci commit simple-adblock;
  3. Hit CTRL+X, then Y, then Enter to Save
  4. Make the script file executable: chmod +x disableadblock

Voice Control Your VPN Router With Smart Home Assistant (optional)

TriggerCMD.jpg
vpnsh.PNG
TriggerJson.PNG

If you want to turn off your VPN or Ad Blocker because it is blocking a site or streaming service you want to use, you can just tell Alexa or Google to do it so you don't have to login and do it yourself.

You can use TRIGGERcmd to enable/disable your VPN, enable/disable your ad blocker, reboot the router, or run just about any command or script on your Raspberry Pi.

See this thread for more info on how to install TRIGGERcmd on Raspberry Pi with OpenWRT:

https://www.triggercmd.com/forum/topic/1198/how-do-you-install-triggercmd-on-raspberry-pi-with-openwrt

Note, you will need to make sure node and node-npm packages are installed under System --> Software in order to install TIRGGERcmd.

You will need to create the scripts for TRIGGERcmd to execute (see step 11 above for more info and ideas):

  1. Create a scripts directory if you haven't already by typing: mkdir /scripts
  2. Create a new text file called vpn.sh for your script by typing: nano /scripts/vpn.sh
  3. Add the following code to it (change YOURVPN_Name to whatever you named your WireGuard VPN Interface in step 6)
    #/bin/ash
    case "$1" in
      "on")
        ifup YOURVPN_Name
        ;;
      "off")
        ifdown YOURVPN_Name
        ;;
      *)
        echo "Run this with on or off as the parameter."
        exit 1
        ;;
    esac
    
  4. Hit CTRL+X, then Y, then Enter to Save.
  5. Make the file executable by typing: chmod +x /scripts/vpn.sh
  6. Add /scripts to your PATH variable so the script can be run from anywhere: export PATH=$PATH:/scripts

Add your new script to your /root/.TRIGGERcmdData/commands.json file.

  1. nano /root/.TRIGGERcmdData/commands.json
  2. Add:
{
  "trigger":"VPN","command":"/scripts/vpn.sh","ground":"background","voice":"v p n","allowParams":"true"
}

Use Safer Browsers and Search Engines (optional)

DuckDuckGo.png

Most popular search engines and browsers track and log your every move so as to be able to sell your data to advertisers among other things. Switch to a web browser and search engine that do not log, track, or sell your data.

DuckDuckGo.com is one such Search Engine and they also have a web browser.