Highspeed VPN Router With Raspberry Pi
by scottbarton in Circuits > Raspberry Pi
28652 Views, 104 Favorites, 0 Comments
Highspeed VPN Router With Raspberry Pi
Concerned about online privacy? A VPN or Virtual Private Network allows you to surf, search and download from the internet without your ISP, advertisers, big brother, or other organizations tracking you. Most VPN providers allow you to download an app that you can run on your machine to protect you while you surf, search, watch or download. But that only protects that particular device and only when you remember to start the VPN application and connect to the VPN.
Instead we will make a whole home highspeed Gigabit VPN Router that will go in between your current WiFi home router and your internet provider's modem. This will protect every device on your home network all the time without sacrificing speed and without having to remember to enable it each time you want to use it.
We will be using a Raspberry Pi 4 2GB for our router. This is a cheap ($35) computer with 1.5Ghz quad core CPU, 2GB 3200Mhz DDR4 RAM, and we will be using a 32GB highspeed MicroSD card. We can easily overclock it's CPU up to 2.0Ghz. These specs are better than most high end routers costing hundreds of dollars.
We will be using OpenWRT which is a lightweight and easy to use dedicated router firmware with a web interface that can be installed on the Raspberry Pi.
We will use Wireguard VPN which is relatively new tech and is orders of magnitude faster than OpenVPN which is outdated and clunky.
With this setup, I have been able to get speeds up to 800Mbs on my Gigabit internet. Without the VPN, I get around 940Mbs, so only a 15% loss in speed. By comparison, with OpenVPN I was only able to get 25Mbs.
Supplies
- Raspberry Pi 4 2GB (OpenWRT does not use a lot of memory. FYI, you MUST have a good 3A 5.1V power supply)
- MicroSD Card (16GB or 32GB is plenty but you want a fast SD Card like the one linked)
- USB 3.0 to Gigabit Ethernet Adapter (must have Linux drivers)
- Raspberry Pi Cooling Case (We are going to overclock the Pi so you will need a heatsink with a fan)
- Ethernet Cable
Install OpenWRT and LuCI on Your Raspberry Pi SD Card
- On a Windows machine, download and install Etcher
- Download latest OpenWRT image (rpi-4-ext4-factory.img.gz) for Raspberry Pi 4
- Use Etcher to flash the OpenWRT firmware image onto your MicroSD card
- When Etcher is complete a popup will tell you you need to format your drive, click Cancel
- Eject your SD card
- Download and install PuTTY so you can SSH into your Raspberry Pi
- Disconnect you PC from your network and plug your Raspberry Pi into your computer with the Ethernet cable
- Insert the SD card into your Pi and use the USB-C power plug to power on your Raspberry Pi
- Use PuTTY to SSH into your Raspberry Pi using 192.168.1.1 as the IP address and root as the login (no password)
- Change your password by typing at the command prompt: passwd root
- Change the IP Address to an unused IP address on your network (I'm using 192.168.1.2 as an example) by entering: uci set network.lan.ipaddr=192.168.1.2 && uci set network.lan.gateway=192.168.1.1 && uci set network.lan.dns=192.168.1.1 && uci commit
- poweroff your Raspberry Pi, plug it's ethernet cable into an unused port on your network, power it back on, reconnect your PC to your network and SSH back in with PuTTY using the new IP Address (192.168.1.2)
- Install LuCI Web Interface by entering: opkg update && opkg install luci
- Install Nano editor by typing: opkg install nano
Overclock Raspberry Pi (Optional)
Running Gigabits of data through a VPN is very CPU intensive. The stock Raspberry Pi4 is a quad core CPU running at 1.5Ghz. You can overclock the Pi 4 to up to 2.0Ghz safely with a proper heatsink and fan. We will overclock it to 1.9Ghz. Mine only gets up to 45*C under load. Max safe temp for the Raspberry Pi is around 80*C. We are going to do this now, that way if there are any issues with the overclock, you will know about it while you are setting it up.
You need to edit the /boot/config.txt file:
- SSH into your Raspberry Pi and login
- Edit the /boot/config.txt file by entering: nano /boot/config.txt
- Use the arrow buttons to navigate down to the bottom and add the following:
over_voltage=4 arm_freq-1900
- Hit CTRL+X, then Y, then Enter to save
- Reboot your Raspberry Pi by entering: reboot
Add Packages
Login to the LuCI web app by going to http://192.168.1.2 (or whatever your Raspberry Pi's IP Address is).
Go to System --> Software and then Click Update lists...
In the Filter text box, search for and Install the following packages:
- fdisk
- resize2fs
- kmod-fs-ext4
- block-mount
- kmod-usb-net-asix-ax88179
- curl
- git-http
- nano
- luci-app-wireguard
- ntpd
- node
- node-npm
If you run out of room on your SD card, remove node and node-npm. After you expand your file system in step 9, you can install node and node-npm and any other packages you may want.
Configure OpenWRT
Login to LuCI web interface via http://192.168.1.2
- Go to System --> System --> General Settings and set your Timezone
- Click Save & Apply
- Go to Network --> Interfaces --> Global network options and check Packet Steering
- Click Save & Apply
- Go to System --> Software then click Configure opkg...
- In /etc/opkg.conf section, change /var/opkg-lists to /usr/lib/opkg/lists <--This will save your opkg lists.
- Click Save
- Click Update lists...
Open PuTTY and SSH into your Raspberry Pi using its IP address (192.168.1.2) and login
Increase the Max Connections by editing the /etc/sysctl.d/11-nf-conntrack.conf file:
- At the command prompt type: nano /etc/sysctl.d/11-nf-conntrack.conf
-
Use the arrow keys to navigate down to net.netfilter.nf_conntrack_max and set it equal to 32768
- Hit CTRL+X, then Y, then Enter to save
Most VPN's cannot hide your IPv6 info, so we need to disable it. Disable IPv6 by editing the /boot/cmdline.txt file:
- At the command prompt type: nano /boot/cmdline.txt
- At the very end of the line add ipv6.disable=1
- Hit CTRL+X, then Y, then Enter to save
- reboot
You may also need to uninstall IPv6 packages.
Configure USB Ethernet Port As WAN
Install the USB 3.0 to Ethernet adapter drivers if you haven't already. The drivers for the adapter listed above is ASIX AX88179. If you got a different adapter, you will need to figure out what drivers you need.
- Login in to LuCI web interface at http://192.168.1.2
- Go to System --> Software, then click Update list...
- Search for kmod-usb-net-asix-ax88179 and Install
Plug in your USB to Ethernet adapter into a blue USB 3.0 port and System --> Reboot your Pi.
Now we need to create the WAN Interface. This is the ethernet port that connects to your modem to get to the internet.
- Go to Network --> Interfaces, then click Add new interface...
- Enter WAN as the interface name
- Select DHCP Client as the Protocol
- Select eth1 as the Interface
- Click Create Interface
- Click the Firewall Settings tab and select WAN as the Firewall Zone
- Click Save then click Save & Apply
Configure Client WireGuard VPN Interface
You will need to purchase a VPN subscription from a VPN provider that can do WireGuard. Search for OpenWRT Wireguard VPN Installation to find VPN companies that can do Wireguard VPN on OpenWRT routers. Do not bother with free VPN's as they don't work and aren't worth trying. Look for a VPN that has a no logs policy, is not based in your country or subject to their laws, and works with streaming video providers (Netflix, Amazon Prime, Hulu, Disney+, etc).
You will want to download a few WireguardVPN config files or copy the config info for servers near you or at locations you want to VPN to. You will need the following information:
- Private Key
- IP Address
- DNS Servers
- Peer Public Key
- Endpoint and Endpoint Port
Look for your VPN provider's Wireguard OpenWRT installation documents for more help and info. Your VPN provider's Wireguard on OpenWRT specific instructions should probably override the guide below if there is a conflict of info.
Once you have the needed info from your VPN provider we will configure the Wireguard VPN Interface:
- Open LuCi web interface and go to Network --> Interfaces, and click Add new interface...
- Create a unique name for your VPN connection, like VPNProvider_City but replace with the name of your VPN Provider and the city that you are VPNing to.
- For Protocol, select WireGuard VPN
- Click Create interface
- Add the Private Key that your VPN Provider provided you
- Add the IP Address that your VPN Provider provided you
- Click Save, then click Edit, then click the Peers tab
- Click Add peer if No peers defined yet
- Enter the Public Key your VPN Provider provided you
- Set Allowed IPs to 0.0.0.0/0 (or whatever your VPN provider gave you), then click the plus sign
- Check Route Allowed IPs
- Enter the Endpoint IP Address that your VPN Provider gave you
- Enter the Endpoint Port that your VPN provider gave you
- Set Persistent Keep Alive to 30
- For now, uncheck Bring up on boot. We will change this later.
- Click Save
- Open the VPN settings again and go to the Firewall Settings tab
- For Create/Assign firewall zone, select WAN
- Click Save
- Go to Network --> Interfaces --> WAN and click Edit and select the Advanced Settings tab
- Uncheck the Use DNS Servers advertised by peers
- Delete the DNS servers listed and add the DNS Servers your VPN Provider provided to you. If you have problems with streaming services, make sure your home WiFi router is also using your VPN providers DNS servers.
You can also use the following Anonymous DNS Servers:
- 9.9.9.9
- 84.200.69.80
- 8.26.56.26
- 1.1.1.1
- 176.103.130.130
- 4.2.2.2
23. Click Save, then click Save & Apply
Use IP Address for NTP Servers
When restarting the VPN Router, you may run into issues where you can't access websites (usually because it says the security certificate can't be verified). The most likely reason is that the VPN was started before the router could synchronize its time with an NTP server. You can check to see if your Router's system time is valid by going to the Status Overview page in LuCI. If it does not match the correct time on your PC, it is out of sync. You can force it to update manually by going to System --> System --> General Settings tab and clicking Sync with Browser or Sync with NTP Server
To ensure you do not have to do this manually every time your VPN router restarts, we need to change the NTP servers to their IP Addresses. NTP Servers actually use pools of IP Addresses that can change over time. We will PING a few NTP server pools to get the IP Address they are currently using and look for the ones that are closest to you.
NTP Server Pools:
- https://www.pool.ntp.org/zone/us (There are different NTP.org server pools by location, select the NTP server pools closest to you)
- https://tf.nist.gov/tf-cgi/servers.cgi
From the list of NTP Server Pools above, we will PING each server pool to get its current IP Address, we will then lookup where that server is located and find the ones closest to you so we can use those IP Addresses. Open a new text file to keep track of the NTP Pool server IP addresses and their locations.
- On your Windows machine, open a Command Prompt (type CMD in the search bar)
- Grab the a NTP server pool domain name (ie 0.us.pool.ntp.org)
- In the Command Prompt, type ping 0.us.pool.ntp.org (or whatever NTP Pool address you grabbed)
- It will Reply back with with an IP Address. Copy that IP Address to the clipboard.
- In a web browser, go to https://ipinfo.io/ and paste in the IP address you just got to see its location.
- In your text file, write the IP Address and the location.
- Repeat steps 2-6 for all of the NTP Servers near you
- Order your IP Addresses by location, nearest to furthest from you.
Now we need to update our NTP Servers to use the closest IP Addresses we just found:
- Open the LuCI web interface (http://192.168.1.2) and go to System --> System --> Time Synchronization
- Check Enable NTP Client
- Using the closest 4-6 NTP server IP Addrresses you found in the list above, add them to the list of NTP Server Candidates list.
- Copy the NTP Servers that were already there when we started, delete them, and add them to the bottom of the list. (ie 0.openwrt.pool.ntp.org)
- Click Save & Apply
If you don't see the Time Synchronization tab, go to System --> Software and uninstall NTPd and reboot. After you are done, you can re-install NTPd.
Backup Your Raspberry Pi SD Card Image
- On Windows machine, download and install Win32DiskImager
- poweroff your Raspberry Pi and insert the SD card in your Windows machine
- Open Win32DiskImager
- Click the Folder Icon to select a location and enter a name to save your SD Card Image
- Under Device, select your SD Card
- Check Read Only Allocated Partitions
- Click Read
- When done, you may have to Eject and re-insert your SD card
If your SD card gets corrupted, you can always get back to this image by using Etcher and using this image instead.
Expand Your SD Card to Use All Available Space
The default installation of OpenWRT will only use a small portion of your SD Card's available space. We will need to format the unallocated space and then mount it in Linux, and resize it.
- Insert the SD card in your Windows machine.
- Open up Control Panel, Click System and Security, and under Administrative Tools, click Create and format hard disk partitions to bring up Disk Management
- Click on the SD Card volume labeled boot
- Click on the Unallocated partition (should be the one whose size is in GB, pretty close to the size of the SD card)
- Right click on it and click New Simple Volume...
- Click Next, Next, Next,Next, Finish to create a new FAT32 volume with the maximum size remaining.
- Eject the boot drive and put it back in your Raspberry Pi and boot it back up
Now we need to expand your file system with extroot <-- Take a look at this link for more info. We are using the newly created partition instead of an external USB drive though. ie use "/dev/mmcblk0p3" instead of "/dev/sda1" in those directions.
Install fdisk, kmod-fs-ext4, resize2fs, and block-mount if you haven't already. If your SD card is bigger than 32GB, you will also have to install kmod-fs-exfat.
- Open up PuTTY and SSH into your Pi (IP address is 192.168.1.2, unless yours is different)
- Type: opkg update && opkg install fdisk kmod-fs-ext4 resize2fs block-mount
Configure rootfs_data:
mkdir /rwm DEVICE="$(sed -n -e "/\s\/overlay\s.*$/s///p" /etc/mtab)" uci -q delete fstab.rwm uci set fstab.rwm="mount" uci set fstab.rwm.device="${DEVICE}" uci set fstab.rwm.target="/rwm" uci commit fstab
Get Partition Info:
- Type block info to see your partitions. Results should look like something the black image above.
- The last FAT32 partition with the LABEL we gave it when we created the partition in Windows is the partition we want. In this case it is /dev/mmcblk0p3
Format the new partition
DEVICE="/dev/mmcblk0p3" mkfs.ext4 ${DEVICE}
Make the new partition the new overlay
eval $(block info ${DEVICE} | grep -o -e "UUID=\S*") uci -q delete fstab.overlay uci set fstab.overlay="mount" uci set fstab.overlay.uuid="${UUID}" uci set fstab.overlay.target="/overlay" uci commit fstab
Transfer the data
mount ${DEVICE} /mnt cp -f -a /overlay/. /mnt umount /mnt
Now reboot
Type df -h to get partition sizes to double check. You should also see almost the full size of your SD Card available when you go to System --> Software and look at the free space.
If you screw this up, you can always go back to the image you created in the last step. ;)
Move VPN Router Between Your Home Router and Modem
Now we are almost ready to put our VPN router in place between your home WiFi router and your internet provider's modem. We need to change the VPN router's network as it cannot use the same network as your home network (ie usually 192.168.1.x) when in use.
- In LuCi, go to Network --> Interfaces and click Edit on the LAN interface
- Make sure Protocol is set to Static address
- Change the IPv4 address to 192.168.2.1 (You will use 192.168.2.1 to access the LuCI web interface as well as SSH from now on)
- Change IPv4 broadcast to 192.168.2.255
- Clear IPv4 Gateway and Use Custom DNS Server fields
- Click Save
- Click Edit on your VPN Interface
- Check Bring up on boot
- Click Save
- Click Save & Apply
- Shutdown the Raspberry Pi
Install the VPN Router between your home WiFi Router and Modem
- Unplug the Ethernet cable from your internet provider's modem that goes to your WiFi router
- Power cycle your modem
- Plug the Ethernet cable from your modem into the Raspberry Pi's USB Ethernet Adapter
- Plug your WiFi router's Ethernet cable into the built in Ethernet port of the Raspberry Pi
- Power on your Raspberry Pi
- Reboot your home WiFi Router
- You can use IPLeak.net and SpeedTest.net to test your VPN's security and speed
- Enjoy your internet privacy with your new whole home high speed VPN
Install Other Useful Packages (optional)
There are several other useful packages you may want to install and configure for your OpenWRT router like:
Create Scripts to Run at Startup (optional)
If your VPN still starts up before your router can sync its time with an NTP server and gives you trouble connecting to sites, you may have to delay the startup of the VPN Interface.
Create custom scripts:
- Use PuTTY to SSH into your Pi (it's new address should be 192.168.2.1)
- Create a directory to hold all your scripts: mkdir /scripts
- Change to that directory: cd /scripts
- Create a new custom script called enablevpn: nano enablevpn
- I am using VPN_Name as an example, you will need to change it to whatever you named your WireGuard VPN Interface when you created it
- Enter the following code in your enablevpn script, changing VPN_Name as needed.
#! /bin/ash ifup VPN_Name
- Hit CTRL+X, then Y, then Enter to Save
- Make the script file executable: chmod +x enablevpn
- Add the /scripts directory to your $PATH variable so you can execute them from anywhere: nano /etc/profile
- Use the arrows to scroll down to where it says export PATH= and add :/scripts to the end of that line
- Hit CTRL+X, then Y, then Enter to Save
- You can now run the enablevpn script from anywhere by typing: enablevpn
Disable VPN Interface from Starting on Boot:
- In LuCI web interface, go to Network --> Interfaces then click Edit next to your WireGuard VPN Interface
- Uncheck Bring up on boot
- Click Save & Apply
Add a delay and then the StartVPN command to Startup Script:
- In LuCI web interface. go to System --> Startup then click the Local Startup tab
- Add the command to enable your VPN you wrote above by adding: sleep 20 && /scripts/enablevpn
Make sure that line is added before the exit 0 line, This will give your router 20 seconds to sync its time with an NTP server before starting the VPN.
You may want to create some more custom scripts:
Script to Disable the VPN:
- Change directory to your /scripts directory: cd /scripts
- Create a script to disable the VPN called disablevpn: nano disablevpn
- Enter the following code in your disablevpn script, changing VPN_Name as needed
#! /bin/ash ifdown VPN_Name
- Hit CTRL+X, then Y, then Enter to Save
- Make the script file executable: chmod +x disablevpn
Script to Start the Simple Ad Blocker (assuming you've installed that package already):
- Create a script to disable the VPN called enableadblock: nano enableadblock
- Enter the following code in your enableadblock script
#! /bin/ash uci set simple-adblock.config.enabled=1; uci commit simple-adblock; /etc/init.d/simple-adblock start
- Hit CTRL+X, then Y, then Enter to Save
- Make the script file executable: chmod +x enableadblock
Script to Stop Simple Ad Blocker:
- Create a script to disable the VPN called disableadblock: nano disableadblock
- Enter the following code in your disableadblock script
#! /bin/ash /etc/init.d/simple-adblock stop uci set simple-adblock.config.enabled=0; uci commit simple-adblock;
- Hit CTRL+X, then Y, then Enter to Save
- Make the script file executable: chmod +x disableadblock
Voice Control Your VPN Router With Smart Home Assistant (optional)
If you want to turn off your VPN or Ad Blocker because it is blocking a site or streaming service you want to use, you can just tell Alexa or Google to do it so you don't have to login and do it yourself.
You can use TRIGGERcmd to enable/disable your VPN, enable/disable your ad blocker, reboot the router, or run just about any command or script on your Raspberry Pi.
See this thread for more info on how to install TRIGGERcmd on Raspberry Pi with OpenWRT:
Note, you will need to make sure node and node-npm packages are installed under System --> Software in order to install TIRGGERcmd.
You will need to create the scripts for TRIGGERcmd to execute (see step 11 above for more info and ideas):
- Create a scripts directory if you haven't already by typing: mkdir /scripts
- Create a new text file called vpn.sh for your script by typing: nano /scripts/vpn.sh
- Add the following code to it (change YOURVPN_Name to whatever you named your WireGuard VPN Interface in step 6)
#/bin/ash case "$1" in "on") ifup YOURVPN_Name ;; "off") ifdown YOURVPN_Name ;; *) echo "Run this with on or off as the parameter." exit 1 ;; esac
- Hit CTRL+X, then Y, then Enter to Save.
- Make the file executable by typing: chmod +x /scripts/vpn.sh
- Add /scripts to your PATH variable so the script can be run from anywhere: export PATH=$PATH:/scripts
Add your new script to your /root/.TRIGGERcmdData/commands.json file.
- nano /root/.TRIGGERcmdData/commands.json
- Add:
{ "trigger":"VPN","command":"/scripts/vpn.sh","ground":"background","voice":"v p n","allowParams":"true" }
Use Safer Browsers and Search Engines (optional)
Most popular search engines and browsers track and log your every move so as to be able to sell your data to advertisers among other things. Switch to a web browser and search engine that do not log, track, or sell your data.
DuckDuckGo.com is one such Search Engine and they also have a web browser.