Setting Up a Raspberry Pi as a Wi-Fi Hotspot with VPN Routing: A Step-by-Step Guide
Have you ever wanted to create your own secure Wi-Fi hotspot that routes all traffic through a VPN? In this guide, we’ll walk you through the process of setting up a Raspberry Pi to do just that. This project is perfect for enhancing your privacy when using public Wi-Fi or for creating a secure network for your smart home devices.
Prerequisites
Before we dive into the setup, make sure you have the following:
Raspberry Pi: We’re using a Raspberry Pi 3B for this guide, but other models should work as well.
Two Wi-Fi adapters: At least one of these should support AP (Access Point) mode. The built-in Wi-Fi on the Raspberry Pi 3B can be used as one of these.
Bootable USB drive or microSD card: We’ll be using Fedora as our operating system. I’ve used a USB drive, but a microSD card works too.
Power supply for your Raspberry Pi
Ethernet cable (optional, but recommended for initial setup)
Step 1: Prepare Your Raspberry Pi
Download the latest version of Fedora IoT from the official Fedora website.
Flash the Fedora image onto your USB drive or microSD card using a tool like Etcher or Rufus.
Insert the USB drive or microSD card into your Raspberry Pi.
Connect your Raspberry Pi to power and, if possible, to your router via Ethernet for the initial setup.
Boot up your Raspberry Pi and wait for it to fully start up.
Step 2: Initial Configuration
Connect to your Raspberry Pi via SSH or using a keyboard and monitor.
Update your system:
sudo dnf update
Install necessary tools:
sudo dnf install NetworkManager wireguard-tools
Now that we have our Raspberry Pi set up and running, let’s move on to configuring our Wi-Fi hotspot and VPN.
Step 3: Setting up the Wi-Fi Hotspot
We’ll use NetworkManager (nmcli) to set up our Wi-Fi hotspot. Replace wlu1u5 with the name of your Wi-Fi interface that supports AP mode.
nmcli con add type wifi ifname wlu1u5 con-name portal autoconnect yes ssid Entralink-Portal
nmcli con modify portal 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared
nmcli con modify portal wifi-sec.key-mgmt wpa-psk
nmcli con modify portal wifi-sec.psk "your_password_here"
# rsn selects WPA2; the value wpa would select the original, deprecated WPA
nmcli con modify portal wifi-sec.proto rsn
nmcli con modify portal wifi-sec.pairwise ccmp
nmcli con modify portal wifi-sec.group ccmp
Activate the hotspot:
nmcli con up portal
If you need to modify the IP address range:
nmcli con modify portal ipv4.addresses 192.168.10.1/24
nmcli con modify portal ipv4.gateway 192.168.10.1
nmcli con modify portal ipv4.dns "8.8.8.8 8.8.4.4"
nmcli con down portal
nmcli con up portal
Step 4: Setting up WireGuard VPN
Now, let’s set up our VPN using WireGuard:
Install WireGuard:
sudo dnf install wireguard-tools
Create and edit the WireGuard configuration file:
sudo nano /etc/wireguard/wg0.conf
Add the following content (replace with your actual WireGuard configuration):
[Interface]
PrivateKey = OFSAfC9sLnj1RedAgDcfNgj0hdAgDcfcN++E+DE72A=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = S4sou/kWKF1tDtbdAgDcf5DIOXONZrL0E9lI5lWEI=
AllowedIPs = 0.0.0.0/0
Endpoint = 149.34.244.174:51820
PersistentKeepalive = 25
Set the correct permissions:
sudo chmod 600 /etc/wireguard/wg0.conf
Enable and start WireGuard:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
Step 5: Setting Up Routing and Firewall Rules
Create a script to set up the routing and firewall rules:
sudo nano /usr/local/bin/setup-vpn-routing.sh
Add the following content:
#!/bin/bash
# Enable IP forwarding
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# Flush existing iptables rules
sudo iptables -F
sudo iptables -t nat -F
# Set up NAT for the WireGuard interface
sudo iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
# Allow forwarding from hotspot to WireGuard
sudo iptables -A FORWARD -i wlu1u5 -o wg0 -j ACCEPT
# Allow forwarding from WireGuard to hotspot for established connections
sudo iptables -A FORWARD -i wg0 -o wlu1u5 -m state --state RELATED,ESTABLISHED -j ACCEPT
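# NAT traffic from the hotspot subnet leaving via WireGuard (already covered by the wg0 MASQUERADE rule above)
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o wg0 -j MASQUERADE
# Set default policies: drop forwarded traffic that none of the rules above accept,
# so the only forwarding path this script allows is hotspot <-> wg0
sudo iptables -P FORWARD DROP
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT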
# Save the iptables rules
sudo iptables-save | sudo tee /etc/iptables.rules
echo "VPN routing setup complete."
Make the script executable and run it:
sudo chmod +x /usr/local/bin/setup-vpn-routing.sh
sudo /usr/local/bin/setup-vpn-routing.sh
Step 6: Making Changes Persistent
To ensure our setup survives reboots, create a systemd service:
sudo nano /etc/systemd/system/iptables-restore.service
Add the following content:
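[Unit]
Description=Restore iptables rules
# Run before any network interface is configured; Wants= pulls network-pre.target in so the ordering takes effect
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables.rules

[Install]
WantedBy=multi-user.target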
Enable and start the service:
sudo systemctl enable iptables-restore.service
sudo systemctl start iptables-restore.service
Step 7: Verifying the Setup
Now that everything is set up, let’s verify that it’s working correctly:
Check Wi-Fi hotspot status:
nmcli con show portal
Check WireGuard status:
sudo wg show
Check routing table:
ip route show
Test connectivity:
ping -c 4 8.8.8.8
Test DNS:
nslookup google.com
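The checks above show that the Pi itself has connectivity. As an added example (not part of the original guide), the script below audits a ruleset in iptables-save format, such as /etc/iptables.rules, for forwarding paths that would let hotspot clients leave through anything other than wg0. The sample rules are constructed and reuse this guide's interface names.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for FORWARD paths that let
# hotspot clients bypass the VPN interface. Read-only; changes no rules.
# Limits: ignores negated matches ("! -i") and jumps to user-defined chains.

# audit_forward HOTSPOT_IF VPN_IF   (ruleset in iptables-save format on stdin)
# Prints one line per finding. Exit status 0 = confined to VPN_IF, 1 = leak path.
audit_forward() {
    awk -v hs="$1" -v vpn="$2" '
    # Chain policy line, e.g. ":FORWARD ACCEPT [0:0]"
    $1 == ":FORWARD" && $2 == "ACCEPT" {
        print "LEAK: FORWARD policy is ACCEPT; packets matching no rule are still forwarded"
        bad = 1
    }
    $1 == "-A" && $2 == "FORWARD" {
        in_if = ""; out_if = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        # Hotspot ingress may only be accepted when egress is pinned to the VPN.
        if (target == "ACCEPT" && in_if == hs && out_if != vpn) {
            print "LEAK: " hs " -> " (out_if == "" ? "any interface" : out_if) " accepted: " $0
            bad = 1
        }
    }
    END {
        if (!bad) print "OK: " hs " traffic is forwarded only via " vpn
        exit bad + 0
    }'
}

# Constructed sample ruleset; $1 is the FORWARD chain policy (ACCEPT or DROP).
sample_ruleset() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD $1 [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlu1u5 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o wlu1u5 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

for policy in ACCEPT DROP; do
    echo "== FORWARD policy $policy =="
    sample_ruleset "$policy" | audit_forward wlu1u5 wg0 || true
done
```

On the Pi, feed it the live rules with `sudo iptables-save | audit_forward wlu1u5 wg0` after the hotspot and WireGuard are both up, since other services may add their own FORWARD rules at that point.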
Troubleshooting
If you encounter any issues, here are some troubleshooting steps:
Check Wi-Fi hotspot logs:
journalctl -u NetworkManager
Check WireGuard logs:
sudo journalctl -u wg-quick@wg0
Verify iptables rules:
sudo iptables -L -v -n
sudo iptables -t nat -L -v -n
Restart Wi-Fi hotspot:
nmcli con down portal
nmcli con up portal
Restart WireGuard:
sudo wg-quick down wg0
sudo wg-quick up wg0
Conclusion
Congratulations! You’ve successfully set up your Raspberry Pi as a Wi-Fi hotspot that routes all traffic through a VPN. This setup provides an extra layer of security and privacy for all devices connected to your Raspberry Pi’s hotspot.
Remember to replace interface names (like wlu1u5), the Wi-Fi password, and any specific IP addresses or network configurations to match your particular setup. Also, ensure you’re using a reputable VPN service and have properly configured your WireGuard settings.
Happy secure browsing!