How to Create a Raspberry Pi VPN Hotspot • Sean Thawe

This guide will walk you through setting up a headless Raspberry Pi that acts as a WiFi hotspot. Any device connected to this hotspot will have its internet traffic routed through a secure VPN tunnel. We will interact with the Pi entirely through SSH for configuration and troubleshooting.

This method was tested on a Raspberry Pi 3 running Raspberry Pi OS Bullseye, but it should work on newer models, including the latest Raspberry Pi, with minimal changes.

What You’ll Achieve in This Guide

Set up a headless Raspberry Pi from scratch.

Configure OpenVPN with a ProtonVPN account.

Automate the VPN connection so it runs on boot.

Turn the Raspberry Pi into a WiFi hotspot that routes all traffic through the VPN.

Part 1: Headless Raspberry Pi Setup

1.1 Hardware & Software Requirements

Hardware

Raspberry Pi: Any model with built-in WiFi.
microSD Card: 16GB or larger.
Power Supply: A reliable power adapter for your Pi model.
USB Wi-Fi Antenna: A second Wi-Fi adapter is crucial. The built-in WiFi will create the hotspot, and this second adapter will connect to the internet.
Ethernet Cable (RJ45): Required for initial setup.

Software & Accounts

Raspberry Pi Imager: To flash the OS to the microSD card.
ProtonVPN Account: A free plan is available and works well for this project.
SSH Client: Built into most modern terminals (like PowerShell, Terminal on macOS/Linux).

1.2. Prepare the Operating System

First, we need to flash the Raspberry Pi OS to the microSD card using the Raspberry Pi Imager.

Download and install the imager from the official website. Alternatively, on Debian-based systems, you can install it via the terminal:
Terminal window
```
sudo apt install rpi-imager
```
Open the Raspberry Pi Imager application.
Choose Device: Select your Raspberry Pi model.
Choose OS: Select Raspberry Pi OS (other) > Raspberry Pi OS Lite (64-bit). A “Lite” OS has no graphical user interface (GUI), which is ideal for a server.
Choose Storage: Select your microSD card. Warning: This will erase all data on the card.
Customize Settings: Before writing, you’ll be prompted to customize the OS. This is essential for a headless setup.
- General Tab: Set a username/password, your WiFi credentials, and a hostname for the device.
- Services Tab: Enable SSH using password authentication. This allows remote access.

Once the imager finishes, eject the SD card, insert it into your Pi, and power it on.

1.3. Find Your Pi’s IP Address

To connect to the Pi, you need its IP address on your local network. My favorite tools for this are nmap and arp-scan.

Using Nmap

If you don’t have Nmap, install it with sudo apt install nmap. Then, scan your network:

nmap -sn 192.168.1.0/24

For a more detailed list which includes IP addresses, MAC addresses, and device manufacturer, run:

sudo nmap -sn -PR 192.168.1.0/24

(Note: Your network range might be different, e.g., 192.168.0.0/24 or 10.0.0.0/24)

Using arp-scan

Install with sudo apt install arp-scan if needed. Then, run:

sudo arp-scan --localnet

Look for a device identified as “Raspberry Pi” in the output of either command and note its IP address.

1.4. Connect via SSH

With the IP address, you can now access your Pi’s terminal remotely.

In your computer’s terminal, run:
Terminal window
```
ssh <your_username>@<pi_ip_address>
```
Enter the password you set during the imaging process.
Once connected, update your Pi’s software to ensure everything is current:
Terminal window
```
sudo apt update
sudo apt -y upgrade
```

Part 2: OpenVPN Configuration

Now, we’ll set up the VPN client on the Pi. This guide uses ProtonVPN, but the steps are similar for other providers that support OpenVPN.

2.1. Get Your VPN Credentials

Sign up for a ProtonVPN account.
Download an OpenVPN configuration file from their official guide. Choose a server and download the .ovpn file.
Find your OpenVPN credentials. On your ProtonVPN account page, navigate to Account > OpenVPN / IKEv2 username to find the unique username and password required for the connection. Keep these handy.

2.2. Set Up the Configuration File

Transfer the .ovpn file to your Pi. On your local machine’s terminal, navigate to where you downloaded the file and use scp (Secure Copy) to transfer it:
Terminal window
```
# Example command
scp us-free-01.protonvpn.com.udp.ovpn sean@192.168.1.10:/home/sean/
```
Move the file into place. On the Pi (via SSH), move the file to the OpenVPN directory:
Terminal window
```
sudo mv ~/<config.ovpn> /etc/openvpn/
```
Create a password file. We need to store your OpenVPN credentials securely.
- Create a new file named pass inside the /etc/openvpn/ directory:
  Terminal window
```
sudo nano /etc/openvpn/pass
```
- Add your credentials to this file, with the username on the first line and the password on the second. Save and exit (Ctrl+O, Enter, Ctrl+X).
- Set the file permissions so only the root user can read it:
  Terminal window
```
sudo chmod 400 /etc/openvpn/pass
```
Edit the OpenVPN config. Tell the configuration to use your new password file.
- Open the .ovpn file for editing:
  Terminal window
```
sudo nano /etc/openvpn/<config.ovpn>
```
- Find the line that says auth-user-pass and change it to auth-user-pass pass. Save and exit.
Rename the config file. For systemd to recognize it, rename the file to client.conf:
Terminal window
```
sudo mv /etc/openvpn/<config.ovpn> /etc/openvpn/client.conf
```

2.3. Automate with `systemd`

To ensure the VPN connects automatically on boot, we’ll enable the OpenVPN service.

Edit the default OpenVPN settings:
Terminal window
```
sudo nano /etc/default/openvpn
```
Find the line #AUTOSTART="all" and uncomment it by removing the #. Save and exit.

Enable and start the service:

sudo systemctl enable openvpn@client.service
sudo systemctl daemon-reload
sudo service openvpn@client start

The VPN should now be active and will reconnect automatically if the Pi reboots.

Part 3: Network & Hotspot Configuration

3.1. Turn the Pi into a WiFi Hotspot

For this step, your Pi must be connected to your router via an Ethernet cable. This provides a stable internet connection while we reconfigure the wireless devices.

We will use nmcli, the command-line interface for NetworkManager.

Identify your Pi’s built-in wireless interface name. It’s usually wlan0. You can verify with iwconfig.
Run this command to create the hotspot. Replace the <SSID> and <PASSWORD> with your desired network name and a strong password.
Terminal window
```
sudo nmcli d wifi hotspot ifname wlan0 ssid <YOUR_SSID> password <YOUR_PASSWORD>
```
Verify the hotspot is active by running nmcli con show. You should see your new hotspot connection in the list.

3.2. Connect to the Internet via the USB WiFi Adapter

Now, we’ll use the second WiFi adapter (the USB one) to connect to your main router for internet access.

Plug in your USB WiFi adapter.
Find its interface name. It will likely be wlan1. You can check with nmcli dev status.

Connect it to your home WiFi network:

sudo nmcli d wifi connect "YourHomeSSID" password "YourHomePassword" ifname wlan1

Conclusion

You now have a fully functional Raspberry Pi hotspot. Any device you connect to its WiFi network will have its traffic automatically routed through the secure ProtonVPN tunnel. You’ve successfully created a low-cost, private, and versatile networking tool.

For further reading and troubleshooting, check out the excellent resources that inspired this guide:

PiMyLifeUp: Raspberry Pi Wireless Access Point
Jeff Geerling’s Blog: Working with multiple WiFi interfaces on Raspberry Pi
Jason Patrick Barnes: Setup a Linux Server to run ProtonVPN