Surf the Internet securely with your very own portable WiFi VPN/TOR router. You can configure a Raspberry Pi with Linux and some extra software to connect to a VPN server of your choice. The VPN connection encrypts your internet traffic so that hackers and spies can’t figure out what web sites you are visiting, and the web sites you are visiting can’t tell which computer you are surfing from.
The router is small and portable, so you can plug it in anywhere, adding secure internet browsing to any occasion, from your room to the café. You can even connect WiFi devices that don’t support VPN, like your Chromecast or Pebble.
The project consists of a Raspberry Pi, two USB WiFi dongles, an SD card, and a power plug.
If you don’t have Ethernet available, your router can connect to a WiFi network in addition to creating its own, acting as a bridge between your personal WiFi access point and an insecure WiFi. The range of this router is just enough to fill a single room.
Once built, any WiFi device has a passive VPN connection. If the VPN connection disconnects, so does your connection to the internet, guaranteeing that unencrypted data is not leaked.
If you are so inclined, you can set up your router to support TOR, so that you can dive deep into the internet within the internet.
Using open-source software, we can handle WiFi connections from your devices, connect to another WiFi access point, and encrypt your internet through a VPN anywhere you are.
When your friends come over, they will also be on a secure Internet connection, even if they don’t know how to set one up themselves. Additionally, you can access Hulu, Netflix, HBO, or your favorite team’s game while traveling overseas. If you want to take it further, you can add domain-based ad blocking using bind to stop web advertisements dead in their tracks.
Enjoy setting up your very own portable WiFi VPN/TOR router!
- Difficulty: Intermediate
- Cost: $60-80
- Time: 1-4 hours
All images courtesy of NetNinja
Project Steps
Flash SD Card
Plug your SD card (and card reader) into your computer.
We will be using Raspbian Linux for this project. It is a small, Debian-compatible Linux distribution for Raspberry Pi. Go to raspberrypi.org/downloads and download the Raspbian ZIP. When the download is complete, unzip it to reveal an img file. You need to copy this disk image onto the SD card.
The Raspberry Pi website has excellent tutorials for how to install a disk image. Essentially, you can use Terminal on Mac or Linux with a command like this:
$ sudo dd if=/path/to/raspbian-image.img of=/dev/name-of-sd-card-disk
On Windows, you can use a program called Win32DiskImager that lets you drag-and-drop the Raspbian image file to the destination disk.
When the disk is finished copying, you are ready to assemble. Snap your Raspberry Pi into the case and plug in the WiFi adapters and the SD card. Plug the Pi into a monitor, keyboard, and power adapter, and start it up.
Boot Up the Raspberry Pi
When you boot the Pi for the first time, it will guide you through a setup process called raspi-config. This lets you change your user password, overclock your Pi, and set up the desktop environment.
For this project, you should change your user password, expand the disk, and choose “command line” as your Boot environment. If you live outside of the UK, you should change your internationalization options (keyboard, time zone, and locale) to match.
You may want to enable SSH, so you can access your Pi after you disconnect its monitor and keyboard.
When you exit, you will be brought to a console, ready to go. Log in with the username “pi” and the password you chose for your Pi.
Connect to the Internet
Connecting to Ethernet is simple; simply plug in an Ethernet cable and your Pi will figure out how to connect. Connecting to WiFi is a little more challenging. There are several WiFi network types and encryptions available, and each one is configured slightly differently in Linux.
To tell your Pi how to connect to WiFi, you’ll have to edit the /etc/network/interfaces file.
$ sudo nano -w /etc/network/interfaces
In this file, you can set rules for how to connect to a WPA, WEP, or an open WiFi network.
Depending on the encryption of the WiFi access point, you’ll need to configure this file differently.
For example, if you are connecting to a WPA WiFi network, your /etc/network/interfaces file will contain something like this (comments in this file must sit on their own line):
# detect WiFi adapter
allow-hotplug wlan0
# connect WiFi with DHCP
iface wlan0 inet dhcp
    # WPA access point name
    wpa-ssid "myhostnetwork"
    # WPA access point password
    wpa-psk "myhostpassword"
Manually restart WiFi to connect the Raspberry Pi to the Internet.
$ sudo ifdown wlan0
$ sudo ifup wlan0
You can validate that you have a WiFi connection by pinging a website or running the command:
$ ifconfig wlan0
Create an Access Point
Before proceeding further, update the apt-get package lists:
$ sudo apt-get update
An access point allows a computer to connect to a network over WiFi. On our Pi we will be using hostapd to create the access point and isc-dhcp-server to give IP addresses to computers that connect to our access point.
Install access point: You will need a custom version of hostapd, the access point software that supports the Edimax cards you have. Installing hostapd takes about 10 minutes.
$ wget https://github.com/jenssegers/RTL8188-hostapd/archive/v1.1.tar.gz
$ tar -zxvf v1.1.tar.gz
$ cd RTL8188-hostapd-1.1/hostapd
$ make
$ sudo make install
Tell hostapd the name and password of our access point and the name of the device we are using to host WiFi connections:
$ sudo nano -w /etc/hostapd/hostapd.conf
Change three lines in /etc/hostapd/hostapd.conf to:
interface=wlan1
ssid=mySecureRouter
wpa_passphrase=mySecurePassword
Finally, start hostapd and add it as a service on boot:
$ sudo service hostapd start
$ sudo update-rc.d hostapd enable
Install DHCP server
Install dnsmasq:
$ sudo apt-get install dnsmasq
We will tell our DHCP server that it controls an IP address range between 192.168.0.10 and 192.168.0.200, with our Pi router having the IP of 192.168.0.1. It will be configured as an “authoritative” server acting on the wlan1 device, meaning that it will force clients to discard expired IP addresses.
$ sudo nano -w /etc/dnsmasq.d/dnsmasq.custom.conf
Add the following to /etc/dnsmasq.d/dnsmasq.custom.conf:
interface=wlan1
dhcp-range=wlan1,192.168.0.10,192.168.0.200,2h
dhcp-option=3,192.168.0.1 # our router
dhcp-option=6,192.168.0.1 # our DNS Server
dhcp-authoritative # force clients to grab a new IP
Next, edit /etc/resolv.conf, which dnsmasq reads to find its upstream DNS servers:
$ sudo nano -w /etc/resolv.conf
In the file /etc/resolv.conf, add the following lines, pointing DNS to the Google public DNS servers:
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4
Now configure the wlan1 device to load at boot with a static IP address of 192.168.0.1.
$ sudo nano -w /etc/network/interfaces
Add the following lines for wlan1:
iface wlan1 inet static
address 192.168.0.1
netmask 255.255.255.0
Finally, restart the wlan1 WiFi adapter:
$ sudo ifdown wlan1
$ sudo ifup wlan1
Now start the DHCP server and add it as a service at boot:
$ sudo service dnsmasq start
$ sudo update-rc.d dnsmasq enable
You should now be able to see “mySecureRouter” as a WiFi access point from your computer. You can connect to it with WPA2 encryption and the password “mySecurePassword.”
Connect to a VPN or TOR
Now we are getting to the meat of this project – the encrypted connection to the internet! VPN and TOR are both encryption technologies that hide your browsing activities from prying eyes. It’s not easy to use TOR and VPN on the same network connection, so you should choose which one you want to use on your Pi.
TOR vs VPN:
TOR, or The Onion Router, is an encryption technology that encrypts and distributes your internet data across a network of computers on the way back and forth to a website, like in image 1.
Tor is very easy to install. To use it, you need to also surf on a special TOR-enabled web browser. TOR is relatively slow because it encrypts and routes your Internet traffic over several random nodes on the network before connecting your computer to a web site. TOR also gives you access to a hidden layer of the internet, called the Dark Web, which is unavailable over VPN.
VPNs, or Virtual Private Networks, work passively in the background by creating a single encrypted tunnel between your computer and a website, like in image 2.
VPNs can be more secure than TOR if you trust your VPN server. A VPN is harder to configure, but doesn’t require any other special software to use correctly. To use one you must have an account on the VPN server and several files generated on the VPN server that validate your account. You should trust that your VPN server is not recording you or publishing your private information.
If you don’t want to pay for a VPN service or you just want to learn to make your own, you can Roll Your Own OpenVPN Server here.
To install TOR, install the TOR software:
$ sudo apt-get install tor
Start TOR and set it up as a service at boot:
$ sudo service tor start
$ sudo update-rc.d tor enable
Lastly, on the computer you will be browsing on, you will have to install the TOR web browser from torproject.org.
Installing VPN: Linux supports OpenVPN easily. Many VPN providers also support the OpenVPN protocol. To connect to a VPN, you will need some information from your VPN provider. This may include a CA certificate, and possibly a username and password. You will also need to know the domain name of the VPN server, the port (typically 1194) and protocol (typically UDP).
Install OpenVPN:
$ sudo apt-get install openvpn
If you were provided a CA certificate by a VPN service, save it as /etc/openvpn/ca.crt. If your VPN service provides you with a username and password, put it in /etc/openvpn/auth.txt. auth.txt will look like this:
myVPNUserName
myVPNPassword
Configure the OpenVPN settings to connect to your VPN server.
$ sudo nano -w /etc/openvpn/client.conf
Although your VPN configuration will depend on your server’s settings, your /etc/openvpn/client.conf should look something like this:
client # client mode
dev tun
proto udp # this must match the server's protocol
remote vpn-server.example.com 1194 # must match the server
resolv-retry infinite # reconnect when disconnected
nobind
persist-key
persist-tun
ca ca.crt # this file is given by the server
#cert client.crt # uncomment if the VPN server requires a client.crt
#key client.key # uncomment if the VPN server requires a client.key
ns-cert-type server
#comp-lzo # uncomment if the server supports lzo compression
#auth-user-pass auth.txt # uncomment if your server requires a username and password
script-security 3 # local setting; level 3 also lets scripts receive passwords via environment variables
keepalive 5 30 # keep connection alive
verb 3
log-append /var/log/openvpn-client.log
OpenVPN will not work if the Pi’s clock does not match the server’s. Since Raspberry Pis don’t have a real-time clock, you’ll need to use the Network Time Protocol (NTP) service.
$ sudo service ntp start
$ sudo update-rc.d ntp enable
Start the OpenVPN client and set it up as a service at boot:
$ sudo service openvpn start
$ sudo update-rc.d openvpn enable
Once you are connected, you can use traceroute to test out your connection by mapping your Internet connection’s path to makezine.com. The first step should show that you are connecting to your VPN server on 10.0.0.1.
Set up Routing
Routing is what connects your computer to the internet. It takes packets of data that your computer sends to the Pi, then forwards them on to a website. When the web site responds, packets of data are sent back to your Pi across the internet. Your Pi figures out which WiFi client the response is intended for, and passes it forward to your computer.
If you have VPN or TOR configured, these packets will also pass through an encrypted service within the internet. This is done using software called iptables. We must enable and configure the rules that allow our Pi to know how to route packets of data the right way.
Let’s enable routing:
$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Tell Linux to remember this change:
$ sudo nano /etc/sysctl.conf
In this file, uncomment the line:
net.ipv4.ip_forward=1
Depending on how you are connecting to the Internet on your Pi (VPN, TOR, Ethernet, or WiFi), you will be routing through one of several devices. Choose the device to route through based on the connection method:
Tell Linux to masquerade as your computer on the internet:
$ sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Tell it to forward all traffic to the Internet:
$ sudo iptables -A FORWARD -i wlan1 -o tun0 -j ACCEPT
Finally, tell it to forward returning Internet data to the appropriate client:
$ sudo iptables -A FORWARD -i tun0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Save these settings for the next reboot:
$ sudo sh -c "iptables-save > /etc/iptables.restore"
$ echo "up iptables-restore < /etc/iptables.restore" | sudo tee --append /etc/network/interfaces
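Added example (not part of the original article): the ACCEPT rules above stop traffic leaking when the VPN drops only if the FORWARD chain's default policy is DROP (sudo iptables -P FORWARD DROP), which a stock system does not set. This check reads iptables-save output and lists anything that would let wlan1 traffic leave by an interface other than tun0; the function names and both rule dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for fail-closed forwarding.
# wlan1/tun0 follow the article; both rule dumps below are constructed samples.

audit_killswitch() {    # reads a dump on stdin, prints one line per finding
    awk -v lan="${LAN_IF:-wlan1}" -v vpn="${VPN_IF:-tun0}" '
    function opt(flag,   i) {    # value that follows a flag, "" if absent
        for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
        return ""
    }
    /^\*/ { table = substr($0, 2) }    # "*filter", "*nat": track current table
    table == "filter" && $1 == ":FORWARD" && $2 != "DROP" {
        print "FORWARD policy is " $2 ": " lan " traffic is forwarded even when " vpn " is down"
    }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && opt("-j") == "ACCEPT" {
        in_if = opt("-i"); out_if = opt("-o")
        if ((in_if == lan || in_if == "") && out_if != vpn)
            print "FORWARD rule lets " lan " out via " (out_if == "" ? "any interface" : out_if)
    }
    table == "nat" && $2 == "POSTROUTING" && opt("-j") == "MASQUERADE" && opt("-o") != vpn {
        print "MASQUERADE covers " (opt("-o") == "" ? "any interface" : opt("-o")) ", not only " vpn
    }'
}

page_rules() {          # constructed: the three rules above, default policies
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

fail_closed_rules() {   # same rules after: sudo iptables -P FORWARD DROP
    page_rules | sed 's/^:FORWARD ACCEPT/:FORWARD DROP/'
}

echo "article rules:";     page_rules | audit_killswitch
echo "with FORWARD DROP:"; fail_closed_rules | audit_killswitch
```

On the Pi, run it against the live rules with: sudo iptables-save | audit_killswitch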
Connect a WiFi client
Go on your computer and try to connect to your WiFi access point.
Access point: mySecureRouter
Password: mySecurePassword
You’ll be able to see the computer that just connected on your Pi using the arp command:
$ sudo arp -i wlan1
If you set up TOR on your Pi, you’ll have to also install the TOR browser on your computer.