(Credit: PCMag/James Martin)
A VPN is a service that tunnels your internet traffic through a server located elsewhere in the world. These services can be great if you want a simple solution that works out of the box. They come with a cost, though—around $10 per month on average, not to mention putting your trust in the company on the other end. However, if you're the DIY type, you can set up your own VPN server on a Raspberry Pi. Best of all, it's not difficult, and you can get it up and running in no time.
This article was made possible in part by Proton VPN. It was written and edited independently without partner oversight.
I recently did this using a Raspberry Pi 5 and PiVPN, and the whole process was surprisingly simple. I use it to manage my home media servers and protect myself when accessing sensitive data away from home, and I'm here to show you how to create a similar setup.
What Is PiVPN?
I decided to use PiVPN for this project because it supports OpenVPN and WireGuard, and it allows remote access to your network once it is up and running. Plus, PiVPN simplifies the setup process, saving the advanced configuration options for later, if you need them.
The biggest difference between a basic PiVPN configuration and a paid VPN like Nord, Proton, or TunnelBear is that PiVPN won’t hide your traffic from your internet service provider (ISP). Think of a Raspberry Pi running PiVPN more as a utility with some security benefits rather than a traditional VPN service. It’s an excellent tool for accessing your network and controlling PCs at home from afar. It’s particularly useful for managing remote media servers or other applications that may need adjustments while you’re not home. It also gives you a safe way to access sensitive data instead of having to risk using dubious public networks. You can remotely log in from other countries to access your home catalog of, say, Netflix content, but it won’t work to access other regional catalogs since your VPN will be based on your home network.
You should consider a paid VPN if you require encryption, location spoofing, and/or multi-device coverage.
What You Need to Get Started
PiVPN itself is free, but you will need to buy some hardware to run it on. Any Raspberry Pi model should technically work, but I recommend at least a Pi 4, which supports full gigabit internet. If you don’t mind slower performance (or don’t have a gigabit network), then you can use any older Pi or even a Pi Zero to save on costs. For reference, all of the testing here was performed on a 4GB Raspberry Pi 5. Aside from the Pi, make sure you have the following parts at hand:
- A power supply (Pis can be picky; make sure your unit has the appropriate power delivery)
- An HDMI cable (check your Pi; some take Micro HDMI while others take standard)
- A microSD card (at least 32GB, more if you plan to run other applications)
- A microSD card reader (to flash your operating system of choice to the SD card using Raspberry Pi Imager)
- A Pi case (I’m using a 3D-printed one, credit to addohm on Maker World)
(Credit: PCMag/Justyn Newman)I recommend having a mouse, keyboard, and monitor for the initial setup, though they aren't strictly required.
The following steps can be done on the Pi itself via the terminal, or you can use SSH on Windows to connect to the Pi remotely. Secure Shell (SSH) is a way to remote access a device using another computer on the same network. The process is more technical than interfacing with the Pi directly, so I would only recommend SSH if you are already familiar with the process. Raspberry Pi has a detailed guide that can walk you through SSH configuration. If you SSH into your Pi, then you may have to reconnect in the middle of the process since changing network settings can cause the Pi to lose connection. It’s also a good idea to plug your Pi in with an Ethernet cable if your model supports it.
Set Up Your Pi's Operating System
I won’t be going over every aspect of selecting an operating system (OS) here, so you should refer to our beginner’s guide if you’ve never installed one on a Pi. You can run PiVPN on any Debian, Ubuntu, or Raspbian-based system. It’s recommended that you use the latest Raspberry Pi OS Lite image since you won’t need a desktop interface. I’m using a full Raspberry Pi image with a desktop environment for this article so that I can more easily show you what I’m doing.
If you’re using Raspbian OS, I recommend the settings in the image below to make the initial setup a bit easier. Substitute your own hostname, username, and password.
Also on this screen (although not in the screenshot above) is a setting to enable SSH. Make sure that box is checked if you plan to use SSH to configure your Pi from a different PC. Fill in your SSID and password with your home Wi-Fi network details. Don’t worry if you didn’t configure these settings beforehand. You can set all of this up in the terminal once you’ve flashed the operating system as well.
Install OpenVPN or WireGuard
PiVPN is a set of scripts that make OpenVPN and WireGuard configuration a breeze by streamlining the process with a guided setup. Plug your Pi in, make sure everything is connected, and head to your terminal. If you installed Raspbian OS Lite, then it should be the first thing you are greeted with. Full Raspbian OS users can navigate there using the GUI or hit CTRL+ALT+T to open a window. Run the following command in your terminal: curl -L https://install.pivpn.io | bash
Hit Enter and wait for the command to finish. You’ll know it is done when an installation wizard appears in place of the standard terminal. Use the arrow keys and the Enter key to navigate the menus that appear.
Recommended by Our Editors
PiVPN will prompt you to either set up a static IP address or to use a Dynamic DNS service (DDNS). You can do this step without any fancy configurations, but you might run into issues down the line if your ISP uses dynamic IP addresses (it probably does). A dynamic IP address changes for security reasons, and it will break your PiVPN connection if it happens. You can check this on Windows by typing the following command into the terminal: Ipconfig /all
If your IP address shows DHCP as enabled, you have a dynamic IP address. One way around this is to use a DDNS from NoIP. Sign up for a free account and choose a hostname. During PiVPN setup, choose the dynamic option instead of static. Enter your chosen hostname. After that, you can continue with the steps as normal.
Next, you’ll be asked to choose a user. I configured my user ahead of time when writing the OS to my SD card. If you skipped that step, now is the time to select the default Pi user.
After selecting your user, you’ll be asked which protocol you want to use: WireGuard or OpenVPN. I’m using WireGuard, as it is more secure and less resource-intensive. I recommend you do the same unless you have a specific need for OpenVPN.
For the next few steps, the default settings are fine for most users. You'll be asked what port you want to use (51820 is fine unless something else is using it; for OpenVPN, select 1194), and what DNS provider you want to use (any are suitable).
Finally, you will be asked if you want to enable automatic security updates. Select Yes. Since your VPN is open to the internet, it is best to make sure it is updated even when you’re not there to manually do so.
Once that's done, you'll be prompted to reboot your Pi.
Before you continue, it’s important to ensure that your Pi is secure. Run the update command below to make sure that all important fixes and files are up to date: Sudo apt-get upgrade
Configure Your VPN Client
If everything went smoothly, then you should have an OpenVPN or WireGuard instance running on your Pi. Now, you need to be able to connect to it from any device. A client will let you do just that. I recommend OpenVPN Connect for OpenVPN and the official WireGuard app for WireGuard. When your Pi is done rebooting, hop back into the terminal and run: pivpn add
Give the client a name. It can be anything; just make sure it’s something that you will remember. The same goes for the password (and keep it in a password manager on your devices). Once you plug that information in, an .ovpn (.conf for WireGuard) file will be generated. Copy it to your PC and keep it somewhere safe. You will use that file to access your Pi remotely.
Set Up Port Forwarding
From here, your Pi should be all set, but you'll need to do one more thing before you can connect: Forward your VPN's port on your router. This process varies from router to router, but it goes like this: Log in to your router's configuration page, find the port forwarding option, and forward port 51820 for WireGuard or 1194 for OpenVPN to the internal IP address of your Pi. You can find more detailed instructions for specific routers at portforward.com.
Connect to Your VPN
You should now be all set to connect to your VPN. As long as you leave it running, it will remain available for you to remotely log into.
Go to the WireGuard app or OpenVPN Connect on your platform of choice. This should be the device that you want to be protected by your PiVPN, not the Pi itself.
- Click the Upload File button on OpenVPN or the Import Tunnel(s) from File on WireGuard to add a new profile
- Get that .conf/.ovpn file and copy it over
- Now, click the Add button and input your PiVPN password to connect
Congratulations! Your traffic is now encrypted and routed through your home internet connection, where the Pi resides. Your traffic will be secure from prying eyes on that coffee shop Wi-Fi, and you'll be able to access any resources on your home network as if you were there—no subscription fee necessary.