
Configuring OpenVPN on Raspberry Pi: A Comprehensive Guide

Set up your Raspberry Pi as an OpenVPN client that routes all connected devices through a VPN tunnel, with persistent iptables rules and NAT configuration.

This guide configures your Raspberry Pi as a VPN gateway: it connects to an OpenVPN server and routes traffic from other devices on your network through the VPN tunnel. This is useful for giving multiple devices VPN coverage without configuring VPN software on each one.

Prerequisites

  • Raspberry Pi running Raspberry Pi OS or Ubuntu Server
  • OpenVPN configuration files (.ovpn) from your VPN provider
  • A fixed LAN IP address for the Pi (static configuration or a DHCP reservation on your router), since client devices will point their default gateway at it

Step 1: Update and Install OpenVPN

sudo apt update && sudo apt upgrade -y
sudo apt install openvpn iptables-persistent -y

Enable the OpenVPN instance that will read the config file created in Step 2 (the instance openvpn@vpn corresponds to /etc/openvpn/vpn.conf) so the tunnel comes back up at boot:

sudo systemctl enable openvpn@vpn

Step 2: Install VPN Configuration Files

Copy the .ovpn file and any separate certificate or key files from your VPN provider to the Pi, for example with SCP (substitute your own username if your Pi does not use pi):

scp vpn-config.ovpn pi@<your-pi-ip>:/home/pi/

On the Pi, move it into place. The openvpn@<name> service reads /etc/openvpn/<name>.conf, so the file name chosen here fixes the instance name used in the rest of this guide:

sudo mv /home/pi/vpn-config.ovpn /etc/openvpn/vpn.conf

If your VPN provider gave you separate certificate files, move them too. Then make the config and keys owned by root and unreadable by other users: a .ovpn file often embeds the private key inline, and a config file writable by the pi user could be edited to run an up script as root the next time the service starts.

sudo mv /home/pi/*.crt /home/pi/*.key /etc/openvpn/
sudo chown root:root /etc/openvpn/vpn.conf /etc/openvpn/*.crt /etc/openvpn/*.key
sudo chmod 600 /etc/openvpn/vpn.conf /etc/openvpn/*.key

Edit vpn.conf to use absolute paths for certificates:

sudo nano /etc/openvpn/vpn.conf

Update or verify these lines so they point to the correct files (the auth-user-pass line applies only if your provider uses username/password login; leave out directives for files you were not given):

ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
auth-user-pass /etc/openvpn/auth.txt

Step 3: Store VPN Credentials

Create an authentication file with your VPN username and password:

sudo nano /etc/openvpn/auth.txt

Add two lines:

your_vpn_username
your_vpn_password

Restrict permissions so only root can read it:

sudo chmod 600 /etc/openvpn/auth.txt

Step 4: Test the VPN Connection

sudo systemctl start openvpn@vpn
sudo systemctl status openvpn@vpn

(The instance name after @ is the config file name without .conf, so vpn.conf gives openvpn@vpn.)

Verify the VPN is working by checking your public IP:

curl -s https://ipinfo.io/ip

The IP should match your VPN provider's server, not your home IP. Also confirm that the Pi itself routes Internet-bound traffic into the tunnel, because forwarded client traffic will follow the Pi's routing table:

ip route get 1.1.1.1

The output should contain dev tun0. If it shows eth0, the server is not pushing a default route; add redirect-gateway def1 to vpn.conf and restart the service. (Grepping ip route for "default ... dev tun0" is not a reliable check: with def1 the original default route stays in the table and two /1 routes override it.)

Step 5: Enable IP Forwarding

Enable IP forwarding so the Pi can route traffic between your LAN and the VPN tunnel:

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Step 6: Configure NAT and Firewall Rules

These iptables rules perform Network Address Translation (NAT) so devices on your LAN can send traffic through the VPN tunnel on tun0. They assume the LAN is on eth0; if your Pi is on Wi-Fi, use wlan0 wherever eth0 appears, and make sure the SSH rule matches the interface you are logged in through before you set the DROP policy, or you will lock yourself out.

# Masquerade LAN traffic going out through the VPN tunnel
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# Allow forwarded traffic between LAN (eth0) and VPN (tun0), and replies back
# (-m conntrack --ctstate is the current spelling of the older -m state --state)
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow local SSH and ICMP access, loopback, and replies to the Pi's own connections
# (the OpenVPN session itself comes back as ESTABLISHED)
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Set default DROP policies (after allowlist rules are in place). FORWARD DROP is the
# kill switch: with no rule for eth0 -> eth0, client traffic cannot fall back to your
# home router when tun0 is down. OUTPUT stays ACCEPT, so the Pi's own traffic is not covered.
sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP

Verify the rules, including the NAT table:

sudo iptables -L -v -n
sudo iptables -t nat -L -v -n

Step 7: Make iptables Rules Persistent

sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent

This writes the current rule set to /etc/iptables/rules.v4 (and the IPv6 set to rules.v6) and restores both at boot. Re-run the save after any later iptables change, or that change is lost on reboot.
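For completeness, here is the whole policy from Steps 5 to 7 as one /etc/iptables/rules.v4 in the iptables-restore format that netfilter-persistent reads. This is an added example, not the article's saved file. It assumes the LAN is 192.168.1.0/24 on eth0, the tunnel is tun0, and 1.1.1.1 is an acceptable resolver for your clients (change all four to match your network). Beyond the rules in Step 6 it also redirects client DNS into the tunnel, drops packets conntrack classes as INVALID, and logs forwarded packets that hit the DROP policy so kill-switch events are visible in the kernel log.

```conf
# /etc/iptables/rules.v4 -- VPN gateway policy (added example, not the page's own file)
# Assumptions: LAN 192.168.1.0/24 on eth0, tunnel on tun0, client resolver 1.1.1.1.
# Load atomically with:  sudo iptables-restore < /etc/iptables/rules.v4

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Client DNS: rewrite any port-53 query arriving from the LAN to 1.1.1.1, which is
# reached through tun0 once the tunnel is up. Without this, clients keep asking the
# resolver DHCP gave them (usually your router) and those queries leave via the ISP.
# When tun0 is down the rewritten query has no allowed path and is dropped (fail closed).
-A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 1.1.1.1
-A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination 1.1.1.1
# Hide LAN source addresses behind the tunnel address
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- INPUT: what the Pi itself accepts ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH and ping only from the LAN subnet
-A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -p icmp -j ACCEPT
# --- FORWARD: LAN <-> tunnel only. There is deliberately no eth0 -> eth0 rule, so
# client traffic cannot bypass the VPN via the home router when tun0 is down. ---
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -s 192.168.1.0/24 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else that reaches the policy is a blocked leak attempt; log it, rate limited
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "vpn-gw-drop: "
COMMIT
```

Loading with iptables-restore applies the whole set in one transaction, so there is no window with a half-built policy the way there is when adding rules one at a time. After loading, sudo iptables -L FORWARD -v -n should show the two ACCEPT rules and the LOG rule, and journalctl -k will print vpn-gw-drop: lines whenever a client's packet is refused, which is exactly what you should see from a LAN device while tun0 is down.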

Step 8: Configure Client Devices

To route a device's traffic through the Pi's VPN tunnel, change that device's default gateway to your Raspberry Pi's LAN IP address (e.g., 192.168.1.100). The device keeps its own address and subnet mask; only the gateway changes.

On a Linux device (replace rather than add: the device already has a default route from DHCP, and ip route add default fails with "File exists"):

sudo ip route replace default via 192.168.1.100

This lasts until the next reboot or DHCP renewal. To make it permanent, set the gateway in the device's network connection profile, or set the router (default gateway) option in your home router's DHCP server to the Pi's IP so every device on the LAN picks it up automatically.

On Windows/macOS, change the default gateway in your network adapter settings to the Pi's IP.

Two things this does not cover: the device still sends DNS queries to whatever resolver DHCP handed it (usually the router), so those bypass the tunnel unless the Pi redirects them (see Troubleshooting); and it only changes the IPv4 route, so on a LAN with IPv6 router advertisements, IPv6 traffic bypasses the Pi entirely unless you disable IPv6 on the device or on the router.

Troubleshooting

VPN not connecting: Check logs with sudo journalctl -u openvpn@vpn -f. Common causes are wrong certificate paths (TLS errors in the log) or authentication failures (AUTH_FAILED, meaning the credentials in auth.txt were rejected).

Traffic not routing after reboot: Ensure netfilter-persistent is enabled, that openvpn@vpn is enabled (sudo systemctl enable openvpn@vpn), and that IP forwarding survived the reboot (sysctl net.ipv4.ip_forward should print 1).
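The checks above can be scripted. The following script is an added example, not part of the original article; it assumes the LAN interface is eth0 and the tunnel is tun0 (override with LAN_IF and VPN_IF) and must be run as root for the iptables-save part. Its parsing helpers take command output as text, so they can be exercised against captured output without a live tunnel.

```shell
#!/bin/sh
# vpn-gateway-check.sh: sanity checks for the Pi gateway built in this guide.
# Added example, not part of the original article. Assumes LAN on eth0 and the
# tunnel on tun0 (override with LAN_IF=... VPN_IF=...).
# Run the live checks as root:  sudo sh vpn-gateway-check.sh --run

# Interface that carries the route to a destination, extracted from the text
# output of `ip route get <dst>` (passed in as an argument, not run here).
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeeds if the iptables-save text in $1 contains the exact rule line $2.
has_rule() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# Default policy of chain $3 in table $2, parsed from iptables-save text $1
# (':FORWARD DROP [0:0]' lines between '*filter' and its COMMIT).
chain_policy() {
    printf '%s\n' "$1" | awk -v table="*$2" -v chain=":$3" '
        $1 == table             { in_table = 1; next }
        $1 == "COMMIT"          { in_table = 0 }
        in_table && $1 == chain { print $2; exit }'
}

fail() { echo "FAIL: $*"; status=1; }
warn() { echo "WARN: $*"; }

gateway_check() {
    lan_if=${LAN_IF:-eth0}
    vpn_if=${VPN_IF:-tun0}
    status=0

    # 1. The tunnel interface exists at all (otherwise openvpn@vpn is not up).
    ip link show "$vpn_if" >/dev/null 2>&1 ||
        fail "$vpn_if does not exist; check: systemctl status openvpn@vpn"

    # 2. Internet-bound traffic really enters the tunnel. With 'redirect-gateway
    #    def1' the original default route stays and two /1 routes override it,
    #    so ask the kernel for a concrete destination instead of grepping routes.
    dev=$(route_dev "$(ip route get 1.1.1.1 2>/dev/null)")
    [ "$dev" = "$vpn_if" ] ||
        fail "route to 1.1.1.1 uses '${dev:-none}', not $vpn_if (server not pushing redirect-gateway?)"

    # 3. Forwarding is on; without it client packets are silently discarded.
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] ||
        fail "net.ipv4.ip_forward is not 1"

    # 4. The NAT and forwarding rules from the guide are present (e.g. after reboot).
    rules=$(iptables-save 2>/dev/null) || fail "iptables-save failed (not root?)"
    has_rule "$rules" "-A POSTROUTING -o $vpn_if -j MASQUERADE" ||
        fail "missing MASQUERADE rule on $vpn_if"
    has_rule "$rules" "-A FORWARD -i $lan_if -o $vpn_if -j ACCEPT" ||
        fail "missing FORWARD $lan_if -> $vpn_if rule"
    [ "$(chain_policy "$rules" filter FORWARD)" = DROP ] ||
        warn "FORWARD policy is not DROP: LAN traffic can leak out $lan_if whenever $vpn_if is down"

    # 5. What the outside world sees (informational; needs network access).
    echo "public IP via tunnel: $(curl -s --max-time 10 https://ipinfo.io/ip || echo unreachable)"

    [ "$status" = 0 ] && echo "OK: gateway is forwarding through $vpn_if"
    return "$status"
}

if [ "${1:-}" = "--run" ]; then
    gateway_check
fi
```

A non-zero exit status from the script is a convenient hook for a cron job or a systemd timer that alerts when the gateway has silently stopped routing through the tunnel.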

DNS leaks: There are two separate leaks. First, the Pi's own queries. OpenVPN servers usually push dhcp-option DNS <ip>, but on Linux that option is not applied automatically, and push is a server-side directive that does nothing in a client config. Either point /etc/resolv.conf on the Pi at a resolver reachable through the tunnel, or let OpenVPN update it with the helper script the Debian package installs by adding script-security 2, up /etc/openvpn/update-resolv-conf and down /etc/openvpn/update-resolv-conf to vpn.conf (this needs the resolvconf package). Second, and more important for a gateway: client devices keep the DNS server DHCP gave them (typically your router), and those queries never enter the tunnel. Fix that on the Pi by rewriting LAN traffic to port 53 (a nat PREROUTING DNAT rule) to a resolver that is routed via tun0, or by running a local resolver on the Pi that forwards through the tunnel, and then verify from a client with a DNS leak test site.

Conclusion

With this setup, any device that uses your Raspberry Pi as its default gateway will route its traffic through the VPN tunnel automatically. The Pi handles the VPN connection and NAT so individual devices don't need VPN software installed.