General programming discussion • Re: VPN Security

Previously, I used Surfshark VPN, which is a software-based solution installed on a PC. What I’m now trying to do is replicate this setup on a Raspberry Pi at the network level, so that any device connecting to my network routes through the VPN. This would reduce the chances of security issues or hacking attempts.

Nope. Hacking attempts will be blocked by your firewall (on the local machine and your router). All using a VPN does is make you reliant on someone else's firewall, a firewall you have no control over.

On "security issues", what kind of those do you think a VPN for outgoing traffic will protect you from? That your current router doesn't? It won't help with things like malicious websites, downloaded viruses, etc.

There are three primary reasons for using a VPN for all outgoing traffic:
  1. To get a secure connection to another private network over the public internet (e.g. to access your work servers without needing a direct, wired connection)
  2. To mask your traffic from your ISP (so they can't block some types and log everything) or others who may want to log everything.
  3. To make it harder to trace an IP address back to you (though arguably ToR does a better job of that).
  4. To access geo blocked sites and services (e.g. watch UK netflix from South Africa).
A secondary reason (but a primary one for many) is to get around state mandated firewalls (e.g. the great firewall of China).
With the Raspberry Pi, is it possible to change the virtual location like we can with software-based VPNs? Or is that not possible in this setup?

It's a software VPN running on a different box. Most things you can do in one on your existing machine can be done on a Pi. The primary difference is it's one configuration not one per machine.
Since the Raspberry Pi only has one Ethernet port, how would this be configured?

I've only experience of two VPN protocols/software stacks: OpenVPN and WireGuard. Both present to Linux as one network adapter for each outgoing connection.
Currently, I have an ISP modem/router (combined), which connects to the phone line. It has four Ethernet ports, one of which is connected to an additional Netgear switch that provides eight more Ethernet ports. In total, I have about 11 devices using Ethernet connections.

Just plug it into one of the existing ethernet ports on the switch or the router. With a combined modem/router it isn't likely to be possible to put it physically between the router and the phone/adsl/fibre line.
With the Raspberry Pi acting as a VPN gateway, how should I set this up? I assume I’d need to connect the ISP box directly to the Pi—but since the Pi only has one Ethernet port, how do I then route traffic back out to the switch/router?
Carefully.

I don't have that server running any more and don't have my notes either. And some of it will depend on the software on your router. From memory, this is what I did:
  1. Get an outbound VPN configured and working on the Pi. For sake of discussion I'll assume wireguard with a wg0 interface.
  2. Configure routing on your Pi such that traffic over wg0 routes via your modem/router and all other internet traffic routes via wg0.
  3. Set up NAT from eth0 to wg0.
  4. Give your Pi a static IP address.
  5. Install and configure dnsmasq* to act as both DNS and DHCP server for your network. When configuring it, make sure it tells clients to use its own IP address (from eth0) for both DNS and their default route.
  6. Disable the DNS and DHCP servers on your modem/router.
  7. Reboot clients.
However, that was on Bullseye with dnsmasq, dhcpcd, and systemd.networkd. I've no idea of the variations required under Bookworm and Network Manager. It might be simpler but I don't know.

If you want the Pi to be physically between your other machines and the modem/router, add a USB Ethernet interface, only connect the Pi to the modem/router via one interface and connect everything else via a switch linked to the other Ethernet interface on the Pi. That won't cover WiFi clients though if they're still using an AP provided by the modem/router. And you'll end up with the rest of the machines on your network going through two levels of NAT (once on the Pi, once on your router) before it gets out into the wild.

One other thing I strongly advise: don't start messing with network settings and configuration unless you have a way into the Pi that doesn't depend on having a working network.

*: That's what I used. There are other options.

Statistics: Posted by thagrol — Tue Jun 03, 2025 11:38 pm
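As an added illustration of steps 2 to 5 in the reply above (not thagrol's own notes or configuration), the script below generates the routing commands, nftables NAT rules, dhcpcd static-address stanza and dnsmasq configuration for a Pi acting as a WireGuard gateway. It assumes eth0 on the LAN, wg0 as the tunnel, a 192.168.1.0/24 LAN with the modem/router at .1 and the Pi at .2, and placeholder addresses for the VPN endpoint and the VPN provider's DNS resolver; all of those values are assumptions, not from the post. The forward chain defaults to drop, so if wg0 goes down LAN clients lose connectivity rather than silently falling back to the ISP path.

```shell
#!/bin/sh
# Added example: emit config fragments for a Pi-as-WireGuard-gateway.
# All addresses below are assumed/constructed placeholders; adjust to your LAN.
LAN_IF="eth0"
VPN_IF="wg0"
PI_ADDR="192.168.1.2"
LAN_CIDR="192.168.1.0/24"
ROUTER_ADDR="192.168.1.1"
VPN_ENDPOINT="203.0.113.10"   # placeholder: your VPN server's public IP
VPN_DNS="10.64.0.1"           # placeholder: resolver reachable through the tunnel

# Step 2: the tunnel endpoint must be reached via the modem/router, everything
# else goes into the tunnel. Run as root after wg0 is up.
gen_routes() {
  cat <<EOF
ip route add ${VPN_ENDPOINT}/32 via ${ROUTER_ADDR} dev ${LAN_IF}
ip route replace default dev ${VPN_IF}
EOF
}

# Step 3a: kernel must forward between eth0 and wg0.
gen_sysctl() {
  echo "net.ipv4.ip_forward=1"
}

# Step 3b: NAT LAN traffic out of wg0 only. The forward chain drops anything
# not heading into the tunnel, so a down wg0 cannot leak traffic via eth0.
gen_nft() {
  cat <<EOF
table inet vpngw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "${LAN_IF}" ip saddr ${LAN_CIDR} oifname "${VPN_IF}" accept
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "${VPN_IF}" masquerade
  }
}
EOF
}

# Step 4: static address for the Pi on eth0 (dhcpcd.conf stanza, as used on Bullseye).
gen_dhcpcd() {
  cat <<EOF
interface ${LAN_IF}
static ip_address=${PI_ADDR}/24
static routers=${ROUTER_ADDR}
static domain_name_servers=${VPN_DNS}
EOF
}

# Step 5: dnsmasq hands out the Pi as default gateway and DNS server, and
# forwards queries to the resolver inside the tunnel (no DNS leak to the ISP).
gen_dnsmasq() {
  cat <<EOF
interface=${LAN_IF}
bind-interfaces
no-resolv
server=${VPN_DNS}
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=option:router,${PI_ADDR}
dhcp-option=option:dns-server,${PI_ADDR}
dhcp-authoritative
EOF
}

# Print every fragment with a header so each can be copied to its file.
for frag in gen_routes gen_sysctl gen_nft gen_dhcpcd gen_dnsmasq; do
  echo "### ${frag}"
  "$frag"
  echo
done
```

Write the nftables output to /etc/nftables.conf and the dnsmasq output to a file under /etc/dnsmasq.d/, then disable DHCP/DNS on the modem/router (step 6) before rebooting clients (step 7). Because the forward chain is deny by default, keep the serial console or a keyboard handy as the reply advises: a mistake here takes the whole LAN offline.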
