Raspberry Pi 4 as VPN Router (having trouble)

I checked the openwrt versions etc. The info is:

firmware version: OpenWrt SNAPSHOT r16357-f8669c174e / LuCI Master git-21.088.74150-ba4e214
kernel version: 5.4.108
local time: 2021-04-03 02:48:25

  • does this mean i need to update?

Regardless, I did try the kmod install. I had previously installed the kmod-usb-net-asix-ax88179 (and so the kmod-usb-net is already there). I downloaded the kmod-usb-net-rtl8152 file to my pc (although the full filename is kmod-usb-net-rtl8152_5.4.110-1_aarch64_cortex-a72.ipk). I moved this file into the /tmp directory on the pi (I assume not the /tmp/tmp directory). I connected via putty and executed commands as you suggested and got the following result:

root@OpenWrt:~# cd /tmp
root@OpenWrt:/tmp# opkg install kmod-usb-net-rtl8152
Installing kmod-usb-net-rtl8152 (5.4.108-1) to root...
Downloading https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2711/kmods/5.4.108-1-5082ee74a25df4a3fe07454eb1c5689b/kmod-usb-net-rtl8152_5.4.108-1_aarch64_cortex-a72.ipk
Failed to send request: Operation not permitted
Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2711/kmods/5.4.108-1-5082ee74a25df4a3fe07454eb1c5689b/kmod-usb-net-rtl8152_5.4.108-1_aarch64_cortex-a72.ipk, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_install_pkg: Failed to download kmod-usb-net-rtl8152. Perhaps you need to run 'opkg update'?
 * opkg_install_cmd: Cannot install package kmod-usb-net-rtl8152.
root@OpenWrt:/tmp#

Maybe I needed to provide the full name of the kmod file? Or maybe as you say I need to update Open WRT?

Yes, you’ll need the full file name, sorry about that, wasn’t paying enough attention, and yes, you’ll need to install the latest snapshot, my pi snapshot is about a week old and it’s on kernel 5.4.109 and the kernel has most likely changed again since then, so your 5.4.108 snapshot kernel won’t match the 5.4.109 or later kernel (openwrt snapshot kernels usually advance/change every day or two).

So what you are saying is once you install openwrt you basically have to install any of the additions you want immediately or you won't be able to add them without reinstalling from scratch again?

On snapshot (development) builds yes, stable releases are ‘frozen’ for lack of a better word, so you can install packages at anytime without reinstalling from scratch and it looks like the pi 4 will be in the next stable release.

Thanks Mike. Ok, so here is what I have done..

  • downloaded and flashed the most recent image for pi (rpi-4-ext4-factory.img.gz)
  • executed some uci set commands for ipaddr (192.168.3.3), gateway (192.168.3.1) and dns (192.168.3.1)
  • installed luci
  • added a number of packages (as per the original instructions I followed before from 'instructables') - fdisk, resize2fs, kmod-fs-ext4, block-mount, kmod-usb-net-asix-ax88179, kmod-usb-net-rtl8152 (the one you suggested), curl, git-http, ntpd.
  • made a minor change to the opkg.conf (as per instructions I had)
  • increased max connections in the conntrac.conf (as per instructions I had)
  • disabled ipv6 (placed ipv6.disable=1) in the cmdline.txt (as per instructions I had)
  • plugged usb/eth adapter into pi - although not connected to anything yet (as per instructions I had)
  • added a new interface for WAN (DHCP, eth1) and set firewall as WAN

I have now changed the wiring so that rather than router going directly to modem I have the pi (usb/eth) adapter plugged to modem and left the router connected to pi only. At this point my router no longer provides internet access for my connected pc. however, i can still putty into the pi via the router and at the pi command line a ping 8.8.8.8 command indicates connection to internet. So it looks like what is missing is that the router is not offering up the internet even though it is connected to pi (which does have internet access). I suppose once I get the internet access via router working then I can look at final step of installing the vpn on the pi. But I assume we should be able to make the connection to internet work through router/pi without vpn as a start?

Mike, I just tried something on the router settings. I went in and changed the gateway under network setup from 0.0.0.0 to 192.168.3.3 (the ip of the pi). the router is now providing access to internet it seems. I'm not sure if I did the appropriate thing but it appears to have worked. Any comments on how I have set this up?

No, if your setup is modem>pi>router then the pi is the gateway for your router, so that's correct, I'd just point out that there's no need to change anything about opkg as far as I know, but if you have a specific reason for doing so I don't see how it could hurt (as long as you're sure you're still pulling from the official OpenWrt repository).

Thanks. One thing I believe you mentioned before was the reg ethernet port from the pi should go to modem and the usb port (via the adapter) should go to router. I have it the other way around (pi ethernet port to router, pi usb port to modem). Is there a reason/need for me to switch this?

Also, I just of setting up the protonvpn within openwrt. Fairly straightforward - had to install openvpn-openssl and luci-app-openvpn to the pi. Then uploaded a config file from protonvpn (and made a few additions to the file as per protonvpn instructions - including putting in my username/pw). Protonvpn also advised to go into pi and add a dns updater script (which I did).

Then I started the vpn via luci, however, it doesn't alter my computer's IP (via whatsmyip) so it doesn't appear to be doing anything. Further instructions from protonvpn say that you must setup a vpn interface and make public otherwise the pc's won't have internet access. Well, mine have internet access - it just doesn't seem to be going through vpn. Anyways, it says to setup a new interface of type "tun0", however, when i go to setup such an interface via luci it doesn't give me the "tun0" option - it only has eth0, eth1, br-lan, wireless network. No tun0 is there to select. Am i missing something?

No that's right, if I said otherwise I misspoke.

For openWrt 19.07 and up you can use these instructions for the tun0 interface, just make sure you've started the vpn first or the tun0 interface won't be present.

thanks. yes, those were the instructions I was following. i have started the vpn (says its running) but the instructions indicate that those connected won't have internet access until you setup this add'l interface. I do have access which leads me to believe the vpn isn't running properly? I do get a message at top of screen when in setting up the vpn (Insufficient permissions to read UCI configuration), however, the vpn settings i made appear to have saved. Also, even though it says the vpn is running when i try to add that additional interface I do not see that tun0 option.

I have the insufficient permissions message too and it's not affecting my vpn, so it's probably just a luci bug that's not relevant. Have you entered the Proton vpn dns in the wan of the pi? If not try that (stop the vpn first, then start again after entering the dns) and check again for the tun0 interface, it's been a while since I've used proton vpn, but I remember that being necessary to get it running.

Thanks for all your help - couldn't do this without it. Anyways, I followed the protonvpn instructions exactly - uploaded the vpn config file and updated it in 3 places as specified. Namely...

  1. add to the auth-user-pass line the path to my auth file (which it seemed to create for me)
  2. add my userid/pass that protonvpn has available on their site when i login
  3. add a few lines of code to their config section (the code references the client.sh file)

The interesting thing is though when I go to look at these files in the /etc/openvpn directory the auth file is empty as is the ovpn file. the client.sh file has a few lines that the instructions had directed me to add which I see now is called - the dns updater script. The directions and what I put in was as follows..

cat << "EOF" > /etc/openvpn/client.sh
#!/bin/sh
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u > /tmp/resolv.conf.vpn
case ${script_type} in
(up) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn" ;;
(down) uci revert dhcp ;;
esac
/etc/init.d/dnsmasq restart &
EOF
chmod +x /etc/openvpn/client.sh

Anyways, in the instructions I didn't see any reference to a specific dns number that i needed to put anywhere. Does the above code take care of it? If i wanted to, where do I find the dns in question and where/how do I specify it in the pi?
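
Added example, not part of the original posts or of the ProtonVPN instructions: it replays the two sed rules from client.sh on constructed input to show what ends up in /tmp/resolv.conf.vpn. It assumes OpenVPN hands pushed options to the script as foreign_option_N variables; the sample values, including the vpn.example domain, are made up apart from the 10.8.8.1 address mentioned in this thread.

```shell
#!/bin/sh
# Added example: replays client.sh's sed filter on constructed input.

# The same two sed rules client.sh applies to the output of `env`.
vpn_resolv_lines() {
    sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u
}

# Constructed environment, shaped like what an up script sees when the
# server pushes "dhcp-option DNS 10.8.8.1". The domain is made up.
sample_env_with_dns() {
    cat <<'EOF'
script_type=up
dev=tun0
foreign_option_1=dhcp-option DNS 10.8.8.1
foreign_option_2=dhcp-option DOMAIN vpn.example
EOF
}

# Constructed environment where the server pushed no DNS or DOMAIN option.
sample_env_without_dns() {
    cat <<'EOF'
script_type=up
dev=tun0
foreign_option_1=dhcp-option NTP 10.8.8.1
EOF
}

# Succeeds only if the generated resolv file would name at least one server.
has_vpn_nameserver() {
    vpn_resolv_lines | grep -q '^nameserver '
}

echo "--- server pushes DNS ---"
sample_env_with_dns | vpn_resolv_lines
echo "--- server pushes no DNS ---"
if sample_env_without_dns | has_vpn_nameserver; then
    echo "resolv.conf.vpn would contain a nameserver"
else
    echo "resolv.conf.vpn would be empty"
fi
```

On the router itself, reading /tmp/resolv.conf.vpn after the VPN has started shows whether the server actually pushed a DNS address.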

Are the config/certificates and username/password showing in luci? I just checked my /etc/openvpn/* and everything is there even though I'm getting the same insufficient permission message in luci.

well i can see the openvpn instance that was setup and i can go into edit it and see the protonvpn config information. But i see now that this config information is just telling me what it was supposed to place into the ovpn and auth files? Is that right? Because none of this information is in those files - I guess it is supposed to put/copy it there? So maybe that msg I was getting was stopping it from successfully putting the info into those 2 files? I looked up that error and i could see that others on openwrt had gotten it and I could see where it was logged as an issue but it seemed to be closed (issue 4653) - but not understanding what the resolution was. Anyways, could i just cut paste the config information i see under the vpn settings into those 2 files? Only problem is, there doesn't seems to be a way to paste into the terminal window.

Ok, I managed to paste all that config info into the ovpn and auth files. Unfortunately, after I did that and went back into luci I still don't see the option of creating a tun0 interface. Also, now in my /etc/openvpn folder I have 2 auth files (with same content) and 2 ovpn files (with same content). The names of the files are the same except that one set has cap letters in the name (as I had named them in my vpn config on the luci side) and other set is the same name but only entirely in lower case.

Yes, those files should have been created automatically when you uploaded your ovpn config and entered your username/password, mine are there even though I have that same message, so I don't know what the problem is unfortunately.

You can go ahead and remove the files you created (rm -r /etc/openvpn/name of file you created) and try using the dns from proton vpn, the ones I used were from the ddwrt instructions, there's different ones for paid/free and tcp/udp, I don't know if they're the servers that are meant to be used with OpenWrt, but they did work when I used them.

the dns # appears to be 10.8.8.1. do i note this on the pi via luci somewhere

In luci>network>interface>wan>edit>advanced settings uncheck use DNS advertised by peer and enter the proton vpn dns in Use custom dns servers. Before you do that though it would probably be best to just go ahead and delete your current vpn instance, create a new one and check if the /etc/openvpn files were created properly, if there's still a problem there the dns won't fix it.

I got somewhere. i deleted the vpn setup and redid the entire thing. although i got that msg again the setup worked and it created the auth and ovpn files as expected. and then i had lost internet as expected until i created the tun0 interface. so went in and was able to create the tun0 interface (it was there). This then gave me access to the internet - great. now i go to check my ip and it is as per the vpn. great again. only problem is the internet speed test is quite slow compared to without vpn. it is similar to what it was when i had the vpn installed directly on the router. I was hoping would run faster if installing vpn on pi rather than router. maybe it is a bit better, and maybe i can find way to speed it up. only other thing is - it looks like the tun0 interface doesn't start on boot - i'm sure there is a way to fix that.

On the openvpn instance make sure the Enabled box is checked (and that openvpn is enabled in luci>system>startup). You can also look into overclocking the pi and decide if that's something you want to do to improve speed, although there's really no downside from what I've seen, I have mine clocked at 2100 and haven't had any problems with cooling and I get twice the speed of what I was getting on my router. You can also look into wireguard, I haven't tried it yet, but from what I've seen here in the forum the performance is vastly better than openvpn.