Rpi3 VPN Router


Is it possible to build a VPN (Client) Router of a RPi3 with LEDE (openwrt)?
My goal is:

  1. Install/Setup LEDE (openwrt) firmware on a RPi3
  2. Create a Subnet for this router (is it wise to create a subnet for a VPN router?)
  3. Setup a OpenVPN Client of my VPN provider on the Rpi3 LEDE Router

Features of the setup:

  1. One of the Clients of the Rpi3 VPN Router would be another Rpi3. Mobile devices (GSM and Tablets) and a NAS connected to my home network (main router), should be able to communicate with the Rpi3 client.
  2. VPN Kill switch (iptables), so that the only way the RPi3 can get to the internet is over the VPN Router.

Do I need an extra LAN Port on the Rpi3?
I ask this because i found a video tutorial to create a VPN (Client) Router of an RPi, which uses only the LAN port for incoming/outgoing)



Yes... this can be done.

See this thread which is the most recent one on the topic.

1 Like

Thanx man I'll study this page. I already did the same with an old TP-Link (2543) router with DD-WRT , but I got slow speeds (10mbps) due to the 400mhz single processor. But I have a spare Rpi3 which has dual core 1.2ghz...this should give better performance

1 more thing, Since I want to create a subnet for the VPN router, Do I need an extra LAN interface on the Pi (because the build in LAN interface becomes the WAN port)? or can I config all incoming/outgoing traffic trough one interface? (like in the video tutorial)

There are a lot of ways to do this, but what I have done with my MR3020 router (kinda similar to a pi -- 1 ethernet port + wifi) is to configure the system as a standard router (WAN + LAN). The LAN services all of the downstream clients as it would normally. The WAN can also work normally with masquerade NAT or it can be overridden by the VPN tunnel, in which case all the LAN traffic is directed through the tunnel. The routing stack handles all of this, so that everything that is egress from the WAN is encrypted through the tunnel and destined for a specific VPN server/service.

OK nice to know! And if you take my end goal of the VPN Router into account, would you suggest your setup or the one MK24 describes (which looks more like the video tutorial link I have added)

I really like my config -- it is reliable and makes sense for my usage. If your end goal resembles what I describe here, then: yes, of course I'd recommend my method.

Based on the contributions to this forum, it is clear that @mk24 is very knowledgeable and has good reasons for various approaches to networking (and/or opinions when considering alternatives/options). I haven't really digested the specific reasons for the different configuration and philosophy with respect to the VPN client device, so I can't comment on the strengths and weaknesses of that approach vs mine.

The guy in the video has an interesting setup, though I wouldn't say it's very good, The PI is a device on the LAN at for example with the main router at If someone gateways through the Pi, it will take that connection and send it over the VPN, maintaining the encrypted link to the VPN server through the main router. In other words only the Pi uses as a gateway. Users gateway through and find their connections are VPN'd.

So he manually configured a client PC to use that gateway instead of the main router. In a family setting this would be a real pain, and defeats one of the best features of a central VPN client device-- zero configuration for the users. You could probably do this with a custom setting in the network's DHCP server, or even turn off the main router's DHCP and use the Pi. You can't have two DHCP servers on the same network offering conflicting information.

I agree with @mk24 about the video and other comments in the above response. This is a large part of the reason I approached my VPN client router the way I did.

Where @mk24's advice differs from mine (at least in that other thread) is the idea of bridging the Pi's LAN and not using a WAN, and then using a vpnuser network for the VPN users. This is quite different than my config which uses a more traditional WAN+LAN construct (and in the process, generating a double-NAT most of the time when connecting to hotel/cafe networks while traveling), and forwarding outbound LAN traffic through the tunnel. This is where I didn't quite digest the reasoning, but I think that it has to do with a trusted network environment and forwarding only certain client's traffic through the tunnel (vs working in an untrusted environment and pushing everything through the VPN).

Thanx for the useful comments. I understand this video example has security & easy to use issues. My main goal is shown in the attached diagram. The blue line is my current connection of the RPi3/Kodi device. But I would like to create a setup like in red, because this device also connects to the internet. However I am a newby in networking/vpn....the question marks show my 2 main questions:

  1. Which (open)VPN Router Setup would you advise?
  2. How will the Rpi3/Kodi device connect to the VPN Router, with an extra physical LAN interface or is there another way?

Network Setup

I think that my general config description could work well for you in general.

You could use wifi to connect the PiKodi device to the PiVPN, assuming bandwidth is sufficient. Then either use firewall rules or policy based routing to make sure that internet-bound traffic from the Kodi goes through the PiVPN and not the normal LAN.

There are a bunch of alternative physical connection options, but if wifi isn't working or preferable, you could add additional wired ethernet ports via USB-ethernet adapters on the two Pi's.

Another method would be using VLANs, assuming that your main router supports them (most consumer routers with stock firmware don't expose this capability, even if the hardware supports it; OpenWRT/LEDE can do this as can routers aimed at network-savvy users such as the EdgeRouter line).

One other way to approach this (assuming you're using an appropriate main router/OS) would be to configure your main router with OpenVPN (basically using the same general method as for the Pi) but set it up as a split-tunnel where only certain traffic goes through the VPN tunnel... this would be PBR or firewall based.

I prefer connection through LAN, which performs more stable during internet or local streams. My main router is an atheros based TP-Link WR-1043ND v2....with DD-WRT :roll_eyes: for a while now. For a basic router setup this firmware is fine to me. I read on the DD-WRT forum that atheros devices do not support port-based VLAN's...but I don't know if port-based is needed for this setup? If this is not possible I would probably purchase a USB-ethernet adapter.

I have read that only dual processor +1ghz routers will have descent throughput with openvpn, mine is single 900mhz...I know this processor will not stream 40mbps HD (youtube) movies...
I configured My WR-2543ND 400mhz AP as a VPN router and I got only 10mbps.
The Pi3 in the video had a 50mbps download...which beats a whole bunch of routers

1 Like

MHz for MHz, dual core ARM is going to significantly outperform single core MIPS.

You could run your main router as a managed switch (and possibly dumb wifi AP) and run two or more VLANs on the cable from the main router to the PiVPN. One would simply be switched to the ISP. So then the PiVPN becomes the main router, being the only device with access to the ISP, as well as a VPN client. ISP goes into the Pi on one VLAN and LAN comes out on another. This would let you VPN or not with basically unlimited flexibility.

You never said what your ISP speed was, but obviously running everything through the 100 Mb port on the Pi is going to limit your Internet to less than 100 Mb. However, LAN to LAN links like a WiFi user to the NAS would still be switched by hardware in the 1043 at gigabit speed.

My ISP speed is 200mbps (and probably increasing this year)...so Rpi as main router is not really an option for me, i mainly want a VPN client for my rpi3/kodi device...this can be done in this device as well with a nice addon, however a lot of processor power is taken away, which limits the VPN client to max. 20-25mbps

So my main question is: is it possible tot create a VPN router with vlan of should i purchase An usb-to-ethernet adapter?

Hi there.

Try adding network zones (squares with dotted lines indicating a certain IPv4 subnet) as well as individual IPv4 addresses on each network interface. Every router has not only one IP address but one for each interface.

Where does your VPN on the RPi/Router go to? Are there different VPN protocols you can pick, or are you limited to a single one?

Is the RPi/Router fixed or can you replace it with something stronger? I tried a RPi myself and replaced it with a BananaPi, which is more powerfull on one hand and comes with a GBit network interface on the other. It's within the same price range.

I feel you create a couple of multi homed devices in your network. RPi/Kodi, NAS, mngt computer. I have the impression you end up with a couple of hosts with multiple interfaces or at least multiple IP addresses.

Try to create very distinct subnets. Make sure there's only one router from one subnet to another and make sure every device that is not a router has only a single IP address.

Then the very device creating the VPN will come up naturally. If the best point to span the VPN is the RPi, then you might need to change that one with something stronger. If the best point to span the VPN is not the RPi but the main internet connection router, then you might need to replace that one with something stronger.

Just to give you a short hint of what I'm doing:

  • I have a single BananaPi being the main internet router.
  • I have 7 vlans going through the single GBit port of the BananaPi
  • One of them is the WAN interface
  • I have 5 different LEDE based APs
  • All are regular routers but no routing configured
  • So all of those 5 APs are 5-port vlan aware switches as well
  • My main router is on the 2nd floor
  • My ISP input is in the basement
  • There are two VPN connections to two different locations (one being a VPS in a datacenter, the other one is a friend of mine)
  • All VPNs are terminated at the one BananaPi
  • All routing and firewalling (including making my smart tv only connect to a limited number of hosts through a very defined route) is done at a single point: Within the BananaPi
  • There's up to 800MBit through my BananaPi, but VPN with TincVPN is only at 40MBit


Wow, that is a lot of info and questions !Here we go:

I ordered already an extra Pi3...still waiting for it sadly so I can't really test yet.
Is there a openwrt image for a bananapi? (and what bananapi version do you have?)
What I don't understand is Raspberry/Banana pi have one ethernet port, how can it be used as main router
and have one AP attached? Does the bananapi has an extra ethernet port then? Or is the WAN virtual and physically connected from one of the AP's to the ISP input? I am not familiar with vlans

I have an ExpressVPN account...for security openvpn would be most suitable...i guess?
Goal is to setup a VPN Client on a (more) powerful Router device (Rpi3/Router for now) and mainly the Rpi/kodi device will be using the VPN Client (As shown in diagram). The Rpi/Kodi device also acts as a spotify connect speaker and audio/video content on my NAS is played by the Rpi/Kodi device as well, both controlled by mobiles.

All my devices have a fixed IP, except mobiles/tablets and laptop.
All devices are on groundfloor, except AP router and Desktop (2nd floor)

What do you suggest (with the current hardware)?

Hey there!

You should get used to the concept of vlans, hence "tagged ports".

Just like you do in LEDE, the interface LAN isn't bound to eth0 but eth0.1, and WAN isn't bound to eth1 but eth0.2.
This means: There's only one network interface connected to the CPU (eth0), and its vlan 1 is LAN and its vlan 2 is WAN.

In regular SoHo router setups, there's a vlan aware switch which makes Port0 to expose "vlan 2 untagged" and Port1 through Port4 to expose "vlan 1 untagged".
This results in having one WAN port an 4 LAN ports.

If you make a single port not "vlan n untagged" but "vlan 1 tagged as well as vlan 2 tagged", then you have a stream of all TCP packages for both, LAN and WAN going through the same port.

And that's it. You create a "tagged" backbone (which means every vlan is transported).

Clearly this means you can't just plug a computer to the BananaPis network interface and start configuring, since the computer won't understand tagged packages. But if you use a vlan aware switch to pull the vlans apart you can. And anyway, the first configuration of my BananaPi (as well of my RPi, back wen I tried it) wasn't done through network but through TTL serial interface.

The hardware I use is the BPI-M1.

I'd still put the OpenVPN to the one and only main router. If, due to performance reasons, you decide to make a RPi your mean router: Go for it, should be fine. Having multiple routes and multiple firewall settings on multiple devices is just painful to maintain.

Use a single device that has them all, VPN connections, ISP uplink, firewall rules and routing table.

All other devices in the network are

  • either considered being clients (computers, NAS, TV, Hifi, whatever) and therefore should not be bothered with any routing or VPN stuff
  • or dumb APs and switches that might do vlan, but not a single bit of routing nor any actual "computing".

That's, imho, the best way to set things up and not get a huge headache in a couple of month if you try to change a tiny bit need several days just to understand what you configured today.

That's the best advice I can give: Single point of configuration for VPN, routing and firewall.