Raspberry Pi VPN with PiVPN: Access Your Home Network from Anywhere

So, you’ve got a bunch of cool stuff on your home network: smart home devices, a NAS full of… ahem, totally legal Linux ISOs, maybe a home automation server. You want to access all this goodness from anywhere, not just when you’re sitting on your couch. A VPN is the answer, and PiVPN makes setting one up on a Raspberry Pi incredibly easy. Forget those commercial VPN services that log everything you do and sell your soul to the highest bidder. This is your network, your data, and your VPN.

This guide walks you through setting up PiVPN, configuring both WireGuard (for speed) and OpenVPN (for compatibility), generating client configuration files (including those nifty QR codes), and even setting up dynamic DNS so you don’t have to remember a constantly changing IP address. We’re focusing on accessing your stuff, not hiding from the NSA (though, hey, added benefit!).

Why PiVPN?

PiVPN is a set of scripts that simplifies the installation and management of a VPN server on a Raspberry Pi. It supports two popular VPN protocols:

• WireGuard: A modern, extremely fast, and cryptographically secure VPN protocol. It’s generally the preferred choice if your client devices support it.
• OpenVPN: A more established, highly configurable, and widely compatible VPN protocol. It’s a good fallback if WireGuard isn’t an option.

PiVPN handles all the messy configuration and certificate management, making the setup process a breeze.

Prerequisites

Before you begin, you’ll need:

• A Raspberry Pi (any model should work, but a Pi 3 or 4 is recommended for better performance). A Pi Zero W will work, but expect slower speeds.
• A microSD card (8GB or larger) with Raspberry Pi OS installed. We recommend using the Raspberry Pi Imager for a clean install. Lite is fine, you don’t need a desktop.
• A power supply for your Raspberry Pi.
• An internet connection (obviously).
• Basic familiarity with the command line.

Step 1: Install PiVPN

First, update your Raspberry Pi:

sudo apt update && sudo apt upgrade -y

Then, install PiVPN using the following command:

curl -L https://install.pivpn.io | bash

This command downloads the PiVPN installation script and executes it. You’ll be guided through a series of prompts. Here’s a breakdown of the key choices:

1. Static IP or DHCP Reservation: You must have a static IP address for your Raspberry Pi on your local network. You can either set a static IP directly on the Pi (during the PiVPN installation or manually later) or configure a DHCP reservation on your router. DHCP reservation is generally recommended, as it’s easier to manage centrally. Consult your router’s documentation for instructions on how to do this. Note the ip address assigned to your Pi, as you will need it later.
2. User: Select the user you want to use for managing the VPN (usually your default user).
3. Installation Mode: Choose either “Unattended” or “Custom”. Unattended is fine for most users.
4. VPN Protocol: Here’s where you choose between WireGuard and OpenVPN, or both. If you’re unsure, install both. You can always add/remove protocols later. We’ll show configurations for both.
5. WireGuard/OpenVPN Port: The default ports (51820 for WireGuard, 1194 for OpenVPN) are usually fine. Change them if you have a specific reason, but remember to update your firewall rules accordingly.
6. DNS Server: This is crucial. You’ll be prompted to choose a DNS server. For accessing your local network, you should use a DNS server that can resolve your local hostnames. If you have a local DNS server (like Pi-hole), use its IP address. Otherwise, you can use your router’s IP address (usually 192.168.1.1 or similar). If you also want to use the VPN for general internet browsing and want ad-blocking, you can use a public DNS server like Cloudflare (1.1.1.1) or Google (8.8.8.8), but you may have trouble accessing your local devices by name. Consider setting up a Pi-Hole, it’s awesome, and you can easily use your Pi-Hole address here.
7. Public IP or DNS Entry: You can choose to use your public IP address or a DNS entry. We’ll cover setting up a dynamic DNS entry later, so for now, you can select your public IP.
8. Unattended Upgrades: Enable this to keep your VPN server secure.

After the installation completes, reboot your Raspberry Pi:

sudo reboot

Step 2: Create Client Configurations

Once your Pi reboots, you can start creating client configurations. This is where PiVPN shines.

WireGuard Configuration

To create a WireGuard configuration, use:

pivpn add

You’ll be prompted to enter a name for the client (e.g., “phone,” “laptop”). PiVPN will generate a .conf file in the /home/pi/configs directory (assuming your username is pi). This file contains all the necessary information for your client device to connect to the VPN.

To generate a QR code for easy configuration on mobile devices, use:

pivpn -qr

Select the client configuration you want to use, and PiVPN will display a QR code on the terminal.

You can scan this QR code with a WireGuard client app on your phone or tablet.

OpenVPN Configuration

To create an OpenVPN configuration, use:

pivpn add -o

This will generate a .ovpn file in the same /home/pi/configs directory. This file is used with OpenVPN client applications.

There’s no built-in QR code generation for OpenVPN configurations in PiVPN. You can, however, use a third-party QR code generator. Copy the contents of the .ovpn file, paste them into a QR code generator (many are available online), and then scan the generated QR code with your OpenVPN client app. Be careful when using online QR code generators, only generate them from your .ovpn after you download the file.

Step 3: Getting the Configuration Files Off Your Pi

You need to get the generated configuration files (.conf for WireGuard, .ovpn for OpenVPN) onto your client devices. Here are a few ways:

• QR Code (WireGuard only): As mentioned above, the easiest way for mobile devices.

• SCP (Secure Copy): Use an SCP client (like WinSCP on Windows, or the scp command on Linux/macOS) to copy the files from your Raspberry Pi to your computer. For example:

  scp pi@your_pi_ip:~/configs/laptop.conf .
  

  This command copies the file laptop.conf from your Raspberry Pi to your current directory. Replace your_pi_ip with the IP address of your Pi.

• USB Drive: Copy the files to a USB drive and then to your client devices.
• Network Share: Set up a network share (e.g., Samba) on your Raspberry Pi and access the files from your other devices.

Step 4: Setting up Dynamic DNS (Optional but Recommended)

Your home IP address probably changes from time to time. Dynamic DNS (DDNS) solves this problem by giving you a hostname (like vpn.yourdomain.com) that automatically updates to point to your current IP address.

1. Choose a DDNS Provider: Several free DDNS providers are available, such as No-IP, DuckDNS, and FreeDNS. Choose one and create an account.
2. Create a Hostname: Follow the DDNS provider’s instructions to create a hostname (e.g., yourname.duckdns.org).

3. Install a DDNS Updater on your Pi: Many DDNS providers offer scripts or software to automatically update your IP address. For example, DuckDNS provides instructions for setting up a cron job on your Raspberry Pi: https://www.duckdns.org/install.jsp

   Follow their instructions, which typically involve creating a simple script and scheduling it to run regularly using cron. This script will periodically check your public IP address and update your DDNS hostname if it changes.

Step 5: Port Forwarding on Your Router

To allow incoming VPN connections, you need to forward the appropriate ports on your router to your Raspberry Pi.

1. Log in to your router’s configuration page: This is usually done by entering your router’s IP address (e.g., 192.168.1.1) in a web browser. Consult your router’s documentation if you’re unsure how to do this.
2. Find the Port Forwarding section: This might be called “Port Forwarding,” “Virtual Servers,” “NAT,” or something similar.
3. Create port forwarding rules:
   • WireGuard: Forward UDP port 51820 (or the custom port you chose) to the local IP address of your Raspberry Pi.
   • OpenVPN: Forward UDP port 1194 (or the custom port you chose) to the local IP address of your Raspberry Pi.

The exact steps will vary depending on your router model, but the general concept is the same.

Step 6: Connect to Your VPN!

Now, install a WireGuard or OpenVPN client on your device (phone, laptop, etc.). Import the configuration file you created earlier (either by scanning the QR code or manually importing the .conf or .ovpn file).

Connect to the VPN, and you should now be able to access your home network devices as if you were connected directly to your home Wi-Fi. Try accessing your NAS, smart home devices, or anything else on your network.

Troubleshooting

• Can’t connect? Double-check your port forwarding rules, your Raspberry Pi’s static IP address, and your DDNS configuration (if you’re using it). Make sure your firewall isn’t blocking the VPN ports. Ensure you have a static IP or DHCP reservation set.
• Slow speeds? If you’re using a Raspberry Pi Zero W, consider upgrading to a Pi 3 or 4. WireGuard is generally faster than OpenVPN.
• Can’t access local devices by name? Make sure you’re using a DNS server that can resolve your local hostnames (see step 1, point 6).
• Connectivity issues with certain devices? Try both OpenVPN and Wireguard. One may be more stable than the other.

Conclusion

PiVPN makes setting up a home VPN server on a Raspberry Pi incredibly straightforward. By following these steps, you can securely access your home network from anywhere in the world, giving you control over your data and access to your devices. Now go forth and remotely access your… totally legal stuff! And don’t forget to sudo apt update && sudo apt upgrade -y regularly to keep your VPN server secure.