Setting up a Raspberry PI as an OpenVPN Router without additional NICs

During one of my latest shopping sprees I decided to buy myself a new Raspberry PI. These credit-card sized computers have always intrigued me for their endless potential. Many use them as set-top boxes, others for pentesting (my favorite use of the Pi so far), others simply use them as cheap computers.


The Raspberry PI Model B+

One thing I have wanted to use a rPI for, for some time now, is protecting my network against attackers. I’m a fan of OpenVPN and all my devices have a client installed, but I wanted something better.

Some commercial routers do support OpenVPN, but they are not fast enough for the strong crypto it requires. This was the case for my old WRT54GL, which would max out at barely 300kbps with OpenVPN on. I figured that a rPI would handle that traffic far more efficiently.

Also: I do not have a USB NIC or WiFi card available, so I decided to use the single Ethernet NIC integrated in my Model B+.

So, let’s begin with the OS image. I decided to go with Raspbian, in particular with this image because of its light weight. After you get that on a MicroSD card, boot it up and hook up a mouse, a keyboard and an HDMI cable to your rPI.
The root password will be “raspberry” by default. Be sure to change this, as SSH will be available and attackers will be able to SSH in with a very simple dictionary attack.

Once you get to a shell, install everything the setup needs. A DHCP server is not required, but in order to correctly VPNify your traffic you will have to specify a different gateway on your devices, pointing to the Raspberry PI’s IP.

apt-get update

apt-get install isc-dhcp-server openvpn

After you’re done installing, put your VPN files in /etc/openvpn/ and rename your .ovpn configuration file to config.ovpn. Proceed by removing /etc/init.d/openvpn, since it looks like it won’t work at boot.

Routing is going to be pretty simple. My setup works like this: I have a WiFi router with a 4-port switch and a WAN port. I connected the WAN port to my internet modem and my iMac and Raspberry PI to one of the switch ports. The router connects to WAN and creates a LAN on the subnet. The router’s IP is and I disabled DHCP to let the Raspberry handle it. The Raspberry is configured so eth0 has as a static ip and eth0:0 (an alias of eth0) has as a static ip.
The VPN connects using (as an example) as server. Since the Raspberry needs a time source, I decided to let NTP traffic flow unencrypted on the network. Pinging gave me as an address, and I decided to use that as my NTP server IP.

cat > /etc/ntp.conf << EOF


driftfile /var/lib/ntp/ntp.drift

statistics loopstats peerstats clockstats

filegen loopstats file loopstats type day enable

filegen peerstats file peerstats type day enable

filegen clockstats file clockstats type day enable

restrict -4 default kod notrap nomodify nopeer noquery

restrict -6 default kod notrap nomodify nopeer noquery


restrict ::1

EOF

This requires us to route and to the gateway (which is my WiFi router), (aka “default”) to the VPN’s gateway. To achieve this, just use post-up in /etc/network/interfaces.

cat > /etc/network/interfaces << EOF

auto lo

iface lo inet loopback

auto eth0

iface eth0 inet static



auto eth0:0

iface eth0:0 inet static


     post-up route del -host || :

     post-up route del -host || :

     post-up route add -host eth0 || :

     post-up route add -host gateway eth0 || :

     post-up route add -host gateway eth0 || :

EOF


To run OpenVPN at boot, but only after NTP sets the correct date, simply do:

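cat > /etc/rc.local << 'EOF'
#!/bin/bash
# Wait for NTP to set the clock, then start OpenVPN (the quoted 'EOF' keeps $(date ...) literal)
(
while [[ "$(date +'%s')" -lt 1400000000 ]]; do sleep 1; done
openvpn /etc/openvpn/config.ovpn >> /etc/openvpn/ovpn.log
) &
EOF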

To correctly configure routing after OpenVPN starts, you’ll have to add two lines to your config.ovpn file, by doing something along the lines of:

cat >> /etc/openvpn/config.ovpn << EOF

script-security 2

up /etc/openvpn/

EOF

And then create the /etc/openvpn/ script with these contents, without forgetting to chmod +x it:


#!/bin/sh

# For a tun device, OpenVPN passes the tunnel's local IP as $4 and the remote (peer) IP as $5

route del -host gateway

route add default gateway "$5"

iptables --table nat -F POSTROUTING

iptables --table nat -A POSTROUTING -o eth0 -s -j MASQUERADE

iptables --table nat -A POSTROUTING -o tun0 -j SNAT --to-source "$4"

echo 1 > /proc/sys/net/ipv4/ip_forward

This should do the trick, but DHCP is still not configured. Simply run:

cat > /etc/dhcp/dhcpd.conf << EOF

ddns-update-style none;

option domain-name-servers;

default-lease-time 600;

max-lease-time 7200;

log-facility local7;

subnet netmask {


  option domain-name-servers;

  option routers;

  default-lease-time 600;

  max-lease-time 7200;

}

EOF

Now, run “sync” a couple times to write everything down to the SD card and reboot. Things should “just work”.
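To check the result after the reboot, the routing rules described above (VPN server and NTP server pinned to the LAN router, everything else through the tunnel) can be audited. This is an added example, not part of the original post; the function name check_routes and every address in it are constructed placeholders, since the post's own addresses are not shown.

```shell
#!/bin/sh
# Added example (not from the original post): audit a routing table for
# traffic that would leave the LAN without going through the VPN tunnel.
# Every address below is a constructed placeholder; substitute your own.

# check_routes "ALLOWED_HOST ..." reads `ip -4 route show` output on stdin.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_routes() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Find the outgoing device of this route entry
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        $1 == "default" {
            seen = 1
            if (dev !~ /^tun/) { print "LEAK: default route on " dev; bad = 1 }
            next
        }
        # Host route (no /prefix) through a gateway on a non-tunnel device:
        # only the VPN server and the NTP server are expected to bypass tun0.
        $1 !~ /\// && $2 == "via" && dev !~ /^tun/ && !($1 in ok) {
            print "LEAK: unexpected bypass route for " $1; bad = 1
        }
        END {
            if (!seen) { print "NO DEFAULT: forwarded traffic has no route"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: VPN server 192.0.2.10 and NTP server 198.51.100.7 are
# pinned to the LAN router, everything else goes through tun0.
ALLOWED="192.0.2.10 198.51.100.7"
SAMPLE_OK='default via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.0.2.10 via 192.168.1.1 dev eth0
198.51.100.7 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2'

# Constructed sample: tunnel down, default route fell back to the LAN router,
# and a stray host route bypasses the tunnel.
SAMPLE_LEAK='default via 192.168.1.1 dev eth0
192.0.2.10 via 192.168.1.1 dev eth0
203.0.113.50 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2'

printf '%s\n' "$SAMPLE_OK" | check_routes "$ALLOWED" && echo "sample OK: clean"
printf '%s\n' "$SAMPLE_LEAK" | check_routes "$ALLOWED" || echo "sample LEAK: flagged"
```

On the Pi itself, pipe live data into the function with `ip -4 route show | check_routes "<VPN server IP> <NTP server IP>"`.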

10 thoughts on “Setting up a Raspberry PI as an OpenVPN Router without additional NICs”

  1. Hi Luck, amazing to see how many steps you had to take to get the JB alive. Sad to hear you are going to leave the JB community and I want to thank you sincerely for all your hard work from the last couple of years, RESPECT!! Greetings from a fan in the Netherlands🙏👏🙏

  2. This blog was a good read and it’s amazing how much work goes into what you do, keep it up and you have many fans like myself from Trinidad & Tobago

  3. You are a very hard worker, but there is one major bug, my phone is now stuck on apple logo because of this jailbreak.

  4. Hey Luca, I think you’re great man!! I want to thank you for releasing Yalu to the public. YOU ROCK!! I have been your fan since even before the release, and even when people questioned your legitimacy, I corrected them. I completely respect your decision to not work on future jailbreaks. I personally think you are way too great to quit though, but that is your choice man, you’ve already done so much for everybody!! I admittedly did want to see you keep giving Apple some more competition!! I also loved that you used Kim Jong Un as the Yalu icon hahaha I think Apple is communist, I felt like you made a great statement! 😀

  5. Thanks to hell for the jailbreak of iOS 10-10.2. That you chose to link it means so damn much for me, and there are not many like you who had managed it !! Love you ❤️

  6. Well I guess we part ways from here, and I just joined the jb community, xD (I have been trying to get in since last year, but my bro upgraded on ios 9 to 9.2 then I got the storage bug, which took all my storage so I was forced to upgrade to 9.2.1 a few weeks later you released a jailbreak which also fixed this… then I had lost track of the community due to exams. Now I’m in college and I got up to date, sucks to be me my device was 32 bit so the pangu jb didn’t work… after getting a new device this year on my birthday on Feb, I finally was on the right firmware and right hardware… that was my first jb experience on 10.2… it was great your work was amazing… until I decided to use Icleaner and targeted the library… plus it was only targeting .temp files… well as expected I crashed my iPhone in one month dfu mode did fix it, which was lucky but I was upgraded to 10.2.1… o well that’s a lesson learnt don’t mess with system files, xD but I still miss the freedoms) anyhow your work is what led me to the amazing freedoms of jailbreak and the experience was definitely worthwhile even though the risk of messing up my device… thanks man, as a learning coder myself, I wish to take your methods one day and use them to create something as great as you, though this will be a long time away probs 3 yrs avg, but that’s fine… thank you for everything and I hope you succeed in life, xD
