Raspberry Pi Becomes Secure VPN Router

OpenWRT is a powerful piece of open-source software that can turn plenty of computers into highly configurable and capable routers. That amount of versatility comes at a cost, though; OpenWRT can be difficult to configure outside of the most generic use cases. [Paul] generally agrees with this sentiment and his latest project seeks to solve a single use case for routing network traffic, with a Raspberry Pi configured to act as a secure VPN-enabled router configurable with a smartphone.

The project is called PiFi and, while it’s a much more straightforward piece of software to configure, at its core it is still running OpenWRT. The smartphone app abstracts away most of the tricky parts of OpenWRT for typical users, while power users can still get under the hood if they need to. There’s built-in support for WireGuard-based VPNs as well, which will automatically route all traffic through your VPN of choice. And, since no Pi router is complete without some amount of ad blocking, this router can also take care of removing most ads, in much the same way that the popular Pi-hole does. More details can be found on the project’s GitHub page.

This router has a few other tricks up its sleeve as well. There’s network-attached storage (NAS) built in, with the ability to use the free space on the Pi’s microSD card or a USB flash drive. It also has support for Ethernet and AC1300 wireless adapters, which generally have much higher speeds than the built-in WiFi on a Raspberry Pi. It would be a great way to build a guest network, a secure WiFi hotspot when traveling, or possibly even a home router, provided that the home isn’t too big or the limited coverage problem can be solved in some other way. If you’re looking for something that packs a little more punch for your home, take a look at this guide to building a pfSense router from the ground up.

20 thoughts on “Raspberry Pi Becomes Secure VPN Router”

  1. This thing smells fishy. To get halfway decent dual-band WiFi bandwidth that is actually supported it seems you have to buy an AC1300 Mbps dual-band WiFi USB 3.0 device named PiFi – The ULTIMATE Pi Router Kit for £34.99 ($46.20 USD). But generic AC1300 dual band USB 3.0 dongles sell on Amazon for like $16.99 USD (ASIN B0D77PM1BS, see link below). Then there is mention of: “Lifetime PiFi Premium – PiFi kit users get early access to future software updates and exclusive in-app features”. But pricing and terms seem missing. So what’s going on here? Look at these pages:

    https://www.pifi.org/pifi-kit

    USB WiFi USB Adapter for PC Laptop Desktop, AC1300M 2.4GHz/5.0GHz Band USB 3.0 WiFi Wireless Network Dongle w/High Gain 5dBi Dual Enhanced Antenna for Computer Windows 11 10 8.1 8 7 XP Vista $16.99.

    https://www.amazon.com/Ziquigoa-Adapter-Wireless-Enhanced-Computer/dp/B0D77PM1BS/

    1. It’s seemingly not just a WiFi adapter but has other features as well which would explain the price, being a custom design also drives the price up compared to high volume modules.
      I have doubts that WiFi speed will be particularly impressive with PCB integrated antennas however.

    2. It’s free and open source, you don’t need to buy the USB. I downloaded it and it works decent, certainly easier than using SSH.

      I’m going to make an educated guess you’ve never used OpenWrt before because 99% of WiFi adapters don’t have driver support (OpenWrt is based on Linux kernel 5.x atm) so just finding some random one off Amazon won’t work.

  2. I was discussing routers and WiFi APs once on the internet and someone told me that

    the cheapest x86_64 based mini PC that you can buy (think those Intel NUC things), with a halfway decent USB (or even PCIe) WiFi adaptor will outperform any router/WiFi AP that you can buy for the same price.

    What do you guys think? I think there’s some truth to the thing considering how woefully underpowered most routers and APs are specs wise.

    1. It’d be reasonable to expect to find a better CPU, but the other attributes would likely be worse. Decent networking hardware will have good enough performance for its core purpose, especially if it’s able to offload certain functions to dedicated hardware like a built-in ethernet switch, where the mini PC would have to use CPU for everything. And the best WiFi adapter for a mini PC would presumably be an m.2 PCIe adapter out of a laptop, while a good AP should have a better radio than that. And USB is definitely not as reliable as PCIe for various things. The point where I might look at those mini PCs is if I specifically want them to perform a function that takes a lot of CPU and I don’t mind the hit to latency and reliability. Like VPN, aggressive packet inspection type stuff, hosting some service, etc. I wouldn’t do it for an AP; the AP isn’t going to be doing any complex CPU work anyway. It just needs to get wireless devices onto the network, and it does a fine job of that.
      Well, maybe if I was able to get the latest wifi standard in m.2 and swap it in for cheap, I could see using that for more short range speed with a single client device.

    2. For routing, yes, x86_64 wins; however, for the WiFi part this is not the case. Normal WiFi cards (PCIe or USB) are designed as clients, so acting as an AP might not work at all (e.g. Intel cards are not able to run 5GHz AP mode, and Realtek-based USB dongles have shitty drivers under Linux as well). Also, how about dual band? You need an AP-grade PCIe card to have dual band.

  3. What I like about this is the capability to eventually get a newer dongle, like WIFI-7 or newer, without having to change the entire device or equipment. It also keeps the same management interface. Not sure I will set one up, as I already have a very good one, but I will want to try it and see how it can perform using its built-in WIFI adapter.

  4. I used to think OpenWRT and other open, hackable router OSs were great.

    But I wanted a VPN server built into my router. I followed instructions so many times to try to hack a VPN server into so many off the shelf consumer oriented routers. Once I even had it working.. for a couple of days. Then the device bricked. Write limits maybe?

    Way way back.. before those off the shelf router devices were a thing I used a Wingate, a router program that ran on top of Windows. Yes, I know Windows eventually got internet connection sharing but this was before that plus it allowed one to initiate dialup from a client machine.

    Anyway… I didn’t think I would ever go back to using a full desktop PC as a router. Too power inefficient right? Back in those days I was running WinGate, AMD KC-III… you could almost fry eggs on top of those things!

    Well.. I bought a device to measure how much current devices use and it looked like a now-old, but way newer than those old days machine I got free from work was going to cost less than $3 to run all year long.

    So.. I tried OPNSense.

    OMG.. this thing actually works. It’s been going a few years now!

    NEVER going back to the various X-WRTs!

    1. I used OpenWrt with WireGuard VPN for a month this summer. Installed it on a couple of old routers I had lying around. The Cisco 1200 with 64MB RAM would work but after a while would lock up. Then I installed it on a more modern Buffalo, I believe with 128 RAM and more CPU power, and it worked for more than a month with no interruptions.

    2. OpenWrt can do what OPNsense is doing (in fact I moved from pfSense to OpenWrt because something was not working with BSD).
      Recently the ~$100 GL-INET Flint 2 (MT6000) is a dual 2.5GbE WiFi 6 router with OpenWrt support; the WireGuard performance can go up to 900Mbps, which is really good for home use.

  5. Just giving my thumbs up for pfSense/opnSense

    Raspberry Pis are great if you need low power and tiny Linux machines, but they get pressed into duties that there are simply better solutions for.

    Pretty much any used computer can run pfSense (with comically low resource utilization), and give you almost any feature you would want at home – I’m running my network on not much more than a toaster, and have network-wide ad/tracker blocking, 15 subnets, multiple WireGuard VPNs, a robust firewall between everything… I could go on.
    Multiple NICs is ideal, but you can run everything (wan connection, WAPs, wired LAN) using a single nic with a cheapo managed switch and some trunk ports.

    Even if the cost of a pi-based solution is a little cheaper, the reliability and performance of a pfSense solution is going to be miles better.

    Again, unless size or power is a main design consideration, a used mini PC is always going to beat the pi

  6. This is great, but without adequate security on the device, it is just an open invitation to being attacked.

    I’d strongly suggest putting some serious security on one of these if you’re building one. Start by encrypting the SD Card, at a minimum.

    For better security, use LUKS with a Zymkey HSM (and enable the tamper-resistant features of that device!) so that you can be sure that the device, its OS, and all configuration remain secure and unaltered.

    I mean, if you’re making a secure VPN router, make it secure right?

    dg
