Turn your Raspberry Pi into a VPN Router using Private Internet Access (PIA) as your outbound VPN with the added bonus of a Kill Switch.

Up front, this is not my doing. I'm using the code provided by superjamie as found on the GitHub Gist page. I'm placing it on here because I keep losing the link (not very organized I guess). His page hasn't been updated for some time so there's some newer info below too.

superjamie calls for an installation of Raspbian Jessie on your RPi, however, I'm using Ubuntu Server 18.04 as my OS without issue. First thing we'll do (after you've updated your system, that is) is to install OpenVPN:

sudo apt install openvpn -y

Then download the PIA OpenVPN profiles and unzip them into a new openvpn folder:

wget https://www.privateinternetaccess.com/openvpn/openvpn.zip

sudo apt install unzip

unzip openvpn.zip -d openvpn

Next we're going to copy the CA certificate and the certificate revocation list into /etc/openvpn, which is also where our custom .conf file will live:

sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/

To create your .conf file you'll want to choose the right profile. Myself, I'm on the East Coast of the U.S. so I'll be using the US East profile. To make it easier to work with I'm going to change the name from US East to USEast (no space); also note the change from .ovpn to .conf:

sudo cp 'openvpn/US East.ovpn' /etc/openvpn/USEast.conf

Next, get your PIA login info and create a file called login via sudo nano /etc/openvpn/login. Put your username on the first line and your password on the second, nothing else:

UserName
PassWord

Save that file and restrict its permissions so that only root can read it (it holds your PIA password in clear text, and OpenVPN runs as root when started by systemd, so root is the only reader it needs):

sudo chmod 600 /etc/openvpn/login

Now we need our new .conf file to talk to/use our login info. So let's edit that via

sudo nano /etc/openvpn/USEast.conf

NOTE: If you're using older .ovpn files you can do a one-for-one swap, replacing the relative paths with absolute ones. Remove these lines:

ca ca.rsa.2048.crt
auth-user-pass
crl-verify crl.rsa.2048.pem

and change them to:

ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem

NOTE: If you're using newer .ovpn files (if you're doing this after November 2018 you're using the newer files) you won't see ca ca.rsa.2048.crt or crl-verify crl.rsa.2048.pem. This is what you will see:

(screenshot: USEast.conf pre-edit)

You'll notice that the only thing in here we need to change is the auth-user-pass line. Remove that single line and then add these three lines:

ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem

And it will look like this:

(screenshot: USEast.conf post-edit)

Save that file. Now, let's test our VPN in the foreground via

sudo openvpn --config /etc/openvpn/USEast.conf

If all is well the log will end with a line reading Initialization Sequence Completed; an AUTH_FAILED or a TLS error at this point means the login file or the ca/crl paths are wrong.

Quit that via Ctrl + c and let's make it load on boot. openvpn@.service is a systemd template unit; the part after the @ is the name of the .conf file in /etc/openvpn, so for our USEast.conf that is

sudo systemctl enable openvpn@USEast.service
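Before moving on to routing, here is the profile-and-credential part of the procedure (copying the certificates, rewriting the profile with absolute paths, locking down the login file) as one script. This is an added example, not code from the original post or from superjamie's gist. It handles both the older profiles (which carry ca and crl-verify lines) and the newer ones (which only carry auth-user-pass), and adds a check that every file the .conf references exists and that login is mode 600. The function names, and the optional target-directory argument (so it can be tried somewhere other than /etc/openvpn, without root), are this script's own conventions; the profile it builds in --demo mode is a constructed stand-in, not PIA's real file.

```bash
#!/bin/bash
# Added example, not from the original post or superjamie's gist: the PIA
# profile and credential steps as one script, with a sanity check at the end.
# Function names and the optional target directory are this script's own
# conventions (they let it run somewhere other than /etc/openvpn, without root).
set -eu

# pia_make_conf <unzipped profile dir> <region as named in the zip> [target dir]
# Writes <target>/<Region without spaces>.conf and prints its path.
pia_make_conf() {
    local src="$1" region="$2" dest="${3:-/etc/openvpn}"
    local name="${region// /}"                 # "US East" -> "USEast"
    local ovpn="$src/$region.ovpn" conf="$dest/$name.conf"

    [ -f "$ovpn" ] || { echo "no such profile: $ovpn" >&2; return 1; }
    mkdir -p "$dest"
    # CA and CRL ship in the zip and are public, so default permissions are fine.
    cp "$src/ca.rsa.2048.crt" "$src/crl.rsa.2048.pem" "$dest/"

    # Drop any ca / crl-verify / auth-user-pass lines (old profiles have all
    # three, new ones only the last) and append the absolute-path versions.
    grep -Ev '^(ca|crl-verify|auth-user-pass)([[:space:]]|$)' "$ovpn" > "$conf"
    {
        echo "ca $dest/ca.rsa.2048.crt"
        echo "auth-user-pass $dest/login"
        echo "crl-verify $dest/crl.rsa.2048.pem"
    } >> "$conf"
    echo "$conf"
}

# pia_write_login [target dir] <username> <password>
# Creates the file under umask 077 so the password is never world-readable,
# not even between the write and the chmod.
pia_write_login() {
    local dest="${1:-/etc/openvpn}" user="$2" pass="$3"
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$dest/login" )
    chmod 600 "$dest/login"
}

# pia_check_conf <conf>
# Returns 0 if every file the .conf references exists and the login file is
# mode 600; worth running before enabling the service.
pia_check_conf() {
    local conf="$1" key path mode
    while read -r key path; do
        case "$key" in
            ca|crl-verify|auth-user-pass)
                [ -f "$path" ] || { echo "missing $key file: $path" >&2; return 1; } ;;
        esac
    done < "$conf"
    path=$(awk '$1=="auth-user-pass"{print $2}' "$conf")
    mode=$(stat -c %a "$path")
    [ "$mode" = 600 ] || { echo "$path is mode $mode, want 600" >&2; return 1; }
}

# Usage: sudo ./pia-conf.sh openvpn "US East"    (then pia_write_login by hand)
# With --demo it runs against a constructed stand-in profile in a temp dir.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/openvpn"
    # Constructed new-style profile: only the lines that matter here, not PIA's real file.
    printf 'client\ndev tun\nproto udp\nremote us-east.privateinternetaccess.com 1198\nauth-user-pass\nverb 1\n' \
        > "$tmp/openvpn/US East.ovpn"
    echo 'constructed placeholder' > "$tmp/openvpn/ca.rsa.2048.crt"
    echo 'constructed placeholder' > "$tmp/openvpn/crl.rsa.2048.pem"
    conf=$(pia_make_conf "$tmp/openvpn" "US East" "$tmp/etc/openvpn")
    pia_write_login "$tmp/etc/openvpn" UserName PassWord
    pia_check_conf "$conf"
    cat "$conf"
elif [ $# -ge 2 ]; then
    pia_make_conf "$@"
fi
```

Run it with --demo to see the generated .conf without touching the system; for real use, run pia_make_conf as root against the unzipped folder, write the login file, then run pia_check_conf on the result before the systemctl enable step.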

Next we'll enable IPv4 forwarding so the Pi can route for other hosts, via

echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf

and then load the new setting via

sudo sysctl -p

Make sure your LAN uses the VPN via the rules below. They assume your wired interface is eth0; check with ip link, and if your OS names it something else (enp..., for example) substitute that name here and in the kill switch later on:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Now, we want to make these persist across reboots; install iptables-persistent:

sudo apt install iptables-persistent

When asked if you want to save the current rules (for both IPv4 and IPv6) select yes.

Let's apply these to start on boot via

sudo systemctl enable netfilter-persistent

Let's now install our kill switch. In short, this stops all traffic the Pi itself sends out on eth0 if the VPN fails or disconnects, apart from what it needs to bring the tunnel back up (DNS, NTP and the OpenVPN port) and local LAN/SSH traffic. If you find that, say, overnight, you no longer have connectivity, just reboot your system. For me, PIA disconnected me about every 48 hours so I set up a cron job to reboot every 24 hours. At any rate, here's the kill switch:

sudo iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -j DROP

Two things to check before you save: 192.168.1.0/24 must be your actual LAN subnet, and 1198/udp must match the port and proto on the remote line of your .conf, otherwise OpenVPN itself will be blocked and can never reconnect. Two limitations to be aware of: these rules only fence traffic the Pi generates (the OUTPUT chain), so packets forwarded for LAN clients are not covered by them, and the two DNS rules let lookups leave via eth0 in the clear (they are there so the PIA hostname can be resolved before the tunnel exists), so point the Pi, and any LAN clients, at a resolver reached through the tunnel once it is up. Then it's just a matter of keeping this thing on via

sudo netfilter-persistent save
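Here are the forwarding rules and the kill switch from the two rule lists above as one idempotent script. This is an added example, not code from the original post or from superjamie's gist. Instead of hard-coding 1198/udp, 192.168.1.0/24 and eth0, it reads the port and protocol from the .conf (so they can never drift apart) and takes the LAN subnet and interface names as arguments. It also adds a FORWARD drop that the original does not have: the original kill switch only fences the Pi's own traffic, so with tun0 down a LAN client using the Pi as its gateway could still be forwarded out eth0. Function names and the DRY_RUN switch are this script's own conventions, and the profile used in --demo mode is a constructed stand-in.

```bash
#!/bin/bash
# Added example, not from the original post or superjamie's gist: forwarding
# rules plus kill switch as one function, parameters read from the .conf and
# the command line. Function names and DRY_RUN are this script's conventions.
set -eu

# Port comes from 'remote <host> <port>', protocol from 'proto' (udp4/tcp6
# style suffixes stripped); OpenVPN's own defaults (1194, udp) apply otherwise.
pia_remote_port()  { awk '$1=="remote" && $3 ~ /^[0-9]+$/ {print $3; exit}' "$1"; }
pia_remote_proto() { awk '$1=="proto" {sub(/[46]$/, "", $2); print $2; exit}' "$1"; }

# ipt <args>: run iptables, or with DRY_RUN=1 print the command instead, so
# the whole ruleset can be reviewed without root before it is applied.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# vpn_router_rules <conf> <lan cidr> [wan iface=eth0] [vpn iface=tun0]
vpn_router_rules() {
    local conf="$1" lan="$2" wan="${3:-eth0}" vpn="${4:-tun0}"
    local port proto
    grep -q '^remote[[:space:]]' "$conf" || { echo "no remote line in $conf" >&2; return 1; }
    port=$(pia_remote_port "$conf");   : "${port:=1194}"
    proto=$(pia_remote_proto "$conf"); : "${proto:=udp}"

    # Flush the chains we own so re-running never stacks duplicate rules.
    # (If something else manages FORWARD/OUTPUT on this box, merge instead.)
    ipt -t nat -F POSTROUTING
    ipt -F FORWARD
    ipt -F OUTPUT

    # LAN -> tunnel: NAT behind the VPN address, let new flows in, replies back.
    ipt -t nat -A POSTROUTING -o "$vpn" -j MASQUERADE
    ipt -A FORWARD -i "$wan" -o "$vpn" -j ACCEPT
    ipt -A FORWARD -i "$vpn" -o "$wan" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Kill switch for forwarded traffic (not in the original): LAN clients may
    # still reach the LAN, but nothing forwarded for them leaves via the WAN.
    ipt -A FORWARD -o "$wan" -d "$lan" -j ACCEPT
    ipt -A FORWARD -o "$wan" -j DROP

    # Kill switch for the Pi's own traffic: same allow-list as the post.
    ipt -A OUTPUT -o "$vpn" -m comment --comment vpn -j ACCEPT
    ipt -A OUTPUT -o "$wan" -p icmp -m comment --comment icmp -j ACCEPT
    ipt -A OUTPUT -o "$wan" -d "$lan" -m comment --comment lan -j ACCEPT
    ipt -A OUTPUT -o "$wan" -p "$proto" --dport "$port" -m comment --comment openvpn -j ACCEPT
    ipt -A OUTPUT -o "$wan" -p tcp --sport 22 -m comment --comment ssh -j ACCEPT
    ipt -A OUTPUT -o "$wan" -p udp --dport 123 -m comment --comment ntp -j ACCEPT
    # DNS must be allowed on the WAN so the PIA hostname resolves before the
    # tunnel exists; the price is that lookups made while tun0 is down go out
    # in the clear, so use a resolver behind the tunnel once it is up.
    ipt -A OUTPUT -o "$wan" -p udp --dport 53 -m comment --comment dns -j ACCEPT
    ipt -A OUTPUT -o "$wan" -p tcp --dport 53 -m comment --comment dns -j ACCEPT
    ipt -A OUTPUT -o "$wan" -j DROP
}

# Usage: sudo ./vpn-rules.sh /etc/openvpn/USEast.conf 192.168.1.0/24 [eth0] [tun0]
#        DRY_RUN=1 ./vpn-rules.sh ...   prints the rules instead of applying them
# With --demo it prints the ruleset for a constructed stand-in profile.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    # Constructed profile with only the lines this script reads; not PIA's real file.
    printf 'client\nproto udp\nremote us-east.privateinternetaccess.com 1198\n' > "$tmp/USEast.conf"
    DRY_RUN=1 vpn_router_rules "$tmp/USEast.conf" 192.168.1.0/24
elif [ $# -ge 2 ]; then
    vpn_router_rules "$@"
fi
```

Review the output of a DRY_RUN=1 pass first, apply as root, then run sudo netfilter-persistent save as above. The FORWARD drop is only relevant once LAN clients actually use the Pi as their gateway; it costs nothing if they do not.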

You're done... well, you need to reboot your machine, then you're done. You now have a PIA-enabled VPN. Once your machine reboots you can check your IP any time via a simple curl command:

curl -s ifconfig.co

This will give you the current public IP address of that machine. It should be a PIA address, not the one your ISP gave you. If it is your normal address, the tunnel is not up and the kill switch is not doing its job either, because curl got out over eth0; if the tunnel is down and the kill switch is working, the command simply hangs or fails.

If you want to route your LAN traffic through this please see the GitHub page here.

~Cheers!