# How to set up a VPN router using Meshnet ## Introduction [VPN routers](https://nordvpn.com/flashrouters/) are quite common items in many households. This popularity stems from the ease of use and management — they offer full network protection without installing VPN apps on individual devices. Additionally, you can protect devices that don’t natively support VPN apps, such as SmartTVs running TizenOS or WebOS. In a standard situation, to [set up a VPN on a router](https://nordvpn.com/blog/setup-vpn-router/), you have to upload a VPN server’s configuration file to the router. This keeps the connection restricted to a single server and changing it can be tedious. If you already have a Linux device like a [Raspberry Pi](https://www.raspberrypi.com/), you can configure your own VPN router instead. This keeps you in full control of the configuration, allows swift management of the connection, and provides insight into the world of networking. By using [Meshnet](https://nordvpn.com/meshnet/) and its [traffic routing](https://meshnet.nordvpn.com/features/routing-traffic-in-meshnet) capabilities, you can create your [own VPN server](https://meshnet.nordvpn.com/how-to/traffic-routing) and connect the router to it at no additional cost. Such a setup allows you to reap the benefits of traffic routing on devices that cannot run Meshnet directly. This guide showcases how you can use a Linux device as a VPN router with the help of Meshnet. ## Before you begin Make sure that you have: * A Linux device with an ethernet connection and a Wi-Fi adapter. * Access to the Linux device’s command line (can be an [SSH connection](https://meshnet.nordvpn.com/how-to/remote-access/access-remote-systems-over-ssh)). * A traffic routing [host device](https://meshnet.nordvpn.com/features/routing-traffic-in-meshnet#feature-availability) that will act as [your VPN server](https://meshnet.nordvpn.com/traffic-routing/set-up-your-own-vpn-server#using-your-own-device-as-a-vpn-server). {% hint style="info" %} **Note** In this article, a Raspberry Pi 4 running Raspberry Pi OS Lite 64-bit will be used as the router device. {% endhint %} ### Update the system and set your WLAN country Ensure that your system is up to date and that the correct [wireless local area network](https://nordvpn.com/cybersecurity/glossary/wireless-local-area-network/) (WLAN) country is selected. From the router device’s terminal: 1. Fetch and install all available updates for your system by running the following command:

sudo apt update && sudo apt full-upgrade -y

2. Once the process is finished, reboot your device. You can use the `sudo reboot now` command for this. 3. Upon reboot, open the Raspberry Pi configuration tool with this command:

sudo raspi-config

4. Navigate to **Localisation options** > **WLAN country**. 5. Choose the country you are currently in and press **Enter**.

United States selected in the WLAN country selection dialog.

6. Select **Finish** to exit the configuration tool. Your device is now ready to create a new Wi-Fi network. {% hint style="info" %} **Note** The steps for setting the WLAN country may differ depending on the device and Linux distribution you are using. Consult your system’s documentation for detailed instructions. {% endhint %} ## Create a hotspot connection To share a VPN connection, you need to create a new Wi-Fi network that your client devices could connect to. Below you can find two distinct methods for doing so — one using an all-in-one utility called [RaspAP](https://raspap.com/), and the other using [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager). Choose whichever one fits your setup better. ### Method 1: Using RaspAP RaspAP is a simple tool that turns your Linux device into a wireless access point. It is compatible with most [Debian-based systems](https://docs.raspap.com/#compatible-operating-systems) and can be installed on bare metal or run as a [Docker container](https://docs.raspap.com/docker/). This section will focus on installing RaspAP directly onto the system. #### Install RaspAP You can install RaspAP by using the quick installation script via this command: ```bash curl -sL https://install.raspap.com | bash ``` You will be asked if you want to install certain add-ons during the installation. Provide your answer by using the **Y** and **N** keys and pressing **Enter**. Once the installation is complete, you will be prompted to reboot your device. {% hint style="info" %} **Note** If you prefer to do the installation by yourself rather than using the installation script, you can follow the manual installation steps from the [RaspAP documentation](https://docs.raspap.com/manual/). {% endhint %} #### Access the RaspAP web interface After rebooting, your device will create a new wireless network called `raspi-webgui`.

Available Wi-Fi network titled "raspi-webgui".

To access the RaspAP web interface from another device, connect to the created network using the password `ChangeMe`. Once connected, take these steps: 1. Open your internet browser. 2. In the URL bar, enter `10.3.141.1` and press **Enter**. 3. In the login prompt, enter the default RaspAP web interface credentials. * Username: `admin` * Password: `secret` Now you can control your new router right from the web browser.

RaspAP dashboard visible in a browser window.

{% hint style="success" %} **Tip** Remember to change the default web login password to a different, secure one. To do so, from the menu on the left, select **Authentication**, enter your old and new passwords, and click **Save settings**. {% endhint %} #### Secure the Wi-Fi connection To secure your new Wi-Fi network, change the default SSID and password. 1. On your RaspAP web interface, from the menu on the left, select **Hotspot**. 2. In the **SSID** field, enter a custom name for your Wi-Fi network.

SSID field with a custom name highlighted.

3. Switch to the **Security** tab. 4. In the **PSK** field, replace the pre-filled password with your preferred password for the Wi-Fi network.

PSK field with a new password highlighted.

5. Click **Save settings** and **Restart hotspot**. You should now see a new Wi-Fi network with the custom SSID instead of the previous `raspi-webgui` network.

Available Wi-Fi network titled "meshnet-router".

Connect the devices that will use the VPN connection to your newly created Wi-Fi network and proceed to the [Set up Meshnet](#set-up-meshnet) section below. {% hint style="success" %} **Tip** If your device is compatible, consider using the 5 GHz wireless band for improved connection speeds. Select it from the **Wireless mode** dropdown list on the **Hotspot** settings menu. {% endhint %} ### Method 2: Using NetworkManager NetworkManager offers a quick and easy method to create a Wi-Fi network. It can be controlled through [nmcli](https://networkmanager.dev/docs/api/latest/nmcli.html), a command line tool for managing all aspects of the networking service. Follow the steps below to create a new wireless network using `nmcli`: 1. Open **Terminal**. 2. Check whether NetworkManager recognizes your Wi-Fi adapter by running the following command: ```bash nmcli device ``` Under the **Devices** column, you should see `wlan0`.

Terminal output of the 'nmcli device' command and the 'wlan0' entry underlined.

3. Create a new hotspot network with the command provided below. Replace `` with a custom SSID, and `` with a secure password to access the Wi-Fi network.

sudo nmcli device wifi hotspot ssid <NAME> password <PASSWORD> ifname wlan0

\ **Example**

sudo nmcli device wifi hotspot ssid meshnet-wifi password s3cur3-w1f1-p4ssw0rd ifname wlan0

4. Verify that the new network has been created with the `nmcli connection` command.

Terminal output of the 'nmcli connection' command and the "Hotspot" entry underlined.

Your nearby devices should now see the newly created Wi-Fi network with the custom name.

Available Wi-Fi network titled "meshnet-wifi".

This network will share your router device’s internet connection. All you need to do is start routing traffic, and NetworkManager will take care of all the network forwarding to begin transmitting the VPN connection. Continue to the [Set up Meshnet](#set-up-meshnet) section below for further guidance. ## Set up Meshnet With the networking configurations taken care of, you can install NordVPN and enable Meshnet to finalize the setup. ### Install NordVPN Follow these steps to install NordVPN on your Linux router device: 1. Download and install the NordVPN Linux client by running the command below.

sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)

2. Log in to your NordVPN account. ### Log in to NordVPN You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways: * By running the `nordvpn login` command with the `--token` flag * By running the `nordvpn login` command with the `--callback` flag Instructions for both methods are outlined below.

1. On any device, log in to your [Nord Account](https://my.ndaccount.com/) dashboard and select the **Meshnet (by NordVPN)** card.

"Meshnet (by NordVPN)" card highlighted.

2. Under **Advanced settings**, select **Get access token**.

Clicking the 'Set up NordVPN manually' button.

3. Enter the verification code sent to your email address. 4. Under **Access token**, click **Generate new token**.

5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select **Generate token**.

6. Select **Copy and close**. 7. On your router device, run the `nordvpn login --token ` command, replacing `` with the copied token.\ \ **Example**

nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b

You should now see a welcome message.

1. Run the following command: ``` nordvpn login ``` 2. Open the provided link on any device in your browser. 3. Complete the login procedure. 4. Right-click the **Continue** button and select **Copy link address**. 5. Run the `nordvpn login --callback ""` command, replacing `` with the previously copied link address.\ \ **Example**

nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"

You should now see a welcome message.

{% hint style="info" %} **Note** If you encounter the error message `Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock`, enter `sudo usermod -aG nordvpn $USER`. Then, reboot your device and log back in. {% endhint %} {% hint style="success" %} **Tip** To preserve your token when logging out of the NordVPN app, use the `nordvpn logout --persist-token` command. Otherwise, your token will be revoked. {% endhint %} ### Enable Meshnet Upon logging in, you can [enable Meshnet on Linux](https://meshnet.nordvpn.com/getting-started/how-to-start-using-meshnet/using-meshnet-on-linux#enable-meshnet-on-linux) by typing this command: {% code overflow="wrap" %} ```bash nordvpn set meshnet on ``` {% endcode %} To check your server’s Nord name and the Meshnet IP address, enter the following command: {% code overflow="wrap" %} ```bash nordvpn meshnet peer list ``` {% endcode %} **Example**

You will also see your Meshnet peer devices with their [corresponding permissions](https://meshnet.nordvpn.com/features/explaining-permissions). ## Share the VPN connection {% hint style="info" %} **Note** Ensure that the device you want to route traffic through has granted your device the [traffic routing permission](https://meshnet.nordvpn.com/features/explaining-permissions/traffic-routing-permissions). {% endhint %} Lastly, you should modify the app’s settings to allow connections from local devices and establish a traffic routing connection to share it with nearby devices. 1. On the router device, add the IP range of your new wireless network to the NordVPN firewall’s allowlist. * If you set up the Wi-Fi network using RaspAP, use this command:

nordvpn allowlist add subnet 10.4.0.0/16 #For RaspAP

* If you configured the hotspot using NetworkManager, run the command below:

nordvpn allowlist add subnet 10.42.0.0/16 #For NetworkManager

2. To retain local access to the router device, add your local network’s IP range to the allowlist with the following command, where `` is your [local area network](https://nordvpn.com/blog/what-is-lan/) (LAN) subnet:

nordpvn allowlist add subnet <network>

\ **Example**

nordvpn allowlist add subnet 192.168.0.0/16

3. Locate your VPN server device's Nord name using the `nordvpn meshnet peer list` command.

4. Initiate a traffic routing connection by running the following command, replacing `` with your VPN server’s Nord name.

nordvpn meshnet peer connect <server>

\ **Example**

The configuration is now fully complete. All devices connected to your Linux router’s Wi-Fi network will gain the public IP address of the traffic routing VPN connection.