How to set up a VPN router using Meshnet
Learn how to transform a Linux device into a VPN router using Meshnet’s traffic routing capabilities.
Last updated
Learn how to transform a Linux device into a VPN router using Meshnet’s traffic routing capabilities.
Last updated
© 2024 Nord Security. All Rights Reserved.
VPN routers are quite common items in many households. This popularity stems from the ease of use and management — they offer full network protection without installing VPN apps on individual devices. Additionally, you can protect devices that don’t natively support VPN apps, such as SmartTVs running TizenOS or WebOS.
In a standard situation, to set up a VPN on a router, you have to upload a VPN server’s configuration file to the router. This keeps the connection restricted to a single server and changing it can be tedious. If you already have a Linux device like a Raspberry Pi, you can configure your own VPN router instead. This keeps you in full control of the configuration, allows swift management of the connection, and provides insight into the world of networking.
By using Meshnet and its traffic routing capabilities, you can create your own VPN server and connect the router to it at no additional cost. Such a setup allows you to reap the benefits of traffic routing on devices that cannot run Meshnet directly.
This guide showcases how you can use a Linux device as a VPN router with the help of Meshnet.
Make sure that you have:
A Linux device with an ethernet connection and a Wi-Fi adapter.
Access to the Linux device’s command line (can be an SSH connection).
A traffic routing host device that will act as your VPN server.
Note
In this article, a Raspberry Pi 4 running Raspberry Pi OS Lite 64-bit will be used as the router device.
Ensure that your system is up to date and that the correct wireless local area network (WLAN) country is selected. From the router device’s terminal:
Fetch and install all available updates for your system by running the following command:
Once the process is finished, reboot your device. You can use the sudo reboot now
command for this.
Upon reboot, open the Raspberry Pi configuration tool with this command:
Navigate to Localisation options > WLAN country.
Choose the country you are currently in and press Enter.
Select Finish to exit the configuration tool.
Your device is now ready to create a new Wi-Fi network.
Note
The steps for setting the WLAN country may differ depending on the device and Linux distribution you are using. Consult your system’s documentation for detailed instructions.
To share a VPN connection, you need to create a new Wi-Fi network that your client devices could connect to. Below you can find two distinct methods for doing so — one using an all-in-one utility called RaspAP, and the other using NetworkManager. Choose whichever one fits your setup better.
RaspAP is a simple tool that turns your Linux device into a wireless access point. It is compatible with most Debian-based systems and can be installed on bare metal or run as a Docker container. This section will focus on installing RaspAP directly onto the system.
You can install RaspAP by using the quick installation script via this command:
You will be asked if you want to install certain add-ons during the installation. Provide your answer by using the Y and N keys and pressing Enter.
Once the installation is complete, you will be prompted to reboot your device.
Note
If you prefer to do the installation by yourself rather than using the installation script, you can follow the manual installation steps from the RaspAP documentation.
After rebooting, your device will create a new wireless network called raspi-webgui
.
To access the RaspAP web interface from another device, connect to the created network using the password ChangeMe
. Once connected, take these steps:
Open your internet browser.
In the URL bar, enter 10.3.141.1
and press Enter.
In the login prompt, enter the default RaspAP web interface credentials.
Username: admin
Password: secret
Now you can control your new router right from the web browser.
Tip
Remember to change the default web login password to a different, secure one. To do so, from the menu on the left, select Authentication, enter your old and new passwords, and click Save settings.
To secure your new Wi-Fi network, change the default SSID and password.
On your RaspAP web interface, from the menu on the left, select Hotspot.
In the SSID field, enter a custom name for your Wi-Fi network.
Switch to the Security tab.
In the PSK field, replace the pre-filled password with your preferred password for the Wi-Fi network.
Click Save settings and Restart hotspot.
You should now see a new Wi-Fi network with the custom SSID instead of the previous raspi-webgui
network.
Connect the devices that will use the VPN connection to your newly created Wi-Fi network and proceed to the Set up Meshnet section below.
Tip
If your device is compatible, consider using the 5 GHz wireless band for improved connection speeds. Select it from the Wireless mode dropdown list on the Hotspot settings menu.
NetworkManager offers a quick and easy method to create a Wi-Fi network. It can be controlled through nmcli, a command line tool for managing all aspects of the networking service.
Follow the steps below to create a new wireless network using nmcli
:
Open Terminal.
Check whether NetworkManager recognizes your Wi-Fi adapter by running the following command:
Under the Devices column, you should see wlan0
.
Create a new hotspot network with the command provided below. Replace <NAME>
with a custom SSID, and <PASSWORD>
with a secure password to access the Wi-Fi network.
Example
Verify that the new network has been created with the nmcli connection
command.
Your nearby devices should now see the newly created Wi-Fi network with the custom name.
This network will share your router device’s internet connection. All you need to do is start routing traffic, and NetworkManager will take care of all the network forwarding to begin transmitting the VPN connection. Continue to the Set up Meshnet section below for further guidance.
With the networking configurations taken care of, you can install NordVPN and enable Meshnet to finalize the setup.
Follow these steps to install NordVPN on your Linux router device:
Download and install the NordVPN Linux client by running the command below.
Log in to your NordVPN account.
You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:
By running the nordvpn login
command with the --token
flag
By running the nordvpn login
command with the --callback
flag
Instructions for both methods are outlined below.
Note
If you encounter the error message Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock
, enter sudo usermod -aG nordvpn $USER
. Then, reboot your device and log back in.
Tip
To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token
command. Otherwise, your token will be revoked.
Upon logging in, you can enable Meshnet on Linux by typing this command:
To check your server’s Nord name and the Meshnet IP address, enter the following command:
Example
You will also see your Meshnet peer devices with their corresponding permissions.
Note
Ensure that the device you want to route traffic through has granted your device the traffic routing permission.
Lastly, you should modify the app’s settings to allow connections from local devices and establish a traffic routing connection to share it with nearby devices.
On the router device, add the IP range of your new wireless network to the NordVPN firewall’s allowlist.
If you set up the Wi-Fi network using RaspAP, use this command:
If you configured the hotspot using NetworkManager, run the command below:
To retain local access to the router device, add your local network’s IP range to the allowlist with the following command, where <network>
is your local area network (LAN) subnet:
Example
Locate your VPN server device's Nord name using the nordvpn meshnet peer list
command.
Initiate a traffic routing connection by running the following command, replacing <server>
with your VPN server’s Nord name.
Example
The configuration is now fully complete. All devices connected to your Linux router’s Wi-Fi network will gain the public IP address of the traffic routing VPN connection.