How to set up a VPN router using Meshnet

Learn how to transform a Linux device into a VPN router using Meshnet’s traffic routing capabilities.

Introduction

VPN routers are quite common items in many households. This popularity stems from the ease of use and management — they offer full network protection without installing VPN apps on individual devices. Additionally, you can protect devices that don’t natively support VPN apps, such as SmartTVs running TizenOS or WebOS.

In a standard situation, to set up a VPN on a router, you have to upload a VPN server’s configuration file to the router. This keeps the connection restricted to a single server and changing it can be tedious. If you already have a Linux device like a Raspberry Pi, you can configure your own VPN router instead. This keeps you in full control of the configuration, allows swift management of the connection, and provides insight into the world of networking.

By using Meshnet and its traffic routing capabilities, you can create your own VPN server and connect the router to it at no additional cost. Such a setup allows you to reap the benefits of traffic routing on devices that cannot run Meshnet directly.

This guide showcases how you can use a Linux device as a VPN router with the help of Meshnet.

Before you begin

Make sure that you have:

Note

In this article, a Raspberry Pi 4 running Raspberry Pi OS Lite 64-bit will be used as the router device.

Update the system and set your WLAN country

Ensure that your system is up to date and that the correct wireless local area network (WLAN) country is selected. From the router device’s terminal:

  1. Fetch and install all available updates for your system by running the following command:

    sudo apt update && sudo apt full-upgrade -y

  2. Once the process is finished, reboot your device. You can use the sudo reboot now command for this.

  3. Upon reboot, open the Raspberry Pi configuration tool with this command:

    sudo raspi-config

  4. Navigate to Localisation options > WLAN country.

  5. Choose the country you are currently in and press Enter.

    United States selected in the WLAN country selection dialog.

  6. Select Finish to exit the configuration tool.

Your device is now ready to create a new Wi-Fi network.

Note

The steps for setting the WLAN country may differ depending on the device and Linux distribution you are using. Consult your system’s documentation for detailed instructions.

Create a hotspot connection

To share a VPN connection, you need to create a new Wi-Fi network that your client devices could connect to. Below you can find two distinct methods for doing so — one using an all-in-one utility called RaspAP, and the other using NetworkManager. Choose whichever one fits your setup better.

Method 1: Using RaspAP

RaspAP is a simple tool that turns your Linux device into a wireless access point. It is compatible with most Debian-based systems and can be installed on bare metal or run as a Docker container. This section will focus on installing RaspAP directly onto the system.

Install RaspAP

You can install RaspAP by using the quick installation script via this command:

curl -sL https://install.raspap.com | bash

You will be asked if you want to install certain add-ons during the installation. Provide your answer by using the Y and N keys and pressing Enter.

Once the installation is complete, you will be prompted to reboot your device.

Note

If you prefer to do the installation by yourself rather than using the installation script, you can follow the manual installation steps from the RaspAP documentation.

Access the RaspAP web interface

After rebooting, your device will create a new wireless network called raspi-webgui.

Available Wi-Fi network titled "raspi-webgui".

To access the RaspAP web interface from another device, connect to the created network using the password ChangeMe. Once connected, take these steps:

  1. Open your internet browser.

  2. In the URL bar, enter 10.3.141.1 and press Enter.

  3. In the login prompt, enter the default RaspAP web interface credentials.

    • Username: admin

    • Password: secret

Now you can control your new router right from the web browser.

RaspAP dashboard visible in a browser window.

Tip

Remember to change the default web login password to a different, secure one. To do so, from the menu on the left, select Authentication, enter your old and new passwords, and click Save settings.

Secure the Wi-Fi connection

To secure your new Wi-Fi network, change the default SSID and password.

  1. On your RaspAP web interface, from the menu on the left, select Hotspot.

  2. In the SSID field, enter a custom name for your Wi-Fi network.

    SSID field with a custom name highlighted.

  3. Switch to the Security tab.

  4. In the PSK field, replace the pre-filled password with your preferred password for the Wi-Fi network.

    PSK field with a new password highlighted.

  5. Click Save settings and Restart hotspot.

You should now see a new Wi-Fi network with the custom SSID instead of the previous raspi-webgui network.

Available Wi-Fi network titled "meshnet-router".

Connect the devices that will use the VPN connection to your newly created Wi-Fi network and proceed to the Set up Meshnet section below.

Tip

If your device is compatible, consider using the 5 GHz wireless band for improved connection speeds. Select it from the Wireless mode dropdown list on the Hotspot settings menu.

Method 2: Using NetworkManager

NetworkManager offers a quick and easy method to create a Wi-Fi network. It can be controlled through nmcli, a command line tool for managing all aspects of the networking service.

Follow the steps below to create a new wireless network using nmcli:

  1. Open Terminal.

  2. Check whether NetworkManager recognizes your Wi-Fi adapter by running the following command:

    nmcli device

    Under the Devices column, you should see wlan0.

    Terminal output of the 'nmcli device' command and the 'wlan0' entry underlined.

  3. Create a new hotspot network with the command provided below. Replace <NAME> with a custom SSID, and <PASSWORD> with a secure password to access the Wi-Fi network.

    sudo nmcli device wifi hotspot ssid <NAME> password <PASSWORD> ifname wlan0

    Example

    sudo nmcli device wifi hotspot ssid meshnet-wifi password s3cur3-w1f1-p4ssw0rd ifname wlan0

  4. Verify that the new network has been created with the nmcli connection command.

    Terminal output of the 'nmcli connection' command and the "Hotspot" entry underlined.

Your nearby devices should now see the newly created Wi-Fi network with the custom name.

Available Wi-Fi network titled "meshnet-wifi".

This network will share your router device’s internet connection. All you need to do is start routing traffic, and NetworkManager will take care of all the network forwarding to begin transmitting the VPN connection. Continue to the Set up Meshnet section below for further guidance.

Set up Meshnet

With the networking configurations taken care of, you can install NordVPN and enable Meshnet to finalize the setup.

Install NordVPN

Follow these steps to install NordVPN on your Linux router device:

  1. Download and install the NordVPN Linux client by running the command below.

    sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)

  2. Log in to your NordVPN account.

Log in to NordVPN

You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:

  • By running the nordvpn login command with the --token flag

  • By running the nordvpn login command with the --callback flag

Instructions for both methods are outlined below.

Log in using a token
  1. On any device, log in to your Nord Account dashboard and select the Meshnet (by NordVPN) card.

    "Meshnet (by NordVPN)" card highlighted.

  2. Under Manual setup, select Set up NordVPN manually.

    Clicking the 'Set up NordVPN manually' button.

  3. Enter the verification code sent to your email address.

  4. Under Access token, click Generate new token.

    Clicking 'Generate new token'.

  5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select Generate token.

    Selecting the token expiry option.

  6. Select Copy and close.

  7. On your router device, run the nordvpn login --token <your_token> command, replacing <your_token> with the copied token. Example

    nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b

You should now see a welcome message.

Log in using a URL
  1. Run the following command:

    nordvpn login

  2. Open the provided link on any device in your browser.

  3. Complete the login procedure.

  4. Right-click the Continue button and select Copy link address.

  5. Run the nordvpn login --callback "<URL>" command, replacing <URL> with the previously copied link address. Example

    nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"

You should now see a welcome message.

Note

If you encounter the error message Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock, enter sudo usermod -aG nordvpn $USER. Then, reboot your device and log back in.

Tip

To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.

Enable Meshnet

Upon logging in, you can enable Meshnet on Linux by typing this command:

nordvpn set meshnet on

To check your server’s Nord name and the Meshnet IP address, enter the following command:

nordvpn meshnet peer list

Example

You will also see your Meshnet peer devices with their corresponding permissions.

Share the VPN connection

Note

Ensure that the device you want to route traffic through has granted your device the traffic routing permission.

Lastly, you should modify the app’s settings to allow connections from local devices and establish a traffic routing connection to share it with nearby devices.

  1. On the router device, add the IP range of your new wireless network to the NordVPN firewall’s allowlist.

    • If you set up the Wi-Fi network using RaspAP, use this command:

      nordvpn allowlist add subnet 10.4.0.0/16 #For RaspAP

    • If you configured the hotspot using NetworkManager, run the command below:

      nordvpn allowlist add subnet 10.42.0.0/16 #For NetworkManager

  2. To retain local access to the router device, add your local network’s IP range to the allowlist with the following command, where <network> is your local area network (LAN) subnet:

    nordpvn allowlist add subnet <network>

    Example

    nordvpn allowlist add subnet 192.168.0.0/16

  3. Locate your VPN server device's Nord name using the nordvpn meshnet peer list command.

  4. Initiate a traffic routing connection by running the following command, replacing <server> with your VPN server’s Nord name.

    nordvpn meshnet peer connect <server>

    Example

The configuration is now fully complete. All devices connected to your Linux router’s Wi-Fi network will gain the public IP address of the traffic routing VPN connection.

Last updated

© 2024 Nord Security. All Rights Reserved.