Why build a VPN router on Raspberry Pi instead of using a regular VPN

Which devices cannot be protected with a VPN app

Many devices, such as Smart TV, gaming consoles (PS5, Xbox), Apple TV, and various IoT devices, do not support installing VPN clients. This means they cannot directly connect to a VPN server, which creates problems when trying to bypass blocks or secure your home network.

Pros and cons of a DIY router vs a commercial VPN router

Building a VPN router based on Raspberry Pi gives full control and flexibility. You can configure it to your needs and use various protocols. But it requires time and skills. Commercial routers such as GL.iNet are easier to set up and have a ready-made interface, but they are less flexible and often more expensive.

When Raspberry Pi is an overkill solution

Raspberry Pi can be overkill if your needs are simple — for example, protecting only one device. In such cases it is better to use a ready-made solution or a VPN client on the device, if supported.

What you will need: hardware, firmware, and protocol choice

Which Raspberry Pi to choose: Pi 4, Pi 5, or Pi Zero 2W

Raspberry Pi 4 with 2GB RAM is the optimal choice for a VPN router. It is powerful enough to handle traffic at speeds up to gigabit and costs around $40. Pi 5 is faster but more expensive and overkill for most home networks. Pi Zero 2W is too slow for encryption, suitable only for speeds up to 50 Mbps.

Do you need a second network adapter (USB Ethernet or Wi-Fi)

If the Pi will sit between the ISP router and your network, a second network adapter such as USB Ethernet will be required. This allows you to separate the WAN and LAN interfaces, ensuring a stable connection.

OpenWrt vs Raspberry Pi OS: what to install on the router

Raspberry Pi OS Lite is the best choice for those who want maximum control and are comfortable working with the command line. OpenWrt offers a convenient web interface and is better suited for less experienced users.

WireGuard vs OpenVPN vs Shadowsocks: what works in Russia in 2026

WireGuard is a fast and efficient protocol, but is often blocked by DPI in Russia. Shadowsocks and VLESS/XRay are more resistant to blocking because they disguise traffic as HTTPS.

Step-by-step WireGuard installation on Raspberry Pi OS

Initial Raspberry Pi OS Lite setup

Install Raspberry Pi OS Lite on a microSD card. Connect the Pi to the network and run a system update:

sudo apt update&& sudo apt upgrade.Installing WireGuard and generating keys

Install WireGuard:

sudo apt install wireguard. Generate keys:wg genkey | tee privatekey | wg pubkey > publickey.Configuring IP forwarding and iptables NAT

Enable IP forwarding:

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf. Configure iptables:sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE.wg0.conf configuration: client side

Create the file

/etc/wireguard/wg0.conf with the settings. Include your keys and IP addresses. Example:

:51820Auto-starting WireGuard at system boot

Add WireGuard to autostart:

sudo systemctl enable wg-quick@wg0.Verification: all traffic goes through the VPN

Make sure all traffic goes through the VPN:

curl ifconfig.me should show your VPN's external IP. Check for DNS leaks usingnslookup google.com.Setting up Pi as a router: DHCP, DNS, and routing for the entire network

Installing dnsmasq: DHCP and DNS server on Pi

Install dnsmasq to manage DHCP and DNS:

sudo apt install dnsmasq. Configure the file/etc/dnsmasq.conf to distribute IP addresses.Distributing IP addresses to devices through Pi

Configure the IP address range:

dhcp-range=192.168.1.10,192.168.1.100,12h. This will allow Pi to assign IP addresses to all devices on the network.Setting up DNS over HTTPS or DNS over TLS to protect against ISP surveillance

DNS over TLS or DoH will protect your DNS queries. Use 1.1.1.1 from Cloudflare or 8.8.8.8 from Google as servers.

Split tunneling: some traffic through VPN, some direct

Configure iptables for split tunneling:

iptables -A PREROUTING -t mangle -s 192.168.1.50 -j MARK --set-mark 1. This will allow specific devices to bypass the VPN.How to connect Pi between the ISP router and the home network

Connect the Pi to the ISP router and your network using two network interfaces. This allows the Pi to control all traffic.

Alternative path: OpenWrt on Raspberry Pi

Installing OpenWrt on a microSD card

Download the OpenWrt image from the official website and write it to a microSD card. Insert the card into Raspberry Pi and boot the system.

Configuring VPN through the LuCI web interface

In LuCI, configure VPN through the corresponding section. This is easier than working with the command line.

WireGuard in OpenWrt: packages and configuration

Install the required WireGuard packages:

opkg update&& opkg install luci-proto-wireguard. Configure the interface and routes through the web interface.Advantages of OpenWrt: ready-made web interface, firewall, DDNS

OpenWrt provides a convenient management interface, supports firewall and DDNS, making it ideal for beginners.

Bypassing blocks: configuring Shadowsocks and VLESS/XRay instead of WireGuard

Why WireGuard is blocked by DPI of Russian ISPs

Russian ISPs use DPI to block WireGuard. This is due to characteristic traffic signatures that are easy to identify.

Shadowsocks-rust on Raspberry Pi: installation and configuration

Install Shadowsocks-rust:

cargo install shadowsocks-rust. Configure the settings to disguise traffic.VLESS + XRay: the most block-resistant protocol in 2026

VLESS with XRay is virtually indistinguishable from HTTPS traffic, making it resistant to blocking. It requires more resources but offers excellent protection.

Amnezia VPN: ready-made solution with obfuscation for Pi

Amnezia VPN is a Russian open-source project designed for bypassing blocks. It supports obfuscation and is easy to set up on Pi.

Speed test: WireGuard vs Shadowsocks vs VLESS on Pi 4

On Raspberry Pi 4, WireGuard delivers speeds of 300-400 Mbps, Shadowsocks — 150-250 Mbps due to encryption overhead. VLESS is close in performance to Shadowsocks but more resistant to blocking.

Troubleshooting and common issues

Internet works but VPN won't come up: what to check

Check the WireGuard service status:

journalctl -u wg-quick@wg0. Make sure you have the correct keys and route.Devices on the network cannot access the internet through Pi

Check iptables and DNS settings. Make sure IP forwarding is enabled:

cat /proc/sys/net/ipv4/ip_forward.DNS leaks: how to detect and fix them

Check for DNS leaks using

tcpdump -i eth0 port 53. Use DNS over TLS for protection.Pi overheats under load: is a cooler needed

Raspberry Pi 4 can overheat during intensive encryption. Install a heatsink or cooler to improve heat dissipation.

VPN disconnects at night: configuring keepalive and watchdog

Use keepalive in the WireGuard configuration and create a watchdog script to automatically restart the VPN when it disconnects.

Which Raspberry Pi is best suited for a VPN router?