Raspberry PI VPN Gateway with ExpressVPN

Although I run a OPNsense box as a firewall, I still use a raspberrypi connected to my LAN as my VPN gateway for my devices. The PI is a low cost hardware and delivers decent VPN performance for my LAN (~30Mbps).  Alternatively I could have the OPNsense box run a VPN client but I decided against it keeping my requirements in mind. Part of it was also because ExpressVPN provides a very easy PI package to connect to VPN servers. If you are out to configure the PI to act as a VPN client for you LAN devices read on.

Assuming you already have the PI setup with an IP address and connected to the network (I have PI connected to the local network through a wire – eth0). You would do the following configuration.

Part 1 – Setup PI to Forward traffic to VPN.

Enable IP Forwarding for the PI to forward packets

nano /etc/sysctl.conf
net.ipv4.ip_forward = 1

Enable NAT for packets received on LAN to the tunnel.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

To make the rules persistent use

sudo apt-get install iptables-persistent

Apply the rules at startup

sudo apt-get install iptables-persistent

Part 2 – Setup Express VPN

Download the ExpressVPN installer file to pi. Install and activate using the command

sudo dpkg -i expressvpn_1.2.0_armhf.deb
expressvpn activate

You get the activation code from the Downloads page on ExpressVPN when you download the ExpressVPN installer for PI.

List servers to connect to

expressvpn list

Connect to a particular server and to check the status

expressvpn connect ussc
expressvpn status

Disconnect from server

expressvpn disconnect

Connect to the last connected server

expressvpn connect

At this point, you should have the PI connected to the VPN and ready to accept connections from your LAN devices. All that is left to do is to use the PI’s IP as the default gateway for devices that need a VPN connection (in my case, I point the Apple TV to use the VPN)

Lan is - 192.168.1.0/24
Firewall - 192.168.1.1
PI - 192.168.1.5
Apple TV - 192.168.1.10; Default GW 192.168.1.5

You could also set the PI to provide your the ExpressVPN DNS to your LAN devices by

sudo apt-get install dnsmasq

This ensures your DNS queries do not go leaking to your ISP. Don’t forget to set the DNS on your devices that need a VPN connection to the PI IP.

End – for now 🙂