Category: Privacy

    Multi-Device VPN Gateway

    In this post we’re going to use a Raspberry Pi and 4G LTE dongle to create a VPN Gateway for your devices.

    Raspberry Pi and Mobile Dongle

    Why? You may have devices that aren’t capable of connecting directly to a VPN, like smart TVs and games consoles. Using a Raspberry Pi and mobile broadband dongle also lets you take it to hotels or on holidays.


    Prerequisites and Kit

    • A Raspberry Pi 4+
    • USB Mobile Dongle – I’m using a SIM7600G-H 4G from WaveShare.
    • Power, MicroSD and peripherals.
    • Battery pack if you want to use the Pi without mains.
    • Relevant mobile data plan and SIM.
    • Familiarity with Debian/Ubuntu Linux and the command line will be a huge help.

    Pi Setup


    All of this configuration is done using the latest Raspbian OS and a Pi 5. I used the Raspberry Pi disk writer to write the default installer to an SD Card. There’s an easy install guide here. You will need root privileges.


    LTE Mobile Dongle Setup

    We’ll need to set up and enable the dongle. You may need to install the minicom package.

    Bash
    sudo apt install minicom

    Now plug the dongle into the Pi and look for USB

    Find the USB Device ID

    Bash
    ls /dev/ttyUSB*

    Connect to the dongle using minicom, replacing the ‘2’ with the relevant device number shown by the previous command.

    Bash
    sudo minicom -D /dev/ttyUSB2

    You should now be connected to the dongle. Run the following AT command in the minicom session to enable LTE and modem mode for our Pi.

    Bash
    AT+CUSBPIDSWITCH=9011,1,1

    To use the dongle as a network interface, list the interfaces and find its name:

    Bash
    ip a

    Now use the USB interface name to start dhclient:

    Bash
    sudo dhclient -v usb0 # replace 0 if required (unless you're already running a USB network device it will almost always be 0)

    You should now be able to browse the net on your Pi with the mobile dongle!


    Setting up the Pi as an Access Point

    We need to set up the WiFi access point. It’s important to note we are using Bookworm Raspbian, which defaults to NetworkManager. The following commands will set up an access point using the onboard WiFi card on the Pi.

    Create a connection called ‘vpn-gateway’ with the SSID nrfs-ap1

    Bash
    nmcli con add con-name vpn-gateway ifname wlan0 type wifi ssid "nrfs-ap1"

    Set the connection to use a Pre Shared Key to authenticate

    Bash
    nmcli con modify vpn-gateway wifi-sec.key-mgmt wpa-psk

    Set the Pre Shared Key (Password)

    Bash
    nmcli con modify vpn-gateway wifi-sec.psk "123456789"

    Set the wireless mode to access point (ap), the band to bg and the IPv4 method to shared. This just shares the Pi's internet connection with clients over IPv4.

    Bash
    nmcli con modify vpn-gateway 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared

    To bring the connection up you can run

    Bash
    nmcli con up vpn-gateway

    The password here is set to 123456789; obviously you should change this to something good!


    Iptables forwarding

    Use iptables to forward all the traffic to your modem by masquerading it on the modem interface. This is the bare minimum and ‘should just work’ option. We can lock down the rules later if we need to. You will need to match the 0 to your USB device.

    Bash
    sudo iptables -t nat -A POSTROUTING -o usb0 -j MASQUERADE
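
    One way to lock the rules down later, as an added example that is not part of the original post: forwarding is dropped by default, and only traffic from the access point out to the modem (plus its replies) is allowed. It assumes wlan0 is the access point interface and usb0 the modem, as in the commands above; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: emit a locked-down gateway ruleset in iptables-restore format.
# Assumption: wlan0 is the access-point side and usb0 the LTE modem, as in the post.

# Interface names are at most 15 characters; accept only a conservative character set.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the ruleset for LAN interface $1 and WAN interface $2.
gen_gateway_rules() {
    local lan wan
    lan="$1"
    wan="$2"
    valid_ifname "$lan" && valid_ifname "$wan" || { echo "invalid interface name" >&2; return 1; }
    [ "$lan" != "$wan" ] || { echo "LAN and WAN interfaces must differ" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Review the output first, then load it atomically. Without --noflush,
# iptables-restore replaces the current contents of the filter and nat tables:
#   gen_gateway_rules wlan0 usb0 | sudo iptables-restore
```

    Because the WAN interface is a parameter, the same generator can be pointed at a different outbound interface later.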

    Connect to AP to test

    You should be able to see your network SSID from your phone or other device. You should be able to connect and, all being well, browse the internet!

    In Part 2 we will set up the VPN connection and route the traffic down the VPN tunnel.