{"id":410,"date":"2019-01-08T17:16:55","date_gmt":"2019-01-08T17:16:55","guid":{"rendered":"http:\/\/kiphaynes.com\/?p=410"},"modified":"2025-08-28T15:33:50","modified_gmt":"2025-08-28T15:33:50","slug":"vpn-based-wifi-hotspot-with-2-raspberry-pis-works-with-netflix","status":"publish","type":"post","link":"https:\/\/kiphaynes.com\/?p=410","title":{"rendered":"VPN based wifi Hotspot with 2 Raspberry Pi&#8217;s &#8211; Works with Netflix!"},"content":{"rendered":"<p>This is a guide to setting up a free Netflix Compatible VPN based wifi hotspot for expats.<\/p>\n<p>Like many of you, I am from the US living abroad. And, chances are, if you are reading this, you have quickly found that Netflix and other streaming services offer much less content outside of the US. Also, many websites in the US are blocked for users in Europe due to the new GDPR laws. Additionally, some US based websites like southwest.com just don\u2019t work at all for some reason. I wanted to share here some of the lessons I\u2019ve learned in getting around this issue, and how to set up a free VPN that can be used by any device including Roku, Firestick or your smart TV.<\/p>\n<p>The first things you will need are:<\/p>\n<p>2 Raspberry Pis (your local one should be a Pi 3 with wifi).<\/p>\n<p>A family member or friend back in the US with a good internet connection that will let you host your VPN server.<\/p>\n<p><a href=\"https:\/\/kiphaynes.com\/wpress\/wp-content\/uploads\/2019\/01\/COOLRASPI.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-418 size-large\" src=\"https:\/\/kiphaynes.com\/wpress\/wp-content\/uploads\/2019\/01\/COOLRASPI-1024x685.jpg\" alt=\"\" width=\"1024\" height=\"685\" srcset=\"https:\/\/kiphaynes.com\/wp-content\/uploads\/2019\/01\/COOLRASPI-1024x685.jpg 1024w, https:\/\/kiphaynes.com\/wp-content\/uploads\/2019\/01\/COOLRASPI-300x201.jpg 300w, https:\/\/kiphaynes.com\/wp-content\/uploads\/2019\/01\/COOLRASPI-768x514.jpg 768w\" sizes=\"auto, (max-width: 
1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>At first I tried rolling an AWS server and watching Netflix on my laptop using an SSH tunnel and a SOCKS setting on my browser. This works sometimes, but most of the AWS server IPs are blacklisted by Netflix and won\u2019t always work. Plus, I wanted my Roku and Firestick to connect seamlessly to a US based IP using a local wifi hotspot. After much trial and error, and reading many other how-to guides, this setup works rock solid for me.<\/p>\n<p>The final setup will look like this:<\/p>\n<figure id=\"attachment_421\" aria-describedby=\"caption-attachment-421\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/kiphaynes.com\/wpress\/wp-content\/uploads\/2019\/01\/Merika.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-421\" src=\"https:\/\/kiphaynes.com\/wpress\/wp-content\/uploads\/2019\/01\/Merika-1024x429.jpeg\" alt=\"Wifi VPN Raspberry Setup\" width=\"1024\" height=\"429\" srcset=\"https:\/\/kiphaynes.com\/wp-content\/uploads\/2019\/01\/Merika-1024x429.jpeg 1024w, https:\/\/kiphaynes.com\/wp-content\/uploads\/2019\/01\/Merika-300x126.jpeg 300w, https:\/\/kiphaynes.com\/wp-content\/uploads\/2019\/01\/Merika-768x322.jpeg 768w, https:\/\/kiphaynes.com\/wp-content\/uploads\/2019\/01\/Merika.jpeg 1336w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-421\" class=\"wp-caption-text\">Wifi VPN Raspberry Setup<\/figcaption><\/figure>\n<p>Note that the following instructions are probably not for a total newbie. You should have some basic networking and Linux skills in order to get past any unexpected issues.<\/p>\n<p>Set up SSH Server on your Remote Pi and remote access<\/p>\n<p>First, you need to install the SSH service on your remote Raspberry Pi and make sure you can access it from the internet.<\/p>\n<p>1. Enter sudo\u00a0raspi-config in a terminal window.<br \/>\n2. Select Interfacing Options.<br \/>\n3. 
Navigate to and select\u00a0SSH.<br \/>\n4. Choose Yes.<br \/>\n5. Select Ok.<br \/>\n6. Choose Finish.<br \/>\n7. Reboot.<\/p>\n<p>While you are at it, change your default pi password, or better yet, remove the default pi account and create a new username and complex password.<\/p>\n<p>Make sure you can ssh into your Pi from the local LAN, then get on a plane, go to your friend\u2019s house in the USA and plug in to his router. Go to your friend\u2019s router and reserve the mac ip of your remote Pi and set up SSH routing to it (UDP Port 22). Also pick a port for your VPN service (let\u2019s say port 5150 for fun) and make sure your router is forwarding that one also. More on this later\u2026<\/p>\n<p>Now unless your friend has a static real world IP assigned to his router, you will have to use a service like DynDNS so that whenever the IP changes you will still be able to access your Pi. Fortunately, my friend\u2019s router is a netgear, and includes a free service using xxxx.mynetgear.com. Be sure that you can ssh into your Pi from the outside world before getting back on that plane!<\/p>\n<p>If the above language is confusing, you can read a nice article about port forwarding at https:\/\/www.cyberpratibha.com\/blog\/ssh-port-forwarding-in-router\/<\/p>\n<p>Install PIVPN Server on your remote Pi<\/p>\n<p>I can tell you that installing a VPN server and connecting to it can be a horrible experience. With PIVPN Server (and OPENVPN on your client) it\u2019s pretty easy.<\/p>\n<p>To install pivpn, ssh into your remote Pi and enter:<\/p>\n<pre><code>curl -L https:\/\/install.pivpn.io\/ | bash\n<\/code><\/pre>\n<p>I recommend you <a href=\"http:\/\/kamilslab.com\/2017\/01\/22\/how-to-turn-your-raspberry-pi-into-a-home-vpn-server-using-pivpn\/\" target=\"_blank\" rel=\"noopener\">consult this guide for more information on installing PIVPN<\/a>.<\/p>\n<p>Note that you need to use the VPN port that you have set up above (in the example I used 5150). 
Also, you will need to create a VPN user. I suggest that you not use a passphrase because you will be downloading a keyfile that takes the place of a passphrase (just hit enter when it asks for a passphrase). They suggest using FTP to download your xxx.ovpn file. However, there is no need: if you are accessing your Pi with another Linux-based system (such as a Mac or another Pi), just pull it down using scp (Secure CoPy) like so:<\/p>\n<pre><code>scp &lt;user&gt;@&lt;host&gt;:&lt;remote file&gt; &lt;local destination&gt;\n<\/code><\/pre>\n<p>Example:<\/p>\n<pre><code>scp pi@remotemachine.mynetgear.com:mykeyfile.ovpn .\n<\/code><\/pre>\n<p>Install OpenVPN on your client (the Pi at your out of the country location)<\/p>\n<pre><code>sudo apt-get install openvpn\n<\/code><\/pre>\n<p>By now you should have the key file that you copied from your VPN server. Assuming it is in your home directory, look at the headers and be sure that the DNS name (or the static public IP of your friend\u2019s router) is correct on the 4th line:<\/p>\n<pre><code>cat mykeyfile.ovpn\n\nclient\ndev tun\nproto udp\nremote yourcoolserver.mynetgear.com 5150\nresolv-retry infinite\nnobind\npersist-key\npersist-tun\nkey-direction 1\nremote-cert-tls server\ntls-version-min 1.2\nverify-x509-name server_jMx58knymDexHXFv name\ncipher AES-256-CBC\nauth SHA256\nauth-nocache\nverb 3\n\n-----BEGIN CERTIFICATE-----\nxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxx\n\u2026\n<\/code><\/pre>\n<p>Try making a connection:<\/p>\n<pre><code>sudo openvpn mykeyfile.ovpn\n<\/code><\/pre>\n<p>You should see a bunch of routing debug info, then the line:<br \/>\nInitialization Sequence Completed<\/p>\n<p>If everything has connected, you should see your VPN connection as a new network interface called tun0.<\/p>\n<p>Open another terminal connection, or put your process in the background by typing Ctrl-Z then bg, and now run<\/p>\n<pre><code>ifconfig\n<\/code><\/pre>\n<p>You should see all your network interfaces:<\/p>\n<pre><code>eth0 \u2026\nlo\u2026 \ntun0: 
flags=4305&lt;UP,POINTOPOINT,RUNNING,NOARP,MULTICAST&gt;  mtu 1500\n        inet 10.8.0.3  netmask 255.255.255.0  destination 10.8.0.3\n        inet6 fe80::4192:fe9c:7dc7:a00e  prefixlen 64  scopeid 0x20\n        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)\n        RX packets 2  bytes 331 (331.0 B)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 3  bytes 175 (175.0 B)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\nAnd wlan0\u2026\n<\/code><\/pre>\n<p>Type fg to bring your VPN session back to the terminal. Kill the VPN connection with Ctrl-C, and now enable openvpn as a service so that it starts up every time:<\/p>\n<p>First copy your mykeyfile.ovpn file as follows and note the filename extension change:<\/p>\n<pre><code>sudo cp mykeyfile.ovpn \/etc\/openvpn\/mykeyfile.conf\n\nsudo systemctl enable openvpn\n\nsudo systemctl start openvpn\n<\/code><\/pre>\n<p>Restart and check that you have tun0 as an interface. 
Yaay.<\/p>\n<p>Set up Wifi Hotspot and DHCP on your local Pi 3:<\/p>\n<p>You will need 2 more programs on your local Pi: hostapd for the wifi hotspot, and a DHCP server so that you can serve up local IPs to your clients on the wifi:<\/p>\n<pre><code>sudo apt-get install hostapd isc-dhcp-server\n<\/code><\/pre>\n<p>Configure the DHCP Server on your Pi:<\/p>\n<pre><code>sudo nano \/etc\/dhcp\/dhcpd.conf\n<\/code><\/pre>\n<p>Be sure the following is uncommented:<\/p>\n<pre><code>default-lease-time 600;\nmax-lease-time 7200;\n\nddns-update-style none;\n\nauthoritative;\n<\/code><\/pre>\n<p>and set up your subnet IPs:<\/p>\n<pre><code>subnet 192.168.42.0 netmask 255.255.255.0 {\n    range 192.168.42.10 192.168.42.50;\n    option broadcast-address 192.168.42.255;\n    option routers 192.168.42.1;\n    default-lease-time 600;\n    max-lease-time 7200;\n    option domain-name \"local\";\n    option domain-name-servers 8.8.8.8, 8.8.4.4;\n}\n<\/code><\/pre>\n<p>Tell the DHCP server what interface you want it to serve up IPs on:<\/p>\n<pre><code>sudo nano \/etc\/default\/isc-dhcp-server\n<\/code><\/pre>\n<p>Make sure you include the following line:<\/p>\n<pre><code>INTERFACESv4=\"wlan0\"\n<\/code><\/pre>\n<p>I am on Raspbian Stretch 9, and the method of setting a static IP below is somewhat old school, using static changes (and a post network up iptables configuration setting) in \/etc\/network\/interfaces. I tried to do this project using the proper way by configuring \/etc\/dhcpcd.conf but failed. 
I\u2019m sure someone out there knows what I was doing wrong, but this is the way it works for me.<\/p>\n<p>Disable the dhcpcd client (if you are doing it my way):<\/p>\n<pre><code>sudo update-rc.d dhcpcd disable\n<\/code><\/pre>\n<p>Give wlan0 and eth0 static IPs (note eth0 should be reserved on your router, and use your own reserved IP):<\/p>\n<pre><code>sudo nano \/etc\/network\/interfaces\n\n# Include files from \/etc\/network\/interfaces.d:\nsource-directory \/etc\/network\/interfaces.d\nauto lo\niface lo inet loopback\n#iface eth0 inet dhcp\nallow-hotplug eth0\niface eth0 inet static\n  # NOTE: this should be your reserved IP on your LAN\n  address 192.168.0.87\n  netmask 255.255.255.0\n  # NOTE: this should be your gateway and may be different!\n  gateway 192.168.0.1\nallow-hotplug wlan0\niface wlan0 inet static\n  address 192.168.42.1\n  netmask 255.255.255.0\n  post-up iw dev $IFACE set power_save off\ndns-nameservers 8.8.8.8 8.8.4.4\n<\/code><\/pre>\n<p>Turn on IP forwarding:<\/p>\n<pre><code>sudo nano \/etc\/sysctl.conf\n\n# Uncomment the next line to enable packet forwarding for IPv4\nnet.ipv4.ip_forward=1\n<\/code><\/pre>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br \/>\nSet up your hotspot by configuring hostapd:<\/p>\n<pre><code>sudo nano \/etc\/hostapd\/hostapd.conf\n<\/code><\/pre>\n<p>Change ssid below to a name of your choice and wpa_passphrase to a password that you will remember:<\/p>\n<pre><code># ... WiFi authen\ninterface=wlan0\ndriver=nl80211\nssid=WiPi\nhw_mode=g\nchannel=6\nmacaddr_acl=0\nauth_algs=1\nignore_broadcast_ssid=0\nwpa=2\nwpa_passphrase=1212121212\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\nrsn_pairwise=CCMP\n<\/code><\/pre>\n<p>Test your hotspot:<\/p>\n<pre><code>sudo \/usr\/sbin\/hostapd \/etc\/hostapd\/hostapd.conf\n<\/code><\/pre>\n<p>You should see your new wifi network and be able to connect with a wireless client, but you won\u2019t have any internet access if your VPN is running until you configure your 
routing.<\/p>\n<p>If it\u2019s working, enable the hostapd daemon:<\/p>\n<pre><code>sudo nano \/etc\/default\/hostapd\n<\/code><\/pre>\n<p>Uncomment the following:<\/p>\n<pre><code>DAEMON_CONF=\"\/etc\/hostapd\/hostapd.conf\"\n<\/code><\/pre>\n<p>All that is left to do is set up your routing tables.<\/p>\n<p>Forward incoming and outgoing traffic between wlan0 and tun0:<\/p>\n<pre><code>sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE\nsudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT\nsudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT\n<\/code><\/pre>\n<p>Save your current iptables rules (the redirect has to run as root too, hence the sh -c wrapper):<\/p>\n<pre><code>sudo sh -c 'iptables-save &gt; \/etc\/iptables.ipv4.nat'\n<\/code><\/pre>\n<p>Now we want iptables to be restored on boot, so add this line to the bottom of \/etc\/network\/interfaces:<\/p>\n<pre><code>up iptables-restore &lt; \/etc\/iptables.ipv4.nat\n<\/code><\/pre>\n<p>Note, there are many ways to set and restore iptables on reboot, but the \u201crecommended\u201d methods did not work for me.<\/p>\n<p>If everything went ok, you should have a rock solid VPN that reconnects on reboot and establishes a usable secure wifi that connects directly to your home country (or other remote network) seamlessly. Good luck and enjoy a small taste of home!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is a guide to setting up a free Netflix Compatible VPN based wifi hotspot for expats. Like many of you, I am from the US living abroad. And, chances are, if you are reading this, you have quickly found that Netflix and other streaming services offer much less content outside of the US. 
Also<\/p>\n<p><span class=\"xf__dots\">&#8230;<\/span><a class=\"xf__more xf__button\" href=\"https:\/\/kiphaynes.com\/?p=410\">Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":416,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,1],"tags":[],"class_list":["post-410","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","category-uncategorized","xf__entry"],"_links":{"self":[{"href":"https:\/\/kiphaynes.com\/index.php?rest_route=\/wp\/v2\/posts\/410","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kiphaynes.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kiphaynes.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kiphaynes.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/kiphaynes.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=410"}],"version-history":[{"count":10,"href":"https:\/\/kiphaynes.com\/index.php?rest_route=\/wp\/v2\/posts\/410\/revisions"}],"predecessor-version":[{"id":620,"href":"https:\/\/kiphaynes.com\/index.php?rest_route=\/wp\/v2\/posts\/410\/revisions\/620"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kiphaynes.com\/index.php?rest_route=\/wp\/v2\/media\/416"}],"wp:attachment":[{"href":"https:\/\/kiphaynes.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kiphaynes.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kiphaynes.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}