Configure a Raspberry Pi as a Secure WiFi Access Point with OpenWrt

I recently found myself in a situation where I wanted to have a small WiFi access point allowing me to route all the Internet traffic through a VPN with a kill-switch, and decent performance. As I had an unused Raspberry Pi, I decided to make use of it with OpenWrt to achieve my goal. In this article, I will document the procedure to have everything properly configured. The instructions are valid for OpenWrt 21.02.3.

Getting OpenWRT Running

The first step is to flash OpenWRT into a microSD card. Raspberry has software to do so, but you can also use dd, or whatever software you are comfortable with. The image can be found on OpenWrt's website.

Once this is done, you can plug your Raspberry Pi and your computer into a switch, and boot the machine. You will then be able to access the LuCI interface at 192.168.1.1 and to log in as root with no password.

ℹ️
Note that by default, your microSD card will only be formatted with partitions of a few hundred MBs, so at some point, you might want to reformat your partitions if you want to go into advanced use of OpenWrt.
The various instructions on the Internet did not work for me, and I had no time or need to investigate further, but I'll leave references at the end of the article.

Once we access the administration interface, we first want to go to System/Administration and set a decent password. I also recommend changing the SSH settings to only allow logging in with an SSH Key.

Basic Network Configuration

Now that OpenWrt is up and running, we want to enable the Wifi and do some basic network configuration.

In Network/Wireless, edit the wireless network interface:

  • You can choose the frequency that suits your needs best. I used N mode with a 5 GHz band and an automatic channel. If you want to set things manually, you can use the Channel Analysis in the Status menu
  • Mode: Access Point
  • Network: lan
  • Encryption: anything that is WPA2 or WPA3, auto cipher, and a strong key
  • In the advanced settings, there is also an option to prevent client-to-client communications

Then, enable the interface, and you should see your WiFi network. You might notice that you can add an extra WiFi AP in the radio0 configuration. Doing so will only make OpenWRT unhappy, and your changes will be automatically un-applied.

The final step before being able to use the WiFi is to configure the interfaces in Network/Interfaces. By default, you should have a single Interface br-lan, or something of the kind. We will edit this interface to have the following:

  • Protocol: Static address
  • Device wlan0
  • Bring up boot checked
  • IPV4 address 192.168.1.1
  • Netmask: 255.255.255.0
  • Firewall-zone: lan
  • Make sure that the DHCP service is not disabled

Then, we will add an interface for eth0 with the following settings:

  • Protocol DHCP Client
  • Device eth0
  • Bring up on boot enabled
  • Firewall zone: wan

When all of this is done, the final step before being able to use the WiFi to access the Internet is to check the firewall settings in Network/Firewall. You should have two zones:

  1. lan => wan should have lan as a Covered networks, allow forward to the wan destination, and have Input, Output, and Forward as accepted
  2. wan => DROP should have eth0 as Covered networks, drop Input and Forward, and accept Output

You can now click on Save & Apply, and connect to your WiFi.

Configuring the VPN

Basic Configuration

In the final step of this walkthrough, we will use ProtonVPN with OpenVPN, but you can use pretty much any provider, and other protocols such as WireGuard are also usable.

First, we need to install some packages. Go to System/Software, update the lists if nothing pops up in the available packages, and install openvpn-openssl and luci-app-openvpn. Refresh your UI, and you should see a menu VPN/OpenVPN.

We will then use the OVPN configuration file upload, and give it the configuration file provided by ProtonVPN. The configuration will then appear in the list of OpenVPN instances, and we will edit it. You should add the path of the auth-user-pass file in the top text field, and put your username/password in the second one.

Editing the OpenVPN Configuration on OpenWrt

Once this is done, you can go back to the list of instances, check the Enabled checkbox, and Save & Apply. At this point, the screen should show the VPN as started.

Then, we will configure a new interface for the VPN. In Network/Interface, add a new Interface tun0, with protocol as Unmanaged, Bring up on boot, and tun0 as the device. In Firewall Settings, create a firewall-zone VPN. We will then configure this zone in Network/Firewall with the same settings as wan => DROP, with the difference that we will use lan in Allow forward from source zones, and accept the Forward. We will also go to the lan => VPN zone, and add the VPN zone in the Allow Forward. You should now have the following:

Network Interfaces after VPN Configuration
Zones Screen after VPN Configuration in Network/Firewall

Now, the connection will go through the VPN if it is on, but will still be able to reach the Internet if the VPN is down. One final thing that we want to do to avoid DNS leaks is to use custom DNS servers with the eth0 interface, and to disable the option Use DNS servers advertised by peer.

Kill Switch

If you want to configure a 'kill switch' for the VPN (i.e., stop allowing Internet traffic to go through if the VPN is down), you can do that easily by changing the lan => VPN zone in the firewall configuration. You only have to remove lan from the Allow forward to destination zones.

⚠️
If you have multiple WiFi networks at home, you need to configure your machines to only auto-connect to your OpenWrt network. Otherwise, they might connect to another WiFi, and you will connect to the Internet without VPN.

Disable VPN for a Device

If you are not using the kill-switch, and want to have a device connect to the Internet without using the VPN, you can install the package vpnbypass, set your device to have a static DHCP lease in the landing page of OpenWRT, and add a Local IP Address to Bypass in VPN/VPN Bypass.

To Go Further

Now, you have a router allowing all the connected devices to access the Internet via VPN, but there are still some things that you can improve in the configuration. For example:

  • There is a snort package that you could install to improve the security of your network
  • You could connect an external WiFi AP, and make it so that devices connected to this AP can access the Internet without VPN, for example, if you want to use Netflix (I'm sure that you can do that with a single AP by playing with the firewall rules, but I personally like simplicity)
  • Install an adblock package and configure it so that all the connected devices can also have the benefit of no ads (e.g. if you have iOS-based devices, there is no possibility to install adblock extensions in the browser)

References and Credits

References

Resources Change Partitions

Credits