Home VPN: Free Up Your Internet Access with WireGuard on a Raspberry Pi

A Raspberry Pi configured as a WireGuard VPN server, ready to secure your connections.

You are on the go, connected to the Wi-Fi of a hotel or coworking space, and you realize that some sites are blocked – or worse, your traffic could be intercepted. The solution? A personal VPN, hosted at home on a Raspberry Pi, using the WireGuard protocol. Unlike commercial VPN services, you keep full control of your data and configuration. And above all, it's much simpler to set up than you think.

Why a personal VPN instead of a paid service?

Commercial VPNs promise anonymity and geo-unblocking, but they have two major drawbacks: they see all your traffic, and they are often blocked by the strictest firewalls. By setting up your own VPN server on a Raspberry Pi at home, you benefit from an encrypted connection to your home, as if you were on your local network. As highlighted in a blog post by Jeff Geerling, this allows you to access your NAS, editing server, or any other local service from outside without exposing sensitive ports. Moreover, this type of personal VPN, based on WireGuard, is much harder to block because it uses a single UDP port and can even be disguised as HTTPS traffic.

Required hardware and preparation

To get started, you need:

  • A Raspberry Pi (model 3B+ or higher, a Pi 4 or 5 is recommended for better performance)
  • A microSD card (16 GB is sufficient)
  • A stable power supply
  • A wired internet connection preferably (Wi-Fi can work, but Ethernet is more reliable)
  • A domain name or public IP address (static if possible, otherwise a DDNS)

Install Raspberry Pi OS Lite (without graphical interface) on the SD card, enable SSH, and connect. Update the system with `sudo apt update && sudo apt upgrade -y`.

Installing PiVPN: the tool that simplifies everything

Rather than configuring WireGuard manually, use PiVPN, an installation script that automates the creation of the server and the generation of client configuration files. The advantage? It also handles firewall rules, routing, and even integration with dynamic IP addresses via a DDNS service. A Level1techs forum discussion also stresses the importance of configuring iptables properly, so that the VPN can access the internet while restricting access to the local network if necessary.

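Run the command: `curl -L https://install.pivpn.io | bash`

This pipes a script fetched from the network straight into a shell that will request root privileges. To review it first, save it to a file, read it, and then run that file with `bash`.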

Follow the on-screen instructions: choose WireGuard as the protocol, select the network interface (preferably eth0), set a port (the default 51820 works), and configure your DNS (e.g., 1.1.1.1 or your ISP's). Once the installation is complete, generate a client profile with `pivpn add` and export the `.conf` file.

Router configuration: the crucial step

For your VPN to be accessible from outside, you need to open UDP port 51820 on your router and forward it to the local IP address of the Raspberry Pi. This step is often the trickiest, as each router has a different interface. Consult your equipment's documentation or use UPnP if you trust your local network. Without this forwarding, incoming traffic cannot reach your VPN server.

> Pitfall to avoid: if your ISP uses CGNAT (shared IP address), you cannot open a port directly. In this case, use a cheap VPS as a relay or a tunneling service (like Tailscale, which uses WireGuard under the hood).

Connecting from anywhere

Once the profile is exported, install the WireGuard app on your smartphone, tablet, or laptop. Import the `.conf` file and activate the connection. You should now have access to your home network as if you were there. Reddit users confirm that this method works even in very restrictive environments like universities, where commercial VPNs are often blocked. The lightweight and fast WireGuard protocol allows for near-instant connection.
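Before relying on an imported profile on untrusted Wi-Fi, check that it really sends all traffic through the tunnel and that the file holding the private key is not readable by other users. The script below is an added example, not part of PiVPN or of the original article; the function names and the sample profile (placeholder keys, `vpn.example.net`, `10.6.0.2/24`) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not PiVPN's code): audit an exported WireGuard client profile.

# conf_get FILE KEY -> value of each "KEY = value" line, spaces and CRs removed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | tr -d ' \t\r'
}

# audit_profile FILE -> one finding per line; returns 1 if any WARN was printed.
audit_profile() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    allowed=",$(conf_get "$conf" AllowedIPs | tr '\n' ','),"
    case $allowed in
        *,0.0.0.0/0,*) echo "OK   IPv4 full tunnel" ;;
        *) echo "WARN split tunnel: traffic outside AllowedIPs uses the local Wi-Fi"; rc=1 ;;
    esac
    case $allowed in
        *,::/0,*|*,::0/0,*) echo "OK   IPv6 routed through the tunnel" ;;
        *) echo "WARN no IPv6 default route: IPv6 traffic bypasses the VPN"; rc=1 ;;
    esac
    if [ -n "$(conf_get "$conf" DNS)" ]; then echo "OK   DNS set by the profile"
    else echo "WARN no DNS line: lookups go to the local network's resolver"; rc=1
    fi
    # The file holds the client's private key: group/other must have no access.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" = "------" ]; then echo "OK   file is owner-only"
    else echo "WARN file mode lets other users read the private key"; rc=1
    fi
    return $rc
}

# Constructed sample profile: placeholder keys, example endpoint, split tunnel.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.6.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.6.0.0/24, 192.168.1.0/24
EOF
audit_profile "$sample" || true
rm -f "$sample"
```

The sample is deliberately a split-tunnel profile, so the audit flags that only the home subnets are routed through the VPN and that IPv6 is not covered.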

Myths and realities of the home VPN

Myth: It's too complicated for a non-IT person.

Reality: With PiVPN, installation takes about twenty minutes. The hardest part is router configuration, but once in place, everything works without intervention.

Myth: A Raspberry Pi is not powerful enough to serve as a VPN.

Reality: WireGuard is extremely lightweight. Even a Pi 3 can handle multiple simultaneous connections without slowing down. A Pi 4 or 5 can achieve speeds close to gigabit, more than enough for personal use.

Myth: Personal VPNs are less secure than commercial services.

Reality: With WireGuard, you benefit from state-of-the-art encryption (Curve25519, ChaCha20, Poly1305). The main risk comes from your own configuration, so avoid exposing the port unnecessarily, use strong keys, and update the system regularly.

Troubleshooting and advanced tips

  • Connection problem: Check that the port is open with a tool like `canyouseeme.org`. Also test that the Pi's firewall allows WireGuard traffic.
  • Local network access: By default, PiVPN allows access to the local subnet. If you want to isolate the VPN client from the rest of your LAN, modify the iptables rules as discussed on the Level1techs forum.
  • Multiple clients: Generate one profile per device with `pivpn add`. Each client has its own private key, allowing you to revoke access individually.
  • Performance: Use an Ethernet cable for the Pi and avoid Wi-Fi for the server. On the client, Wi-Fi can be used without issue.

Additional security

To enhance security, you can:

  • Disable SSH access to the Pi from outside (only use the VPN for remote administration)
  • Set up a firewall with `ufw` or `iptables` to limit incoming connections to only the WireGuard port
  • Enable automatic updates with `unattended-upgrades`
  • Use a reverse proxy like Nginx if you want to expose web services behind the VPN
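The firewall steps above, together with the LAN isolation mentioned under troubleshooting, can be written as a rule generator that prints the `iptables` commands for review instead of applying them. This is an added example, not PiVPN's own rule set or code from the original article; the interface `wg0`, the VPN subnet `10.6.0.0/24`, the LAN `192.168.1.0/24` and the NAS address are assumed values to replace with your own.

```shell
#!/bin/sh
# Added example (not PiVPN's own rules): print iptables rules for review.
# Assumed values: wg0 interface, 10.6.0.0/24 VPN subnet, 192.168.1.0/24 LAN.
WG_IF=${WG_IF:-wg0}; WG_PORT=${WG_PORT:-51820}
VPN_NET=${VPN_NET:-10.6.0.0/24}; LAN_NET=${LAN_NET:-192.168.1.0/24}

# valid_cidr4 A.B.C.D/LEN -> status 0 only for a well-formed IPv4 CIDR.
valid_cidr4() {
    echo "$1" | awk -F'[./]' 'NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
          for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if ($5 > 32) exit 1 }'
}

# input_rules -> INPUT chain: from the internet only WireGuard is reachable;
# SSH is accepted from the LAN and from inside the tunnel.
input_rules() {
    valid_cidr4 "$VPN_NET" && valid_cidr4 "$LAN_NET" || return 1
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport $WG_PORT -j ACCEPT
iptables -A INPUT -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WG_IF -s $VPN_NET -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
EOF
}

# forward_rules [HOST:PORT ...] -> block VPN clients from the LAN except the
# listed TCP services. "-I FORWARD 1" puts each later rule above the DROP.
forward_rules() {
    valid_cidr4 "$LAN_NET" || return 1
    for ex in "$@"; do
        port=${ex##*:}
        case $port in ''|*[!0-9]*) echo "bad port in $ex" >&2; return 1 ;; esac
        valid_cidr4 "${ex%:*}/32" && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "bad exception $ex" >&2; return 1; }
    done
    echo "iptables -I FORWARD 1 -i $WG_IF -d $LAN_NET -j DROP"
    for ex in "$@"; do
        echo "iptables -I FORWARD 1 -i $WG_IF -d ${ex%:*} -p tcp --dport ${ex##*:} -j ACCEPT"
    done
}

# Dry run: print the rules; review them, then pipe the output to "sudo sh".
input_rules
forward_rules 192.168.1.10:445   # constructed NAS address
```

Rules applied this way cover IPv4 only and are lost at reboot unless you save them with your system's persistence mechanism; IPv6 needs the equivalent `ip6tables` rules.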

What if you don't have a fixed connection?

If your home does not have a public IP address (CGNAT), two options are available:

  1. Use a VPS: Rent a server from a provider (DigitalOcean, Linode) and install WireGuard on it. You'll have a fixed IP, but traffic will pass through a third party. Scripts like Algo (mentioned on the GL.iNet forum) automate this installation.
  2. Use Tailscale: This free service for personal use creates a mesh network based on WireGuard, without requiring port opening. It's an intermediate solution between the home VPN and commercial service.

The future of the personal VPN

With the rise of network restrictions (censorship, geo-blocking, filters in companies and universities), the personal VPN is becoming an essential tool for nomadic professionals and privacy-conscious individuals. WireGuard, now integrated into the Linux kernel, is set to become the de facto standard for VPN connections. And thanks to projects like PiVPN, its democratization is underway.

So, are you ready to take back control of your internet access? The setup time is minimal, but the freedom it offers is immense.
