Overview
VPN-AP turns a Raspberry Pi into a portable travel router: it broadcasts its own Wi-Fi access point and tunnels everything that connects to it through a VPN. Join the Pi’s network from a hotel room or other untrusted Wi-Fi and your devices — phones, laptops, even smart TVs and consoles that can’t run a VPN client — get encrypted egress without per-device setup.
Why I built it
Public and hotel Wi-Fi are convenient and untrustworthy. Rather than babysit a VPN client on every device I travel with, a single pocket router authenticates to the upstream network and enforces the VPN for everything behind it — with a kill switch so a dropped tunnel never leaks.
How it works
The built-in Wi-Fi (wlan0) connects upstream while a USB adapter (wlan1) hosts the
access point via hostapd; client traffic is routed through the tunnel with iptables:
- NordVPN over NordLynx (WireGuard), with a kill switch — if the VPN drops, client internet stops (no leaks).
- Captive-portal handling — a web UI at
http://192.168.4.1lets you complete hotel / airport logins, then enable the VPN; login completion is auto-detected. - Flexible backhaul — a priority list (
iphone0 eth0 wlan0) with a gateway-reachability probe, so an iPhone USB tether or even a HaLow (802.11ah) sub-GHz link can be the upstream. - Resilience — a systemd watchdog monitors services every minute and auto-recovers;
Wi-Fi retries, VPN server fallbacks (US/UK/DE/NL/CH), state persistence across reboots,
atomic
iptables-restoretransitions, and MSS clamping to survive cellular PMTU black-holes. - Never locks you out — SSH (port 22) stays reachable in every firewall mode, with web and CLI emergency recovery.
Tech
Shell provisioning on Raspberry Pi 4 / 3B+ with a USB Wi-Fi adapter, hostapd, iptables, systemd, and the NordVPN CLI. Optional HaLow module for long-range backhaul.
Get it
Configuration and setup are on GitHub.