Get AI summaries of any video or article — Sign up free
my SUPER secure Raspberry Pi Router (wifi VPN travel router) thumbnail

my SUPER secure Raspberry Pi Router (wifi VPN travel router)

NetworkChuck·
5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Use two Wi‑Fi interfaces: onboard Wi‑Fi connects to public Wi‑Fi upstream, while the USB Wi‑Fi adapter broadcasts the router’s SSID for client devices.

Briefing

A Raspberry Pi can be turned into a travel router that connects to public Wi‑Fi as a client while broadcasting its own secure Wi‑Fi for a family—then forces all traffic through a NordVPN connection. The payoff is straightforward: phones and laptops can use the Pi’s network anywhere (coffee shops, hotels, Airbnbs) without exposing their traffic to the risks of the original public hotspot.

The build starts with hardware choices and a key networking requirement: the Pi needs two Wi‑Fi interfaces. The onboard Wi‑Fi connects to whatever public network is available, while a USB Wi‑Fi adapter broadcasts the Pi’s own SSID for devices to join. For best performance, the project recommends a Raspberry Pi 4 (including the built-in Wi‑Fi and Ethernet), plus a compatible USB Wi‑Fi adapter that OpenWrt can support. After gathering the Pi, power supply, microSD (or a microSD reader), Ethernet cable, and a USB Wi‑Fi adapter, the next step is installing OpenWrt.

OpenWrt is flashed onto the microSD using Raspberry Pi Imager with a downloaded OpenWrt firmware image matched to the Pi model. Once the Pi boots, it can be accessed over SSH on the default address (commonly 192.168.1.1). The setup requires temporarily configuring the computer’s Ethernet interface to the same subnet so SSH works. Early access is intentionally insecure in the default state (no password prompt), so the root password is changed immediately.

Configuration then shifts into OpenWrt’s system files and later into its web GUI. The network settings are adjusted to use a non-default LAN IP range, and configuration files for network, wireless, and firewall are backed up before edits. The firewall is tweaked so the WAN zone accepts traffic (a necessary step for the router to function as intended). After rebooting, the Pi’s LAN IP changes, so the computer must return to DHCP (and matching DNS settings) to reconnect.

The USB Wi‑Fi adapter requires driver support and wireless radio tuning. The process includes updating package lists, installing a batch of packages/drivers, and then bringing up the new interface (e.g., via ifconfig). Wireless settings are corrected in /etc/config/wireless—changing channel, hardware mode, and HT/VHT parameters—so the adapter can actually broadcast. In the OpenWrt web interface, the onboard Wi‑Fi is scanned and joined to the user’s home (or any target) Wi‑Fi, using DHCP to obtain an address.

Once the router provides internet, the security layer is added: OpenVPN client configuration for NordVPN. A NordVPN OpenVPN UDP client profile is downloaded, uploaded to the Pi, and then used to generate the OpenVPN configuration with NordVPN credentials (username/email and password). The OpenWrt GUI is used to enable the OpenVPN client and verify that the public IP changes to a NordVPN IP range—confirming that traffic is being routed through the VPN. Finally, a hotplug-style restart hook is added so the VPN service comes back automatically if the WAN interface drops, which matters for travel.

By the end, the Pi acts as a “secure travel router”: devices connect to the Pi’s SSID, the Pi joins public Wi‑Fi upstream, and all traffic is tunneled through NordVPN for encryption and privacy while on the road. The tutorial also notes that the same OpenWrt Pi approach can replace a home router, though it won’t match the speed of higher-end dedicated router hardware.

Cornell Notes

The project turns a Raspberry Pi into a travel router by installing OpenWrt, configuring it to join public Wi‑Fi as a client, and broadcasting its own Wi‑Fi for local devices. A crucial requirement is two Wi‑Fi interfaces: onboard Wi‑Fi connects upstream to public networks, while a USB Wi‑Fi adapter provides the LAN for phones and laptops. After basic routing works, the setup adds NordVPN using an OpenVPN client profile so the Pi routes all client traffic through the VPN tunnel. Verification is done by checking that the router’s public IP changes to a NordVPN IP range. A restart hook helps keep the VPN running when the upstream connection drops—important for travel.

Why does the router need two Wi‑Fi interfaces, and what does each one do?

One Wi‑Fi interface is used to connect to the outside network (public Wi‑Fi) as a client. The other Wi‑Fi interface broadcasts the Pi’s own SSID so family devices can connect to it for internet access. The Ethernet port is treated as part of the same LAN, so wired devices (like a Pi NAS for Plex streaming) can also join the network.

How is OpenWrt installed and accessed for the first configuration?

OpenWrt is flashed to the microSD using Raspberry Pi Imager with a downloaded OpenWrt firmware image matched to the Pi model. After boot, the Pi is accessed over SSH on the default LAN IP (commonly 192.168.1.1). The computer’s Ethernet interface must be set to a matching static IP in the same subnet (example used: 192.168.1.10 with gateway 192.168.1.1) so SSH works.

What early security step is performed after SSH access?

The default SSH access is described as not prompting for a password, making it insecure. The root password is changed immediately using the Linux password-change command (the transcript uses passwd). This prevents leaving the router in a default, vulnerable state.

What changes are made to networking and firewall before adding wireless and VPN?

The LAN IP range is changed away from the common 192.168.1.x default to reduce predictability. Network configuration files are edited in /etc/config, with backups created first for network, wireless, and firewall. The firewall is adjusted so the WAN zone input policy is changed from reject to accept, enabling the router to pass traffic correctly between zones.

How does the setup ensure the USB Wi‑Fi adapter actually works as an access point?

After installing drivers/packages, the wireless radio configuration is tuned in /etc/config/wireless. The transcript specifically changes the radio0 channel (example: 36 to 7), switches hardware mode (example: 11a/n to 11g), adjusts HT mode (example: VHT80 to HT20), and adds a short GI setting. Then the configuration is committed and the interface is enabled so the Pi broadcasts an SSID (confirmed by scanning from a phone).

How is NordVPN enforced, and how is it verified?

A NordVPN OpenVPN UDP client profile is downloaded and uploaded to the Pi, then used to generate an OpenVPN client configuration with NordVPN credentials. In the OpenWrt GUI, the OpenVPN client is enabled and verified by checking the router’s public IP: it should change to an IP that begins with the NordVPN range (the transcript contrasts an AT&T IP starting with 107.x vs a NordVPN IP starting with 105.x). A hotplug-style restart hook is added so OpenVPN restarts if the WAN interface disconnects.

Review Questions

  1. What are the roles of the onboard Wi‑Fi vs the USB Wi‑Fi adapter in the travel-router design?
  2. Why is changing the LAN IP range and adjusting firewall WAN input policy important before adding VPN?
  3. What two checks confirm that NordVPN is actually routing traffic through the tunnel?

Key Points

  1. 1

    Use two Wi‑Fi interfaces: onboard Wi‑Fi connects to public Wi‑Fi upstream, while the USB Wi‑Fi adapter broadcasts the router’s SSID for client devices.

  2. 2

    Flash OpenWrt to the Pi’s microSD with Raspberry Pi Imager, then access the router via SSH on the default LAN IP (commonly 192.168.1.1) after setting the computer’s Ethernet to the same subnet.

  3. 3

    Change the root password immediately after first SSH access to avoid leaving the router in an insecure default state.

  4. 4

    Edit /etc/config/network, /etc/config/wireless, and /etc/config/firewall carefully—backup files first and reboot when LAN settings change.

  5. 5

    Tune the USB Wi‑Fi radio settings (channel, hardware mode, HT/VHT parameters) so the adapter can reliably broadcast the Pi’s Wi‑Fi network.

  6. 6

    Join upstream Wi‑Fi using the OpenWrt web GUI (scan, join, save/apply) so the Pi can obtain internet via DHCP.

  7. 7

    Enforce privacy by enabling an OpenVPN client for NordVPN in OpenWrt, verify by checking the public IP range, and add a restart hook so VPN recovers after WAN drops.

Highlights

The travel-router design hinges on two Wi‑Fi roles: one interface joins public Wi‑Fi, the other broadcasts a private SSID for devices.
OpenWrt is configured so the router’s LAN IP range is changed from the common default, and firewall WAN input policy is adjusted to keep routing functional.
NordVPN is validated by confirming the public IP shifts into a NordVPN IP range after enabling the OpenVPN client in the OpenWrt GUI.
A hotplug restart mechanism is added so the VPN service automatically comes back when the upstream connection fails—critical for travel reliability.

Topics

  • OpenWrt Installation
  • Raspberry Pi Router
  • Travel VPN
  • NordVPN OpenVPN
  • Wi‑Fi Access Point Setup

Mentioned

  • VPN
  • SSH
  • DHCP
  • LAN
  • WAN
  • SSID
  • OpenVPN
  • UDP
  • UCI
  • HT
  • VHT
  • GI

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library