You're at a coffee shop using public WiFi. You need a file from your home NAS. With a home VPN server, you connect securely in seconds - encrypted tunnel straight to your home network. Access your files, check your security cameras, print to your home printer, or browse through your home connection instead of the sketchy coffee shop network. No monthly fees. No trusting third parties. Just your hardware, your network, your control. [1]
A home VPN is different from commercial VPNs. Commercial VPNs route your traffic through their servers to mask your location. A home VPN connects you securely to your own network when you're away - letting you access local devices and optionally route your internet traffic through your home connection.
What You'll Get
- Remote access: Reach any device on your home network from anywhere
- Secure browsing: Route traffic through your home connection on public WiFi
- No monthly fees: One-time hardware cost, free forever after
- Full control: Your server, your logs (or lack of them), your rules
- Combine with Pi-hole: Ad-blocking even on mobile, anywhere in the world
Two Approaches: Raspberry Pi vs. Old Computer
You have two main options for home VPN hardware:
Option A: Raspberry Pi (Recommended)
A Raspberry Pi is the ideal home VPN server: [2]
- Low power: 3-5 watts - costs ~$5/year in electricity
- Silent: No fans, no noise
- Compact: Tuck it anywhere with ethernet
- Cheap: Pi 4 or 5 costs $35-80 + power supply + SD card
- Reliable: Can run 24/7 for years
Recommended: Raspberry Pi 4 (2GB+ RAM) or Raspberry Pi 5. A Pi 3B+ works but is noticeably slower. Don't use a Pi Zero for VPN - too weak.
Option B: Old PC or Laptop
Any Linux-capable computer works:
- Pros: Likely free (you have one in a closet), more powerful
- Cons: Uses 30-100+ watts, generates heat, takes up space, potentially noisy
- Works for: If you already run a home server for other purposes
If running an old laptop, you can close the lid and set it to not sleep. For desktops, consider power consumption - a VPN server is always-on.
Prerequisites
Before starting:
- Router access: You need to configure port forwarding
- Static local IP: Your VPN server needs a fixed IP on your network (e.g., 192.168.1.100)
- Public IP or Dynamic DNS: To reach your home from outside
- Basic Linux familiarity: You'll run terminal commands
About Your Public IP
Most home internet connections have dynamic public IPs - they change occasionally. Two solutions: [3]
- Check if static: Some ISPs offer static IPs (often for a fee)
- Use Dynamic DNS: Free services like DuckDNS, No-IP, or Dynu update a hostname to your current IP. You connect to "myhome.duckdns.org" instead of an IP address.
DuckDNS is free and works well. We'll cover setup below.
Method 1: PiVPN (Easiest)
PiVPN is a one-command installer that configures WireGuard (or OpenVPN) with secure defaults. Perfect for beginners. [4]
Step 1: Install Raspberry Pi OS
- Download Raspberry Pi Imager from raspberrypi.com
- Flash Raspberry Pi OS Lite (64-bit) to your SD card
- Enable SSH: In Imager, click the gear icon, enable SSH, set username/password
- Configure WiFi (optional): Set your network credentials if not using ethernet
- Insert SD card, connect ethernet, power on
Step 2: Initial Setup
SSH into your Pi (replace USER and PI_IP_ADDRESS with your Pi's username and address):
ssh USER@PI_IP_ADDRESS
Update the system:
sudo apt update && sudo apt upgrade -y
Step 3: Set Static IP
Your Pi needs a static local IP. Edit dhcpcd.conf:
sudo nano /etc/dhcpcd.conf
Add at the bottom (adjust for your network):
interface eth0
static ip_address=192.168.1.100/24
static routers=192.168.1.1
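static domain_name_servers=192.168.1.1
Save (Ctrl+O, Enter, Ctrl+X) and reboot:
sudo reboot
Step 4: Install PiVPN
One command does everything: [4]
curl -L https://install.pivpn.io | bash
This pipes a remote script straight into bash. To read it first, save it to a file, review it, and then run that file with bash.
The installer walks you through: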
- Choose VPN: Select WireGuard (faster, lighter than OpenVPN)
- Default user: Accept or change
- Port: Default 51820 is fine (or pick another to be less obvious)
- DNS provider: Select your Pi-hole if you have one, otherwise choose a public DNS
- Public IP or DNS: Enter your public IP or DuckDNS hostname
- Enable automatic updates: Recommended
Step 5: Configure Router Port Forwarding
Log into your router (usually 192.168.1.1). Find "Port Forwarding" or "NAT" settings. Create a rule: [1]
- External port: 51820 (or whatever you chose)
- Internal IP: 192.168.1.100 (your Pi's static IP)
- Internal port: 51820
- Protocol: UDP
This tells your router to send incoming VPN connections to your Pi.
Step 6: Create Client Profiles
For each device (phone, laptop, etc.):
pivpn add
Enter a name (e.g., "iphone" or "laptop"). PiVPN generates a config file and QR code.
View the QR code:
pivpn -qr
On your phone, install the WireGuard app and scan the QR code. Done - you can now connect to your home network from anywhere.
For laptops, copy the config file:
cat ~/configs/laptop.conf
Import it into the WireGuard desktop app.
Method 2: Manual WireGuard (More Control)
If you want to understand what's happening or customize beyond PiVPN defaults, here's manual setup on any Debian/Ubuntu system. [5]
Step 1: Install WireGuard
sudo apt update
sudo apt install wireguard
Step 2: Generate Server Keys
wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
sudo chmod 600 /etc/wireguard/server_private.key
Step 3: Create Server Config
sudo nano /etc/wireguard/wg0.conf
Add (replace with your private key):
[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Client configs will be added here
Step 4: Enable IP Forwarding
sudo nano /etc/sysctl.conf
Uncomment or add:
net.ipv4.ip_forward=1
Apply:
sudo sysctl -p
Step 5: Create Client Config
On your client device, generate keys:
umask 077  # new files (including the private key) are readable only by you
wg genkey | tee client_private.key | wg pubkey > client_public.key
Add client to server config (/etc/wireguard/wg0.conf):
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
Client config file:
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 192.168.1.100 # Your Pi-hole or home DNS
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = your.duckdns.org:51820
AllowedIPs = 0.0.0.0/0 # Route all traffic (full tunnel)
# AllowedIPs = 192.168.1.0/24, 10.0.0.0/24 # Route only home network (split tunnel)
PersistentKeepalive = 25
Step 6: Start WireGuard
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
Check status:
sudo wg show
Setting Up Dynamic DNS (DuckDNS)
If your ISP gives you a dynamic public IP: [3]
- Go to duckdns.org and sign in with GitHub/Google/etc.
- Create a subdomain (e.g., myhomevpn.duckdns.org)
- Note your token
On your Pi, create an update script:
mkdir -p ~/duckdns
nano ~/duckdns/duck.sh
Add:
#!/bin/bash
# -K - makes curl read the URL (and token) from stdin; TLS certificate verification stays on (no -k)
echo url="https://www.duckdns.org/update?domains=YOUR_DOMAIN&token=YOUR_TOKEN&ip=" | curl -o ~/duckdns/duck.log -K -
Make it executable for your user only (it contains your token) and schedule it:
chmod 700 ~/duckdns/duck.sh
crontab -e
Add:
*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1
This updates DuckDNS every 5 minutes with your current public IP.
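A hardened variant of the update script, as an added example rather than DuckDNS's or this guide's own script: it keeps TLS verification on, reads the token from a separate file, and treats anything other than DuckDNS's OK reply as a failure. The token file ~/duckdns/token and the names DUCK_DOMAIN, DUCK_TOKEN_FILE, DUCK_LOG and CURL are assumptions of this example.

```shell
#!/bin/sh
# Added example (not DuckDNS's or this guide's own script).
# Assumed names: DUCK_DOMAIN, DUCK_TOKEN_FILE, DUCK_LOG, CURL.
DUCK_DOMAIN="${DUCK_DOMAIN:-YOUR_DOMAIN}"
DUCK_TOKEN_FILE="${DUCK_TOKEN_FILE:-$HOME/duckdns/token}"

# Returns: 0 updated, 2 token file unsafe or unreadable,
#          3 transport/TLS/HTTP failure, 4 DuckDNS answered KO.
duck_update() {
    # Refuse a token file that group or others can read.
    if [ -n "$(find "$DUCK_TOKEN_FILE" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
        echo "token file is readable by other users: chmod 600 $DUCK_TOKEN_FILE" >&2
        return 2
    fi
    token=$(cat "$DUCK_TOKEN_FILE" 2>/dev/null) || return 2
    [ -n "$token" ] || return 2
    # The URL goes to curl on stdin (-K -), so the token never shows up in
    # the process list. No -k: the server certificate is verified.
    reply=$(printf 'url = "https://www.duckdns.org/update?domains=%s&token=%s&ip="\n' \
                "$DUCK_DOMAIN" "$token" |
            ${CURL:-curl} --silent --show-error --fail --max-time 20 -K -) || return 3
    # DuckDNS answers with the body OK on success and KO on failure.
    [ "$reply" = "OK" ] || return 4
}

# Cron entry point: log one line per run instead of discarding the result.
duck_cron() {
    rc=0
    duck_update || rc=$?
    echo "$(date '+%Y-%m-%dT%H:%M:%S') duckdns rc=$rc" >> "${DUCK_LOG:-$HOME/duckdns/duck.log}"
    return "$rc"
}

case "${1:-}" in run) duck_cron ;; esac
```

Saved as ~/duckdns/duck.sh, the cron line becomes `~/duckdns/duck.sh run`, and a non-zero rc in duck.log tells you which stage failed.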
Combining with Pi-hole
If you run Pi-hole for network-wide ad blocking, your VPN clients can use it too - getting ad-blocking on your phone even when away from home. [6]
During PiVPN setup, when asked for DNS, select your Pi-hole's IP address. Or in manual setup, set the client's DNS to your Pi-hole's local IP.
This means:
- Connect to VPN from anywhere
- All DNS queries go through Pi-hole
- Ads blocked on your phone at the coffee shop
- Trackers blocked on hotel WiFi
See our Pi-hole setup guide if you haven't set that up yet.
Full Tunnel vs. Split Tunnel
You have two routing options: [2]
Full Tunnel (AllowedIPs = 0.0.0.0/0)
All traffic goes through your home network:
- Pros: Your browsing uses your home IP, ISP sees encrypted traffic only, works with Pi-hole
- Cons: Slower (traffic goes home then out), uses your home bandwidth
- Best for: Public WiFi, wanting home IP address, using Pi-hole
Split Tunnel (AllowedIPs = 192.168.1.0/24)
Only home network traffic goes through VPN:
- Pros: Faster for general browsing, less home bandwidth use
- Cons: Public sites see your current IP, no Pi-hole for general browsing
- Best for: Just accessing home resources, good current network connection
You can create different client profiles for different use cases.
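To check which mode a client profile actually gives you, this added example (not from the guide or the WireGuard project) reads a client config and classifies its AllowedIPs. It also flags a full tunnel that covers only IPv4, in which case IPv6 traffic on a dual-stack network stays outside the VPN; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the guide or of WireGuard).
# tunnel_mode reads a client config on stdin and prints one of:
#   full-tunnel         0.0.0.0/0 and ::/0 are both routed into the VPN
#   full-tunnel-v4only  all IPv4 is routed, IPv6 stays on the local network
#   split-tunnel        only the listed subnets are routed
tunnel_mode() {
    awk '
        { sub(/#.*/, "") }                    # drop comments and commented-out lines
        /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/^[^=]*=/, "")                # keep the value only
            gsub(/[ \t]/, "")
            n = split($0, cidr, ",")
            for (i = 1; i <= n; i++) {
                if (cidr[i] == "0.0.0.0/0")   v4 = 1
                if (cidr[i] == "0.0.0.0/1")   lo = 1   # two /1 halves are an
                if (cidr[i] == "128.0.0.0/1") hi = 1   # equivalent full tunnel
                if (cidr[i] == "::/0")        v6 = 1
            }
        }
        END {
            if (lo && hi) v4 = 1
            if (v4 && v6) print "full-tunnel"
            else if (v4)  print "full-tunnel-v4only"
            else          print "split-tunnel"
        }'
}

# Constructed sample: the client config from Step 5 of the manual setup.
sample_client_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 192.168.1.100 # Your Pi-hole or home DNS
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = your.duckdns.org:51820
AllowedIPs = 0.0.0.0/0 # Route all traffic (full tunnel)
# AllowedIPs = 192.168.1.0/24, 10.0.0.0/24 # Route only home network (split tunnel)
PersistentKeepalive = 25
EOF
}

sample_client_conf | tunnel_mode
```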
Security Considerations
What This Protects
- Encrypted connection between you and home - public WiFi can't snoop
- Secure access to home devices without exposing them to the internet
- Your home IP for services that block commercial VPNs
What This Doesn't Protect
- Anonymity - you're connecting to your home, which is tied to your identity
- If your home network is compromised, VPN connects you to a compromised network
- Your ISP at home still sees your traffic (unless you chain to another VPN)
Hardening Tips
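- Use a non-standard port: Instead of 51820, use something like 443 or 53 (looks like HTTPS or DNS). WireGuard runs over UDP, so the router forward stays UDP, and if Pi-hole runs on the same Pi, port 53 is already in use by its DNS service. This cuts down on scan noise; it does not replace the other measures in this list.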
- Keep software updated: Run updates regularly on your Pi
- Use fail2ban: Protect SSH access
- Firewall everything else: Only expose the VPN port
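One more check worth automating for the manual setup, as an added example (not PiVPN's or WireGuard's code): on the server, each [Peer]'s AllowedIPs decides which tunnel addresses that client may use, so every client should have its own /32 as in Step 5. The function names and the sample config are constructed; the 10.0.0.0/24 subnet is the one used in this guide.

```shell
#!/bin/sh
# Added example (not part of the guide or of WireGuard).
# On the server, a peer's AllowedIPs lists the source addresses that peer may
# use inside the tunnel, so each client should own exactly one unique /32.
# Assumption: tunnel subnet 10.0.0.0/24, given as the prefix "10.0.0." ($1).
audit_peers() {
    awk -v net="${1:-10.0.0.}" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }     # strip comments and blanks
        /^\[/ { inpeer = ($0 == "[Peer]"); if (inpeer) n++; next }
        inpeer && /^AllowedIPs=/ {
            sub(/^AllowedIPs=/, "")
            has[n] = 1
            k = split($0, cidr, ",")
            for (i = 1; i <= k; i++) {
                if (cidr[i] !~ /\/32$/)
                    print "peer " n ": " cidr[i] " is wider than /32"
                else if (index(cidr[i], net) != 1)
                    print "peer " n ": " cidr[i] " is outside " net "0/24"
                if (cidr[i] in owner)
                    print "peer " n ": " cidr[i] " already assigned to peer " owner[cidr[i]]
                else
                    owner[cidr[i]] = n
            }
        }
        END { for (p = 1; p <= n; p++) if (!has[p]) print "peer " p ": no AllowedIPs" }'
}

# Constructed sample: the phone entry reuses the laptop address and the
# tablet entry was given the whole subnet.
sample_server_conf() {
    cat <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = LAPTOP_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = PHONE_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = TABLET_PUBLIC_KEY
AllowedIPs = 10.0.0.0/24
EOF
}

sample_server_conf | audit_peers
```

On the real server, run it as `sudo cat /etc/wireguard/wg0.conf | audit_peers`; no output means every peer is pinned to its own address.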
Troubleshooting
Can't Connect
- Port forwarding: Verify the rule is correct and active in your router
- Firewall: Check UFW or iptables isn't blocking 51820/UDP
- WireGuard running: Verify with sudo systemctl status wg-quick@wg0
- Public IP correct: Check whatismyip.com matches your config
- DuckDNS updating: Check ~/duckdns/duck.log for errors
Connected But Can't Access Home Devices
- IP forwarding: Verify cat /proc/sys/net/ipv4/ip_forward returns 1
- iptables rules: Check PostUp rules are applied with sudo iptables -L -t nat
- Subnet mismatch: Ensure AllowedIPs includes your home subnet
Slow Speeds
- Home upload speed limits VPN throughput - check with speedtest
- Raspberry Pi 3B+ can bottleneck at ~100Mbps; Pi 4/5 handles gigabit
- Switch to split tunnel if you don't need full tunnel
Related Projects
Once you have home VPN running, consider:
- Pi-hole: Network-wide ad blocking, works through VPN - Setup guide
- Nextcloud: Self-hosted file sync accessible via VPN - Setup guide
- Home Assistant: Smart home control, securely accessed via VPN
- Jellyfin/Plex: Stream your media library from anywhere
Cost Comparison
| Solution | Upfront Cost | Monthly Cost | 5-Year Total |
|---|---|---|---|
| Raspberry Pi 4 (2GB) | ~$60 (Pi + power + SD) | ~$0.50 electricity | ~$90 |
| Old laptop | $0 (you have one) | ~$3-5 electricity | ~$180-300 |
| Commercial VPN | $0 | $5-12 | $300-720 |
A Raspberry Pi home VPN pays for itself within a year versus commercial VPN subscriptions - and gives you capabilities no commercial VPN can match.
Related Guides
- Pi-hole Network Ad Blocking - Combine with your VPN for mobile ad-blocking
- Build Your Own VPN on Cloud - For hiding your location, not home access
- VPN Strategy Guide - When to use what type of VPN
- Self-Hosted Cloud Storage - Access files via your home VPN
- Supply Chain Attacks - Why self-hosting beats trusting third parties
References
[1] Jeff Geerling. "Build your own private WireGuard VPN with PiVPN." 2023. jeffgeerling.com
[2] Pi My Life Up. "Setting up a WireGuard VPN on the Raspberry Pi." pimylifeup.com
[3] Jan's Hobbies. "Full personal home VPN server on a Raspberry Pi." July 2024. wielenga.co.uk
[4] PiVPN. "The simplest way to setup a VPN." pivpn.io
[5] LinuxBabe. "Set Up Your Own WireGuard VPN Server on Ubuntu." linuxbabe.com
[6] GitHub - pihole-wireguard-stack. "Raspberry Pi-based DNS and VPN setup." github.com