You're at a coffee shop using public WiFi. You need a file from your home NAS. With a home VPN server, you connect securely in seconds - encrypted tunnel straight to your home network. Access your files, check your security cameras, print to your home printer, or browse through your home connection instead of the sketchy coffee shop network. No monthly fees. No trusting third parties. Just your hardware, your network, your control. [1]

A home VPN is different from commercial VPNs. Commercial VPNs route your traffic through their servers to mask your location. A home VPN connects you securely to your own network when you're away - letting you access local devices and optionally route your internet traffic through your home connection.

What You'll Get

  • Remote access: Reach any device on your home network from anywhere
  • Secure browsing: Route traffic through your home connection on public WiFi
  • No monthly fees: One-time hardware cost, free forever after
  • Full control: Your server, your logs (or lack of them), your rules
  • Combine with Pi-hole: Ad-blocking even on mobile, anywhere in the world

Two Approaches: Raspberry Pi vs. Old Computer

You have two main options for home VPN hardware:

Option A: Raspberry Pi (Recommended)

A Raspberry Pi is the ideal home VPN server: [2]

  • Low power: 3-5 watts - costs ~$5/year in electricity
  • Silent: No fans, no noise
  • Compact: Tuck it anywhere with ethernet
  • Cheap: Pi 4 or 5 costs $35-80 + power supply + SD card
  • Reliable: Can run 24/7 for years

Recommended: Raspberry Pi 4 (2GB+ RAM) or Raspberry Pi 5. A Pi 3B+ works but is noticeably slower. Don't use a Pi Zero for VPN - too weak.

Option B: Old PC or Laptop

Any Linux-capable computer works:

  • Pros: Likely free (you have one in a closet), more powerful
  • Cons: Uses 30-100+ watts, generates heat, takes up space, potentially noisy
  • Best for: Setups where you already run a home server for other purposes

If running an old laptop, you can close the lid and set it to not sleep. For desktops, consider power consumption - a VPN server is always-on.

Prerequisites

Before starting:

  1. Router access: You need to configure port forwarding
  2. Static local IP: Your VPN server needs a fixed IP on your network (e.g., 192.168.1.100)
  3. Public IP or Dynamic DNS: To reach your home from outside
  4. Basic Linux familiarity: You'll run terminal commands

About Your Public IP

Most home internet connections have dynamic public IPs - they change occasionally. Two solutions: [3]

  • Check if static: Some ISPs offer static IPs (often for a fee)
  • Use Dynamic DNS: Free services like DuckDNS, No-IP, or Dynu update a hostname to your current IP. You connect to "myhome.duckdns.org" instead of an IP address.

DuckDNS is free and works well. We'll cover setup below.

Method 1: PiVPN (Easiest)

PiVPN is a one-command installer that configures WireGuard (or OpenVPN) with secure defaults. Perfect for beginners. [4]

Step 1: Install Raspberry Pi OS

  1. Download Raspberry Pi Imager from raspberrypi.com
  2. Flash Raspberry Pi OS Lite (64-bit) to your SD card
  3. Enable SSH: In Imager, click the gear icon, enable SSH, set username/password
  4. Configure WiFi (optional): Set your network credentials if not using ethernet
  5. Insert SD card, connect ethernet, power on

Step 2: Initial Setup

SSH into your Pi (replace the username with the one you set in Imager and the IP with your Pi's address):

ssh YOUR_USERNAME@YOUR_PI_IP

Update the system:

sudo apt update && sudo apt upgrade -y

Step 3: Set Static IP

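Your Pi needs a static local IP. Edit dhcpcd.conf (Raspberry Pi OS Bookworm and later use NetworkManager instead of dhcpcd; there, set the address with nmtui or reserve it in your router's DHCP settings):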

sudo nano /etc/dhcpcd.conf

Add at the bottom (adjust for your network):

interface eth0
static ip_address=192.168.1.100/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1

Save (Ctrl+O, Enter, Ctrl+X) and reboot:

sudo reboot

Step 4: Install PiVPN

One command does everything: [4]

curl -L https://install.pivpn.io | bash

The installer walks you through:

  1. Choose VPN: Select WireGuard (faster, lighter than OpenVPN)
  2. Default user: Accept or change
  3. Port: Default 51820 is fine (or pick another to be less obvious)
  4. DNS provider: Select your Pi-hole if you have one, otherwise choose a public DNS
  5. Public IP or DNS: Enter your public IP or DuckDNS hostname
  6. Enable automatic updates: Recommended

Step 5: Configure Router Port Forwarding

Log into your router (usually 192.168.1.1). Find "Port Forwarding" or "NAT" settings. Create a rule: [1]

  • External port: 51820 (or whatever you chose)
  • Internal IP: 192.168.1.100 (your Pi's static IP)
  • Internal port: 51820
  • Protocol: UDP

This tells your router to send incoming VPN connections to your Pi.

Step 6: Create Client Profiles

For each device (phone, laptop, etc.):

pivpn add

Enter a name (e.g., "iphone" or "laptop"). PiVPN generates a config file and QR code.

View the QR code:

pivpn -qr

On your phone, install the WireGuard app and scan the QR code. Done - you can now connect to your home network from anywhere.

For laptops, copy the config file:

cat ~/configs/laptop.conf

Import it into the WireGuard desktop app.

Method 2: Manual WireGuard (More Control)

If you want to understand what's happening or customize beyond PiVPN defaults, here's manual setup on any Debian/Ubuntu system. [5]

Step 1: Install WireGuard

sudo apt update
sudo apt install wireguard

Step 2: Generate Server Keys

wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
sudo chmod 600 /etc/wireguard/server_private.key

Step 3: Create Server Config

sudo nano /etc/wireguard/wg0.conf

Add (replace with your private key):

[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Client configs will be added here

Step 4: Enable IP Forwarding

sudo nano /etc/sysctl.conf

Uncomment or add:

net.ipv4.ip_forward=1

Apply:

sudo sysctl -p

Step 5: Create Client Config

On your client device, generate keys:

# umask 077 makes the new key files readable only by your user
(umask 077; wg genkey | tee client_private.key | wg pubkey > client_public.key)

Add client to server config (/etc/wireguard/wg0.conf):

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

Client config file:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 192.168.1.100  # Your Pi-hole or home DNS

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = your.duckdns.org:51820
AllowedIPs = 0.0.0.0/0  # Route all traffic (full tunnel)
# AllowedIPs = 192.168.1.0/24, 10.0.0.0/24  # Route only home network (split tunnel)
PersistentKeepalive = 25

Step 6: Start WireGuard

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Check status:

sudo wg show
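
Once peers have been added, it is worth checking the server file for the two mistakes that matter most in this layout: a config readable by other users, and a peer whose AllowedIPs is wider than its single tunnel address or overlaps another peer's. The script below is an added example, not part of PiVPN or WireGuard; audit_wg_conf and write_sample_conf are hypothetical names, the sample config is constructed, and it assumes GNU stat on Linux.

```sh
#!/bin/sh
# Audit a WireGuard server config laid out like the wg0.conf above.
# audit_wg_conf is a hypothetical helper: one finding per line, silent when clean.
audit_wg_conf() {
    conf=$1
    # The file embeds the server private key, so only its owner should read it.
    mode=$(stat -c '%a' "$conf") || return 2    # GNU/Linux stat
    case $mode in
        600|400) ;;
        *) echo "PERMS: $conf is mode $mode, expected 600" ;;
    esac
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        { sub(/#.*/, "") }                        # strip comments
        /^[ \t]*\[Interface\]/ { in_peer = 0; next }
        /^[ \t]*\[Peer\]/      { in_peer = 1; peers++; next }
        in_peer && /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, nets, ",")
            for (i = 1; i <= n; i++) {
                net = trim(nets[i])
                # Server side, AllowedIPs is the source filter for a peer; in
                # this layout each client should own exactly one address.
                if (net !~ /\/(32|128)$/)
                    print "BROAD: peer " peers " may send from " net
                if (seen[net]++)
                    print "DUPLICATE: " net " is claimed by more than one peer"
            }
        }
        END { if (!peers) print "NOPEERS: no [Peer] sections found" }
    ' "$conf"
}
# Constructed sample: the second peer reuses an address and claims the LAN.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = SECOND_CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24
EOF
    chmod 644 "$1"
}
tmp=$(mktemp) && write_sample_conf "$tmp" && audit_wg_conf "$tmp"; rm -f "$tmp"
```

Run it against the real file with sudo, for example by calling audit_wg_conf /etc/wireguard/wg0.conf from a root shell.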

Setting Up Dynamic DNS (DuckDNS)

If your ISP gives you a dynamic public IP: [3]

  1. Go to duckdns.org and sign in with GitHub/Google/etc.
  2. Create a subdomain (e.g., myhomevpn.duckdns.org)
  3. Note your token

On your Pi, create an update script:

mkdir -p ~/duckdns
nano ~/duckdns/duck.sh

Add:

#!/bin/bash
# The request carries your DuckDNS token, so let curl verify the TLS certificate (no -k).
echo url="https://www.duckdns.org/update?domains=YOUR_DOMAIN&token=YOUR_TOKEN&ip=" | curl -o ~/duckdns/duck.log -K -

Make it executable (owner-only, because the script contains your token) and schedule it:

chmod 700 ~/duckdns/duck.sh
crontab -e

Add:

*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1

This updates DuckDNS every 5 minutes with your current public IP.

Combining with Pi-hole

If you run Pi-hole for network-wide ad blocking, your VPN clients can use it too - getting ad-blocking on your phone even when away from home. [6]

During PiVPN setup, when asked for DNS, select your Pi-hole's IP address. Or in manual setup, set the client's DNS to your Pi-hole's local IP.

This means:

  • Connect to VPN from anywhere
  • All DNS queries go through Pi-hole
  • Ads blocked on your phone at the coffee shop
  • Trackers blocked on hotel WiFi

See our Pi-hole setup guide if you haven't set that up yet.

Full Tunnel vs. Split Tunnel

You have two routing options: [2]

Full Tunnel (AllowedIPs = 0.0.0.0/0)

All traffic goes through your home network:

  • Pros: Your browsing uses your home IP, ISP sees encrypted traffic only, works with Pi-hole
  • Cons: Slower (traffic goes home then out), uses your home bandwidth
  • Best for: Public WiFi, wanting home IP address, using Pi-hole

Split Tunnel (AllowedIPs = 192.168.1.0/24)

Only home network traffic goes through VPN:

  • Pros: Faster for general browsing, less home bandwidth use
  • Cons: Public sites see your current IP, no Pi-hole for general browsing
  • Best for: Just accessing home resources, good current network connection

You can create different client profiles for different use cases.
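
To see which traffic each profile actually protects, the following added example (not from the original guide) evaluates the two AllowedIPs lines from the client config against sample destinations. It covers IPv4 only and destinations outside the tunnel's own 10.0.0.0/24 subnet; the function names are hypothetical and 203.0.113.10 is a constructed stand-in for a public website.

```sh
#!/bin/sh
# Which destinations does a client send into the tunnel for a given
# AllowedIPs line? IPv4 only; all function names here are hypothetical.

ip_to_int() {
    # Dotted quad -> 32-bit integer.
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr DEST CIDR: succeeds when DEST lies inside CIDR.
    dest=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF ))
    fi
    [ $(( $dest & $mask )) -eq $(( $net & $mask )) ]
}

route_for() {
    # route_for "ALLOWED_IPS" DEST: prints "tunnel" or "direct".
    for cidr in $(echo "$1" | tr ',' ' '); do
        if in_cidr "$2" "$cidr"; then echo tunnel; return 0; fi
    done
    echo direct
}

# The two client profiles from the guide, checked against sample destinations
# (203.0.113.10 is a constructed stand-in for any public website).
FULL="0.0.0.0/0"
SPLIT="192.168.1.0/24, 10.0.0.0/24"
for dest_ip in 192.168.1.100 203.0.113.10; do
    echo "$dest_ip  full=$(route_for "$FULL" "$dest_ip")  split=$(route_for "$SPLIT" "$dest_ip")"
done
```

With the split profile, the public address comes back as "direct": on public WiFi that traffic is not covered by the VPN.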

Security Considerations

What This Protects

  • Encrypted connection between you and home - public WiFi can't snoop
  • Secure access to home devices without exposing them to the internet
  • Your home IP for services that block commercial VPNs

What This Doesn't Protect

  • Anonymity - you're connecting to your home, which is tied to your identity
  • If your home network is compromised, VPN connects you to a compromised network
  • Your ISP at home still sees your traffic (unless you chain to another VPN)

Hardening Tips

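  • Use a non-standard port: Instead of 51820, use something like 443 or 53 (looks like HTTPS or DNS). WireGuard runs over UDP only, so forward the UDP port; treat this as a way to cut scan noise, not as access control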
  • Keep software updated: Run updates regularly on your Pi
  • Use fail2ban: Protect SSH access
  • Firewall everything else: Only expose the VPN port

Troubleshooting

Can't Connect

  1. Port forwarding: Verify the rule is correct and active in your router
  2. Firewall: Check UFW or iptables isn't blocking 51820/UDP
  3. WireGuard running: Verify with sudo systemctl status wg-quick@wg0
  4. Public IP correct: Check whatismyip.com matches your config
  5. DuckDNS updating: Check ~/duckdns/duck.log for errors

Connected But Can't Access Home Devices

  1. IP forwarding: Verify cat /proc/sys/net/ipv4/ip_forward returns 1
  2. iptables rules: Check PostUp rules are applied with sudo iptables -L -t nat
  3. Subnet mismatch: Ensure AllowedIPs includes your home subnet

Slow Speeds

  • Home upload speed limits VPN throughput - check with speedtest
  • Raspberry Pi 3B+ can bottleneck at ~100Mbps; Pi 4/5 handles gigabit
  • Switch to split tunnel if you don't need full tunnel

Related Projects

Once you have home VPN running, consider:

  • Pi-hole: Network-wide ad blocking, works through VPN - Setup guide
  • Nextcloud: Self-hosted file sync accessible via VPN - Setup guide
  • Home Assistant: Smart home control, securely accessed via VPN
  • Jellyfin/Plex: Stream your media library from anywhere

Cost Comparison

Solution              | Upfront Cost            | Monthly Cost        | 5-Year Total
Raspberry Pi 4 (2GB)  | ~$60 (Pi + power + SD)  | ~$0.50 electricity  | ~$90
Old laptop            | $0 (you have one)       | ~$3-5 electricity   | ~$180-300
Commercial VPN        | $0                      | $5-12               | $300-720

A Raspberry Pi home VPN pays for itself within a year versus commercial VPN subscriptions - and gives you capabilities no commercial VPN can match.

References

  1. Jeff Geerling. "Build your own private WireGuard VPN with PiVPN." 2023. jeffgeerling.com
  2. Pi My Life Up. "Setting up a WireGuard VPN on the Raspberry Pi." pimylifeup.com
  3. Jan's Hobbies. "Full personal home VPN server on a Raspberry Pi." July 2024. wielenga.co.uk
  4. PiVPN. "The simplest way to setup a VPN." pivpn.io
  5. LinuxBabe. "Set Up Your Own WireGuard VPN Server on Ubuntu." linuxbabe.com
  6. GitHub - pihole-wireguard-stack. "Raspberry Pi-based DNS and VPN setup." github.com