Ansible playbook to set up a VPN router using OpenWrt 21.02.3 and ProtonVPN on a Raspberry Pi (RPI) 4B with a Realtek RTL8192CU USB WiFi adapter. Based on NetworkChuck, OpenWrt, and ProtonVPN tutorials.
- Flash OpenWrt to an SD card, see here for the tutorial and here to download the factory image. If your RPI is already running OpenWrt, you can set `sysupgrade` to `yes` in `roles/common/defaults/main.yml` and download a sysupgrade image (named `*.img.gz`) to `roles/common/files` to automatically update the RPI in the playbook.
- Connect to your RPI via ethernet, see here. By default, the IP address of your RPI is configured as static `192.168.1.1`.
- Install Ansible, see here.
- Install the ansible-openwrt role via `ansible-galaxy install gekmihesg.openwrt`
- Download your OpenVPN config files (named `*.ovpn`) to `roles/common/files`. If you add multiple configurations, you can specify the default one using `default_openvpn_config` in `roles/common/defaults/main.yml`.
- Edit the secrets in `group_vars/openwrt/vault.example.yml`, save as `group_vars/openwrt/vault.yml`, and encrypt using `ansible-vault encrypt group_vars/openwrt/vault.yml`. If necessary, adapt the default values in `roles/common/defaults/main.yml`.
- Run `ansible-playbook site.yml -i hosts.yml --ask-vault-pass` to set up your RPI.
- Change the root password: `ssh root@192.168.1.1 passwd`.
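
A pre-flight check that can be run from the repository root before the playbook step above, added here as an example and not part of the playbook itself. It confirms that `group_vars/openwrt/vault.yml` carries the `$ANSIBLE_VAULT;` header that `ansible-vault encrypt` writes and that at least one `*.ovpn` profile is staged; the function names `is_vault_encrypted` and `preflight` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the playbook. Function names are hypothetical.

# ansible-vault writes a header line starting with "$ANSIBLE_VAULT;" to every
# file it encrypts; a plaintext vault.yml will not have it.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    first_line=$(head -n 1 "$1")
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: preflight <repo-dir>   (defaults to the current directory)
# Returns 0 only if the secrets file is encrypted and a profile is staged.
preflight() {
    repo=${1:-.}
    rc=0

    vault="$repo/group_vars/openwrt/vault.yml"
    if ! is_vault_encrypted "$vault"; then
        echo "FAIL: $vault is missing or still plaintext" >&2
        rc=1
    fi

    # The role needs at least one OpenVPN profile in roles/common/files.
    found=0
    for f in "$repo"/roles/common/files/*.ovpn; do
        [ -f "$f" ] || continue   # unmatched glob stays literal; skip it
        found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no *.ovpn file in $repo/roles/common/files" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: vault encrypted, OpenVPN profile present"
    return "$rc"
}
```

A non-zero return means the secrets file would be read, and possibly committed, in plaintext, or that the role has no VPN profile to install.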
If you set `new_lan_ip` in `group_vars/openwrt/vault.yml`, the playbook changes the IP address of your RPI and you need to adjust your local ethernet configuration. If you want to re-run the playbook, you will need to pass the new IP address: `ansible-playbook site.yml -i hosts.yml --extra-vars "host_ip=<new_lan_ip>" --ask-vault-pass`.
After running the playbook, your RPI should be connected to the WiFi specified by `vault_sta_interface` in `group_vars/openwrt/vault.yml`. Moreover, it should provide a hotspot named `rpi_vpn` with password given by `vault_ap_interface_key` in `group_vars/openwrt/vault.yml`. Any device connected to this hotspot should automatically be using the VPN given by the configuration in `roles/common/files`. Check your device's public IP address and check for DNS leaks!