Using NordVPN and a Raspberry Pi to Create a Secure Internet Gateway

Do you ever wish you could route all your internet-connected devices through a VPN, even the ones that don’t support VPN clients natively? Using a Raspberry Pi and a NordVPN subscription (if you don’t have a subscription yet, you can use my affiliate link¹ to get one), you can set up a personal VPN gateway that encrypts all outbound traffic—great for privacy, security, or accessing region-locked content.

In this post, I’ll walk you through how to turn a Raspberry Pi into a NordVPN-powered gateway. I’ll also cover relevant concepts like how VPNs work, what a gateway is, and why this setup can benefit you.

---

🌐 What Is a VPN Gateway?

A VPN Gateway is a device that connects your local network to a remote VPN server. When your device sends data, the gateway encrypts it and sends it to the VPN server before it reaches the wider internet. This way, all your traffic appears to come from the VPN server—not your home IP.

In our case, the Raspberry Pi (¹) acts as the gateway.

graph LR
device["Device (phone / laptop / IoT)"] -->|"Connect to Pi"| pi["Raspberry Pi VPN Gateway"]
pi -->|"Encrypt & tunnel"| nord["NordVPN Server"]
nord -->|"Forward"| internet["Internet"]
pi -->|"Local LAN access"| router["Home Router"]

---

💻 Why Use a Raspberry Pi?

The Raspberry Pi is:

• 💸 Affordable
• ⚡ Energy-efficient
• 🧰 Easy to configure
• 🕒 Perfect for 24/7 use

You can set it up as a router or DHCP server, but for simplicity, we’ll configure it as a VPN gateway that sits between your router and your device.

---

🧾 What You’ll Need

Before we get started, make sure you have:

• A Raspberry Pi 3 or later (Pi 4 recommended)
• 💾 A microSD card with Raspberry Pi OS installed
• 🔐 A NordVPN account
• 🌐 (optional) A second network interface (e.g., USB Wi-Fi adapter or Ethernet)
• 🧑‍💻 Basic command-line knowledge
• 📱 A device (laptop/phone) to connect through the Pi

---

⚙️ Step 1: Set Up Raspberry Pi OS

Start by flashing Raspberry Pi OS (Lite or Full) onto your SD card using the Raspberry Pi Imager. After initial boot:

sudo apt update && sudo apt upgrade -y

Then, set a static IP for your Pi (you’ll need it as a gateway). Edit the DHCP config file:

sudo nano /etc/dhcpcd.conf

Add something like this at the end:

interface eth0
static ip_address=192.168.1.2/24
static routers=192.168.1.1
static domain_name_servers=1.1.1.1 8.8.8.8

---

🔐 Step 2: Install and Configure NordVPN

Install the NordVPN CLI:

sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)

Then log in and connect:

nordvpn login
nordvpn set technology nordlynx  # Use WireGuard
nordvpn connect

To make sure the VPN starts on boot and stays active:

nordvpn set autoconnect on

Check your connection with:

nordvpn status

---

🔁 Step 3: Enable IP Forwarding and Configure NAT

Your Pi needs to forward traffic from other devices to NordVPN.

1. 📝 Enable IP forwarding:

sudo nano /etc/sysctl.conf

Uncomment or add:

net.ipv4.ip_forward=1

Apply immediately:

sudo sysctl -p

1. 🔀 Set up NAT with iptables:

sudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o nordlynx -j ACCEPT
sudo iptables -A FORWARD -i nordlynx -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Replace wlan0 with the interface your devices will connect to.

1. 💾 Save the rules:

sudo apt install iptables-persistent
sudo netfilter-persistent save

---

📶 Step 4: Configure Raspberry Pi as a Wi-Fi Access Point (Optional)

If you want to connect other devices via Wi-Fi:

1. 📦 Install required packages:

sudo apt install hostapd dnsmasq

1. ️️✍️ Configure hostapd:

sudo nano /etc/hostapd/hostapd.conf

Example:

interface=wlan0
driver=nl80211
ssid=VPN-Gateway
hw_mode=g
channel=7
wmm_enabled=0
auth_algs=1
wpa=2
wpa_passphrase=YourSecurePassword
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

Then point hostapd to this config:

sudo nano /etc/default/hostapd

Set:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

1. 🛠️ Set up DHCP server using dnsmasq:

sudo nano /etc/dnsmasq.conf

Add:

interface=wlan0
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h

1. ⚓ Assign static IP to wlan0:

sudo nano /etc/dhcpcd.conf

Add:

interface wlan0
    static ip_address=192.168.4.1/24
    nohook wpa_supplicant

Then enable services:

sudo systemctl enable hostapd
sudo systemctl enable dnsmasq

🔁 Reboot the Pi.

---

🧪 Step 5: Test Your VPN Gateway

Connect your laptop or phone to the Raspberry Pi’s Wi-Fi network (or via Ethernet). Visit https://whatismyipaddress.com to check if your traffic is going through the VPN.

You should see the NordVPN server’s IP address instead of your ISP’s.

---

🆕 UPDATE: Important Changes in NordVPN Linux Client (November 2025)

Critical Update (Nov 2025): NordVPN changed the Linux client behavior in ways that affect gateway setups. The important bit is that LAN-originating traffic is blocked by default on recent NordVPN releases — you must explicitly allow LAN traffic for a Pi-based gateway to work.

LAN traffic and allowlisting

On current NordVPN Linux releases the client blocks LAN->VPN forwarding by default. To restore gateway functionality either enable LAN discovery or add your LAN subnets to NordVPN’s whitelist.

Option A — enable LAN discovery:

nordvpn set lan-discovery enable

Option B — whitelist your local subnets (example):

# For devices on the Pi-hosted Wi‑Fi (192.168.4.0/24)
nordvpn whitelist add subnet 192.168.4.0/24

# For devices on your main LAN (192.168.1.0/24)
nordvpn whitelist add subnet 192.168.1.0/24

Installation (notes)

The installer command is unchanged. If curl isn’t available use wget instead:

# Primary
sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)

# Fallback (no curl)
sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)

Permission fix for socket access

If you see Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock add the user to the nordvpn group and reboot:

sudo usermod -aG nordvpn $USER
sudo reboot

New Features Available

Post-Quantum Encryption (for enhanced security):

nordvpn set pq on

Meshnet Support (for connecting devices across networks):

nordvpn set meshnet on

Enhanced Threat Protection:

nordvpn set threatprotectionlite on

Updated complete setup (summary)

1. Install NordVPN.
2. Configure NordVPN and enable LAN support (one of the options above):

nordvpn login
nordvpn set technology nordlynx
nordvpn set autoconnect on
# either enable LAN discovery
nordvpn set lan-discovery enable
# or add your subnets to the whitelist
# nordvpn whitelist add subnet 192.168.4.0/24
nordvpn connect

1. Verify LAN access:

nordvpn settings   # confirm LAN Discovery is enabled (or whitelist entries present)
ip link show       # check for the nordlynx interface

1. Continue with IP forwarding and NAT/iptables rules as documented above.

Troubleshooting

If devices still can’t access the internet through your Pi:

1. Confirm NordVPN LAN discovery or whitelist: nordvpn settings / nordvpn whitelist list
2. Check the nordlynx interface is up: ip link show nordlynx or ip a
3. Verify iptables rules reference the correct interfaces (wlan0, eth0, nordlynx)
4. Confirm IP forwarding is enabled: sysctl net.ipv4.ip_forward
5. Check that iptables-persistent restored rules after reboot: sudo netfilter-persistent status

Migration for Existing Setups

If you have an existing setup that stopped working:

1. Update NordVPN:

   sudo apt update
   nordvpn --version  # Check current version
   

2. Enable LAN discovery:

   nordvpn set lan-discovery enable
   

3. Restart NordVPN connection:

   nordvpn disconnect
   nordvpn connect
   

This change significantly improves security by preventing unintended LAN access, but it requires explicit configuration for gateway setups.

---

✅ Quick checklist — verify your gateway

Use this checklist to validate the core pieces after setup; you asked for a review checklist you can run through quickly.

• Confirm NordVPN is installed and updated: nordvpn --version
• Ensure NordVPN is connected and LAN access is configured (either lan-discovery enabled or whitelist entries present): nordvpn settings
• Check the VPN tunnel interface is present (usually nordlynx): ip link show nordlynx or ip a
• Verify IP forwarding is enabled: sysctl net.ipv4.ip_forward (should be 1)
• Verify NAT rules are applied and reference the correct interfaces: sudo iptables -t nat -S and sudo iptables -S
• Check that iptables-persistent loaded rules after reboot: sudo netfilter-persistent status
• Test from a client device: visit https://whatismyipaddress.com and confirm the visible IP matches the NordVPN server (or use curl ifconfig.me from the device)

---

🧠 Final Thoughts

Setting up a Raspberry Pi as a VPN gateway using NordVPN is a powerful way to secure all your devices—even ones that don’t support VPNs. With the recent security improvements in NordVPN’s Linux client, the setup requires a bit more configuration but provides better control over network access.

The addition of LAN discovery controls means your gateway setup is more secure by default, while still allowing you to explicitly enable the traffic forwarding needed for a VPN gateway. This project teaches essential networking skills like NAT, routing, and working with iptables, while also demonstrating modern VPN client security features.

Whether you’re privacy-conscious, a traveler trying to beat geo-blocks, or someone who enjoys DIY network projects, this updated approach gives you both functionality and security. The key is understanding and properly configuring the new LAN discovery features to work with your specific network topology.

---

1. Affiliate link - if you make a purchase through this link, I may earn a small commission. There are no additional costs for you. Of course, when, where, and how you buy a product is entirely up to you. ↩︎ ↩︎²

Want to help fuel more posts? You know what to do: