{"id":30801570,"url":"https://github.com/itzethanus/raspberrypi-nordvpn-gateway","last_synced_at":"2026-04-14T10:33:07.483Z","repository":{"id":313380327,"uuid":"1050352062","full_name":"itzethanus/raspberrypi-nordvpn-gateway","owner":"itzethanus","description":"🌐 Set up a Raspberry Pi as a DNS filtering server with Pi-hole and a NordVPN gateway for secure, selective traffic routing on your network.","archived":false,"fork":false,"pushed_at":"2026-04-11T03:42:51.000Z","size":1986,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-11T05:33:42.273Z","etag":null,"topics":["home-assistant","home-networking","iptables","linux","mqtt","pihole","raspberry-pi","selective-routing","systemd","wireguard"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/itzethanus.png","metadata":{"files":{"readme":"README.en.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-04T10:04:06.000Z","updated_at":"2026-04-11T03:42:58.000Z","dependencies_parsed_at":null,"dependency_job_id":"5be731d5-8a37-48f3-baa2-e2c58383efbe","html_url":"https://github.com/itzethanus/raspberrypi-nordvpn-gateway","commit_stats":null,"previous_names":["itzethanus/raspberrypi-nordvpn-gateway"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/itzethanus/raspberrypi-nordvpn-gateway","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itzethanus%2Fraspberrypi-nordvpn-gateway","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itzethanus%2Fraspberrypi-nordvpn-gateway/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itzethanus%2Fraspberrypi-nordvpn-gateway/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itzethanus%2Fraspberrypi-nordvpn-gateway/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/itzethanus","download_url":"https://codeload.github.com/itzethanus/raspberrypi-nordvpn-gateway/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/itzethanus%2Fraspberrypi-nordvpn-gateway/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31793215,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T02:24:21.117Z","status":"ssl_error","status_checked_at":"2026-04-14T02:24:20.627Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["home-assistant","home-networking","iptables","linux","mqtt","pihole","raspberry-pi","selective-routing","systemd","wireguard"],"created_at":"2025-09-05T21:03:12.205Z","updated_at":"2026-04-14T10:33:07.472Z","avatar_url":"https://github.com/itzethanus.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Raspberry Pi: Pi-hole + NordVPN Gateway\n\nEnglish · [🇳🇴 Norsk](README.md)\n\nThis project sets up a Raspberry Pi as a combined DNS filtering server (Pi-hole) and NordVPN gateway with selective routing based on IP and/or ports. It includes robust startup and monitoring via MQTT and systemd.\n\n---\n\n## 🧭 Goals\n\n* Raspberry Pi with a static IP address.\n* Pi-hole for local DNS blocking across the network.\n* NordVPN connection for traffic from selected devices and/or ports.\n* Automatic recovery of VPN connection in case of router/network failure.\n* (Optional) Integration with Home Assistant via MQTT for monitoring.\n\n---\n\n## 📦 Requirements\n\n* Raspberry Pi 3, 4, or 5 (wired network strongly recommended).\n* Raspberry Pi OS Lite (64-bit), Bookworm or newer.\n* NordVPN account.\n* MQTT broker (optional, only for Home Assistant integration).\n\n---\n\n## ⚠️ Important before you start\n- **IPv6**: The setup is IPv4-based. If IPv6 is enabled in your network, traffic may bypass the VPN. Either disable IPv6 on the Pi/clients, or add equivalent IPv6 rules.  \n- **CORRECT_GATEWAY**: In `nordvpn-gateway.sh`, set the variable `CORRECT_GATEWAY` to the IP of your router (e.g. `192.168.1.1`).  \n- **CPU-temp**: Publishing CPU temperature to MQTT is **disabled by default** (`ENABLE_CPU_TEMP=false`). Enable it if you want to use it.\n\n---\n\n## 🔧 Step-by-step setup\n\n### 0. System setup\n\n1. Install Raspberry Pi OS Lite (64-bit).\n2. Connect via SSH.\n3. Update system:\n\n   ```bash\n   sudo apt update \u0026\u0026 sudo apt full-upgrade -y\n   sudo reboot\n   ```\n4. Set a static IP address (adjust to your network):\n\n   ```bash\n   sudo nmcli con mod \"Wired connection 1\" ipv4.method manual\n   sudo nmcli con mod \"Wired connection 1\" ipv4.addresses 192.168.1.102/24\n   sudo nmcli con mod \"Wired connection 1\" ipv4.gateway 192.168.1.1\n   sudo nmcli con mod \"Wired connection 1\" ipv4.dns \"1.1.1.1,8.8.8.8\"\n   sudo nmcli con up \"Wired connection 1\"\n   sudo reboot\n   ```\n\n   \u003e On older systems without NetworkManager, use `dhcpcd.conf` or `systemd-networkd`.\n\n---\n\n### 1. Install Pi-hole\n\n```bash\ncurl -sSL https://install.pi-hole.net | bash\n```\n\n---\n\n### 2. Install iptables-persistent and enable IP forwarding\n\n```bash\nsudo apt install iptables-persistent -y\n```\n\nEdit `/etc/sysctl.conf` and ensure:\n\n```ini\nnet.ipv4.ip_forward=1\n```\n\nActivate:\n\n```bash\nsudo sysctl -p\n```\n\n---\n\n### 3. Install and configure NordVPN\n\nInstall NordVPN client:\n\n```bash\nsh \u003c(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)\n```\n\nGrant user access and reboot:\n\n```bash\nsudo usermod -aG nordvpn $USER\nsudo reboot\n```\n\nAfter reboot, log in and configure:\n\n```bash\nnordvpn login\nnordvpn set killswitch disabled\nnordvpn set dns off\nnordvpn set autoconnect disabled\nnordvpn set firewall disabled\nnordvpn set routing disabled\nnordvpn set technology NordLynx\nnordvpn set analytics disabled\n```\n\n---\n\n### 4. Create dedicated routing table\n\n```bash\ngrep -qE '^\\s*200\\s+nordvpntable\\b' /etc/iproute2/rt_tables || \\\n  echo \"200 nordvpntable\" | sudo tee -a /etc/iproute2/rt_tables\n```\n\n---\n\n### 5. Configure firewall and selective routing (iptables)\n\n```bash\n# STEP 1: Flush existing rules\nsudo iptables -F \u0026\u0026 sudo iptables -t nat -F \u0026\u0026 sudo iptables -t mangle -F\nsudo iptables -X \u0026\u0026 sudo iptables -t nat -X \u0026\u0026 sudo iptables -t mangle -X\n\n# STEP 2: Default policies\nsudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\nsudo iptables -P OUTPUT ACCEPT\n\n# STEP 3: INPUT rules\nsudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A INPUT -p icmp -j ACCEPT\nsudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT   # SSH\nsudo iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT   # DNS\nsudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT   # DNS\nsudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT   # Pi-hole Web\n\n# STEP 4: MANGLE – mark traffic\n# ADAPT: Change IP addresses and port/protocol as needed\nCLIENT_IPS_TO_VPN=\"192.168.1.128 192.168.1.129 192.168.1.130\"\nfor ip in $CLIENT_IPS_TO_VPN; do\n    echo \"Adding MARK rule for $ip (TCP port 8080)\"\n    sudo iptables -t mangle -A PREROUTING -s \"$ip\" -p tcp --dport 8080 -j MARK --set-mark 1\ndone\n\n# Example: UDP instead of TCP\n# sudo iptables -t mangle -A PREROUTING -s 192.168.1.150 -p udp --dport 51820 -j MARK --set-mark 1\n\n# STEP 5: FORWARD rules\nsudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\nsudo iptables -A FORWARD -i eth0 -o nordlynx -m mark --mark 1 -j ACCEPT\nsudo iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT\n\n# STEP 6: NAT rules\nsudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE\n# Optional: only if Pi should NAT further via eth0\n# sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n\n# STEP 7: Save\nsudo netfilter-persistent save\n```\n\n---\n\n### 6. Download and customize main script\n\n```bash\nsudo wget -O /usr/local/bin/nordvpn-gateway.sh https://raw.githubusercontent.com/Howard0000/raspberrypi-nordvpn-gateway/main/nordvpn-gateway.sh\nsudo chmod +x /usr/local/bin/nordvpn-gateway.sh\nsudo nano /usr/local/bin/nordvpn-gateway.sh\n```\n\n---\n\n### 7. Create systemd service\n\n```bash\nsudo nano /etc/systemd/system/nordvpn-gateway.service\n```\n\nPaste in the following content:\n\n```ini\n[Unit]\nDescription=NordVPN Gateway Service\nAfter=network-online.target nordvpnd.service\nWants=network-online.target\n\n[Service]\nType=simple\nUser=root\nEnvironment=LANG=C LC_ALL=C\nExecStart=/usr/local/bin/nordvpn-gateway.sh\nRestart=always\nRestartSec=15\n# (Optional hardening – test in your environment first)\n# CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW\n# AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW\n# NoNewPrivileges=yes\n# ProtectSystem=full\n# ProtectHome=true\n# PrivateTmp=true\n\n[Install]\nWantedBy=multi-user.target\n```\n\nEnable the service:\n\n```bash\nsudo systemctl daemon-reload\nsudo systemctl enable nordvpn-gateway.service\nsudo systemctl start nordvpn-gateway.service\n```\n\n---\n\n### 8. Configure your router\n\n* Set **Default Gateway** to the Raspberry Pi (e.g. `192.168.1.102`).\n* Set **DNS Server** to the same address.\n* Restart clients.\n\n---\n\n### 9. Testing and verification\n\n```bash\nsudo systemctl status nordvpn-gateway.service\njournalctl -u nordvpn-gateway -f\nip rule show\nip route show table nordvpntable\n```\n\nInstall tcpdump:\n\n```bash\nsudo apt install tcpdump\n```\n\nRun verification script:\n\n```bash\nwget https://raw.githubusercontent.com/Howard0000/raspberrypi-nordvpn-gateway/main/verify_traffic.sh\nchmod +x verify_traffic.sh\nsudo ./verify_traffic.sh\n```\n\nAdapt variables at the top of the script:\n\n```bash\nPORT=8080\nIFACE=\"nordlynx\"\nPROTO=\"tcp\"\n```\n\n---\n\n## 💾 Backup and Maintenance\n\n* Backup `/etc/iptables/rules.v4`, `nordvpn-gateway.sh`, and the systemd unit file.\n* Set up logrotate if you use file logging.\n\n---\n\n## 📡 MQTT and Home Assistant\n\nMQTT is **disabled** by default (`MQTT_ENABLED=false`).\nSet to `true` and fill in broker/user/password in `nordvpn-gateway.sh` to enable.\n\nThe script supports Home Assistant discovery for status, last\\_seen, and CPU temperature.\n\n---\n\n## 🙌 Acknowledgements\n\nThe project is written and maintained by @Howard0000. An AI assistant has helped simplify explanations, clean up the README, and polish the scripts. All suggestions were manually reviewed before inclusion, and all configuration and testing was done by me.\n\n---\n\n## 📝 License\n\nMIT — see LICENSE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitzethanus%2Fraspberrypi-nordvpn-gateway","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fitzethanus%2Fraspberrypi-nordvpn-gateway","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitzethanus%2Fraspberrypi-nordvpn-gateway/lists"}