Any self-respecting glibertarian has heard of a VPN before. Maybe you know some of the major providers, like NordVPN and ProtonVPN. Where people often get confused, though, is about that little program on their work computers that they have to connect to in order to access certain apps on their corporate network. They’re both VPNs, but they seem very different.

The confusion is in what kind of thing a VPN is. A VPN isn’t a solution. It’s a technology used to build solutions. VPN stands for Virtual Private Network, and it does exactly that: it takes devices that aren’t plugged into a certain private network (with a wire or over Wi-Fi) and connects them as if they were. As you can imagine, giving such access to a device halfway across the Internet is a security risk. From a corporate perspective, you can end up exposing very sensitive data if the wrong person is able to VPN into your network, or even if the wrong person is able to read the information being exchanged between your network and a remote employee. From a personal perspective, a malicious person could access the Internet posing as you, take your photos and financial docs, and more.

VPN technologies solve this through authentication and encryption. Your device, when configured properly, exchanges some authentication with a VPN server and then builds an encrypted tunnel between the two. That tunnel is encrypted between your device and that VPN server, and only that far; it is not end-to-end encryption with the websites you visit. Nobody in the middle of the tunnel can figure out what you’re sending between one another, but the VPN server itself sees your traffic exactly as it went in, and from the server onward it travels the same way it would have without the VPN (so a plain HTTP site is still plain HTTP on the far side). In a corporate setting, this is ideal. A sales rep can, during a site visit to a customer, access confidential documents from their corporate network via the customer’s guest network without the customer being able to see those documents. This also has benefits in the personal setting. The NordVPNs and ProtonVPNs of the world allow you to connect your device to their servers, preventing your ISP from knowing how often you click refresh waiting for Bro to finally catch up with the latest article and post his First. Of course, you have to trust NordVPN or ProtonVPN if you use them, but there’s no getting around that*. Somebody has to know what site you are visiting in order to actually serve that site to you.

*Tor improves on this issue, but it’s a bit outside the scope of this article

This article focuses on a use case that’s kinda in between the corporate and the privacy use cases, and it gets some of the benefits of both. When I’m out and about with my cell phone, I want to route my traffic through my home network so that I get the benefit of the security, anti-tracking, and ad filtering appliances on my network even when I’m connected to a cell tower or a coffee shop Wi-Fi. I also have a couple of network appliances (and would like to add more) that would be useful to have access to remotely. For example, my antenna DVR can technically be configured to stream remotely, but it’s much easier and more robust to access it via VPN. Eventually, I want to rip all of our DVDs and BluRays and store them on network attached storage. The ability to queue up any movie in my library from anywhere in the world is a huge perk. I also eventually want to get some home automation set up. I refuse to buy into these massive cloud based automation systems, but with a VPN, I can run an app connected to my automation hub on my local network and get all the benefits (remote management) of the cloud systems without my light bulb having to check in with Chinese communist party headquarters before turning on.

I already have a Raspberry Pi hooked up to my network. In fact, due to where the fiber comes in from AT&T, the Raspberry Pi resides on my nightstand in my bedroom. Given that my wife and daughter are currently relaxing in there after a long morning, it’s a good thing I’ve enabled remote access via SSH. SSH is just a way to get access to the command line terminal of a device from a different device. In this case, I’m typing on my laptop in the living room while the Raspberry Pi is hooked up in my bedroom.

The Blackberry Pi had a colored PCB and was fond of female-to-female adapters

Raspberry Pi 4 – It’s a fully functional computer that fits in your hand.

I’m following this article, which walks through setting up the VPN server on the Raspberry Pi. I’ll also have to configure the client app on my phone, but the hard part is getting the server set up. Employing my lawyerly issue spotting skills, there are a few hurdles that I’ll have to overcome, including the fact that I don’t have a static IP address, so I’ll have to enable dynamic DNS. This will allow me to use a hostname (e.g. www.trashyhomenetwork.com, just to make one up) to connect to my home network, even when AT&T changes my IP address from time to time. I also need to punch a hole in my router’s firewall to allow the VPN traffic into the local network.

Dynamic DNS

Your main IP address from your Internet Service Provider is much like the address on the front of your house. If you send or receive a letter, the address tells the postal service where the letter is going to or coming from. However, unlike the USPS, your ISP may come tear the numbers off the front of your house and replace them with different ones. There are reasons for this, but it’s a bit of a pain in the ass if you want to access your home network from afar. The ISP doesn’t notify you or change things on a known schedule. Therefore, we have to find a different way to access our home networks from the Internet. The way to do this is through the Domain Name System. At the very simplest, DNS is a rolodex. You give it a name (e.g. www.glibertarians.com), and it returns an address (e.g. 114.72.12.59). Dynamic DNS is a service that keeps that rolodex entry current: a device on your network reports its address to the service every few minutes, and the service rewrites the entry whenever the address has changed. For example, if trashyhomenetwork.com is associated with my network, some device on my network sends a Christmas card every once in a while to the Dynamic DNS server. If the return address on the card has changed, the Dynamic DNS server knows to update the rolodex. Then, when I use my cell phone to connect to trashyhomenetwork.com, I get the latest address, even if the ISP has changed the numbers recently.

I’m using the free tier of noip.com to set up my dynamic DNS. I registered for an account, including the 1 free hostname, and I wrote down my credentials and the hostname for the next step. I’ve sort of hinted at what I did next, but I’ll explain in more detail. Many routers can be configured to plug into the most common dynamic DNS systems. Mine cannot. It runs a firewall, and that’s it. Everything else is passed over to the Raspberry Pi or to my Aruba managed switch because fuck AT&T. It doesn’t really matter which device is used to send the Christmas cards, so I chose to set up the Dynamic Update Client (DUC, i.e. glorified Christmas card sender) on my Raspberry Pi. The main requirement is that the device be running all the time, which my Pi is; the other thing to be aware of is that the DUC keeps your No-IP credentials in a config file on that device, so it should be a box you control. I followed the instructions No-IP provided.

Well, except for one thing. I own a custom domain that I use for my email, and I wanted to use that domain instead of the default one provided by No-IP. It’s much easier to remember www.trashyhomenetwork.com than to remember trashynetwork.dyndns.org or whatever domain No-IP gave me. I entered my custom domain when configuring the DUC, and then I edited the DNS records on my custom domain so that home.trashyhomenetwork.com (obviously this isn’t my real domain) points at trashynetwork.dyndns.org (obviously this isn’t the real domain given to me by No-IP). In DNS terms that’s a CNAME record: lookups for my name get answered with whatever No-IP’s rolodex currently says, so the custom name tracks the changing address without any extra work. None of this paragraph really matters for the purposes of this article, but it’s a useful feature if you own a custom domain.
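To make the Christmas card mechanics concrete, here is an added example of what an update client actually does on the always-on device. This is code written for this post, not No-IP’s DUC and not anything from the linked instructions. It assumes the /nic/update endpoint that No-IP documents (a GET with the hostname and new address, credentials in an HTTP Basic header, and a descriptive User-Agent), and the hostname, username, password and every IP address in it are made up. It also does the one check the stock DUC won’t do for you: if the address your ISP hands out is a private or carrier-grade NAT address, it refuses to bother, because no port forward on your router can ever be reached from the Internet in that case.

```python
"""Keep a dynamic DNS name pointed at this network's current public address.

Added example for this post, not No-IP's DUC and not the author's code. It
builds the DynDNS2-style update request that No-IP documents (GET /nic/update
with HTTP Basic auth). Hostname, credentials and every IP address below are
constructed placeholders; the network send is injected so the logic runs offline.
"""
import base64
import ipaddress
import socket
import urllib.request

UPDATE_URL = "https://dynupdate.no-ip.com/nic/update"

# Ranges an Internet host can never reach. If the address your ISP hands your
# router sits in one of these (100.64.0.0/10 is carrier-grade NAT), no port
# forward on that router is reachable from outside and DDNS will not help.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_reachable_public(ip_text):
    """True if ip_text is an IPv4 address that inbound traffic could reach."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in UNROUTABLE)


def resolve(hostname):
    """What DNS answers for the name right now (None if it does not resolve)."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None


def build_update_request(hostname, username, password, ip_text):
    """The update call: GET with the new address, credentials in a Basic header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"{UPDATE_URL}?hostname={hostname}&myip={ip_text}"
    return urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        # No-IP answers "badagent" to clients without an identifying User-Agent.
        "User-Agent": "trashyhomenetwork-ddns/1.0 admin@example.invalid",
    })


def https_send(request):
    """Real transport: perform the request and return the one-line reply."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read().decode()


def reconcile(hostname, username, password, current_ip, resolved_ip, send):
    """Decide whether an update is needed and send it only then.

    current_ip:  the address the Internet sees for this network (router WAN
                 status or a what-is-my-ip service).
    resolved_ip: what DNS currently returns for hostname (see resolve()).
    send:        callable taking a urllib Request and returning the reply body.
    Returns a short status string starting with skip/nochg/updated/error.
    """
    if not is_reachable_public(current_ip):
        return (f"skip: {current_ip} is private or carrier-grade NAT; "
                "inbound port forwarding cannot work from this address")
    if current_ip == resolved_ip:
        # DynDNS2 servers treat repeated no-change updates as abuse and may
        # block the account, so do nothing when DNS is already right.
        return "nochg: DNS already current, no update sent"
    reply = send(build_update_request(hostname, username, password, current_ip)).strip()
    status = reply.split()[0] if reply else ""
    if status in ("good", "nochg"):
        return f"updated: {hostname} -> {current_ip} ({status})"
    # badauth, nohost, badagent, abuse, 911: leave the error for the operator.
    return f"error: update server replied '{reply}'"


if __name__ == "__main__":
    # Offline demonstration with a fake transport; on the always-on Pi you would
    # pass https_send, the router's WAN address and resolve(hostname) from cron.
    def fake_send(request):
        return "good " + request.full_url.split("myip=")[1]

    print(reconcile("home.trashyhomenetwork.com", "me", "s3cret",
                    "203.0.113.10", "203.0.113.9", fake_send))
```

The update only goes out when the address the Internet sees differs from what DNS already answers, which is both polite to the free service and the reason the stock DUC can sit on any always-on box: the check is cheap, and the credentials only travel when something actually changed.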

VPN Server

The next step was to install the VPN server. PiVPN is a project that’s out there for doing exactly this task on a Raspberry Pi board.

This looks like it should be made in stained glass at my church

PiVPN incorporates the best of Raspberry Pi and OpenVPN

It walks you through an installation process, which I didn’t bother to screenshot because the linked instructional article already screenshotted it. I made sure that the installer properly detected that the Pi board had a static IP address (which is important when we punch a hole in the firewall in the next step).

As an aside, the Pi board only has a static IP address within the local network. My entire local network accesses the Internet using a single, dynamic IP address provided by AT&T, but through the magic of a technology called Network Address Translation (NAT), each of my devices has its own IP address within the local network. Think of NAT as a mail stop at an office building. The USPS delivers the mail to the office building, but the local mailroom then converts to using a different address (the mail stop number) to make sure it gets to the right cubicle. It’s important that the VPN tunnel, once it makes it to the office building (my local network), is able to be tied to the correct cubicle (local network IP address). That’s done by setting a static IP for the Raspberry Pi board. Mine is set to 192.168.1.2.

There was also some configuration to be done to connect the PiVPN software with the Pi-hole software. Pi-hole does a few things for me, but for the purposes of this article, I’m going to describe it as an ad-blocker: a DNS resolver that answers lookups for known ad and tracker domains with nothing. By plugging PiVPN into Pi-hole, the VPN server hands connected clients the Pi-hole as their DNS server, so my phone’s lookups run through the same block lists even when I’m not connected to my home network.

Shut your Pi-hole!

Pi-hole is worth setting up even if this VPN stuff isn’t for you

I didn’t have to do anything except select “yes” when prompted about connecting the two software packages. Easy peasy, ad-blocking is a breezy.

Port Forwarding

This is the part that can be a bit tricky. I didn’t screenshot this section either, because it’s very router/firewall specific. Taking a broad view, one of the main purposes of firewalls is to keep unsolicited requests from the Internet from actually making it into your home network. By and large, you’re sending requests from the home network, and if there’s a request coming to you from the Internet out of the blue, something untoward is going on. Of course, a VPN connection request from your cell phone is exactly that kind of request that comes from the Internet out of the blue. As a result, we need to open up a limited hole in the firewall, and it should be exactly one hole: a single port forwarded to a single device, not a DMZ or an “all ports” rule. The main parameters in a port forwarding rule are the port being used (this is just a number; the default for OpenVPN is 1194), a protocol type (this was configured when we set up the VPN server; UDP is the usual choice for OpenVPN, since tunneling TCP inside TCP performs badly whenever packets get lost), and a destination IP address inside your home network (192.168.1.2 to point the VPN requests to the Raspberry Pi). One nice property of OpenVPN when it’s set up with tls-crypt, as the PiVPN installer does: the server silently drops any packet that isn’t signed with the shared key, so someone scanning your public address sees nothing answering on that port. Once I applied that change to my router, it took hold immediately. I had done the next two steps before I came back to do this one, and once I hit “Apply”, it took all of 5 seconds to connect my phone to my home network.

Client Addition

There are more sophisticated ways to manage who is able to access the home network via VPN, but for a simple home network like this one, manual provisioning is fine. The command to issue is “pivpn add”. Create one profile per device rather than sharing a single profile around, so that when a phone is lost or replaced its profile can be revoked on its own with “pivpn revoke” (pivpn -r) without touching the other clients.

As of the writing of this article, I haven't broached the topic of installing this on my wife's iPhone for fear of her hitting me with her phone.

Give the client a name and a password, and it generates a configuration file. The password is a passphrase on the client’s private key, so the profile file alone isn’t enough to connect; someone who copies it off the phone still needs that passphrase.

Then you can send the generated .ovpn file to the client device, and the OpenVPN client software (downloadable from the app store) will ingest that file to make the VPN connection. All you have to do is enter the client password. Keep in mind what that file is: it bundles the CA certificate, the client certificate and the client’s (passphrase-protected) private key, so move it with something you trust (a USB cable, AirDrop, or a file share on the home network) rather than emailing it to yourself, and delete stray copies once the client has imported it.
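Before trusting a profile on a device that leaves the house, it’s worth knowing what’s inside it. The following is an added example written for this post, not PiVPN’s code and not an actual PiVPN-generated profile: it parses an .ovpn file, including the inline <key> and <tls-crypt> blocks, and flags the settings that weaken the tunnel (no remote-cert-tls server, no tls-crypt/tls-auth, legacy ciphers or an MD5 HMAC, compression, old TLS versions, and a private key without a passphrase). The directive names are real OpenVPN options; the two sample profiles are constructed, with placeholder certificate and key bodies and the made-up hostname used throughout this article.

```python
"""Audit an OpenVPN client profile (.ovpn) for settings that weaken the tunnel.

Added example for this post, not PiVPN's code and not a PiVPN-generated profile.
The directive names are real OpenVPN options; the two profiles at the bottom are
constructed for illustration, with placeholder certificate and key bodies.
"""
import re

# Still accepted by OpenVPN for compatibility; no new profile should use them.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_AUTH = {"NONE", "MD5"}


def parse_ovpn(text):
    """Split a profile into ([(name, [args])], {block_name: body}) where the
    blocks are the inline <ca>, <cert>, <key>, <tls-crypt>, ... sections."""
    directives, blocks = [], {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                 # inside <name> ... </name>
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        opener = re.fullmatch(r"<([\w-]+)>", line)
        if opener:
            current = opener.group(1)
            continue
        name, *args = line.split()
        directives.append((name, args))
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks


def audit_ovpn(text):
    """Return [(severity, message)] for each risky setting; [] means clean."""
    directives, blocks = parse_ovpn(text)
    by_name = {}
    for name, args in directives:
        by_name.setdefault(name, []).append(args)
    findings = []
    # Without this the client accepts any CA-signed cert as "the server", so a
    # leaked *client* certificate could impersonate the VPN server.
    if ["server"] not in by_name.get("remote-cert-tls", []):
        findings.append(("HIGH", "remote-cert-tls server missing: server role not verified"))
    # tls-crypt (or older tls-auth) keys the control channel: packets without a
    # valid HMAC are dropped before TLS runs, and the port looks closed to scanners.
    if not ({"tls-crypt", "tls-auth"} & (set(by_name) | set(blocks))):
        findings.append(("HIGH", "no tls-crypt/tls-auth: unauthenticated packets reach the TLS stack"))
    for args in by_name.get("cipher", []):
        if args and args[0].upper() in WEAK_CIPHERS:
            findings.append(("HIGH", f"weak data-channel cipher {args[0]}"))
    for args in by_name.get("auth", []):
        if args and args[0].upper() in WEAK_AUTH:
            findings.append(("HIGH", f"weak packet HMAC {args[0]}"))
    # Compression leaks plaintext via ciphertext length (VORACLE); leave it off.
    if "comp-lzo" in by_name or any(not a or a[0] not in ("stub", "stub-v2")
                                   for a in by_name.get("compress", [])):
        findings.append(("MEDIUM", "compression enabled: exposes the tunnel to VORACLE"))
    tls_min = by_name.get("tls-version-min", [[]])[0]
    if not tls_min or float(tls_min[0]) < 1.2:
        findings.append(("MEDIUM", "tls-version-min below 1.2 or unset: old TLS handshakes allowed"))
    # "pivpn add" with a password stores the key as encrypted PEM; a bare key means
    # anyone who copies the .ovpn file off the phone can connect with no other secret.
    key = blocks.get("key", "")
    if key and "ENCRYPTED" not in key:
        findings.append(("MEDIUM", "inline private key has no passphrase: the file alone grants access"))
    return findings


# Constructed sample profiles (not PiVPN output); key bodies are placeholders.
WEAK_PROFILE = """\
client
remote home.trashyhomenetwork.com 1194
cipher BF-CBC
auth MD5
comp-lzo
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
"""

HARDENED_PROFILE = """\
client
remote home.trashyhomenetwork.com 1194
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
PLACEHOLDER OpenVPN STATIC KEY
</tls-crypt>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_ovpn(profile) or "no findings")
```

Run it against the .ovpn that “pivpn add” produced before it goes on the phone; a clean result means the profile verifies the server’s role, keys the control channel, uses a modern cipher and HMAC, and does not hand over the private key to whoever picks up the file.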

It's alive!!!

Connected via OpenVPN client on my phone

Once the client is connected, you should be able to access your devices on your home network as if you’re at home.

Care to hazard a guess how many of the 4.48 million blocked domains are porn sites?

I can access my Pi-hole admin page with my Wi-Fi turned off. This means the VPN is functioning properly.

Conclusion

This may not be the most impressive thing ever done on a computer, but it is a good foundation for more private and secure Internet usage. Now, instead of my phone having to rely on its own security and privacy features, it establishes a pipe back to my home network and uses my dedicated ad-blocking/privacy appliance to reduce my exposure. I also have access to everything behind my home network’s firewall, which opens up a whole new world of possibilities. Currently, the only useful service I have is being able to watch my DVR from anywhere, but my next project may be to buy another Pi and add a cloudless home automation hub to my home network.

This was an intermediate level project, IMO. You can just accept the defaults on everything without understanding what’s going on, but if your setup deviates from the script, you really need to know what you’re messing with. Particularly, pointing my custom domain to my home network and setting up the port forwarding were a bit off-script for me. The rest of the steps had good installation guides a search away. I don’t think I encountered anything that threatened to break my network, but I did end up having to endure a few annoying network resets as I investigated whether my particular equipment supported dynamic DNS. I eventually determined that it didn’t, at least not in the way I wanted it to, so I pursued the Pi option described above.

Next step for this particular project is to set up an outgoing VPN from my home network to NordVPN or ProtonVPN. I’ll wait until I’m motivated to pay for one of those services and then I’ll start experimenting.