How to Make a Raspberry Pi VPN Server(electromaker.io)
The author suggests the following use cases: Mask your IP address, Hide from snooping ISPs, Extra security on public Wi-Fi, Unblock geo-restricted content, Connect to your home network from anywhere
Snooping ISPs, public IP, and geoblocking are not prevented by a VPN server in your home network, which the author does not warn about.
The other two cases work if you make your VPN server accessible from the internet, which the author also does not expand upon or even mentions.
It's a good tutorial but the question about VPN servers is often now how, but where. And this question is not asked.
Other than DNS or other traffic filtering, do you gain anything by using a VPN on a Raspberry Pi on your home network?
If you use your own VPN to home then you can access everything on your home network without setting up port forwarding, if you have stuff like that. I used to but not these days.
You could also have the PI run a VPN client and connect to a privacy-promising VPN service, effectively ‘bouncing’ off home.
Not sure if that is even technically possible without pain, or why you wouldn’t connect directly to the privacy-promising VPN.
This has some possible use for using streaming devices when traveling abroad.
On a recent trip I tried using IPvanish with a FireTV stick and Amazon detected the VPN, most likely from a blacklisted set of IP addresses.
Using your own home IP should hopefully prevent that from happening.
Some streaming devices. My IP TV service doesn't work through a VPN back to my home. It acquires location information from GPS (or other location sources), not the IP address. I had wanted to watch something from my home town broadcast channel while visiting family in another state. Turns out that wasn't possible.
Wait, someone bothered to put GPS checking? Awful, that's absolutely not required to license a channel, AFAIK only regular IP-based checks are enforced by channel networks to the distributing ISPs.
Was this on a smart phone / tablet or TV/STB? I used a similar thing to let my parents watch TV from my account -- https://news.ycombinator.com/item?id=22052333
I'm not sure why an ISP would limit the physical location, and also how would that work if they have users in another state?
I've heard about WISPs putting GPS locks on their CPE devices, but that's pretty useless too, they're setup to connect to one tower only, if you move it, it won't see the tower and won't connect to anything, so ... ??
This was using my phone and (I think) my laptop.
The specific about it are that I was trying to watch content on a broadcast channel. It was probably a local sports game. But, I was in a different city with a different affiliate. So, the geographic region does actually play into the licensing for these channels. I could otherwise watch whatever (and the local affiliate for the city I was in), but regardless of what my IP address was, I couldn’t watch the affiliate for my city.
It makes sense, but I’m not sure I was expecting the TV provider to be that detailed.
In the U.K. this is done by BT for users of their sport app, so the channels can only be streamed in the U.K. I think this was a requirement of the rights holder (the sports bodies).
Yes, sports are a different thing altogether, the rights holders have draconian rules because piracy is so widespread.
Ironically, a TV show that my ISP's content division made, which is free for it's users, was the most downloaded torrent (in Serbia) in the second half of 2019. I did an analysis of the IPs of everyone who downloaded it, a significant percentage (~20%) were from that ISP.
Basically, people risk fines and warning letters by pirating a TV show that is free for them (cable ISP that doesn't sell Internet without TV, any and all TV packages come with a smart phone app and website where you can watch your channels + a free VOD catalog) because the restrictions on device type, bootloader integrity, IP address are so draconian.
The ISP, of course, looses in the end, because it's users were also uploading the TV show to other torrent clients of non-users, which is lost potential revenue.
If it is android then in developer options there's option to spoof location system wide without root user.
How does the TV get a GPS signal indoors?
I set up a VPN after installing pihole on my rpi, so that I could get the benefits away from home as well.
For port forwarding, I just SSH into my Raspberry Pi and then tunnel through that. Are there any benefits to using a VPN instead, other than not having to configure individual ports to forward? The only one I ever find myself using is VNC.
The only meaningful difference is probably ease. You setup a VPN once but you have to handle SSH every time you want to connect.
Phones all have VPN settings these days, whereas the SSH tunnel would be harder to accomplish.
Remote troubleshooting machines on your home network.. esp if you have parents/family who aren't tech savvy...
I did this for my parents. I got a RasPi 3 and a 3G modem, and setup remote management so I can check modem parameters remotely, even if the Internet is completely dead (using the 3G modem as an out of band connection).
I setup a VPN client on the 3G interface since there's no public IP address, and I connect to it from my own home network as a local IP address (which can't actually access my network due to explicit firewall rules I setup).
This way I can reboot the modem remotely even if the Internet is dead, and I also setup the Pi to reboot itself every night at 3am, in case something goes wrong and the VPN client crashes.
Hi Milan, would you be able to share more about how you setup the VPN client on the 3G interface?
Yes, since it's a "modern" modem, it appears as a RNDIS ethernet interface. My VPN server's IP is constant, so I just set a default route to my VPN server's IP over 192.168.8.1 which is default Huawei mobile broadband gateway IP.
If you trust your home network / ISP / Government more than you trust the Starbucks (or any public) network, you get to at least transfer your risk.
But you also don't get much more than that for using a paid-VPN, you just transfer the risk of being snooped on to their network/ISP as opposed to your own. Same with running a node on AWS/Digital Ocean.
VPNs do not make you anonymous. A shared VPN might give you some plausible deniability but it's hard to trust that your specific traffic isn't being logged.
> VPNs do not make you anonymous. A shared VPN might give you some plausible deniability but it's hard to trust that your specific traffic isn't being logged.
That's true. But unfortunately, a lot of product placements on YouTube suggest exactly that. The claims of companies like NordVPN are highly misleading if not simply wrong. But especially on non-tech related channels, the audience is unlikely to know how VPNs work and what they do.
> the audience is unlikely to know how VPNs work and what they do.
How many people really understand the difference between a VPN and a proxy server? Even among the tech literate.
> A shared VPN might give you some plausible deniability
It might, but it's very feasible to correlate encrypted VPN traffic to outgoing traffic with netflow logs, which the underlying network operator is almost certainly storing.
Prevents snooping by your mobile provider and on public networks. If you self-host other services, access to those services without opening them up to the wider internet. Access to "personal cloud" storage.
Possibly, depending on your use-case.
I have a VPN, which is there to tie everything onto one network, regardless of what "real" network its attached to.
This means that if I'm out and about I can still push and pull to my local gitserver, or access the home control systems.
I have it on my phone as well, so I can control localnetwork things even if I'm on 4G
But unless you have machines running on different networks, or you want to access internal things from outside your home, running a VPN may be mostly pointless(save for the fun learning).
Can you elaborate on how to access your home VPN network from phone and laptop?
I imagine connecting to your home network when on public wifi might be a valid use case, but I haven't investigated how to achieve this effectively.
I did this with an RPI. Setup openVPN server on pi, forward port 1194 to your pi. Run client on phone/laptop to $homeip:1194.
My hope IP almost never changes, fortunately. Otherwise you would have to do some sort of dynamic DNS.
This is a very good starting point.
Digitalocean's DNS is free, so you can, at a push create a script to do dynamic DNS, should other systems fail you.
For me, I have a dedicated VPN node, Which depending on what I'm doing is either hosted on a VPS, or a physical box. (depending if I can find somewhere with decent network) that is called something like vpn.mydomain.com
All other nodes are connected to that. I then use Anisble to manage the keys, DNS and installing of packages. This makes things nice and dynamic, and simple to re-create/backup/redeploy.
However, I should add, I'm an SRE by profession, so this is 85% more work than most people would want or need.
Well, for one, if you have any intranet services that you want to access from outside of the network, but aren't sure in their bulletproof security, it's better to firewall everything other than one port on one device for the VPN, and connect via the VPN to access intranet services.
Second, some ISPs offer TV service on mobile devices and even set top boxes, but only inside your LAN on your assigned IP address. My ISP offers up to 3 TV STB devices (that run Android TV) per contract for free (mandated by law, because I can't buy my own STB and get a smart card!), but they only work on my LAN.
Since I live away from my parents, I wanted to have TV in their house without paying twice (that same ISP is not available at my parents' house at all, anyway)
My solution was to install OpenVPN Connect on the set top box, set it to auto start on boot, and to auto connect to my VPN.
From the TV app's point of view, I'm in my LAN, and it can talk to my modem on it's fake "virtual" IP address, and also reach the ISP's servers with proper authorization (they authorize users based on the IP address that was assigned to that user, which is stupid if you share your WiFi without having VPN on the guest SSID, but whatever).
My cable provider lets you watch all the channels over the internet... but only on your home network. This would allow that to work remotely.
Also, services like NBA League pass black out the games for your local teams, based on your IP address. One time I was visiting the in-laws, who happened to be in the market for the game I wanted to watch. VPN to home let me stream the game.
I have a rp2 as a home server and VPN.
I connect to it from work to access files.
Mainly, my family all use the VPN on our mobiles with openVPN. From my mobiles we can stream and/or download our music and movies from the rp2 server using Kodi+Yatse with trivial set up. It's like having your own Netflix+spotify for your own digital collection.
You can access your own files when you're away. But, personally, that's the only reason I run a VPN on my own network. I use a VPN service when I want a foreign IP or when I'm sitting in a coffee shop.
I don't have a use for a "virtual private network" that just connects me to the public internet. My primary use case is to connect to stuff on my home network (or my work network).
I use my VPN to access devices in my home whose manufacturers want me to pay a monthly fee for remote (or commonly, delayed cloud) access.
Encryption. But then again most everything on the web is already encrypted so I honestly can't think of anything.
A VPN to connect to when using untrusted Wi-Fi networks, without having to pay for it
>> Snooping ISPs, public IP, and geoblocking are not prevented by a VPN server in your home network, which the author does not warn about.
It helps for these things when abroad, e.g. when travelling I can stream Netflix content and live TV that are region-locked to where I live. Having the VPN on all the time while not on home WiFi also makes it impossible for sites/services to figure out when I'm moving around and where, and basically thwarts any attempt to derive where I am at any point in time.
Then the second part applies, that your VPN server needs to be reachable from the internet, which the author does not expand upon.
I think that will vary based on ISP, etc.. Opening up ports on your home router is not a hugely difficult thing but I can see why it's not in scope of the tutorial..
Mentioning that it's a required step could have been helpful though.
Ah ok, I didn't actually read the article (or all of your comment, apparently ;-). I just assumed it would explain at least that much. What's the point of a VPN server that isn't reachable from the internet?
> What's the point of a VPN server that isn't reachable from the internet?
The tutorial only explains how to set up a VPN server but nothing of the surrounding infrastructure to make it useful for any of the use cases the author mentions.
>Snooping ISPs, public IP, and geoblocking are not prevented by a VPN server in your home network
It really depends...
If you are connecting to that VPN from remote location it does. Whatever is your actual physical location your IP will appear to be your home IP.
Geoblocking might also be solved if you happen to be in a country that has the content blocked while your home location can access that content.
However, as you pointed out, making a VPN accessible from outside is not covered.
I would never suggest OpenVPN when there is something like Wireguard. I switched to WG few years ago and the performance boost on a old Raspberry Pi v1 was astonishing since it has much lower requirements wrt to the CPU.
It's also way easier to setup, and it covers all basic VPN needs for almost all home-VPN use cases.
I remember spending a whole day configuring OpenVPN, lots of packages, certificates, key files, no clue what half of the things I was doing were for. I also didn't particularly like the OpenVPN iOS client. Setting up WireGuard took less than an hour, every step of the process made sense, and it allowed me to remove a whole lot of cruft from my server.
I have the opposite experience. Setting up OpenVPN is as easy as:
wget https://git.io/vpn -O vpn.sh
* inspect the file manually for malware etc.*
sudo bash ./vpn.sh
You enter your IP, port, protocol, client name and it generates a .ovpn file that you import into any client and it just works.
If you need to revoke a client or add another one, re-run the script and it will ask you what to do. It can also uninstall itself safely.
I still haven't managed to setup WireGuard.
OpenVPN gets about 40 Mbps for me on the Pi, but my upload is less, so I don't need more. On a VPS, it gets about 90 Mbps.
For things that run on my home server I like to at least have the impression I know what I'm installing and how it is configured, so a magic script like you referred to is not really an option.
I used this guide to configure OpenVPN , which you could almost publish as a paperback ;-)
Well, you could always open the script.
It's magic in that it does everything itself, it's not a black box.
It's only 460 lines with whitespace and comments, including the files it's writing to the filesystem.
I agree that setting up OpenVPN for the first time might be quite messy, so such script can be useful - it is quite simple and lets you do standard setup.
What I am wondering - it is using a pregenerated dh param file (I can understsand why - to make the initial process faster). I am not much into crypto, with all the other elements being created during the setup process, how big no-no is having a predefined dh file?
For me OpenVPN server was not that hard to manually set up, but clients were really messy. I had various problems with both OpenVPN for Android and Tunnelblick (for macOS), where the latter were problematic enough for me to switch to WireGuard with no regret.
I had no problems with OpenVPN Connect which is the "official" client for Android. For a short time I used Mac OS X (before rebranding), Tunnelblick never worked properly. I forgot the exact problems, but mainly crashing of the software that locks up all network interfaces until reboot, constant disconnecting, and one text field which was unfillable.
Would you have a link to a good reference/tutorial for Wireguard?
These are pretty easy to follow (if you don't use something like dietPi):
Note https://github.com/adrianmihalko/raspberrypiwireguard has some outdated script responses in it. I learned this the hard way.
Are you able to submit a PR with the updated information? Thanks!
See trailofbits algo. If you can setup using that, things are super easy to get working after that.
Do you know if WireGuard supports DHCP yet? I can only find wg-dynamic but it doesn't look like it's functional.
OpenVPN can work over TCP 443 and that is sometimes necessary for really dumb wifi networks (like a café in my area). wireguard does not.
Only thing stopping me from setting up an Rpi on wireguard as a VPN bridge (I'm using mullvad's excellent application) is that so far I haven't been able to successfully set up the firewall so that all traffic gets into wg0 except for ssh, with which I connect to in SOCKS5 proxy (from work). Some sort of split tunnel.
Unfortunately Wireguard doesn't work on PFsense/FreeBSD otherwise I would be using it.
OpenVPN is generally well supported.
Its available in ports and works fine https://www.freshports.org/net/wireguard/
Seconding this, and that is one of my main points of irritation about the tech world, and the world in general. That we keep permeating outdated solutions in new articles and blog posts and elsewhere, when other actually superior solutions have been found.
Shouldn't this article be called How To Make A Debian VPN Server? I don't see anything particularly raspberry pi specific in the article.
This has irritated me for about a decade! Probably unreasonably.
Rasberry Pi was not the first ARM dev board with linux, and most of the "Make your Pi do X!" recipes out there would more reasonably be described as "How to set up your linux server do X", but that's not cool, and had no Pi, so ...
Grrrr mumble mumble, yes I know I'm an old curmudgeon.
I think the reason is that is that Pi has brought Linux in the flavour of Debian to the general public, many won't understand the concept or importance of an OS or how it can be portable; It's Raspberry Pi's "Software".
The second and more likely reason is that Raspberry Pi are keywords that help get you in the hands of your target audience, I'm guilty of it on my blog. If you're running a Debian server on x86, you're probably not the target audience for a "simple" VPN tutorial.
A while ago someone had a "how to set up your own Alexa on a Pi". It was just using Java, so I tried it on Windows, and it worked. I commented so on the guide, which was hosted on Github, and I got many many replies asking "Can you tell us how to do it?".
It annoyed me that these folks have a Github account but can't figure out things without step-by-step instructions...
curl -L https://install.pivpn.dev | bash
fuck fuck fuck no. this whole site should be blacklisted
Plus, even if not malicious, this script messes with a bunch of system config:
* installed unattended-upgrades (from a random github repo instead of apt repos
* passes --yes to apt-get, which may remove important packages
* reconfigures /sbin/iptables to link to /usr/sbin/iptables-legacy
* saves the current iptables rules (some of which may have been set temporarily by root)
* overwrites existing dhcpd config if it already exists
* overwrites existing openvpn-related config if it already exists (including syslog)
Can you elaborate for a terminal/linux layman?
It immediately runs a script from a site in a bash instance. The script could do anything like exploit some zero day like shellshock or other vulnerability. They would prefer the user read the script first. Most people won't read it either way, but if people don't just pipe it to bash other people will feel like it is more secure. If the script is served over http then there are also ways of replacing it by some mechanisms without you knowing as well which can add danger.
Running untrusted code without even looking at the code first. For all you know, the script asks for root access, and if granted, installs a rootkit, and if not, deletes all the files in your home directory.
Random scripts from the internet should always at least be casually reviewed. Posting something like this just encourages people to trust random scripts on the internet, which is going to end poorly eventually.
At least it's well commented.
Was surprised I had to scroll to the bottom to find this comment
Not everyone is harbouring top secret data on their ubuntu install. It's a bad idea sure, but worse crimes have been known to happen
What if the script turns your computer to a server serving the type of content you know the FBI will bust down your door for?
Sigh... Not this again.
curl into a shell, because YOLO.
For the love of $deity, at least pass the -o option or do something like the following before running this - substitute in your editor of choice.
`curl -L https://install.pivpn.dev | bbedit`
What kind of speed can one expect? I've got gigabit fiber and really do get > 950Mbps in both directions. Would this throttle me to 200Mbps? I can't imagine I would be getting full-speed connectivity.
> Would this throttle me to 200Mbps?
RPi4 is plenty fast for full gigabit VPN performance. Its ethernet interface should also easily reach 950 Mbps. Although it's a different matter whether current VPN software can take full advantage of it. My guess is not.
There's some handicap due to lack of useful crypto HW in RPi4. But if multiple cores are used, it should easily reach 1 Gbit speeds. VideoCore VI could theoretically also be used for crypto acceleration, although I haven't heard anyone doing it — yet.
Edit: Just tried "openssl speed -multi 4 aes-256-cbc" on RPi4.
aes-256 cbc 224787.70k 243743.77k 250572.29k 251253.42k 253684.39k 252919.81k
In other words, 2 Gbit/s CPU based AES-256 performance.
>RPi4 is plenty fast for full gigabit VPN performance.
Even if it could do a theoretical gigabit...you'd still be sharing that up & down.
I suspect you could get a good 700ish with a USB 3 gigabit dongle though. I ran a rpi4 as router/fw that way for a couple months (250 internet so never found out where the limits are)
With OpenVPN, yes, you'd get around 200 mbit tops - the thing is OpenVPN is single-threaded and a 1.5 GHz ARM core just isn't enough to cut it. I have an 1.8Ghz ARMv8 in a router and it peaks at ~240mbit, pegging a single core at 100%. Similarly clocked x86 core would fare much better and that's what I'm thinking of upgrading to.
With Wireguard you should have a much better performance however as it's multithreaded and rpi4 offers you 4 cores.
With the RPi 4, the architecture changed and you shouldn't be throttled. With earlier ones you'll be limited, even with a USB gigabit adapter. https://www.jeffgeerling.com/blogs/jeff-geerling/getting-gig...
I use a small pc instead of an rpi for tunneling vpn connections:
An i7 4500U with 8GB ram and 128GB SSD costs around $300, but you can get a decent setup for $180
Yeah, these micro pcs are really nice, thinking of getting one like that myself. But rpi4 costs an order of magnitude less ($35), it's in a different price class I'd say.
Micro PCs also still have higher power requirements. For running costs, you can't beat a small ARM board (like Pi or its clones)
>keep your ISP from snooping
So that someone else's ISP can snoop. It's a tradeoff I guess but just to be clear that someone is able to snoop that traffic, you're just moving from your provider to someone elses provider.
Not applicable in this case, since it's talking about using the RasPi on the home network as a VPS when you're on a different network. It will hide activity from the ISP of the network you're using, but not from the ISP of your home network.
By all means then, let's do nothing, because someone else might do something.
That's a race to the bottom.
If you find that necessary, feel free to do that, but do it as a conscious choice.
I've worked in datacenters that hosted VPS providers, that had Verizon and Centurylink/L3 as their cross connects. Here's a nice list of Tier1 internet providers, these guys are going to do the bulk of transit for most data centers. https://en.wikipedia.org/wiki/Tier_1_network#List_of_Tier_1_...
There's still going to be direct connect at the various peering points, so in this case, you'll get a direct connect from your provider to say google, but that's already in a TLS connection and google already has your IP address or probably your specific street address as does your VPN provider. So I'm not sure what the point is. You'll get the same thing for amazon and netfilx and facebook but again, all TLS and I don't know that you're gaining much since you've already got a positive ID on you with the tracking these days. If, in fact, they don't have a positive id, They'll have one pretty quickly and perhaps tag you to a VPN IP which they will know is a VPN because the positive tracking has matched you with your CC and your real address as well as all the other people connecting through said VPN from geographically disparate locations. Basically if you sign into a single account over your VPN, then the cats out of the back and if you don't then the cat is PROBABLY out of the bag.
I check out these VPS providers that pop up here and there but there's never a mention of their transit, they are just using whatever the datacenter has, and most of them have the same backbone providers as the last mile. So, while this may be necessary for some people, You'll often see people make this decision thinking it grants the privacy when it doesn't really change that part of their situation.
I think it can be a dangerous part of discussion since it's not clear to most people what's actually happening.
We are using this at the office. We and our clients often use IP restriction to servers as first line defense, so Pi in the office lets us access office static IP while outside.
This has helped tremendously and is super easy to set up.
Bonus is while traveling we can access services without firewalls from our home country and everyone sees us as "still in the office". This includes clients, government, banks, etc. Additionally while using it we are not detected to be using VPN so far.
I'm so glad I setup my own vpn as a backup before going to China. NordVPN didn't work there on any WiFi network.
It is against their law to use vpn. Hence 1 person “solution” is not a real solution dealing with totalitarian state. But as any individual you should do two. One this. The other one somehow get a political solution if available to you.
Or go with something that can do a bunch of different solutions: https://github.com/StreisandEffect/streisand Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
I'm not sure this is what they meant by political solution?
If you open up your home using vpn server, would it be more danger as every server on the net is hacked continuously.
If that's the extent of your knowledge about server security, then, yes, this is not for you.
You need to understand firewalls and routing first.
For better performance and more flexibility I'd recommend an ESPRESSObin v7 over a Pi. 3xGbE ports and a dedicated topaz switch offer something much more akin to a true router than the Pi.
Do you know if Debian/Armbian is working on Espressobin? Last time I played with one, I couldn't get Armbian loading and went with Arch instead, following this tutorial:
Noob question, but is it possible to run both a VPN server and continue running Pihole on a RPi 4?
I have a pihole instance with DHCP running too, on a Pi4 with DSVPN (my preferred lightweight VPN) no worries. and my load averages are like 0,0,0
If you use dietPI on your raspberryPi you can easily install VPN, pihole, and much more.
I run Pihole on my openHAB instance, so I don't see why not.
almost certainly. You'd just want to run the DNS out through the VPN tunnel.
Pihole is basically just a "pimped" dns server.
So, to rephrase your question: "is it possible to run both a VPN server and continue running a dns server?"
It works like a charm indeed, I run the WireGuard client on all my devices (laptop, phone, tablet) in on-demand activation mode (VPN activates whenever I leave my home WiFi), and configured them them to use the PiHole server as DNS, so I have ad-blocking on all my devices, all the time. I don't perceive any kind of negative effect on network performance (it helps to have fiber with symmetric up/down speeds for this setup)
Is it possible to set it up like this: I want to use mullvad VPN, so my IP/location is obfuscated, but still to have PiHole? So something like I connect my laptop and mobile to my router -> RPi -> mullvad VPN -> internet. If it is, how can I achieve it?
With Wireguard you set DNS server IP directly in the config file, it is not negotiable over the connection. So you can edit the config to set it to your pihole's ip. Or remove the DNS line altogether and then it won't touch your DNS settings at all.
I had a raspberry pi vpn server. serveed traffic over UDP, used port knocking to open it up. blocked everything else, worked pretty good, but damn SD cards kept dying. :-/
The Pi is notorious for murdering SD cards, but if you use an "endurance" card, which are often sold for use in dashcams, you should find it lasts a lot longer.
If you 'dd' the sd card over to a usb key, and add 'program_usb_boot_mode=1' to the config.txt, you'll get a more robust filesystem and a speed-up bonus as well.
This does not yet work on the Pi 4. However you can keep /boot on the SD card and move / to an external USB SSD.
>The Pi is notorious for murdering SD cards
Not really a pi issue. SD cards just aren't made for 24/7
The author barely mentions anything about security of the server setup. I would at least run some online security checks for open ports, etc.
> On public, unprotected Wi-Fi, a VPN adds a layer of security by masking your IP address.
Haha, WTF did I just read?
To be fair. The claim that it makes you more secure by masking your IP is wrong. But securing you connection in public Wi-Fi networks is probably the main VPN use-case for the average user.
Dont follow this. Set up Wireguard on your Pi. The best way to do it.
I use a VPN to "go home", regardless of where I am in the world.
There are many uses for VPNs and we have to be careful about why we use them.
Why not just use the ready-made OpenVPN server package?
apt update && apt -y install ca-certificates wget net-tools gnupg
wget -qO - https://as-repository.openvpn.net/as-repo-public.gpg | apt-key add -
echo "deb http://as-repository.openvpn.net/as/debian buster main">/etc/apt/sources.list.d/openvpn-as-repo.list
apt update && apt -y install openvpn-as