
Ansible playbook to set up a VPN router using OpenWrt on a Raspberry Pi

juliusberner/rpi_vpn_router

Raspberry Pi VPN Router

Ansible playbook to set up a VPN router using OpenWrt 21.02.3 and ProtonVPN on a Raspberry Pi (RPI) 4B with a Realtek RTL8192CU USB WiFi adapter. Based on NetworkChuck, OpenWrt, and ProtonVPN tutorials.

Project image

Prerequisites

  1. Flash OpenWrt to an SD card, see here for the tutorial and here to download the factory image. If your RPI is already running OpenWrt, you can set sysupgrade to yes in roles/common/defaults/main.yml and download a sysupgrade image (named *.img.gz) to roles/common/files to automatically update the RPI in the playbook.
  2. Connect to your RPI via ethernet, see here. By default, the IP address of your RPI is configured as static 192.168.1.1.
  3. Install Ansible, see here.
  4. Install the ansible-openwrt role via ansible-galaxy install gekmihesg.openwrt
  5. Download your OpenVPN config files (named *.ovpn) to roles/common/files. If you add multiple configurations, you can specify the default one using default_openvpn_config in roles/common/defaults/main.yml.
  6. Edit the secrets in group_vars/openwrt/vault.example.yml, save as group_vars/openwrt/vault.yml, and encrypt using ansible-vault encrypt group_vars/openwrt/vault.yml. If necessary, adapt the default values in roles/common/defaults/main.yml.
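
One way to verify steps 5 and 6 before running the playbook, as an added example that is not part of this repository: the function names are hypothetical, and the encryption check assumes the `$ANSIBLE_VAULT;` header that `ansible-vault encrypt` writes as the first line of an encrypted file.

```shell
#!/bin/sh
# Added example: pre-flight checks for the prerequisites listed above.
# Paths are the ones named in this README; function names are hypothetical.

# is_vault_encrypted FILE -> 0 if FILE starts with the ansible-vault header
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    # Files written by `ansible-vault encrypt` begin with "$ANSIBLE_VAULT;"
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# preflight REPO_ROOT -> 0 if ready to run, 1 otherwise (findings on stderr)
preflight() {
    root=$1
    rc=0
    vault="$root/group_vars/openwrt/vault.yml"
    files="$root/roles/common/files"

    # Step 6: the secrets file must exist and must not be left in plaintext.
    if [ ! -f "$vault" ]; then
        echo "missing: $vault (edit vault.example.yml and save it as vault.yml)" >&2
        rc=1
    elif ! is_vault_encrypted "$vault"; then
        echo "plaintext secrets: $vault is not ansible-vault encrypted" >&2
        rc=1
    fi

    # Step 5: at least one OpenVPN configuration must be present.
    found=0
    for f in "$files"/*.ovpn; do
        [ -f "$f" ] && found=1 && break
    done
    if [ "$found" -eq 0 ]; then
        echo "missing: no *.ovpn file in $files" >&2
        rc=1
    fi

    return "$rc"
}

# Run the checks when a repository path is given on the command line.
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Saved under a name of your choice and run from the repository root with `.` as its argument, the script exits non-zero if the WiFi and hotspot secrets are still in plaintext or no VPN configuration has been downloaded.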

Setup

  1. Run ansible-playbook site.yml -i hosts.yml --ask-vault-pass to set up your RPI.
  2. Change the root password: ssh root@192.168.1.1 passwd.

If you set new_lan_ip in group_vars/openwrt/vault.yml, the playbook changes the IP address of your RPI and you need to adjust your local ethernet configuration. If you want to re-run the playbook, you will need to pass the new IP address: ansible-playbook site.yml -i hosts.yml --extra-vars "host_ip=<new_lan_ip>" --ask-vault-pass.

Usage

After running the playbook, your RPI should be connected to the WiFi specified by vault_sta_interface in group_vars/openwrt/vault.yml. Moreover, it should provide a hotspot named rpi_vpn with the password given by vault_ap_interface_key in group_vars/openwrt/vault.yml. Any device connected to this hotspot should automatically be using the VPN given by the configuration in roles/common/files. Check your device's public IP address and check for DNS leaks!