- RaspAP's installer automates the entire hostapd + dnsmasq + iptables stack — the parts that make manual Pi access point setup painful — so you can focus on network design rather than debugging config syntax.
Why RaspAP?
The standard approach to turning a Pi into an access point involves configuring hostapd, dnsmasq, and iptables rules separately. Each has its own config format, its own quirks, and they all have to agree with each other or nothing works. I've done it the manual way and it's doable but tedious — you end up with a pile of config files and no easy way to change settings later without SSHing in. RaspAP wraps all of that behind a web UI and an install script that handles the plumbing.
Out of the box it gives you:
- Web dashboard for AP settings, DHCP, and DNS
- VPN client support (OpenVPN, WireGuard)
- DNS-level ad blocking through dnsmasq
- Captive portal for guest networks
- Live connection and throughput monitoring
Requirements
- Raspberry Pi 3, 4, or Zero W/2 W — needs built-in WiFi
- Fresh Raspberry Pi OS Lite (Bookworm or later)
- Ethernet connection for initial setup (you really want this — configuring WiFi over WiFi is asking for trouble)
- Optional: USB WiFi adapter if you want simultaneous client + AP mode
Installation
Flash Raspberry Pi OS Lite to your SD card and boot. Make sure you can SSH in or have a keyboard attached.
# Update system first
sudo apt update && sudo apt upgrade -y
# Install RaspAP
curl -sL https://install.raspap.com | bash
The installer asks a bunch of yes/no questions. Here's what I'd pick:
- Install Ad Blocking? — Yes, unless you already run Pi-hole on the same network
- Install OpenVPN? — Yes if your VPN provider ships .ovpn files
- Install WireGuard? — Yes for a faster, lighter VPN tunnel
Reboot when it asks.
Default Access
After the reboot, a new WiFi network appears:
- SSID: raspi-webgui
- Password: ChangeMe
- Web Interface: http://10.3.141.1
- Admin user: admin
- Admin password: secret
Change every one of these defaults before you do anything else. The admin password ships as secret, and anyone connected to your AP can reach the dashboard. I left it as secret for about a day during testing and then realized any device on the network could pull up the admin page and reconfigure everything.
Basic Configuration
Change WiFi Settings
Hotspot → Basic
- Pick a unique SSID
- Set a strong WPA2 or WPA3 passphrase
- Choose a channel — 1, 6, or 11 for 2.4 GHz to minimize overlap
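A quick way to confirm the WiFi defaults listed under Default Access are really gone, as an added example that is not part of the original post or of RaspAP: it parses a hostapd.conf and flags the shipped SSID, the shipped passphrase, an open network, or a short passphrase. The 16-character minimum and the sample config are assumptions made for this example, and the web admin password is not covered.

```python
import sys

DEFAULT_SSID = "raspi-webgui"     # default SSID from the Default Access list
DEFAULT_PASSPHRASE = "ChangeMe"   # default WiFi password from the same list
MIN_PASSPHRASE_LEN = 16           # assumption: local policy, not a RaspAP rule

SAMPLE = """\
# constructed sample, not taken from a real device
interface=wlan0
ssid=raspi-webgui
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=ChangeMe
"""


def parse_hostapd(text):
    """Return key/value pairs from hostapd.conf text (key=value, '#' comment lines)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)   # a '#' inside the value is kept
        conf[key.strip()] = value
    return conf


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_hostapd(text)
    findings = []
    if conf.get("ssid") == DEFAULT_SSID:
        findings.append("ssid is still the default")
    passphrase = conf.get("wpa_passphrase")
    if conf.get("wpa", "0") == "0":
        findings.append("network is open (wpa is unset or 0)")
    elif passphrase == DEFAULT_PASSPHRASE:
        findings.append("wpa_passphrase is still the default")
    elif passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("wpa_passphrase is shorter than %d characters" % MIN_PASSPHRASE_LEN)
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit(text):
        print("FINDING:", finding)
```

On the Pi, pass the path of the live config as the first argument; /etc/hostapd/hostapd.conf is the usual hostapd location and is assumed here to be the file the dashboard writes.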
Change Admin Password
Authentication → Change Password. Do this first.
Configure Internet Source
By default RaspAP bridges its ethernet interface to WiFi. Two common topologies:
Ethernet to WiFi (default):
- Plug in an ethernet cable
- The onboard WiFi radio broadcasts the AP
WiFi to WiFi (repeater mode):
- Needs a USB WiFi adapter — one radio for the AP, one for the upstream connection
- Built-in WiFi handles AP duties, USB adapter connects as client
- Set this up under WiFi client in the dashboard
Fair warning on the adapter: I went through three USB WiFi adapters before finding one that actually supported AP mode on Linux. The packaging says "Linux compatible" but that doesn't mean hostapd compatible. Two of them used Realtek chipsets that needed out-of-tree drivers, and one of those drivers flat-out didn't support AP mode. The Panda PAU09 worked on the first try. If you're buying an adapter specifically for this project, check the RaspAP docs before you order anything.
WiFi Client Mode
To join an existing upstream WiFi network from the dashboard:
WiFi client → Scan
- Pick the network
- Enter its password
- Save and connect
Traffic from devices on your AP now routes through that upstream network. On hotel or conference WiFi, this means only the Pi itself needs to deal with the captive portal login page — every other device just connects to your SSID.
One thing that tripped me up here: I left RaspAP's DHCP range at the default 10.3.141.x and then plugged the Pi into a friend's router that also used a 10.3.141.x subnet. Devices kept getting duplicate IP addresses and nothing could reach the internet. Took me about 20 minutes of staring at iptables output before I realized both DHCP servers were handing out addresses in the same range. If your upstream network uses a 10.x scheme, change RaspAP's DHCP range to something like 192.168.50.x under DHCP Server in the dashboard before you connect.
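Added example, not part of the original post: a pre-flight check for the DHCP clash described above, which compares the AP range against the address the upstream network handed the Pi and proposes a replacement range. It goes slightly beyond the case in the text by also catching a wider upstream prefix (for example a /16) that swallows the AP's /24 even though the addresses look different. The candidate list after 192.168.50.0/24 and the sample addresses are assumptions made for this example.

```python
import ipaddress

AP_DEFAULT = "10.3.141.0/24"   # RaspAP's default range described above
# Assumption: fallback candidates chosen for this example; the first is the
# 192.168.50.x range suggested above.
CANDIDATES = ["192.168.50.0/24", "172.31.250.0/24", "10.250.141.0/24"]


def upstream_network(addr_with_prefix):
    """'10.3.20.57/16' (as printed by `ip -4 addr`) -> IPv4Network 10.3.0.0/16."""
    return ipaddress.ip_interface(addr_with_prefix).network


def pick_ap_subnet(upstream_addrs, current=AP_DEFAULT, candidates=CANDIDATES):
    """Return (subnet, conflicts).

    subnet is `current` when it overlaps no upstream network, otherwise the
    first candidate that is free, otherwise None. conflicts lists the upstream
    networks that overlap `current`.
    """
    upstream = [upstream_network(a) for a in upstream_addrs]

    def clashes(cidr):
        net = ipaddress.ip_network(cidr)
        return [str(u) for u in upstream if net.overlaps(u)]

    conflicts = clashes(current)
    if not conflicts:
        return current, []
    for cidr in candidates:
        if not clashes(cidr):
            return cidr, conflicts
    return None, conflicts


if __name__ == "__main__":
    # Constructed upstream addresses: same /24, a wider /16, an unrelated LAN.
    for addr in ("10.3.141.23/24", "10.3.20.57/16", "192.168.1.40/24"):
        print(addr, "->", pick_ap_subnet([addr]))
```

Feed it the IPv4 address and prefix shown by `ip -4 addr` for the upstream interface before connecting client devices, then set the returned range under DHCP Server in the dashboard.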
VPN Integration
OpenVPN
Navigate to VPN → Upload your .ovpn file.
Toggle it on and save. From that point, every device on the AP has its traffic routed through the tunnel.
WireGuard
WireGuard → Upload a config file or paste the keys manually.
Lower overhead than OpenVPN. On a Pi Zero 2 W, WireGuard adds roughly 2-3 ms of latency versus 8-12 ms for OpenVPN in my testing.
The reason I like running the VPN on the access point instead of on each device: you connect the Pi to hotel WiFi, the tunnel encrypts everything, and none of your other devices need a VPN client installed.
My setup: I route all traffic through WireGuard to my home network. Mostly for DNS ad-blocking through Pi-hole at home, but also so hotel WiFi can't see what I'm browsing. The nice side effect is that streaming services think I'm at home, so I don't get region-locked out of my own library when I'm traveling. WireGuard adds almost no perceptible lag and keeps your traffic private on networks you do not control.
Ad Blocking
If you said yes to ad blocking during install, toggle it on under Ad Blocking in the dashboard.
It works through dnsmasq blocklists. Not as granular as Pi-hole, and you cannot easily add custom filter lists, but it runs on the same Pi with no extra software.
One thing the docs don't really prepare you for: RaspAP's DNS settings page is confusing if you're already running Pi-hole. They both want port 53, and RaspAP doesn't make it obvious how to defer to an external DNS server. I spent a while going back and forth before I figured out I needed to point RaspAP's upstream DNS at Pi-hole's IP and then tell Pi-hole to listen on a non-standard port. It works, but you won't find that workflow spelled out anywhere in the RaspAP interface.
Captive Portal
If you want a splash page for guest access — useful at events or shared spaces — RaspAP has a built-in portal. I've used it at a small meetup where I didn't want to shout the WiFi password across the room. People just connected, got a landing page with the event schedule, clicked through, and they were online.
System → Portal
- Enable the portal
- Edit the landing page HTML
- Set how long a session lasts before re-authentication
The landing page editor is basic HTML, so don't expect a drag-and-drop builder. But for a simple "welcome, here are the rules, click to connect" page it does the job.
Performance Tips
Some real numbers so you know what to expect: on a Pi 4 with the built-in WiFi, I get about 40 Mbps on a good day. With a USB adapter in 5 GHz mode, it's closer to 90 Mbps. Still not going to replace a real router for a household, but it's more than enough for a hotel room where you're sharing a 50 Mbps connection anyway.
- Use a 5 GHz channel if your adapter supports it — far less congestion than 2.4 GHz in apartments and hotels
- Place the Pi near the center of the area you want to cover
- An external antenna on a USB adapter makes a noticeable difference in range compared to the Pi's onboard chip antenna
- Keep the Pi dedicated to routing; running other services (containers, media servers) will tank throughput
Travel Router Build
I originally put this together for a trip where the hotel had WiFi that dropped its captive portal session every 30 minutes. Only the Pi needed to re-authenticate, and my other devices stayed connected to my own SSID the entire time. That sold me on carrying it everywhere.
The Pi Zero 2 W is small enough to fit in a cable pouch, but its WiFi range tops out around 5 meters. Fine for a hotel room. For home or office use, a Pi 4 paired with a USB WiFi adapter like the Panda PAU09 (~$15) gives much better coverage. RaspAP picks up the PAU09 automatically.
A practical travel kit:
- Pi Zero 2 W — runs off any USB port or power bank
- USB-C power bank, shared with the phone
- Short USB ethernet adapter for captive portals that refuse to cooperate over WiFi
- WireGuard config pointed at a home VPN endpoint
Total cost around $25 for the Pi and an SD card. The whole kit fits in a pouch smaller than a paperback.
Troubleshooting
Can't Connect to AP
- Check whether hostapd is actually running:
sudo systemctl status hostapd
- Look for conflicting services — NetworkManager sometimes fights with hostapd over the wireless interface
- Reboot. Seriously. A surprising number of hostapd issues resolve after a clean restart.
No Internet Through AP
- Confirm the upstream link is up (ethernet cable seated, or client WiFi connected)
- Verify NAT rules exist:
sudo iptables -t nat -L
- Check dnsmasq:
sudo systemctl status dnsmasq
Slow Speeds
- The Pi's onboard radio is 2.4 GHz only — theoretical max around 72 Mbps, real-world closer to 30
- A USB 3.0 adapter with 5 GHz support will roughly double your throughput
- Fewer clients means more airtime per device
Hardware Selection Notes
- Pi Zero 2 W for travel — compact, runs off any USB port, but limited WiFi range
- Pi 4 for stationary use at home or office — better radio, USB 3.0 ports for faster adapters
- Whichever board you pick, pair it with WireGuard rather than OpenVPN if latency matters to you
Next Steps
- Set up WireGuard on your home network and point the Pi's tunnel config at it — this gives you encrypted routing from any hotel or coffee shop back through your own connection.
- Install Pi-hole on a separate Pi (or the same one, if you are not pushing heavy traffic) for network-wide ad blocking with more granular filter lists than RaspAP's built-in blocker.
- Automate the captive portal login with a script that detects redirect pages and submits the form — useful for hotels that drop sessions every 30 minutes.