Create Your Own Residential Proxy With A Raspberry Pi
This tutorial will show you how to build your own high-quality yet very cheap residential proxy on your home internet connection using a method called port forwarding.
This is indeed my personal setup at home that I use every day for automation.
Contrary to what most people say, you can do this securely, as explained on Raspberry PI's official site. But if you miss one tiny step in this tutorial or don't know what you're doing, or have never practiced the command line before, please don't do this.
Doing so exposes an open port on your home connection to the outside internet. If it is not properly secured, any hacker can scan for open ports and access your home router along with all the devices connected to it. So be very cautious here.
If you know what you're doing or have basic IT skills, then follow along and proceed at your own risk.
Before doing anything else, I strongly recommend reading this tutorial in full first, then proceeding through each step.
This is an exclusive tutorial for the group that won't be published elsewhere or on the official site. Again, if you think this is out of your league and capabilities, don't do this. TexAu support team will give you zero support at all for this. So do not even contact us for queries related to this. No one will answer you. This is not officially supported, and you are on your own here. So please think twice if you are unsure of how it works.
A Raspberry Pi is a computer made by the Raspberry Pi Foundation in England, a non-profit education foundation promoting learning programming for all. A Raspberry Pi is open source and uses a Linux distribution as its operating system (Raspbian Operating System). It is small, about the size of a PCB (circuit board) card, and portable.
You can connect a keyboard, and a screen, play video games, or stream videos with it too!
The 4 GB RAM version is enough. Same for the SD Card, 8 or 16 GB.
Port forwarding has some security implications on your network. So it's wise to use an additional
router to create a separate subnet to isolate your internet-connected devices from the main
That way, your proxy will be on its own dedicated network isolated from the rest.
To do so, we will use what's called "cascading routers". Simply put, this means plugging another router into a LAN port of your main router, creating another subnetwork (subnet).
- We will open a port in your Home router that will be forwarded to:
- ... another WIFI router to which we will forward the same port number to:
- ... the Raspberry PI
You will end up having 2 separate networks:
- the home router with your internet-connected devices
- the wifi router only for port forwarding to your Raspberry PI proxy
A good primer that doesn't hurt is to watch this video by the one and only Eli, the Computer Guy. Still valid 10 years after.
You can find those mini WIFI routers on Amazon for $30 here:
If you bought a similar Raspberry PI 4 B Kit like the one above, they usually come with a mini USB to microSD card adapter. We will use this to facilitate the install process.
Put the SD Card in it and plug it into any USB port of your computer.
First download the Etcher image flasher for your OS here:
Then download the Raspberry Pi OS Lite here:
Finally, flash your SD Card with Etcher selecting "Flash from File" pointing to the Raspberry PI OS Lite you just downloaded before:
Once flashed, your Raspberry PI SD Card will mount on your Desktop.
Now we will create and add 2 text files at the root of the SD Card. This will allow us to configure our Raspberry Proxy 100% remotely without requiring us to connect the PI to a keyboard, mouse, and screen. All from your computer via SSH.
- Open your text editor of choice, create an empty text file, and save it without any extension to the root of the SD Card: "ssh".
- Open and create another text file you will save as "wpa_supplicant.conf" after pasting this piece of code. Just modify it with your own:
- replace country= with your own country code (US, UK, DE, FR, etc.)
- replace ssid="internet ISP box name" (the same that pops up in your computer network prefs).
- psk="internet ISP box password"
💡 Note: be careful to keep "" for the two above lines (except country code).
Once done, save the file and copy it with the ssh file to the root of the flashed SD Card.
Finally, save both files at the root of the Raspberry PI SD Card.
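The two files from the steps above, written by a small script (an added example, not the tutorial's own snippet): it creates the empty `ssh` file and a `wpa_supplicant.conf` in the layout commonly used for headless Raspberry Pi OS setup, and refuses values that would produce a broken file. The function name, the sample SSID and passphrase, and the temporary directory standing in for the SD card are constructed.

```shell
#!/bin/sh
# Added example: write the two headless-setup files to the SD card root.
# $1=mount point of the SD card root  $2=country code  $3=Wi-Fi SSID  $4=Wi-Fi passphrase
write_headless_files() {
    boot="$1"; country="$2"; ssid="$3"; psk="$4"
    [ -d "$boot" ] || { echo "no such directory: $boot" >&2; return 1; }
    # Country is a two-letter uppercase code and is NOT quoted in the file.
    if ! printf '%s' "$country" | LC_ALL=C grep -Eq '^[A-Z]{2}$'; then
        echo "country must be two capital letters, e.g. US" >&2; return 1
    fi
    # WPA passphrases are 8 to 63 characters long.
    len=${#psk}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "passphrase must be 8-63 characters" >&2; return 1
    fi
    # A double quote inside either value would end the quoted string early.
    case "$ssid$psk" in
        *\"*) echo "double quotes are not allowed in SSID or passphrase" >&2; return 1 ;;
    esac
    : > "$boot/ssh"    # empty file, no extension: enables SSH on first boot
    cat > "$boot/wpa_supplicant.conf" <<EOF
country=$country
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="$ssid"
    psk="$psk"
}
EOF
}

# Constructed demo: a temporary directory stands in for the mounted SD card.
DEMO_BOOT=$(mktemp -d)
write_headless_files "$DEMO_BOOT" US "HomeBox-example" "constructed-passphrase-1" \
    && cat "$DEMO_BOOT/wpa_supplicant.conf"
```

The passphrase sits in this file in clear text, so delete any copy left on your computer once the SD card is written.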
Now, eject the USB adapter from your computer, remove the SD Card and insert it into the PI.
Then plug in the Raspberry PI power supply next to your ISP router or in an isolated place to avoid its noisy fans’ annoyance.
If you bought the mini router above, you would be able to follow these steps. The process is very similar to other router brands or if you choose to do it on your main ISP router.
First, connect to your router admin console URL. Alternatively, connecting to the internal IP address 192.168.1.1 works in most cases. You will find the credentials in your ISP contract papers, or sometimes typing admin:admin as login:password just works.
It's recommended to change the SSID name and the password to a long, secure custom password and save it in a key locker like Lastpass.
For the TP-Link mini router above, you will have to:
- Connect your computer to the WIFI network of your 2nd router (the mini router we bought)
- then connect its admin panel through this URL:
First, we will assign a static internal IP to our secondary router:
- Go to DHCP Settings
- Enable DHCP server
- Change Start IP address to this Subnet Class C (don't worry about what a Class C subnet mask means for now): 192.168.2.100
- hit Save and reboot your mini router.
This will be the internal IP address of your 2nd router from which all the connected devices' IP will be derived, including your Raspberry PI proxy.
Go back to DHCP Settings, and you should see all your connected devices on the same network of your mini router, beginning with the internal IP address 192.168.2.xxx
Listed below is the Raspberry PI internal IP address:
Copy-paste that IP address to a text editor. We will use it in the next step.
Now we will make that internal IP address static so it will never change, even if your main ISP router is rebooted (if you have a Dynamic IP, i.e., your ISP IP changes at each router reboot).
- Go to DHCP Settings again
- Go to Address Reservation
- Click Edit
- Keep the Raspberry Mac Address as-is, paste the IP address you copied before, and tick Enable. Hit Save.
Now your Raspberry PI proxy will have an internal static IP, and the Lease Time will consequently be "permanent", meaning your Raspberry will always be assigned the same fixed internal IP on your mini router.
Note that the default Raspberry PI MAC Address will remain as-is, all along with this tutorial, no need to change or modify it.
Now, we will choose a defined port to open in our secondary network. This will be the fixed port of our Raspberry PI residential proxy.
You can use any port above 1023, since most ports used by the operating system are below this value. If you are unsure which port to use, or want to check which ports are not already used by your computer's OS, you can do a quick check with this terminal command:
- Mac OS X:
- Windows (using PuTTy):
In this tutorial, you can use any port between [3120-3140] safely.
Choose your proxy port that will forward to your router port.
- Go to DHCP settings again.
- Go to Edit.
- Set "Service Port" and "Internal Port" with the same value you choose above.
- Hit Save.
Last, forward the same port number from your main ISP router to your mini router (cf. Fig.1 at the top of this tutorial):
- port forward from the main ISP router box -------> to the mini router
- port forward mini router --------> to Raspberry
Now let's connect to our secondary router WIFI network.
To access our Raspberry PI remotely from our secondary network, we will need a command-line tool. Depending on your computer OS, different choices are available.
If you are on Mac OS X, Terminal App will be your best friend:
On Windows, you can download PuTTy or Bitvise Client here:
If you are unfamiliar, you can check this tutorial:
Note that you can also install PuTTy on Mac OS X, as it has some convenient features like easier SSH key storage, but honestly, Terminal is more than enough in most cases.
If you are unfamiliar with Bitvise, you can refer to their well-made documentation here:
The terminal looks scary, but it's not if you understand what you are doing. Just follow these steps carefully and think twice by checking every command you type before hitting ENTER. All this will be very useful for other purposes like doing sysadmin (system administration) on your hosting, VPS, or servers, for instance. Additionally, this will bring you a greater knowledge of Linux, which shares many commands in common.
For this tutorial, we will use 3proxy:
Many other proxy servers are also popular choices among Raspberry PI enthusiasts like and .
Open a terminal window and connect to your PI via SSH.
In my setup, my Raspberry PI fixed internal IP was 192.168.2.102
💡 SSH connection uses port 22 as default. Later on, we will change this port to harden security.
Type "ssh pi@yourRaspberryIPaddress" (the same static IP as shown in your router) like this below:
Type your computer admin password :
Type "yes" to all:
Now type your Raspberry PI default admin password for the default user PI, "raspberry". We will change this default password later on for security reasons.
Update all Linux packages to keep your Raspberry OS up-to-date. This will have to be done regularly.
Edit DHCP configuration file located at /etc/dhcpd.conf with default nano editor:
To save your modification with the nano editor, you will have to hit "CTRL+O" (overwrite) and then "CTRL+X" to save and exit. Here, even on Mac OS X, it's C
Add this if your secondary router is a wired network:
OR this below if like me you have a WIFI router only:
OR both if your router does both:
Now instead of using the nano editor, we will install and use the popular Raspberry OS Joe Editor:
Then we will install fail2ban, which, as its name implies, will ban all unauthorized IPs from the outside that try to connect to your proxy. After a few attempts, these IPs will automatically be jailed. We will also install the most common jail rules:
Then we will install 3proxy server from their Github repo:
Now, let's edit the proxy configuration file:
To save your modification after editing, you will use "CTRL + K" then "CTRL +X" in Joe Editor.
Then add this piece of code above all the lines beginning with #define. This should be at the top.
Then hit "CTRL+K" then "CTRL+X" to save your modifications.
Then compile and install the 3proxy with this configuration:
Download 3proxy.cfg (configuration file):
Edit the 3proxy.cfg with Joe Editor:
Change those lines with the desired login/pass of your proxy.
For example: if your proxy is:
- root will be replaced by the name you will choose for "login"
- passwd will be replaced by the password you will choose for your proxy
- proxy -p with your forwarded port number you chose as defined in your router (here 3130 or whatever port you choose)
Note here that "root" has nothing to do with your Raspberry PI root user. It's only related to your proxy server. Also, AVOID the use of Caps for your login and special characters like "$" or "#" for your proxy password. You can still use special characters like "!" or "%" in your pass. I experienced this myself being unable to connect to the proxy, and I assume that these characters do conflict because they correspond to coding characters.
Once the config file is opened, copy-paste over this whole configuration below, changing the above values according to your setup:
Once done, save your modifications by hitting "CTRL + K" then "CTRL + X".
Note that the 2 name servers in the config file above are just OpenDNS nameservers. You could perfectly use Google nameservers here instead.
Now, let's change the file permission of this configuration file to make it writable and accessible only by your PI admin user:
Download the following proxy configuration script file:
This will simply install 3proxy autorun script below:
Finally, let's start the proxy server:
The output should print “Starting 3Proxy”. Otherwise, go back and check if you didn't miss any steps.
Now allow the autorun to start even after a reboot by editing
Then add this line above exit 0 :
It will look like this:
As before, to save your modifications in Joe Editor, hit "CTRL + K" then "CTRL +X".
Now reboot your PI to check if these changes stick:
Almost there? Not yet! Some of you may have a Dynamic IP assigned to your ISP router.
What does it mean?
The problem with a dynamic IP is that whenever your internet box is rebooted (manually, power outage, etc...), your home network will have a new IP.
And since our residential proxy MUST be available from the outside WAN network (the internet), you must manually make that dynamic IP accessible.
So if you cannot make it static, you can use a DNS service provider. This will allow assigning a domain to your dynamic IP, making it available to your other tools (scrapers, social media automation, etc...) even in case of IP change.
To do so, we will use the free No-IP DNS service:
- create a free account
- check your external IP address and copy/paste it on a text editor
Once your email account is verified, go to your No-IP dashboard and click "Create Hostname":
- enter any hostname name and domain you want
- add the public IPv4 address you copied in the previous step
- click Create Hostname
Now, we will have to install the No-IP Dynamic Update Client (DUC) on our Raspberry PI so our residential proxy can benefit from No-IP DNS Service and be accessible from the outside anytime.
Read this guide to learn how to install the Dynamic Update Client onto Raspberry Pi.
Open Terminal and SSH your PI like we did before, then type the following.
After each entry line, press Enter.
After creating the folders for the DUC, it is time to download the software.
Within the Terminal window, type the following. After each entry, you will press “Enter”.
Next, navigate to the directory you created to locate the downloaded files.
Now install the program.
After typing “sudo make install” you will be prompted to log in with your No-IP account username and password. This is the log/pass used to connect to your No-IP account.
- the first prompt will ask for your login, then press ENTER
- then your password
After logging into the DUC, answer the questions to proceed.
When asked how often you want the update to happen, you must choose an interval of 5 minutes or more.
The interval is listed in minutes. For example, if you choose 5, the update interval will be 5 minutes. If you choose 30, the interval will be 30 minutes.
To confirm that the service is working properly you can run the following command.
You can also do the same on your secondary WIFI router and enter your No-IP DNS credentials. The advantage of doing this is that you can move the whole setup (mini WIFI router + Raspberry proxy) behind another primary ISP router away from home, for instance.
Very Important: Please, keep in mind that you will have to verify your No-IP DNS every 30 days. Otherwise, it will be deleted! So check your mailbox when it sends you the reminder and validate your account! You can also subscribe for a cheap, paid plan and avoid the hassle.
Now we should be all set! Time to have the final confirmation and test if your proxy is available from the outside and working.
For this, we will download and install this nifty cross-platform tool: FOGLDN Proxy tester.
Once installed, open the app, click "IMPORT PROXIES" and paste your proxy credential like this:
- The first part is the domain provided by No-IP we just created
- The second part is the port we chose to forward on our mini router to access the PI proxy
- The third part is the login we defined earlier
- The fourth part is our proxy password
All 4 parts are separated by ":"
If all the above works as it should, FOGLDN proxy tester will output "Status OK" and show the latency to access the destination URL, here below with LinkedIn.com.
Now you got yourself a nice, high-quality residential proxy for life! And compared to a BrightData subscription ($110/month and over depending on the monthly bandwidth), here it will only cost you the price of the Raspberry PI kit + mini router FOR LIFE ($150).
The best part is that it's easily replicable, and you can bring this proxy device anywhere, whether to access the sites you want at work or school (be careful of what you do with it) or automate all your social network personal accounts away from home.
You can also install this setup for your clients on their network, provided their IT service allows it and helps you do so. You could also clone the SD Card install you made to another card and change only the config files to create another proxy instead of doing this install every time.
Additionally, you can remote access your client device via ssh by installing a Cloud Proxy service like remote.it to create a private network and easily access your residential proxies to maintain and update them.
If you want to scale, building your own 4G proxy farm or Cloud Residential Proxies is the way to go. Companies like proxidize.com and their sister company Proxy Know can help you scale to become your own quality proxy provider and even sell those.
Last, you can also build your 4G proxies on the cheap by stacking multiple Raspberry PI zero boards, as described in this awesome tutorial found on Blackhat World Forum:
Ok, now that we have our own private proxy, it won't hurt to harden its security, and be sure only you can access it no matter what. It has to be secure like Fort Knox.
So far, we have only installed Fail2Ban, but we can do more.
Here we will harden our proxy security by doing:
- changing the default pi user password to a long secure password (32 characters and above) so no one can remember it, even you, and we will store it on Lastpass (or similar) encrypted pass locker. Along the process, keep a text editor open to document ALL your login/pass you used all along, then you will paste and secure it in your pass locker.
- disable root login for good
- generate and add a private encrypted key stored on our computer (hope your hard drive is already encrypted and behind your OS firewall 😉 )
- add a password to encrypt the key
- change the ssh default port 22 to something else
- install ufw firewall to filter all traffic except ssh and proxy port
We will configure and harden our Raspberry PI security following most of this guide:
Enter our Raspberry PI options by typing this command in the terminal:
Here, navigation is like in a computer BIOS. You will need to use up and down ↑↓ arrow keys to navigate the menus and left/right ←→ to go back or leave the menu.
First, let's change the default "pi" user password. Go to "System Options" ----> Password
Change the default pi user password by a long secure password and hit Save.
To force sudo to require a password, enter:
Then change the pi entry (or whichever usernames have superuser rights) to:
1) Mac OS X and Linux
On your machine, open a new Terminal window, then type:
It will prompt you where you want to save the key.
The above command will create a private key saved to /home/user/.ssh/id_rsa and a public key in /home/user/.ssh/id_rsa.pub.
If you don't specify where you want to save it, it will save the key to this default path.
Alternatively, you can save to another location. However, for convenience, we will stick with the default location.
Next, it will prompt for a passphrase. While optional, it is strongly advised to set one: a password that is easy for you to remember, that only you know, and that you can learn by heart without writing it down.
Once a passphrase is set, you will be asked for it each time you attempt to connect to your Raspberry PI via SSH.
2) Windows users
For Windows users, you can follow this tutorial using PuTTy on the official ssh.com website, the inventors of the SSH protocol. No less than that 😀 .
Note that you can copy your private key to another machine if you want to access your PI from another computer on the same network. In fact, you can use the same key to access other devices or remote servers. This is a convenient and very secure way for password-less login. That way, no one else other than you will be able to connect those devices. So keep that key in a secure place and preferably on your encrypted drive.
To securely connect our Raspberry PI using our encrypted SSH key, we will have to make a copy of our public key and upload it to our Raspberry Pi:
So in the context of this tutorial, we will use the pi default user and install the key on our Raspberry PI, which has the following internal IP address: 192.168.2.102
Open your sshd config file by typing this command:
Uncomment the line where you see:
... and change it to whatever non-system or non-app reserved port (see the first part above). Let's say port 2045:
Like before, to save your modifications in nano editor, hit "CTRL + O" then "CTRL+X" and hit ENTER.
The next time you will connect to your PI, instead of typing ssh pi@yourRaspberryIPaddress, you will type this:
... followed by our SSH key passphrase:
Let's install ufw firewall:
Enable ufw at boot:
Allow our forwarded port used by our proxy (let's say 3130) and the newly open port 2045 for ssh access:
Since we changed the default port 22 for ssh access, we will now deny it and close it in ufw:
Then set PasswordAuthentication to "no"
To make changes effective, reboot the ssh service with:
We could have gone on a more extreme path by disabling root login, but the issue here is if you do so, you won't be able to SSH your Raspberry remotely anymore and will have to connect directly through it using a keyboard, mouse, and screen. If you go through all this tutorial, believe me, your setup is pretty secure by now.
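A check for the SSH changes above, as an added example that is not part of the original tutorial: it reads the effective `Port` and `PasswordAuthentication` values from an sshd_config (the first uncommented occurrence wins, so a `Port` line left commented out is caught) and compares the port with the fail2ban `[sshd]` jail, which defaults to `port = ssh` and so keeps banning on port 22 after SSH has moved. Function names and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: verify that the SSH hardening steps actually took effect.

# Effective value of an sshd_config keyword in the global section.
# sshd keeps the FIRST uncommented occurrence; keywords are case-insensitive.
# $1=file  $2=keyword  $3=default sshd uses when the keyword is absent
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        BEGIN { k = tolower(key); val = def }
        /^[ \t]*(#|$)/         { next }   # comment or blank line
        tolower($1) == "match" { exit }   # Match blocks hold overrides, not global settings
        tolower($1) == k       { val = $2; exit }
        END { print val }' "$1"
}

# Port set for the [sshd] jail in a fail2ban jail file.
# $1=file; prints "ssh" (the fail2ban default, meaning 22) when no port line is set.
jail_port() {
    awk -F'[ \t]*=[ \t]*' '
        BEGIN { val = "ssh" }
        /^\[/                   { in_sshd = ($0 ~ /^\[sshd\]/) }
        in_sshd && $1 == "port" { val = $2 }
        END { print val }' "$1"
}

# Print findings; the return status is the number of failed checks.
# $1=sshd_config  $2=fail2ban jail file
audit_ssh() {
    fails=0
    port=$(sshd_effective "$1" Port 22)
    pw=$(sshd_effective "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    jport=$(jail_port "$2")
    [ "$jport" = "ssh" ] && jport=22
    if [ "$port" = 22 ]; then
        echo "FAIL sshd still on default port 22"; fails=$((fails + 1))
    fi
    if [ "$pw" != no ]; then
        echo "FAIL password logins accepted (PasswordAuthentication $pw)"; fails=$((fails + 1))
    fi
    if [ "$jport" != "$port" ]; then
        echo "FAIL fail2ban bans port $jport but sshd listens on $port"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ] && echo "OK port=$port, key-only logins, fail2ban covers $port"
    return "$fails"
}

# Constructed samples: "before" leaves the Port line commented out.
SAMPLES=$(mktemp -d)
printf '%s\n' '#Port 22' '#Port 2045' 'PasswordAuthentication yes' > "$SAMPLES/sshd_before"
printf '%s\n' 'Port 2045' 'passwordauthentication no' > "$SAMPLES/sshd_after"
printf '%s\n' '[sshd]' 'enabled = true' > "$SAMPLES/jail_default"
printf '%s\n' '[sshd]' 'enabled = true' 'port = 2045' > "$SAMPLES/jail_fixed"

audit_ssh "$SAMPLES/sshd_before" "$SAMPLES/jail_default" || true
audit_ssh "$SAMPLES/sshd_after"  "$SAMPLES/jail_default" || true
audit_ssh "$SAMPLES/sshd_after"  "$SAMPLES/jail_fixed"
```

On the PI, point it at /etc/ssh/sshd_config and /etc/fail2ban/jail.local. `sudo sshd -T` prints the configuration sshd actually resolved, including Include files and Match blocks that this parser does not follow.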