F5 VPN Client from Raspberry Pi

Did you know that F5 has a VPN client that can run on a Raspberry Pi? You may already know that we can run on iOS, Android, Windows, Mac, and Linux, but we can also run on a little device that is smaller than a credit card.

In this article we will use a Raspberry Pi to connect my home network to AWS.

Raspberry Pi

A Raspberry Pi is a small device that uses ARM processors. These processors are similar to what you would find on a mobile phone. F5 provides a VPN client that can run on “armhf” architectures (not arm64).


A BIG-IP can provide end-user or device VPN access. This could provide remote access for a worker in the field or an IoT device that needs to phone home to a data center.

The Setup

In my home network I wanted a method to connect to my AWS resources without having to setup SSH tunnels, allocate EIPs, and/or create an IPSec tunnel.

The desired flow of traffic is to be able to connect from my laptop, through a Raspberry Pi VPN connection to a BIG-IP in AWS. 


To facilitate this architecture I configured my home router (Verizon Fios) to send all AWS traffic through my Raspberry Pi.


I’ve created the following demo video of the architecture.

Note that you can also reverse the flow if you would like to have AWS instances access on-premises resources or use different cloud providers (BIG-IP can also run in Azure, GCP, etc…).

Pi Tastic

Hope you enjoyed this article. Now I’m hungry! Note this is not my first Pi around.

Published Dec 11, 2019
Version 1.0

Was this article helpful?

1 Comment

  • Note in the article I omitted some details:


    1. This will work for username/password based auth and/or certificate, but not if you have a custom login page (i.e. for the F5 folks this will not work for our corporate VPN)
    2. I have configured my Raspberry Pi to forward packets and rewrite the source address through the tunnel interface (left as an exercise to the reader on how to configure on raspbian).


    The VPN setup is fairly basic. The certificate authentication is handled by a clientssl profile that requires my CA.


    The VPE is configured with a resource assign for network access and webtop (minimal requirements for VPN).


    The network access is setup with split tunnel and a range of IPs for the clients. SNAT is enabled.