Rich Freeman via plug on 11 Sep 2023 12:17:00 -0700



Re: [PLUG] Outgoing VPN for Entire Network


On Mon, Sep 11, 2023 at 2:47 PM Keith C. Perry via plug
<plug@lists.phillylinux.org> wrote:
>
> You're on the right track...  regardless of how complex the internals of your net are, eventually you need to leave your network via a router, so that device is where you would set up OpenVPN so traffic flowing through it is sent to your VPN end point.

You can certainly do that, but there is no requirement that your VPN
gateway be on the router you use to connect to the internet.  I run
mine on a separate host.

My DHCP server advertises the VPN gateway as the default network
gateway.  The VPN gateway has a default route to my network gateway.
So traffic is sent to the VPN gateway, and it sends it via the router.

Implementation of the VPN gateway itself depends a bit on what VPN
you're using.  I'm using wireguard.  Once it is running I have an
interface on the gateway that goes to the VPN.
I then have a script that does:
#!/bin/sh
# Allow reply traffic coming back from the VPN to be forwarded to the LAN
iptables -A FORWARD -i vpn -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Source-NAT everything leaving via the VPN interface behind its address
iptables -t nat -A POSTROUTING -o vpn -j MASQUERADE
# Allow LAN traffic arriving on eth0 to be forwarded into the VPN
iptables -A FORWARD -i eth0 -o vpn -j ACCEPT

eth0 has a default route that goes to my actual router.  The iptables
setup is basically no different from what you'd have on any gateway,
except that your "WAN" interface is the VPN, and it actually ends up
going out over the same interface as your LAN.

Some router-oriented distros have support for VPN gateways built-in,
and that is a much easier way to go about it.  The only issue you
might run into is that your router might not have much CPU power,
which could limit your bandwidth due to the encryption.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
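The standalone VPN-gateway setup described in the message above, as an added example that is not part of the original post: it generates an iptables-restore ruleset for a host whose LAN side is eth0 and whose WireGuard tunnel interface is vpn (both names assumed), with the three rules from the message plus a deny-by-default FORWARD policy so LAN traffic is dropped rather than forwarded unencrypted out of eth0 if the tunnel is down.

```shell
#!/bin/sh
# Added example (not from the original message). Emits an iptables-restore
# ruleset for a separate VPN gateway host: LAN interface $1 (assumed eth0),
# tunnel interface $2 (assumed vpn). FORWARD defaults to DROP so the only
# forwarding path is LAN <-> tunnel; if the tunnel is down, nothing leaks.
vpn_gateway_rules() {
    lan="${1:-eth0}"
    tun="${2:-vpn}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan -o $tun -j ACCEPT
-A FORWARD -i $tun -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $tun -j MASQUERADE
COMMIT
EOF
}

# Leak check on the generated ruleset: every FORWARD rule must name the
# tunnel interface, so no rule can forward LAN traffic straight out of $1.
# Returns 0 when the ruleset is leak-free, 1 otherwise.
vpn_gateway_rules_leakfree() {
    vpn_gateway_rules "$1" "$2" | grep '^-A FORWARD' | grep -v -- "$2" | grep -q . && return 1
    return 0
}

# Apply on the gateway (needs root): enable forwarding, then load the
# ruleset atomically so there is no window with a half-applied policy.
vpn_gateway_apply() {
    sysctl -w net.ipv4.ip_forward=1
    vpn_gateway_rules "$1" "$2" | iptables-restore
}
```

The eth0 default route still points at the real router, as in the message; this ruleset only decides what the gateway is willing to forward.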