initial commit
commit
00743462e8
|
@ -0,0 +1,39 @@
|
||||||
|
## How to setup a VPN router
|
||||||
|
|
||||||
|
This guide assumes the following configuration:
|
||||||
|
A WAN interface called: `eth0`
|
||||||
|
A LAN interface called: `eth1` with a static ip address of `192.168.1.1`
|
||||||
|
A VPN interface called: `wg0-mullvad`
|
||||||
|
|
||||||
|
### Install and configure your VPN client
|
||||||
|
In this example I am using the official Mullvad client which sets up a network interface called: **wg0-mullvad**
|
||||||
|
Make sure it is configured to run at startup.
|
||||||
|
|
||||||
|
### Enable packet forwarding
|
||||||
|
Uncomment the following lines in: `/etc/sysctl.conf`
|
||||||
|
`net.ipv4.ip_forward=1`
|
||||||
|
`net.ipv6.conf.all.forwarding=1`
|
||||||
|
And apply the new kernel parameters with: `sudo sysctl -p`
|
||||||
|
|
||||||
|
### Configure iptables to route traffic through the VPN
|
||||||
|
```
|
||||||
|
sudo iptables -t nat -A POSTROUTING -o wg0-mullvad -j MASQUERADE
|
||||||
|
sudo iptables -A FORWARD -i eth1 -o wg0-mullvad -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -o wg0-mullvad -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i wg0-mullvad -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
sudo iptables -A INPUT -i wg0-mullvad -j ACCEPT
|
||||||
|
```
|
||||||
|
|
||||||
|
To make these changes persist through a reboot, install **iptables-persistent**:
|
||||||
|
`sudo apt install iptables-persistent`
|
||||||
|
and click "Yes" when prompted to save current IPv4 rules.
|
||||||
|
If you make any further changes to the iptables rules, don't forget to run `sudo dpkg-reconfigure iptables-persistent` to make them persist as well.
|
||||||
|
|
||||||
|
### Install and configure a DHCP server
|
||||||
|
**dnsmasq** is a good lightweight DHCP (and DNS, but we won't be using that function) server. To install it run:
|
||||||
|
`sudo apt install dnsmasq`
|
||||||
|
And configure the following options in: `/etc/dnsmasq.conf`
|
||||||
|
`port=0` will disable the built-in DNS server
|
||||||
|
`interface=eth1` sets which interface to respond to DHCP requests on
|
||||||
|
`dhcp-range=192.168.1.151,192.168.1.254,255.255.255.0,12h` sets the ip range of the DHCP ip address pool and **12h** is the lease time
|
||||||
|
`dhcp-option=6,10.64.0.1` sets the DNS server address that will be sent to the DHCP clients (this should be the DNS server supplied by your VPN provider)
|
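Review bot: The iptables section never sets a default FORWARD policy, so the ACCEPT rules it adds do not restrict anything: with `net.ipv4.ip_forward=1` and the kernel's default ACCEPT policy, traffic from `eth1` can still be forwarded out `eth0` whenever `wg0-mullvad` is down. If the intent is that LAN clients only ever leave through the VPN, add `sudo iptables -P FORWARD DROP` (or an explicit drop for `-i eth1 -o eth0`) before the ACCEPT rules. In the same block, `-A FORWARD -o wg0-mullvad -j ACCEPT` makes the preceding `-i eth1 -o wg0-mullvad` rule redundant, and `-A INPUT -i wg0-mullvad -j ACCEPT` admits new inbound connections to the router from the tunnel; matching `--ctstate ESTABLISHED,RELATED` there, as the FORWARD rule for `-i wg0-mullvad` already does, would be tighter. The sysctl step also enables `net.ipv6.conf.all.forwarding=1` while every rule and the persistence step cover IPv4 only, so either leave that line commented or add equivalent `ip6tables` rules.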