Jump to content
Not connected, Your IP: 18.118.144.50
dagadog

ANSWERED Ubuntu Server as VPN Router/Concentrator

Recommended Posts

I have an Ubuntu Server (14.04 LTS planning upgrade to 16.04 LTS). It currently runs the following services:

  • DHCP
  • DNS (local master and forwarder)
  • Logitech Media Server
  • MiniDLNA Server
  • IMAP Server (collecting mails with fetchmail)
  • SMTP server to relay outbound mail.
  • CalDAV/CardDAV Server
  • Web Server
  • OpenVPN Server to allow mobile devices to access the above services when not within range of my own WiFi.

With the likelihood of the right to privacy being eroded in the short to medium term, I am planning to beef up the measures I take to protect myself from government snooping before it happens.  I plan to turn the server into a router using its second interface connected to my broadband router, and use it to route traffic from the internal  network to the internet via AirVPN.

 

What I'm not so sure about is how to route internet traffic from connected VPN clients through the AirVPN tunnel. Is this possible? Also is it allowed by AirVPN's terms and conditions?

Share this post


Link to post

...

I plan to turn the server into a router using its second interface connected to my broadband router, and use it to route traffic from the internal network to the internet via AirVPN.

...

 

So it is not yet set up as a router? Do that first, leaving OpenVPN out of it.

 

There are lots of sites that talk about how to do this. Google "Linux home router NAT masquerade" for example. This one looks reasonable:

http://www.revsys.com/writings/quicktips/nat.html

 

A key part is setting up IP masquerading with IPTABLES, using commands similar to these (taken from the link above):

# echo 1 > /proc/sys/net/ipv4/ip_forward
# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
There eth1 is the interface to your LAN and eth0 is the internet-facing side.

 

...

What I'm not so sure about is how to route internet traffic from connected VPN clients through the AirVPN tunnel. Is this possible?

...

 

Once you have a router set up without OpenVPN, it is a matter of using tun0 (the usual VPN interface) in place of eth0 in the IPTABLES set up. You would do this in an OpenVPN "up" script. In an "up" script I use (under Debian 8/Jessie) , I just have this:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -s 10.77.1.0/255.255.255.0 -o $1 -j MASQUERADE
In the "up" script "$1" will be the VPN interface name. No FORWARD rules needed.

 

If you also want to forward over the outgoing VPN from incoming VPN connections, you will need to do IPTABLES configuration for each incoming connection too.

 

...

Also is it allowed by AirVPN's terms and conditions?

...

 

Many people talk in this forum about using routers in this way. Using pfSense seems to be popular. The guides by pfSense_fan have had a huge number of hits:

 

https://airvpn.org/index.php?app=core&module=search&do=user_activity&mid=102213

Share this post


Link to post

Thanks for the above advice - it has saved me more than a bit of time researching.

 

The bit that I'm struggling with is how to establish a VPN from my phone to my server while it has a VPN established to AirVPN.  Do I need to enable port forwarding, and establish an incoming tunnel through the outbound tunnel?

Share this post


Link to post

All now working thanks to the excellent advice from NaDre and zhang888 above. The biggest challenge was getting my crappy ISP provided Technicolor TG582N to agree with my desire for a subnet change on the internal LAN (now DMZ) interface. I have other tasks to complete, but not relating to routing or VPNs.

 

Thanks.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...