ANSWERED Ubuntu Server as VPN Router/Concentrator

[dagadog 5]

I have an Ubuntu Server (14.04 LTS planning upgrade to 16.04 LTS). It currently runs the following services:

• DHCP
• DNS (local master and forwarder)
• Logitech Media Server
• MiniDLNA Server
• IMAP Server (collecting mails with fetchmail)
• SMTP server to relay outbound mail.
• CalDAV/CardDAV Server
• Web Server
• OpenVPN Server to allow mobile devices to access the above services when not within range of my own WiFi.

With the likelihood of the right to privacy being eroded in the short to medium term, I am planning to beef up the measures I take to protect myself from government snooping before it happens.  I plan to turn the server into a router using its second interface connected to my broadband router, and use it to route traffic from the internal  network to the internet via AirVPN.

 

What I'm not so sure about is how to route internet traffic from connected VPN clients through the AirVPN tunnel. Is this possible? Also is it allowed by AirVPN's terms and conditions?

[NaDre 154]

...

I plan to turn the server into a router using its second interface connected to my broadband router, and use it to route traffic from the internal network to the internet via AirVPN.

...

 

So it is not yet set up as a router? Do that first, leaving OpenVPN out of it.

 

There are lots of sites that talk about how to do this. Google "Linux home router NAT masquerade" for example. This one looks reasonable:

http://www.revsys.com/writings/quicktips/nat.html

 

A key part is setting up IP masquerading with IPTABLES, using commands similar to these (taken from the link above):

# echo 1 > /proc/sys/net/ipv4/ip_forward
# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

There eth1 is the interface to your LAN and eth0 is the internet-facing side.

 

...

What I'm not so sure about is how to route internet traffic from connected VPN clients through the AirVPN tunnel. Is this possible?

...

 

Once you have a router set up without OpenVPN, it is a matter of using tun0 (the usual VPN interface) in place of eth0 in the IPTABLES set up. You would do this in an OpenVPN "up" script. In an "up" script I use (under Debian 8/Jessie) , I just have this:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -s 10.77.1.0/255.255.255.0 -o $1 -j MASQUERADE

In the "up" script "$1" will be the VPN interface name. No FORWARD rules needed.

 

If you also want to forward over the outgoing VPN from incoming VPN connections, you will need to do IPTABLES configuration for each incoming connection too.

 

...

Also is it allowed by AirVPN's terms and conditions?

...

 

Many people talk in this forum about using routers in this way. Using pfSense seems to be popular. The guides by pfSense_fan have had a huge number of hits:

 

https://airvpn.org/index.php?app=core&module=search&do=user_activity&mid=102213

[dagadog 5]

Thanks for the above advice - it has saved me more than a bit of time researching.

 

The bit that I'm struggling with is how to establish a VPN from my phone to my server while it has a VPN established to AirVPN.  Do I need to enable port forwarding, and establish an incoming tunnel through the outbound tunnel?

[zhang888 1065]

You will need to forward a port, and make your local OpenVPN server listen on that port.

Then clients will be able to connect to your server at the airvpn_exit : port.

[dagadog 5]

All now working thanks to the excellent advice from NaDre and zhang888 above. The biggest challenge was getting my crappy ISP provided Technicolor TG582N to agree with my desire for a subnet change on the internal LAN (now DMZ) interface. I have other tasks to complete, but not relating to routing or VPNs.

 

Thanks.