This project came off the back of a requirement for a single gateway that provides an encrypted tunnel for all traffic on a network, rather than setting up a VPN client on each endpoint.
There are better ways to do this; I'm a particular fan of pfSense, which lets you configure an OpenVPN endpoint inside the application and route all traffic through it. However, at the time I didn't have a means of deploying pfSense and ended up designing this as a solution instead.
As with most of my builds, this is Linux based and can be run on just about any hardware. Mine was done on a VM but it can just as easily be done on a Raspberry Pi.
Operating System: Ubuntu 16.04
Required Applications: openvpn, openssl, wget
Required Services: A third party VPN provider which supports OpenVPN. I strongly recommend ProtonVPN which provides both free and paid options.
Install Pre-Requisite Software
sudo apt-get update
sudo apt-get install openvpn wget openssl
PREPARE FOR VPN CONNECTION:
Create a folder to store your VPN config
cd ~
mkdir vpn
If you already have the .ovpn connection file provided by your VPN provider, place it in the ~/vpn directory.
If the file is hosted online, download it using:
cd ~/vpn
sudo wget <url_to_your_ovpn_file>
Configure your credentials for automatic connection by creating a connection file
cd ~/vpn
nano creds.txt
Edit the file so it has your username on the first line and your password on the second, with no other content. Save the file with CTRL+O. Because this file holds your password in plaintext, restrict it so that only its owner can read it.
Edit your .ovpn file so the auth-user-pass line reads "auth-user-pass creds.txt" and save with CTRL+O.
sudo nano ~/vpn/*.ovpn
...
auth-user-pass creds.txt
...
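The two manual edits above are easy to get subtly wrong (a stray blank line in creds.txt, a world-readable password file, an auth-user-pass line that still points nowhere). The script below is an added example, not code from the original post: it rewrites the auth-user-pass directive to name the credentials file and then checks the layout the post describes (~/vpn/<profile>.ovpn next to ~/vpn/creds.txt). The profile filename client.ovpn in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: point the .ovpn profile at
# creds.txt and sanity-check both files before the first connection attempt.
# Assumed layout (from the post): ~/vpn/<profile>.ovpn and ~/vpn/creds.txt.
set -eu

# Rewrite (or append) the auth-user-pass directive so it names the credentials
# file. Uses a temp file + mv rather than sed -i so it behaves the same on
# GNU and BSD sed.
set_auth_file() {
    profile=$1
    credfile=$2
    tmp=$(mktemp)
    if grep -q '^auth-user-pass' "$profile"; then
        sed "s|^auth-user-pass.*|auth-user-pass $credfile|" "$profile" > "$tmp"
    else
        cat "$profile" > "$tmp"
        printf 'auth-user-pass %s\n' "$credfile" >> "$tmp"
    fi
    mv "$tmp" "$profile"
}

# Verify the preparation steps from the post:
#   - creds.txt exists and holds exactly two non-empty lines (user, password)
#   - creds.txt is not readable by group or others (it holds a plaintext password)
#   - the profile's auth-user-pass line names that file
# Prints each problem found; returns 1 if there were any, 0 otherwise.
check_profile() {
    profile=$1
    credfile=$2
    problems=0
    if [ ! -f "$credfile" ]; then
        echo "missing credentials file: $credfile"
        return 1
    fi
    # grep -c exits 1 when it counts zero lines; keep the "0" it printed.
    lines=$(grep -c . "$credfile" || true)
    if [ "$lines" -ne 2 ]; then
        echo "$credfile should have exactly 2 lines (username, password), has $lines"
        problems=$((problems + 1))
    fi
    # Columns 5-10 of ls -l are the group and other permission bits.
    go_bits=$(ls -ld "$credfile" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "$credfile is readable by group/others ($go_bits); run chmod 600 on it"
        problems=$((problems + 1))
    fi
    if ! grep -qx -- "auth-user-pass $credfile" "$profile"; then
        echo "$profile does not contain the line 'auth-user-pass $credfile'"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Usage: sh prep_vpn.sh ~/vpn/client.ovpn   (client.ovpn is a placeholder name)
# With no argument the file only defines the functions, so it can be sourced.
if [ "${1:-}" != "" ]; then
    cd "$(dirname "$1")"
    set_auth_file "$(basename "$1")" creds.txt
    check_profile "$(basename "$1")" creds.txt && echo "profile ready"
fi
```

Running it from ~/vpn keeps the directive relative (auth-user-pass creds.txt), which is what the post's later "cd ~/vpn" before starting openvpn relies on.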
ENABLE IP FORWARDING WITH SYSCTL
IP forwarding lets the kernel route packets between the physical NIC and the virtual VPN adapter, which is what allows the firewall rules below to pass LAN traffic into the tunnel. The first command turns it on immediately; in /etc/sysctl.conf, uncomment (or add) the line net.ipv4.ip_forward=1 so it is enabled again after a reboot.
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo nano /etc/sysctl.conf
CONFIGURE THE FIREWALL
These firewall rules forward traffic arriving on the physical NIC from your LAN out through the virtual tunnel interface and masquerade it behind the tunnel's address. Setting the FORWARD chain's default policy to DROP means that anything not matched by the rules (in particular, traffic that would otherwise leave via eth0 while the tunnel is down) is discarded rather than sent unencrypted.
My physical interface is named eth0; verify yours by entering ifconfig. tun0 is the default name for the first VPN tunnel brought up on a system. Replace <your_lan_subnet> with your LAN's network address in CIDR form (for example 192.168.1.0/24), so that only hosts on your own LAN are forwarded.
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -i eth0 -o tun0 -s <your_lan_subnet> -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
cd ~/vpn
sudo iptables-save > backup.txt
Initiate the VPN
cd ~/vpn
sudo openvpn --config <your_ovpn_file>
Your VPN proxy is now active. Set the default gateway of any devices on your network to the LAN IP address of your server to route traffic through your new proxy.
Should the VPN go down, devices behind the gateway will lose their internet connection rather than falling back to an unencrypted path. This only holds if the FORWARD chain's default policy is DROP (or a final DROP rule exists); with the Linux default of ACCEPT, forwarded traffic can leave via eth0 in the clear as soon as tun0 disappears.
REBOOTING THE DEVICE
After a reboot, the VPN will not come online by default and the firewall rules will be lost. To bring it back up:
cd ~/vpn
sudo iptables-restore < backup.txt
sudo openvpn --config <your_ovpn_file>
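The firewall section and this reboot procedure are the two places where the gateway silently stops being a kill switch if a step is skipped. The script below is an added example, not code from the original post: instead of restoring a hand-saved backup.txt it regenerates the ruleset in iptables-restore format with the FORWARD policy set to DROP and masquerading limited to the tunnel, re-enables forwarding, starts OpenVPN as a daemon and waits for tun0. Interface names eth0/tun0 and the ~/vpn directory come from the post; the LAN subnet 192.168.1.0/24, the profile name client.ovpn and the log path are placeholders to be overridden via environment variables.

```shell
#!/bin/sh
# Added example, not code from the original post: bring the VPN gateway up
# after a reboot with a kill-switch ruleset. Must be run as root ("up" mode).
# Assumptions: eth0 faces the LAN, tun0 is the OpenVPN interface, the profile
# and creds.txt live in ~/vpn. LAN_NET and PROFILE defaults are placeholders.
set -eu

LAN_IF=${LAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
LAN_NET=${LAN_NET:-192.168.1.0/24}          # placeholder: your LAN in CIDR form
VPN_DIR=${VPN_DIR:-$HOME/vpn}
PROFILE=${PROFILE:-$VPN_DIR/client.ovpn}    # placeholder profile name
LOG=${LOG:-/var/log/openvpn-gateway.log}

# Emit the ruleset in iptables-restore format.
#  - FORWARD policy DROP: with tun0 absent, LAN clients get nothing instead of
#    leaking out of eth0 once OpenVPN restores the normal default route.
#  - Established/related traffic is only accepted between the LAN and the
#    tunnel, so an existing flow cannot continue over eth0 either.
#  - MASQUERADE is restricted to the tunnel and to the LAN source range.
gen_rules() {
    lan_if=$1; vpn_if=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $vpn_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan_if -o $vpn_if -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $lan_if -o $vpn_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $vpn_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Reject a malformed LAN_NET so a typo cannot quietly widen the -s match.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

bring_up() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    valid_cidr "$LAN_NET" || { echo "bad LAN_NET: $LAN_NET" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Install the rules before the tunnel exists, so there is no window in
    # which forwarding is on but the kill switch is not.
    gen_rules "$LAN_IF" "$VPN_IF" "$LAN_NET" | iptables-restore
    # --cd makes the relative "auth-user-pass creds.txt" in the profile resolve
    # inside ~/vpn regardless of the directory this script is started from.
    openvpn --cd "$VPN_DIR" --config "$PROFILE" --daemon --log "$LOG"
    i=0
    while ! ip link show dev "$VPN_IF" >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "$VPN_IF did not appear; see $LOG" >&2; return 1; }
        sleep 1
    done
    echo "gateway up: $LAN_NET -> $VPN_IF"
}

# Usage: sudo sh gateway-up.sh up      (apply rules and start OpenVPN)
#        sh gateway-up.sh rules        (print the ruleset for review)
# With no argument the file only defines functions, so it can be sourced.
case "${1:-}" in
    up)    bring_up ;;
    rules) gen_rules "$LAN_IF" "$VPN_IF" "$LAN_NET" ;;
    *)     : ;;
esac
```

Run it with "rules" first and compare the output with what iptables-save shows after the manual steps; the difference will be the DROP policy and the interface-bound rules, which is exactly the behaviour the post's "the device will lose internet connection" statement depends on.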