Share VPN on local network

gregg_a_g
OpenVpn Newbie
Posts: 2
Joined: Wed Aug 29, 2018 4:25 am

Share VPN on local network

Post by gregg_a_g » Thu Dec 05, 2019 3:32 am

I have a low power Debian box that I have set up as a Router/Firewall, Asterisk PBX, NFS file server and print server. I am also running Pihole to minimize ad traffic. I have 2 ethernet cards on the box and subscribe to VyprVPN. I want to share the VPN connection with all the devices (couple of desktops, a laptop and a couple of Android phones) on my internal network so I only have 1 VPN connection.

Centurylink Modem ----> Debian router
                          enp6s0 (link, no IP; ppp0 to the modem)
                          enp4s0 (192.168.0.10) ----> PoE Switch ----> VoIP Phone (192.168.0.20)
                                                                  ----> Desktop (192.168.0.30)
                                                                  ----> E900 Wifi AP ----> Laptop (192.168.0.51)
                                                                                     ----> Android (192.168.0.52)


So my internal network is 192.168.0.0/24, the Debian router has enp6s0 connecting to the modem over ppp, and the second NIC card on the Debian router is enp4s0 with IP 192.168.0.10. Pihole is the DNS server running on the router, so it also has 192.168.0.10. The old Cisco/Linksys E900 is configured as "router" (not gateway) and is used as the wireless AP for the laptop and phones. isc-dhcp-server is running on the Debian router, but I have reserved static addresses for most of the devices. Mostly the phones get dynamic addresses from the DHCP server. So far so good, I think.

I got a lot of conflicting/complicated Google stuff regarding sharing the VPN, but I think I have distilled the important items.


UFW firewall rules


     To                  Action      From
     --                  ------      ----
[ 1] Anywhere            ALLOW IN    192.168.0.0/24
[ 2] 53                  ALLOW IN    192.168.0.0/24
[ 3] 4711/tcp            ALLOW IN    192.168.0.0/24
[ 4] 80/tcp              ALLOW IN    Anywhere
[ 5] 22/tcp              ALLOW IN    Anywhere
[ 6] 443/tcp             ALLOW IN    Anywhere
[ 7] 123/udp             ALLOW IN    Anywhere
[ 8] 67:68/tcp           ALLOW IN    Anywhere
[ 9] Anywhere            ALLOW OUT   Anywhere on tun0 (out)
[10] 53,1197/udp         ALLOW OUT   Anywhere on enp6s0 (out)
[11] 192.168.0.0/24      ALLOW OUT   Anywhere on enp6s0 (out)
[12] 443/tcp             ALLOW OUT   Anywhere (out)
[13] 192.168.0.0/24      ALLOW OUT   Anywhere on enp4s0 (out)

If I start the VPN on the Debian router, then I lose internet connection on all my local devices. So then I use this iptables command to get the local network running through tun0 on the Debian router.

iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o tun0 -j MASQUERADE
(not sure yet how to make this permanent)

This seems to work, but is this a safe configuration - am I leaving something open that is a firewall issue?

This is what iptables looks like:

gregg@k-deb:/etc/openvpn/client$ sudo iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 21244 packets, 1390K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2012  124K MASQUERADE  all  --  any    enp4s0  192.168.0.0/24       anywhere            
  854 52840 MASQUERADE  all  --  any    tun0    192.168.0.0/24       anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Thanks for any input/advice, especially regarding UFW/iptables!

Gregg G.
Last edited by Pippin on Thu Dec 05, 2019 3:15 pm, edited 1 time in total.
Reason: Formatting
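A way to make the MASQUERADE rule persistent under UFW, plus a check that reviews a NAT dump for masquerade rules that send LAN traffic out of something other than the tunnel. This is an added example, not code from the post or from OpenVPN/UFW; it assumes the interface names and LAN range given in the post (enp4s0 for the LAN, enp6s0/ppp0 towards the modem, tun0 for the VPN, 192.168.0.0/24) and the standard Debian UFW file paths (/etc/ufw/before.rules, /etc/ufw/sysctl.conf). The NAT dump it audits is a constructed iptables-save style rendering of the POSTROUTING chain shown above.

```shell
#!/bin/bash
# Added example (not from the forum post). Assumed values, taken from the post:
LAN_CIDR="192.168.0.0/24"   # internal network
VPN_IF="tun0"               # VyprVPN tunnel interface

# Emit the *nat block that belongs at the TOP of /etc/ufw/before.rules, above the
# existing "*filter" line. UFW loads it on `ufw reload` and at boot, which replaces
# re-running the iptables command by hand after every restart.
ufw_nat_stanza() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade LAN clients only when their packets leave through the VPN tunnel
-A POSTROUTING -s ${LAN_CIDR} -o ${VPN_IF} -j MASQUERADE
COMMIT
EOF
}

# Read an `iptables-save -t nat` style dump on stdin and print every MASQUERADE
# rule whose out-interface is not the VPN tunnel. Any line printed is a NAT path
# that hides LAN sources behind a non-tunnel interface and deserves a review.
audit_masquerade() {
    grep -E -- '-j MASQUERADE' | grep -v -E -- "-o ${VPN_IF}( |$)" || true
}

# Constructed sample: the two POSTROUTING rules from the `iptables -t nat -L -v`
# output in the post, written in iptables-save syntax.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o enp4s0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE
COMMIT'

echo "== nat stanza for /etc/ufw/before.rules =="
ufw_nat_stanza
echo "== MASQUERADE rules not leaving via ${VPN_IF} (review these) =="
printf '%s\n' "$SAMPLE_NAT_DUMP" | audit_masquerade
```

On a live box the audit would be fed with `sudo iptables-save -t nat | audit_masquerade`; on the sample dump it flags the `-o enp4s0` rule, which NATs LAN traffic leaving the LAN-side NIC and is not needed for sharing the tunnel. Forwarding also has to be enabled (uncomment `net/ipv4/ip_forward=1` in /etc/ufw/sysctl.conf) and the filter side should only allow LAN-to-tunnel forwarding, e.g. `ufw route allow in on enp4s0 out on tun0` with DEFAULT_FORWARD_POLICY left at DROP in /etc/default/ufw, so that forwarded client traffic is dropped rather than routed out ppp0 if the tunnel goes down.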
