Forwarding All LAN Traffic Through a Host Running VPN
Assuming:

- VPN interface: `nordlynx`
- Local interface: `enp2s0`
- Local LAN subnet: `192.168.1.0/24`
- Host IP: `192.168.1.2`
- DNS server (on this host): `192.168.1.2:53`
### 1. Enable IP Forwarding

```bash
# Turn on forwarding now...
sudo sysctl -w net.ipv4.ip_forward=1
# ...and make it survive a reboot. A drop-in file (any name under /etc/sysctl.d
# works) is idempotent; `tee -a /etc/sysctl.conf` appends a duplicate line every
# time the step is re-run.
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-vpn-gateway.conf
```
### 2. Routing Table

What `ip route` should show once the tunnel is the default route:

```text
default via 10.5.0.1 dev nordlynx            # NEW default gateway: the tunnel
10.5.0.0/16 dev nordlynx proto kernel        # NordVPN tunnel
192.168.1.0/24 dev enp2s0 scope link         # keep LAN reachable
```

The original `default via 192.168.1.1 dev enp2s0` is gone: two default routes with the same metric cannot coexist in the main table, and `ip route replace` below overwrites it. Before replacing it, make sure the encrypted traffic to the VPN server itself still has a way out (a host route to the server's public IP via 192.168.1.1, or the VPN client's own policy-routing rules); otherwise the tunnel's own packets are routed into the tunnel and the connection stalls. The NordVPN client may also keep its own default route in a separate table selected by `ip rule`, so check with `ip rule show` and `ip route show table all`, not only `ip route`.

Routes:

```bash
sudo ip route replace default via 10.5.0.1 dev nordlynx
# Usually already present as the connected route for enp2s0;
# "RTNETLINK answers: File exists" here is harmless.
sudo ip route add 192.168.1.0/24 dev enp2s0
```
### 3. iptables NAT and MASQUERADE

```bash
# Flush old rules. This also removes any rules the NordVPN client (or another
# firewall front end) installed, so redo this step after reconnecting the VPN.
sudo iptables -t nat -F
sudo iptables -F

# Drop forwarded traffic by default. Without this the FORWARD policy stays
# ACCEPT and anything not matched below is forwarded anyway, including out
# enp2s0 via 192.168.1.1 if the tunnel drops and the old default route returns.
sudo iptables -P FORWARD DROP
```

```bash
# Masquerade all outbound traffic via VPN
sudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE
# Allow LAN hosts to talk to this host
sudo iptables -A INPUT -i enp2s0 -s 192.168.1.0/24 -j ACCEPT
# Forward LAN -> tunnel, and only replies back tunnel -> LAN
sudo iptables -A FORWARD -i enp2s0 -o nordlynx -j ACCEPT
sudo iptables -A FORWARD -i nordlynx -o enp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```

Rules added this way are gone after a reboot; persist them with `iptables-save` and your distribution's restore mechanism.
### 4. Keep Local DNS on the Local Interface (NOT the VPN)

Clients should resolve against the resolver on this host (Pi-hole or dnscrypt-proxy on 192.168.1.2:53) rather than have their queries follow the new default route into NordVPN. Queries from the LAN to 192.168.1.2 are delivered to this host (INPUT chain) and never forwarded, and replies to 192.168.1.0/24 use the connected route on `enp2s0`, so with the routing table from step 2 nothing extra is needed. The rules below only matter if the VPN client installs `ip rule` entries that consult another table before `main`.

```bash
# Loopback (dnscrypt-proxy on 127.0.0.1): destinations in 127.0.0.0/8 are matched
# by the "local" table at rule priority 0, ahead of every other rule, so these two
# rules never change a lookup. They are harmless but redundant.
sudo ip rule add from 127.0.0.1 lookup main
sudo ip rule add to 127.0.0.1 lookup main
```

What does help is pinning replies to the LAN to the main table, ahead of any rule the VPN client adds (lower preference numbers are consulted first; compare with `ip rule show`):

```bash
# Replies from the resolver to LAN clients stay on enp2s0 even if another rule
# would send them into the tunnel. A rule for the host's own 192.168.1.2 would
# not do this: that address is handled by the local table, replies go to the clients.
sudo ip rule add to 192.168.1.0/24 lookup main pref 100
# Check: the route chosen for a LAN client (192.168.1.50 is just an example
# address) must be on enp2s0, not nordlynx
ip route get 192.168.1.50
```
### 5. Firewall Rules for DNS

Make sure the DNS service (Pi-hole/dnscrypt-proxy) listens on the LAN address and is allowed in. The INPUT rule from step 3 already accepts everything from 192.168.1.0/24 on `enp2s0`; these narrower rules are the ones to keep if you later tighten INPUT to a DROP policy:

```bash
sudo iptables -A INPUT -p udp --dport 53 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -s 192.168.1.0/24 -j ACCEPT
# Check that the resolver is bound to the LAN address (or 0.0.0.0), not only 127.0.0.1
sudo ss -lntup | grep ':53 '
```