Forwarding All LAN Traffic Through a Host Running VPN
Assuming:
VPN interface: nordlynx
Local interface: enp2s0
Local LAN subnet: 192.168.1.0/24
Host IP: 192.168.1.2
DNS server IP: 192.168.1.2:53
๐Ÿ” 1. Enable IP Forwarding
```bash
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
```
2. Routing Table (what you should see)
```text
default via 192.168.1.1 dev enp2s0 # original LAN gateway
10.5.0.0/16 dev nordlynx proto kernel # NordVPN tunnel
default via 10.5.0.1 dev nordlynx # NEW default gateway
192.168.1.0/24 dev enp2s0 scope link # keep LAN reachable
```
Routes:
```bash
sudo ip route replace default via 10.5.0.1 dev nordlynx
sudo ip route add 192.168.1.0/24 dev enp2s0
```
3. iptables NAT and MASQUERADE
```bash
# Flush old rules
sudo iptables -t nat -F
sudo iptables -F
```
```bash
# Masquerade all outbound traffic via VPN
sudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE
# Allow LAN
sudo iptables -A INPUT -i enp2s0 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A FORWARD -i enp2s0 -o nordlynx -j ACCEPT
sudo iptables -A FORWARD -i nordlynx -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```
4. Route Local DNS Through Local Interface (NOT VPN)
You don't want DNS queries to leak out through NordVPN, so you route them around the tunnel:
```bash
# Make sure DNS requests to 127.0.0.1 (dnscrypt-proxy) go local
sudo ip rule add from 127.0.0.1 lookup main
sudo ip rule add to 127.0.0.1 lookup main
```
Or for the DNS server IP itself:
```bash
sudo ip rule add to 192.168.1.2 table main
```
(If DNS traffic was going through the tunnel accidentally.)
5. Firewall Rules for DNS
Make sure your DNS service (Pi-hole/dnscrypt-proxy) is listening on LAN and allowed:
```bash
sudo iptables -A INPUT -p udp --dport 53 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -s 192.168.1.0/24 -j ACCEPT
```
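Steps 1 to 5 above leave no way to confirm that the host actually ended up in the intended state, so here is an added verification script (not part of the original gist) that checks each step's outcome: ip_forward on, the active default route via nordlynx with the LAN subnet still on enp2s0, the MASQUERADE and FORWARD rules present, and the policy rule that keeps traffic to the DNS server 192.168.1.2 out of the tunnel. The interface names, subnet and DNS address are the ones assumed at the top of the gist; every check reads command output from stdin so it can be fed either the live commands (via `verify_live`, run as root on the VPN host) or the constructed sample outputs embedded below.

```bash
#!/bin/sh
# Added verification script, not from the original gist.
# Assumptions copied from the gist: VPN interface nordlynx, LAN interface
# enp2s0, LAN subnet 192.168.1.0/24, DNS server 192.168.1.2.

VPN_IF="nordlynx"
LAN_IF="enp2s0"
LAN_NET="192.168.1.0/24"
DNS_IP="192.168.1.2"

# Step 1: expects the contents of /proc/sys/net/ipv4/ip_forward on stdin.
check_ip_forward() {
    read -r v
    [ "$v" = "1" ]
}

# Step 2: expects `ip route show` output on stdin. The kernel uses the first
# matching "default" line, so that line must leave via the VPN interface, and
# the LAN subnet must still be reachable directly over the LAN interface.
check_routes() {
    routes=$(cat)
    first_default=$(printf '%s\n' "$routes" | grep '^default ' | head -n 1)
    printf '%s\n' "$first_default" | grep -q "dev $VPN_IF" || return 1
    printf '%s\n' "$routes" | grep -q "^$LAN_NET dev $LAN_IF" || return 1
    return 0
}

# Step 3: expects `iptables-save` output on stdin. Requires the masquerade
# rule out of the VPN and both FORWARD rules from the gist.
check_nat() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- "-A POSTROUTING -o $VPN_IF -j MASQUERADE" || return 1
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD -i $VPN_IF -o $LAN_IF .*RELATED,ESTABLISHED -j ACCEPT" || return 1
    return 0
}

# Step 4: expects `ip rule show` output on stdin. Traffic to the DNS server
# must be steered to the main table so it never enters the tunnel.
check_dns_rule() {
    grep -q "to $DNS_IP lookup main"
}

# Runs all checks against the live system; needs root for iptables-save.
verify_live() {
    check_ip_forward < /proc/sys/net/ipv4/ip_forward || { echo "ip_forward is off"; return 1; }
    ip route show | check_routes || { echo "default route is not via $VPN_IF"; return 1; }
    iptables-save | check_nat || { echo "NAT or FORWARD rules missing"; return 1; }
    ip rule show | check_dns_rule || { echo "DNS policy rule missing"; return 1; }
    echo "all checks passed"
}

# Constructed sample outputs (not captured from a real host) so the checks
# can be exercised offline.
GOOD_ROUTES='default via 10.5.0.1 dev nordlynx
10.5.0.0/16 dev nordlynx proto kernel scope link src 10.5.0.2
192.168.1.0/24 dev enp2s0 scope link'
LEAKING_ROUTES='default via 192.168.1.1 dev enp2s0
10.5.0.0/16 dev nordlynx proto kernel scope link src 10.5.0.2
192.168.1.0/24 dev enp2s0 scope link'
GOOD_NAT='*nat
-A POSTROUTING -o nordlynx -j MASQUERADE
COMMIT
*filter
-A INPUT -s 192.168.1.0/24 -i enp2s0 -j ACCEPT
-A FORWARD -i enp2s0 -o nordlynx -j ACCEPT
-A FORWARD -i nordlynx -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
MISSING_NAT='*filter
-A FORWARD -i enp2s0 -o nordlynx -j ACCEPT
-A FORWARD -i nordlynx -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
GOOD_RULES='0:      from all lookup local
32765:  to 192.168.1.2 lookup main
32766:  from all lookup main
32767:  from all lookup default'
NO_DNS_RULE='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
```

On the VPN host, source the file and call `verify_live` as root; the first failing step is reported, which is usually faster than reading the full routing table and `iptables-save` by hand. The route check deliberately looks only at the first default line, because that is the one the kernel selects when two defaults with equal metric coexist, as in the "what you should see" table in step 2.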