I am having a very annoying issue and I don't know what's wrong. I also feel like I am very close to having it working, so there must be something obvious I'm doing wrong.
I am trying to connect to my VPN, and then use my installation as a gateway for other devices on my network so they can all share that single connection.
# echo 1 > /proc/sys/net/ipv4/ip_forward
I enter this, and then on my cellphone (the device I'm testing with) I set the gateway to the IP of the installation (192.168.0.250).
Works perfectly - websites open super fast, forwarding is all working properly, I can access the internet and all websites as needed, and all local devices are contactable on my network.
Then I run this iptables script, which I kind of hacked together with help from other people and tried to adapt to suit what I'm trying to do:
#!/bin/bash
# Flush
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# Block All
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# allow Localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Make sure you can communicate with any DHCP server
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT
# Make sure that you can communicate within your own network
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
# Allow established sessions to receive traffic:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow TUN
iptables -A INPUT -i nordtun -j ACCEPT
iptables -A FORWARD -i nordtun -j ACCEPT
iptables -A FORWARD -o nordtun -j ACCEPT
iptables -t nat -A POSTROUTING -o nordtun -j MASQUERADE
iptables -A OUTPUT -o nordtun -j ACCEPT
# allow VPN connection
iptables -I OUTPUT 1 -p udp --destination-port 51820 -m comment --comment "Allow VPN Connection WireGuard 51820" -j ACCEPT
iptables -I OUTPUT 1 -p udp --destination-port 1197 -m comment --comment "Allow VPN Connection OpenVPN 1197" -j ACCEPT
iptables -I OUTPUT 1 -p udp --destination-port 1194 -m comment --comment "Allow VPN Connection OpenVPN 1194" -j ACCEPT
# Block All
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
# Log all dropped packets, debug only.
iptables -N logging
iptables -A INPUT -j logging
iptables -A OUTPUT -j logging
iptables -A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables general: " --log-level 7
iptables -A logging -j DROP
echo "saving"
iptables-save > /etc/iptables.rules
Then I run this - the concept behind it being that if the VPN goes down, then any devices on the gateway will be safe from leaking packets, because it only allows outbound connections on UDP ports 51820, 1197 and 1194, which are the three common VPN ports for either OpenVPN or WireGuard.
So far, so good.
I run the script, then I can no longer ping Google or any devices on the general internet. I can still reach everything on my local network, no problem.
# nordvpn connect canada
Connected!
VPN connects with no problems - allowing their UDP ports worked perfectly.
I can once again reach the full internet with all my traffic going through NordVPN, and I can reach all my internal devices.
Amazing!
Except... once I go back to my cellphone now and try using the gateway, I am restricted to ONLY my internal network! It's no longer allowing me to reach the general internet, just 192.168.0.0/24 internal addresses.
I know this is extremely close to working. I need your help!
WHY is it not passing packets through the gateway outside the internal network?
Thank you very much
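A check worth running on this rule set, added by the editor and not part of the question above: the posted script appends its `-j logging` jumps after an unconditional `-j DROP` in INPUT and OUTPUT, and never hooks FORWARD into the logging chain at all, so the "log all dropped packets" rules can never fire and the phone's forwarded packets are dropped without a trace. The linter below parses an iptables-save dump and reports every rule that sits below an unconditional verdict, plus every built-in chain that can drop a packet without passing a LOG rule. The dump it ships with is constructed to mirror the posted script (trimmed to the rules that matter for ordering); the same functions work on a real `iptables-save` capture taken after `nordvpn connect`, which is the only way to see the evaluation order actually in effect, including any rules the VPN client itself may have inserted above the script's own.

```python
# Editor's added example, not code from the original post: lint an iptables-save
# dump for rules that can never match and built-in chains that drop without logging.
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end evaluation for the packet
# Constructed sample dump (filter table only), trimmed from what the posted
# script would save: same rule order, same logging hooks appended after the DROPs.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:logging - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i nordtun -j ACCEPT
-A INPUT -j DROP
-A INPUT -j logging
-A FORWARD -i nordtun -j ACCEPT
-A FORWARD -o nordtun -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -p udp -m udp --dport 1194 -m comment --comment "Allow VPN Connection OpenVPN 1194" -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o nordtun -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT -j logging
-A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables general: " --log-level 7
-A logging -j DROP
COMMIT
"""

def parse_table(dump, table="filter"):
    """Return (chain -> policy, '-' for user chains; chain -> tokenised -A rules in order)."""
    policies, chains, current = {}, {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
        elif current == table and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif current == table and line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(tokens)
    return policies, chains

def target_of(tokens):
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None

def is_unconditional(tokens):
    """True when the rule has no match; a `-m comment --comment X` does not count."""
    matches = tokens[2:tokens.index("-j")] if "-j" in tokens else tokens[2:]
    while matches:
        if matches[:2] != ["-m", "comment"] or len(matches) < 4:
            return False
        matches = matches[4:]
    return True

def always_terminates(chain, chains):
    """Entering user chain `chain` never returns (iptables forbids chain loops)."""
    for rule in chains.get(chain, []):
        t = target_of(rule)
        if is_unconditional(rule) and (t in TERMINAL or always_terminates(t, chains)):
            return True
    return False

def unreachable_rules(chains):
    """(chain, position, rule) for every rule sitting below an unconditional verdict."""
    found = []
    for chain, rules in chains.items():
        dead = False
        for pos, rule in enumerate(rules, 1):
            if dead:
                found.append((chain, pos, shlex.join(rule)))
            elif is_unconditional(rule):
                t = target_of(rule)
                dead = t in TERMINAL or always_terminates(t, chains)
    return found

def logs_before_verdict(chain, chains):
    """Can a packet entering `chain` hit a LOG rule before an unconditional verdict?"""
    for rule in chains.get(chain, []):
        t = target_of(rule)
        if t == "LOG" or (t in chains and logs_before_verdict(t, chains)):
            return True
        if is_unconditional(rule) and (t in TERMINAL or always_terminates(t, chains)):
            return False
    return False

def unlogged_chains(policies, chains):
    """Built-in chains whose drop path (rule or policy) never passes a LOG rule."""
    return sorted(c for c, p in policies.items()
                  if p != "-" and not logs_before_verdict(c, chains))

if __name__ == "__main__":
    policies, chains = parse_table(SAMPLE_DUMP)
    for chain, pos, text in unreachable_rules(chains):
        print(f"{chain} rule {pos} can never match: {text}")
    print("no LOG on the drop path in:", ", ".join(unlogged_chains(policies, chains)))
```

On the gateway itself, capture `iptables-save` after the VPN is up and feed that text to `parse_table()`; anything the VPN client manages will show up there in its real position relative to the script's rules, and `iptables -L FORWARD -v -n` shows which FORWARD rule (or the chain policy) is counting the phone's packets. To make the script's own debug logging useful, the `-j logging` jumps have to sit above the unconditional DROPs, and FORWARD needs one too.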