A confusing iptables rule could help you decipher it


After I almost finished moving in, had a nice fast internet connection and everything was right, I wanted to start my long-awaited VPN gateway project. I would now like to briefly explain what it is, why I think I need it and how it is implemented. I have partially made use of the practical functions of a Fritzbox. If you carry out all the steps manually and without a Fritzbox, this will certainly extend the process a bit.

So first of all, an explanation. The VPN gateway is nothing more than a small computer (it can theoretically even be a virtual machine) that directs all traffic via a line of my choice. I no longer want to allow the provider, the NSA, the BKA or the colleague hooked up to my phone junction box to read my traffic without significant obstacles. That's why I hang a computer between my router and my computer (or my smartphone or my notebook) that runs continuously, establishes a connection to a VPN and routes all traffic in the network via the VPN. In addition, there should be leak protection that prevents data from going through the unprotected line if the VPN connection is broken. Furthermore, computers in the network should not be able to reach the Internet except through the gateway. Here I use the Fritzbox's handy parental control feature, which I simply switch on for all computers except the gateway - permanently, of course.

Why do I think I need that? I don't quite know… that's a feeling. I also like to do handicrafts. :)

Now for the implementation. For the sake of clarity, I'll divide it up nicely.


In the preparation phase, we install the server, create virtual network adapters and install (if desired) Webmin for easier administration.

My server is running, who would have thought it, with Debian. To do this, I simply performed a normal network installation and deliberately avoided using the desktop, etc. During the installation it is good to install SSH at the same time in order to have easy access to the server from the normal PC. This also enables copy and paste and all the bells and whistles.

Creating a virtual network connection is extremely easy under Linux. We need this connection because the gateway needs two IPs: everything comes in on one and goes out on the other. We could also work with two network cards, but since I only use a Thinkpad T60 as a server and don't want to buy a plug-in or USB card, I work with virtual connections. Problems can arise in terms of speed, as the same network card has to process the same traffic twice in a row. However, the problem solves itself in my case, since the notebook is connected with 1 gigabit and my internet connection is only 50 megabits anyway. So there is no local bottleneck.

To permanently create a virtual network card, we edit the file /etc/network/interfaces as follows:

# Physical interface (fill in your own address, netmask and gateway; the values are not given on this page)
auto eth0
iface eth0 inet static
    address
    netmask
    gateway

# Virtual (alias) interface, a second IP on the same card
auto eth0:0
iface eth0:0 inet static
    address

This configuration makes the interface eth0:0 available with the IP entered for it. The Fritzbox shows this IP as another connected device with the same hardware address (MAC address) and the same name as the standard interface.

Finally, for the sake of convenience, we install Webmin (this can also be skipped if a lean system is desired; services can sometimes be set up faster with Webmin than via the command line).

Setup VPN

The most complicated part of VPN is actually paying the VPN provider. Everything else is a no brainer.

To start with, on Debian and Ubuntu we have to run

apt-get install openvpn

After you have ordered a VPN from the VPN provider of your choice (I resorted to perfect-privacy on the advice of tux), you will receive configuration files, mostly via a panel that you have to log into. The configuration files should be something like .crt, .key and .ovpn. You put these on your VPN gateway server via SSH or FTP. I've moved them all to /etc/openvpn. (The directory only exists after the installation of openvpn.)

Once all of this is done, there is nothing more to do than navigate to /etc/openvpn and use

openvpn Gigabit-NL.ovpn

Start OpenVPN. During the start you will be asked for access data - just enter what your VPN provider has sent you.
You have to replace “Gigabit-NL.ovpn” with the configuration files received from your VPN provider!

That’s it. After a successful connection, the tunnel interface tun0 exists through which the traffic is routed in the next step. If you want to keep the tunnel open permanently, use screen.

screen openvpn Gigabit-NL.ovpn

Setup gateway

After the gateway is connected to the VPN, we now have to define the rules that first enable forwarding, then secure the whole thing so that nothing gets through unprotected in the event of connection problems, and possibly deactivate IPv6 (just for security; the iptables rules below only cover IPv4). For all of this we use two small kernel settings and iptables.

First of all we enable IPv4 forwarding in the kernel with:

sysctl -w net.ipv4.ip_forward=1

Communication from eth0:0 to eth0, i.e. over the connection without the tunnel, is blocked with:

iptables -A FORWARD -s -i eth0:0 -o eth0 -m conntrack --ctstate NEW -j REJECT

The forwarding from the virtual connection eth0:0 to our tunnel tun0 is implemented with:

iptables -A FORWARD -s -i eth0:0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT

Then one more rule has to be executed that masquerades the traffic leaving via the interface tun0 (is that how you say it?):

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
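The three rules above, as an added example that is not part of the original post, put together into a re-runnable script with a default-deny FORWARD policy. It assumes the LAN is 192.168.178.0/24 (the Fritzbox network named later in the post), the uplink is eth0 and the tunnel is tun0; the names gateway_rules, apply_gateway_rules and vpn_route_check are mine. One caveat it handles: iptables compares -i/-o against the real device name, and eth0:0 is only a second address on eth0, so the script matches the LAN source address instead of the alias.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumed values (override via environment):
LAN_NET="${LAN_NET:-192.168.178.0/24}"   # LAN behind the gateway (from the post)
WAN_IF="${WAN_IF:-eth0}"                 # uplink to the Fritzbox
VPN_IF="${VPN_IF:-tun0}"                 # OpenVPN tunnel

# Emit the ruleset one command per line so it can be reviewed before being applied.
# Policy DROP plus an ESTABLISHED,RELATED rule means anything not explicitly
# allowed towards tun0 is dropped, so a vanished tunnel cannot leak via eth0.
# The alias eth0:0 is not a device the kernel filters on, so we match -s $LAN_NET.
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.disable_ipv6=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $LAN_NET -i $WAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j REJECT
iptables -A FORWARD -s $LAN_NET -i $WAN_IF -o $VPN_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
EOF
}

# Apply the ruleset (needs root); stops at the first failing command.
apply_gateway_rules() {
    gateway_rules | sh -e
}

# Leak check for the "check your IP before surfing" step: the route to an
# outside address (1.1.1.1 by default, any public address works) must leave
# via the tunnel, otherwise the kernel would send LAN traffic out over eth0.
vpn_route_check() {
    ip route get "${1:-1.1.1.1}" 2>/dev/null | grep -q " dev $VPN_IF "
}
```

Run `gateway_rules` first to inspect the commands, then `apply_gateway_rules` as root; `iptables -F FORWARD` flushes earlier rules so the script can be run again after the tunnel has been restarted.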

Once this is done, our connection runs between the interfaces eth0:0 and tun0. Now on to the convenient part in the administration panel of the Fritzbox.

Setup Fritzbox

If our gateway fails or the connection does not work for other reasons, most computers tend to switch the gateway. In that case the Fritzbox would be used as gateway instead of our server and we would surf over the non-VPN connection. This can easily be avoided using the parental control feature built into the Fritzbox. If we don't have a Fritzbox, it makes more sense to use two dedicated network cards in the VPN gateway that operate in different networks. In our solution, however, they all operate in the same network (192.168.178.x).

In the first step we activate the expert view of the Fritzbox so as not to grope around like a mole while working through these instructions.

Then we navigate to Internet -> Filters. Here we find all devices in the network. The check mark for “Computers for which no access rules are active: do not have Internet access” should be set. (Screenshot 1)

Now we have the option of defining separate permissions for each computer. Our gateway appears twice in the overview (once with the real, once with the virtual network adapter). For the real interface, recognisable by its IP (screenshot 2), we enable internet access. We leave all the other devices untouched; because of the previous step they are all blocked.


Finally, on each device our server must be entered as the default gateway. This is done differently from device to device, but all common devices support manual entry of a gateway. In my case it is the IP of my server's virtual interface, and it always has to be the IP of the virtual interface (eth0:0), not of eth0.

Finally, I recommend checking your public IP with one of the numerous IP check tools available on the Internet before surfing. It should always be the IP of the VPN; if it isn't, something is wrong.

All that remains to be said is that the iptables rules are temporary settings that will be lost the next time the system is started. How you can define the rules permanently, I'll explain in the next article, which I then link here. I will also explain the automation of the connection to the VPN in one of the following articles and link it here.


Use the comment function if something doesn't work. I am always happy to help and would like you to be able to surf the net without problems and encrypted. :)