A smart VPN gateway

My network setup at home is surprisingly pretty common: a DSL modem (VDSL2 actually) followed by a router featuring an ethernet switch and an 802.11n wifi access point, configured as a NAT gateway.

My home network setup before modifications
My home network setup. Nothing fancy here.

Let’s imagine I’m in a country that doesn’t care about the right to private life of its citizens and performs automated mass surveillance, on the pretext of fighting against terrorism or copyright infringement. A gloomy perspective for sure, but let’s keep that as our work hypothesis.

Of course, I could just set up on every computer a VPN whose gateway happens to be in a foreign and more respectful country. However, multiple VPNs on multiple computers are a highly impractical setup for various reasons:

  • VPN configuration has to be done multiple times, and I’m allergic to repetitive tasks
  • The maximum number of concurrent connections is restricted by VPN service providers
  • Access to resources on a local network at the same time is a hassle and need specific configuration, like DNS settings

So, why not install the VPN once and for all in a privacy-enhancing gateway? We will implement it in a clean, IPv6-compatible manner so we even have public addresses working on the hosts.

Our goal is to get a smart gateway behaving as follows:

  • Outgoing connections are routed through the VPN. We have to use Network Address Translation since the VPN provider only attributed us one IPv4 address and one IPv6 address.
  • Incoming connections are routed normally to the LAN, so we get IPv4 port forwarding and working IPv6 public addresses.
Packet streams inside the smart gateway
Routing inside the gateway: outgoing connections through VPN

Continue reading A smart VPN gateway