My network setup at home is pretty common: a DSL modem (VDSL2, actually) followed by a router that combines an Ethernet switch and an 802.11n Wi-Fi access point, configured as a NAT gateway.
Let’s imagine I’m in a country that doesn’t care about its citizens’ right to a private life and performs automated mass surveillance, on the pretext of fighting terrorism or copyright infringement. A gloomy prospect for sure, but let’s keep it as our working hypothesis.
Of course, I could just set up a VPN on every computer, with a gateway that happens to be in a foreign, more respectful country. However, running separate VPN clients on multiple computers is highly impractical, for several reasons:
- The VPN has to be configured on every machine, and I’m allergic to repetitive tasks
- VPN service providers restrict the number of concurrent connections per account
- Reaching resources on the local network at the same time is a hassle and needs specific configuration, such as DNS settings
So, why not install the VPN once and for all on a privacy-enhancing gateway? We will implement it in a clean, IPv6-compatible manner, so that hosts on the LAN even keep working public IPv6 addresses.
Our goal is a smart gateway that behaves as follows:
- Outgoing connections are routed through the VPN. Network Address Translation is required here, since the VPN provider allocates us only one IPv4 address and one IPv6 address.
- Incoming connections arriving on the ISP link are routed normally to the LAN, and their replies must leave through that same link rather than through the VPN, so that IPv4 port forwarding and the hosts’ public IPv6 addresses both keep working.