A bit of background before I dive into the problem I’m trying to solve. Even though I spend my days working in marketing, I hate how the adtech industry has hijacked privacy. I’m all for monetization but when Facebook complains that small businesses will be hurt IF the user is asked whether they want to be tracked, it’s blatantly obvious they don’t care about their users. When a company wants to hide how it makes money, why should anyone trust it?

If a publisher or app cannot make money without advertising, that’s fine. They have the right to turn me away as a reader or user. If that is scary, how about providing a limited amount of content or functionality without tracking and asking for opt-in afterwards? That model already exists: read 3 articles per month for free or freemium.

To avoid being tracked at home, I run Pi-hole which filters DNS. All my browsers have ad blocking extensions. Or I just use Tor.

Back to the specific problem I was trying to solve. I don’t want my location data being used to profile me, especially when I’m not at home. That solution sounds obvious: funnel all the traffic home with a VPN. Yup. But I also don’t want trackers to know where home is. So I want all the traffic that is funneled home to go out using another VPN.

Overkill? Maybe.

Interesting problem to solve? Definitely.

There are plenty of tutorials out there for setting up a VPN server at home or a VPS. There are plenty of tutorials out there for setting up VPN clients as well. DuckDuckGo-away. But funneling traffic between the two? Not so much.

Essentially, this is a routing issue. How do you tell the server to send all incoming traffic to the client VPN on the server?

Since it’s routing, Iptables to the rescue.

One assumption here: we want all traffic heading out to go over the client VPN. An OpenVPN configuration would probably include AllowedIPs = 0.0.0.0/0,::0/0.

Let’s assume tun0 is the incoming VPN server tunnel and tun1 is the outgoing VPN client tunnel.

  5 iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
  6 iptables -t nat -I POSTROUTING 1 -o tun1 -j MASQUERADE
  7 ip rule add from 192.168.1.135 lookup 10         # server IP
  8 ip route add default via 192.168.1.1 table 10    # gateway or router

POSTROUTING lets us alter the packets after the system is doing whatever it needs to and MASQUERADE is used for dynamic IPs. The third line says this server should use a custom table we are randomly numbering as 10. Line 4 states that all traffic should know go through the gateway or router. tun1 is looking for outgoing packets and will send it through the upstream VPN.

As a first check, doing a ‘curl ifconfig.co’ on a terminal directly on the server should return the IP assigned by the external VPN. For second and main check, do a ‘curl ifconfig.co’ or pull up one of the many sites from ‘what is my ip’ search results from a mobile device connected to the server VPN, it should return the external VPN IP address as well.