Initially, I used OpenVPN to get this setup going, but switched everything over to WireGuard. To restate what I’m trying to do here: VPN into a home machine and have all the traffic funnel out through a second VPN with a third-party provider. What is the use case? The primary reason is I have hate in my heart for adtech that abuses privacy. This is a small way of showing the industry the middle finger…even though I know everyone is mining personal data.

A second reason: I don’t get any value from having personal data sitting in the cloud. Of course self-hosting is a PITA and there is a loss of convenience, but a lot of it is set and forget.

My alpha setup involved spinning up Docker containers for each service (calendar, contacts, notebooks, git, file sync, read-it-later, RSS reader, and on and on) and then exposing them to the Internet.

In the back of my mind, I kept thinking “Do I really need these services available on the Internet?” It seemed like an obvious yes if I wanted to access them from outside of home. How else would I be able to get to them?

Relatedly, I use VPNs to access the Internet from all my devices. Why? If I confuse adtech for a nanosecond, that’s a good enough reason.

So if I have services reaching out to the Internet to pull in content (like the RSS reader and the read-it-later app), they should be going through a VPN tunnel as well.

The most demanding use case is being away from home: accessing normal websites over a VPN, accessing services residing on the home LAN, and forcing those LAN services to reach the Internet over a VPN.

To do this, a machine on the home LAN must run both a VPN server, which is used to access LAN services, and a VPN client for outgoing traffic.

The tricky part is connecting the VPN server to the client, allowing me to access LAN services and the outside world, all through VPN tunnels.

There are four sets of configuration: (1) devices that access the home VPN; (2) the WireGuard server that handles (1); (3) the WireGuard client that reaches the outside world from inside the LAN; (4) connecting the server and the client.

There are plenty of WireGuard tutorials out there so I won’t go into the nuances.

Let’s start by looking at the WireGuard server configuration:….

  iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
  iptables -t nat -I POSTROUTING 1 -o tun1 -j MASQUERADE
  ip rule add from lookup 10           # server IP
  ip route add default via table 10    # gateway or router

POSTROUTING lets us alter packets after the system has finished routing them, and MASQUERADE is used because the tunnel IPs are dynamic. The third line says that traffic sourced from the server’s own IP should use a custom routing table, which we are arbitrarily numbering 10. Line 4 states that everything in that table now goes through the gateway or router. tun1 is the upstream tunnel: outgoing packets leaving through it are sent to the third-party VPN.
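As an added example (my addition, not the author’s configs), here is how those four rules can live inside wg-quick configuration files so they are applied and removed together with the tunnels. All addresses, keys and interface names are assumed placeholders, and using wg-quick with PostUp/PostDown hooks is itself an assumption, since the post does not say how the rules are applied at boot.

```sh
#!/bin/sh
# Added example, not the author's files: render the two wg-quick configs that
# carry the rules above. Every address, interface name and key is an assumed
# placeholder; wg-quick itself is an assumption (the author may use plain wg).
SERVER_LAN_IP=${SERVER_LAN_IP:-192.168.1.10}  # assumed: home server's LAN address
LAN_GATEWAY=${LAN_GATEWAY:-192.168.1.1}       # assumed: home router
UPSTREAM_IF=${UPSTREAM_IF:-wg1}               # assumed: tunnel to the third-party VPN

# Home-facing server (wg0). PostUp installs the four rules from the post. The
# "from SERVER_LAN_IP" rule gets an explicit priority so it is checked before
# the rules wg-quick adds for the upstream tunnel; otherwise replies to incoming
# handshakes can be routed into the upstream tunnel and the home VPN breaks.
render_home_server() {
  cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <HOME_SERVER_PRIVATE_KEY>
PostUp = iptables -t nat -I POSTROUTING 1 -o %i -j MASQUERADE
PostUp = iptables -t nat -I POSTROUTING 1 -o $UPSTREAM_IF -j MASQUERADE
PostUp = ip rule add from $SERVER_LAN_IP lookup 10 priority 100
PostUp = ip route add default via $LAN_GATEWAY table 10
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o $UPSTREAM_IF -j MASQUERADE
PostDown = ip rule del from $SERVER_LAN_IP lookup 10 priority 100
PostDown = ip route del default via $LAN_GATEWAY table 10

[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
EOF
}

# Upstream client (wg1). AllowedIPs = 0.0.0.0/0 makes it the default route for
# everything not caught by table 10: roaming devices on wg0 and the LAN services.
render_upstream_client() {
  cat <<EOF
[Interface]
Address = <ADDRESS_FROM_PROVIDER>
PrivateKey = <UPSTREAM_PRIVATE_KEY>

[Peer]
PublicKey = <PROVIDER_PUBLIC_KEY>
Endpoint = <PROVIDER_HOST>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}
```

Write the two outputs to /etc/wireguard/wg0.conf and wg1.conf, fill in the placeholders, and bring them up with wg-quick; the PostDown lines keep restarts from stacking duplicate rules.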

As a first check, doing a ‘curl’ from a terminal directly on the server should return the IP assigned by the external VPN. For the second and main check, do a ‘curl’ or pull up one of the many sites from a ‘what is my ip’ search on a mobile device connected to the home VPN; it should return the external VPN IP address as well.