| HN Mirror

For setting it up as a router first, I recommend this[1] guide

I usually build the software from source so I don't know if every thing will work fine for you. Nevertheless here are the package names I remember from when I first set it up.

pdnsd - for DNS caching read the manual so you can write a good config, and don't forget to change the bind IP to an interface so that it is accessible to the local network

openvpn, easy-rsa - Initial setup[2] there is a bug which for which there is a temporary fix[3]. Might be fixed by now.

Port forwarding: I currently use iptables, but I've been trying to move to nftables, which I recommend. Here's how I do it for now (this must be done on the OpenVPN server):

tun0 is the openvpn interface

eno1 is the public ethernet interface of your VPN

Say the IP addr of openvpn CLIENT (router in this case) is 10.8.0.2 - eno1 port you want to forward to is 1234

say the client port (the router port to be forwarded) is 6789

#iptables -t nat -A PREROUTING -p tcp -i eno1 --dport 1234 -j DNAT --to-destination 10.8.0.2:6789

#iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 6789 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

The above commands are not persistent so save them to /etc/iptables.conf

I always choose very conservative settings for firewall. Only a single port is forwarded to the VPN. Rest are closed, spoof open ports, and have a honeypot if you want.

There are many guides on iptables, but I would again recommend nftables. You're going to have to dig deep sometimes since it is still new.

If you have questions about anything, just google. Chances are, it has already been covered several times.

[1]: https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-bui...

[2]: https://www.digitalocean.com/community/tutorials/how-to-set-...

[3]: https://bugs.launchpad.net/serverguide/+bug/1504676