Routing LAN through VPN Client

I hope you can help me. I have read so many how-to's and also looked into this forum. But I can't get it to work.
What I want is to use my DietPi as gateway for my LAN. NordVPN is installed on the DietPi. Everything on the DietPi works fine; the tunnel tun0 connects properly.

My LAN is
The gateway of tun0 is

What I have already done is:
net.ipv4.ip_forward = 1

redirect-gateway def1 in .ovpn (I don't know if this is necessary)

I tried with iptables and routings but it didn't work.

I'm not good at networking, but I found a working iptables config in this thread and when I compare it to yours, there are some differences:

The working config is like (I edited it to match your IPs / interfaces):

Destination             Gateway             Netmask             Interface
Default route              tun0
Default Route              eth0         	tun0    		none          	tun0                tun0     eth0             none             eth0

So you are missing these two?         	tun0    		none          	tun0

And this entry in your IPtables is wrong?    		none          	tun0

But as I said before, IDK what this is doing, I just compared a working config with yours and somebody should have a qualified look over this!

Question as well, did you set your DietPi device as Gateway on your LAN clients?

Thanks a lot. These are the default routes when the VPN is connected.
I don't know if they are correct or not. On the DietPi everything works fine.
I will check your suggestion.

Yes, the IP of the DietPi is, so the default gateway is set on the LAN clients.

Have you enabled masquerade on the tunnel interface?
iptables-save -c ; ip -4 ad; ip -4 ro; ip -4 ru

Yes masquerade has been enabled:

sudo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE

Please post all the commands mentioned in my previous post.


OK, here is the result.
I restarted the system, so no iptables rules are active.

It won’t work without masquerading, that’s for sure. So you’ll need to add the masquerade.
Another thing to try is to capture the packets: apt update; apt install tcpdump
Then run a packet capture on the eth0 interface to verify that the LAN hosts use the Pi as a router: tcpdump -i eth0 -evn host
Run a ping to and verify that you can see the packets.
If you can see them, run again the same capture on tunnel interface: tcpdump -i tun0 -evn host

No packets arrive while I am running tcpdump -i eth0 -evn host and ping to

The default gateway is definitely set correctly on the LAN side.
I can see packets when I am running tcpdump -i eth0 -evn host:
> ICMP echo request, id 1, seq 152, length 40
> ICMP echo reply, id 1, seq 152, length 40

How can I add masquerade?

In this way?
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Evidently it is not correct, otherwise you’d see them.

Because you are pinging the RPi.

Yes, but you first need to fix the gateway.
What is the routing table of the LAN host? route print in Windows or ip -4 ro in Linux.

I do understand. Here is the routing table.

Do a traceroute; the first hop should be the .33
And post the iptables-save -c from RPi.

On my PC tracert gives me “Request timed out” :frowning:
Don’t know why. Rpi has, so at least the first hop should be reachable.

The routing table from rpi:

Something is odd:
In your first post tun0 was in, in another post it was in and now it is in!

Do you have another PC to try?

I tried on another PC, it works :smiley:
I don't know why my PC sucks…

Thanks everyone.

And you are sure the 2nd PC is using the correct gateway?

Yes, I’ve tested on several machines.
I changed the default gateway to manually.
It works.

So what must be done:

net.ipv4.ip_forward = 1
sudo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
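The four pieces listed in this last post can be verified from the diagnostic outputs requested earlier in the thread (sysctl, ip -4 ro, iptables-save -c). The checker below is an added example, not code from the thread or from DietPi; the sample outputs it runs on are constructed, and the addresses in them are placeholders.

```python
import re
def check_gateway(sysctl_out, route_out, iptables_out, lan_if="eth0", vpn_if="tun0"):
    """Return the missing pieces; an empty list means LAN traffic is routed into the VPN."""
    problems = []
    # 1. Kernel forwarding must be on, otherwise nothing is routed at all.
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_out)
    if not m or m.group(1) != "1":
        problems.append("net.ipv4.ip_forward is not 1")
    # 2. Default route into the tunnel. OpenVPN's 'redirect-gateway def1' adds two /1
    #    routes via tun0 instead of replacing 'default', so accept either form.
    via_vpn = any(ln.split()[0] in ("default", "0.0.0.0/1", "128.0.0.0/1") and f"dev {vpn_if}" in ln
                  for ln in route_out.splitlines() if ln.strip())
    if not via_vpn:
        problems.append(f"no default route via {vpn_if}")
    rules = iptables_out.splitlines()  # iptables-save -c prefixes each rule with [pkts:bytes]
    # 3. NAT: LAN source addresses must be rewritten before entering the tunnel,
    #    otherwise the VPN server has no route back to the private LAN addresses.
    if not any(re.search(rf"-A POSTROUTING\b.*-o {vpn_if}\b.*-j MASQUERADE", ln) for ln in rules):
        problems.append(f"no MASQUERADE on -o {vpn_if} in nat/POSTROUTING")
    # 4. Filter: forward LAN->tunnel and let replies back; only matters when FORWARD policy is DROP.
    if not any(ln.startswith(":FORWARD ACCEPT") for ln in rules):
        if not any(re.search(rf"-A FORWARD -i {lan_if} -o {vpn_if}\b.*-j ACCEPT", ln) for ln in rules):
            problems.append(f"no FORWARD accept {lan_if} -> {vpn_if}")
        if not any(re.search(rf"-A FORWARD -i {vpn_if} -o {lan_if}\b.*ESTABLISHED.*-j ACCEPT", ln) for ln in rules):
            problems.append(f"no FORWARD accept for RELATED,ESTABLISHED {vpn_if} -> {lan_if}")
    return problems
# Constructed sample outputs (not captured from the poster's device): forwarding on,
# tunnel up with def1 routes, but the firewall as it looks right after a reboot.
SYSCTL = "net.ipv4.ip_forward = 1\n"
ROUTES = """0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.33 metric 202
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.33
"""
EMPTY_RULES = "*nat\n:POSTROUTING ACCEPT [0:0]\nCOMMIT\n*filter\n:FORWARD DROP [0:0]\nCOMMIT\n"
FIXED_RULES = """*nat
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
[0:0] -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT
"""
if __name__ == "__main__":
    print("after reboot:", check_gateway(SYSCTL, ROUTES, EMPTY_RULES))
    print("with the rules from the thread:", check_gateway(SYSCTL, ROUTES, FIXED_RULES))
```

On a real box, feed it the actual outputs of `sysctl net.ipv4.ip_forward`, `ip -4 ro` and `iptables-save -c`; the `ln.split()[0]` route match also catches the case from the thread where the tunnel subnet changed between posts but no default route ever pointed into it.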