NordVPN is a personal virtual private network (VPN) service provider. It has desktop applications for Windows, macOS, and Linux, mobile apps for Android and iOS, as well as an application for Android TV. Manual setup is available for wireless routers, NAS devices and other platforms.

1 Download NordVPN


  1. Run the terminal.
  2. Type sudo apt-get update to update the package list.
  3. Type sudo apt-get install openvpn to install OpenVPN.
  4. Navigate to the OpenVPN directory, download the .ovpn configuration files and unzip them.
    $ sudo apt-get update
    $ sudo apt-get install openvpn
    $ cd /etc/openvpn/
    $ sudo wget https://nordvpn.com/api/files/zip
    $ sudo unzip zip

2 Configure VPN

  1. Go to the OpenVPN directory with cd /etc/openvpn.
  2. Create an auth.txt file containing your NordVPN credentials, user name on the first line and password on the second:
    myusername
    mypassword
  3. Select the VPN configuration file for the desired region. For example, for the US:
    $ sudo vi us3359.nordvpn.com.tcp443.ovpn
  4. Change the auth-user-pass line so that it points to the credentials file auth.txt:
    auth-user-pass auth.txt
  5. Copy the .ovpn file you wish to use at startup, simplifying its name as well. For example:
    $ sudo cp /etc/openvpn/us3359.nordvpn.com.tcp443.ovpn  /etc/openvpn/us3359.conf
  6. Lastly, we need to set up OpenVPN to autostart and to use our file. Enter the following line to edit our config.
    $ sudo vi /etc/default/openvpn
  7. Find the line:
    #AUTOSTART="all"
  8. Add above it:
    AUTOSTART="us3359"

2.1 Replace auth in all files

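You can use the following shell loop to update every .ovpn file so that its auth-user-pass line points to the auth file.

# Run from /etc/openvpn; the files are owned by root, hence sudo
for file in *.ovpn; do
   echo "$file"
   # Rewrite the auth-user-pass line in place
   sudo sed -i 's/.*auth-user-pass.*/auth-user-pass auth.txt/' "$file"
done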
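
The auth.txt file stores the account password in plaintext, so it should not be readable by group or others. The following added example (not part of the original page) audits every profile in a directory and reports credentials files that are missing or exposed; the function name audit_auth_files is hypothetical, and relative paths are assumed to resolve against the profile directory.

```sh
#!/bin/sh
# Added example: audit the credentials files referenced by OpenVPN profiles.
# audit_auth_files is a hypothetical helper name, not an OpenVPN tool.
# Prints one line per finding; returns 0 only if there are none.
audit_auth_files() {
    dir=$1
    findings=0
    for conf in "$dir"/*.ovpn "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Argument of the directive; empty means OpenVPN prompts instead.
        auth=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
        [ -n "$auth" ] || continue
        # Assumption: relative paths resolve against the profile directory,
        # as they do when openvpn is started from /etc/openvpn.
        case $auth in
            /*) path=$auth ;;
            *)  path=$dir/$auth ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $conf -> $path"
            findings=$((findings + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        perm=$(ls -ldL "$path" | cut -c5-10)
        if [ "$perm" != "------" ]; then
            echo "EXPOSED $conf -> $path ($perm)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# With a directory argument, audit it (for example /etc/openvpn).
[ $# -eq 0 ] || audit_auth_files "$1"
```

A finding of type EXPOSED is fixed with sudo chmod 600 on the reported file.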

2.2 Manually connect to a VPN

Once all files have been updated, you can use any of them to set up a VPN. For example, to set up a VPN in France:

$ sudo openvpn /etc/openvpn/fr240.nordvpn.com.tcp443.ovpn

2.3 Verify VPN

You can determine your current external IP address by using:

$ wget http://ipinfo.io/ip -qO -
91.132.137.76

Or use a browser to connect to http://ipleak.net

2.4 Disconnect VPN

If you wish to disconnect, simply press Ctrl+C on the keyboard. If this doesn't work, you can use the following command.

$ sudo killall openvpn

3 Setup routing

Now we need to enable IP forwarding. It enables network traffic to flow in from one of the network interfaces and out the other, essentially creating a router.

# >> appends, leaving the existing settings in /etc/sysctl.conf intact
$ sudo /bin/su -c "echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' >> /etc/sysctl.conf"

If you run sudo sysctl -p you should see this printed on the screen:

$ sudo sysctl -p
net.ipv4.ip_forward = 1

Now routing is enabled and traffic can go through the Raspberry Pi, over the tunnel and out on the internet.

4 Setup Firewall and NAT

Since we will have several clients on the inside accessing the internet over one public IP address, we need to use NAT. It stands for network address translation and keeps track of which client requested what traffic when the information returns over the tunnel. We also need to set up some security around the Raspberry Pi itself and the tunnel.

  • Enabling NAT.
    $ sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
  • Allowing any traffic from eth0 (internal) to go over tun0 (tunnel).
    $ sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
  • Allowing traffic from tun0 (tunnel) to go back over eth0 (internal). Since we specify the state RELATED,ESTABLISHED, it is limited to connections initiated from the internal network, blocking external traffic that tries to initiate a new connection.
    $ sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  • Allowing the Raspberry Pi's own loopback traffic.
    $ sudo iptables -A INPUT -i lo -j ACCEPT
  • Allowing computers on the local network to ping the Raspberry Pi.
    $ sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT
  • Allowing SSH from the internal network.
    $ sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
  • Allowing all traffic initiated by the Raspberry Pi to return. This is the same state principle as earlier.
    $ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • If traffic doesn't match any of the rules specified, it will be dropped.
    $ sudo iptables -P FORWARD DROP
    $ sudo iptables -P INPUT DROP
    $ sudo iptables -L

All of the commands together, followed by the resulting rule listing:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP
sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
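
The rules above only let LAN traffic out through tun0, and the DROP policy catches everything else, so clients do not fall back to the unencrypted uplink when the tunnel is down. The following added example (not from the original page) checks that property on iptables -S output; the function names and the embedded sample rules are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify that the FORWARD chain fails closed.
# Reads `iptables -S` output on stdin; $1 = LAN interface, $2 = tunnel.
check_forward_failclosed() {
    awk -v lan="$1" -v tun="$2" '
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        $1 == "-A" && $2 == "FORWARD" {
            in_if = ""; out_if = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # Conservative: an ACCEPT that matches LAN input (or has no -i
            # match at all) must name the tunnel as its output interface.
            if (target == "ACCEPT" && (in_if == lan || in_if == "") && out_if != tun) {
                print "LEAK: " $0; bad++
            }
        }
        END {
            if (policy != "DROP") { print "LEAK: FORWARD policy is " policy; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: the rule set from this page as `iptables -S` prints it.
page_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

page_rules | check_forward_failclosed eth0 tun0 && echo "FORWARD is fail-closed"
```

On the Raspberry Pi itself, feed it the live rules with sudo iptables -S | check_forward_failclosed eth0 tun0.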

4.1 Save iptables configuration

The first line installs a piece of code that makes the iptables rules we just created persistent between reboots. The second one saves the rules after you have changed them. This time it's enough to run the first one.

sudo apt-get install iptables-persistent
sudo systemctl enable netfilter-persistent

If you change the rules, run the second one to save them. Iptables rules take effect as soon as you add them; if you mess up and lose access, just reboot and the rules not already saved will revert.

Now you can use this tunnel from any device or computer on the same network. Just change the default gateway to whatever IP address your Raspberry Pi has. In my case both my Kodi media centers (one in the bedroom and one in the living room) use this connection so I can stream my Swedish play channels. Of course there are other things you can use this for as well.