How to Use Linux Virtual Machine instead of router for VPN

Connecting Your Home Devices To The Internet Via A VPN Service, Without A VPN Client Capable Router

I’ve just been through this process at home for a “project” I was working on. Those attempting similar “projects” will understand why you’d do it. Those asking the question “But my computer connects fine to the internet already?” can probably stop reading. To give you a hint, I’m in Australia and I’ve just purchased a Roku Media Player from Amazon.
I wanted to set up my computers at home to access the internet through a VPN service. What HMA suggest is to configure the VPN at the router. The router being the gateway between the Internet and my home network. This is fine if your router supports acting as a VPN client. Mine, a TP-Link w8960N, does not support such functionality. So what to do?
The Synology supports acting as a VPN server for connecting back home, and with some tweaking, can be made to support being a VPN client. However, I prefer not to hack my Syno box unless I really have to though. After a quick try (thanks to Greg Hughes blog for the tips), I decided it’d be safer to break something else.
I could have purchased a router that supports VPN client connectivity. There are some articles over at VPNFreedom.com such as this one by Thomas Fals that explain how to set it up. I already have a NAS, Gigabit Switch and Router in the Home theatre cabinet though so the thought of adding another box doesn’t appeal. I also thought there must be a way to do it using software and without spending more money.
In the end, I decided to attempt it using a Ubuntu Linux Virtual Machine running an openVPN cilent and using IPTables to configure routing between the home network and VPN. Sound hard? Well, I wouldn’t recommend it to a novice user but if you have some Linux experience you should be able to manage.

Ubuntu Linux VM
Firstly you’ll want to set up a Linux VM. For those unfamiliar with Virtual Machines, it’s basically just a virtual computer running on another computer. Sticking with the ‘free’ theme of this thread. I decided to go with VirtualBox from Oracle. It’s a freely available Virtualization platform that you can install at home. Unlike VMWare Player or others, it will run on any platform, Windows / Mac / Linux.
I have a MacMini at home that I use as a Plex Media Client. I already had VirtualBox installed. It’s quite a simple download and install from VirtualBox. I won’t cover the install here.
I already had a Ubuntu 10.04 Linux VM configured that I’d used for another project. I’d tried out PS3 Media Server a while ago. So I decided to use that. If you need to install Ubuntu, there are several ways to do it as detailed on the Ubuntu website. You can also just download a pre-built VM image. Oracle have them available here.
I’ll leave it up to you how you want to do it.

OpenVPN Client
I’ll assume you’ve signed up with HMA already. If not, you should sign up for an account if you plan to use it before going any further.
Log on to your Ubuntu VM with root privileges. Whether that’s as root or if you want to sudo each command I’ll again leave that up to you. There are a few packages that you need to install in order to run the openVPN client and connect to HMA. Run the following:
sudo apt-get install openvpn curl unzip dnsmasq-base wget
This installs the OpenVPN client for connecting to HMA plus some tools you’ll need.

HMA Config
Create a directory where you would like to install HMA. HMA will run self contained out of this directory. Then download and unzip the HMA config to that directory.
mkdir /opt/hma
cd /opt/hma
wget http://vpn.hidemyass.com/linux.zip
unzip linux.zip
You are now ready to test your HMA connection. As per the HMA README file you just downloaded. Run the following to connect.
/opt/hma/hma-start -l
This will list the available servers. Choose one in the country you wish to connect via and start the VPN connection e.g.
/opt/hma/hma-start "USA, California, Los Angeles (DC1 S1)"
You will be prompted for your HMA username and password. This should then establish your connection.
If you get time out errors, try a different location. You should see some entries starting with /sbin/ifconfig and /sbin/route add. These entries should be on consecutive lines, if there are errors reported. Kill the process using ctrl+c and try again.

Routing Traffic Via Your VPN Connection
The goal here is to tell our clients to connect to the internet via our Linux VM instead of out directly through the router. We also need to make sure the VM is configured to forward IP packets out to through the VPN instead of bouncing them back to the client.
Firstly, make sure you configure your Ubuntu Linux VM with a Static IP address outside your DHCP range on your local network and that the gateway of your VM is pointing to the address of your router. e.g.
IP: 192.168.1.10
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1
DNS: 192.168.1.1 assuming your router is providing DNS information.
There’s an excellent Ubuntu doc here on configuring Internet connection sharing. I really recommend reading it. Basically, this document assumes you have two network cards (NICs) or at least two interfaces configured and that your clients are connected to one and that the Internet is connected to the other. This is exactly what we’re doing here. Your local network interface is normally eth0. What we would normally do is set up another interface on eth1 and route traffic between eth0 and eth1. The difference here is that we’re using a openVPN client. When it’s running, this client creates a vpn tunnel interface called tun0. So we will be routing traffic to eth0 out via tun0. We do that using IP tables. For the how’s and why’s check out the Ubuntu doc. In command line form though, it’s the following commands.
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -A FORWARD -o tun0 -i eth0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo iptables-save | sudo tee /etc/iptables.sav
You may also have to modify the /etc/sysctl.conf file to uncomment the line
net.ipv4.ip_forward=1
Done, assuming you’ve established a VPN connection, you’ve now set up routing on the Linux VM.

Client Config
Connecting clients will vary based on what type of client it is. Computers are the easiest because they’re the most configurable. Basically, you now just change the Gateway or Router address in your network config of your computer to point to your Linux VM. In this case it would be 192.168.1.10. That’s it. If you go to google.com and type in “what is my ip address” it will now show you the IP address of the VPN connection. It will also probably ask if you’d like to stop connecting to google.com.au and use google.com instead as it now thinks you’re in the U.S.

DHCP Only Clients (Optional)
There are some clients. Notably the Roku Media Player, that don’t support static IP addresses or changing the gateway. This is a bit of a pain. Normally, DHCP addresses are provided by your router. In my case this was the TP-Link w8960N at 192.168.1.1. The problem with this is that it also tells your client that the gateway address is 192.168.1.1. This is a problem because then your client uses that for the internet connection and not your fancy new VPN software router. To get around this, I turned off the DHCP function on my router and installed a DHCP server on the Linux VM.
sudo apt-get install dhcp3-server
Then put the following in a file called /etc/dhcp3/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.10;
option domain-name-servers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.200;
}
Then start the dhcp server using
/etc/init.d/dhcp-server start
Reboot your clients and they should pick up an IP address from the Linux VM and be provided with the new gateway address of 192.168.1.10.
Done.

Conclusion
It looks harder than it is and it’s a bit of messing around. You might decide it’s cheaper and easier to just buy a new router that supports VPN connections. I already had VirtualBox installed and a Linux VM so the whole process only took about an hour or so. It also avoids the need for another box in your setup, and it doesn’t cost anything except your time.
Big thanks to the info in everyone’s articles I read putting that helped put this together. I’ve linked where possible.