I wanted a VPN endpoint that would allow me to:
- access my network (say, my home network or my VPC)
- browse the internet anonymously (such as through a commercial VPN like ExpressVPN, CyberGhost, PIA, or Mullvad)
That way, when traveling, I didn't have to choose between accessing my internal network and browsing the internet anonymously. The solution I chose was WireGuard running on a GNU/Linux computer.
Configuring External VPN
Start by configuring the external VPN - you'll need to first download this configuration from your commercial VPN provider. Once downloaded, add the line FwMark = 45 under [Interface] and store the file as
Test that this works with wg-quick up wg-ext, then run curl api.ipify.org to make sure you're routing traffic through the VPN.
You can run wg show to see the active WireGuard connections.
Configuring Private VPN
Now you'll need to set up your own internal VPN.
I won't go into the details of generating keys - but the ArchWiki has a great guide on this.
I will assume you followed that guide, generated the appropriate private/public and preshared keys and shared those with some client (e.g., an iPhone) so you can test access.
After following the ArchWiki guide you'll need to make minor modifications:
- set PostUp rules to:
  - forward traffic to
  - forward DNS traffic from the tunnel
- set up a route to
  - allow local network connections
- link this tunnel with wg-ext by placing FwMark = 45 under [Interface]
Where:
- 192.168.0.0/24 is your "home/VPC" network
- 10.5.0.1 is the DNS server of the "external VPN"
- FwMark = 45 is an arbitrary mark value that must be the same in both tunnels - this allows the private tunnel's own traffic to be excluded from the external VPN's routing
  - without this the request comes in correctly, but the response is still sent out over wg-ext!
And then run sudo systemctl enable firstname.lastname@example.org to launch the private VPN and have your internet traffic routed through your commercial VPN!
The three biggest snags I ran into that made a huge difference were:
- not being aware of
- not realizing I had to route local traffic back to
- not realizing I had to add an iptables rule to forward DNS requests
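The two-tunnel setup from the previous section, as an added shell example (not the post's own configuration, whose exact PostUp rules are not reproduced here): it renders the [Interface] section of the private tunnel with PostUp/PostDown rules that forward tunnel traffic to the LAN or out through wg-ext, redirect the tunnel's DNS to the external VPN's resolver, and carry the shared FwMark; it then checks that both tunnel configs use the same mark, which is the first snag listed above. The interface name wg-ext, the LAN 192.168.0.0/24, the resolver 10.5.0.1 and FwMark 45 come from the post; wg-int, eth0, 10.200.0.1/24 and the placeholder keys are assumptions, and the sample config files are constructed. The rules rely on wg-quick behaviour: wg-ext's 0.0.0.0/0 route sends everything not carrying its fwmark through the tunnel, so giving wg-int the same mark keeps its encrypted replies on the physical interface.

```shell
#!/bin/sh
# Added example, not from the original post. Renders a wg-int [Interface]
# section and checks that two wg-quick configs share one FwMark.
set -eu

FWMARK=45                 # from the post: same mark in both tunnels
EXT_IF=wg-ext             # from the post: the commercial VPN tunnel
LAN_IF=eth0               # assumption: physical interface facing the LAN
LAN_NET=192.168.0.0/24    # from the post: home/VPC network
EXT_DNS=10.5.0.1          # from the post: resolver inside the external VPN
INT_ADDR=10.200.0.1/24    # constructed: address of the private tunnel

# Firewall rules shared by PostUp (-A) and PostDown (-D). %i is expanded by
# wg-quick to the interface name (wg-int here).
fw_rules() {
    act=$1
    cat <<EOF
iptables $act FORWARD -i %i -o $EXT_IF -j ACCEPT
iptables $act FORWARD -i $EXT_IF -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables $act FORWARD -i %i -o $LAN_IF -d $LAN_NET -j ACCEPT
iptables $act FORWARD -i $LAN_IF -o %i -s $LAN_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat $act PREROUTING -i %i -p udp --dport 53 -j DNAT --to-destination $EXT_DNS
iptables -t nat $act PREROUTING -i %i -p tcp --dport 53 -j DNAT --to-destination $EXT_DNS
iptables -t nat $act POSTROUTING -o $EXT_IF -j MASQUERADE
iptables -t nat $act POSTROUTING -o $LAN_IF -d $LAN_NET -j MASQUERADE
EOF
}

# [Interface] section of the private tunnel; FwMark exempts wg-int's own
# encapsulated packets from the "not marked -> wg-ext" policy rule.
render_int_interface() {
    printf '[Interface]\nAddress = %s\nListenPort = 51820\n' "$INT_ADDR"
    printf 'PrivateKey = <PRIVATE_KEY_PLACEHOLDER>\nFwMark = %s\n' "$FWMARK"
    printf 'PostUp = sysctl -w net.ipv4.ip_forward=1\n'
    fw_rules -A | sed 's/^/PostUp = /'
    fw_rules -D | sed 's/^/PostDown = /'
}

# FwMark value of a wg-quick config file; prints nothing if it is unset.
conf_fwmark() {
    awk -F= '/^[[:space:]]*FwMark[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# `wg show <iface> fwmark` prints hex (0x2d) or "off"; normalise to decimal.
wg_fwmark_to_dec() {
    case $1 in
        off) ;;
        *)   printf '%d\n' "$(( $1 ))" ;;
    esac
}

# 0 when both configs carry the same non-empty FwMark, 1 otherwise.
same_fwmark() {
    a=$(conf_fwmark "$1"); b=$(conf_fwmark "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample configs (placeholder keys and endpoint, not real values).
WORK=$(mktemp -d)
cat >"$WORK/wg-ext.conf" <<EOF
[Interface]
PrivateKey = <EXT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.5.0.2/32
DNS = $EXT_DNS
FwMark = $FWMARK

[Peer]
PublicKey = <PROVIDER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
EOF
render_int_interface >"$WORK/wg-int.conf"
render_int_interface | grep -v '^FwMark' >"$WORK/wg-int-nomark.conf"

if same_fwmark "$WORK/wg-ext.conf" "$WORK/wg-int.conf"; then
    echo "wg-ext and wg-int share FwMark $(conf_fwmark "$WORK/wg-int.conf")"
fi
if ! same_fwmark "$WORK/wg-ext.conf" "$WORK/wg-int-nomark.conf"; then
    echo "wg-int-nomark.conf lacks the mark: replies would leave via $EXT_IF"
fi
```

On a live box the same check can be run against the kernel state rather than the files, by feeding the output of wg show wg-ext fwmark and wg show wg-int fwmark through wg_fwmark_to_dec and comparing the two values.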
No internet access from the server?
- The issue is probably with the commercial VPN
No domain resolution on the server?
- The issue is probably DNS requests not making it to the commercial VPN (i.e., ping 22.214.171.124 works but ping google.com does not)