I’m building a Raspberry Pi 3B as a Wi-Fi AP/gateway. The specs are:
Raspberry Pi OS 64-bit (Debian Trixie-based), kernel 6.12.47+rpt-rpi-v8
The Goal:
Route Wi-Fi clients only through a VPN interface (NordVPN, interface name nordlynx).
What I did:
Installed and configured hostapd and dnsmasq. Both are working, once I connect a device to the pi’s wifi, it receives an IP address.
Generally allowed IPv4 forwarding:
sudo sysctl -w net.ipv4.ip_forward=1
After connecting to nordvpn added the following IPtables rules:
VPNIF="nordlynx"
LANIF="wlan0"
LANNET="10.42.0.0/24"
# Allow established/related back in
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow Wi-Fi clients out ONLY via VPN
sudo iptables -A FORWARD -i "$LANIF" -o "$VPNIF" -s "$LANNET" -j ACCEPT
# NAT (masquerade) clients behind VPN
sudo iptables -t nat -A POSTROUTING -s "$LANNET" -o "$VPNIF" -j MASQUERADE
Also (because client’s didn’t get an IP address assigned after nordvpn connected):
sudo nordvpn set firewall off
Set an explicit route:
echo "200 wifivpn" | sudo tee -a /etc/iproute2/rt_tables
sudo ip route add default dev nordlynx table wifivpn
sudo ip rule add from 10.42.0.0/24 table wifivpn priority 1000
sudo ip route flush cache
Problem: WiFi clients cannot connect to the internet. What is wrong here? Do I need different routing or other IPtables?