Justine

Interfaces

enp1s0

  • HOME VLAN; untagged

mgmt@enp1s0

  • MGMT VLAN; tagged VLAN 100

docker0

  • 172.18.0.1/16

Set up automatically by Docker.

Each container's network namespace gets a veth pair; the host end of the pair is attached to the docker0 bridge.

Routing

Forwarding

IP forwarding is enabled, but forwarded packets are dropped by default by the firewall (FORWARD policy DROP); only traffic matched by an explicit ACCEPT rule gets through.

sysctl net.ipv4.ip_forward=1
iptables -P FORWARD DROP

Mullvad

Traffic from the HOME network and the Docker network leaving via the mullvad interface is MASQUERADEd so that it exits with the Mullvad-assigned tunnel IP.

# Mullvad gateway
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o mullvad -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.17.1.0/24 -o mullvad -j MASQUERADE

When the Mullvad tunnel comes up or goes down, the PostUp/PreDown hooks of the WireGuard (wg-quick) config add and remove the forwarding rules:

PostUp = iptables -A FORWARD -o mullvad -i enp1s0 -j ACCEPT && iptables -A FORWARD -i mullvad -o enp1s0 -j ACCEPT
PreDown = iptables -D FORWARD -o mullvad -i enp1s0 -j ACCEPT && iptables -D FORWARD -i mullvad -o enp1s0 -j ACCEPT

This allows forwarding between mullvad (VPN) and enp1s0 (HOME) only while the tunnel is up. Because the FORWARD policy is DROP, once PreDown removes the rules any LAN traffic routed through justine is dropped rather than sent out in the clear via caroline.

Docker

Allow traffic from Docker (Pi-hole) to leave with justine's IP when it is routed through the default HOME VLAN gateway (caroline), i.e. when the VPN is down, so that DNS keeps working:

# HOME gateway fallback (used if mullvad is stopped)
iptables -t nat -A POSTROUTING -s 172.17.1.0/24 -o enp1s0 -j MASQUERADE

Pi-hole uses Mullvad's public DNS server at 193.138.218.74, which is reachable both over the VPN and without it.

Mullvad transparently redirects (DNAT) any port 53 traffic going over the tunnel to its own DNS server to prevent DNS leaks. Running a local recursive resolver such as Unbound therefore makes no sense while the tunnel is up, since every DNS request ends up at Mullvad's server anyway.
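To check that the running firewall still matches the rules in the Routing, Mullvad and Docker sections above (FORWARD defaulting to DROP, both MASQUERADE rules onto the tunnel, the Docker fallback via enp1s0, and no FORWARD rule that lets HOME traffic out anywhere but the tunnel), here is an added audit script. It is example code written for this page, not part of justine's own setup; it parses iptables-save text, and the two dumps embedded in it are constructed samples modelled on the rules above, not captures from the box.

```python
"""Audit an iptables-save dump for the gateway invariants described on this page.

Added example (not justine's own tooling). Parses the text format of
`iptables-save`, so it also works on a live box:  iptables-save | python3 audit.py
"""
import shlex
import sys

# Names as they appear on this page.
LAN_IF, VPN_IF = "enp1s0", "mullvad"
LAN_NET, DOCKER_NET = "192.168.0.0/24", "172.17.1.0/24"

# Constructed dump: tunnel up, PostUp rules in place, fallback MASQUERADE present.
SAMPLE_UP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o mullvad -j MASQUERADE
-A POSTROUTING -s 172.17.1.0/24 -o mullvad -j MASQUERADE
-A POSTROUTING -s 172.17.1.0/24 -o enp1s0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i enp1s0 -o mullvad -j ACCEPT
-A FORWARD -i mullvad -o enp1s0 -j ACCEPT
COMMIT
"""

# Constructed dump of a misconfigured box: FORWARD defaults to ACCEPT, the Docker
# fallback is missing, and a stray rule forwards HOME traffic out any interface
# (i.e. in clear text via caroline once the tunnel is down).
SAMPLE_LEAKY = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o mullvad -j MASQUERADE
-A POSTROUTING -s 172.17.1.0/24 -o mullvad -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i enp1s0 -j ACCEPT
COMMIT
"""


def parse_iptables_save(dump):
    """Return {table: {"policy": {chain: policy}, "rules": [rule, ...]}}.

    A rule is a dict of its options (-s, -i, -o, -j, ...) plus "chain";
    a negated match ("! -i lo") is stored with a leading "!" on the value.
    """
    tables, table = {}, None
    for line in (l.strip() for l in dump.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and table is not None:
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A") and table is not None:
            tokens = shlex.split(line)
            rule, negate, i = {"chain": tokens[1]}, False, 2
            while i < len(tokens):
                tok = tokens[i]
                nxt = tokens[i + 1] if i + 1 < len(tokens) else None
                if tok == "!":
                    negate = True
                elif tok.startswith("-"):
                    if nxt is not None and nxt != "!" and not nxt.startswith("-"):
                        rule[tok], i = ("!" if negate else "") + nxt, i + 1
                    else:
                        rule[tok] = "!" if negate else ""  # bare flag, no value
                    negate = False
                i += 1
            table["rules"].append(rule)
    return tables


def _has(rules, chain, want):
    """True if some rule in `chain` carries every option/value pair in `want`."""
    return any(r["chain"] == chain and all(r.get(k) == v for k, v in want.items())
               for r in rules)


def audit(dump, lan_if=LAN_IF, vpn_if=VPN_IF, lan_net=LAN_NET, docker_net=DOCKER_NET):
    """Return a list of findings; an empty list means the dump matches the page's rules."""
    tables = parse_iptables_save(dump)
    nat = tables.get("nat", {"policy": {}, "rules": []})
    filt = tables.get("filter", {"policy": {}, "rules": []})
    findings = []
    # 1. FORWARD must default to DROP so the tunnel going down fails closed.
    policy = filt["policy"].get("FORWARD")
    if policy != "DROP":
        findings.append("FORWARD policy is %s, expected DROP" % policy)
    # 2. Both source networks are masqueraded onto the tunnel IP.
    for net in (lan_net, docker_net):
        if not _has(nat["rules"], "POSTROUTING", {"-s": net, "-o": vpn_if, "-j": "MASQUERADE"}):
            findings.append("no MASQUERADE for %s out %s" % (net, vpn_if))
    # 3. Docker fallback via the HOME gateway keeps Pi-hole's DNS working when the tunnel is down.
    if not _has(nat["rules"], "POSTROUTING", {"-s": docker_net, "-o": lan_if, "-j": "MASQUERADE"}):
        findings.append("no fallback MASQUERADE for %s out %s" % (docker_net, lan_if))
    # 4. HOME traffic may only be forwarded into the tunnel: an ACCEPT from lan_if
    #    that is not pinned to -o vpn_if is a clear-text path via caroline.
    for r in filt["rules"]:
        if (r["chain"] == "FORWARD" and r.get("-i") == lan_if
                and r.get("-j") == "ACCEPT" and r.get("-o") != vpn_if):
            findings.append("FORWARD accepts %s -> %s (leak path)" % (lan_if, r.get("-o", "any")))
    return findings


if __name__ == "__main__":
    # With a dump on stdin audit that; otherwise show what the misconfigured sample reports.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LEAKY
    for finding in audit(dump) or ["OK: rules match the page"]:
        print(finding)
```

Rules are compared as parsed option/value pairs rather than as strings, so the order in which iptables-save prints -s, -i and -o does not matter. Docker's own FORWARD entries (the DOCKER and DOCKER-USER chains) match on docker0, not enp1s0, so they do not trip the leak-path check.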

Local networks

Allow access to the other 192.168.x.0 local networks via caroline (the directly connected 192.168.0.0/24 still wins as the more specific route):

ip route add 192.168.0.0/16 dev enp1s0 via 192.168.0.1