by jiml8 » Oct 18th, '20, 03:34
I am doing something substantially similar to what you want to do, though I put together a dedicated system (running on a Raspberry Pi) to do it. My system, on startup, configures itself and starts the VPN all through systemd. It normally runs headless, though I usually have an SSH connection to it from my workstation.
All devices on my LAN that I want to go through the VPN will be given the Raspberry Pi's network address as the gateway to use and thus their traffic automatically goes to the VPN. If the VPN should go down, all internet connectivity for those devices is lost; therefore I don't have any inadvertent leaks to the internet.
My phone uses this system, accessing it via my in-house wifi hotspot. The Raspberry Pi has a built-in wifi, so it could be used for this purpose. I have the Raspberry Pi's wifi disabled because I am not using it.
Actually, I have 2 of these VPN gateways set up. One is on my LAN and the other is on my IoT VLAN. The one on the IoT VLAN exists primarily to prevent my smart TV from spying on me and, in conjunction with my local DNS server (running on another Raspberry Pi), I keep my TV from selling me out. That RPI also has a firewall configuration to block DNS over HTTPS connections, which are being used more and more to spy from IoT devices.
If you like, I can post the various scripts used to configure this here. The RPI devices are all running a variant of Debian, so the setup is not identical to what it would be on a Mageia system. Also, there are several different scripts to make it all work, and many people would find the setup to be daunting.
It does, however, work quite well as an unattended appliance on my network. I use SSH to keep an eye on it just because, and to occasionally restart the VPN or point it at a different target. I am using a commercial VPN service, specifically ProtonVPN, so some of the setup is specific to that provider. That, however, is the minor portion of the setup; I could change providers without any particular trouble.
So, if you or anyone else wants to see the scripts, just say so and I'll go to the trouble to copy them over and explain them.
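
The fail-closed gateway and DNS-over-HTTPS blocking described in the post above, sketched as an nftables ruleset. This is an added example, not jiml8's scripts (which are not posted here). The interface names `eth0` and `tun0`, the subnet `192.168.1.0/24` and the short resolver list are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: fail-closed forwarding for a one-armed VPN gateway.
# Assumptions (not from the post): LAN on eth0, VPN tunnel on tun0,
# clients in 192.168.1.0/24. IP forwarding must already be enabled
# (sysctl net.ipv4.ip_forward=1).

define LAN_IF  = "eth0"
define VPN_IF  = "tun0"
define LAN_NET = 192.168.1.0/24

table inet vpngw {
    # Illustrative, incomplete list of well-known public resolvers
    # that also answer DNS over HTTPS on port 443. A real deployment
    # needs a maintained list.
    set doh_resolvers {
        type ipv4_addr
        elements = { 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4, 9.9.9.9 }
    }

    chain forward {
        # Default drop: anything not explicitly allowed below is not
        # forwarded. The inet family covers IPv6 as well, so there is
        # no IPv6 path around the tunnel.
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that were already allowed.
        ct state established,related accept

        # Refuse DoH to the listed resolvers so clients fall back to
        # the DNS server handed out on the LAN.
        ip daddr @doh_resolvers tcp dport 443 counter reject with tcp reset

        # The only forwarding path: LAN clients out through the tunnel.
        # If tun0 goes down its routes disappear, packets would leave
        # via eth0 instead, and the drop policy stops them.
        iifname $LAN_IF oifname $VPN_IF ip saddr $LAN_NET counter accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Clients share the tunnel's address on the VPN side.
        oifname $VPN_IF masquerade
    }
}
```

The ruleset can be syntax-checked without loading it using `nft -c -f <file>`; after loading, `nft list table inet vpngw` shows the counters on the reject and accept rules.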