Wireguard VPN Split Tunnel Script

I just thought I would share a script I’ve created and been using for a while now on IPFire, in the event it’s useful to someone else.

The background is that I’ve wanted for a while now to move the connection for the VPN I was using from the individual devices themselves to my IPFire-based firewall, and then have certain devices talk to the internet over the VPN tunnel while other devices go out over the standard WAN connection.

To my knowledge, by default IPFire does not support this, and implements Roadwarrior and Net-to-Net style configurations only (which both work very well in my experience).

I’ve always liked the idea of putting privacy-hostile devices like Windows 11 machines, Smart TVs and Android/iOS devices on a VPN and removing their control of the VPN. There are also certain things I would not want on the VPN, like a laptop from my employer talking to their corporate VPN server when I work from home.

That’s where this script comes in. It’s actually based on the approach linked at the end of this thread:

I’ve expanded it to add the following:

  • Take the Config File from the VPN Provider and use it directly with no edits
  • Exclude certain devices from the VPN Connection
  • Restrict DNS queries through the tunnel to certain trusted IPs (I have a custom Bind9 server on my home network that I use for all our DNS needs, for instance)
  • Route the IPFire’s DNS requests into the VPN tunnel if one is using IPFire’s Unbound implementation.
  • I’ve also enabled it to run on startup and be stopped on shutdown/reboot of the Firewall.

The script brings up a new Wireguard interface using the VPN provider’s configuration, adds the necessary firewall rules through IPFire’s custom chains (CUSTOMFORWARD, CUSTOMPOSTROUTING, CUSTOMINPUT, CUSTOMOUTPUT), and sets up Policy Based Routing rules to put certain devices on the VPN connection and have certain others excluded.

I’ve put it on Github here along with notes and instructions:

Hopefully the script is of use to someone here! I’ve been using it with Mullvad’s servers for a while now, and it’s been working well for me. I would also be curious to hear from the IPFire team themselves whether this is the best way to go about implementing this.
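For readers who want to see the mechanics described above (policy routing plus rules in IPFire’s custom chains) in one place, here is a small added example written for this page; it is not the author’s script and not IPFire code. The interface name wgvpn0, routing table 100, the resolver address and the host lists are assumed or constructed, and the tunnel itself is assumed to already be up (for example via wg-quick with Table=off so it does not install its own routes).

```shell
#!/bin/sh
# Added example in the spirit of the post, not the author's script: emits the policy
# routing and IPFire custom-chain rules that force chosen LAN hosts through a
# WireGuard tunnel, keep others on the WAN, and pin tunnel DNS to one resolver.
WG_IF="wgvpn0"             # assumed tunnel interface (already up, routes not installed)
VPN_TABLE="100"            # assumed policy-routing table id
LAN_IF="green0"            # IPFire green (LAN) interface
WAN_IF="red0"              # IPFire red (WAN) interface
TRUSTED_DNS="192.168.1.2"  # constructed: the only resolver reachable through the tunnel
VPN_HOSTS="192.168.1.20 192.168.1.21"  # constructed: devices forced onto the tunnel
EXCLUDED_HOSTS="192.168.1.50"          # constructed: devices that must never use it

# Policy-based routing: excluded hosts are pinned to the main table at a lower
# preference number (evaluated first); VPN hosts use a table whose only default
# route is the tunnel, so they cannot silently fall back to the WAN.
pbr_rules() {
  printf 'ip route replace default dev %s table %s\n' "$WG_IF" "$VPN_TABLE"
  for h in $EXCLUDED_HOSTS; do
    printf 'ip rule add from %s lookup main pref 90\n' "$h"
  done
  for h in $VPN_HOSTS; do
    printf 'ip rule add from %s lookup %s pref 100\n' "$h" "$VPN_TABLE"
  done
}

# Firewall rules in IPFire's custom chains. Order matters: the DNS restriction and
# the WAN leak guard are appended before the general LAN-to-tunnel accept.
fw_rules() {
  for p in udp tcp; do   # DNS through the tunnel only to the trusted resolver
    printf 'iptables -A CUSTOMFORWARD -i %s -o %s -p %s --dport 53 ! -d %s -j DROP\n' \
      "$LAN_IF" "$WG_IF" "$p" "$TRUSTED_DNS"
  done
  for h in $VPN_HOSTS; do  # kill switch: VPN hosts never leave via the WAN interface
    printf 'iptables -A CUSTOMFORWARD -s %s -o %s -j DROP\n' "$h" "$WAN_IF"
  done
  printf 'iptables -A CUSTOMFORWARD -i %s -o %s -j ACCEPT\n' "$LAN_IF" "$WG_IF"
  printf 'iptables -A CUSTOMFORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$WG_IF" "$LAN_IF"
  printf 'iptables -t nat -A CUSTOMPOSTROUTING -o %s -j MASQUERADE\n' "$WG_IF"
  # the firewall itself may use the tunnel (e.g. Unbound), but nothing unsolicited comes in
  printf 'iptables -A CUSTOMOUTPUT -o %s -j ACCEPT\n' "$WG_IF"
  printf 'iptables -A CUSTOMINPUT -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$WG_IF"
}

# "show" (default) prints the commands for review; "apply" executes them as root on IPFire.
case "${1:-show}" in
  apply) { pbr_rules; fw_rules; } | sh -e ;;
  *)     pbr_rules; fw_rules ;;
esac
```

Running it without arguments prints the rule set so it can be checked before anything touches the firewall.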