@psammarco
Last active June 8, 2020 10:09
AlpineLinux OpenVPN router setup
In this guide I will be assuming you have an AlpineLinux client which connects to an OpenVPN server, and you want to NAT its traffic through a network interface which will act as the gateway for another subnet.
Keep in mind this is a basic setup and you will need to edit things according to your configuration and needs. But all in all, it should work!
1. Install the openvpn client, the isc-dhcp-server and iptables
# apk update && apk add openvpn dhcp-server-vanilla iptables
2. Load the tun module and add it to /etc/modules
# modprobe tun
# echo "tun" >> /etc/modules
3. Enable traffic forwarding
# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# sysctl -p
4. Rename your .ovpn client config file to something-de4-udp53.conf and move it to /etc/openvpn/
5. Assuming you authenticate with the OpenVPN server through a password,
you want to create a .txt file and store your password there (yes, not safe at all but I don't care), and add the following to something-de4-udp53.conf
>>>
auth-user-pass /etc/openvpn/something-pass.txt
<<<
6. Still in something-de4-udp53.conf, you also want to add the default gateway redirection option.
NB: If the server is not set up to function as your client's default gateway, this won't work.
>>>
redirect-gateway def1
<<<
7. Connect with the OpenVPN server at boot
# ln -s /etc/init.d/openvpn /etc/init.d/openvpn.something-de4-udp53
8. Enable the VPN service, the ISC DHCP server, syslog and iptables to start at boot
# rc-update add iptables default
# rc-update add dhcpd default
# rc-update add syslog boot
# rc-update add openvpn.something-de4-udp53 default
9. Start the VPN
# rc-service openvpn.something-de4-udp53 start
10. Onto the network side. I will assume eth2 is the interface whose traffic we will be routing through the VPN. Add the following to /etc/network/interfaces
>>>
auto eth2
iface eth2 inet static
address 10.10.0.1
netmask 255.255.255.0
<<<
11. Add the following to /etc/dhcp/dhcpd.conf
>>>
# dhcpd.conf
#
# This is a basic setup; for more info check /etc/dhcp/dhcpd.conf.example or the ISC DHCP server man pages.
# This is an authoritative DHCP server. If a DHCP client is either misconfigured or is doing
# something it isn't supposed to do, it will fail to obtain an IP until the next lease!
authoritative;
log-facility local0;
subnet 10.10.0.0 netmask 255.255.255.0 {
range 10.10.0.100 10.10.0.160;
option domain-name-servers 10.10.0.1, 8.8.8.8, 8.8.4.4;
option routers 10.10.0.1;
default-lease-time 3600;
max-lease-time 21600;
}
<<<
12. Configure syslog to write the ISC DHCP server's messages (facility local0) to their own log file
# echo "local0.debug /var/log/dhcpd.log" >> /etc/syslog.conf
13. Start the ISC DHCP server, syslog and iptables
# rc-service dhcpd start
# rc-service syslog start
# rc-service iptables start
14. Lastly, the firewall. I will assume that the VPN interface is tun0 and that we will be forwarding traffic to and from eth2
# iptables -t nat -I POSTROUTING 1 -o tun0 -j MASQUERADE
# iptables -I FORWARD 1 -i tun0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -I FORWARD 1 -i eth2 -o tun0 -j ACCEPT
15. Save the firewall rules so that they are loaded at boot time alongside the rest
# /etc/init.d/iptables save
If all went well, and your setup is similar to the one described here, the clients connecting through eth2 will now be routed through the VPN.
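As an added example (not part of the gist), here is a small sanity script that verifies the end state of steps 3, 5, 6 and 14 above. It assumes the gist's names (tun0, eth2, /etc/openvpn/something-pass.txt) and that iptables-save and ip are available on the router; the checks read their input from stdin so they can also be run offline against the constructed iptables-save sample embedded below.

```shell
#!/bin/sh
# Post-setup check for the router built above (added example, not from the gist).
# Each check reads its input from stdin or an argument so it runs offline on
# constructed data, and on the live router with --live.
VPN_IF="${VPN_IF:-tun0}"                              # names assumed from the gist
LAN_IF="${LAN_IF:-eth2}"
PASS_FILE="${PASS_FILE:-/etc/openvpn/something-pass.txt}"

# Step 3: /proc/sys/net/ipv4/ip_forward must read 1.
check_ip_forward() { [ "$(cat)" = "1" ]; }

# Step 14: the MASQUERADE rule and both FORWARD rules must be loaded.
# Input: iptables-save output; both the -m state and -m conntrack renderings pass.
check_nat_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -qF -- "-A POSTROUTING -o $VPN_IF -j MASQUERADE" || return 1
    printf '%s\n' "$rules" | grep -qF -- "-A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -qE -- \
        "-A FORWARD -i $VPN_IF -o $LAN_IF -m (state --state|conntrack --ctstate) RELATED,ESTABLISHED -j ACCEPT"
}

# Step 6: outbound traffic must leave via the VPN. Input: 'ip route get <public ip>' output.
check_egress_route() { grep -qw "dev $VPN_IF"; }

# Step 5: the plaintext password file should be mode 600 (readable by root only).
check_pass_file_perms() { [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]; }

# Constructed iptables-save output matching the rules from step 14 (not captured from a real box).
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth2 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; return 1; fi; }

live_checks() {
    rc=0
    report check_ip_forward < /proc/sys/net/ipv4/ip_forward || rc=1
    iptables-save | report check_nat_rules || rc=1
    ip route get 1.1.1.1 | report check_egress_route || rc=1
    report check_pass_file_perms "$PASS_FILE" || rc=1
    return $rc
}

if [ "${1:-}" = "--live" ]; then live_checks; else printf '%s\n' "$SAMPLE_RULES" | report check_nat_rules; fi
```

Run it as `sh vpn-router-check.sh --live` on the router; without `--live` it only exercises the rule check against the embedded sample.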
@psammarco (Author)

Replaced the default Alpine DHCP server with the ISC DHCP server and added the syslog configuration.
