VPN access on my local network - sharing VPN with failsafe (iptables) plus SSH (in) and samba server access (out) on LAN

Cancelled Posted Aug 23, 2013 Paid on delivery

Please load up the diagram from this pastebin before trying to understand the explanation below: [login to view URL] (it doesn't post correctly in freelancer).

I'm running Ubuntu 12.04 and I have a laptop plus 2-4 physical server machines plus KVM VMs on the local network. I need someone to show me how to set up sharing of my office VPN connection in a safe way on a local server at home, specifically:

1) Secure OpenVPN connection from my local server (e.g. [login to view URL]) to a remote server (10.8.0.x - remote server that I do not control, runs VPN on tun, not tap) -> tested and works

2) Sharing the local server ([login to view URL])'s VPN connection (10.8.0.x) with other computers (including KVM virtual machines) on the local network (192.168.0.x)

3) Ensuring that specific other computers on the network (192.168.0.x) *only* have connectivity via the VPN(10.8.0.x), i.e. when the VPN connection drops / goes down, they are not exposed to the raw internet (they *only* have access to the internet via the connection to the remote VPN network 10.8.0.x).

4) Ensuring that the blocking of access to the outside world is "failsafe", e.g. if the command "sudo iptables -F" was run on the local server ([login to view URL]), the other local machines (192.168.0.x) would *still* not be able to use the local server's internet access if the local server was not connected to the VPN (10.8.0.x). The local machines would only be able to access other local machines (192.168.0.x to 192.168.0.x). For this to work the rules should be forwarding rules that enable access when the VPN is connected, not blocking rules that disable access when the VPN is disconnected (i.e. it needs to be failsafe).

I'm not sure whether the local machines need to be on a different subnet. I'm also not sure which machine or machines should perform the function of the DHCP server ([login to view URL] is the gateway router).

The output I require is the list of commands that set this up (from a clean 12.04 install with KVM virtual machines installed).

This project was posted some time ago, but some issues have been discovered (probably due to my inadvertent changing of a setting, but could be due to a solution that didn't quite work properly in the first place; it is unclear). Micro project selected because it is "almost working" already.

Linux Training

Project ID: #4854990
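A sketch of the fail-closed design that requirements 3 and 4 describe, as an added example that is not part of the original posting or of any delivered solution. It assumes eth0 is the LAN interface, tun0 the OpenVPN tun device, 192.168.0.0/24 the LAN, routing table 100 is free, and the protected machines use this server as their default gateway; by default it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the posting. Assumed names: eth0 (LAN), tun0 (OpenVPN tun),
# 192.168.0.0/24 (LAN), routing table 100. Clients use this host as default gateway.
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
TABLE="${TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

vpn_gateway_rules() {
    # Layer 1: default-deny forwarding. "iptables -F" deletes rules but keeps chain
    # policies, so after a flush the ACCEPT rules are gone and the DROP policy remains.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
    # Layer 2: policy routing, independent of iptables. Only packets forwarded in from
    # the LAN (iif) use this table, so the server's own OpenVPN transport is unaffected.
    run ip rule add from "$LAN_NET" iif "$LAN_IF" lookup "$TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    # Fallback when no VPN route exists: reject instead of using the main table.
    run ip route add unreachable default metric 1000 table "$TABLE"
    run sysctl -w net.ipv4.ip_forward=1
}

vpn_up_route() {
    # Run when the tunnel comes up (for example from an OpenVPN route-up script).
    # The kernel removes this route when tun0 disappears, leaving only "unreachable".
    run ip route replace default dev "$VPN_IF" metric 10 table "$TABLE"
}

case "${1:-setup}" in
    setup)  vpn_gateway_rules ;;
    vpn-up) vpn_up_route ;;
esac
```

This only constrains traffic that is actually routed through the server; a machine on the same subnet that points its default gateway at the real router is not covered by these rules.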

About the project

2 proposals Remote project Active Dec 17, 2013

2 freelancers are bidding on average £87 for this job

itamarjp

I can set it up

£44 GBP in 4 days
(77 Reviews)
5.7
LinuxScript

Ready to start working on your project.

£130 GBP in 10 days
(11 Reviews)
4.6