Easily create a VPN Gateway with a Raspberry Pi (or similar board)

I don't have an OpenVPN-capable router, but I needed to create an always-on openvpn CLIENT that would connect to my VPN service, so that it could be used as a gateway for other devices in my LAN. Using this gateway to access the internet, the internet traffic of those devices would be protected by the secure VPN connection.

I've looked around and I have found a great tutorial to achieve this: it was written by Superjamie for the Raspberry Pi and you can find it here.

Unfortunately I didn't have a Raspberry Pi available at the time, so I thought it would be interesting to do the same for what board I had available, which was an Orange Pi Zero.

I used DietPi as the base operating system for this project, and tried following Superjamie's tutorial, but since it didn't work on my Orange Pi / DietPi combo, I made a few adjustments, which I share with you here.
All credits for this still go to Superjamie, because that's where all the huge work comes from.

Please follow Superjamie's tutorial (again, you can find it here) with the following exceptions:

1. Install DietPi instead of Raspbian Jessie
2. Since DietPi's user already has root capabilities, you should write any commands from Superjamie's tutorial without typing the 'sudo' at the beginning of the command.
3. I've found out that the section of the tutorial called "Enable VPN at boot" was useless and harmful, as it would prevent OpenVPN to be launched correctly, therefore it must be skipped.
4. The VPN Kill Switch section of the tutorial didn't work for me. I have found out that it had to be modified a little bit to make it work, so I'm re-writing it below, in a version that makes it work:

VPN KILL SWITCH 

This will block outbound traffic from the Pi so that only the VPN and related services are allowed.
Once this is done, the only way the Pi can get to the internet is over the VPN.
This means if the VPN goes down, your traffic will just stop working, rather than end up routing over your regular internet connection where it could become visible.

[Note by Tech Delirium: please adjust IP addresses by using the correct ones for your network and the port numbers by checking the ports used by your VPN service]

iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -j DROP
iptables -I FORWARD -i eth0 ! -o tun0 -j DROP

[Note by Tech Delirium: Superjamie's tutorial didn't work for me, but adding the last line above does the trick and makes the kill-switch work]

And save so they apply at reboot:

sudo netfilter-persistent save

If you find traffic on your other systems stops, then look on the Pi to see if the VPN is up or not.

You can check the status and logs of the VPN client with:

sudo systemctl status openvpn@Japan
sudo journalctl -u openvpn@Japan

That's it! Now the board will connect to your VPN service at startup and if you set up you devices to use the Pi's as their gateway, that device's internet traffic will be tunneled via the VPN and will be protected. If the connection to the VPN service goes down, NO TRAFFIC will be allowed through, so you will have no leaks.