Difference between revisions of "Pomo as OpenVPN server"
From Tech
Line 47: | Line 47: | ||
=openvpn= |
=openvpn= |
||
− | Using [https://play.google.com/store/apps/details?id=de.blinkt.openvpn openvpn android app]. This apparently doesn't work with the static config, but it does work with the TLS certificated generated by [http://wiki.debian.org/OpenVPN wiki.debian.org OpenVPN]. The certs are in |
+ | Using [https://play.google.com/store/apps/details?id=de.blinkt.openvpn openvpn android app]. This apparently doesn't work with the static config, but it does work with the TLS certificated generated by [http://wiki.debian.org/OpenVPN wiki.debian.org OpenVPN]. The certs are in <tt>/etc/openvpn</tt> on my nexus 7 |
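Review bot: the + line carries over the typo "TLS certificated generated" from the old revision; it should read "TLS certificates generated". The added text says the certs are in <tt>/etc/openvpn</tt> on the Nexus 7, but not which files are meant, so naming them would make the note easier to follow. The wiki.debian.org link is plain http and could be switched to https while this line is being edited.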
Latest revision as of 14:23, 26 December 2012
- using OpenVPN, see wiki.debian.org OpenVPN on how to set up
- For NAT, using iptables, and the script from debian-administration.org
iptables
For iptables, I'm using this /etc/init.d/iptables script:
 #!/bin/sh

 PATH=/usr/sbin:/sbin:/bin:/usr/bin

 EXT=eth0    # external interface
 INT=tun1    # internal interface (the tunnel)

 #
 # delete all existing rules (this runs for every action, including stop).
 #
 iptables -F
 iptables -t nat -F
 iptables -t mangle -F
 iptables -X

 case $1 in
   start|restart)
     # Always accept loopback traffic
     iptables -A INPUT -i lo -j ACCEPT

     # Allow established connections, and those not coming from the outside
     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     iptables -A INPUT -m state --state NEW ! -i $EXT -j ACCEPT
     iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

     # Allow outgoing connections from the LAN side.
     iptables -A FORWARD -i $INT -o $EXT -j ACCEPT

     # Masquerade.
     iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

     # Don't forward from the outside to the inside. Replies were already
     # accepted by the ESTABLISHED,RELATED rule above, so this only stops
     # new connections from $EXT to $INT.
     iptables -A FORWARD -i $EXT -o $INT -j REJECT

     # Enable routing.
     echo 1 > /proc/sys/net/ipv4/ip_forward
     ;;
   stop)
     # Disable routing.
     echo 0 > /proc/sys/net/ipv4/ip_forward
     ;;
 esac
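An added example, not part of the original page: a small checker that reads iptables-save-style text and reports what the filter FORWARD chain does to a NEW connection entering on one interface and leaving on another. It shows why the output interface on the final REJECT rule matters when the chain policy is ACCEPT. The function names, the two constructed rulesets and the simplified matching (only -i, -o and --state, no negation) are assumptions.

```shell
#!/bin/sh
# Added example. Simplified model: only -i, -o and --state are interpreted;
# negated matches ("! -i eth0") and user-defined chains are not handled.

# forward_verdict IN_IF OUT_IF < ruleset
# Prints the verdict for a NEW connection from IN_IF to OUT_IF.
forward_verdict() {
    awk -v src="$1" -v dst="$2" '
        $1 == "*filter"  { in_filter = 1; next }
        /^\*/            { in_filter = 0; next }
        !in_filter       { next }
        $1 == ":FORWARD" { policy = $2; next }
        $1 == "-A" && $2 == "FORWARD" && verdict == "" {
            in_if = out_if = state = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-o") out_if = $(i + 1)
                else if ($i == "--state") state = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (in_if != "" && in_if != src) next      # wrong input interface
            if (out_if != "" && out_if != dst) next    # wrong output interface
            if (state != "" && state !~ /(^|,)NEW(,|$)/) next  # not for NEW
            if (target ~ /^(ACCEPT|DROP|REJECT)$/) verdict = target
        }
        END { print (verdict != "" ? verdict : policy) }  # fall back to policy
    '
}

# Constructed sample: the REJECT rule matches eth0 -> eth0 only.
ruleset_hairpin_reject() {
    cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o tun1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Constructed sample: same rules, but the REJECT rule matches eth0 -> tun1.
ruleset_inbound_reject() {
    ruleset_hairpin_reject | sed 's/-o eth0 -j REJECT/-o tun1 -j REJECT/'
}

echo "reject on eth0->eth0: $(ruleset_hairpin_reject | forward_verdict eth0 tun1)"
echo "reject on eth0->tun1: $(ruleset_inbound_reject | forward_verdict eth0 tun1)"
```

On a live host the same function can be fed from `iptables-save` run as root.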
openvpn
Using openvpn android app. This apparently doesn't work with the static config, but it does work with the TLS certificates generated by wiki.debian.org OpenVPN. The certs are in /etc/openvpn on my Nexus 7.