VPN Wifi using Docker and CreateAp (Raspberry Pi)
Terms:
1. Network gateway: local computer (ethernet layer) that routes outgoing packets.
2. VPN hotspot: wireless network with outgoing packets through a VPN.
Synopsis: The challenge was to create a VPN hotspot on the Raspberry Pi 3 without affecting the networking of the existing services. My solution was to create a network gateway inside a Docker container and route the WiFi traffic to that gateway from the RPI host OS.
In an ideal world it should have been easy: just open the tunnel interface with OpenVPN and route traffic from the WiFi subnet through the VPN gateway route. However, I am using a consumer VPN that doesn't have static routes (OpenVPN pulls new routing information with each connection), which leads to the obvious thought: why not create a local network VPN gateway inside a container?
This way, if the VPN dies, the container won't route through the normal internet (due to iptables masquerade).
One disappointment is that, due to the Raspberry Pi 3 WiFi drivers, it isn't possible to pass control of the WiFi adapter to the container in order to host the WiFi itself (the entirety of it could have been self-contained).
Part 1: Creating the container
This will require you to use Windscribe and have your credentials easily accessible (you could easily change the script).
Create directory vpngateway with the Dockerfile and type:
docker build vpngateway -t chris:vpngateway
After that run it with:
docker run -itd --name vpngateway --restart unless-stopped --privileged chris:vpngateway
ip route add 46.101.9.128 via DOCKERIP
Part 2: Routing only Wifi traffic through the local network gateway
Now we need to start the WiFi. You will need to download create_ap (make sure you have the dependencies dnsmasq and iptables).
Start create_ap
create_ap wlan0 eth0 vpnhotspot --no-dnsmasq
echo "10 vpn" >> /etc/iproute2/rt_tables
/bin/ip rule add from 192.168.12.0/24 table vpn
/bin/ip route add default via 172.17.0.2 table vpn
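A check for the Part 2 policy routing, added here as an example and not part of the original post: it reads the output of ip rule show and ip route show table vpn and reports whether hotspot traffic can continue on to the main routing table, which is what the kernel does when table vpn holds no matching route. The function name, the sample output and the suggested unreachable fallback route are assumptions; the subnet, gateway address and table name are the ones used above.

```shell
#!/bin/sh
# Added example: audits the Part 2 policy routing from `ip` output.
HOTSPOT_NET="192.168.12.0/24"  # hotspot subnet from the page's ip rule
GATEWAY_IP="172.17.0.2"        # container address from the page's ip route
TABLE="vpn"                    # table name the page adds to rt_tables

# audit_vpn_routing RULES ROUTES   (hypothetical helper name)
#   RULES  = output of `ip rule show`
#   ROUTES = output of `ip route show table vpn`
# Prints one verdict line. Returns 0 when hotspot traffic is pinned to the
# gateway with a reject fallback, 1 when it can leak, 2 when no fallback.
audit_vpn_routing() {
    rules=$1
    routes=$2
    if ! printf '%s\n' "$rules" | awk -v net="$HOTSPOT_NET" -v tbl="$TABLE" '
            $2 == "from" && $3 == net && $4 == "lookup" && $5 == tbl { ok = 1 }
            END { exit !ok }'; then
        echo "LEAK: no rule sends $HOTSPOT_NET to table $TABLE"; return 1
    fi
    if ! printf '%s\n' "$routes" | awk -v gw="$GATEWAY_IP" '
            $1 == "default" && $2 == "via" && $3 == gw { ok = 1 }
            END { exit !ok }'; then
        echo "LEAK: table $TABLE has no default via $GATEWAY_IP"; return 1
    fi
    # Assumption (not on the page): a higher-metric reject route such as
    #   ip route add unreachable default metric 100 table vpn
    # stops lookups continuing to the main table if the first route is removed.
    if ! printf '%s\n' "$routes" | awk '
            ($1 == "unreachable" || $1 == "blackhole" || $1 == "prohibit") &&
            $2 == "default" { ok = 1 }
            END { exit !ok }'; then
        echo "WARN: no fail-closed fallback in table $TABLE"; return 2
    fi
    echo "OK: $HOTSPOT_NET is pinned to $GATEWAY_IP"
}

# Constructed sample output (not captured from the author's Pi).
SAMPLE_RULES='0: from all lookup local
32765: from 192.168.12.0/24 lookup vpn
32766: from all lookup main
32767: from all lookup default'
SAMPLE_ROUTES='default via 172.17.0.2 dev docker0
unreachable default metric 100'

# On a live host: audit_vpn_routing "$(ip rule show)" "$(ip route show table vpn)"
audit_vpn_routing "$SAMPLE_RULES" "$SAMPLE_ROUTES"
```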