VPN Chaining

anonimou
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 14, 2017 5:45 pm

VPN Chaining

Post by anonimou » Mon Aug 14, 2017 6:59 pm

I'm wanting to tunnel two VPNs, using OpenVPN. So, the client would connect to the first VPN and would be redirected to the second VPN. (These are all VPSs; I don't have physical access to them, which will be important a little later.)

So, here is the picture:

Image

The server configuration is a pretty standard configuration:


port 1194
auth-user-pass-verify /etc/openvpn/script/login.py via-env
username-as-common-name
script-security 3
proto udp
dev tun
duplicate-cn
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
# (10.8.100.0 in VPN2)
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
The client configuration is also pretty standard:


client
dev tun
auth-user-pass login.txt
proto udp
sndbuf 0
rcvbuf 0
# (186.186.186.186 for VPN2)
remote 45.55.45.55 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
key-direction 1
verb 3
So, in order to achieve the VPN chaining, I'm connecting to VPN1 straightforwardly.


openvpn --config toOpenVPN1.ovpn
If I connect like this from VPN1 to VPN2, I get locked out of the VPN1 server, as all the traffic gets redirected to VPN2 and VPN1's public IP is set to VPN2's. So, I reject the pushed route coming from the second VPN with the --route-nopull option.


openvpn --config toOpenVPN2.ovpn --route-nopull
So, this connects fine. I have traffic coming from localhost to VPN1 and my public IP is VPN1's. I've also assigned IPs to the tunX interfaces. However, there is still no traffic coming from localhost (client) to VPN2. I have to create the routes to get this to work, and that's where I'm failing.

As the client doesn't have to care whether its traffic is being redirected to another location, I'm assuming that no configuration or iptables rules need to be done on its side (client). The same goes for the VPN2 server, which doesn't need to know whether the traffic is coming from VPN1 or from other peers. So, all I have to set up is VPN1's configuration.

First of all, I will set iptables rules, as follows. This will just allow the traffic to pass.


iptables -A INPUT -i tun1 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun1 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o tun1 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -m multiport --dports 6880:7000 -j DROP
iptables -A FORWARD -i tun1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -d 10.8.100.0/24 -i tun0 -o tun1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -s 10.8.100.0/24 -d 10.8.0.0/24 -i tun1 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
Now, I have to create the routes so one peer can see the others:


route add 0.0.0.0/0 dev tun0
route add 0.0.0.0/0 dev tun1
### route from the first tunnel, through the client's IP
route add -net 10.8.0.0/24 gw 10.8.0.2 dev tun0
### same for the 2nd
route add -net 10.8.100.0/24 gw 10.8.100.1 dev tun1
### route all the traffic to the 2nd VPN
### end server's IP and internet's gateway
route add 186.186.186.186 gw 45.55.45.1
### got locked out of VPN1 server after this one
route add default gw 10.8.100.1 dev tun1
So, either I'm creating wrong routes or the iptables rules are not set up correctly, but I can't get traffic coming from one client to the second VPN. And after many tries, I always keep getting locked out of VPN1.

What would a correct set of routes for VPN1 be? Could anyone help me?

TinCanTech
OpenVPN Protagonist
Posts: 3347
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN Chaining

Post by TinCanTech » Mon Aug 14, 2017 7:39 pm

OpenVPN cannot do a chain like this; you must use policy based routing (iptables).

anonimou
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 14, 2017 5:45 pm

Re: VPN Chaining

Post by anonimou » Mon Aug 14, 2017 8:38 pm

@TinCanTech, not sure if I understood correctly, but that's exactly what I'm trying to do.

The client on VPN1 wouldn't be connected to the server on the same host machine. The traffic would be forwarded from tun0 to tun1.

MikeHat
OpenVpn Newbie
Posts: 1
Joined: Wed Aug 16, 2017 6:34 am

Re: VPN Chaining

Post by MikeHat » Wed Aug 16, 2017 6:37 am

If you get this working please share how you did it. Sounds like something I'd like to do with OpenVPN and pfSense

anonimou
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 14, 2017 5:45 pm

Re: VPN Chaining

Post by anonimou » Fri Sep 15, 2017 1:56 pm

MikeHat, as TinCanTech pointed out, it was really just a matter of having set the right iptables rules.

The VPN 1 server is running both a server instance and a client instance. The traffic is being redirected with "ip route" command and "iptables".

If you need any help, PM me.

klanimantsi
OpenVPN User
Posts: 13
Joined: Mon Sep 04, 2017 9:00 am

Re: VPN Chaining

Post by klanimantsi » Tue Sep 19, 2017 9:44 am

I'm pretty sure OpenVPN can't chain like this.

Ramathorn
OpenVpn Newbie
Posts: 3
Joined: Sat Oct 28, 2017 8:00 pm

Re: VPN Chaining

Post by Ramathorn » Tue Oct 31, 2017 12:00 pm

Did anyone find a solution to this?

Ramathorn
OpenVpn Newbie
Posts: 3
Joined: Sat Oct 28, 2017 8:00 pm

Re: VPN Chaining

Post by Ramathorn » Wed Nov 01, 2017 1:05 am

I am having the exact same issue as anonimou. So far the routing tables haven't been enough to force the traffic through tun1. It keeps going through eth0 despite changing default gateways, marking traffic from the tun0 subnet and setting a new default gateway, changing the -o interface to tun1 in /etc/ufw/before.rules, etc. Any insight would be helpful. I've started migrating towards policy based routing but still no success.

t.snoball
OpenVpn Newbie
Posts: 2
Joined: Sun Nov 05, 2017 9:51 pm

Re: VPN Chaining

Post by t.snoball » Mon Nov 06, 2017 2:48 am

Ramathorn - did you find a fix? I'm struggling through this same issue. I'm at the point anonimou last posted about where just when I get to something that I think should work, I end up locked out of VPN1. Any luck?

t.snoball
OpenVpn Newbie
Posts: 2
Joined: Sun Nov 05, 2017 9:51 pm

Re: VPN Chaining

Post by t.snoball » Sun Nov 12, 2017 2:50 am

So I just got this to work tonight after some advice from forum user Traffic (awesome guy) to Google search for "OpenVPN and policy-based routing". This brought up several pages, but the best one was here:
https://airvpn.org/topic/12774-tutorial ... rotection/

Also - the tables here helped me understand just how the various iptables chains and rules are processed in order:
http://www.iptables.info/en/structure-of-iptables.html

I read several other pages and the iptables manual in order to understand it enough to stumble through it all.

I still have to manually add one route entry as I'm setting this up each time, but will try and post a guide for how to set this up once I get this last problem scripted. The short version of how I got it to work is: combine iptables (using the mangle table to mark packets) with policy-based routing applied through user-defined routing tables, ip rules that recognize marked packets and route them to the right table, and ip routes.

dfcs
OpenVpn Newbie
Posts: 1
Joined: Mon Nov 27, 2017 7:03 am

Re: VPN Chaining

Post by dfcs » Mon Nov 27, 2017 7:05 am

VPN1 needs:


iptables -A FORWARD -s 10.8.100.0/24 -j ACCEPT
iptables -A FORWARD -d 10.8.100.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.100.0/24 -j SNAT --to-source 10.8.0.2
ip route add default via 10.8.0.2 table 120
ip rule add from 10.8.100.0/24 table 120
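Added example, not code from any poster in this thread: a script that turns dfcs's five-line recipe above, and the failed route/iptables attempt in the original post, into one reproducible setup for the VPN1 box. It uses the original poster's layout (tun0 is VPN1's server instance serving 10.8.0.0/24, tun1 is VPN1's client instance to VPN2 whose far end is 10.8.100.1), whereas dfcs's numbering puts the client subnet at 10.8.100.0/24; the variables at the top let you use either. VPN1's own address on tun1 (10.8.100.2), the rule priority (1000) and the function names are assumptions of this example; table 120 is the number dfcs used. The point it demonstrates is why the `ip rule ... from <subnet>` selector avoids the lockout the thread describes: only packets sourced from the client subnet consult the table whose default route is the VPN2 tunnel, while the main table, and with it the SSH session and the OpenVPN server socket on eth0, stays untouched. By default the script only prints the commands; `apply` executes them and `teardown` reverses them without a reboot.

```shell
#!/bin/sh
# Added example (not from the thread): policy-based routing for the VPN1 hop.
# Prints the commands by default; executes them only with "apply"/"teardown".
#
# Roles, using the original poster's addressing:
#   tun0  VPN1's server instance; its clients live in 10.8.0.0/24
#   tun1  VPN1's client instance toward VPN2; the far end is 10.8.100.1
# Assumptions not taken from the thread: VPN1's own address on tun1
# (10.8.100.2) and the rule priority (1000). Table 120 is dfcs's number.
CLIENT_SUBNET="${CLIENT_SUBNET:-10.8.0.0/24}"
CLIENT_IF="${CLIENT_IF:-tun0}"
UPLINK_IF="${UPLINK_IF:-tun1}"
UPLINK_GW="${UPLINK_GW:-10.8.100.1}"
UPLINK_SRC="${UPLINK_SRC:-10.8.100.2}"
TABLE="${TABLE:-120}"
PRIO="${PRIO:-1000}"

# Print the command (dry run) or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Install the rules. Nothing here touches the main routing table, so VPN1's
# own SSH session and its OpenVPN server socket keep using eth0. That is the
# difference from "route add default gw ... dev tun1", which moved that
# traffic into the tunnel and caused the lockout described in the thread.
chain_rules() {
    # Forward only the client subnet into the uplink, and only replies back.
    run iptables -A FORWARD -i "$CLIENT_IF" -o "$UPLINK_IF" -s "$CLIENT_SUBNET" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK_IF" -o "$CLIENT_IF" -d "$CLIENT_SUBNET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the client source to VPN1's tunnel address: VPN2 knows nothing
    # about 10.8.0.0/24, so without SNAT its replies would have no route back.
    run iptables -t nat -A POSTROUTING -s "$CLIENT_SUBNET" -o "$UPLINK_IF" \
        -j SNAT --to-source "$UPLINK_SRC"
    # A separate table whose only default route is the VPN2 tunnel...
    run ip route replace default via "$UPLINK_GW" dev "$UPLINK_IF" table "$TABLE"
    # ...consulted only for packets sourced from the client subnet.
    run ip rule add from "$CLIENT_SUBNET" lookup "$TABLE" priority "$PRIO"
}

# Undo in reverse order; handy for recovering without rebooting the VPS.
teardown() {
    run ip rule del from "$CLIENT_SUBNET" lookup "$TABLE" priority "$PRIO"
    run ip route del default via "$UPLINK_GW" dev "$UPLINK_IF" table "$TABLE"
    run iptables -t nat -D POSTROUTING -s "$CLIENT_SUBNET" -o "$UPLINK_IF" \
        -j SNAT --to-source "$UPLINK_SRC"
    run iptables -D FORWARD -i "$UPLINK_IF" -o "$CLIENT_IF" -d "$CLIENT_SUBNET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$CLIENT_IF" -o "$UPLINK_IF" -s "$CLIENT_SUBNET" -j ACCEPT
}

case "${1:-}" in
    show)     chain_rules ;;
    apply)    APPLY=1; chain_rules ;;
    teardown) APPLY=1; teardown ;;
esac
```

`sh chain.sh show` prints what would run; `sudo sh chain.sh apply` installs it. Two prerequisites from the thread still apply: `net.ipv4.ip_forward` must be 1 on VPN1, and the client instance toward VPN2 must keep `--route-nopull`, otherwise the pushed `redirect-gateway` rewrites the main table and the lockout returns. `ip rule add` is not idempotent, so run `teardown` before re-applying; `ip rule show` and `ip route show table 120` confirm the state, and a client on 10.8.0.0/24 should then see VPN2's public address while an SSH session to VPN1's eth0 address stays up.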
