VPN tunnel through VPN tunnel

Posted: Mon Jul 01, 2019 12:18 pm
by tonon.matteo
Hi all,

Does anyone know how to correctly configure a VPN that will connect to another VPN?

I will try to explain my scenario:

I have a first firewall connected to the internet; this firewall has an OpenVPN server configured inside it. When I connect through the VPN, my device is assigned a virtual tunnel IP from 192.168.11.0/24 that connects me to the LAN (192.168.10.0/24).

So I configured a second firewall inside the LAN with IP 192.168.10.50, tunnel network 192.168.51.0/24 and LAN network 192.168.50.0/24.

When I connect to the VPN of the second firewall from my LAN (192.168.10.0/24), I can obviously reach the network 192.168.50.0/24.

When I connect to the VPN of the primary firewall from an external internet connection and subsequently connect to the second firewall's VPN, I can't reach the 192.168.50.0/24 network, but the second VPN stays connected and creates a new tun device.

I also enabled IP forwarding (/proc/sys/net/ipv4/ip_forward) on my machine and tried many, many manual routes, but I can't reach the goal!

I think that I must force my internal (second) VPN to use the tunnel interface of the first VPN as its gateway, but when I try it, the second VPN goes down!

Can you help me?

Thank you very much!

Re: VPN tunnel through VPN tunnel

Posted: Mon Jul 01, 2019 11:00 pm
by d2t93y7c
My research key terms are 'multihop vpn', 'vpn chaining', 'vpn chain linking' and 'vpn cascading' and so far I have found only one script with full code to study. My goals are to get it to work through openvpn and nmcli eventually. I'm not sure nmcli can do it though. Share what you find.

Re: VPN tunnel through VPN tunnel

Posted: Tue Jul 02, 2019 12:11 am
by TinCanTech
Did you try Policy Based Routing yet?

FYI: I believe the script you have linked to above will fail.

Re: VPN tunnel through VPN tunnel

Posted: Tue Jul 02, 2019 8:23 am
by tonon.matteo
The issue is that the tunnel of the second firewall configures its gateway as the gateway of the physical interface, whereas it should configure its gateway as the gateway of the first tunnel (the VPN of the first firewall).
I also configured rules for the VPN on the second firewall to go through the gateway of the "first VPN tunnel", but when I try to establish the second VPN the result is the same (it configures the gateway as the gateway of the physical interface).

Re: VPN tunnel through VPN tunnel

Posted: Wed Jul 03, 2019 8:36 pm
by d2t93y7c
tonon.matteo wrote:
Mon Jul 01, 2019 12:18 pm
i configured a second firewall...
i connect to vpn of second firewall...
i connect to Vpn (of primary firewall)...
i also enabled ip_forwarding...
force my internal (second) vpn...when i try it...
Provide the actual code of how you did the above, so I can learn from it.

Re: VPN tunnel through VPN tunnel

Posted: Sat Jul 06, 2019 7:25 pm
by d2t93y7c
Possible accidental tunnel-within-tunnel discovery. Is the following a working tunnel within a tunnel (from `ip route`)?

0.0.0.0/1 via 10.8.0.1 dev tun1
default via 8.7.9.5 dev tun0 proto static metric 50
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.19
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.6 metric 50
10.50.150.150 via 192.168.0.1 dev eth1 proto static metric 100
100.200.100.10 via 8.7.9.5 dev tun0
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.8.0.1 dev tun1
192.168.0.0/24 dev eth1 proto dhcp scope link src 50.50.50.50 metric 208
192.168.0.1 dev eth1 proto static scope link metric 100

I changed some IPs for online posting.

I can't tell, as I don't know much about networking.

I suspect it is working because I logged in to another VPN while connected to a pre-existing VPN connection, then deleted one of my active default routes with 'ip route del default via [my address]', and I'm still able to browse the web. I'll post the actual code if it's true.

Is there any method other than displaying the results of 'ip route' to tell if a tunnel within a tunnel is working?
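As an added example (not code from any poster in this thread), the following Python models the kernel's longest-prefix route selection and follows a packet's encapsulation from one tunnel into the next, which is one way to answer the question above without eyeballing `ip route`. It is fed the `ip route` listing posted above (with the poster's already-altered addresses) and a constructed table for the two-firewall setup in the opening post. The physical interface addresses, the first firewall's public address 203.0.113.10, and the reading of 10.50.150.150 and 100.200.100.10 as the outer and inner VPN peers in the posted listing are all assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str           # destination in CIDR form ("0.0.0.0/0" is the default route)
    via: Optional[str]    # next-hop gateway, None for a directly connected network
    dev: str              # outgoing interface
    metric: int = 0       # on equal prefix length the lower metric wins


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the route the kernel would use for dst: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix, strict=False)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))


def def1_routes(gw: str, dev: str) -> List[Route]:
    """The two half-routes OpenVPN's 'redirect-gateway def1' installs: each is more
    specific than 0.0.0.0/0, so they win without the original default being deleted."""
    return [Route("0.0.0.0/1", gw, dev), Route("128.0.0.0/1", gw, dev)]


def tunnel_chain(table: List[Route], endpoints: Dict[str, str], dst: str,
                 max_depth: int = 8) -> List[str]:
    """Follow the encapsulation a packet for dst goes through.

    endpoints maps a tun device to the address its VPN peer is reached at. When the
    chosen route leaves on a tun device, the tunnel's own outer packet is addressed to
    that endpoint and looked up again. Returns the devices innermost first, wire last."""
    chain: List[str] = []
    target = dst
    while len(chain) < max_depth:
        route = lookup(table, target)
        if route is None:
            raise LookupError(f"no route to {target}")
        chain.append(route.dev)
        if route.dev not in endpoints:
            return chain                   # reached a physical interface
        target = endpoints[route.dev]      # the tunnel's own packets need a route too
    raise LookupError("tunnel endpoint is routed into its own tunnel (loop)")


# The listing posted above, transcribed as constructed data. Assumption: 10.50.150.150 is
# the outer VPN peer (reached via the physical gateway) and 100.200.100.10 the inner one.
POSTED_TABLE = [
    Route("0.0.0.0/1", "10.8.0.1", "tun1"),
    Route("0.0.0.0/0", "8.7.9.5", "tun0", metric=50),
    Route("10.8.0.0/24", None, "tun1"),
    Route("10.8.3.0/24", None, "tun0", metric=50),
    Route("10.50.150.150/32", "192.168.0.1", "eth1", metric=100),
    Route("100.200.100.10/32", "8.7.9.5", "tun0"),
    Route("127.0.0.0/8", None, "lo"),
    Route("128.0.0.0/1", "10.8.0.1", "tun1"),
    Route("192.168.0.0/24", None, "eth1", metric=208),
    Route("192.168.0.1/32", None, "eth1", metric=100),
]
POSTED_ENDPOINTS = {"tun0": "10.50.150.150", "tun1": "100.200.100.10"}

# The opening post's two-firewall setup, constructed. Assumptions: the roaming client sits
# on 10.0.0.0/24 behind gateway 10.0.0.1, and the first firewall is public at 203.0.113.10.
NESTED_OK = [
    Route("10.0.0.0/24", None, "eth0"),
    Route("0.0.0.0/0", "10.0.0.1", "eth0"),
    Route("203.0.113.10/32", "10.0.0.1", "eth0"),     # first firewall, via the real gateway
    Route("192.168.11.0/24", None, "tun0"),            # first tunnel network
    Route("192.168.10.0/24", "192.168.11.1", "tun0"),  # first firewall's LAN, through tun0
    Route("192.168.51.0/24", None, "tun1"),            # second tunnel network
    Route("192.168.50.0/24", "192.168.51.1", "tun1"),  # second firewall's LAN, through tun1
]
NESTED_ENDPOINTS = {"tun0": "203.0.113.10", "tun1": "192.168.10.50"}

# Failure 1: the inner client installs a host route to its server via the physical gateway,
# so the inner tunnel leaves on eth0 and never enters tun0.
NESTED_BYPASS = NESTED_OK + [Route("192.168.10.50/32", "10.0.0.1", "eth0")]

# Failure 2: the inner server's address is routed into the inner tunnel itself.
NESTED_LOOP = NESTED_OK + [Route("192.168.10.50/32", "192.168.51.1", "tun1")]


if __name__ == "__main__":
    for name, table, ends, dst in [
        ("posted listing, web traffic", POSTED_TABLE, POSTED_ENDPOINTS, "8.8.8.8"),
        ("two firewalls, working", NESTED_OK, NESTED_ENDPOINTS, "192.168.50.7"),
        ("two firewalls, bypass", NESTED_BYPASS, NESTED_ENDPOINTS, "192.168.50.7"),
    ]:
        print(f"{name}: {' -> '.join(tunnel_chain(table, ends, dst))}")
```

In the posted listing, web traffic resolves to tun1, then tun0, then eth1, which is a tunnel inside a tunnel; the def1 half-routes also show why deleting the bare default route need not affect browsing, since 0.0.0.0/1 and 128.0.0.0/1 are more specific than any default. The bypass table reproduces what the opening post describes, the inner client taking the physical interface's gateway for its server: its packets then leave on eth0 in the clear instead of through tun0.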

Re: VPN tunnel through VPN tunnel

Posted: Sat Aug 17, 2019 8:51 am
by stonework
There is a long-established way of chaining 2 servers. Server1 runs 2 OpenVPN sessions (tun0 and tun1), of which tun0 is a point-to-point connection to Server2, and tun1 is a client-to-server session (as server) which provides normal service to all other clients. I have been using this scheme to break the Great Wall for years. Hope this helps. @tonon.matteo, I think in your case the 2 servers should talk in a p2p way.
@d2t93y7c, thank you for your shared links.