Configure nested VPN connection


Configure nested VPN connection

Post by exocore » Wed Sep 15, 2021 3:21 pm

Hi all,

I'm quite new to configuring OpenVPN and struggling to set up a nested VPN connection between my work laptop (when working from home) and a workstation in our laboratory, in a subnet of our university network. The network topology looks as follows:

Code:

                          +--------------------+       +--------------+
                +---------| Home network       | --+-- | Work Laptop  |
               /          | Router             |   |   +--------------+
              /           +--------------------+   |
                                                   |   +--------------+
          .-~~-.                                   +-- | Private PC   |
  .- ~ ~-(       )_ _                                  +--------------+
 /                     ~ -.
|         Internet          \
 \                         .'
   ~- . ____________ . -~

              \
               \          +--------------------+       +--------------+       +---------------------+
                +---------| University network | --+-- | Lab network  | --+-- | Lab Workstation     |
                          | Router             |   |   | Router       |   |   +---------------------+
                          +--------------------+   |   +--------------+   |
                                                   |                      |   +---------------------+
                                                   |                      +-- | Other lab equipment |
                                                   |                          +---------------------+
                                                   |   +--------------+
                                                   +-- | Office PC    |
                                                   |   +--------------+
                                                   |
                                                   |
                                                   +-- ...
Let's start with giving a few more details on the situation: Our university's network is managed by our central IT department, so I have no way to make any changes to what I called the university network router. However, they offer the opportunity to connect to the campus network. While I believe this should be possible with an OpenVPN client, the default way of doing so is using Cisco Anyconnect.

Once this connection is established I can reach our lab router, which is under my control and has port forwarding configured on ports 22 (SSH) and 1194. Since stuff in our lab changes on a regular basis, I tried to set up the connection following this minimal tutorial. It basically suggests using the same certificate on both machines and starting the server with:

Code:

sudo openvpn --dev tun --ifconfig 172.16.0.1 172.16.0.2 --cipher AES-256-CBC --secret static-OpenVPN.key
and the client with:

Code:

sudo openvpn --remote YOUR-OPENVPN-SERVER-IP-OR-HOST --dev tun --ifconfig 172.16.0.1 172.16.0.2 --cipher AES-256-CBC --secret static-OpenVPN.key
though I feel the two parameters of --ifconfig should be switched in the client part.

The described setup works nicely when I'm connecting from my work laptop to a server on my private PC in the same network, but it fails when I try to reach the lab workstation. I also noticed that Anyconnect loses connection for a second the moment I launch the OpenVPN client on my laptop. My guess is that I somehow need to tell my client that it needs to establish the new connection through the existing tunnel instead of replacing it. However, from what I saw in the documentation, it feels like I would need to specify the --route settings on the outer tunnel, managed by Anyconnect...
Am I correct in that assumption, and is there any other way of making it work, without having to meddle with the "outer" VPN tunnel?

If it helps, here is also the output of ifconfig for both interfaces:

Code:

cscotun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1350
        inet 123.456.78.9  netmask 255.255.255.0  destination 123.456.78.9
        inet6 xxxx::xxxx:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        inet6 xxxx:xxxx:xxxx:x::xxx  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 83566  bytes 32795906 (32.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 80094  bytes 13179455 (13.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.2.2  netmask 255.255.255.255  destination 192.168.2.1
        inet6 fe80::a380:14a3:f078:2a0b  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Thanks for any help!
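As an added example (not code from the post or the tutorial it links), here is the static-key point-to-point setup above written out as two config files, with the --ifconfig endpoints mirrored on the client and a route that sends only the lab LAN into the inner tunnel. The lab subnet 10.10.0.0/24, the placeholder LAB-ROUTER-PUBLIC-IP and the helper names are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the post or its tutorial: the static-key
# point-to-point setup as two config files, ifconfig endpoints mirrored on
# the client, plus a route so the lab LAN goes through the inner tunnel.
# Assumed placeholders: lab LAN 10.10.0.0/24; LAB-ROUTER-PUBLIC-IP is the
# address whose port 1194 is forwarded to the lab router.
set -eu

LAB_LAN="10.10.0.0"; LAB_MASK="255.255.255.0"   # assumed lab subnet

# One pre-shared key for both ends: generate it on the lab router and copy it
# over the already-authenticated SSH forward (not run here, openvpn may be
# absent):   openvpn --genkey secret static-OpenVPN.key
write_server_conf() {            # lab router side
  cat > "$1" <<EOF
dev tun
ifconfig 172.16.0.1 172.16.0.2
secret static-OpenVPN.key
cipher AES-256-CBC
keepalive 10 60
persist-key
persist-tun
EOF
}
# The lab router must also forward between tun0 and the lab LAN:
#   sysctl -w net.ipv4.ip_forward=1

write_client_conf() {            # laptop side, endpoints swapped
  cat > "$1" <<EOF
remote LAB-ROUTER-PUBLIC-IP 1194
dev tun
ifconfig 172.16.0.2 172.16.0.1
secret static-OpenVPN.key
cipher AES-256-CBC
route $LAB_LAN $LAB_MASK
keepalive 10 60
persist-key
persist-tun
EOF
}

# Which interface would carry a lab host? Feed it the output of
# "ip route get 10.10.0.5", e.g. route_via "$(ip route get 10.10.0.5)" tun0
# Only the lab LAN is routed into tun0; the remote itself must still be
# reached through the outer tunnel (cscotun0), so no default route goes in.
route_via() {                    # $1 = "ip route get" output, $2 = device
  printf '%s\n' "$1" | grep -Eq " dev $2( |$)"
}

OUT="${OUTDIR:-$(mktemp -d)}"
write_server_conf "$OUT/server.conf"; write_client_conf "$OUT/client.conf"
```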


Re: Configure nested VPN connection

Post by exocore » Tue Sep 21, 2021 6:31 am

Hi all,

After talking to our IT dept. I learned there is also an OpenVPN server for the university network available. Using that one as an "outer layer" works out of the box, so I guess that OpenVPN and Cisco Anyconnect are simply incompatible when it comes to nesting VPN connections.
