
Double VPN with OpenVPN

Posted: Thu Sep 29, 2022 11:46 am
by AmirReza2012
Hello. I hope you're having a good time.
I live in Iran and as you might have heard our access to the internet has been pretty limited lately. To be able to connect to the internet I have managed to access a Windows Server 2016 VPS inside of Iran (which has censored access to the internet - but my home devices do not have any access to the internet).

So I can now run a VPN application on my VPS and have uncensored access to the internet.
Also my home devices are able to connect to my VPS.
Now I want to be able to connect my home devices to said VPS through a VPN connection.
And that means my VPS is going to be both a client for a VPN app, and a VPN server for my home devices.
Is it possible to configure such a setup using OpenVPN? If so I would really appreciate if you can guide me through as I am fairly new to these things and getting connected to the internet becomes more of a hassle every day for us in Iran.
Kind regards

Re: Double VPN with OpenVPN

Posted: Thu Sep 29, 2022 12:16 pm
by openvpn_inc
Hello AmirReza2012,

It is possible to do multiple tunnels whereby you run a VPN client from your Windows Server 2016 VPS to some VPN service provider, and then from your home run a VPN client to your Windows Server 2016 VPS that also runs a VPN server. That's quite a bit of work and you would have to be careful with routing as normally if you redirect all the Internet traffic, that means the VPN tunnels themselves are caught in that too. And in an ordinary 1 tunnel scenario OpenVPN accounts for that, but with multiple it gets trickier and you have to do some of your own routing.

But I was thinking of something a little simpler. Ultimately all this Windows Server 2016 VPS will be used for is to relay the OpenVPN tunnel traffic from your home network through the Windows Server 2016 VPS to some VPN service provider. So instead of terminating the OpenVPN tunnel and creating a new one, you can just redirect the traffic.

See this page:
http://woshub.com/port-forwarding-in-windows/

It describes how to set up port forwarding in such a way that if you send traffic to a port and IP on the Windows Server 2016 VPS, it gets forwarded to another address. So you take the VPN service provider OpenVPN client configuration, and you alter the 'remote' line to point to your Windows Server 2016 VPS instead, on a particular port of your choice, let's say 1234. When OpenVPN connects to your Windows VPS on port 1234, netsh portproxy (see the link I posted) will forward traffic coming in on that port to another IP address and port that you configured - in this case the original address that your VPN service provider is expecting an incoming connection on. That way the traffic will be bounced from your home server to your Windows VPS and finally to the VPN provider. Because NAT is used on the Windows VPS it should in theory handle return traffic as well.

Please note that I've tested none of this on Windows. But I have done port redirection on Linux like this and that worked. The theory seems sound. I would suggest that you try this as it is easier than managing 2 VPN clients and a VPN server and additional routing to relay traffic.

Kind regards,
Johan
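
The forwarding described in the post above, written out as PowerShell to run on the Windows VPS. This is an added example, not part of the original post and not tested by its author; the addresses (203.0.113.10, 198.51.100.25, 192.0.2.50) and provider port 443 are placeholders. netsh portproxy relays TCP connections only, so it assumes the provider's TCP OpenVPN profile is used.

```powershell
# Added example: relay one TCP port on the Windows VPS to the provider's OpenVPN server.
# All addresses and the provider port are placeholders; take the real ones from
# the 'remote' and 'proto' lines of the provider's .ovpn profile.
$ListenPort      = 1234             # port chosen in the post above
$ProviderAddress = '203.0.113.10'   # placeholder: provider's OpenVPN server IP
$ProviderPort    = 443              # placeholder: provider's OpenVPN TCP port
$HomeAddress     = '198.51.100.25'  # placeholder: public IP of the home connection

# netsh portproxy relays TCP only, so the provider profile must be a TCP one.
# Confirm the VPS can reach the provider on that port before forwarding to it.
$probe = Test-NetConnection -ComputerName $ProviderAddress -Port $ProviderPort
if (-not $probe.TcpTestSucceeded) {
    throw "VPS cannot reach ${ProviderAddress}:${ProviderPort} over TCP"
}

# portproxy depends on the IP Helper service.
Set-Service -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

# Replace any earlier rule on the same listener, then add the forward.
netsh interface portproxy delete v4tov4 listenport=$ListenPort listenaddress=0.0.0.0 | Out-Null
netsh interface portproxy add v4tov4 listenport=$ListenPort listenaddress=0.0.0.0 `
    connectport=$ProviderPort connectaddress=$ProviderAddress
if ($LASTEXITCODE -ne 0) { throw "netsh portproxy add failed ($LASTEXITCODE)" }

# Open the listening port to the home address only, so the VPS is not an open relay.
New-NetFirewallRule -DisplayName "OpenVPN relay $ListenPort" -Direction Inbound `
    -Protocol TCP -LocalPort $ListenPort -RemoteAddress $HomeAddress -Action Allow | Out-Null

# Show the active forward and confirm something is listening on the port.
netsh interface portproxy show v4tov4
Get-NetTCPConnection -LocalPort $ListenPort -State Listen

# Matching change in the home client's .ovpn profile (VPS IP is a placeholder):
#   proto tcp
#   remote 192.0.2.50 1234
```

If the home connection has a dynamic address, the firewall rule's remote address has to be updated whenever it changes.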

Re: Double VPN with OpenVPN

Posted: Thu Sep 29, 2022 4:45 pm
by TinCanTech
In fact, Windows cannot do this because Windows does not support Policy Routing.

Re: Double VPN with OpenVPN

Posted: Thu Sep 29, 2022 4:52 pm
by openvpn_inc
Hello TinCanTech,

Can you elaborate on which part is not doable on Windows? The port forwarding idea or the two-step VPN idea?

Kind regards,
Johan

Re: Double VPN with OpenVPN

Posted: Thu Sep 29, 2022 5:31 pm
by TinCanTech
openvpn_inc wrote (Thu Sep 29, 2022 4:52 pm):
> Can you elaborate

Sure.

openvpn_inc wrote (Thu Sep 29, 2022 12:16 pm):
> It is possible to do multiple tunnels whereby you run a VPN client from your Windows Server 2016 VPS to some VPN service provider, and then from your home run a VPN client to your Windows Server 2016 VPS that also runs a VPN server

When the Windows Server connects to the VPN service provider that connection will redirect the gateway of the client, the Windows Server. When a client tries to connect to the Windows Server, replies from the Windows Server will be sent to the VPN service provider.

Re: Double VPN with OpenVPN

Posted: Thu Sep 29, 2022 5:46 pm
by openvpn_inc
Hi Tin/Johan,

I suspect Tin is right about policy routing on Windows; if it is possible at all, I doubt anyone outside of Redmond would know how to do it.

But from looking at the link above, it appears that Windows is not routing, but rather acting as a proxy for the forwarded packets? I have not tried it, but it looks like it should work as described.

regards, rob0

Re: Double VPN with OpenVPN

Posted: Thu Sep 29, 2022 5:50 pm
by openvpn_inc
Hi guys,

TinCanTech, thanks for elaborating on that. I was thinking to avoid that by adding a route to target the public IP of the VPN client going to the default gateway in the routing table on the Windows Server. Imperfect but that's what I meant by adding additional routing. So policy routing would not be necessary (but would be better).

rob0, yes I believe the port forwarding idea should work. You just leave the VPN tunnel a single tunnel that ultimately terminates at the VPN service provider. You just bounce it off the Windows Server. Theory is good. Haven't tried it though.

Regards,
Johan

Re: Double VPN with OpenVPN

Posted: Fri Sep 30, 2022 6:53 am
by AmirReza2012
Hello, thanks for all your replies Johan, TinCanTech and rob0.

Forgive me for asking such newbie questions but let's say my VPN service provider is nordvpn.
Now for the port forwarding idea what I need to do is choose a port like 1234 and set up my VPN such that my home devices connect to the VPS through port 1234 with the IP address of the VPS.
Then what I need to do is redirect that port via netsh portproxy to the IP address of my target nordvpn server? If so will I have to connect to nord servers through an openvpn connect client on the VPS?

Re: Double VPN with OpenVPN

Posted: Fri Sep 30, 2022 9:41 am
by openvpn_inc
Hello AmirReza2012,

Almost - you don't need the OpenVPN client on the VPS itself. You need the OpenVPN client only on your home network. You just use netsh portproxy on your Windows VPS to redirect the incoming connection from your home network to your VPN service provider. It basically just redirects the traffic. And yes that does require changing where the OpenVPN client connects to by editing the .conf or .ovpn connection profile.

Kind regards,
Johan

Re: Double VPN with OpenVPN

Posted: Fri Sep 30, 2022 10:48 am
by AmirReza2012
Hi Johan,
Thanks for your help.
How exactly should I redirect the traffic to the VPN servers of my provider (nordvpn in this case)?
I don't know if the VPN tunnel uses a specific port or if it just captures the traffic from all my Windows programs.

Re: Double VPN with OpenVPN

Posted: Fri Sep 30, 2022 10:52 am
by openvpn_inc
Hello AmirReza2012,

You don't have to concern yourself with the ports of your applications. You only need to concern yourself with the OpenVPN tunnel traffic that goes from your home network through your Windows VPS to the port and IP of the nordvpn OpenVPN server. You only need to redirect the OpenVPN tunnel itself. Once the OpenVPN tunnel is up, all your applications and stuff will go through that OpenVPN tunnel to the nordvpn server.

Kind regards,
Johan