Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
Any instructions/tutorial on setting up Double-VPN with OpenVPN?
New on LowEndTalk? Please Register and read our Community Rules.

Any instructions/tutorial on setting up Double-VPN with OpenVPN?

daviddavid Member

Does anybody know of some good instructions or tutorial on setting up a double-vpn with OpenVPN?

Basically, I've got a VPN I want to use that has bad routing to my home (call it vpn #2). I've also got a VPS with an openvpn server that has really good routing to my home (vpn #1). So I'd like to connect from my home system to vpn #1 which is in turn connected to vpn #2.

Comments

  • Use Tinc that would be the easy solution https://www.tinc-vpn.org/examples/redirect-gateway/

    Make your choice on your own But i can help you to make them right.

  • Will Tinc work if the second VPN is still OpenVPN? I have no control over the second server; it's just a VPN service.

  • BeardyUnixGuyBeardyUnixGuy Member
    edited October 2016

    As far as I understand it, one of the things that "Double VPN" implies would be that the connection is relayed through at least one other server before hitting the final endpoint. So, @david's home connection should never make a direct connection to VPN #2.

    I haven't played with tinc much but from reading here I understand that, for performance reasons, the daemon would (or is planned to) drop the star topology restriction and attempt to make direct connections from one peer to another.

    Maybe @simonindia can shed some light on whether it's possible to require/enforce the star topology?

    Other than that, you could also setup a simple port forward on VPN #1 to redirect the traffic to VPN #2's OpenVPN daemon. To secure (in terms of authorization) the hop from your home to VPN #1, you can opt for something like stunnel or spiped.

    While the above two tools will allow add another layer of encryption, the initial relayed connection (from home to VPN #2 will already be under encryption (by the VPN connection to VPN #2's OpenVPN daemon).

    "Double VPN" is also know to imply double encryption, but I'm unsure if that's an actual requirement in your case.

    You can send your dogecoin "thanks" to: DNhnwKWR5vm8ddbWPpWfrpGR8atXH5ZFeP

  • Is there a way to use VPN #1 to port forward UDP?

    I actually had it forwarding over TCP by connecting to VPN #2 via a socks proxy on #1. But OpenVPN configured for TCP was using huge upload bandwidth (at least twice as much or more than UDP) so it's not an option for me (upload restricted since I'm using DSL).

  • BeardyUnixGuyBeardyUnixGuy Member
    edited October 2016

    david said: Is there a way to use VPN #1 to port forward UDP?

    Stunnel and spiped are only for TCP, so you'd have to use socat instead. In addition, you'd need to find an alternative means to enforce some authorization. Maybe firewall rules permitting either an IP range, or permitting a dynamic DNS entry.

    Enforcing some sort of authorization is only to limit the effect that port scans would have on the traffic leaving VPN #1 and destined for VPN #2. If you're comfortable with it, this is a cost that could easily be swallowed.

    david said: OpenVPN configured for TCP was using huge upload bandwidth

    This is the unfortunate truth. TCP over TCP is inefficient.

    Thanked by 1david

    You can send your dogecoin "thanks" to: DNhnwKWR5vm8ddbWPpWfrpGR8atXH5ZFeP

  • I wonder if it could all be done with some iptables port forwarding on #1...

  • BeardyUnixGuy said: Stunnel and spiped are only for TCP, so you'd have to use socat instead. In addition, you'd need to find an alternative means to enforce some authorization. Maybe firewall rules permitting either an IP range, or permitting a dynamic DNS entry.

    Enforcing some sort of authorization is only to limit the effect that port scans would have on the traffic leaving VPN #1 and destined for VPN #2. If you're comfortable with it, this is a cost that could easily be swallowed.

    Holy cow! Thanks @BeardyUnixGuy. That is easier than I thought it would be.

    socat UDP-LISTEN:31234,fork UDP:{remote_ip}:1194

    It works!

    I've got an iptables rule to only let my ip address through, but I need to work on that since it's a dynamic address.

  • google "vpn chains"

Sign In or Register to comment.