I'm wanting to tunnel two VPNs, using OpenVPN. So, the client would connect to the first VPN and would be redirect to the second VPN. (These are all VPSs, I don't have physical access to it as it will be important a little later.)
So, here is the picture:
Client VPN1 VPN2
10.8.0.2[tun0]------10.8.0.1[tun0]
[1.1.1.1][eth0] 10.8.100.2[tun1]----------10.8.100.1[tun0]
45.55.45.55[eth0] 186.186.186.186[eth0]------internet
The server configuration is a pretty standard configuration:
port 1194
auth-user-pass-verify /etc/openvpn/script/login.py via-env
username-as-common-name
script-security 3
proto udp
dev tun
duplicate-cn
sndbuf 0
rcvbuf 0
vca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0 (or 10.8.100.0 in the VPN2)
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
The client configuration is also, pretty standard:
client
dev tun
auth-user-pass login.txt
proto udp
sndbuf 0
rcvbuf 0
remote 45.55.45.55 1194 (or 186.186.186.186 for VPN2)
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
key-direction 1
verb 3
So, in order to achieve the VPN chaining, I'm connecting to the VPN1 straightforward.
openvpn --config toOpenVPN1.ovpn
If I connect like this from VPN1 to VPN2, I get locked out from VPN1 server, as all the traffic gets redirected to VPN2 and VPN1's public IP is set to VPN2's. So, I reject the pushed route coming from the second VPN with the –route-nopull option.
openvpn --config toOpenVPN2.ovpn --route-nopull
So, this connects fine. I have traffic coming from localhost to VPN1 and my public IP is the VPN1s. I've, also, assigned IP's to the tunX interfaces. However, there is still no traffic coming from localhost (client) to VPN2. I have to create the routes to get this to work. And that's were I'm failing.
As the client doesn't have to care if its traffic is being redirected to another location, I'm assuming that there is no configuration or iptables rules needed to be done in its side (client). The same follows to the VPN2 server, that doesn't need to know if it is coming from VPN1 or other peers. So, all I have to setup is VPN1 configurations.
First of all, I will set iptables rules, as follows. This will just allow the traffic to go by.
iptables -A INPUT -i tun1 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun1 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o tun1 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -m multiport --dports 6880:7000 -j DROP
iptables -A FORWARD -i tun1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -d 10.8.100.0/24 -i tun0 -o tun1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -s 10.8.100.0/24 -d 10.8.0.0/24 -i tun1 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
Now, I've to create the routes for one peer see others:
route add 0.0.0.0/0 dev tun0
route add 0.0.0.0/0 dev tun1
### route from the the first tunnel, through the client's IP
route add -net 10.8.0.0/24 gw 10.8.0.2 dev tun0
### same for the 2nd
route add -net 10.8.100.0/24 gw 10.8.100.1 dev tun1
### route all the traffic to the 2nd VPN
### end server's IP and internet's gateway
route add 186.186.186.186 gw 45.55.45.1
route add default gw 10.8.100.1 dev tun1 <<<<<<<<<<<<<<<<<< got locked out of VPN1 server
So, either or I'm creating wrong routes or the iptables rules are not set up correctly, but I can't have traffic coming from one client to the second VPN. And after many tries, I always keep getting locked out from VPN1.
How would be a correct set of routes for VPN1?
Best Answer
So, I figure it out. In order to do so, one have to use custom routing tables and iptables rules to mark all the packages that you want to forward.
For example, to forward one port on TCP, you could use something like:
Then, create an routing table on
/etc/iproute2/rt_tables
for that marked packets: Let's say9999 tableToForward
.Finally, add two rules to forward all marked packets to on that table through the
tun1
interface: