Linux – How to open VPN connection inside other VPN connection under Linux/Ubuntu

linux, nat, pptp, routing, vpn

Is it possible to have two VPN connections on top of each other under Ubuntu?

Scenario:

  1. My organization is quite large and has its own large network.
  2. Each group inside the organization has its own subnetwork.
  3. All subnets go through a router. The subnets may have public or private IP addresses, but in any case the central router will not route any PPTP or other traffic useful for building a VPN to them.
  4. The network of our group is, again, behind a switch/router. The switch has a public static IP address, the computers in our subnet have private IP addresses. I cannot reach the switch/router with a VPN connection from outside of our organization's network.
  5. The organization offers VPN access to the organization network through a dedicated access node.
  6. Our switch/router has "VPN passthrough" to a computer system having a VPN server on it.
  7. I have a system with a VPN server for PPTP running in our network. If I am inside the organization network, I can connect to it and establish a VPN connection.

So what I want to do is:

  1. Connect my home computer to the internet via DSL. This is easy. From here, I cannot access any computer in the organization network and I cannot "see" our group's switch (since the organization's router does not route or forward VPN connections).
  2. I want to open a VPN connection to the organization network. This is again easy and possible. From here, I can see our group's switch, but not anything inside our group's network behind it.
  3. Open a VPN connection to the switch/router, which is then forwarded to the system with the VPN server on it. This second VPN connection should be "nested" inside the first one. It would allow me to connect to applications inside our group's network, such as a database and network shares. I don't know how to get this to work.

Things that I've tried and which did not work:

  1. Tried to open a VPN connection to our group's switch/router's public IP address directly. The connection never even arrives at the switch, i.e., it is not routed by the organization's router.

  2. I tried to have the first VPN connection inside my Linux/Ubuntu system, start another system instance in a Virtual Box and inside the virtualized system open a VPN connection to our network. I thought that this should work, but it did not.

Is there any way to create a VPN connection that, instead of using a physical DSL connection, uses an existing VPN connection?

Or is there another much easier solution? I personally think VPN is the way to go, since I need to access several network services (database, shares, maybe even printer), but I am not sure.

Best Answer

As long as the VPN servers do not use the same IPs internally, it should be possible - but probably not by using only one wrapper like NetworkManager. You need to start at least one VPN client by hand or by using other tools like kvpnc.

Depending on what you want, you need to be careful with the routes. You need to make sure that the routes set by the second VPN client do not replace the direct access to the first VPN server. You may need to set explicit routing options before you start the second VPN client by calling:

ip route add IP_OF_FIRST_VPN_SERVER dev WAN-INTERFACE
ip route add IP_OF_SECOND_VPN_SERVER dev FIRST-VPN-INTERFACE

(Replace the words in capitals with the corresponding values. Your WAN interface is probably eth0 or wlan0; the VPN interface could be e.g. ppp0.)

Additionally, the two VPN clients need to use separate interfaces (which should normally be the case).
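The route pinning the answer describes, written out as an added example that is not part of the original answer: a small POSIX sh helper that validates the two server addresses, prints (or, with DRY_RUN=0 as root, actually runs) the two host routes, and a check that reads `ip route get` to confirm which interface a server is reached through. The interface names, the addresses 203.0.113.10, 10.20.30.40 and 192.168.1.1, and the optional WAN gateway argument are placeholders chosen for illustration. One practical point the example makes explicit: on a broadcast interface such as eth0 the first route needs `via <your default gateway>`, because the first VPN server is not on the local segment and an on-link route would make the kernel ARP for it on the LAN; a point-to-point ppp interface needs no gateway.

```shell
#!/bin/sh
# Added example (not from the original answer): pin the path to each VPN
# server before starting the second VPN client, so the second client's
# routes cannot capture the traffic that carries the first tunnel.
# All addresses and interface names are placeholders.

# Validate a dotted-quad IPv4 address using only shell builtins.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# pin_vpn_routes FIRST_SERVER WAN_IF SECOND_SERVER FIRST_VPN_IF [WAN_GATEWAY]
# Emits two /32 host routes:
#   first server  -> WAN interface (via the WAN gateway if one is given)
#   second server -> first VPN interface (point-to-point, no gateway needed)
# DRY_RUN=1 (the default) prints the commands instead of running them,
# so the result can be reviewed before running as root with DRY_RUN=0.
pin_vpn_routes() {
    first_srv=$1; wan_if=$2; second_srv=$3; vpn_if=$4; gw=${5:-}
    if ! is_ipv4 "$first_srv" || ! is_ipv4 "$second_srv"; then
        echo "pin_vpn_routes: bad server address" >&2
        return 2
    fi
    run="ip"
    [ "${DRY_RUN:-1}" = 1 ] && run="echo ip"
    if [ -n "$gw" ]; then
        $run route add "$first_srv/32" via "$gw" dev "$wan_if" || return 1
    else
        $run route add "$first_srv/32" dev "$wan_if" || return 1
    fi
    $run route add "$second_srv/32" dev "$vpn_if"
}

# route_uses_dev SERVER EXPECTED_IF
# After the routes are in place, confirm the kernel really resolves the
# server through the expected interface (needs the real `ip` tool).
route_uses_dev() {
    ip -o route get "$1" 2>/dev/null | grep -q " dev $2 "
}

# Example invocation (placeholders): first VPN server 203.0.113.10 reached
# over eth0 via the DSL router 192.168.1.1, second (group) VPN server
# 10.20.30.40 reached through the first tunnel on ppp0.
#   DRY_RUN=1 pin_vpn_routes 203.0.113.10 eth0 10.20.30.40 ppp0 192.168.1.1
#   route_uses_dev 203.0.113.10 eth0 && route_uses_dev 10.20.30.40 ppp0
```

Run the dry run first and compare its output with `ip route` before starting the second client; once the second tunnel is up, `route_uses_dev` for each server tells you whether the new client's routes have displaced either pinned path.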
