Bdtyktl

I'm wanting to tunnel two VPNs, using OpenVPN. So, the client would connect to the first VPN and would be redirect to the second VPN. (These are all VPSs, I don't have physical access to it as it will be important a little later.)

So, here is the picture:

Client              VPN1                    VPN2

10.8.0.2[tun0]------10.8.0.1[tun0]

[1.1.1.1][eth0]     10.8.100.2[tun1]----------10.8.100.1[tun0]

                    45.55.45.55[eth0]         186.186.186.186[eth0]------internet

The server configuration is a pretty standard configuration:

port 1194

auth-user-pass-verify /etc/openvpn/script/login.py via-env

username-as-common-name

script-security 3

proto udp

dev tun

duplicate-cn

sndbuf 0

rcvbuf 0

vca ca.crt

cert server.crt

key server.key

dh dh.pem

tls-auth ta.key 0

topology subnet

server 10.8.0.0 255.255.255.0 (or 10.8.100.0 in the VPN2)

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120

cipher AES-128-CBC

comp-lzo

user nobody

group nogroup

persist-key

persist-tun

status openvpn-status.log

verb 3

crl-verify crl.pem

The client configuration is also, pretty standard:

client

dev tun

auth-user-pass login.txt

proto udp

sndbuf 0

rcvbuf 0

remote 45.55.45.55 1194 (or 186.186.186.186 for VPN2)

resolv-retry infinite

nobind

persist-key

persist-tun

remote-cert-tls server

cipher AES-128-CBC

comp-lzo

key-direction 1

verb 3

So, in order to achieve the VPN chaining, I'm connecting to the VPN1 straightforward.

openvpn --config toOpenVPN1.ovpn

If I connect like this from VPN1 to VPN2, I get locked out from VPN1 server, as all the traffic gets redirected to VPN2 and VPN1's public IP is set to VPN2's. So, I reject the pushed route coming from the second VPN with the --route-nopull option.

openvpn --config toOpenVPN2.ovpn --route-nopull

So, this connects fine. I have traffic coming from localhost to VPN1 and my public IP is the VPN1s. I've, also, assigned IP's to the tunX interfaces. However, there is still no traffic coming from localhost (client) to VPN2. I have to create the routes to get this to work. And that's were I'm failing.

As the client doesn't have to care if its traffic is being redirected to another location, I'm assuming that there is no configuration or iptables rules needed to be done in its side (client). The same follows to the VPN2 server, that doesn't need to know if it is coming from VPN1 or other peers. So, all I have to setup is VPN1 configurations.

First of all, I will set iptables rules, as follows. This will just allow the traffic to go by.

iptables -A INPUT -i tun1 -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i tun1 -o tun0 -j ACCEPT

iptables -A FORWARD -i tun0 -o tun1 -j ACCEPT

iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p udp -m multiport --dports 6880:7000 -j DROP

iptables -A FORWARD -i tun1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -s 10.8.0.0/24 -d 10.8.100.0/24 -i tun0 -o tun1 -m conntrack --ctstate NEW -j ACCEPT 

iptables -A FORWARD -s 10.8.100.0/24 -d 10.8.0.0/24 -i tun1 -o tun0 -m conntrack --ctstate NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Now, I've to create the routes for one peer see others:

route add 0.0.0.0/0 dev tun0

route add 0.0.0.0/0 dev tun1

### route from the the first tunnel, through the client's IP

route add -net 10.8.0.0/24 gw 10.8.0.2 dev tun0

### same for the 2nd

route add -net 10.8.100.0/24 gw 10.8.100.1 dev tun1

### route all the traffic to the 2nd VPN

### end server's IP and internet's gateway

route add 186.186.186.186 gw 45.55.45.1

route add default gw 10.8.100.1 dev tun1 <<<<<<<<<<<<<<<<<< got locked out of VPN1 server

So, either or I'm creating wrong routes or the iptables rules are not set up correctly, but I can't have traffic coming from one client to the second VPN. And after many tries, I always keep getting locked out from VPN1.

How would be a correct set of routes for VPN1?

So, I figure it out. In order to do so, one have to use custom routing tables and iptables rules to mark all the packages that you want to forward.

For example, to forward one port on TCP, you could use something like:

iptables -t mangle -I PREROUTING -p tcp -m multiport --dport 9999 -j MARK --set-mark 0x9999

Then, create an routing table on /etc/iproute2/rt_tables for that marked packets: Let's say 9999 tableToForward.

Finally, add two rules to forward all marked packets to on that table through the tun1 interface:

ip route add 0.0.0.0/0 dev tun1 table tableToForward

ip rule add from all fwmark 1 table tableToForward

openvpn --config toOpenVPN2.ovpn --route-nopull

worked fine

two Vpn servers, one connected to other via again openvpn with the above command.

Internet access worked, without -- route-nopull internet access does not work.