Sam - September 22, 2016
In this tutorial I am going to show you how to set up a Double OpenVPN, which is essentially the process of chaining VPN servers so that your traffic exits from a different point / IP address than the server you originally connected to.
This is a relatively easy process, but there is very little information out there on how to achieve it, and what exists is overly complicated. We will do this in the simplest and easiest way that I know of.
*This tutorial will assume you already know how to set up a basic OpenVPN server and a client connection*
I may do a more in-depth tutorial later, but I feel that people who want to create a Double OpenVPN tunnel have already passed basic training on Linux, VPNs and networking.
Everyone has their own reasons, but my reason for creating this configuration is that I want to have an exit IP in the USA. My ping to the USA is too high and the routing isn't good, so I create a first hop in Tokyo or Singapore, which then connects to my USA server.
In this diagram we can assume:
ServerA = Tokyo
ServerB = USA
I will assume you already have set up an OpenVPN server (ServerA) and have root access to it.
We do not need root access to the second OpenVPN server (ServerB), only a client config for it 😉
If we look at our ifconfig output we can see that tun0 (our local OpenVPN server) has an internal IP address of 108.61.168.1
root@test-vpn-double:/etc/openvpn# ifconfig
ens3 Link encap:Ethernet HWaddr 56:00:00:32:7b:2b
inet addr:108.61.168.153 Bcast:255.255.254.0 Mask:255.255.254.0
inet6 addr: fe80::5400:ff:fe32:7b2b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:122189 errors:0 dropped:0 overruns:0 frame:0
TX packets:134190 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:88730666 (88.7 MB) TX bytes:21559674 (21.5 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:500 (500.0 B) TX bytes:500 (500.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:108.61.168.1 P-t-P:108.61.168.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Now, in addition to the usual iptables MASQUERADE rule, we need an extra routing table (102) so that the server's own traffic keeps leaving via ens3 instead of disappearing into the second VPN once that connection takes over the default route.
Command:
ip route add default via 108.61.168.1 dev ens3 table 102
ens3 is our main interface.
Now let's add the following 3 iptables rules:
iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
iptables -t mangle -A OUTPUT -p udp -m udp --sport 80 -j MARK --set-mark 0x2
Port 80 is the local UDP port our OpenVPN server is listening on; this rule marks the server's own replies to clients so that they can be routed through table 102.
Next we add these two IP rules:
ip rule add fwmark 0x2/0x2 lookup 102
ip rule add from 108.61.168.153 table 102
Now we need to connect to our second OpenVPN server. In this case we will run the client inside the program screen, so that it keeps running after we log out.
You can download and install it quickly:
sudo apt-get -y install screen
Let's create our screen session:
screen -S vpn
Now, assuming our second OpenVPN server's connection config is called "second.ovpn", we connect to it like this:
openvpn --config /path/to/second.ovpn
You can then detach from your screen session by pressing Ctrl+A followed by D.
If everything went correctly you should just be able to connect to your OpenVPN server and all traffic will be routed over a second hop (server).
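The whole procedure above, collected into one re-runnable script, as an added example (this is not part of the original post). It uses the same interface name, addresses, port, table number and mark as the tutorial, but every value is a variable so you can adapt it; the `/path/to/second.ovpn` placeholder is the post's own. It differs from the tutorial in small ways so it can be run twice without stacking duplicate rules: `ip route replace` instead of `ip route add`, `iptables -C` checks before each `-A`, and `ip rule del` before each `ip rule add`. It also adds a `check_rules` function that reads `ip rule show` output (which prints the table as `lookup N`) and confirms both policy rules are present. With the default `DRY_RUN=1` it only prints the commands for review; run it as root with `DRY_RUN=0` to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: the tutorial's steps as one
# re-runnable script. Values default to the ones used in the post; override
# them with environment variables. With DRY_RUN=1 (the default) the commands
# are only printed so they can be reviewed before being applied as root.

WAN_IF="${WAN_IF:-ens3}"                    # main interface
WAN_IP="${WAN_IP:-108.61.168.153}"          # its address, as shown by ifconfig
ROUTE_VIA="${ROUTE_VIA:-108.61.168.1}"      # next hop the post routes table 102 through
VPN_PORT="${VPN_PORT:-80}"                  # UDP port the local OpenVPN server listens on
HOP_IF="${HOP_IF:-tun1}"                    # interface the client connection to ServerB creates
TABLE="${TABLE:-102}"                       # policy routing table number
MARK="${MARK:-0x2}"                         # fwmark put on the server's own replies
OVPN_CONFIG="${OVPN_CONFIG:-/path/to/second.ovpn}"  # client config for ServerB (placeholder path)
DRY_RUN="${DRY_RUN:-1}"

# Emit the commands from the tutorial, filled in from the variables above.
# "replace", the "-C || -A" pattern and "del || true; add" make re-runs safe.
double_vpn_commands() {
    cat <<EOF
ip route replace default via $ROUTE_VIA dev $WAN_IF table $TABLE
iptables -t nat -C POSTROUTING -o $WAN_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t nat -C POSTROUTING -o $HOP_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o $HOP_IF -j MASQUERADE
iptables -t mangle -C OUTPUT -p udp -m udp --sport $VPN_PORT -j MARK --set-mark $MARK 2>/dev/null || iptables -t mangle -A OUTPUT -p udp -m udp --sport $VPN_PORT -j MARK --set-mark $MARK
ip rule del fwmark $MARK/$MARK lookup $TABLE 2>/dev/null || true
ip rule add fwmark $MARK/$MARK lookup $TABLE
ip rule del from $WAN_IP lookup $TABLE 2>/dev/null || true
ip rule add from $WAN_IP lookup $TABLE
screen -dmS vpn openvpn --config $OVPN_CONFIG
EOF
}

# Verify that both policy rules are installed. Reads "ip rule show" output
# from stdin, so it works on a live box ("ip rule show | check_rules") and on
# a saved copy of that output. Returns 0 only when both rules are present.
check_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q "fwmark $MARK/$MARK lookup $TABLE" || return 1
    printf '%s\n' "$rules" | grep -q "from $WAN_IP lookup $TABLE" || return 1
    return 0
}

# Print the commands (dry run) or execute them and then verify the rules.
apply() {
    if [ "$DRY_RUN" = "1" ]; then
        double_vpn_commands
    else
        double_vpn_commands | sh -e && ip rule show | check_rules
    fi
}

apply
```

After applying it for real, `ip rule show | check_rules && echo ok` is a quick way to confirm the two policy rules survived, and `ip route show table 102` should show the single default route via ens3. Note that the verification only checks the rules exist; the second-hop connection itself is still confirmed the way the post describes, by connecting a client and checking its exit IP.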