Vpn over Vpn, Two chained Vpns, Nested Vpn

skilsprism

New Around Here
Hi!
Need your help guys. I have an N66U running Merlin 380.65. I would like to create a VPN chain.

ISP-> VPN Client1->VPNClient2->Internet.

I would like my VPN Client2 never to touch my ISP. Can I add a specific rule in place, that says VPNclient2 will not connect unless VPN Client1 is connected?

So far, I have configured VP1 correctly. I have added Policy Rules on both VPN Clients that say Source IP: 192.168.1.0/24 to VPN

and added a Kill Switch for both VP1 and VPN2. I figure the kill switch will keep VPN2 from touching the ISP?

VPN Client 2 is not working right now... Log says "Tunnel down - VPN client access blocked". Working to fix this.

Any help with this would be greatly appreciated.

Cheers!
 

Lower numbered VPN client instance RPDB rules take priority over the higher numbered VPN client rules.
i.e. VPN Client 1 RPDB rule(s) take priority over the VPN Client 2 RPDB rule(s)

So in theory you may not need additional rules if you strictly control the order in which the VPN Clients will start
i.e.
Code:
VPN Client 2 'Start with WAN=YES'
VPN Client 1 'Start with WAN=NO'

If you have enabled Selective routing for both VPN clients using:
Code:
All_VPN1   192.168.1.0/24   0.0.0.0   vpn{1}
All_VPN2   192.168.1.0/24   0.0.0.0   vpn{2}
then when the first VPN instance (VPN Client 2) is started via the WAN, upon a successful connection, the 'All_VPN2' RPDB rule will now force ALL traffic via the established VPN Client 2 tunnel.

Consequently, when the second VPN instance (VPN Client 1) is then started, it is forced via the VPN Client 2 tunnel and when it successfully connects it will have created the 'All_VPN1' RPDB rule which now takes priority over the 'All_VPN2' RPDB rule.

So ALL traffic is now via VPN Client 1, which was hopefully established through the VPN Client 2 tunnel.


To control the order of the VPN client startup then you will use the openvpn-event scripts to cascade the 'double' VPN:

/jffs/scripts/vpnclient2-up
Code:
#!/bin/sh
# Run the chaining script in the background so the openvpn-event hook returns immediately
/jffs/scripts/Double_VPN.sh &

/jffs/scripts/Double_VPN.sh
Code:
#!/bin/sh
# Give VPN Client 2 a moment to settle, then (re)start VPN Client 1
# only if VPN Client 2 reports state 2 (connected)
sleep 5
if [ "$(nvram get vpn_client2_state)" = "2" ]; then
   service restart_vpnclient1
fi
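A stricter variant of the Double_VPN.sh idea above, added here as an example and not a script from this thread or from the firmware: besides checking the nvram state, it refuses to start VPN Client 1 unless the router's own route to VPN Client 1's server actually goes out through VPN Client 2's tunnel, which is the "never touch the ISP" guarantee the original poster asked for. The server address is a placeholder, and the tun12 interface name for VPN Client 2 is an assumption.

```shell
#!/bin/sh
# Added example (not the thread's own script): a stricter Double_VPN.sh that
# only restarts VPN Client 1 once VPN Client 2 reports connected AND the
# router's own route to VPN Client 1's server goes via VPN Client 2's tunnel.
# Assumptions (not stated in the thread): VPN Client 2's interface is tun12,
# and VPN Client 1's server address is a placeholder you must replace.
VPN1_SERVER="203.0.113.10"   # placeholder: VPN Client 1's endpoint address
VPN2_IF="tun12"              # assumption: tunnel interface of VPN Client 2

# Returns 0 if the 'ip route get' output read from stdin uses interface $1.
route_uses_iface() {
    grep -q -E "(^| )dev $1( |$)"
}

# Returns 0 when an nvram vpn_clientN_state value means "connected" (2).
vpn_connected() {
    [ "$1" = "2" ]
}

# Poll for up to $1 seconds until VPN Client 2 reports connected.
wait_for_vpn2() {
    t=0
    while [ "$t" -lt "$1" ]; do
        vpn_connected "$(nvram get vpn_client2_state)" && return 0
        sleep 1
        t=$((t + 1))
    done
    return 1
}

main() {
    if ! wait_for_vpn2 60; then
        logger -t Double_VPN "VPN Client 2 not connected; VPN Client 1 left down"
        exit 1
    fi
    # Without 'from', 'ip route get' shows the route the router itself would
    # use, i.e. the path the second OpenVPN process takes to its server.
    if ip route get "$VPN1_SERVER" | route_uses_iface "$VPN2_IF"; then
        service restart_vpnclient1
    else
        logger -t Double_VPN "route to $VPN1_SERVER not via $VPN2_IF; refusing to start VPN Client 1"
        exit 1
    fi
}

# Only run main when invoked as the real script (so the functions can be sourced/tested)
case "$0" in *Double_VPN.sh) main "$@" ;; esac
```

The route check matters because the RPDB rules in this thread match LAN sources (192.168.1.0/24), while the router's own OpenVPN process is not a LAN source; only a default route via the first tunnel (e.g. "Redirect Internet traffic=ALL") makes the second client's connection go through it.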
 
Thank so much! Really appreciate your quick and in-depth response, Martineau!

Some follow up questions so I'm clear on what to do:

Where do I type the first code you recommended?
Code:
VPN Client 2 'Start with WAN=YES'
VPN Client 1 'Start with WAN=NO'
Should I put it in the custom config box at the bottom of OpenVPN Client Settings (marked in Red)?

Please explain why does Client 2 have the "Start with Wan=Yes" ? I do not want VPN Client 2 touch the ISP. Is this setup correct?

------

You refer to the first VPN instance as (VPN Client 2) and the second VPN instance as (VPN Client 1). This is confusing. I thought the first instance would be VPN Client 1 and the second instance VPN Client 2.

This may be totally wrong, but what if I instead did:
VPN Client 2 'Start with WAN=NO'
VPN Client 1 'Start with WAN=YES'

I start VPN client 1 first via wan with selective routing/kill switch, and then upon a successful connection, the 'All_VPN1' RPDB rule will now force ALL traffic via the established VPN Client 1 tunnel.
Consequently, when the second VPN instance (VPN Client 2) is then started, it is forced via the VPN Client 2 tunnel and when it successfully connects it will have created the 'All_VPN1' RPDB rule which now takes priority over the 'All_VPN2' RPDB rule.

So ALL traffic is now via VPN Client 2, which was hopefully established through the VPN Client 1 tunnel.

Thanks so much for your help and sorry if I caused even more confusion with my questions.
 

Where do I type the first code you recommended?
Code:
VPN Client 2 'Start with WAN=YES'
VPN Client 1 'Start with WAN=NO'
The options above are set in the appropriate GUI
e.g. assuming all the other VPN clients 1,3,4 and 5 have 'Start with WAN=NO'

(screenshot: upload_2017-9-10_10-56-49.png)


Please explain why does Client 2 have the "Start with Wan=Yes" ? I do not want VPN Client 2 touch the ISP.
You refer to the first VPN instance as (VPN Client 2) and the second VPN instance as (VPN Client 1). This is confusing. I thought the first instance would be VPN Client 1 and the second instance VPN Client 2. Is this setup correct?
I apologise if English is not your first language.

Assume there are no VPN Clients connected:

If I then manually start VPN Client 5, then this is the first VPN instance.
If I then manually start VPN Client 3, then this will be the second VPN instance.

You state you don't want the second VPN from touching the ISP, so the first VPN must already be connected before you start the second ('hidden double') VPN connection, hence you only want the first VPN instance started automatically when the router is booted.

Use of the openvpn-event scripts associated with the first VPN instance ensures ONLY the first VPN instance can start the second 'hidden' VPN instance (hopefully over the first VPN instance connection.)

However, as the RPDB rules are always applied in priority order i.e. by absolute VPN Client number (VPN Client 1 rules processed first through to VPN Client 5 rules processed last), then the second VPN instance MUST be physically a lower numbered VPN client than the first VPN for your required scenario.
 
Hi Again! I appreciate your feedback and clarification! Thank you!

Almost there....

In regard to the last part about adding the openvpn-event scripts. I have connected to the router via ssh and have typed cd /jffs/scripts/ so that it now shows that directory in the command line.

I need some specific directions on this next part. Do I create the two files you mentioned (Double_VPN.sh) & (vpnclient2-up), add the needed code to each file, and upload each file to that directory? OR do I edit already existing files and add that code? If creating the files, do both need to end in .sh?

Which commands/specific process would I use to execute this last part (editing, adding files?, uploading?) I GREATLY appreciate your support and guidance during this journey. Why isn't the process of setting up a double cascading VPN spelled out more clearly on the web already?

Thank you!
 


I use WinSCP to develop all my scripts (although I have configured it to use notepad++)

I posted a mini-tutorial of getting a script onto the router and how to test it all via WinSCP:

https://www.snbforums.com/threads/h...outbound-connections.38086/page-3#post-314828

I prefer to ensure that the '.sh' suffix is used for all end-user named custom scripts to differentiate between RMerlin scripts that are recognised by the firmware and made available for use ( see the wiki https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts )

So if WinSCP is appropriate in your environment (i.e. Windows) then it should be a case of simple copy'n'paste.
 
I followed the instructions in this thread, but all I am getting are 2 separately connected OpenVPN clients that I can use for different devices on my LAN separately and not one VPN that tunnels through the other.
Could you please tell me what I am doing wrong?

This is what I am trying to do:
I want to connect
First VPN (on Client 2, manually started first) to Hong Kong and use it as the main tunnel for some devices on my LAN and as a tunnel for the second VPN.
Second VPN (on Client 1, manually started after I connect to HK with Client 1) to London and use it as the secondary VPN that must connect through the first VPN and then provide access only to my Television. (currently the second VPN doesn't connect through the first VPN, but it connects through the WAN connection)

These are my rules on Client 2 (Hong Kong):
(screenshot: chrome_2017-12-11_12-33-57.png)



These are my rules on Client 1 (London):
(screenshot: chrome_2017-12-11_12-36-24.png)


Please note that at this stage I don't care about the startup automation process. I know how to get it done.
I just want it to work as explained above first.

Thank you
 
I followed the instructions in this thread, but all I am getting are 2 separately connected OpenVPN clients that I can use for different devices on my LAN separately and not one VPN that tunnels through the other.
Could you please tell me what I am doing wrong?
Please note that at this stage I don't care about the startup automation process. I know how to get it done.
I just want it to work as explained above first.

I think this used to work :eek:, or perhaps it was because I may have used 'Redirect Internet traffic=ALL' when initially starting VPN Client 2, so that should have forced VPN Client 1 to establish its connection via the existing VPN Client 2 tunnel, or this was back when I didn't use RMerlin's vpnrouting.sh script to manage the contents of the RPDB tables, so effectively only had the single default line in the VPN Client RPDB tables.

Sorry to have wasted your time.:oops:
 
Ok, I gave this a try now. I set "Redirect Internet traffic" on the VPN Client 2 (Hong Kong) to "All" and connected with it.
Then I connected with VPN Client 1 (London) which I set to "Policy Rules (Strict)" and then only 192.168.1.240 (my TV) -> 0.0.0.0 via VPN.
This time I could see through the provider's website (they have a sessions control page) that VPN Client 1 indeed connected to the London VPN via Hong Kong, however, I am not getting any internet access on my TV (192.168.1.240).
Any suggestions?
 

Sometimes dumb devices such as TVs are hard coded to use a specific DNS which may conflict with the VPN ISP's default DNS servers.

You could try overriding the pushed VPN ISP DNS servers by using the OpenVPN directive
Code:
dhcp-option DNS xxx.xxx.xxx.xxx
on both VPN Client configs, where xxx.xxx.xxx.xxx can be one of the Google/OpenDNS/Dyn/Comodo etc. public DNS servers.

P.S. Perhaps you should add a laptop/PC to be explicitly routed via VPN Client 1 to assist debugging rather than rely on the limited tools on the TV.
 
Thanks. It's not the TV. I forgot to mention I tried it also on several of my LAN'd computers with the same results.
And I also tried to access servers by their direct IP instead of domain names. There is no internet access at all, it's not a name resolving issue.
Any suggestions?
 
I may be missing something, but I really don't see how you can accomplish what you want without some major changes....i.e. you would need to update policy routing to be able to specify the VPN instance and have it set the routing tables appropriately.

Just for my info, why do you want to route a VPN within another VPN?
 
@john9527
I am in Thailand.
My ISP has a very very slow direct connection to London, but a very fast connection to Hong Kong due to their peering/transit agreements.
To be able to get a fast enough speed connecting to a London VPN, I must first connect/reroute through Hong Kong.

Would really appreciate if you can post a guide showing how to accomplish this. I honestly have no experience and no knowledge with policy routing and routing tables.

Thank you
 
Yes, that's what I am doing right now for the TV as I don't have any better choice, but I wanna remove the second router and just use my main router, and I know it's fully capable of achieving this if configured properly.
Problem is, I don't know how to, hopefully someone can help.
 
