How to set up a Double OpenVPN configuration
In this tutorial I am going to show you how to set up a Double OpenVPN, which is essentially the process of chaining two VPN servers so that your traffic exits from a different point / IP address than the server you connect to.
This is a relatively easy process, but there is very little information out there on how to achieve it, and what exists is overly complicated. We will do this in the simplest way I know of.
*This tutorial will assume you already know how to setup a basic OpenVPN server and also client connection*
I may do a more in-depth tutorial later, but I feel that people who want to create a Double OpenVPN tunnel have already passed basic training on Linux, VPNs and networking.
Why would we want to create a Double OpenVPN configuration?
Everyone has their own reasons, but my reason for creating this configuration is that I want to have an exit IP in the USA. My ping is too high and the routing to the USA isn't too good, so I create a first hop in Tokyo or Singapore, which then connects to my USA server.
In this diagram we can assume:
- ServerA = Tokyo
- ServerB = USA
I will assume you have already set up an OpenVPN server (ServerA) and have root access to it.
We do not need access to the second OpenVPN server (ServerB) at all 😉 - a working client config for it is enough.
Step 1 — Setup routing rules
If we look at our ifconfig output we can see tun0 (the tunnel interface of our local OpenVPN server) with its internal point-to-point address, and ens3, the interface that carries our public address and our default gateway:
```
# ifconfig
ens3      Link encap:Ethernet  HWaddr 56:00:00:32:7b:2b
          inet addr:220.127.116.11  Bcast:255.255.254.0  Mask:255.255.254.0
          inet6 addr: fe80::5400:ff:fe32:7b2b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122189 errors:0 dropped:0 overruns:0 frame:0
          TX packets:134190 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:88730666 (88.7 MB)  TX bytes:21559674 (21.5 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:500 (500.0 B)  TX bytes:500 (500.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:18.104.22.168  P-t-P:22.214.171.124  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
```
Instead of only adding the usual iptables MASQUERADE rule, we first create a dedicated routing table (102 here) whose default route points at the gateway we already use on ens3:
```
ip route add default via 126.96.36.199 dev ens3 table 102
```
ens3 is our main (public) interface and 126.96.36.199 is its existing default gateway; confirm yours with `ip route show default` before copying the address. Once the client connection to ServerB comes up in Step 2 it will take over the main default route, so this table is where we will steer the traffic that must keep leaving directly via ens3.
Now let's add the following 3 iptables rules:
```
iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
iptables -t mangle -A OUTPUT -p udp -m udp --sport 80 -j MARK --set-mark 0x2
```
The first two NAT the traffic of our VPN clients whichever way it leaves: through tun1 (the client tunnel to ServerB that Step 2 creates) in normal operation, or directly through ens3. The mangle rule marks every packet our local OpenVPN server sends back to its clients. Port 80 is the port our local OpenVPN server listens on; use whatever `port` your server config specifies (OpenVPN's default is 1194), and change `udp` to `tcp` if that is what your server uses. Without this mark, the server's replies would follow the new default route into tun1 and the first-hop connection would break the moment the second tunnel came up.
Next we add these two ip rules:
```
ip rule add fwmark 0x2/0x2 lookup 102
ip rule add from 188.8.131.52 table 102
```
The first rule sends the marked packets to table 102, i.e. out through ens3 and the original gateway. The second does the same for anything sourced from ens3's public address (188.8.131.52 here; use the `inet addr` of ens3 from your own ifconfig), so SSH and any other service on ServerA stays reachable after the second tunnel takes over the default route. Note that routes, rules and iptables entries added like this do not survive a reboot: re-apply them after every boot, and always before starting the client connection in Step 2.
Step 2 – Connect to our second server
Now we need to connect from ServerA to our second OpenVPN server. We will start the client inside screen so that it keeps running after we log out.
You can download and install it quickly:
```
sudo apt-get -y install screen
```
Let's create a screen session:
```
screen -S vpn
```
Now, assuming the client config for the second server is called "second.ovpn", we connect to it:
```
openvpn --config /path/to/second.ovpn
```
This setup relies on ServerB pushing a default route (`redirect-gateway`) to the client: that is what moves ServerA's default route onto tun1, while OpenVPN itself keeps a host route to ServerB's address via the original gateway so the tunnel does not route through itself.
You can then detach from the screen session by pressing Ctrl-a followed by d.
If everything went correctly you can now connect to your OpenVPN server on ServerA as usual and all client traffic will be routed over the second hop (ServerB). Verify it by checking the public IP seen by a connected client: it should be ServerB's address, not ServerA's. Keep in mind that because of the MASQUERADE rule on ens3, client traffic silently falls back to leaving directly from ServerA if the tun1 connection drops, so watch the screen session or the client log if that matters to you.
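To tie Steps 1 and 2 together, here is an added helper script (not part of the original tutorial) that prints the exact routing and NAT commands for review, applies them, shows the resulting kernel state, and starts the second-hop client in a detached screen session. The interface names, the gateway and public address (203.0.113.x, from the documentation range), the port and the config path are assumptions set as defaults; override them with environment variables to match your own ifconfig and `ip route show default` output.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: generate, apply and
# inspect the policy-routing and NAT rules for ServerA (the first hop).
# The values below are placeholders (assumed); override them via the
# environment, e.g.:
#   WAN_IP=<ens3 address> WAN_GW=<ens3 gateway> sh double_vpn.sh print
WAN_IF="${WAN_IF:-ens3}"             # interface carrying the public address
WAN_IP="${WAN_IP:-203.0.113.10}"     # assumed: ServerA's address on $WAN_IF
WAN_GW="${WAN_GW:-203.0.113.1}"      # assumed: existing gateway (ip route show default)
HOP_IF="${HOP_IF:-tun1}"             # client tunnel towards ServerB
VPN_PROTO="${VPN_PROTO:-udp}"        # proto/port of the local OpenVPN server
VPN_PORT="${VPN_PORT:-80}"
TABLE="${TABLE:-102}"                # routing table for "stay on ens3" traffic
MARK="${MARK:-0x2}"                  # fwmark for the server's own replies
SECOND_OVPN="${SECOND_OVPN:-/path/to/second.ovpn}"   # client config for ServerB

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Print the rules in the order they must be applied, without running them,
# so they can be reviewed first.  "route replace" is safe to re-run; the
# rule/iptables lines should be applied once per boot.
double_vpn_rules() {
    valid_ipv4 "$WAN_IP" || { echo "WAN_IP '$WAN_IP' is not an IPv4 address" >&2; return 1; }
    valid_ipv4 "$WAN_GW" || { echo "WAN_GW '$WAN_GW' is not an IPv4 address" >&2; return 1; }
    cat <<EOF
ip route replace default via $WAN_GW dev $WAN_IF table $TABLE
ip rule add fwmark $MARK/$MARK lookup $TABLE
ip rule add from $WAN_IP lookup $TABLE
iptables -t mangle -A OUTPUT -p $VPN_PROTO -m $VPN_PROTO --sport $VPN_PORT -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -o $HOP_IF -j MASQUERADE
EOF
}

# Apply the generated rules as root (run "print" and read them first).
double_vpn_apply() {
    _rules=$(double_vpn_rules) || return 1
    printf '%s\n' "$_rules" | sh -e
}

# Show what is actually in the kernel, to compare against "print".
double_vpn_show() {
    ip rule show
    ip route show table "$TABLE"
    iptables -t mangle -S OUTPUT
    iptables -t nat -S POSTROUTING
}

case "${1:-}" in
    print)   double_vpn_rules ;;
    apply)   double_vpn_apply ;;
    show)    double_vpn_show ;;
    connect) screen -dmS vpn openvpn --config "$SECOND_OVPN" ;;  # detached, as in Step 2
esac
```

Run `sh double_vpn.sh print` first and compare the output with the rules in Step 1, then `sudo sh double_vpn.sh apply`, then `sudo sh double_vpn.sh connect` and reattach with `screen -r vpn` to watch the client log. Because nothing here is persistent, `apply` has to be repeated after every reboot, before `connect`.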