
My boss got extra-paranoid and wants me to organize VPN chaining of some sort for him. I came up with the following scheme:

Client              VPN1                    VPN2
10.0.1.x[tun0]------10.0.1.1[tun0]
[1.1.1.1][eth0]     10.0.2.x[tun1]----------10.0.2.1[tun0]
                    2.2.2.2[eth0]           3.3.3.3[eth0]------internet

I can use VPN1 from Client through iptables forwarding, like this:

vpn1 # iptables -A FORWARD -s 10.0.1.0/24 -j ACCEPT
vpn1 # iptables -A FORWARD -d 10.0.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
vpn1 # iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 2.2.2.2

I can use VPN2 from VPN1 if I make it the default gateway, or if I select specific hosts, like this:

vpn1 # route add -host 8.8.8.8 dev tun1

What I can't use is the full chain VPN1-VPN2-Internet from the Client. I tried forwarding traffic from tun0 to tun1 and vice versa like this:

vpn1 # iptables -A FORWARD -i tun0 -o tun1 -j ACCEPT
vpn1 # iptables -A FORWARD -i tun1 -o tun0 -j ACCEPT

In this case I can see ICMP requests going out from the client IP on both VPN1 tun interfaces, but I can't get any response.

How can I forward all traffic from the Client through the full chain?

edit: (all on vpn1)

tcpdump -i tun0 icmp shows requests from 10.0.1.6 (Client) going to the internet

tcpdump -i tun1 shows nothing

tcpdump -i eth0 shows the same as tun0, 10.0.1.6 (Client) sending requests

My thought was that the iptables rules should forward tun0 to tun1 and vice versa, but for some reason traffic from tun0 gets to eth0 and then off to the internet. Could that be the problem?

user175985
  • What makes your boss think this is more secure than a single, properly secured, end-to-end tunnel? – Shane Madden May 31 '13 at 04:47
  • I wish I knew, I'm really in no position to argue this decision – user175985 May 31 '13 at 05:57
  • Heh, fair enough. Can you capture on the target of the ICMP and see if they're getting there? And see if there's a response being sent, and where it's going? – Shane Madden May 31 '13 at 06:00
  • Okay, here's what I did. I pinged the VPN2 node's external IP from the Client, and fired up `tcpdump -i venet0 icmp` on VPN2: no packets received. Just to be sure, I pinged VPN2 from a different machine and it worked okay. Also, I started tcpdump on VPN1 on tun1 AND tun0; requests were sent only from tun0. Forwarding between tun1 and tun0 was enabled as stated in the example in my post. – user175985 May 31 '13 at 06:23
  • I managed to get traffic using the full chain, but only for an explicitly targeted host. First, I cleaned the iptables rules, then I added `iptables -A FORWARD -s 10.0.1.0/24 -j ACCEPT`, `iptables -A FORWARD -d 10.0.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT` and `iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 10.0.2.6`, and then added a route like so: `route add -host 8.8.8.8 dev tun1`. The question is, how do I do that for any traffic from tun0, not just hardcoded hosts? : ( – user175985 May 31 '13 at 09:29
  • [enter image description here](https://i.stack.imgur.com/aScNx.png) Hi, I was trying to understand your configuration. I tried, but I can not make it work. Could you provide a configuration based on my chart? Thank you – Mauro May 31 '18 at 12:09

1 Answer


I managed to make this thing work. Basically, I need to forward all packets that come from the Client to the tun0 interface of VPN1 on to VPN1's tun1 IP address (10.0.2.6).

iptables -A FORWARD -s 10.0.1.0/24 -j ACCEPT
iptables -A FORWARD -d 10.0.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 10.0.2.6

Secondly, I need to make use of the iproute2 system by adding these rules:

This adds a default route to table 120:

ip route add default via 10.0.2.6 table 120

And this rule-based routing uses the src of the packet as the condition:

ip rule add from 10.0.1.0/24 table 120

And good to go! Now to test, I run traceroute 8.8.8.8 on the Client:

1  10.0.1.1 (10.0.1.1) 223.570 ms  444.898 ms  444.875 ms
2  10.0.2.1 (10.0.2.1) 444.845 ms  666.709 ms  889.544 ms
....

Now just the little things like automation and post-up scripts... Thanks for help!
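As an added example (not from the original question or answer), here is the answer's recipe as a complete post-up script for VPN1, with one addition a defender wants in a chained setup: a FORWARD rule that drops Client traffic unless it leaves through tun1, so a collapsed VPN2 tunnel fails closed instead of letting the main table push the traffic out eth0 in the clear. The interface names tun0/tun1, the 10.0.1.0/24 subnet, table 120 and VPN1's tun1 address 10.0.2.6 are taken from the post; the script prints the commands by default and only executes them with `--apply`.

```shell
#!/bin/sh
# Added example: post-up script for VPN1 building the Client -> VPN1 -> VPN2
# chain. Names and addresses follow the original post; tun0/tun1 on VPN1 and
# 10.0.2.6 as VPN1's tun1 address are assumed. Dry-run by default.
set -eu

CLIENT_NET=10.0.1.0/24   # Client <-> VPN1 tunnel network, reached via tun0
INNER_IF=tun0            # VPN1 interface facing the Client
OUTER_IF=tun1            # VPN1 interface facing VPN2
OUTER_IP=10.0.2.6        # VPN1's own address on tun1, used as SNAT source
TABLE=120                # policy-routing table consulted for Client traffic
DRY_RUN=${DRY_RUN:-1}    # 1 = print commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_chain() {
    run sysctl -w net.ipv4.ip_forward=1
    # Leak guard: Client packets may only leave through the VPN2 tunnel. If
    # tun1 goes away, its route in table 120 goes with it and the main table
    # would otherwise send Client traffic out eth0 unencrypted; drop it instead.
    run iptables -A FORWARD -s "$CLIENT_NET" ! -o "$OUTER_IF" -j DROP
    run iptables -A FORWARD -i "$INNER_IF" -o "$OUTER_IF" -s "$CLIENT_NET" -j ACCEPT
    run iptables -A FORWARD -i "$OUTER_IF" -o "$INNER_IF" -d "$CLIENT_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rewrite Client sources to VPN1's tun1 address so VPN2, which knows
    # nothing about 10.0.1.0/24, can route the replies back.
    run iptables -t nat -A POSTROUTING -s "$CLIENT_NET" -o "$OUTER_IF" \
        -j SNAT --to-source "$OUTER_IP"
    # Policy routing: anything sourced from the Client subnet is looked up in
    # table 120, whose only default route points into tun1, so the main
    # table's default via eth0 is never consulted for it.
    run ip route replace default dev "$OUTER_IF" table "$TABLE"
    run ip rule add from "$CLIENT_NET" lookup "$TABLE" pref 100
}

case "${1:-}" in --apply) DRY_RUN=0 ;; esac
setup_chain
```

Run it once as a dry run and compare the printed rules against `iptables -S FORWARD` and `ip rule show` on VPN1 before applying; the drop rule must sit above the ACCEPT rules.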

user175985