2

I have an Ubuntu 16.04 server that I have running xl2tp and openvpn as a VPN server. However, I want the server itself to be connected to either a SOCKS Proxy or another OpenVPN connection. That is:

client --> server --> vpn or socks server --> internet

Right now, if I perform a curl or wget request from the server's terminal (to, say, https://api.ipify.com/), its traffic is clearly going through the second vpn or socks (I've tried both). However, if I connect a client to the server over l2tp or openvpn, and then try the same curl or wget from the client, its traffic is exiting from the server directly, rather than being routed through the second vpn / socks proxy.

In other words, although what I want is:

client --> server --> vpn or socks server --> internet

What I'm getting instead is:

client --> server +---(server-native traffic)---> vpn2/socks --> internet
                  |
                  +---(client vpn traffic)----> internet

How can I achieve the result of forcing traffic from VPN clients into a second vpn or socks proxy?

I'd like to do this transparently - I can't control how the clients connect to the server, but I can control the server.

cegfault
  • 175
  • 1
  • 7
  • 1
    What are the routing table and firewall on the server, at the time it is exhibiting the problem? – Michael Hampton Dec 13 '17 at 20:01
  • All firewalls are temporarily disabled (to eliminate it as a problem). As for routing table, I've manually made a tuntap with subnet and default gateway to a foreign socks, as well as simply using openvpn as a client to connect to the foreign vpn server. – cegfault Dec 13 '17 at 20:04
  • openvpn probably needs a static route to the server and a default gateway "inside" the second vpn defined in the configs. – Daniel Widrick Dec 20 '17 at 17:44
  • @DanielWidrick wouldn't that require a change in the openvpn client config? – cegfault Dec 21 '17 at 16:35
  • Off the top of my head, I believe the server can push routes. It might need a client update though. – Daniel Widrick Jan 10 '18 at 20:15
  • An example configuration is available at https://github.com/InternetForIran/InternetForIran . – HappyFace Nov 05 '22 at 13:07
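The split drawn in the question (server-native traffic through the second hop, forwarded client traffic straight out of the uplink) is a source-routing problem: whatever steers the server's own packets into the second tunnel does not cover packets forwarded from the client subnet. The following Python model is an added example, not code from the asker, the answer, or the linked project. It simulates Linux `ip rule` / `ip route` lookups just far enough to show the leak and the fix, audits a routing state for two defender-relevant conditions (client traffic leaking out of the uplink, and the second tunnel's endpoint being routed into the tunnel itself, which would loop), and renders the fixed state as iproute2 commands. Interface names (`tun0` for the server's own VPN, `tun1` for the second VPN or a SOCKS tun adapter, `eth0` for the uplink), the client subnet 10.8.0.0/24, the server address 203.0.113.10 and the endpoint 198.51.100.5 are all constructed assumptions; the "leaky" state is one constructed way to reproduce the asker's symptom, not a diagnosis of their server.

```python
"""Policy-routing model for a VPN server chained behind a second tunnel.

Constructed example (not from the Server Fault thread).  Addresses come from
the RFC 5737 documentation ranges; interface names are assumptions:
  tun0  = the server's own VPN, clients in 10.8.0.0/24
  tun1  = the second VPN / SOCKS tun adapter
  eth0  = uplink, server address 203.0.113.10
  198.51.100.5 = endpoint of the second tunnel (must stay reachable via eth0)
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net  # destination prefix
    dev: str     # egress interface


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[Net] = None  # None means "from all"


def lookup(table: list[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match within one routing table."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def egress(rules: list[Rule], tables: dict[str, list[Route]], src: str, dst: str) -> Optional[str]:
    """Walk rules in priority order; the first table holding a matching route decides.
    A table with no match falls through to the next rule, as the kernel does."""
    s, d = IPv4(src), IPv4(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and s not in rule.src:
            continue
        route = lookup(tables[rule.table], d)
        if route is not None:
            return route.dev
    return None


CLIENT_NET = Net("10.8.0.0/24")          # assumed client subnet behind tun0
SERVER_ADDR = Net("203.0.113.10/32")     # assumed uplink address of the server
VPN2_ENDPOINT = Net("198.51.100.5/32")   # assumed endpoint of the second tunnel

MAIN = [
    Route(CLIENT_NET, "tun0"),
    Route(Net("203.0.113.0/24"), "eth0"),
    Route(VPN2_ENDPOINT, "eth0"),
    Route(Net("0.0.0.0/0"), "eth0"),      # uplink is still the default
]
VPN2 = [
    Route(VPN2_ENDPOINT, "eth0"),         # keep the tunnel's own packets off the tunnel
    Route(CLIENT_NET, "tun0"),            # return path to clients
    Route(Net("0.0.0.0/0"), "tun1"),      # everything else into the second hop
]

# Constructed "leaky" state: only the server's own source address is steered
# into the vpn2 table, so forwarded client packets fall through to main/eth0.
LEAKY = {"rules": [Rule(100, "vpn2", SERVER_ADDR), Rule(32766, "main")],
         "tables": {"main": MAIN, "vpn2": VPN2}}
# Fixed state: one extra rule covers the client subnet as well.
FIXED = {"rules": [Rule(100, "vpn2", SERVER_ADDR), Rule(101, "vpn2", CLIENT_NET), Rule(32766, "main")],
         "tables": {"main": MAIN, "vpn2": VPN2}}


def audit(state: dict, client_net: Net = CLIENT_NET, tunnel_dev: str = "tun1",
          endpoint: Net = VPN2_ENDPOINT) -> list[str]:
    """Return findings; an empty list means client traffic is contained and loop-free."""
    findings = []
    client = str(client_net[2])      # an arbitrary client address
    internet = "192.0.2.44"          # TEST-NET-1 host standing in for any public site
    dev = egress(state["rules"], state["tables"], client, internet)
    if dev != tunnel_dev:
        findings.append(f"LEAK: {client} -> {internet} egresses via {dev}, expected {tunnel_dev}")
    ep = str(endpoint[0])
    for src in (client, str(SERVER_ADDR[0])):
        if egress(state["rules"], state["tables"], src, ep) == tunnel_dev:
            findings.append(f"LOOP: {src} -> tunnel endpoint {ep} would be sent into {tunnel_dev} itself")
    return findings


def iproute2_commands(client_net: Net = CLIENT_NET, tunnel_dev: str = "tun1", endpoint: Net = VPN2_ENDPOINT,
                      uplink: str = "eth0", uplink_gw: str = "<uplink-gateway>", table: int = 100) -> list[str]:
    """Render the fixed state as iproute2/iptables commands (placeholder gateway, assumed names)."""
    return [
        f"ip route add {endpoint} via {uplink_gw} dev {uplink} table {table}",
        f"ip route add {client_net} dev tun0 table {table}",
        f"ip route add default dev {tunnel_dev} table {table}",
        f"ip rule add from {client_net} lookup {table} priority 101",
        f"iptables -t nat -A POSTROUTING -s {client_net} -o {tunnel_dev} -j MASQUERADE",
    ]


if __name__ == "__main__":
    print("leaky:", audit(LEAKY) or "ok")
    print("fixed:", audit(FIXED) or "ok")
    print("\n".join(iproute2_commands()))
```

The two audit conditions are the ones worth checking on a real box with `ip rule show` and `ip route show table <n>`: the client subnet must hit a table whose default is the second tunnel, and the /32 for the tunnel endpoint must win in that same table so the encapsulated packets still leave via the uplink. The example assumes the second hop is presented as a tun device, which covers an OpenVPN client or a SOCKS tun adapter like the one the asker describes; a plain SOCKS listener with no tun device cannot be reached by routing alone.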

1 Answer

1

It's been five (5) years - almost to the day - since I posted this question (holy existential dread Batman!). For the sake of anyone coming here from a web search:

Use Wireguard

I was able to solve my problem a long time ago with WireGuard, compiled into the Linux kernel as of 5.6 (March 2020) and on. There are utilities available for mobile, desktop, and server platforms.

For those who don't want to use wireguard, or need a tor proxy, @HappyFace recently commented that example configurations exist in a new Iran-focused github project. I have no idea if they work or not.

Wireguard has met all my needs. Its networking scheme is far simpler and easier to learn.

cegfault
  • 175
  • 1
  • 7