Multi-hop/double VPN

Shakib Member, Patron Provider

So I'd like to set up a multi-hop/double VPN.

My Current Config 1: My PC > Wireguard > Internet

Current Config 2: My PC > Wireguard > Browser VPN/Proxy/Exitlag > Internet

Idea: My PC > VPN 1 > VPN 2 > Internet

Anyone know how I can do it the right way?

Comments

  • emgh Member

    Try to switch between them really fast in the middle of each request.

    Otherwise I don’t know.

    Thanked by 1Shakib
  • My advice is to think hardware, not software, because it's much simpler. Set up your router with VPN1 which makes all packages go through VPN1 by using something standard like OpenVPN configuration files. Then on your computer start the VPN2 with the proprietary software. This way you have VPN2 through VPN1.

    If you want even more security, use Tor too; so it will be Tor through VPN2 through VPN1.

    Thanked by 2Shakib Zyra
  • Shakib Member, Patron Provider

    @default said:
    My advice is to think hardware, not software, because it's much simpler. Set up your router with VPN1 which makes all packages go through VPN1 by using something standard like OpenVPN configuration files. Then on your computer start the VPN2 with the proprietary software. This way you have VPN2 through VPN1.

    If you want even more security, use Tor too; so it will be Tor through VPN2 through VPN1.

    That's something I was also looking into. Any hardware/router recommendation?

    Currently looking at OpenWRT & Mikrotik.

  • @Shakib said:

    @default said:
    My advice is to think hardware, not software, because it's much simpler. Set up your router with VPN1 which makes all packages go through VPN1 by using something standard like OpenVPN configuration files. Then on your computer start the VPN2 with the proprietary software. This way you have VPN2 through VPN1.

    If you want even more security, use Tor too; so it will be Tor through VPN2 through VPN1.

    That's something I was also looking into. Any hardware/router recommendation?

    Currently looking at OpenWRT & Mikrotik.

    OpenWRT has packages you can install, including OpenVPN. You don't need to go into expensive stuff like MikroTik. This is a low-end community after all.

    OpenWRT can be installed even on a cheap Raspberry Pi lying around (if you don't have a cheap router supporting the latest version of OpenWRT due to RAM requirements).

    Thanked by 1Shakib
  • OpenVPN on a router can be very challenging and slow.
    Instead use wireguard on the router, to get much higher speeds. And then on your desktop you can run whatever.

    Thanked by 1Shakib
  • Hxxx Member
    edited November 9

    Well was having a look at this. Running double OpenVPN between servers might be a little hard.

    However you could do two things:
    -Have two VPS. A and B.
    A runs openvpn server.
    B runs Wireguard.
    Client connects to A -> A connects to B -> B to destination.

    Another way is to run double VPN in your computer instead of connecting or bridging the servers.

    Fire up Client Connection to A.
    Fire up Client Connection to B.

    I was reading that most likely it should work fine as long as you do one first then the other (in order).

    Then there are the other ways (router and computer mix that you already know).

    If security is the goal, and maybe there are ways to configure or set this up so that it does not happen, but usually decryption happens once data reaches the VPN server. In theory... VPS 1 decrypts data then encrypts it again and sends it to VPS2. That might not be as effective as it should.

    I also read that NordVPN offers double VPN. Some providers do.

    Thanked by 1Shakib
  • Maybe completely forget VPN 1? If you do want your traffic to pass server 1, you may set up port forwarding on server 1, so you connect to VPN 2 via server 1.

    How to: google "iptables port forwarding udp"

    Thanked by 1Shakib
  • ralf Member
    edited November 9

    You'll probably need 2 wireguard interfaces on server 1, as I always end up having problems when I try to forward packets back onto the interface they came in on.

    On server 1, you'll want to add 0.0.0.0 to the AllowedIPs for server 2 peer entry so that the default route is via the second server.

    Then add an SNAT iptables rule, like this:

    iptables -t nat -A POSTROUTING -s 192.168.99.0/24 ! -d 192.168.99.0/24 -j SNAT --to-source server1_wireguard_ip

    That last IP address is the "external address" of server1, which will be the wireguard IP address that server2 knows for server1.

    Server 2 would need a similar SNAT rule too, but this time using the real external address for that machine. So, something like this:

    iptables -t nat -A POSTROUTING -s server1_wireguard_ip ! -d server1_wireguard_ip -j SNAT --to-source server2_external_ip

    I would also question what the point of the second server is, but I can see some obfuscation edge cases, but in general it doesn't seem massively useful.

    Thanked by 2Shakib Zyra
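
What the two SNAT rules in the post above do to a packet's source address at each hop, as a small model added here (not code from the thread). `10.77.0.1` and `203.0.113.20` are constructed stand-ins for `server1_wireguard_ip` and `server2_external_ip`; the model evaluates only the `-s` / `! -d` match, not routing or WireGuard's AllowedIPs.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values (assumptions): stand-ins for the placeholders in the post.
WG_CLIENT_NET = "192.168.99.0/24"  # tunnel subnet used in the post's first rule
SERVER1_WG_IP = "10.77.0.1"        # stands in for server1_wireguard_ip
SERVER2_EXT_IP = "203.0.113.20"    # stands in for server2_external_ip


@dataclass(frozen=True)
class SnatRule:
    """Models: iptables -t nat -A POSTROUTING -s SRC ! -d NOT_DST -j SNAT --to-source TO"""
    src: str
    not_dst: str
    to_source: str

    def apply(self, src_ip: str, dst_ip: str) -> str:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if s in ipaddress.ip_network(self.src) and d not in ipaddress.ip_network(self.not_dst):
            return self.to_source  # matched: source address rewritten
        return src_ip              # no match: source left untouched


SERVER1_RULE = SnatRule(WG_CLIENT_NET, WG_CLIENT_NET, SERVER1_WG_IP)
SERVER2_RULE = SnatRule(SERVER1_WG_IP, SERVER1_WG_IP, SERVER2_EXT_IP)


def trace(src_ip: str, dst_ip: str, server1_snat: bool = True) -> list[str]:
    """Source address on each leg: into server 1, server 1 -> server 2, server 2 -> destination."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(WG_CLIENT_NET):
        return [src_ip]  # stays inside the tunnel subnet; the "! -d" clause skips NAT
    after_s1 = SERVER1_RULE.apply(src_ip, dst_ip) if server1_snat else src_ip
    after_s2 = SERVER2_RULE.apply(after_s1, dst_ip)
    return [src_ip, after_s1, after_s2]


if __name__ == "__main__":
    print(trace("192.168.99.2", "198.51.100.7"))
    print(trace("192.168.99.2", "192.168.99.3"))
    # Without server 1's rule, server 2's "-s server1_wireguard_ip" never matches.
    print(trace("192.168.99.2", "198.51.100.7", server1_snat=False))
```

The third call shows why both rules are needed together: if server 1 does not rewrite the source, the packet reaches server 2 still carrying a 192.168.99.x source, server 2's rule does not match it, and it would leave with a private source address.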
  • JasonM Member
    edited November 10

    What I did for VPN to VPN...

    home pc > windscribe VPN (desktop application) > chrome Browsec VPN (extension) > internet.

    Thanked by 1Shakib
  • jahrinc Member
    edited November 10

    What I currently use:

    Desktop -> OVPN desktop app -> VILFO (VPN Router made by OVPN folks) connected on Mullvad -> Internet

    All wireguard.

    Thanked by 2Shakib jazzii
  • You can find the ikuai router through Google. It has vpn access and vpn link as the exit. It also has the feature of specifying different line exits according to the source IP. What's more, it can be installed on a vps through dd, and of course, you can also buy hardware routers.

    Thanked by 1Shakib
  • Shakib Member, Patron Provider
    edited November 10

    Thanks @everyone for your suggestions. <3

    I have found a quick fix for now.

    PC > Wireguard > Private Proxy > Internet

    Future plan is to get a MikroTik/OpenWRT router for proper double VPN setup.

  • @Shakib said: Any hardware/router recommendation?

    if you're looking for a cheap vpn router, these might be worth a look (openwrt based + "userfriendly" gui).
    https://www.gl-inet.com/products/gl-mt300n-v2/
    https://www.gl-inet.com/products/gl-ar300m/

    until last year i had several vms with openwrt in proxmox, but at some point that was too much tinkering for me. now I use several of these gl inet routers in the local network and connect to the vps via them. if you want double vpn, you could set up a vpn through the computer and send the traffic through the vpn router.

    Thanked by 2Shakib jazzii
  • You only need iptables to forward a port's traffic to destination port.

    Thanked by 1Shakib
  • Neoon Member, Community Contributor

    The easy way: tinc mesh vpn.
    The hard way: bird2 + wireguard, at least what I use, for my gaming latency optimization.

    Thanked by 3Shakib i4P1 FrankZ
  • Shakib Member, Patron Provider
    edited November 10

    @Neoon said:
    The easy way: tinc mesh vpn.
    The hard way: bird2 + wireguard, at least what I use, for my gaming latency optimization.

    I just ordered a MikroTik RouterBoard. It already supports OpenVPN and the latest firmware 7.6 is supposed to have Wireguard.

    I am still interested in your hard way setup.

  • i4P1 Member

    I also meet similar problems. Thanks for all the comments! <3

    Thanked by 1Shakib
  • Neoon Member, Community Contributor
    edited November 10

    @Shakib said:

    @Neoon said:
    The easy way: tinc mesh vpn.
    The hard way: bird2 + wireguard, at least what I use, for my gaming latency optimization.

    I just ordered a MikroTik RouterBoard. It already supports OpenVPN and the latest firmware 7.6 is supposed to have Wireguard.

    I am still interested in your hard way setup.

    I use this to set up my wireguard mesh.
    https://github.com/Ne00n/pipe-builder-3000
    Plus a bird2 setup that takes care of the routes.
    https://github.com/Ne00n/bird-spawner-3000

    You can in theory manipulate the ospf values/weight/cost so that bird routes the traffic as you wish.
    Setup is pretty stable so far, using it for my Japanese gaming.

    Thanked by 2Shakib ralf
  • CiprianoOscar Member, Host Rep

    @Shakib said:
    So I'd like to set up a multi-hop/double VPN.

    My Current Config 1: My PC > Wireguard > Internet

    Current Config 2: My PC > Wireguard > Browser VPN/Proxy/Exitlag > Internet

    Idea: My PC > VPN 1 > VPN 2 > Internet

    Anyone know how I can do it the right way?

    I think it is not that hard, just connect the 2 VPS together and make one route rule.

    We need to test it, but yeah, it is possible without problems ;)

    Thanked by 1Shakib
  • I'm curious what the use case is and why you'd take the performance hit.

  • Shakib Member, Patron Provider

    @TimboJones said:
    I'm curious what the use case is and why you'd take the performance hit.

    I am moving all my traffic through a single internet exchange then to the internet.

    It actually makes my Internet faster and I get almost no packet loss in exchange for 5ms delay.

    This is why I need the 1st VPN.

    I want to switch between multiple locations whenever needed and this is what the 2nd VPN interface will do. (Switch VPN profiles)

    I don't want to use any VPN company's service. I already have multiple VPS around the world that have been prepaid for years. Just gonna use them instead.

    Thanked by 1gzz
  • @Shakib said:

    @TimboJones said:
    I'm curious what the use case is and why you'd take the performance hit.

    I am moving all my traffic through a single internet exchange then to the internet.

    It actually makes my Internet faster and I get almost no packet loss in exchange for 5ms delay.

    This is why I need the 1st VPN.

    I want to switch between multiple locations whenever needed and this is what the 2nd VPN interface will do. (Switch VPN profiles)

    I don't want to use any VPN company's service. I already have multiple VPS around the world that have been prepaid for years. Just gonna use them instead.

    I won't argue if it works for you well enough, so I'll agree to disagree.

    Thanked by 1Shakib
  • Shakib Member, Patron Provider
    edited November 16

    Update: Got a MikroTik RB. Wireguard is running perfectly on it.

    The delay is 2ms from my PC to 1st VPN. (VPN on MikroTik)

    2nd Wireguard on my PC is also running fine. But, I lose about 20% of the bandwidth speed when I connect to a distant server with over 200ms ping.

    It's been stable otherwise.

    Thanked by 1i4P1