VPN chaining using openvpn
My boss got extra-paranoid and wants me to organize VPN-chaining of some sort for him. I came up with the following scheme:
Client              VPN1                    VPN2
10.0.1.x[tun0]------10.0.1.1[tun0]
[1.1.1.1][eth0]     10.0.2.x[tun1]----------10.0.2.1[tun0]
                    2.2.2.2[eth0]           3.3.3.3[eth0]------internet
I can use VPN1 from Client through iptables forwarding, like this:
vpn1 # iptables -A FORWARD -s 10.0.1.0/24 -j ACCEPT
vpn1 # iptables -A FORWARD -d 10.0.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
vpn1 # iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 2.2.2.2
I can use VPN2 from VPN1 if I make it the default gateway, or if I select specific hosts, like this:
vpn1 # route add -host 8.8.8.8 dev tun1
What I can't use is full chain VPN1-VPN2-Internet from Client. I tried forwarding traffic from tun0 to tun1 and vice versa like this:
vpn1 # iptables -A FORWARD -i tun0 -o tun1 -j ACCEPT
vpn1 # iptables -A FORWARD -i tun1 -o tun0 -j ACCEPT
In this case I can see ICMP requests leaving from the client IP on both VPN1 tun interfaces, but I can't get any response.
How can I forward all traffic from Client through full chain?
edit: (all on vpn1)
tcpdump -i tun0 icmp shows requests with 10.0.1.6(Client) going to internet
tcpdump -i tun1 shows nothing
tcpdump -i eth0 shows same as tun0, 10.0.1.6(Client) sending request
My thought was that the iptables rules should forward tun0 to tun1 and vice versa, but for some reason traffic from tun0 gets to eth0 and then out to the internet. Could that be the problem?
Solution 1:
I managed to make this thing work. Basically, I need to forward all packets that come from the Client to the tun0 interface of VPN1 on to VPN1's tun1 IP address (10.0.2.6).
iptables -A FORWARD -s 10.0.1.0/24 -j ACCEPT
iptables -A FORWARD -d 10.0.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 10.0.2.6
Secondly, I need to make use of the iproute2 system by adding these rules.
This adds a default route to table 120:
ip route add default via 10.0.2.6 table 120
and this adds rule-based routing, using the packet's source address as the condition:
ip rule add from 10.0.1.0/24 table 120
And good to go! Now to test, I do traceroute 8.8.8.8 on Client:
1 10.0.1.1 (10.0.1.1) 223.570 ms 444.898 ms 444.875 ms
2 10.0.2.1 (10.0.2.1) 444.845 ms 666.709 ms 889.544 ms
....
Now just the little things like automation and post-up scripts... Thanks for help!
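An added example, not part of the answer above: a small POSIX shell script that applies the same iptables rules and the table-120 policy routing on VPN1, adds a drop rule so client packets can never fall back to eth0 when tun1 is down or the ip rule is missing, and asks the kernel with ip route get which interface a client packet would actually leave on (the check the question's tcpdump on eth0 was doing by hand). Addresses and interface names tun0/tun1/eth0 are taken from the question; DRY_RUN, run, apply_chain, egress_is and check_chain are names chosen here.

```shell
#!/bin/sh
# Added example: applies the answer's fix on VPN1 and verifies where client
# packets leave. Addresses/interfaces are from the question; DRY_RUN=1 prints
# the commands instead of running them (running for real needs root).
CLIENT_NET=${CLIENT_NET:-10.0.1.0/24}   # subnet VPN1 hands out on tun0
TUN1_IP=${TUN1_IP:-10.0.2.6}             # VPN1's own address on tun1 (towards VPN2)
TABLE=${TABLE:-120}                      # policy-routing table for client traffic
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_chain() {
    run sysctl -w net.ipv4.ip_forward=1
    # Kill-switch first, so it is matched before the ACCEPT rules: client
    # packets that would leave via eth0 (tun1 down, rule missing) are dropped.
    run iptables -A FORWARD -i tun0 -o eth0 -j DROP
    # Same three rules as the answer; SNAT only on tun1 so VPN2 sees the
    # traffic from its own tunnel subnet.
    run iptables -A FORWARD -s "$CLIENT_NET" -j ACCEPT
    run iptables -A FORWARD -d "$CLIENT_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$CLIENT_NET" -o tun1 -j SNAT --to-source "$TUN1_IP"
    # Source-based routing: packets from the client subnet consult table
    # $TABLE, whose only default route points into tun1 (a point-to-point
    # interface, so "dev tun1" suffices; the answer uses "via 10.0.2.6").
    run ip route replace default dev tun1 table "$TABLE"
    run ip rule add from "$CLIENT_NET" table "$TABLE"
}

# Read `ip route get` output on stdin; succeed only if the selected egress
# device is $1.
egress_is() {
    awk -v want="$1" '{ for (i = 1; i < NF; i++) if ($i == "dev") d = $(i + 1) }
                      END { if (d == want) exit 0; exit 1 }'
}

# Ask the kernel which way a packet from client $1 arriving on tun0 would go.
check_chain() {
    ip route get 8.8.8.8 from "${1:-10.0.1.6}" iif tun0 | egress_is tun1
}

if [ "${1:-}" = apply ]; then
    apply_chain
elif [ "${1:-}" = check ]; then
    if check_chain "${2:-10.0.1.6}"; then echo "client traffic egresses via tun1"
    else echo "LEAK: client traffic would not leave via tun1" >&2; exit 1; fi
fi
```

Run it as `sh chain.sh apply` on VPN1 after both tunnels are up, then `sh chain.sh check` before trusting the setup; with DRY_RUN=1 the apply step only prints the commands for review.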