Chaining VPNs and I need help with tun0 and tun1 settings

yaunkay23 (New Member, joined Jul 22, 2022)
I am using this script: https://github.com/loeken/CascadingOpenvpnConnect

It creates a tun0 instance and a tun1 instance, and another if I want. I am having trouble working out how to direct traffic.

When running the first command,
Code:
sudo openvpn --config eu.fr1.cdn.internetz.me.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec (example)
I am able to connect through the VPN correctly.

However, when I initiate the second command,
Code:
sudo openvpn --config eu.fr4.cdn.internetz.me.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 10.9.1.1 (example)
I cannot figure out what to do next. The second command runs successfully, but my IP address is still listed as the first VPN (tun0). So, how do I get tun1 into the picture here?

Thanks for any help.

Script output...

This is my default routing table.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
This is the first command to run. It appears to be successful.

Code:
sudo openvpn --config client-east.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec
Thu Jul 21 19:29:55 2022 OpenVPN 2.4.4 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Thu Jul 21 19:29:55 2022 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Enter Auth Username: openvpn
Enter Auth Password: ***
Thu Jul 21 19:29:59 2022 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Jul 21 19:29:59 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul 21 19:29:59 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:29:59 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:29:59 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]3.228.10.177:1194
Thu Jul 21 19:29:59 2022 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Jul 21 19:29:59 2022 UDP link local: (not bound)
Thu Jul 21 19:29:59 2022 UDP link remote: [AF_INET]3.228.10.177:1194
Thu Jul 21 19:29:59 2022 TLS: Initial packet from [AF_INET]3.228.10.177:1194, sid=e06d136c ef7fcba7
Thu Jul 21 19:29:59 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 21 19:29:59 2022 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Jul 21 19:29:59 2022 VERIFY OK: nsCertType=SERVER
Thu Jul 21 19:29:59 2022 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Jul 21 19:30:00 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jul 21 19:30:00 2022 [OpenVPN Server] Peer Connection Initiated with [AF_INET]3.228.10.177:1194
Thu Jul 21 19:30:01 2022 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Jul 21 19:30:01 2022 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.27 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Thu Jul 21 19:30:01 2022 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.4.4)
Thu Jul 21 19:30:01 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.4.4)
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: compression parms modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: route options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: route-related options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: peer-id set
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Jul 21 19:30:01 2022 OPTIONS IMPORT: data channel crypto options modified
Thu Jul 21 19:30:01 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul 21 19:30:01 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:30:01 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:30:01 2022 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:cb:a6:e2
Thu Jul 21 19:30:01 2022 TUN/TAP device tun0 opened
Thu Jul 21 19:30:01 2022 TUN/TAP TX queue length set to 100
Thu Jul 21 19:30:01 2022 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 21 19:30:01 2022 /sbin/ip link set dev tun0 up mtu 1500
Thu Jul 21 19:30:02 2022 /sbin/ip addr add dev tun0 172.27.232.27/21 broadcast 172.27.239.255
Thu Jul 21 19:30:02 2022 updown.sh tun0 1500 1553 172.27.232.27 255.255.248.0 init
## updown.sh: STARTED
## updown.sh: hop id: (default: 1)
## updown.sh: gateway of last hop: (default: local gateway)
## updown.sh: local gateway: 10.0.2.2
## updown.sh: VPN: local IP address: 172.27.232.27
## updown.sh: VPN: local netmask: 255.255.248.0
## updown.sh: VPN: local gateway: 172.27.232.1
## updown.sh: VPN: vpn IP address: 3.228.10.177
## updown.sh: Notice: You didn't set 'hopid'. Assuming this to be the first hop (hopid=1).
## updown.sh: Notice: You didn't set the previous gateway. The gateway of your local network ('10.0.2.2') will be used.
## updown.sh: executing: '/sbin/ip route add 3.228.10.177 via 10.0.2.2'
## updown.sh: executing: '/sbin/ip route add 0.0.0.0/1 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 128.0.0.0/1 via 172.27.232.1'
## updown.sh: HINT: For the next hop, start openvpn with the following options:
## updown.sh: HINT: openvpn --config <config.ovpn> --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 172.27.232.1
## updown.sh: FINISHED
Thu Jul 21 19:30:07 2022 Initialization Sequence Completed
If I change my DNS to 8.8.8.8, my traffic goes through my VPN.

After running the first command, this is what my routing table looks like.
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
3.228.10.177    10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun0
This is my second command. It also appears to be successful.
Code:
sudo openvpn --config client-west.ovpn --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 172.27.232.1
Thu Jul 21 19:34:30 2022 OpenVPN 2.4.4 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Thu Jul 21 19:34:30 2022 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Enter Auth Username: openvpn
Enter Auth Password: ***
Thu Jul 21 19:34:34 2022 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Jul 21 19:34:34 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jul 21 19:34:34 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:34:34 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 21 19:34:34 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:34 2022 Socket Buffers: R=[180224->180224] S=[180224->180224]
Thu Jul 21 19:34:34 2022 UDP link local: (not bound)
Thu Jul 21 19:34:34 2022 UDP link remote: [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:34 2022 TLS: Initial packet from [AF_INET]52.53.125.237:1194, sid=0ca1cb6e b7f72f45
Thu Jul 21 19:34:34 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 21 19:34:34 2022 VERIFY OK: depth=1, CN=OpenVPN CA
Thu Jul 21 19:34:34 2022 VERIFY OK: nsCertType=SERVER
Thu Jul 21 19:34:34 2022 VERIFY OK: depth=0, CN=OpenVPN Server
Thu Jul 21 19:34:34 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jul 21 19:34:34 2022 [OpenVPN Server] Peer Connection Initiated with [AF_INET]52.53.125.237:1194
Thu Jul 21 19:34:35 2022 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu Jul 21 19:34:36 2022 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.232.1,dhcp-option DNS 172.31.0.2,register-dns,block-ipv6,ifconfig 172.27.232.28 255.255.248.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Thu Jul 21 19:34:36 2022 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:16: register-dns (2.4.4)
Thu Jul 21 19:34:36 2022 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.4.4)
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: compression parms modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: route options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: route-related options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: peer-id set
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Jul 21 19:34:36 2022 OPTIONS IMPORT: data channel crypto options modified
Thu Jul 21 19:34:36 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jul 21 19:34:36 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:34:36 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jul 21 19:34:36 2022 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:cb:a6:e2
Thu Jul 21 19:34:36 2022 TUN/TAP device tun1 opened
Thu Jul 21 19:34:36 2022 TUN/TAP TX queue length set to 100
Thu Jul 21 19:34:36 2022 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 21 19:34:36 2022 /sbin/ip link set dev tun1 up mtu 1500
Thu Jul 21 19:34:36 2022 /sbin/ip addr add dev tun1 172.27.232.28/21 broadcast 172.27.239.255
Thu Jul 21 19:34:36 2022 updown.sh tun1 1500 1553 172.27.232.28 255.255.248.0 init
## updown.sh: STARTED
## updown.sh: hop id: 2 (default: 1)
## updown.sh: gateway of last hop: 172.27.232.1 (default: local gateway)
## updown.sh: local gateway: 10.0.2.2
## updown.sh: VPN: local IP address: 172.27.232.28
## updown.sh: VPN: local netmask: 255.255.248.0
## updown.sh: VPN: local gateway: 172.27.232.1
## updown.sh: VPN: vpn IP address: 52.53.125.237
## updown.sh: executing: '/sbin/ip route add 52.53.125.237 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 0.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 64.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 128.0.0.0/2 via 172.27.232.1'
## updown.sh: executing: '/sbin/ip route add 192.0.0.0/2 via 172.27.232.1'
## updown.sh: HINT: For the next hop, start openvpn with the following options:
## updown.sh: HINT: openvpn --config <config.ovpn> --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 3 --setenv prevgw 172.27.232.1
## updown.sh: FINISHED
Thu Jul 21 19:34:41 2022 Initialization Sequence Completed
My routing table after running the second command. Some issue here: https://github.com/loeken/CascadingOpenvpnConnect
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.232.1    192.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
ec2-3-228-10-17 10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
ec2-52-53-125-2 172.27.232.1    255.255.255.255 UGH   0      0        0 tun0
64.0.0.0        172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun1
192.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
When I run tcpdump, there is traffic over tun0 (the first vpn), however, there is no traffic at all on tun1 (the second VPN).

I'm stumped. Not sure what to do next.
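A route-resolution check over the final routing table, added here as an example; it is not part of the original post or of the CascadingOpenvpnConnect project. Both PUSH_REPLY messages above carry the same `route-gateway 172.27.232.1` and an `ifconfig` in the same 172.27.232.0/21 subnet, so once tun1 is up that gateway is on-link on both tunnels. The script parses a `netstat -rn` style table, performs the kernel's longest-prefix match for a destination, and reports which interface each hop's routes were actually attached to and which gateways are reachable over more than one interface. The sample table is constructed from the poster's last table with the two ec2-* hostnames replaced by the server IPs from the logs; the tie-break between identical routes (first listed wins) is an assumption that matches what the Iface column shows.

```python
"""Route-resolution check for a chained-VPN routing table (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the poster's routing table after the second hop, in
# `netstat -rn` form, with the ec2-* hostnames replaced by the server IPs
# seen in the OpenVPN logs (3.228.10.177 and 52.53.125.237).
ROUTING_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.27.232.1    192.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.27.232.1    128.0.0.0       UG    0      0        0 tun0
default         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
3.228.10.177    10.0.2.2        255.255.255.255 UGH   0      0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
52.53.125.237   172.27.232.1    255.255.255.255 UGH   0      0        0 tun0
64.0.0.0        172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
128.0.0.0       172.27.232.1    128.0.0.0       UG    0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun0
172.27.232.0    0.0.0.0         255.255.248.0   U     0      0        0 tun1
192.0.0.0       172.27.232.1    192.0.0.0       UG    0      0        0 tun0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for on-link (connected) routes
    iface: str
    metric: int


def parse_routes(text: str) -> list:
    """Parse `netstat -rn` / `route -n` output into Route objects, in table order."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dst, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        dst = "0.0.0.0" if dst == "default" else dst
        network = ipaddress.IPv4Network(f"{dst}/{mask}", strict=False)
        gateway = None if gw in ("0.0.0.0", "*") else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, iface, int(metric)))
    return routes


def lookup(routes: list, dst: str) -> Optional[Route]:
    """Longest-prefix match; ties go to the lower metric, then to the route listed
    first (assumption: this mirrors how the kernel picked tun0 for the duplicate
    172.27.232.0/21 routes in the poster's table)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr not in r.network:
            continue
        if best is None or r.network.prefixlen > best.network.prefixlen or (
            r.network.prefixlen == best.network.prefixlen and r.metric < best.metric
        ):
            best = r
    return best


def on_link_interfaces(routes: list, gateway: str) -> list:
    """Interfaces whose connected route covers `gateway`; more than one means the
    next hop is ambiguous and the kernel will attach routes to whichever it picks."""
    gw = ipaddress.IPv4Address(gateway)
    return [r.iface for r in routes if r.gateway is None and gw in r.network]


def audit_chain(routes: list, tunnels: list) -> dict:
    """Count the routes attached to each tunnel and flag ambiguous gateways."""
    report = {"routes_per_iface": {t: 0 for t in tunnels}, "ambiguous_gateways": {}}
    for r in routes:
        if r.iface in report["routes_per_iface"]:
            report["routes_per_iface"][r.iface] += 1
        if r.gateway is not None:
            ifaces = on_link_interfaces(routes, str(r.gateway))
            if len(set(ifaces)) > 1:
                report["ambiguous_gateways"][str(r.gateway)] = sorted(set(ifaces))
    return report


ROUTES = parse_routes(ROUTING_TABLE)

if __name__ == "__main__":
    hit = lookup(ROUTES, "8.8.8.8")
    print(f"8.8.8.8 -> {hit.network} via {hit.gateway} dev {hit.iface}")
    print(audit_chain(ROUTES, ["tun0", "tun1"]))
```

Run as-is, it reports that a public destination such as 8.8.8.8 matches the hop-2 route 0.0.0.0/2 but leaves via tun0, that tun1 carries nothing except its own connected route, and that 172.27.232.1 is on-link on both tun0 and tun1. That is the routing-table view of the tcpdump observation: the hop-2 routes exist, but their next hop resolves to the first tunnel. For the chain to work, hop-2 routes have to be pinned to the second tunnel (iproute2 accepts an explicit `dev tun1` alongside `via`), or the two hops need distinct tunnel subnets so the gateway is unambiguous.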