Hansito

Is it possible to connect two VPNs at the same time?


Hello, sorry, I'm a newbie.

Is it possible to connect two VPNs at once? How? I think it is more secure, like 2 layers: if VPN 1 fails I still have VPN 2... right?

I tried to do it with VirtualBox and bridged connection mode (1 VPN on the PC and VPN 2 in the virtual machine), but I did not succeed.

Sorry if I do not write well, I do not speak English very well.

Thank you!

Share this post


Link to post

Yes.

 

1) Log in to VPN #1 on the host machine.

2) Start your virtual machine (such as VMware Workstation), and log in to VPN #2.

Share this post


Link to post

Is it only possible in VMware, or also in VirtualBox? Because in VirtualBox, the virtual machine gets the real IP, not the VPN's; however, on the host machine the VPN is connected...

VMware in bridged mode, to do what I asked, right?

 

thank you!

Share this post


Link to post

Hello!

 

You must make sure that the VM (either in VirtualBox or VMware) is attached to the host via NAT. This is vital to tunnel traffic over VPN1 over VPN2 on the VM. After that, just connect the host to a VPN, and then the guest to another one.

 

Kind regards

Share this post


Link to post

I do this all of the time on Windows without a VM.

 

Take a look at what I wrote as "UPDATE 2" and "UPDATE 3" in this post:

 

/topic/9491-guide-to-setting-up-vpn-just-for-torrenting-on-windows/?do=findComment&comment=10326

 

1) You need to set up a second VPN IP interface. The OpenVPN install only creates one.

 

2) You have to add directives for the OpenVPN client to manually set up the routing table so that there will be no conflicts.

 

3) There can be only one "default gateway" at a time. So any client that is to use a VPN that is not the default gateway must have an option to "bind" to a specific IP interface. This is certainly the case for major torrent clients, as I explain in these identical posts:

 

/topic/9549-traffic-splitting-guide-to-setting-up-vpn-only-for-torrenting-on-windows-thanks-to-nadre/

/topic/9491-guide-to-setting-up-vpn-just-for-torrenting-on-windows/?do=findComment&comment=10317

 

The technique I describe in that guide allows me to switch between the two VPN interfaces and the real interface as the default gateway without having to stop and start VPN-s. You will probably need to understand the background information I provide there in order to be able to do this.

 

UPDATE:

 

A comment regarding the restriction I mentioned in 3): "any client that is to use a VPN that is not the default gateway must have an option to "bind" to a specific IP interface".

 

I use get_iplayer to pull stuff from the BBC web site (over the VPN - I am not in the UK) to a file so that I can save it for posterity. I have not as yet figured out how to get the "Web PVR Manager" (written in Perl) to query the BBC web site using a specified IP interface, and invoke rtmpdump so as to use that same IP interface. Since I am familiar with Debian Linux, I did set up a VM to run Debian under VMware Player.

 

So if the client you want to use cannot use a VPN interface that is not the default gateway, a VM may be the only option.

 

So I am certainly not against the idea of setting up a VM.

 

By the way, my Debian under VMware Player instance uses a "bridged" virtual ethernet adapter so that it appears to my router as if it was a separate machine. This assures that the VPN connection that the VM makes does not end up going over a VPN connection that my Windows system may be using as a default gateway at the same time!

 

Also by using a "bridged" adapter, my VM can be reached from other devices in my home so that the VPN can be shared by several devices at once. This can be very useful. Basically I sometimes use it as a "virtual router".

 

But setting up a VM like this may be beyond the ability of most folks here? There would be a lot to learn. But if anyone is interested in more information, let me know. Bear in mind though that I use VMware Player. I have not used VirtualBox in a very long time. And my Linux of choice is Debian. So it is about these that I can easily comment.

Share this post


Link to post

@NaDre

@Hansito

 

Apparently, Hansito wishes to tunnel ALL the VPN2 traffic over VPN1; he does not wish to have two independent tunnels.

 

Kind regards

Share this post


Link to post

Sorry. I missed that.

 

I have done this, also without a VM. I accessed AirVPN over a VPN that I get with my seed box. But I have never attempted to document it here. It also needs some subtle OpenVPN configuration tricks. But it may be easier than a VM for someone who has no background with VM-s, or knowledge of Linux, or the ability to install another Windows instance?

 

===

 

Hansito (or anyone else),

 

Let me know if you are interested in this. It would not be simple for a newbie. And explaining it would take some effort. So I want to be sure it is wanted. The result when I did it was not very good for streaming media.

Share this post


Link to post

 


Hello!

 

Probably with a VM the whole procedure is easier, considering the "click and go" philosophy of today's VirtualBox etc., but your method may have a very high value from a technical and didactic point of view, not to mention its importance on old boxes for which virtualization is problematic.

 

Kind regards

Share this post


Link to post

Hello again. First I want to give thanks for helping me with my question.

Finally I have succeeded with my objective. I used VMware, I connected the virtual machine with the host, and when I do this I get 2 layers of VPN.

NaDre, I am interested in your information. I am a newbie, yes, but I am not afraid to study. I want to know about your investigations, if you are still willing.

I have another question now:

Is it possible to connect another virtual machine with the first virtual machine to get 3 VPN layers...?

Yes, I sound like a paranoiac :-D, but it is only curiosity.

 

Kind regards

Share this post


Link to post


Ok. I will first try to explain it briefly. If people ask questions I may come back and add to this.

 

This discussion applies to Windows. But the trick here could be adapted to Linux (and I suspect Mac) too.

 

First let me say that I avoid all of the hassle with DNS set up in OpenVPN by running BIND on my PC. See this post for an explanation of how to do this:

 

/topic/9289-dns-leaks-and-how-to-fix-them/?do=findComment&comment=9978

 

I think in the context of chaining VPN-s running BIND yourself makes even more sense. I will assume here that the user is doing this.

 

Also, the background information about IP interfaces and the routing table that I provided in my guide would (as I said in a post above) be helpful here. See:

 

/topic/9549-traffic-splitting-guide-to-setting-up-vpn-only-for-torrenting-on-windows-thanks-to-nadre/

/topic/9491-guide-to-setting-up-vpn-just-for-torrenting-on-windows/?do=findComment&comment=10317

 

And as I explained in my post about having a second independent VPN instance (see the post above), you need to create a second "TAP-Windows" VPN adapter. In the Windows "Start Menu" use "TAP-Windows/Utilities/Add a new TAP virtual ethernet adapter". You still need to run it as "Administrator" by right mouse-clicking.

 

First I will explain why you cannot just start one VPN and then the second, and have them nest the way that we want here. For this I will repeat here a sample from the guide:

 

Routing Table with VPN Up

C:\Documents and Settings\user>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 a2 b9 61 ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
0x3 ...00 ff 42 5e d2 9e ...... TAP-Windows Adapter V9 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway        Interface     Metric
0.0.0.0              128.0.0.0        10.4.50.141    10.4.50.142   1
0.0.0.0              0.0.0.0          192.168.1.254  192.168.1.69  10
10.4.0.1             255.255.255.255  10.4.50.141    10.4.50.142   1
10.4.50.140          255.255.255.252  10.4.50.142    10.4.50.142   30
10.4.50.142          255.255.255.255  127.0.0.1      127.0.0.1     30
10.255.255.255       255.255.255.255  10.4.50.142    10.4.50.142   30
95.211.169.3         255.255.255.255  192.168.1.254  192.168.1.69  1
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1     1
128.0.0.0            128.0.0.0        10.4.50.141    10.4.50.142   1
192.168.1.0          255.255.255.0    192.168.1.69   192.168.1.69  10
192.168.1.69         255.255.255.255  127.0.0.1      127.0.0.1     10
192.168.1.255        255.255.255.255  192.168.1.69   192.168.1.69  10
224.0.0.0            240.0.0.0        10.4.50.142    10.4.50.142   30
224.0.0.0            240.0.0.0        192.168.1.69   192.168.1.69  10
255.255.255.255      255.255.255.255  10.4.50.142    10.4.50.142   1
255.255.255.255      255.255.255.255  192.168.1.69   192.168.1.69  1
Default Gateway: 10.4.50.141
===========================================================================
Persistent Routes:
None

The problem relates to these entries that were added by OpenVPN when the VPN came up:

0.0.0.0 128.0.0.0 10.4.50.141 10.4.50.142 1
...
95.211.169.3 255.255.255.255 192.168.1.254 192.168.1.69 1
...
128.0.0.0 128.0.0.0 10.4.50.141 10.4.50.142 1

The lines with the "128.0.0.0" net mask are used to override the default gateway. If we do nothing to avoid a conflict, when you start the second VPN, it will want to use the same trick. And this will not work.

 

The line with the "255.255.255.255" net mask is used to ensure that traffic to the VPN server gets routed out the original gateway, which was the routing table entry with the "0.0.0.0" net mask. Without this there would basically be an infinite loop. The second problem is that when you start the second VPN, it will also make an entry like this. But unfortunately OpenVPN again points to the original gateway with the "0.0.0.0" net mask. And this is not what is needed.

 

So to make this work I overrode what OpenVPN does to the routing table, and set it up myself.

 

In the ".ovpn" configuration file for the first VPN instance I added these lines:

route-nopull
route   0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
route remote_host 255.255.255.255 net_gateway

This basically achieves the same thing that OpenVPN would have done. Except it will not attempt to set up DHCP or DNS stuff (again, I use BIND myself).

 

Once again, for reference, the documentation for OpenVPN configuration directives is here:

 

https://community.op...penvpn23ManPage

 

In the config for the second VPN instance, we do not want to use a "128.0.0.0" net mask for the default gateway entries. We will move up to a net mask of "192.0.0.0" (see the background information in my guide). Also, we will not use the special symbol "net_gateway". As I said above, OpenVPN will unfortunately point this at the original "0.0.0.0" gateway. But what we need is for this to point to the "128.0.0.0" gateway that the first VPN instance set up. So in the ".ovpn" configuration file for the second VPN instance I added lines like these:

route-nopull
route   0.0.0.0 192.0.0.0
route  64.0.0.0 192.0.0.0
route 128.0.0.0 192.0.0.0
route 192.0.0.0 192.0.0.0
route remote_host 255.255.255.255 10.4.50.141

I said "like" because the address I had for the "128.0.0.0" gateway was something else, provided by the VPN that came with my seed box.

 

With this done, the second VPN instance can be started. And it will be nested. You can confirm by looking at the AirVPN "Client Area" page that the connection is coming from the exit address of the first VPN instance.

 

If one wanted to get fancy and use scripts, the need to manually put in the "10.4.50.141" address above could be avoided. But if I had provided such a set up I think it would obscure the underlying mechanism. I think it is probably best that anyone trying to do this make the effort to understand what is going on.

 

UPDATE:

 

I neglected to answer Hansito's question about going to 3 or more layers. The short answer is "Yes, with this approach you can go to more layers."

 

In this connection, the issue with what I wrote above, is that we retained the "128.0.0.0" gateway entries for VPN 1 and made new "192.0.0.0" gateway entries for VPN 2. What could be done next is to make the following changes to the routing table using the "route" command (running as "Administrator"):

 

1) Remove the "128.0.0.0" gateway entries for VPN 1. These are now hidden and not needed.

2) Use the gateway from the "192.0.0.0" gateway entries for VPN 2 to create "128.0.0.0" gateway entries for VPN 2.

3) Remove the "192.0.0.0" gateway entries for VPN 2.

 

Now the process may be repeated to add a third layer. Or more.

Share this post


Link to post

My setup involves running VPN connection #1 on a Sabai Technology router which protects all my devices at home and VPN connection #2 from the individual device.

 

Any DD-WRT or Tomato based Router will help you achieve a 2 layered VPN connection. You can get fancy and create a 3rd layer by running VPN connection #3 inside a VM within your PC.

Share this post


Link to post

To add a 3rd layer I tried a different approach and it seems to work. In the config file of the third ovpn, I put these lines:

 

route-nopull

route   0.0.0.0 224.0.0.0
route  32.0.0.0 224.0.0.0
route  64.0.0.0 224.0.0.0
route  96.0.0.0 224.0.0.0
route 128.0.0.0 224.0.0.0
route 160.0.0.0 224.0.0.0
route 192.0.0.0 224.0.0.0
route 224.0.0.0 224.0.0.0
route remote_host 255.255.255.255 IP_of_the_previous_ovpn
 
Is it right?

Share this post


Link to post

 


The concept is right. I do sometimes have gateway overrides with a 224.0.0.0 mask. But if you try going further, you will probably collide with some other important routing table entries. Trying to always get back to a single gateway override with a 128.0.0.0 mask can go on forever though (in principle).

Share this post


Link to post
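
The route layering discussed in the posts above (override masks of 128.0.0.0, 192.0.0.0 and 224.0.0.0, plus one host route per VPN server), as an added example that is not code from any poster in this thread: a simplified longest-prefix-match model in Python. The layer 2 and layer 3 server and gateway addresses and the test destination are constructed placeholders, and the model ignores metrics and interface binding.

```python
import ipaddress

ALL = ipaddress.ip_network("0.0.0.0/0")

def override_routes(prefix_len):
    """OpenVPN 'route' lines splitting 0.0.0.0/0 into 2**prefix_len blocks."""
    return [f"route {b.network_address} {b.netmask}"
            for b in ALL.subnets(new_prefix=prefix_len)]

def build_table(layers, real_gw):
    """layers: (server_ip, tunnel_gateway, prefix_len) tuples, first VPN first."""
    table = [(ALL, real_gw)]          # original default gateway
    via = real_gw
    for server, tunnel_gw, plen in layers:
        # Host route: this layer's server is reached through the layer below,
        # not through net_gateway (the original default gateway).
        table.append((ipaddress.ip_network(f"{server}/32"), via))
        table += [(b, tunnel_gw) for b in ALL.subnets(new_prefix=plen)]
        via = tunnel_gw
    return table

def next_hop(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def collisions(prefix_len, existing):
    """Routes already present that an override of this length would duplicate."""
    mine = set(ALL.subnets(new_prefix=prefix_len))
    return [str(n) for n in map(ipaddress.ip_network, existing) if n in mine]

REAL_GW = "192.168.1.254"                      # from the route print in the thread
VPN1 = ("95.211.169.3", "10.4.50.141", 1)      # from the route print in the thread
VPN2 = ("203.0.113.10", "10.8.0.1", 2)         # constructed placeholder values
VPN3 = ("198.51.100.20", "10.9.0.1", 3)        # constructed placeholder values
TEST_DST = "192.0.2.55"                        # constructed destination
# Non-default entries taken from the route print in the thread.
EXISTING = ["127.0.0.0/8", "192.168.1.0/24", "224.0.0.0/4"]

if __name__ == "__main__":
    table = build_table([VPN1, VPN2, VPN3], REAL_GW)
    for dst in (TEST_DST, VPN3[0], VPN2[0], VPN1[0]):
        print(f"{dst:>15} -> {next_hop(table, dst)}")
    print("\n".join(override_routes(3)))
    for plen in (3, 4):
        print(f"/{plen} override duplicates:", collisions(plen, EXISTING))
```

In this model an override with a 240.0.0.0 mask would duplicate the 224.0.0.0 entry already in the route print, which is one visible instance of an override colliding with an existing routing table entry.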

 

Off topic. But out of curiosity, why would someone need to connect to two vpn servers ?

Having one VPN feed into another is an interesting exercise. I doubt many here would actually need whatever additional privacy might come from such a thing though.

 

Having two VPN connections and using them for different things can be useful. In the past I have had one VPN connection up continuously for use with my torrent client, while occasionally cranking up another to use for accessing geo-restricted web sites. Despite AirVPN's internal rerouting efforts, one may need different servers for different web sites. I don't want to restart my torrent client when I need to do that.

Share this post


Link to post

I did it just for convenience myself, with extra privacy being a bonus. I route most of my home network over AirVPN via my router. I like this setup due to the breakdown of privacy rules in my country as it covers family who connect to my guest network and devices incapable of running OpenVPN software. I run my torrents on a little Android box with a 2 TB drive that pushes new files to a 6 TB NAS via rsync. I set up a VPN just for torrents which makes port forwarding convenient vs messing with iptables on the router, which I find to be hit or miss depending on other configuration options and must be changed as you change ports or network config. I got the speed to be very good as in nearly my max connection speed. I lose about 0.5 mbit up/down, which I can live with.

Share this post


Link to post

I have a similar question as the original post. 

I am a work-from-home employee. I need access to a server inside a firewall. They use vpnux which appears to be a Japanese localized version of the OpenVPN client. For "security reasons", you are only able to connect from a whitelisted IP address. (Yeah I know, that really doesn't make it much more secure, but they think they know what they are doing.) Getting a static IP from Comcast requires moving to a business account and is more than $100 a month.
Can I use AirVPN to connect, whitelisting one server (https://airvpn.org/topic/13667-static-ip/?p=25529) then use vpnux to connect from that "static ip"? I have dd-wrt routers so could run an OpenVPN client on it, and then another client from my PC?
Would https://vpnstaticip.com/ make this any easier?

TIA!

Share this post


Link to post

@wiz222

 

Hello!

 

Yes, that solution is fine for your purpose. An OpenVPN client on the router (connecting to the AirVPN server you need for static address), another one (vpnux) in the machine you work with (connected to the same DD-WRT router).

 

Kind regards

Share this post


Link to post
