Skip to content

Instantly share code, notes, and snippets.

@todgru

todgru/vpn-in-a-vpn.md

Last active January 6, 2022 21:56
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save todgru/b244e6de3055f01a2d0092cdfed3da8c to your computer and use it in GitHub Desktop.
Save todgru/b244e6de3055f01a2d0092cdfed3da8c to your computer and use it in GitHub Desktop.
Download ZIP
vpn route through another vpn pihole pivpn dnsmasq openvpn
Raw
vpn-in-a-vpn.md

Vpn-ception

Ideally, I like to run one vpn. I have OpenVPN/PiVPN working just fine.

On the PiVPN server, I'd like to run a VPN client to my work office.

It's difficult to get Cisco VPN client and Tunnelblick clients running side-by-side on the same machine, ie my local dev machine, without a seeming hack(see below).

I have it working locally.

  • Cisco AnyConnect Client connect to work VPN. Only specific resources are made available. All other traffic is routed as normal.
  • Tunnelblick will connect my personal vpn (PiVPN) routing all other traffic.
  • With an entry in /etc/hosts, ie an entry like 123.45.67.89 work-resource.my-company.com I'm able to access URL's that are for work only.
  • Without the /etc/hosts entry, the work resource URL's do not resolve. this seems like a hack. :(
  • Maybe this is a DNS or IP mask issue that can be handled through a local OpenVPN config? TBD.

On Raspbian

A few notes about what is working for PiVPN:

  • OpenConnect connects to my work VPN when logged into the VPN server via ssh. Successfully able to route traffic to my work VPN if I am logged into the server as a user.
  • When connected through the VPN, this will NOT route work specific URL's though PiVPN and then through the OpenConnect Client
  • WIP/TODO need to figure out how to route select PiVPN traffic throught a local PiVPN server OpenConnect client connection.
  • after openconnect install, this works for connection. I did not have any issues getting this to work.
sudo openconnect https://vpn.my-company.com

Update

  • I installed the OpenVPN app, Version 3.1.0 (890), on my OS X dev machine as a replacement for Tunnelblick. The OpenVPN app works MUCH better.
  • Regardless of app I use to connect to my PiVPN, I first need to connect to my work VPN using the Cisco AnyConnect app and then launch the OpenVPN PiVPN client.
  • I still need the dns entry in /etc/hosts for my work resource as mentioned above.
  • I'm now using openconnect instead of Cisco AnyConnect to connect to my work vpn. Install with brew install openconnect. Run with sudo openconnect https://vpn.my-office.com. Enter username and password. ez pz.
  • UPDATE/TODO: find openconnect settings that allow okta/totp link

Another Update, Pi-Hole DNS when on the local network

When on my local network, without running a OpenVPN client on my local machine, I still want to have Pi-Hole handle the the DNS resolution. I followed a few of the instructions online, but mostly this one from Marc Stan. The key to getting DNS resolution to work locally with DHCP, was adding the eth0 entry to the the config file. The /etc/dnsmasq.d/02-ovpn.conf file looks like this:

interface=eth0
interface=tun0

This change allows Pi-hole to listen to both the tunnel connection and the traffic coming into the Pi-Hole DNS from the local network.

Note this Pi-Hole Admin Console DNS setting: Screen Shot 2019-11-02 at 10 51 35 PM

I'm running dd-wrt on my router.

Setup->Basic Setup

Screen Shot 2019-11-02 at 10 37 35 PM

Services->Services

Screen Shot 2019-11-02 at 10 39 40 PM

Third Update

Running PiVPN(OpenVPN) on UDP and TCP protocols

Sometimes networks block 1194/UDP. Running on 443/TCP might be a way around this.

Install PiVPN and Pihole

documented elsewhere

Please note, I initially used the recommened udp protocol and port 1194 when setting up PiVPN. I also made modifiations to my conf files to get PiVPN and PiHole to play nice together for both the VPN connections and local network traffic.

My router handles all port forwarding. (another topic and documented elsewhere.)

cp /etc/openvpn/server.conf /etc/openvpn/server_tcp.conf

Duplicate the current server.conf file. We'll edit the new version below.

Edit /etc/openvpn/server_tcp.conf.

The only lines I need to update were the following:

dev tun_tcp
proto tcp
port 1194
server 10.9.0.0 255.255.255.0

Keep the rest of the conf file the same.

Edit /etc/dnsmasq.d/02-ovpn.conf

I'm running pi-hole to resolve dns queries for both vpn and internal network traffic. The dnsmasq file looks like this:

interface=eth0
interface=tun0
interface=tun_tcp

iptables /etc/iptables/rules.v4

I needed to add one line, -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE

Generated by iptables-save v1.4.21 on Thu Dec 29 19:17:57 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
:POSTROUTING ACCEPT [1:184]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Reboot

This is the easiest way to restart the services, but there are quicker ways to restart services for dnasmasq, iptables, and openvpn. The Raspberry Pi restarts so fast, whatev's. :)

@todgru
Copy link
Author

todgru commented Nov 2, 2019

I left a comment here. good info on running openconnect. though it's not as difficult as it once was to install. 😄

@todgru
Copy link
Author

todgru commented Nov 13, 2019
edited

@document @todo to allow open vpn connection when connection is blocked by network firewalls. https://medium.com/bob-kfir-tech/how-to-bypass-dpi-for-openvpn-4d3748cb0353
DONE (see above) @document @todo run both udp and tcp. pivpn/pivpn#178 and https://www.reddit.com/r/OpenVPN/comments/9a02hs/anyone_got_tcp_and_udp_working_simultaneously_on/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment