Guide: Cascading your VPN connection over multiple hops with Linux

I am attempting to set up a cascade connection.
No matter how many hops I have added I still show no VPN connection and my IP address does not update.

I am using the guide but there is no change.
Is there an option I may be missing?
 

Attachments

  • Cascade Terminal Output.txt
Looks like your system is unable to find the route command. It's part of the net-tools package, maybe you need to install it first?
 
> Looks like your system is unable to find the route command. It's part of the net-tools package, maybe you need to install it first?
My system does currently have net-tools installed and I am able to utilize the route command outside of these attempts.
I am testing on two separate machines running Fedora Linux and I get the same "route: command not found" error.
Possible issue with the syntax in the updown.sh?
 
The script works fine for me but maybe it's worth a shot to try and replace the route commands with whatever the syntax is that superseded it.
Then again your OS might simply just not have added the directory that the route command sits in to the path variable? Assuming it's in /sbin and that dir is not included, if you run export PATH=$PATH:/sbin and restart? Your problem kind of sounds like the command is there but the system can't find it by itself.
 
I ran sudo chmod +x /etc/openvpn/updown.sh as the guide stated to do.
Ran export PATH=$PATH:/sbin and rebooted with no change.
 
So I had a look at Fedora's packages and it would appear that it installs it in /usr/sbin. When you run echo $PATH, does it list that directory in the output? It'd be rather surprising if it didn't though.
 
> So I had a look at Fedora's packages and it would appear that it installs it in /usr/sbin. When you run echo $PATH, does it list that directory in the output? It'd be rather surprising if it didn't though.
echo $PATH output below.

/home/dcg/.local/bin:/home/dcg/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
 
Uhh... wait a minute. A closer look at updown.sh reveals it is already using the newer iproute2 syntax. Huh. Gotta be something else then. Your paths look fine as well.

There's a discussion at https://github.com/jotyGill/openpyn-nordvpn/issues/231 where people ran into a similar problem on Fedora. It would appear their issue was related to systemd not finding the command when it got called from whatever app it was they were running.
When you run which ip and the output is /usr/sbin/ip, could you try to symlink it to the /usr/bin directory as suggested in the link? The command would be sudo ln -s /usr/sbin/ip /usr/bin/ip.
 
> Uhh... wait a minute. A closer look at updown.sh reveals it is already using the newer iproute2 syntax. Huh. Gotta be something else then. Your paths look fine as well.
>
> There's a discussion at https://github.com/jotyGill/openpyn-nordvpn/issues/231 where people ran into a similar problem on Fedora. It would appear their issue was related to systemd not finding the command when it got called from whatever app it was they were running.
> When you run which ip and the output is /usr/sbin/ip, could you try to symlink it to the /usr/bin directory as suggested in the link? The command would be sudo ln -s /usr/sbin/ip /usr/bin/ip.
Performed this and it does not appear to have changed anything.
 
Maybe you guys could be interested in this:

Some years ago, I worked out how to create nested VPN chains using virtual pfSense routers in nested networks. Each router serves as a NAT gateway for a VPN service. And routing routers through other routers creates nested VPN chains.

That approach has served me well. But it's somewhat resource heavy, in that each VPN gateway router is a separate VM. However, one can instead use routing and iptables in a single machine: TensorTom/VPN-Chain. There's no OS-level isolation, but it's far lighter, and also far easier to control.

Here, I use that basic approach to create dynamic two-hop VPN chains in a Debian router with DHCP. Using simple bash scripting. Without the forwarding and DHCP, the scripts could be used in a single machine or VM.
 
I am a beginner in Linux. For me, the configuration on Fedora in VirtualBox worked.

I encountered the following problems with the tutorial:

1. I had to download update-resolv-conf.sh.

Code:
# The GitHub "blob" page URL returns an HTML page, not the script; the raw file URL is needed.
wget https://raw.githubusercontent.com/alfredopalhares/openvpn-update-resolv-conf/master/update-resolv-conf.sh

2. Following this guide, I changed the following in the .conf:
Code:
script-security 2
# .
# .
# .
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

to:

Code:
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
down-pre

3. In the .conf file I changed "auth-user-pass" to:
Code:
auth-user-pass /etc/openvpn/password.txt

After that I was able to run the command normally:
Code:
sudo openvpn --config London.conf --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec

On the second hop I changed the country and executed:
Code:
sudo openvpn --config Rotterdam.conf --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec

And got the following:
Code:
...
updown.sh: STARTED
updown.sh: hop number:               (default: 1)
updown.sh: gateway of previous hop:  (default: local gateway)
updown.sh: local gateway:           10.0.2.2
updown.sh: VPN: int. IP address:    10.1.225.240
updown.sh: VPN: netmask:            255.255.255.0
updown.sh: VPN: gateway:            10.1.225.2
updown.sh: VPN: public IP address:  31.204.152.102
updown.sh: Notice: You didn't set 'hopid'. Assuming this to be the first hop (hopid=1).
updown.sh: Notice: You didn't set the previous gateway. The gateway of your local network ('10.0.2.2') will be used.
...

After that I ran the command with the VPN gateway specified:
Code:
sudo openvpn --config Rotterdam.conf --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 10.1.225.2

I hope this helps other beginners, provided it is not completely wrong or does not deviate from the instructions.
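An added example that ties the steps of the post above together (it is not the guide's updown.sh and not code from anyone in this thread): a small POSIX shell helper that builds the per-hop openvpn command line, pulls the "VPN: gateway" value out of updown.sh's log output so it can be handed to the next hop as prevgw, and prints the two routes a hop needs. Assumptions: the London.conf/Rotterdam.conf names and the flags are the ones used in the post; the hop-2 server address 203.0.113.5, the hop-2 tunnel gateway 10.1.226.2 and the device name tun1 are constructed sample values; and route_plan uses a simplified two-route model (host route to this hop's server via the previous hop's gateway, then default via the new tunnel) that stands in for whatever the guide's updown.sh actually does. Everything here only prints; nothing is applied to the system unless the printed lines are run on purpose.

```shell
#!/bin/sh
# Added example (not the guide's updown.sh): plan a two-hop cascade step by step
# so each value can be checked before it is used.

# Build the openvpn command line for hop N. Hop 1 gets no hopid/prevgw, which
# makes updown.sh assume hopid=1 and the local gateway, as the log shows.
hop_cmd() {
    conf=$1; hopid=$2; prevgw=${3:-}
    cmd="openvpn --config $conf --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec"
    if [ "$hopid" -gt 1 ]; then
        cmd="$cmd --setenv hopid $hopid --setenv prevgw $prevgw"
    fi
    printf '%s\n' "$cmd"
}

# Read updown.sh log lines on stdin and print the VPN gateway of that hop;
# this is the value the next hop needs as prevgw.
parse_gateway() {
    sed -n 's/^updown\.sh: VPN: gateway:[[:space:]]*//p' | head -n 1
}

# Routes for hop N (simplified model, assumption): reach this hop's server
# through the previous hop's gateway (local gateway for hop 1), then send all
# other traffic into the new tunnel.
route_plan() {
    remote=$1; prevgw=$2; vpngw=$3; dev=$4
    printf 'ip route add %s/32 via %s\n' "$remote" "$prevgw"
    printf 'ip route replace default via %s dev %s\n' "$vpngw" "$dev"
}

# Constructed sample: the relevant lines of the hop-1 output shown in the thread.
SAMPLE_LOG='updown.sh: STARTED
updown.sh: local gateway:           10.0.2.2
updown.sh: VPN: gateway:            10.1.225.2
updown.sh: VPN: public IP address:  31.204.152.102'

# Usage: plan a London -> Rotterdam cascade.
hop1_gw=$(printf '%s\n' "$SAMPLE_LOG" | parse_gateway)
hop_cmd London.conf 1
hop_cmd Rotterdam.conf 2 "$hop1_gw"
# 203.0.113.5 / 10.1.226.2 / tun1 are constructed placeholders for hop 2.
route_plan 203.0.113.5 "$hop1_gw" 10.1.226.2 tun1
```

The point of parsing the gateway rather than typing it is that the hop-1 gateway changes with every reconnect, and a stale prevgw on hop 2 is exactly the kind of "no VPN connection, IP does not update" symptom the thread starts with.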
 
Hello,

Does this method fully protect my IP address from subsequent hops, such that only the first hop knows my real IP?

Thanks
 