Guide: Cascading your VPN connection over multiple hops with Linux

dcgassett

Freshly Joined Member
I am attempting to set up a cascade connection.
No matter how many hops I have added I still show no VPN connection and my IP address does not update.

I am using the guide but there is no change.
Is there an option I may be missing?
 

Attachments

  • Cascade Terminal Output.txt (46.8 KB)

gumba

Junior Member
Looks like your system is unable to find the route command. It's part of the net-tools package, maybe you need to install it first?
 

dcgassett

Freshly Joined Member
Looks like your system is unable to find the route command. It's part of the net-tools package, maybe you need to install it first?
My system does currently have net-tools installed and I am able to utilize the route command outside of these attempts.
I am testing on two separate machines running Fedora Linux and I get the same Route command not found error.
Possible issue with the syntax in the updown.sh?
 

gumba

Junior Member
The script works fine for me but maybe it's worth a shot to try and replace the route commands with whatever the syntax is that superseded it.
Then again your OS might simply just not have added the directory that the route command sits in to the path variable? Assuming it's in /sbin and that dir is not included, if you run export PATH=$PATH:/sbin and restart? Your problem kind of sounds like the command is there but the system can't find it by itself.
 

dcgassett

Freshly Joined Member
I ran sudo chmod +x /etc/openvpn/updown.sh as the guide stated to do.
Ran export PATH=$PATH:/sbin and rebooted with no change.
 

gumba

Junior Member
So I had a look at Fedora's packages and it would appear that it installs it in /usr/sbin. When you run echo $PATH, does it list that directory in the output? It'd be rather surprising if it didn't though.
 

dcgassett

Freshly Joined Member
So I had a look at Fedora's packages and it would appear that it installs it in /usr/sbin. When you run echo $PATH, does it list that directory in the output? It'd be rather surprising if it didn't though.
echo $PATH output below.

/home/dcg/.local/bin:/home/dcg/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
 

gumba

Junior Member
Uhh... wait a minute. A closer look at updown.sh reveals it is already using the newer iproute2 syntax. Huh. Gotta be something else then. Your paths look fine as well.

There's a discussion at https://github.com/jotyGill/openpyn-nordvpn/issues/231 where people ran into a similar problem on Fedora. It would appear their issue was related to systemd not finding the command when it got called from whatever app it was they were running.
When you run which ip and the output is /usr/sbin/ip, could you try to symlink it to the /usr/bin directory as suggested in the link? The command would be sudo ln -s /usr/sbin/ip /usr/bin/ip.
 

dcgassett

Freshly Joined Member
Uhh... wait a minute. A closer look at updown.sh reveals it is already using the newer iproute2 syntax. Huh. Gotta be something else then. Your paths look fine as well.

There's a discussion at https://github.com/jotyGill/openpyn-nordvpn/issues/231 where people ran into a similar problem on Fedora. It would appear their issue was related to systemd not finding the command when it got called from whatever app it was they were running.
When you run which ip and the output is /usr/sbin/ip, could you try to symlink it to the /usr/bin directory as suggested in the link? The command would be sudo ln -s /usr/sbin/ip /usr/bin/ip.
Performed this and it does not appear to have changed anything.
 

gumba

Junior Member
Well that's me out of ideas then. Maybe there's someone on the Fedora forums who can help out?
 

Erenys

New Member
Maybe you guys could be interested in that:

Some years ago, I worked out how to create nested VPN chains using virtual pfSense routers in nested networks. Each router serves as a NAT gateway for a VPN service. And routing routers through other routers creates nested VPN chains.

That approach has served me well. But it's somewhat resource heavy, in that each VPN gateway router is a separate VM. However, one can instead use routing and iptables in a single machine: TensorTom/VPN-Chain. There's no OS-level isolation, but it's far lighter, and also far easier to control.

Here, I use that basic approach to create dynamic two-hop VPN chains in a Debian router with DHCP. Using simple bash scripting. Without the forwarding and DHCP, the scripts could be used in a single machine or VM.
 

Gerd

Active Member
I am a beginner in Linux. For me, the configuration on Fedora in VirtualBox worked.

I encountered the following problems with the tutorial:

1. I had to download update-resolv-conf.sh.

Code:
# the /blob/ URL returns GitHub's HTML page, not the script; fetch the raw file and save it where the .conf expects it
sudo wget -O /etc/openvpn/update-resolv-conf.sh https://raw.githubusercontent.com/alfredopalhares/openvpn-update-resolv-conf/master/update-resolv-conf.sh

2. Following this guide I have changed in .conf:
Code:
script-security 2
# .
# .
# .
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

to:

Code:
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
down-pre

3. I have changed in .conf file "auth-user-pass" in:
Code:
auth-user-pass /etc/openvpn/password.txt

After that I was able to run the command normally:
Code:
sudo openvpn --config London.conf --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec

On the second hop I changed the country and executed:
Code:
sudo openvpn --config Rotterdam.conf --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec

And got the following:
Code:
...
updown.sh: STARTED
updown.sh: hop number:               (default: 1)
updown.sh: gateway of previous hop:  (default: local gateway)
updown.sh: local gateway:           10.0.2.2
updown.sh: VPN: int. IP address:    10.1.225.240
updown.sh: VPN: netmask:            255.255.255.0
updown.sh: VPN: gateway:            10.1.225.2
updown.sh: VPN: public IP address:  31.204.152.102
updown.sh: Notice: You didn't set 'hopid'. Assuming this to be the first hop (hopid=1).
updown.sh: Notice: You didn't set the previous gateway. The gateway of your local network ('10.0.2.2') will be used.
...

After that I specified the command with VPN Gateway:
Code:
sudo openvpn --config Rotterdam.conf --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec --setenv hopid 2 --setenv prevgw 10.1.225.2

I hope this helps other beginners, if it is not exactly wrong or deviates from the instructions. 😁
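A minimal up/down routing script for the two-hop procedure above, added here as an example (it is not the guide's updown.sh and not code from anyone in this thread). It assumes OpenVPN's standard script environment (trusted_ip, route_vpn_gateway, dev, script_type) plus the hopid and prevgw values passed with --setenv; the addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the guide's updown.sh. OpenVPN exports trusted_ip (the
# server's public IP), route_vpn_gateway (gateway inside the new tunnel), dev
# and script_type to --up/--down scripts; hopid and prevgw come from the
# --setenv flags shown above. cascade_routes prints the iproute2 commands it
# would run (dry run) so the routing logic can be checked without a tunnel.

cascade_routes() {
    # $1 script_type (up|down)  $2 hopid  $3 prevgw
    # $4 trusted_ip (this hop's server)  $5 route_vpn_gateway  $6 dev
    mode=$1 hopid=${2:-1} prevgw=$3 server=$4 vpngw=$5 dev=${6:-tun0}
    if [ -z "$prevgw" ]; then
        echo "hop $hopid: prevgw is required (gateway of the previous hop, or the LAN gateway for hop 1)" >&2
        return 1
    fi
    case $mode in
    up)
        # This hop's server must be reached through the previous hop. Without
        # the host route the new tunnel leaves via the LAN and the cascade
        # collapses to a single hop (the symptom in the thread above).
        echo "ip route replace $server/32 via $prevgw"
        # Everything else now goes into the newest tunnel.
        echo "ip route replace default via $vpngw dev $dev"
        ;;
    down)
        # Undo in reverse so traffic falls back to the previous hop.
        echo "ip route del default via $vpngw dev $dev"
        echo "ip route del $server/32 via $prevgw"
        ;;
    *)
        echo "unknown script_type '$mode'" >&2
        return 1
        ;;
    esac
}

# When OpenVPN invokes this file as --up/--down, apply the printed commands.
if [ -n "$script_type" ] && [ -n "$trusted_ip" ]; then
    cascade_routes "$script_type" "$hopid" "$prevgw" "$trusted_ip" \
        "$route_vpn_gateway" "$dev" | sh -e
fi
```

For hop 2 in the commands above, OpenVPN would call it with hopid=2 and prevgw=10.1.225.2, so the Rotterdam server is routed through the London tunnel before the default route moves into tun1.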
 

alphaben

Freshly Joined Member
Hello,

Does this method fully protect my IP address from subsequent hops, such that only the first hop knows my real IP?

Thanks
 