I am trying to set up a double VPN with OpenVPN 2.3.4, on two Debian 8 machines.
Say I have this 'diagram':
client -> A (vpn server 1) -> B (vpn server 2)
Interfaces:
- on A : eth0 with public ip & tun0 10.8.0.1
- on B : eth0 with public ip & tun0 10.8.1.1
The connections between client and A and between A and B work respectively. Also, I cannot connect to server A whenever it is connected to server vpn B.
My guess is that I need a second interface on A in order to have:
- client binds his network interfaces to tun0 with the vpn connection initiated with A
- server A has an interface eth1 that serves the server-side VPN part and connects with openvpn client to vpn server B with interface eth0
- server B manages the connections from A and therefore from client
My question is: am I thinking correctly here? Apart from theory, I haven't found any practical explanations about configuring double VPN…
Also, would it be possible to 'split' an interface (on A) into 2 new virtual ones (eth0:0 and eth0:1 for instance) and use them as replacements for eth0 and eth1 as described before?
Thanks for the help !
EDIT 1:
To answer qasdfdsaq and make my question clearer, I want:
client connects through VPN tunnel from A -> A connects through VPN tunnel to B -> B manages clients connections
In the end, client should have server B's ip on the internet.
EDIT 2:
I think I could actually summarize my problem as so:
A and B are Debian 8 servers, where B is running openvpn server. A has one network interface with public ip, eth0, on which I can ssh.
I ssh to A and launch openvpn client.
A is correctly connected through the tunnel to B and can access the web via B, but I cannot ssh to A anymore (because I guess that all, meaning here the only interface I have available, is bound to the VPN connection).
Is there a way to counter this?
Best Answer
Correct. You can specify the name of the TUN/TAP interface by adding to the VPN config file:
dev tapX
or
dev tunX
On the client use the
nobind
option, or specify another port by adding to the server:
port 119X
and to the client:
remote address 119X
Enable IP forwarding on servers 1 & 2.
Set up routing; every fragment of the network must be aware of the subnetworks' existence.
I completely missed the sense of this.
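Added example (not part of the original question or answer): one way to apply the answer's forwarding and routing steps on server A while keeping SSH reachable on eth0, assuming the SSH loss comes from B pushing a default route to A. The tun1 name, route-nopull in A's client config, table 100 and the DOUBLEVPN_APPLY switch are assumptions, and it masquerades on A instead of giving B a route to 10.8.0.0/24. By default it only prints the commands.

```shell
#!/bin/sh
# Added example: keep SSH to A on eth0 while VPN clients of A leave via B.
# From the page: A serves clients on tun0 (10.8.0.1), so their subnet is 10.8.0.0/24.
# Assumptions: A's OpenVPN client config toward B contains
#     dev tun1        (fixed interface name, as the answer suggests)
#     route-nopull    (ignore B's pushed default route, so A's own traffic
#                      and SSH replies keep using eth0)
# and routing table 100 is unused on A.
CLIENT_NET="10.8.0.0/24"
IN_DEV="tun0"
OUT_DEV="tun1"
TABLE="100"

# Print each command; execute it only when DOUBLEVPN_APPLY=1 (needs root).
run() {
    if [ "${DOUBLEVPN_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

setup_a() {
    # The answer's step: enable IP forwarding.
    run sysctl -w net.ipv4.ip_forward=1
    # Replies arrive on tun1 although the main table points at eth0:
    # use loose reverse-path filtering on that interface.
    run sysctl -w "net.ipv4.conf.$OUT_DEV.rp_filter=2"
    # Policy routing: only packets sourced from the VPN clients use table 100,
    # whose default route is the tunnel to B.
    run ip route replace default dev "$OUT_DEV" table "$TABLE"
    run ip rule add from "$CLIENT_NET" lookup "$TABLE" priority 1000
    # Forward client traffic into the tunnel and allow only replies back.
    run iptables -A FORWARD -i "$IN_DEV" -o "$OUT_DEV" -s "$CLIENT_NET" -j ACCEPT
    run iptables -A FORWARD -i "$OUT_DEV" -o "$IN_DEV" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Masquerade on A so B needs no route back to 10.8.0.0/24
    # (alternative to making B aware of that subnet).
    run iptables -t nat -A POSTROUTING -s "$CLIENT_NET" -o "$OUT_DEV" -j MASQUERADE
}

setup_a
```

Because only packets sourced from 10.8.0.0/24 consult table 100, A's own default route stays on eth0 and existing SSH sessions to its public IP are unaffected.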