VPN over another VPN

non7top · February 3, 2020, 10:53pm

So I have a work vpn which I use to connect to the corporate network, then inside that network we have another vpn which is used to access some other subnets. VPN2 is openvpn and it goes to a server that is in VPN1, that mostly works fine, except that openwrt automagically adds a route to the VPN2 server over the WAN connection, where it obviously is not available (since that should go over VPN1). And every time I have to fix routing in console with

ip r del 10.10.10.10 (VPN2 server)
ip r add 10.10.10.10 dev vpn-vpn1

Automagic route is
10.10.10.10 via 10.61.72.1 dev eth0.2 (10.61.72 is what provider gives me, i.e. wan)

So I'm wondering what is the proper way to have that configured, i.e. a VPN over VPN. Probably routing and metricking, but I can't figure out ho to set that up.

Any hint will be much appreciated.

mikma · February 4, 2020, 12:08am

Can't you add a static route to 10.10.10.10 in the configuration?

Though it would be nice if it was possible to disable the host route added by tunnel protocols.

ulmwind · February 4, 2020, 7:35am

The simplest case is to run one VPN on router, and second on PC behind router.

non7top · April 27, 2020, 3:35pm

Thanks for replies. I tried setting up a static route, but it doesn't help, since openvpn does things in a weird way

This is part of the log. What it does is it adds a route to OpenVPN server via WAN gw (10.61.72.1, provider gw on wan), while that server is only reachable over another vpn.

Mon Apr 27 18:23:56 2020 /sbin/route add -net 10.10.10.10 netmask 255.255.255.255 gw 10.61.72.1

I end up with two route table entries and the first (wrong one) takes precedence.

# ip r|grep 10.10.10.10
10.10.10.10 via 10.61.72.1 dev eth0.2 (defined by openvpn)
10.10.10.10 dev vpn-corp scope link (defined from static routes)

I tried route-metric option in openvpn config, but that only overrides all other routes, except this one.

ulmwind · May 15, 2020, 5:37pm

What route do you want to add?

non7top · May 18, 2020, 9:25pm

I'm adding a static route to vpn server IP address 10.10.10.10 to go through my main corp vpn. However when openvpn does it's connecting sequence it also adds a route to the same address but through WAN ( 10.10.10.10 via 10.61.72.1 dev eth0.2 ) and system always uses the latter. Both routes have same metric (undefined, which I assume is 0), but the wrong one is always used (through wan)

ulmwind · May 21, 2020, 1:34pm

Subnetworks should be different, without overlapping.

non7top · May 21, 2020, 2:22pm

Ugh, apparently I'm not exactly following but there are no subnets involved, because it's just one single address of the VPN server.

ulmwind · May 24, 2020, 7:11pm

Please, specify all subnetworks, lan, VPN, etc.