I have multiple Wireguard client configurations. I want to chain the different VPNs together into a tunnel consisting of an arbitrary number of jumps. For example, if I am using two configs of VPN1 and VPN2, I should be able to build a chain looking either like this:
Router → VPN1 → VPN2 → Internet
or like this:
Router → VPN2 → VPN1 → Internet
So in practice I want both clients to connect from the router, but the routing should be set up so that the second node routes all traffic through the first. There could be three, four, etc. nodes.
How can I achieve this, either in the CLI or the GUI?
The router is connected to VPN 1 (server) or VPN2 (server), while the chain is done by VPN1 or 2 (server).
In this example, you need to configure a route or (over) VPN connection on the VPN 1 & 2 server, and the router only needs to connect to the VPN1 server, and the rest is done between the servers.
Thank you, I already know of providers providing multi-hop functionality within their own networks. I want to achieve the same thing in the router with multiple configs. This should be done by chaining them together with routing and preferably in their own separate namespace.
What I want to achieve is essentially to run multiple VPN clients at the same time, but route the output from one client into the input of the next one in the chain.
This would allow me to build a VPN chain (like Tor, but with VPNs instead). I want this feature for increased privacy when using a VPN provider that is untrusted, so you can combine multiple providers to build a more secure chain (since neither provider will know either your IP or your destination).
I am certain this can be done since you already can run multiple clients at once with policy based routing, but it would be great to have “tunnels” and have a policy based routing with tunnels instead…
A peer has a virtual IP; in order to route an IP to a tunnel you route it over this IP.
But... if you go about routing a virtual IP to a virtual IP and then to another virtual IP, it has not yet made it through the tunnel over the internet and basically only masquerades locally on the virtual IPs.
If I look at Mullvad, it seems they put some kind of transparent proxy behind it which then redirects your traffic to another VPN. I know that I have seen some examples with SOCKS and WireGuard, but that is not officially supported by WireGuard I believe, it just happened to work; it's kind of like the v2ray dokodemo-door that can also pass tunnels.
Also, the last time I checked, multi-hop was only a thing in their own software client, so it could be using something different which we don't know about.
There are multiple ways to do it with WireGuard (or any VPN). I do not want to use multi-hop in the VPN provider, since in this use case I want to chain multiple providers together.
One way is with network namespaces, for example, which is easy on OpenWrt. Then you can bring multiple interfaces up and chain them together so that one namespace goes to the other, and then you have the physical namespace as an entry point.
The basic flow is always src to dest, which punches a hole in the firewall for the other side to respond on the same line; otherwise the packet gets dropped.
So the first hop probably works, but you have zero control of the second hop, how can you possibly command the remote side of the endpoint that traffic needs to go to the second hop.
^ please don't get confused about the word hop for multihop, with hop I mean the flow you see in traceroute/tracert.
If you have a configuration like this please share. I don't think it is possible, or maybe it is but with a lot of DNAT manipulation. I know that Stangri's PBR uses the prerouting chain, which basically handles it before DNAT; I had some success having everything routed over VPN via prerouting and then forwarding it over Tor, but I don't think this works on VPNs. It will be possible if you own all ends, which works for a wifivpn cascade.
The only way it might work without additional requirements, in my opinion, would be that you connect to a VPN server and then, inside this tunnel, you start a new connection to another one.
So it would be VPN tunneled via VPN, which might cause speed drops, but you will get 2-hop-VPN then. But this isn't multihop VPN at all.
This is exactly what I am trying to describe: tunneling multiple VPN sessions inside each other, so that you can build chains of entry points.
So for example:
Host → entry VPN → exit VPN → internet
Could be done like this:
1. Create the middle namespace:
ip netns add middle
2. Bring up wg-entry — create it in default namespace (socket uses physical NIC), then move the tunnel interface into middle:
ip link add wg-entry type wireguard
wg setconf wg-entry /etc/wireguard/entry.conf
ip link set wg-entry netns middle
ip netns exec middle ip link set lo up
ip netns exec middle ip addr add ENTRY_TUNNEL_IP/32 dev wg-entry
ip netns exec middle ip link set wg-entry up
ip netns exec middle ip route add default dev wg-entry
Now inside middle, all traffic routes through the entry VPN.
3. Bring up wg-exit — create it inside middle (socket routes through wg-entry), then move the tunnel interface back to the host:
ip netns exec middle ip link add wg-exit type wireguard
ip netns exec middle wg setconf wg-exit /etc/wireguard/exit.conf
ip netns exec middle ip link set wg-exit netns 1
ip addr add EXIT_TUNNEL_IP/32 dev wg-exit
ip link set wg-exit up
4. Route host traffic through wg-exit:
ip route add ENTRY_SERVER_PUBLIC_IP via GATEWAY dev eth0
ip route replace default dev wg-exit
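The recipe above, generalised to any number of hops, as an added example (this is not the poster's script or anything shipped in OpenWrt or the router firmware). It assumes each config is in `wg setconf` format (no Address/DNS lines), each argument is `CONFIG=TUNNEL_IP/PREFIX`, endpoints are IPv4 `host:port`, and `WAN_GW`/`WAN_IF` name the physical uplink. With `DRY_RUN=1` it prints the commands it would run, which is a cheap way to review the namespace layout before applying it as root.

```sh
#!/bin/sh
# Added example, not from the thread: bring up an N-hop WireGuard chain with
# nested network namespaces, generalising the two-hop recipe above.
# Assumptions: configs are in `wg setconf` format, arguments are
# CONFIG=TUNNEL_IP/PREFIX, endpoints are IPv4 host:port, and WAN_GW / WAN_IF
# name the physical uplink. DRY_RUN=1 prints the commands instead of running them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Host part of the first Endpoint= line in a config (IPv4 host:port assumed).
endpoint_host() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*\([^:]*\):.*/\1/p' "$1" | head -n 1
}

# Usage: wg_chain_up ENTRY.conf=IP/32 [MIDDLE.conf=IP/32 ...] EXIT.conf=IP/32
# Hop i's UDP socket is created in the namespace that already routes through
# hop i-1, then its tunnel interface is moved one namespace outward; the last
# hop's interface ends up on the host and becomes the host default route.
wg_chain_up() {
    [ $# -ge 2 ] || { echo "need at least two CONFIG=TUNNEL_IP arguments" >&2; return 1; }
    n=$#
    i=1
    inner_ns=""   # namespace whose routes the current hop's socket uses ("" = host)
    for arg in "$@"; do
        conf=${arg%%=*}
        addr=${arg#*=}
        wg="wg-hop$i"
        if [ "$i" -lt "$n" ]; then
            outer_ns="ns-hop$i"
            run ip netns add "$outer_ns"
            run ip netns exec "$outer_ns" ip link set lo up
        else
            outer_ns=""   # the exit hop's interface lives on the host
        fi
        if [ -n "$inner_ns" ]; then
            # Socket is bound inside inner_ns, so its encrypted packets follow
            # that namespace's default route, i.e. the previous hop's tunnel.
            run ip netns exec "$inner_ns" ip link add "$wg" type wireguard
            run ip netns exec "$inner_ns" wg setconf "$wg" "$conf"
            run ip netns exec "$inner_ns" ip link set "$wg" netns "${outer_ns:-1}"
        else
            # First hop: socket on the physical NIC; pin its server to the uplink
            # because the host default route will later point into the chain.
            run ip link add "$wg" type wireguard
            run wg setconf "$wg" "$conf"
            run ip link set "$wg" netns "$outer_ns"
            run ip route add "$(endpoint_host "$conf")" via "$WAN_GW" dev "$WAN_IF"
        fi
        if [ -n "$outer_ns" ]; then
            run ip netns exec "$outer_ns" ip addr add "$addr" dev "$wg"
            run ip netns exec "$outer_ns" ip link set "$wg" up
            run ip netns exec "$outer_ns" ip route add default dev "$wg"
        else
            run ip addr add "$addr" dev "$wg"
            run ip link set "$wg" up
            run ip route replace default dev "$wg"
        fi
        inner_ns=$outer_ns
        i=$((i + 1))
    done
}

# Tear down an N-hop chain: deleting a namespace destroys the WireGuard
# device inside it. The /32 route to the entry server is left for the caller.
wg_chain_down() {
    n=$1
    run ip link del "wg-hop$n"
    i=1
    while [ "$i" -lt "$n" ]; do
        run ip netns del "ns-hop$i"
        i=$((i + 1))
    done
}

[ $# -eq 0 ] || wg_chain_up "$@"
```

Run it as `DRY_RUN=1 WAN_GW=... WAN_IF=eth0 sh chain.sh /etc/wireguard/entry.conf=ENTRY_TUNNEL_IP/32 /etc/wireguard/exit.conf=EXIT_TUNNEL_IP/32` to print the plan; drop `DRY_RUN` to apply it. The only host-side state besides the exit interface is the /32 route to the entry server; the rest lives in the `ns-hopN` namespaces, so a second chain with different interface names does not collide with the first.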
Awesome, this is what I'm looking for! Can you share the (redacted) configs of the default tunnel and the test tunnel?
My feature request then is this: integrate GUI features to enable this! Just being able to have a “primary tunnel” and forward other tunnels through it by adding the fwmark option in their configs would be easy, chainable, and very very awesome.
These are simply two temporary Tunnels I created on the VPN dashboard; nothing special.
The main idea is to configure VPN2 using the fwmark associated with VPN1.
We are currently discussing internally how to make this a usable feature in the web UI and its feasibility, as we are concerned that this might lead to more complex configuration logic.
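One way the "configure VPN2 using the fwmark associated with VPN1" idea can be expressed with plain policy routing on a single host, as an added example (not the poster's setup and not code from the router firmware). It assumes `wg-entry` and `wg-exit` already exist with their tunnel addresses assigned, IPv4 only, that marks 0x1/0x2 and routing tables 101/102 are free, and that `WAN_GW`/`WAN_IF` name the physical uplink. `DRY_RUN=1` prints the commands instead of running them.

```sh
#!/bin/sh
# Added example, not from the thread: chain two WireGuard interfaces on one
# host with fwmark-based policy routing instead of network namespaces.
# Assumptions: wg-entry and wg-exit already exist with their tunnel addresses,
# IPv4 only, marks 0x1/0x2 and tables 101/102 are free, WAN_GW / WAN_IF name
# the physical uplink. DRY_RUN=1 prints the commands instead of running them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: wg_fwmark_chain_up ENTRY_IF EXIT_IF
wg_fwmark_chain_up() {
    entry_if=$1
    exit_if=$2
    # Entry tunnel: its encrypted UDP packets carry mark 0x1 and are forced
    # out of the physical uplink, so no /32 route to the entry server is needed.
    run wg set "$entry_if" fwmark 0x1
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table 101
    run ip rule add fwmark 0x1 lookup 101 priority 101
    # Exit tunnel: its encrypted packets carry mark 0x2 and are sent into the
    # entry tunnel, which is what makes the second hop ride inside the first.
    run wg set "$exit_if" fwmark 0x2
    run ip route replace default dev "$entry_if" table 102
    run ip rule add fwmark 0x2 lookup 102 priority 102
    # Replies from the exit server arrive unmarked via the entry tunnel; strict
    # reverse-path filtering would route that source via the main table (which
    # points at wg-exit) and drop them, so use loose mode on the entry interface.
    run sysctl -q -w "net.ipv4.conf.$entry_if.rp_filter=2"
    # Everything unmarked (normal host traffic) leaves through the exit tunnel.
    run ip route replace default dev "$exit_if"
}

# Usage: wg_fwmark_chain_down ENTRY_IF EXIT_IF (leaves the host default route alone)
wg_fwmark_chain_down() {
    entry_if=$1
    exit_if=$2
    run ip rule del fwmark 0x2 lookup 102 priority 102
    run ip rule del fwmark 0x1 lookup 101 priority 101
    run ip route flush table 102
    run ip route flush table 101
    run wg set "$exit_if" fwmark 0
    run wg set "$entry_if" fwmark 0
}

[ $# -eq 0 ] || wg_fwmark_chain_up "$@"
```

The same pattern extends to a longer chain by giving hop k mark k and a table whose default route is hop k-1's interface; only the first hop's table points at the physical uplink. `ip rule show` and `ip route show table 102` are the quickest checks that the marks and tables line up, and `wg show wg-exit` reporting a recent handshake confirms the exit tunnel is actually reaching its server through the entry tunnel.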
One suggestion from similar setups I have seen is to allow the user to set up multiple different VPNs (which you already do), and then create multiple "tunnels" or "chains" by dragging and dropping VPNs. A "chain" can consist of multiple VPN jumps in different orders.
My dream would be the option to create tunnels, which could then be used in policy based routing. I know many paranoid people who have home-built solutions for this and would be very happy to have it built into their travel routers.
I like the idea of having the freedom to do that; I want to add a common setup I use at home:
I have a WireGuard server called wifivpn where client devices are forced to use the VPN via the app, and wifivpn cascades to wgclient.
One limitation I have with the GL firmware is multiple WireGuard server tunnels, because I also want to remote in from WAN via another WireGuard server and also cascade that to wgclient.
But what the OP asks for can also be incorporated pretty well, different from my setup.
I was able to get this working using the same approach on my side, so it might be worth double-checking whether the marks are set and matched correctly.
If it still doesn’t work after that, and if you’re comfortable with it, you can share your device via the cloud with our support team. I’d be happy to help take a look and assist with the configuration.