VPN Cascading on GL.iNet routers

Finally, you can use VPN Client and Server at the same time on one GL.iNet router.

You need to have Firmware 4.1.1.

We call this VPN Cascading.

How VPN Cascading works

VPN Cascading is also called double VPN in various scenarios. But GL.iNet VPN Cascading may be a little different. Please refer to the following figure for the idea.

VPN 1: The router is used as a VPN server. Clients connected to this server will go to the Internet using the router’s ISP network by default.

VPN 2: The router is used as a VPN client to 3rd party VPN services.

VPN Cascading: You can forward data from the VPN1 tunnel to the VPN2 tunnel, so the laptops, desktops and smartphones (end devices) connected to VPN1 will go to the 3rd party VPN services without any other setup on these end devices.

How to enable VPN cascading

In the following figure, the OpenVPN and WireGuard servers are enabled on the router, and it also connects to Nord via the OpenVPN protocol.

You can enable VPN cascading in “Global Options” in the VPN server section.

Does VPN policy affect VPN Cascading?

Policies DO NOT affect VPN Cascading.

VPN policies, including Global Proxy, IP/Domain based, MAC based and VLAN based policies, do not affect VPN cascading. These policies only affect the devices connected to the router physically, i.e. in the router’s own subnet.

Policies DO affect VPN Cascading

When you use “Auto Detect” or “Customized Routing Rules”, the routing rules that come with the VPN config or that you set up will affect how the router routes data, so VPN cascading may not work.

Cascading is only available on the Brume 2?
Can someone use WireGuard for both the client and server at the same time?

Would VPN cascading on the same router place a higher load on and reduce the router throughput significantly?

I do not work for and I do not have formal association with GL.iNet

Yes. Pls use Firmware 4.1.1

Is there a release timeline for 4.1.1 on the GL-AX1800?

Should be next week.

Is there any way to run Tor and VPN at the same time so the entry node only gets the VPN IP and the ISP can’t see Tor?

Not on one router. Maybe you can have two routers.

But the best practice is using VPN on the router and using Tor browser on your PC.

I have been unable to get cascading to work on my GL-AX1800. The VPN client works just fine, but I cannot connect to the VPN server. Tried using both the clearnet IP address and the VPN IP address (forwarded with my provider).

edit: 4.2 snapshot build date 2023-02-02


Is the VPN client using OpenVPN or WireGuard? Is there a connection error displayed and/or in the System Log?

Is “clearnet IP address” a public one?

@wcs2228 Both the VPN client and server are OpenVPN. The client works fine, but with the client connection online, I am unable to access the VPN server. There are no errors displayed and I don’t see any in the system log.

@hansome The clearnet IP is public

Please try to change the OpenVPN server’s Local Port to a different one, although that’s a guess.
By the way, do you use multi-wan?

I have changed the OpenVPN server’s port to a different port as part of my troubleshooting.

Yes, I do have multi-wan set up, though I don’t really need it. I’ll try disabling that…

Should I be attempting to connect via my public IP, or through my VPN client IP address? (I’ve tried both)

Edit: Disabling multi-wan does not fix the issue. I still cannot connect to the OpenVPN server with the OpenVPN client enabled.

Could it be the same issue as you solved here?

The fix you provided was only for WireGuard VPN servers. Is there an alternate attempted fix when using OpenVPN as the server protocol?

Public IP.

root@GL-AX1800:/tmp# cat /tmp/ovpnserver/ovpnserver 

persist-key
persist-tun
auth SHA256
cipher AES-256-GCM
ncp-disable
dev ovpnserver
dev-type tun
group nogroup
keepalive 10 120
mode server
mute 5
port 1194
proto udp
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
route-gateway dhcp
topology subnet
duplicate-cn
user nobody
mark 524288
...

mark 524288 has the same function as the fwmark setting in wireguard_server.
So it should not be the issue. I’ll PM you for more info.
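An added example, not part of the thread and not GL.iNet's code: a small Python check that reads an OpenVPN server config like the one posted above and reports the settings this troubleshooting exchange turns on (listening port and protocol, the packet mark in hex, and whether clients are pushed a full tunnel). The function names and the wording of the notes are assumptions made for illustration; the sample is a subset of the posted config.

```python
import shlex

# Subset of the server config posted in the thread above.
SAMPLE = '''\
cipher AES-256-GCM
ncp-disable
dev ovpnserver
mode server
port 1194
proto udp
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
topology subnet
duplicate-cn
mark 524288
'''

def parse_ovpn(text):
    """Return {directive: [args, ...]}; a directive may appear several times."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        name, *args = shlex.split(line)       # keeps "redirect-gateway def1" as one argument
        cfg.setdefault(name, []).append(args)
    return cfg

def first(cfg, name, default=None):
    """First argument of the first occurrence of a directive, or a default."""
    return cfg[name][0][0] if cfg.get(name) and cfg[name][0] else default

def audit(cfg):
    """Summarise the settings worth checking when a cascaded server is unreachable."""
    pushed = [a[0] for a in cfg.get("push", []) if a]
    full_tunnel = any(p.split()[:1] == ["redirect-gateway"] for p in pushed)
    mark = first(cfg, "mark")
    notes = []
    if not full_tunnel:
        notes.append("no redirect-gateway pushed: clients keep their own default route")
    if mark is None:
        notes.append("no mark: encrypted server packets cannot be matched by policy routing")
    if "duplicate-cn" in cfg:
        notes.append("duplicate-cn: several clients may connect with the same common name")
    # OpenVPN defaults to UDP port 1194 when the directives are absent.
    return {"listen": (first(cfg, "proto", "udp"), int(first(cfg, "port", "1194"))),
            "mark_hex": hex(int(mark)) if mark is not None else None,
            "full_tunnel": full_tunnel, "notes": notes}
```

Running `audit(parse_ovpn(SAMPLE))` shows that 524288 is the single bit 0x80000, which is the value to look for in the router's policy routing and firewall rules.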

Issue was solved for me by switching to a new port. Thanks for the support hansome.


Hi all,
I run the Surfshark VPN Client (WireGuard protocol) and the WireGuard Server on my Brume2 (v4.1.1 2022-11-05 1:16:04).
Everything works fine until I enable the VPN Cascading. After that my remote WireGuard Clients can still connect to the router (port 80 is open), but have no internet! Any advice on where the issue can be?
Thanks!