VPN-Chain

A Bash script which makes chained OpenVPN connections.

WARNING: This is a beta release and is VERY experimental right now, so use at your own risk.

WARNING: Please read the HOW TO USE VPN CHAIN section, because it contains important security information.

ABOUT VPN CHAIN

VPN Chain is a fork of the original VPNCHAIN bash script. I will be reworking this in either Go or Nim. For now, I will maintain this script and continue to add features and fix bugs.

VPN Chain is a bash script which makes chained OpenVPN connections. You no longer need a virtual machine for this. Once the chain is complete you can use the internet in a more secure and private way, with all of OpenVPN's benefits.

Completed chain looks like this: PC <-> OPENVPN1 <-> OPENVPN2 <-> OPENVPN# <-> INTERNET

And yes, you can use TOR on top of chain: PC <-> OPENVPN1 <-> OPENVPN2 <-> OPENVPN# <-> TOR <-> INTERNET

There should be no limit on how many hops the chain can have (correct me if I'm wrong). I tested with 3 OpenVPNs in the chain, but I think it should work with 5 or 10 configs. Of course, there can be practical limits such as the speed and stability of the whole chain.

REQUIREMENTS

HOW TO USE VPN CHAIN

  1. Extract files:
       bash$ unzip vpnchain-XX.zip
       bash$ cd vpnchain

  2. Edit vpnchain.sh config section.

    VPN CHAIN should work with most OpenVPN providers' default configs (I tested 3 different ones and all worked without major changes). If you get 'file not found' errors, change the key and certificate paths in the config files from relative to absolute.

  3. Use sudo to run it: bash$ sudo ./vpnchain.sh

  4. To exit press CTRL+C keys

  5. If you enabled firewall blocking then run this command to flush rules: bash$ sudo ./vpnchain.sh flush

SECURITY WARNING: Your IP address does NOT change UNTIL THE WHOLE CHAIN IS CONNECTED. If the first and second OpenVPN servers connect but the LAST ONE does not, your IP IS NOT changed: the default route is only replaced by the last hop, so until then traffic still leaves through your real gateway. Wait for the WHOLE CHAIN to be connected (the green text saying 'Connected') before doing anything online. To avoid leaks, either block all OUTPUT traffic in your firewall and allow only the remote OpenVPN servers' IPs and the tun devices, or wait until the chain is complete and verify your public IP before doing any online activity (it should belong to the LAST OpenVPN provider in the chain).

NOTICE: An automatic firewall blocking option was added in version 0.2.
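The leak-blocking firewall the warning above describes, written out as iptables rules. This is an added example and not vpnchain.sh's own firewall code; the server address, port and protocol are constructed placeholders, and it assumes IPv4-only provider configs (so IPv6 is dropped outright rather than allowed to bypass the tunnels).

```shell
#!/bin/sh
# Added example, not part of vpnchain.sh: drop every OUTPUT packet except
# loopback, traffic already inside a tun device, and the encrypted session
# to the listed OpenVPN server(s) over the real interface.
# Constructed placeholders: 203.0.113.10, udp/1194. Assumes IPv4-only configs.

# fw_rules "SERVER_IPS" [PROTO] [PORT] -> prints one iptables command per line
fw_rules() {
    servers=$1; proto=${2:-udp}; port=${3:-1194}
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # anything already inside a tunnel may go out: hop N+1 dials its server
    # through tun N, and application traffic leaves through the last tun
    echo "iptables -A OUTPUT -o tun+ -j ACCEPT"
    # the encrypted session to each listed server over the real interface
    for ip in $servers; do
        echo "iptables -A OUTPUT -d $ip -p $proto --dport $port -j ACCEPT"
    done
    # log (rate-limited) what the DROP policy is about to eat, so a leak
    # attempt from an incomplete chain shows up in syslog instead of silently
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'vpnchain-drop: '"
    # the tunnels carry IPv4 only; an IPv6 default route would bypass them
    echo "ip6tables -P OUTPUT DROP"
}

# fw_apply: execute the rules (root required). fw_flush: undo them, the
# equivalent of 'vpnchain.sh flush'.
fw_apply() { fw_rules "$@" | while IFS= read -r cmd; do eval "$cmd"; done; }
fw_flush() { iptables -P OUTPUT ACCEPT; iptables -F OUTPUT; ip6tables -P OUTPUT ACCEPT; }

# Print the rule set for a chain whose FIRST hop server is 203.0.113.10.
# Only hop 1 is reached over the real interface, so only its server needs an
# exception here; later hops are dialled through tun devices, already allowed.
fw_rules "203.0.113.10" udp 1194
```

There is deliberately no ESTABLISHED/RELATED rule: it would let connections that were open before the rules went in keep talking over the real interface. That also means replies to an inbound SSH session are dropped, so if you administer the box remotely, add an exception for that before running fw_apply. If a hop's provider uses TCP or a non-default port, pass those as the second and third arguments.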

After connecting you can run Wireshark and inspect the traffic.

HOW VPN CHAIN WORKS

The main idea is taken from http://forums.openvpn.net/topic7483.html. You disable the default routing pushed by each OpenVPN server (route-nopull) and manually add your own routes:

In the ClientA config file add these lines:

    # disable default routing pushed from server
    route-nopull
    route <ClientA_Remote_IP> 255.255.255.255 <Default_Gateway>
    route <ClientB_Remote_IP> 255.255.255.255 <ClientA_Tun_IP>

In the ClientB config file add these lines:

    # disable default routing pushed from server
    route-nopull
    route 0.0.0.0 128.0.0.0 <ClientB_Tun_IP>
    route 128.0.0.0 128.0.0.0 <ClientB_Tun_IP>
    dhcp-option DNS <ClientB_Dns_IP>
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

The same pattern extends to more than two OpenVPN instances:

Client_First:

    # disable default routing pushed from server
    route-nopull
    route <Client_First_Remote_IP> 255.255.255.255 <Default_Gateway>
    route <Next_Client_Remote_IP> 255.255.255.255 <Client_First_Tun_IP>

Client# (every middle hop; it routes the NEXT hop's server address through its OWN tun device, exactly as Client_First does, so the next instance dials through this tunnel rather than through an earlier one):

    # disable default routing pushed from server
    route-nopull
    route <Next_Client_Remote_IP> 255.255.255.255 <Client#_Tun_IP>

Client_Last:

    # disable default routing pushed from server
    route-nopull
    route 0.0.0.0 128.0.0.0 <Client_Last_Tun_IP>
    route 128.0.0.0 128.0.0.0 <Client_Last_Tun_IP>
    dhcp-option DNS <Client_Last_Dns_IP>
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
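A generator for the per-hop lines above, as an added example that is not part of vpnchain.sh. It generalises the Client_First / Client# / Client_Last pattern to N hops: each hop pins the next server's address into its own tunnel, and only the last hop takes over the default route. All addresses in it are constructed placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not vpnchain.sh code: emit the route lines each hop's OpenVPN
# config needs. Every IP address here is a constructed placeholder.

# gen_hop_config INDEX "REMOTE_IPS" "TUN_IPS" DEFAULT_GW DNS_IP
#   INDEX      1-based position of this hop in the chain
#   REMOTE_IPS space-separated server IPs, in chain order (hop 1 first)
#   TUN_IPS    space-separated tun addresses, same order
#   DEFAULT_GW the real (pre-VPN) default gateway; used by hop 1 only
#   DNS_IP     resolver pushed at the last hop
# Prints the lines to append to that hop's provider config.
gen_hop_config() {
    idx=$1; remotes=$2; tuns=$3; defgw=$4; dns=$5
    hops=$(set -- $remotes; echo $#)
    this_remote=$(echo "$remotes" | awk -v i="$idx" '{print $i}')
    this_tun=$(echo "$tuns" | awk -v i="$idx" '{print $i}')
    next_remote=$(echo "$remotes" | awk -v i="$((idx + 1))" '{print $i}')

    # never accept the server's pushed routes: the default route must move
    # exactly once, at the last hop, or traffic leaks from an incomplete chain
    echo "route-nopull"
    if [ "$idx" -eq 1 ]; then
        # hop 1 is the only server reached over the real default gateway
        echo "route $this_remote 255.255.255.255 $defgw"
    fi
    if [ "$idx" -lt "$hops" ]; then
        # pin the NEXT server's address into THIS hop's tunnel, so the next
        # OpenVPN instance dials through it instead of through the real NIC
        echo "route $next_remote 255.255.255.255 $this_tun"
    else
        # last hop: two /1 routes win over the /0 default on prefix length
        # without deleting it, so the real gateway returns on disconnect
        echo "route 0.0.0.0 128.0.0.0 $this_tun"
        echo "route 128.0.0.0 128.0.0.0 $this_tun"
        echo "dhcp-option DNS $dns"
        echo "up /etc/openvpn/update-resolv-conf"
        echo "down /etc/openvpn/update-resolv-conf"
    fi
}

# gen_chain_configs "REMOTE_IPS" "TUN_IPS" DEFAULT_GW DNS_IP
# Prints every hop's block, each headed by a '#' comment naming the hop.
gen_chain_configs() {
    n=$(set -- $1; echo $#)
    i=1
    while [ "$i" -le "$n" ]; do
        echo "# --- hop $i of $n ---"
        gen_hop_config "$i" "$1" "$2" "$3" "$4"
        i=$((i + 1))
    done
}

# Usage with three constructed hops (server IPs, their tun addresses, the real
# gateway 192.168.1.1 and the last provider's resolver 10.10.0.1):
gen_chain_configs "203.0.113.10 198.51.100.20 192.0.2.30" \
                  "10.8.0.2 10.9.0.2 10.10.0.2" 192.168.1.1 10.10.0.1
```

Redirect each hop's block into a copy of that provider's config, in chain order. The tun addresses are only known once each tunnel is up, which is why a script has to bring the hops up one at a time and read the address off the new tun device before writing the next hop's config.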

Basically, the completed chain looks like this: PC <-> OPENVPN1 <-> OPENVPN2 <-> OPENVPN# <-> INTERNET

In theory there is no limit on how many hops the chain can have (correct me if I'm wrong), but there can be practical limitations such as the speed and stability of the whole chain. I tested with 3 clients and it worked fine. Feedback (see the CONTACTS section) on how many clients worked for you and what issues you had (if any) would be welcome.

TODO LIST

CHANGELOG

0.21:

0.2:

0.1: