Bash script which makes chained OpenVPN connections.
WARNING: This is a beta release and is VERY experimental right now, so use at your own risk.
WARNING: Please read the HOW TO USE VPN CHAIN section, because it contains important security information.
VPN Chain is a fork of the original VPNCHAIN bash script. I will be reworking this in either Go or Nim. For now, I will maintain this script and continue to add features and fix bugs.
VPN Chain is a bash script which makes chained OpenVPN connections. You no longer need a virtual machine for this. Once the chain is completed, you can use the internet in a more secure and private way, with all the benefits of OpenVPN.
Completed chain looks like this: PC <-> OPENVPN1 <-> OPENVPN2 <-> OPENVPN# <-> INTERNET
And yes, you can use TOR on top of chain: PC <-> OPENVPN1 <-> OPENVPN2 <-> OPENVPN# <-> TOR <-> INTERNET
There should be no limit on how many hops the chain can have (correct me if I'm wrong). I tested with 3 OpenVPNs in the chain, but I think it should work with 5 or 10 configs. Of course, there can be some practical limits, such as the speed and stability of the whole chain.
Extract files:
bash$ unzip vpnchain-XX.zip
bash$ cd vpnchain
Edit the config section of vpnchain.sh.
VPN CHAIN should work with the default configs of most OpenVPN providers (I tested 3 different ones and all worked without major changes). If you get 'file not found' errors, try changing the key and certificate paths in the config files from relative to absolute.
Use sudo to run it:
bash$ sudo ./vpnchain.sh
To exit, press CTRL+C.
If you enabled firewall blocking, run this command to flush the rules:
bash$ sudo ./vpnchain.sh flush
SECURITY WARNING: Your IP address doesn't change UNTIL THE WHOLE CHAIN IS CONNECTED. If you connect to the first OpenVPN server and then to the second, but the LAST ONE doesn't connect, your IP IS NOT changed. For your IP to change, you need to wait for the WHOLE CHAIN to be connected (wait for the green text saying 'Connected'). To avoid leaks, you can block all OUTPUT traffic in the firewall and allow only the remote OpenVPN servers' IPs and the tun devices. Otherwise, wait until the chain is completed and check your IP before doing any online activity (it should belong to your last OpenVPN provider).
NOTICE: An automatic firewall blocking option was added in version 0.2.
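
The manual lockdown described in the security warning, as an added example that is not vpnchain.sh's own firewall code: it reads the `remote` lines of each hop's config and prints iptables rules that drop all OUTPUT traffic except loopback, tun devices and the listed server IPs. The helper names and the sample configs are assumptions; hostnames are skipped because such a rule needs a fixed IP.

```shell
#!/usr/bin/env bash
# Added example, not part of vpnchain.sh: prints iptables rules, applies nothing.
# gen_killswitch_rules and write_sample_configs are hypothetical helper names.

gen_killswitch_rules() {   # usage: gen_killswitch_rules hop1.ovpn hop2.ovpn ...
    echo "iptables -P OUTPUT DROP"               # block outgoing traffic by default
    echo "iptables -A OUTPUT -o lo -j ACCEPT"    # keep loopback working
    echo "iptables -A OUTPUT -o tun+ -j ACCEPT"  # anything leaving through a tunnel
    local cfg
    for cfg in "$@"; do
        awk '
            { sub(/[#;].*/, "") }                      # strip config comments
            $1 == "port"   { dport = $2 }              # file-wide default port
            $1 == "proto"  { dproto = $2 }             # file-wide default protocol
            $1 == "remote" { n++; host[n] = $2; port[n] = $3; proto[n] = $4 }
            END {
                for (i = 1; i <= n; i++) {
                    if (host[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                        print "skipped hostname " host[i] ": pin it to an IP first" > "/dev/stderr"
                        continue
                    }
                    p = (port[i] != "") ? port[i] : (dport != "" ? dport : "1194")
                    t = (proto[i] != "") ? proto[i] : dproto
                    t = (t ~ /^tcp/) ? "tcp" : "udp"   # tcp-client, udp4, ... -> tcp/udp
                    printf "iptables -A OUTPUT -d %s -p %s --dport %s -j ACCEPT\n", host[i], t, p
                }
            }' "$cfg"
    done
}

write_sample_configs() {   # constructed sample data, documentation-range IPs
    printf 'client\nproto tcp-client\nremote 198.51.100.10 443\nroute-nopull\n' > "$1/hop1.ovpn"
    printf 'client\nremote 203.0.113.20 1195 udp # second hop\nremote vpn.example.net\n' > "$1/hop2.ovpn"
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
gen_killswitch_rules "$tmp/hop1.ovpn" "$tmp/hop2.ovpn"
rm -rf "$tmp"
```

Review the printed rules before running them as root; the `flush` command above applies only to rules created by vpnchain.sh itself.
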
After connecting, you can run Wireshark and look at the traffic:
The main idea is taken from http://forums.openvpn.net/topic7483.html. You change the default routing pushed from the OpenVPN server and manually add your own custom routing:
In the ClientA config file, add these lines:
route-nopull # disable default routing pushed from server
route
In the ClientB config file, add these lines:
route-nopull # disable default routing pushed from server
route 0.0.0.0 128.0.0.0
But this can be applied for more than two OpenVPN instances:
Client_First:
route-nopull # disable default routing pushed from server
route
Client#:
route-nopull # disable default routing pushed from server
route
Client_Last:
route-nopull # disable default routing pushed from server
route 0.0.0.0 128.0.0.0
Basically, the completed chain looks like this: PC <-> OPENVPN1 <-> OPENVPN2 <-> OPENVPN# <-> INTERNET
In theory there is no limit on how many hops the chain can have (correct me if I'm wrong), but there can be some practical limitations such as the speed and stability of the whole chain. I tested with 3 clients and it worked fine. It would be nice to get feedback (see the CONTACTS section) on how many clients it worked with for you and what issues you had (if any).
0.21:
0.2:
0.1: