Hello. Been an OpenWrt / DD-WRT user for quite some time. However, I have an oddball project and need to know if it is possible.
Location A and location B have their own ISPs.
Want to configure two routers to communicate over a private tunnel.
Then, VPN into the corporate VPN concentrator by way of connecting to one end’s private tunnel, and have the VPN connection made from the other.
So, in effect, a dual-layer VPN.
I know that a lot of VPN services offer simple VPN solutions; it is the additional VPN layer that has me stumped.
Can this be done?
Textual diagram:

    Site A . . . Private tunnel . . . Site B
      |                                 |
    Laptop
    VPN client                     VPN request
So, to the VPN concentrator, the VPN request would be coming from site B versus site A.
Laptop would receive VPN traffic.
Is this feasible?
Look at Tinc or OpenVPN.
Tinc works well between 2 or more endpoints, while OpenVPN is compatible with many VPN services *if* you ever want that, and you can use it point-to-point.
Both are packages within OpenWrt. There are a number of tutorials on the web on how to set either up on OpenWrt.
https://www.tinc-vpn.org/
That’s going to kill performance due to having a very low MTU, and lost packets are going to murder throughput because each layer will end up trying to retransmit. Recommend you look at Cloudflare Tunnel or Tailscale to allow access to private networks.
— Starfox
Sounds like you want to appear as if you are connecting to the corporate VPN from one location while in another.
WireGuard VPNs + Dyn DNS + policy-based routing.
Would this be the same thing as …
I bring up OpenVPN with ExpressVPN on my router. Then on Windows I also connect with a VPN client to ExpressVPN. Um, ExpressVPN might not like this (might not allow this) and it would screw the h out of routing, since things are set up a certain way with routing. But let’s say the 2nd VPN from Windows was a different VPN provider … might work. A quick Google search seems to indicate this is possible. In your case, you would be maintaining/controlling everything. So then it’s just a VPN tunnel within a VPN tunnel. Where you initiate it from, I guess, does not matter. How badly the bandwidth would suck is a question. And VPN takes processing on each computer, and doubling the processing doubles the system resource usage. I guess the only way to know if it will work is to set it up and give it a try.
So the question is … is it 1.) a VPN tunnel inside a VPN tunnel? Or a VPN tunnel, then another separate VPN tunnel outside of the first VPN tunnel? In other words, you are just starting a separate VPN tunnel via the WAN (Internet), not within the first one.