Dynamic OpenVPN Network with multiple droplets and configurations

July 16, 2017
VPN Networking Ubuntu 16.04

Hi there,

The short version:

Is it possible to have dynamic OpenVPN configurations based on the client profile that is connected to it?

The long version:

I was able to successfully set up an OpenVPN server on Ubuntu 16.04 with the help of this awesome tutorial:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

I have been using the VPN service with my computer for a couple of days now and everything works amazingly well. I am still relatively new to the VPN server world, but I would like to try to improve the setup for my private use.

I followed this tutorial below to set up Pi Hole for DNS based Ad blocking:
https://www.cyberciti.biz/faq/ubuntu-linux-install-pi-hole-with-a-openvpn/

This also worked without many issues, almost too well. However, sometimes I would not like to use it. Then I usually connect via SSH and change the DNS "dhcp-option" lines back to Google's nameservers. This was the first time I wondered if I could control the OpenVPN configuration based on the client profile that is connected to it. In the best case I would have two profiles that utilize different OpenVPN configurations. Is this possible?

Secondly, due to my local internet connection, I noticed that the connection between my computer and the VPN (in another country) is sometimes very slow. It would be amazing if I could create a droplet in a region closer to my location, essentially resulting in this set up.

My computer -> VPN Connection -> Droplet 1 (close to my region) -> VPN Connection -> Droplet 2 (in target region) -> Default or VPN Connection -> Target Service

I assume that I could set up an OpenVPN server and client on Droplet 1 running at the same time. That would create a network as outlined above. But again I have the big question of whether I could create multiple client profiles and, depending on which profile I connect with, control whether I use the network as outlined above or maybe connect directly from Droplet 1 to the target service. Essentially, is it possible to have dynamic OpenVPN configurations based on the client profile that is connected to the service?

With my beginner knowledge, I read that Tinc supports multiple nodes easily, but at the same time many users seem to prefer OpenVPN over Tinc.

In case it is relevant, I come from a web development background (PHP,JavaScript,etc.), but I also know my way around in bash scripting, Java and C++.

Any help is appreciated, even just links that help me to better understand the possibilities.

Thank you,

Jan

6 Answers

Hi @janrohweder

I might be misunderstanding you, but when you wrote about the link between your computer and the target service, then you lost me.
Is the target service any website/"regular internet", or is it a VPN node?

Hi @hansen ,

Thank you for your reply. Actually the target service is the least relevant item (in my point of view). I use the VPN for multiple services, but all of them are web services if that is what you are asking for, e.g. websites, but also some custom applications through custom defined ports. This part is working fine as it is right now.
I am more interested if there is some sort of dynamic configs for OpenVPN where I can change OpenVPNs config based on the client profile that connects to it.

  • @janrohweder

    But what I didn't understand was the multiple VPN tunnels - Droplet1 to Droplet2.
    It wouldn't make anything faster by VPN'ing between the two droplets - just the opposite. And it would make your setup a lot more complicated.

    If you need different configurations, then I would probably recommend that you create different users, since each user can be configured with different push commands.
    So user1 would have the Pi Hole DNS and user2 would just use a regular public DNS.

@hansen,

Thank you for your response. I really appreciate you taking the time.
The bottleneck is my local connection to Droplet 2. (the government of the country where I am currently living is limiting bandwidth to some western countries at specific times). That is why I would like to be able to connect to a droplet that is as close as possible to my location and then let that droplet connect to my target droplet. This way I overcome the local bandwidth limitation.
However, I sometimes maybe want to connect to Droplet 1 without connecting to Droplet 2, hence the dynamic configuration I anticipate.

Regarding the DNS configuration, that tip is amazing! I will have a closer look at customizing the profiles.

Thank you.

  • @janrohweder

    Which country are you connecting located in? And which data center is Droplet1 and Droplet2 in?
    It will help to try to find the best solution.
    VPN was a great creation for companies, when it was "invented", but it's even better to preserve privacy and to keep governments out of the communication.

    The reason why it didn't make any sense (your visual link description), was that if you can connect to Droplet1 without any issues/limitations, then you wouldn't get anything out of connecting Droplet1->Droplet2, since that part of the connection is maintained by DigitalOcean and their connections are not limited (meaning censorship and such), so it would be enough just to connect to Droplet1.

@hansen,

I am located in Thailand at the moment. In the evenings, connections to the USA and to Europe become horrible due to a limited bandwidth allowance of the local ISPs. However, I would like to connect to services in the USA and Europe through the VPN service running on the droplets with improved connection stability (stability is more important than latency to me). So I intend to create another droplet in Singapore. Based on my tests, connections to Singapore work great here most of the time, and I would then have that droplet connect to either the droplet in the US or in Europe, in the best case based on the client profile I connect with.

  • @janrohweder

    Okay, great. I've heard about those issues with some providers in some locations in Thailand, so I understand your situation.
    I would guess your connection to Singapore would be your best option - or maybe even Bangalore?

    In the evening, when connections are limited, try doing a few speed tests:
    http://speedtest-sgp1.digitalocean.com/

    An even better tool is called MTR, which does a traceroute-style ping to every hop between you and the end point. You simply ping the DigitalOcean speedtest server of your choice, so for Singapore it would be mtr speedtest-sgp1.digitalocean.com
    https://en.wikipedia.org/wiki/MTR_(software)

    But again, your setup should not connect two droplets via VPN. You should maybe setup two droplets in different regions (I would guess Singapore and Bangalore) and then you have multiple VPN profiles on your computer, where you only use one at the time.
    Profile 1 could be Singapore with Pi Hole as DNS
    Profile 2 could be Singapore with Google DNS
    And then the same again, but for another location like Bangalore
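The per-user push mechanism hansen describes (one profile with the Pi-hole resolver, one with a public resolver) is OpenVPN's client-config-dir: the server looks up a file named after the connecting client certificate's Common Name and applies the push lines in it, so the choice of client profile selects the configuration. The script below is an added example, not something from the thread or from the linked tutorial; the tun subnet 10.8.0.0/24, the client names jan-pihole and jan-publicdns, the output directory and the resolver addresses are all assumptions. It writes a server.conf that pushes the Pi-hole resolver to everyone by default and a CCD file for the public-DNS client that opts out. The caveat a practitioner needs: a CCD file's push lines are added to the global ones, so to replace the DNS you must first discard the global list with push-reset and then re-push everything you still want, including redirect-gateway (OpenVPN 2.4 also has push-remove, but Ubuntu 16.04 ships 2.3, where push-reset is the portable choice).

```shell
#!/bin/sh
# Added example: per-client OpenVPN push configuration via client-config-dir.
# Assumptions (not from the thread): 10.8.0.0/24 as the tun subnet, the
# Pi-hole listening on the server's tun address 10.8.0.1, and the client
# certificate Common Names "jan-pihole" and "jan-publicdns".
set -eu

OVPN_ROOT="${OVPN_ROOT:-./openvpn-demo}"   # use /etc/openvpn on a real server
PIHOLE_DNS="10.8.0.1"
PUBLIC_DNS="8.8.8.8"

# Global server settings. Every client inherits these push lines unless a
# CCD file for its certificate CN overrides them.
write_server_conf() {
  dir="$1"
  mkdir -p "$dir/ccd"
  cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
client-config-dir $dir/ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS $PIHOLE_DNS"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
EOF
}

# Per-client override. The file name must equal the client certificate's
# Common Name; that is what makes "which profile I connect with" select it.
# push-reset drops the whole inherited push list, so redirect-gateway has to
# be pushed again here or the client would lose its default route via the VPN.
write_ccd() {
  dir="$1"; cn="$2"; dns="$3"
  {
    echo "# $cn: discard the global push list, then re-push what this client needs"
    echo "push-reset"
    echo 'push "redirect-gateway def1 bypass-dhcp"'
    echo "push \"dhcp-option DNS $dns\""
  } > "$dir/ccd/$cn"
}

# Report which DNS server a client with the given CN would be pushed, by
# applying the same precedence OpenVPN uses: a CCD file containing push-reset
# replaces the global list, otherwise the global push line applies.
effective_dns() {
  dir="$1"; cn="$2"
  if [ -f "$dir/ccd/$cn" ] && grep -q '^push-reset' "$dir/ccd/$cn"; then
    f="$dir/ccd/$cn"
  else
    f="$dir/server.conf"
  fi
  sed -n 's/^push "dhcp-option DNS \([^"]*\)"/\1/p' "$f" | head -n 1
}

write_server_conf "$OVPN_ROOT"
write_ccd "$OVPN_ROOT" jan-publicdns "$PUBLIC_DNS"
# jan-pihole gets no CCD file and therefore inherits the global Pi-hole push.
echo "jan-pihole    -> $(effective_dns "$OVPN_ROOT" jan-pihole)"
echo "jan-publicdns -> $(effective_dns "$OVPN_ROOT" jan-publicdns)"
```

Each profile still needs its own client certificate (one per CN) generated the way the linked tutorial does it; a single shared certificate would give every connection the same CCD file. If you want a client to be refused when it has no CCD file, add ccd-exclusive to server.conf.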

@hansen,

Thank you very much for all the details. This is great! I think the issue is that I am partly using the VPN in Europe and the US to connect to services that are only available in those countries. With my current setup this is possible, but with a horrible connection in the evenings. That is why I wonder if I can route the traffic through Singapore (or Bangalore) before connecting to the actual second droplet.

At the same time, it would be amazing if I could use the same droplet in Singapore or Bangalore to connect directly to the service of my choice, e.g. when I just want to normally browse the web. In best case I would make the choice by connecting with two different client profiles to the droplet in Singapore (or Bangalore).

Thank you for your help. I really do appreciate it and hate to make things so complicated.

  • @janrohweder

    Ahhh, now I understand. You want to see Netflix (or similar services). Then I can understand your setup of connecting something like this:
    You(Thailand)->Droplet(Singapore/Bangalore)->Droplet(Europe/US)->Service

    It's not an easy setup - well, it's not a common setup - so I think it would be hard to find a configuration tutorial on this specifically.

@hansen sorry for the late reply. I was way too occupied with work the last few days.
If it helps, we can use Netflix as an example, but actually I am just interested in connecting to some of my clients' and my own web services that are blocked from outside Germany or the US (e.g. (s)FTP connections, etc.).

If you have any suggestions on where to start, I would highly appreciate it.

Thank you.
