Trying to run VpnHood inside another VPN client

[bizzbyster]

I want to use VpnHood to obscure my traffic within another VPN tunnel. The outer tunnel can be either a corporate VPN like Cisco AnyConnect or a consumer VPN like NordVPN. In this case, I'll use NordVPN to explain the behavior I'm seeing.

1. Connect VpnHood and everything is fine. I can browse the Internet and ping 8.8.8.8. Disconnect VpnHood.
2. Connect NordVPN and everything is fine. I can browse the Internet and ping 8.8.8.8.
3. Leave NordVPN connected and connect VpnHood. The UI says it connects but then nothing works including my pings to 8.8.8.8 time out.

My understanding is that typical VPNs like NordVPN add an interface and modify the routing on my local machine in order to intercept traffic but that NordVPN is different -- it uses Wfp (via WinDivert) to redirect the TCP connections to a local proxy above the routing layer and so it should be compatible with a routing-based VPN. Is my understanding wrong? Is it possible that NordVPN is detecting the presence of the local TCP connection redirection and so blocking everything including ICMP?

Perhaps VPNHood needs to exclude the NordVPN processes to avoid an infinite loop?

Thanks in advance for any help.

[bobvhood]

VpnHood also uses WinDivert to redirect the TCP connections to a local proxy, so I am wondering what you will achieve by running a double tunnel that both do the same job!

By the way, no VPN, nor any man in the middle can detect you are using VpnHoood. We did our best to make it exactly the same as ordinary web browsing. There is no trace unless there is a bug in VpnHood.

The UI says it connects but then nothing works including my pings to 8.8.8.8 time out.

Even double VpnHood connection to the different servers should work in theory, but perhaps not because we haven't worked on it :) I think we should make sure the WinDivert chain works properly. I am unsure what windivert does if two applications start intercepting packets using it. It may create a chain, or maybe one will stop working.

I don't think NordVPN detects the presence of the redirected local TCP connections because it is not detectable, and also, it has no benefit for them to look for it. The redirected TCP is the same as other TCP established from a local port.

If you let us understand the advantage of double VPN, we may be intrigued to work on it.

[bobvhood]

@bizzbyster I converted the issue into a discussion thread. You can follow up here.

[bizzbyster]

I'm not sure I explained the architecture very well. Let's say you are in an organization of some kind that requires you to use a software VPN client like Cisco Anyconnect but you don't want that organization to snoop your traffic. In this case, you might want something like VpnHood to operate INSIDE the organization VPN -- does that make sense?

Most VPNs are like Cisco AnyConnect or NordVPN and they accomplish the traffic interception by installing a software-based network interface (Tun/Tap driver implemented in NDIS on Windows) and updating the local routing table to send traffic to a user mode process for encryption. VpnHood should be able to interoperate with them because its interception is done via WinDivert, which uses WFP to redirect TCP connections without installing a software-based network interface and without modifying the routing table.

My guess is that VpnHood is intercepting the inner VPNs user mode process and redirecting it, which causes an infinite loop. I think this would be solved if I could exclude those processes from WinDivert.

[trudyhood]

It will not be helpful. You can simply exclude your VPN Host Source by PacketCaptureIpRanges and PacketCaptureIpRangesFilterMode in your VpnHood app settings, so VpnHood will not capture your outbound VPN packets. But, then VpnHood will not do anything for you. You should know your VPN already encapsulates your network packets, and WinDrivert captures the packets after that, so what you are trying to do will disable VpnHood at all.

[bizzbyster]

"You should know your VPN already encapsulates your network packets, and WinDrivert captures the packets after that, so what you are trying to do will disable VpnHood at all."

I think the order is the other way. For an outgoing TCP connection, WinDivert will alter the destination IP and port to the local VpnHood proxy process prior to any encryption done by my VPN. And then the connection from VpnHood client to VpnHood server will be encrypted by my VPN. So I think in this case VpnHood will do what I want it to -- obscure the traffic from the organization. Where do I set PacketCaptureIpRangesFilterMode and PacketCaptureIpRanges? I don't see those in the VpnHood UI. Thanks!

[trudyhood]

I don't think so, because I have tried that in another project. WinDivert uses WFP and processes after encryption is done to your VPN at least for Windows internal PPTP VPN mini adapter :) that's why the loop actually happens.

By the way, you can find the settings here:

"C:\Users<username>\AppData\Local\VpnHood\settings.json"
Please note that VpnHood should be closed before you save the file, otherwise It will be overwritten.

[bizzbyster]

Seems to work to exclude my VPN termination server and the VpnHood server IP when using the VpnHood public servers. But now I'm having issues setting up my own VpnHood server that I am debugging.

[trudyhood]

But now I'm having issues setting up my own VpnHood server that I am debugging.

So what is the issue:) We are with you, feel free to ask us any questions you have.

[bizzbyster]

I will post to a new thread.

[bizzbyster]

actually this is what i needed -- https://github.com/vpnhood/VpnHood/wiki/How-to-change-VpnHood-ServerIp-in-access-key. Thanks!

[trudyhood]

Happy to hear that. You may be interested to see VpnHood Access Server too. It has more control over your VpnHood servers, and you can manage and connect your VpnHood Servers.
https://github.com/vpnhood/VpnHood/wiki/VpnHood-Access-Server

[bizzbyster]

My VpnHood server is on a private network. Can I run Access Server on that private network as well?

[trudyhood]

That works, but your VpnHood server should have access to our AccessServer. The access server does not need to connect to your VpnHood server. You can try it. Since you already installed the VpnHood server, create a server profile in the access server, replace the config file, restart your VpnHood server, and see how it works. If you don't like it, replace your old config file and restart VpnHoodServer.