Double VPN, or VPN chaining, routes your traffic through two VPN servers instead of one, adding a second encrypted hop: the exit server, and anyone watching it, sees your destination but not your real IP address, while the entry server sees your IP address but is not the server that appears at the destination. This setup makes it significantly harder to trace your online activity back to you. Note that in a server-side chain like the one below the entry server decrypts your traffic before re-encrypting it towards the exit, so it has to be trusted as much as a single VPN server would be.
Using WireGuard for a double VPN means setting up two tunnels, client to Server 1 and Server 1 to Server 2, and routing the client's traffic from the first tunnel into the second.
Server 1 (VPN Entry Point):
Install WireGuard: apt install wireguard (Debian/Ubuntu) or yum install wireguard-tools (CentOS/RHEL; older releases also need the kernel module from ELRepo).
Generate keys, with umask 077 so the private key file is not world-readable: umask 077; wg genkey | tee privatekey | wg pubkey > publickey.
Configure /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <Server1 Private Key>
# one interface, two tunnels: 10.6.0.1 faces the client, 10.7.0.2 faces Server 2
Address = 10.6.0.1/24, 10.7.0.2/24
ListenPort = 51820
# wg-quick would otherwise turn the 0.0.0.0/0 peer below into a default route for Server 1 itself
Table = off
# only traffic that arrived from the client subnet is sent on to Server 2
PostUp = ip rule add from 10.6.0.0/24 table 200; ip route add default dev wg0 table 200
PostUp = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = ip rule del from 10.6.0.0/24 table 200; ip route flush table 200
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT
[Peer]
# the client
PublicKey = <Client Public Key>
AllowedIPs = 10.6.0.2/32
[Peer]
# Server 2, the exit; Server 1 initiates this second tunnel
PublicKey = <Server2 Public Key>
AllowedIPs = 0.0.0.0/0
Endpoint = <Server2 Public IP>:51820
PersistentKeepalive = 25
Enable forwarding: sysctl -w net.ipv4.ip_forward=1 (persist in /etc/sysctl.conf).
Server 2 (VPN Exit Point):
Install WireGuard: apt install wireguard (Debian/Ubuntu) or yum install wireguard-tools (CentOS/RHEL; older releases also need the kernel module from ELRepo).
Generate keys, with umask 077 so the private key file is not world-readable: umask 077; wg genkey | tee privatekey | wg pubkey > publickey.
Configure /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <Server2 Private Key>
Address = 10.7.0.1/24
ListenPort = 51820
# the exit: NAT the forwarded traffic onto the Internet (eth0 is the uplink interface name)
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Server 1; AllowedIPs must also cover the client subnet it forwards, or those packets are dropped
PublicKey = <Server1 Public Key>
AllowedIPs = 10.7.0.2/32, 10.6.0.0/24
Enable forwarding: sysctl -w net.ipv4.ip_forward=1 (persist in /etc/sysctl.conf).
Client Configuration:
Install WireGuard.
Configure /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = <Client Private Key>
Address = 10.6.0.2/32
# the resolvers are reached through the tunnel because AllowedIPs below covers them
DNS = 1.1.1.1, 1.0.0.1
[Peer]
# the client talks only to Server 1 (the entry); Server 2 is never contacted directly
PublicKey = <Server1 Public Key>
AllowedIPs = 0.0.0.0/0
Endpoint = <Server1 Public IP>:51820
PersistentKeepalive = 25
Routing on Server 1:
Only traffic that arrived from the client (source 10.6.0.0/24) may be sent on to Server 2; Server 1's own traffic, such as your SSH session and package updates, must keep its normal default route, or it would also be pushed through the exit. wg-quick's automatic handling of a 0.0.0.0/0 peer would route everything that way, so it is disabled with Table = off and replaced by a policy-routing rule: ip rule add from 10.6.0.0/24 table 200, followed by ip route add default dev wg0 table 200. Verify with ip rule show and ip route show table 200; ip route get 1.1.1.1 from 10.6.0.2 iif wg0 should answer with dev wg0.
Firewall Rules: Ensure firewalls on both servers allow WireGuard traffic (UDP port 51820): on Server 1 from the client, on Server 2 from Server 1.
IP Forwarding: Verify net.ipv4.ip_forward is enabled on both servers.
Key Exchange: Double-check public keys are correctly configured in all wg0.conf files. Mismatched keys will prevent connection; wg show lists each peer with its latest handshake time, and a peer that never completes a handshake usually has the wrong key.
MTU: Adjust MTU if experiencing connectivity issues (e.g., ip link set mtu 1420 dev wg0, or MTU = 1420 in the [Interface] section).
DNS Leaks: Ensure DNS is properly configured on the client to use a DNS server within the VPN or a public resolver like Cloudflare (1.1.1.1), so that lookups travel through the tunnel instead of going to the ISP's resolver.
Install WireGuard on both servers and the client.
Generate and exchange keys correctly.
Configure wg0.conf files with correct IPs and keys.
Enable IP forwarding on both servers.
Configure firewall rules to allow WireGuard traffic.
Verify DNS settings on the client.
Test the connection and verify that the exit IP address seen by a website is Server 2's public IP, not Server 1's.
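To catch the mistakes the checklist warns about before bringing the tunnels up (a mismatched public key, a peer whose AllowedIPs do not cover the client, a client pointed at the exit instead of the entry), here is an added example that is not part of this guide: a small Python checker that parses the three wg0.conf files and cross-checks them. The contents of each publickey file are passed in as strings; the sample configs in the block are constructed, with CLIENT_PUB, ENTRY_PUB and EXIT_PUB as placeholder keys.

```python
"""Cross-check the three wg0.conf files of a two-hop WireGuard chain. Added example, not
from the guide; the configs at the bottom are constructed and *_PUB stands in for a publickey file."""
import ipaddress

def parse_wg_conf(text):
    """Return (interface, peers). Hand-rolled: wg-quick allows several [Peer] sections."""
    interface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()             # drop comments and blank lines
        if line == "[Interface]":
            cur = interface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return interface, peers

def allowed(peer, addr):
    """True if one of the peer's AllowedIPs prefixes contains addr (a trailing /len is ignored)."""
    host = ipaddress.ip_address(addr.split("/")[0])
    return any(host in ipaddress.ip_network(p.strip(), strict=False)
               for p in peer.get("AllowedIPs", "").split(",") if p.strip())

def check_chain(client_conf, entry_conf, exit_conf, client_pub, entry_pub, exit_pub):
    """Return the problems that would stop client -> entry -> exit from carrying traffic."""
    problems = []
    c_if, c_peers = parse_wg_conf(client_conf)
    e_by = {p.get("PublicKey"): p for p in parse_wg_conf(entry_conf)[1]}
    x_by = {p.get("PublicKey"): p for p in parse_wg_conf(exit_conf)[1]}
    # Client: its peer must be the entry server, not the exit, and carry the default route.
    if not c_peers or c_peers[0].get("PublicKey") != entry_pub:
        problems.append("client: peer PublicKey is not the entry server's")
    if not any(allowed(p, "0.0.0.0") for p in c_peers):  # only a default-route prefix holds 0.0.0.0
        problems.append("client: no 0.0.0.0/0 in AllowedIPs, traffic bypasses the tunnel")
    # Entry: one peer covering the client's address, one exit peer carrying 0.0.0.0/0.
    if client_pub not in e_by or not allowed(e_by[client_pub], c_if["Address"]):
        problems.append("entry: no peer whose AllowedIPs contain the client address")
    if exit_pub not in e_by or not allowed(e_by[exit_pub], "0.0.0.0"):
        problems.append("entry: exit-server peer missing or without 0.0.0.0/0")
    # Exit: the entry-server peer must list the client subnet, or WireGuard's cryptokey
    # routing drops the forwarded packets without logging anything.
    if entry_pub not in x_by or not allowed(x_by[entry_pub], c_if["Address"]):
        problems.append("exit: entry-server peer's AllowedIPs do not cover the client address")
    return problems
# Constructed sample of the corrected chain (broken variants for testing are derived from it).
CLIENT_OK = "[Interface]\nAddress = 10.6.0.2/32\n[Peer]\nPublicKey = ENTRY_PUB\nAllowedIPs = 0.0.0.0/0\n"
ENTRY_OK = ("[Interface]\nAddress = 10.6.0.1/24, 10.7.0.2/24\n[Peer]\nPublicKey = CLIENT_PUB\n"
            "AllowedIPs = 10.6.0.2/32\n[Peer]\nPublicKey = EXIT_PUB\nAllowedIPs = 0.0.0.0/0\n")
EXIT_OK = "[Interface]\nAddress = 10.7.0.1/24\n[Peer]\nPublicKey = ENTRY_PUB\nAllowedIPs = 10.7.0.2/32, 10.6.0.0/24\n"
```

Run check_chain on the real files (read with open().read()) and the publickey contents of each machine; an empty list means the three configs agree with each other, which does not replace the handshake check with wg show.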