Cascading your VPN (Multi-Hop) with Linux

This guide explains how to set up and use a cascaded OpenVPN connection (multi-hop VPN) in a terminal on Linux. It is assumed that you know how to install software packages like wget and unzip. For other distributions you may have to use the respective package manager instead of apt. For information on how to do this, please consult the documentation of your distribution regarding the used package manager.

Requirements and preparation

To follow the steps in this guide, you should already be able to establish a single OpenVPN connection in the terminal as explained in the guide "OpenVPN in Linux Terminal".

Download OpenVPN profiles

If you have not already downloaded the OpenVPN configurations, as explained in the guide on setting up a single OpenVPN connection, you may download the OpenVPN configuration files here using the button. To download the configuration files in the terminal instead, in the /etc/openvpn/ directory use the following command: sudo wget --content-disposition https://www.perfect-privacy.com/downloads/openvpn/get?system=linux and to unpack the archive in the /etc/openvpn/ directory: sudo unzip -j linux_op24_udp_v4_AES256GCM_AU_in_ci.zip

Download View alternate downloads

Downloading the updown.sh script | Cascading your VPN (Multi-Hop) with Linux

To download the updown.sh script using wget in a terminal use the following commands: cd /etc/openvpn/ and then sudo wget https://www.perfect-privacy.com/downloads/updown.sh, and afterwards make the file executable with chmod: sudo chmod +x /etc/openvpn/updown.sh.

Alternatively you can download the script here using the browser, save the file as updown.sh in your /etc/openvpn/ directory (requires root privileges, copy for example like sudo cp ~/Downloads/updown.sh /etc/openvpn/updown.sh) and then make it executable with sudo chmod +x /etc/openvpn/updown.sh.

Establishing a VPN connection to london.perfect-privacy.com | Cascading your VPN (Multi-Hop) with Linux

If not done already, change into the /etc/openvpn/ directory and then issue the following command to establish the connection to the first hop. In this example a connection to london.perfect-privacy.com is established, hence the configuration file London.conf is used:

sudo openvpn --config London.conf --script-security 2 --route remote_host --persist-tun --up updown.sh --down updown.sh --route-noexec

Enter Perfect Privacy username and password | Cascading your VPN (Multi-Hop) with Linux

If you haven’t configured the VPN configuration file to read your password from a file, as explained in the guide "OpenVPN in Linux Terminal", you will be asked to provide your Perfect Privacy username and password.

The command to establish a connection to the next hop is displayed | Cascading your VPN (Multi-Hop) with Linux

After the connection to the first hop has been established, the script will display the necessary command with all parameters to connect to the second hop. You can copy and paste this line but you have to prepend the sudo command to it and will need to exchange <config.conf> for the configuration file of the server desired for the next hop.

Establishing the VPN connection to the next hop | Cascading your VPN (Multi-Hop) with Linux

Adding a hop: Open a new terminal, change to the /etc/openvpn/ directory, type sudo (followed by the SPACE key) and paste the connection line displayed by the script. Before you press the ENTER key though, make sure that you replace <config.conf> with the configuration of the location you want to connect to. In this example the second hop is rotterdam.perfect-privacy.com, so the configuration file Rotterdam.conf is used.

Once the connection is established you already have a cascaded VPN connection using two hops. The VPN connections are encrypted separately (tunnel in tunnel). The script will show the command for the next hop just like before.

To add a third hop, repeat the "Adding a hop" step in a new terminal window. Please note that every hop generates additional CPU load and possibly makes the connection more vulnerable regarding network instabilities (e.g. occurring routing issues).

In this example we’re continuing the cascade with reykjavik.perfect-privacy.com, so the configuration file Reykjavik.conf is used. If you want, you can add even more hops by repeating the "Adding a hop" step once more.

You can use our Check IP test also in the terminal to verify that the OpenVPN connection was established and is working correctly:

wget -q -O - https://checkip.perfect-privacy.com/csv