Is nested VPNs possible?

  • 1
  • Question
  • Updated 5 months ago
I'm considering implementing a VPN from an iOS device back to a static location for the purposes of eliminating unnecessary traffic from my browser to privacy-unfriendly sites like Facebook, Google, and various advertising services. (See simple example here: https://www.cyberciti.biz/faq/ubuntu-linux-install-pi-hole-with-a-openvpn/) However, I believe the CE VPN grabs all traffic first, sending it straight to CE, meaning I can't enlist a tunnel to also eliminate problem traffic, without supplanting the CE VPN.
Is it possible to do this in a nested format?

Steel

  • 83 Posts
  • 11 Reply Likes

Posted 5 months ago

  • 1

Bryce Oakes

  • 3 Posts
  • 0 Reply Likes
I would also like to know how this could work?

Steel

  • 83 Posts
  • 11 Reply Likes
My best guess on this would involve *sequential* VPNs, not `nested` VPNs....


Having asked the CE team (via phone) about this, there seems to be no officially-supported way to either do nested VPNs, nor to install a VPN on a non-mobile device. (Official reps, please prove me wrong on this one...) Thus, the only way I could see this happening from a technical perspective would be to set up a hosted VPN server, connect the device to that server's VPN, and then have that server's outgoing connections piped into another VPN - with this second (outbound) VPN being the CE VPN connection.

I hope this doesn't violate their ToS.

Also, the first VPN would have to be one that I (the user) have control over, as I'd have to ensure that the second hop (out of this first VPN) is directly into the CE VPN. Additionally, if we want to go for true accountability, I (the user) would have to have enough control over the VPN to route the outbound connection through the CE VPN, but not enough control to turn that routing off - i.e. "Don't let me shut it off or reroute it in a time of weakness." ... Those are a lot of stipulations. :\

If I were going to roll-my-own solution (which I'm inclined to do, if I can find the time to dedicate to it and proper testing ... not to mention maintenance), I would do it like this: 

- Set up a[n OpenVPN] server at a location / on an account that I can expect near-100% control over. (Think 'raspberry pi at my residence' or 'always-on linux server.')
- Set up an outgoing VPN connection from my OpenVPN server to connect into the CE VPN.
- Test traffic from the VPN server (curl/wget) and verify it shows up in my CE accountability report.
- Route traffic from a local computer through the OpenVPN server and verify that the traffic is detected in my accountability report.
- Add the OpenVPN connection to the mobile device and everything should be groovy.
- **Most important step**: Have a trusted, preferably on-site individual remove login credentials for all but one account from the OpenVPN server software, or the computer hosting that service, and change the credentials to something I ***do not know***. (This prevents me from going into the OpenVPN service/server and rerouting traffic off of the CE VPN and circumventing the CE services.)

Of course, there's also the processing that would occur on the self-hosted VPN server (traffic filtering / blackholing) setup that would have to go in there and be tested as well, but that's less CE-centric for this conversation. [I'd probably do that testing after confirming a local computer can connect through the OpenVPN server and its traffic shows up on the accountability report, FWIW...]
(Edited)
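To make the "outgoing connection piped into the CE VPN" step concrete, here is an added example (not Steel's code, and not anything Covenant Eyes ships) of the forwarding policy the self-hosted OpenVPN server would need so that client traffic can only leave through the second tunnel. It assumes the OpenVPN server puts clients on `10.8.0.0/24` via `tun0`, the outbound accountability VPN appears as `tun1`, and the uplink is `eth0`; all three are assumptions you must match to your own box.

```bash
#!/bin/sh
# Chained-VPN forwarding policy for a self-hosted OpenVPN server.
# Assumed interface names and client subnet (not from the original post):
CLIENT_NET="${CLIENT_NET:-10.8.0.0/24}"
CLIENT_IF="${CLIENT_IF:-tun0}"     # where the phone/laptop connects in
OUTBOUND_IF="${OUTBOUND_IF:-tun1}" # second hop: the accountability VPN
UPLINK_IF="${UPLINK_IF:-eth0}"     # physical uplink, must never carry client traffic
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands, 0 = run them (needs root)

# Print or execute a command depending on DRY_RUN, so the policy can be reviewed first.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Client traffic is forwarded only into the outbound tunnel. If tun1 is down the
# packets are dropped instead of leaking out eth0 unmonitored (a kill switch).
apply_chain_policy() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    # Replies to connections the clients opened may come back.
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # The only permitted path for new connections: client tunnel -> outbound tunnel.
    run iptables -A FORWARD -i "$CLIENT_IF" -o "$OUTBOUND_IF" -s "$CLIENT_NET" -j ACCEPT
    # Explicit refusal of client -> uplink, so a dropped tun1 cannot become a bypass.
    run iptables -A FORWARD -i "$CLIENT_IF" -o "$UPLINK_IF" -j DROP
    run iptables -P FORWARD DROP
    # Hide client addresses behind the tunnel endpoint address.
    run iptables -t nat -A POSTROUTING -s "$CLIENT_NET" -o "$OUTBOUND_IF" -j MASQUERADE
}

# Pre-check for the "curl from the server and look for it in the report" step:
# the server's own default route should already point at the outbound tunnel.
default_route_is_tunnel() {
    ip route show default 2>/dev/null | grep -q "dev $OUTBOUND_IF"
}

# Number of explicit DROP rules in the generated policy (for review; expected 1).
count_drop_rules() {
    ( DRY_RUN=1; apply_chain_policy ) | grep -c -- '-j DROP'
}

if [ "$DRY_RUN" = "1" ]; then
    apply_chain_policy
fi
```

Run it once with the default `DRY_RUN=1` to read the generated rules, then with `DRY_RUN=0` as root; the forwarding test in the post (a local computer's traffic appearing in the accountability report) is still the real confirmation.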

Bryce Oakes

  • 3 Posts
  • 0 Reply Likes
Wow, that’s a pretty impressive reply. I think setting up a Raspberry Pi would be pretty cool, but I’m not sure we need to necessarily do that yet. Covenant Eyes is itself a VPN. My question is what is their privacy policy like. Do they keep the reported information on servers over a long time? Or do they just send them out to your accountability partner? Do they have a reporting policy to government? And do they allow information recording for social media sites? Currently I run Private Internet Access (PIA). And I have about half a year's worth of subscription left, which is why I was curious.
(Edited)

Steel

  • 82 Posts
  • 11 Reply Likes
I think a request for a clear privacy policy is separate from a technical VPN discussion - although I understand why there is overlap (VPN use in the interest of privacy).

Have you directly requested the privacy policy and disclosure policies from CE?

Bryce Oakes

  • 3 Posts
  • 0 Reply Likes
No, not yet, but I intend to do so.

Steel

  • 83 Posts
  • 11 Reply Likes
Actually, I guess if the phone were completely locked down (all browsers restricted/removed and no other browser-capable apps installed), then a single VPN would take care of extraneous traffic, but at the expense of monitoring ... so if an app didn't contain a browser and then added one later, it would automatically introduce an exempted vector.