Looking to chain a personal VPN and commercial VPN

I pay for a commercial VPN service; however, I also have my own VPN that I built running on my home network using WireGuard. I would like to use my personal VPN and connect to it with my devices; then the device that is running the VPN would connect to my commercial VPN. My goal is to route all my internet traffic through my personal VPN as a protected middleman, which would then allow my data to flow through to the larger commercial VPN without issue.

An added bonus would be if I could also connect to my NAS that is running on the personal VPN device (192.168.1.XXX), while still having the protection of internet traffic being routed through to the commercial VPN.

I asked ChatGPT in all of its wisdom for an example on how this would work.
It mentioned editing the `/etc/sysctl.conf` file with the following forwarding parameters:

```
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
```

As well as the WireGuard configuration changing:

```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <WireGuard Server Private Key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o <commercial-vpn-interface> -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o <commercial-vpn-interface> -j MASQUERADE
```

I’ve never trusted it too much in the scope of security / Linux configuration. So I wanted to ask a knowledgeable group for some clarification, and also to figure out if it was even possible.

You’re overcomplicating it.

Set up the commercial VPN on your router. If all traffic from your LAN to the internet is going through that, and your personal VPN is making your remote device look like a local device, then it will connect to the internet through the same router.

Do note you have very high ping doing this.

What about buying a travel router (e.g. GL.iNet) that runs as WireGuard (entry point), whereas your notebook/smartphone etc. use your commercial VPN?

Easy solution with basically no config effort

I had a similar problem to yours.

It is possible to redirect all WG traffic to another VPN.

Redirect traffic from wg0 to another server with IPsec

Clients connect to interface wg0 and all traffic is redirected to an IPsec connection (Freeswan)

This was easy to implement … a few iptables commands will do the job.

Redirect traffic from wg1 to a remote socks5 server

This was a hard battle … Because the clients that connect to the interface wg1 know nothing about the SOCKS5 server used in the background, you need to translate the non-SOCKS5 communication into SOCKS5 communication. After a few weeks of playing around it was working. I used redsocks with Debian 12.
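One way to do the WireGuard-to-second-VPN chaining discussed in this thread without touching the router, as an added example that is not from any poster: source-based policy routing plus a forwarding allow-list, so only wg0 clients use the commercial tunnel, the NAS subnet stays reachable, and client traffic is blocked rather than sent out the ISP link if the tunnel drops. The interface names `wgvpn` and `eth0`, table `200`, and the assumption that the commercial tunnel is started without installing its own default route (for wg-quick, `Table = off`) are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: wg0 (personal WireGuard
# server), wgvpn (commercial tunnel, started WITHOUT its own default route,
# e.g. "Table = off" in wg-quick), eth0 (LAN side), routing table 200.
WG_IF=${WG_IF:-wg0};     WG_NET=${WG_NET:-10.0.0.0/24}
LAN_IF=${LAN_IF:-eth0};  LAN_NET=${LAN_NET:-192.168.1.0/24}
VPN_IF=${VPN_IF:-wgvpn}; TABLE=${TABLE:-200}

# Execute a command, or just print it when DRY_RUN=1 so it can be reviewed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# $1 = add|del for ip(8), $2 = A|D for iptables(8)
apply() {
    # Only packets sourced from WireGuard clients use the commercial tunnel.
    # The host's own traffic, including wg0's encrypted UDP replies to remote
    # peers, keeps following the main table.
    run ip route "$1" default dev "$VPN_IF" table "$TABLE"
    # Fail closed: when the tunnel drops, the kernel removes the route above
    # and clients hit this one instead of falling through to the ISP route.
    run ip route "$1" unreachable default metric 1000 table "$TABLE"
    # LAN destinations (the NAS) are looked up in main before table 200.
    run ip rule "$1" from "$WG_NET" to "$LAN_NET" lookup main priority 100
    run ip rule "$1" from "$WG_NET" lookup "$TABLE" priority 200

    # Forwarding allow-list for wg0 clients, then drop everything else.
    run iptables "-$2" FORWARD -i "$WG_IF" -o "$VPN_IF" -j ACCEPT
    run iptables "-$2" FORWARD -i "$WG_IF" -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    run iptables "-$2" FORWARD -o "$WG_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables "-$2" FORWARD -i "$WG_IF" -j DROP
    # NAT client addresses on both exits so replies find their way back.
    run iptables -t nat "-$2" POSTROUTING -s "$WG_NET" -o "$VPN_IF" -j MASQUERADE
    run iptables -t nat "-$2" POSTROUTING -s "$WG_NET" -o "$LAN_IF" -d "$LAN_NET" -j MASQUERADE
}

chain_up()   { apply add A; }
chain_down() { apply del D; }

case "${1:-}" in
    up)   chain_up ;;
    down) chain_down ;;
esac
```

Run it with `DRY_RUN=1` first to review the commands, then call it from `PostUp`/`PostDown` in place of the accept-all rules quoted in the question. The table 200 default route has to be re-added whenever the commercial tunnel restarts; until then client traffic stays blocked.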

That does sound like a good solution, but modifying the router would affect others who use it. Something I’m trying to avoid.

And yeah, ping is something I’ve been concerned about - was hoping I could test it to see if this approach was even plausible to use day-to-day.