[Openvpn-users] using public addresses


  • Subject: [Openvpn-users] using public addresses
  • From: Jon Rowell <jrowell@xxxxxxxxx>
  • Date: Wed, 11 Jan 2006 00:31:54 -0600

First, let me say that I have tried several different ways to get what I want out of openvpn but I have been unsuccessful. I am quite sure what I want can be done but I am getting lost in the details. My end result is that I want an openvpn client to be able to connect into an openvpn server and answer on a public ip address.

There are two ways I know of to do this:

1) Configure openvpn to use public ip addresses directly. The problem with this is that I have a linux router/firewall with an ip of 65.xx.xx.162. I want the openvpn server to assign itself 65.xx.xx.163 and 164 for tun0. The netmask for this particular network is 255.255.255.224. How can I write a server line in server.conf so that this happens?

2) Configure openvpn to use private addresses and then use static nat to transfer all traffic from a public ip address to one of my private addresses. I have tried doing this two ways and have been unable to get either of them to work.
a) Using the linux fast nat (iproute2) commands:
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ip route add nat 65.xx.xx.163 via 10.8.0.10
/sbin/ip rule add prio 320 from 10.8.0.10 nat 65.xx.xx.163

65.xx.xx.163 is the public address I want the openvpn client to answer on. 10.8.0.10 is the ip assigned to the client when it connects to the openvpn server.


b) Using iptables to do the nat:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p all -d 65.xx.xx.163 -i eth0 -j DNAT --to-destination 10.8.0.10
iptables -t nat -A POSTROUTING -p all -s 10.8.0.10 -o eth0 -j SNAT --to-source 65.xx.xx.163
iptables -A FORWARD -p all -d 10.8.0.10 -j ACCEPT
iptables -A FORWARD -p all -s 10.8.0.10 -j ACCEPT


These rules are pretty "open" but I would expect them to work.

Btw, when I say that I can't get these to "work" I mean that I cannot sit on a computer on the internet and ping the public ip address (65.xx.xx.163) and get a response.

I like the idea of using private addresses and then mapping public addresses to the client just because it saves an extra public ip address. At the moment anything that works would be fine. I realize that my issue (at least with item 2) is most likely a routing issue so it's probably out of scope for this list but I know that there are people doing exactly what I want to do so maybe they can at least point me in the right direction.

Jon Rowell

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
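The static 1:1 NAT from option 2b above, rewritten as an added example (not code from the original post or from the OpenVPN project) with the FORWARD rules bound to the two interfaces the traffic must actually cross and with conntrack state checked, so that a packet arriving on the WAN side with a forged 10.8.0.10 source is no longer accepted by the "-s 10.8.0.10 -j ACCEPT" rule. The address 203.0.113.163 and the interface names eth0/tun0 are assumed placeholders for the poster's 65.xx.xx.163 and interfaces; IPT="echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: 1:1 NAT of one public address onto one OpenVPN client.
# Placeholders (assumptions, override via environment):
PUBLIC_IP="${PUBLIC_IP:-203.0.113.163}"   # stands in for 65.xx.xx.163
CLIENT_IP="${CLIENT_IP:-10.8.0.10}"       # address OpenVPN handed the client
WAN_IF="${WAN_IF:-eth0}"                  # interface holding the public address
TUN_IF="${TUN_IF:-tun0}"                  # OpenVPN server interface
IPT="${IPT:-iptables}"                    # IPT="echo iptables" for a dry run

# Print the rule set one command per line so it can be reviewed before use.
# Compared with the open rules in the post:
#  - DNAT only for packets that really came in on the WAN interface;
#  - SNAT only for packets that really leave on the WAN interface;
#  - FORWARD is accepted only WAN->tun for the client and tun->WAN from the
#    client, and INVALID conntrack states (which the "-p all" rules let
#    through) are not matched at all.
nat_rules() {
    cat <<EOF
$IPT -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -j DNAT --to-destination $CLIENT_IP
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $CLIENT_IP -j SNAT --to-source $PUBLIC_IP
$IPT -A FORWARD -i $WAN_IF -o $TUN_IF -d $CLIENT_IP -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $TUN_IF -o $WAN_IF -s $CLIENT_IP -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Enable forwarding (real runs only) and execute each rule line.
apply_rules() {
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    nat_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Show what the kernel actually holds afterwards, for comparison with nat_rules.
show_rules() {
    $IPT -t nat -S PREROUTING
    $IPT -t nat -S POSTROUTING
    $IPT -S FORWARD
}

if [ "${1:-}" = apply ]; then
    apply_rules
    show_rules
fi
```

The translation is only reversed if the client's replies come back through this router over tun0: if the client's default route is its own uplink, an echo reply to the internet host leaves there with source 10.8.0.10 and never reaches the SNAT rule, which matches the "ping gets no response" symptom in the post. The client therefore needs a route for the remote host (or all traffic, via redirect-gateway) through the VPN.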