Dear Leonardo,

Thank you very much for your kind reply. I think you guided me in the right direction, indeed. I will experiment with the knowledge you decided to share.

I'm sorry if my question turned out to be finally a bit off topic, but maybe some other OpenVPN user will in future find some of the answers provided useful. When I installed OpenVPN first years ago, I couldn't figure out for days how to forward Internet traffic over OpenVPN, without sending my browser data over a Squid proxy with the address 10.xx.xx.1:3128.

So sorry again for slipping into networking questions -- won't happen again --, but my sincere thanks once more for your useful answers.

Kind regards.

Leonardo Rodrigues Magalhães wrote:
> Perfect Privacy wrote:
>> Hi again, Leonardo!
>>
>> Yes, I'm actually currently using
>>
>> iptables -t nat -A POSTROUTING -s 10.xx.xx.0/24 -o eth0 -j MASQUERADE
>>
>> on our dedicated servers to make the Internet forwarding for OpenVPN
>> work and
>>
>> iptables -t nat -A POSTROUTING -s 10.yy.yy.0/24 -o venet0 -j SNAT --to-source 216.xx.xx.37
>>
>> on our Virtual Private Servers.
>>
>> So, all I would have to do is to replace the command with
>>
>> iptables -t nat -A POSTROUTING -s 10.xx.xx.0/24 -o eth0 -j SNAT --to-source 216.xx.xx.YYY
>>
>> on our dedicated servers and with
>>
>> iptables -t nat -A POSTROUTING -s 10.yy.yy.0/24 -o venet0 -j SNAT --to-source 216.xx.xx.YYY
>>
>> on our VPS machines, where 216.xx.xx.YYY is a different IP we own, and
>> it should assign our clients this IP externally in future?
>>
>> Just want to make sure I enter the correct commands. It's not too funny
>> to be unable to access one's own machines. ;)
>>
>> Thanks for your help.
>
> Man ... I don't know your exact scenario so I prefer not to say
> what's OK or what's not OK.
>
> I can help you with the basic idea .... the rest is up to you. Luckily
> even a bad POSTROUTING rule, if you keep the '-s 10.yy.yy.0/24'
> criteria, would probably NOT kick you off of your server.
>
> Basically you have to:
>
> 1) stop using MASQUERADE and use SNAT
>    MASQUERADE works pretty well indeed, but it doesn't give you the
>    choice of choosing the external translated address
> 2) use, if desired, SNAT specifying range addresses instead of a simple
>    address
>    -j SNAT --to-source 216.xx.xx.1-216.xx.xx.10
>
> Note, as well, that locally generated connections (not forwarded
> ones), for example those served by squid, your web proxy interface, your
> socks service ... won't have the 10.yy.yy.0/24 source address and thus
> won't be affected specifically by these rules with '-s 10.xx.xx.0/24'
> parameter.
>
> Maybe you'll have to really rewrite your POSTROUTING rules so ALL
> network connections are affected and not only those with source
> 10.xx.xx.0/24.
>
> Good luck, this thread seems completely OFFTOPIC here in OpenVPN list
> by the way ....
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
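
The rule change discussed in this thread, as an added example that is not part of the original messages: a shell helper that validates the --to-source value (single address or range), appends the SNAT rule and only then deletes the MASQUERADE rule, printing the commands instead of running them unless IPT=iptables is set. The function names, the IPT variable and the sample values 10.8.0.0/24, eth0 and 203.0.113.10 are constructed for illustration; only the iptables arguments come from the thread.

```shell
#!/bin/sh
# Added example: swap a MASQUERADE rule for a fixed-address SNAT rule.
# Constructed sample values: 10.8.0.0/24 (VPN subnet), eth0, 203.0.113.10.
# Dry run by default (commands are only printed); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Accept one address or an ADDR1-ADDR2 range, the two forms used in the thread.
valid_to_source() {
    case "$1" in
        *-*) is_ipv4 "${1%%-*}" && is_ipv4 "${1#*-}" ;;
        *)   is_ipv4 "$1" ;;
    esac
}

# Print the chain, match and target of the SNAT rule, or fail on a bad address.
snat_rule() {  # usage: snat_rule SUBNET OUT_IFACE TO_SOURCE
    valid_to_source "$3" || { echo "bad --to-source: $3" >&2; return 1; }
    echo "POSTROUTING -s $1 -o $2 -j SNAT --to-source $3"
}

# Append the SNAT rule first and delete MASQUERADE second, so the VPN subnet
# always has a translation rule; the -s match is kept on both.
swap_masquerade_for_snat() {
    rule=$(snat_rule "$1" "$2" "$3") || return 1
    $IPT -t nat -A $rule &&
        $IPT -t nat -D POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

swap_masquerade_for_snat 10.8.0.0/24 eth0 203.0.113.10
```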