
Re: [Openvpn-users] How to assign random external IPs to OpenVPN users?

  • Subject: Re: [Openvpn-users] How to assign random external IPs to OpenVPN users?
  • From: Perfect Privacy <admin@xxxxxxxxxxxxxxxxxxx>
  • Date: Sun, 10 Feb 2008 18:09:12 +0100

Willy Offermans wrote:
> Hello Admin@Perfect Privacy and OpenVPN friends,
> On Sun, Feb 10, 2008 at 06:37:18AM +0100, Perfect Privacy wrote:
>> Hello,
>> We have a dedicated server with 11 external IPs. On this server, we also 
>> have an OpenVPN server installed. We have several hundreds of OpenVPN 
>> users, all of which use the same client certificate (--duplicate-cn). We 
>> also use PAM password authentication. My users are not all connected 
>> at the same time of course, but maybe one dozen to a couple of dozens of 
>> users at the same time, depending on the time of the day.
>> What now happens if an OpenVPN client connects to the OpenVPN server is 
>> that the server will assign its "main IP" to him. If he goes to 
>> http://www.whatismyip.com/ he will always see the same "main IP" of my 
>> server, while the other IPs are actually never used.
>> What I would like to achieve is that I "randomly" assign any of my 11 
>> external IPs to him, and that not always only the "main IP" is used.
>> This is maybe not directly a problem that concerns OpenVPN but more a 
>> network question.  I also have Squid installed, for example, and have 
>> the same problem there. The user always gets the same external "main IP" 
>> of my server, while the others remain unused. I, however, would like to 
>> assign "randomly" any of my 11 external IPs to him.
>> Does anybody know how this is achieved?
> I have to admit that I have serious problems to understand what exactly
> you want to achieve. For example, I don't know what you mean with ``11
> external IPs''. How is an external IP defined? I guess it would help if
> you specify those IP's. Probably you mean an IP not in the reserved
> groups like 10., 192., etc. Neither did I ever hear about a ``main IP''.
> What is a main IP?

Hello, Willy!

Yes, exactly. Let's say my server provider gives me 11 IPs to use in my 
package, reaching from 216.xx.xx.164 to 216.xx.xx.174. If I now use 
OpenVPN or Squid or a SOCKS5 proxy, the connecting client always gets 
the IP 216.xx.xx.164 assigned, while I can't get the machine to use the 
IPs 216.xx.xx.165 to 216.xx.xx.174 at all.  -- Apart from webhosting, if 
I tell Plesk to use one of them as exclusive IP for a domain. The domain 
then can be reached both under its http://www.domain-name.com/ domain 
name and the external IP I assigned to it, e.g. http://216.xx.xx.169/; 
in contrast to defining an IP as a shared IP for hosting in Plesk; then 
I can host many domains on the same IP, but none of the domains can be 
reached by entering http://216.xx.xx.167/ if this would be shared 
hosting IP.

But this is just an excursus and some observation. We don't even provide 
hosting, but it seems to be possible to use the other IPs externally 

If I use Squid or OpenVPN or a SOCKS5 proxy, however, the user always 
gets my "first" or "primary" or "main" IP assigned: 216.xx.xx.164 -- 
which I call "main IP", as the other 10 IPs seem to have a somewhat 
inferior status and are never used.  Programs like Squid permit me even 
to bind the interface to a specific IP. But if I enter there 
216.xx.xx.170, nonetheless still my first or primary or main IP 
216.xx.xx.164 is used.

I would like to know first how to change it. How to make OpenVPN (or 
Squid) assign a different external IP to a client rather than always 
216.xx.xx.164. Let's say, it shall give them 216.xx.xx.169 from now on. 
  How would this be achieved on CentOS?

In the long run, I would like that a connecting client would get any of 
the 11 IPs -- "arbitrarily", "randomly", "sequentially" -- it wouldn't 
really matter, as long as they are assigned at all and approximately 
equally often.

> However assigning IP's does ring a bell for me: DHCP server is capable
> of doing exactly this kind of a job.

I'm not sure if DHCP is the right tool to do the job. Let's say I have 
at the moment 40 clients that are connected to my OpenVPN server. Then 
all these 40 clients would get the external IP 216.xx.xx.164.  DHCP 
seems to assign a *unique* IP to every client; so even if I could manage 
it somehow with DHCP, so that DHCP gives every incoming OpenVPN user a 
different external IP, it would limit the number of OpenVPN users that 
can be connected to OpenVPN at the same time to only 11?

> Randomly assigning is again a
> little bit harder, but maybe you can find a trick like randomly changing
> MAC addresses or something like that. I really don't know. At the end I
> ask myself, why is it a problem of having the same IP over and over
> again? Maybe you can give the remaining 10 external IP's to someone
> else and live with the situation you already have.

The problem is that we have a public OpenVPN service. Pay €9.95 and you 
get an OpenVPN account at currently half a dozen servers for a 
month. This means there are always and will always be some people who 
create a certain amount of abuse or trouble. In the long run, the 
external IP every OpenVPN user gets assigned is prohibited from editing 
Wikipedia, it might be banned by e-gold and on some popular webforums, 
one-click-hosters, etc.  Not a pleasant experience for the 97% of our 
customers who use our service responsibly and legitimately to regain 
their privacy.

So even if I could change the assigned external IP every few months; 
e.g. from 216.xx.xx.164 to 216.xx.xx.170, it would help us a lot to combat 
this abuse and to provide our paying clients with "fresh" IP addresses 
that aren't banned or restricted on some popular Internet sites and 
services, yet.

Does anybody know how to change the first IP address assigned to the 
public interface in CentOS?  So that e.g. OpenVPN in future doesn't give 
  our OpenVPN clients the external IP 216.xx.xx.164 but rather 

Assigning all 11 available external IPs "randomly", "arbitrarily" or 
"sequentially" at the same time would only be a bonus.  I wonder if it's 
possible at all.