Re: [Openvpn-users] How to assign random external IPs to OpenVPN users?

  • Subject: Re: [Openvpn-users] How to assign random external IPs to OpenVPN users?
  • From: Perfect Privacy <admin@xxxxxxxxxxxxxxxxxxx>
  • Date: Sun, 10 Feb 2008 18:16:57 +0100

Roland Pope wrote:
 > Perfect Privacy wrote:
 >> Hello,
 >> We have a dedicated server with 11 external IPs. On this server, we
 >> also have an OpenVPN server installed. We have several hundred
 >> OpenVPN users, all of which use the same client certificate
 >> (--duplicate-cn). We also use PAM password authentication. My users
 >> are not all connected at the same time of course, but maybe one dozen
 >> to a couple of dozen users at the same time, depending on the time
 >> of the day.
 >> What now happens if an OpenVPN client connects to the OpenVPN server
 >> is that the server will assign its "main IP" to him. If he goes to
 >> http://www.whatismyip.com/ he will always see the same "main IP" of my
 >> server, while the other IPs are actually never used.
 >> What I would like to achieve is that I "randomly" assign any of my 11
 >> external IPs to him, and that not always only the "main IP" is used.
 >> This is maybe not directly a problem that concerns OpenVPN but more a
 >> network question.  I also have Squid installed, for example, and have
 >> the same problem there. The user always gets the same external "main
 >> IP" of my server, while the others remain unused. I, however, would
 >> like to assign "randomly" any of my 11 external IPs to him.
 >> Does anybody know how this is achieved?
 >  From a networking viewpoint, outgoing packets on an Interface generally
 > use the Primary Interface, or NIC Address. Incoming packets can be
 > directed at any one of your 11 IPs and it generally doesn't matter
 > which one, as long as any services you are connecting to are available
 > on all of them.

Yes, this seems to be the case. I observed, for example, that it doesn't
matter if I use IP 216.xx.xx.164 or IP 216.xx.xx.170 to connect with 
SSH. I still reach the same server and directory.

 > Trying to get outgoing packets to use any one of your 11 external IPs
 > would probably involve some clever firewall rules.
 > Roland

I can't imagine how this can be done in my case via firewall rules; the
only idea I have is basing them on the incoming IPs of our clients, but
that's out of the question, as we as a matter of policy couldn't store
them in any way.

But let's come to the basics first: How would I change the IP that is
assigned to the Primary Interface, or NIC address, on CentOS?  This
should, as a result, mean that every client who connects to my OpenVPN
gets assigned a different external IP, e.g. 216.xx.xx.170, instead of
the current one, e.g. 216.xx.xx.164?
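
Added example, not part of the original message or of the OpenVPN project: one way the "clever firewall rules" mentioned in the thread can be written without keying on client addresses, using the iptables `statistic` match so that each new outbound connection from the tunnel is source-NATed to the next address in turn. The tunnel subnet (10.8.0.0/24), the interface name (eth0) and the 203.0.113.x addresses are assumptions standing in for the server's real values, and every address must already be configured on the interface. The script only prints the rules; it does not apply them.

```shell
#!/bin/sh
# Added example: prints iptables SNAT rules that rotate the source address
# of new outbound VPN connections. Nothing here matches on or records the
# client's own public IP; selection happens per connection in the nat table.

# snat_rules SUBNET IFACE IP...
#   SUBNET  tunnel subnet handed out to VPN clients (assumed value)
#   IFACE   external interface (assumed value)
#   IP...   external addresses already bound to IFACE (constructed samples)
snat_rules() {
    if [ "$#" -lt 3 ]; then
        echo "usage: snat_rules SUBNET IFACE IP..." >&2
        return 1
    fi
    subnet=$1
    iface=$2
    shift 2
    remaining=$#
    for ip in "$@"; do
        if [ "$remaining" -gt 1 ]; then
            # Rule k of n sees only the connections the earlier rules passed
            # over, so "every (n-k+1)th" gives each address a 1/n share.
            match="-m statistic --mode nth --every $remaining --packet 0 "
        else
            # Last rule is unconditional and catches whatever is left.
            match=""
        fi
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s %s-j SNAT --to-source %s\n' \
            "$subnet" "$iface" "$match" "$ip"
        remaining=$((remaining - 1))
    done
}

# Demo with constructed documentation-range addresses.
snat_rules 10.8.0.0/24 eth0 203.0.113.164 203.0.113.165 203.0.113.170
```

The `nth` mode yields round-robin assignment; the same match also offers `--mode random --probability P` where a non-deterministic choice is preferred.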
