Re: [Openvpn-users] How to assign random external IPs to OpenVPN users?

  • Subject: Re: [Openvpn-users] How to assign random external IPs to OpenVPN users?
  • From: Leonardo Rodrigues Magalhães <leolistas@xxxxxxxxxxxxxx>
  • Date: Sun, 10 Feb 2008 15:33:58 -0200

Perfect Privacy wrote:
> The problem is that we have a public OpenVPN service. Pay €9.95 and you 
> get an OpenVPN account at currently half a dozen of servers for a 
> month. This means there are always and will always be some people who 
> create a certain amount of abuse or trouble. On the long run, the 
> external IP every OpenVPN user gets assigned is prohibited from editing 
> Wikipedia, it might be banned by e-gold and on some popular webforums, 
> one-click-hosters, etc.  Not a pleasant experience for the 97% of our 
> customers who use our service responsibly and legitimately to regain 
> their privacy.

    A simple question ...... usually people use OpenVPN to allow 
external users to access some private network, for database access, 
ERP/internal systems and such. It seems that you're forwarding INTERNET 
traffic as well through the VPN tunnel.

    The question is .... is it really necessary, in your case, to 
forward INTERNET traffic as well as your internal traffic?

    I'm supposing your users are reaching your OpenVPN service through 
the internet, so maybe the best way is to let them access the internet 'by 
themselves', simply not forwarding ALL traffic through the VPN tunnel, 
probably the 'redirect-gateway' parameter in your server.

    Is that an option in your situation?

> Assigning all 11 available external IPs "randomly", "arbitrarily" or 
> "sequentially" at the same time would only be a bonus.  I wonder if it's 
> possible at all.

    You can do this with iptables nat POSTROUTING rules. This has really 
nothing to do with OpenVPN. OpenVPN doesn't know about what's internal 
and what's internet traffic. OpenVPN does not do your NAT stuff. It simply 
routes things securely. If you need some complex NAT situation, iptables 
is the place to do it.

    You can simply do:

iptables -t nat -A POSTROUTING -s ip.vpn.network.0/24  -j SNAT  --to 

    that would make connections be distributed over those IP 
addresses. But note you can and probably will have new problems with 
that. Systems that use IP addresses for security reasons, for example, 
making the external IP of the user part of the session information, 
can break with that. Of course the translated IP won't change on the SAME 
connection, but http is made of a LOT of connections, so the IP may change 
between different connections and that can break some sessions on 
internet banking and stuff, for example.

    You will have problems with systems that use IP addresses to 
allow/deny something in different protocols, pop-before-smtp for 
example. A user would pop3 with one address and maybe reach smtp with 
another external address, thus not being allowed to forward their mail 
because that IP hasn't been 'seen' in the pop3 service.

    Also you should note that you don't have too many IP addresses. 11 
addresses is not a few but not that much either. Changing the external 
IP, randomizing it or anything else would be just a workaround that will 
continue to give you problems when your 11 external IP addresses have 
been 'badly used'.

    It's possible, but it will bring different problems.


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia

	My SPAMTRAP, do not email it
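The SNAT rule sketched in the reply above, written out as an added example; it is not code from the original post or from the OpenVPN project. It assumes a tunnel subnet of 10.8.0.0/24, an external pool of 203.0.113.10-203.0.113.20 (the TEST-NET-3 documentation range) and an outbound interface eth0, all constructed for illustration, and it runs in dry-run mode by default so it only prints the rules it would apply. The `--persistent` option of the SNAT target (a later netfilter feature, not mentioned in the thread) keeps a given client on the same pool address, which avoids the mid-session address changes the reply warns about while still spreading different users across the pool.

```shell
#!/bin/sh
# Added example, not from the mailing-list post.
# Constructed assumptions: tunnel subnet, external address pool and WAN
# interface below are placeholders for illustration only.
VPN_NET="${VPN_NET:-10.8.0.0/24}"                 # OpenVPN tunnel network
POOL="${POOL:-203.0.113.10-203.0.113.20}"         # external addresses to map to
WAN_IF="${WAN_IF:-eth0}"                          # interface facing the internet
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print rules, 0 = apply them

# run_or_print: apply the iptables command, or just show it when DRY_RUN=1.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# snat_rule: build the POSTROUTING SNAT rule for one of two modes.
#   spread     - plain address range: each new connection may leave with a
#                different pool address (the behaviour the reply warns about)
#   persistent - adds --persistent so one client keeps one pool address
#                across connections, which keeps IP-bound sessions intact
snat_rule() {
    mode="$1"
    case "$mode" in
        spread)     extra="" ;;
        persistent) extra="--persistent" ;;
        *) echo "unknown mode: $mode (use spread or persistent)" >&2; return 1 ;;
    esac
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s%s\n' \
        "$VPN_NET" "$WAN_IF" "$POOL" "${extra:+ $extra}"
}

# apply_snat: build the rule for the given mode and run (or print) it.
apply_snat() {
    rule=$(snat_rule "$1") || return 1
    # word splitting is intended here: the rule contains no spaces inside arguments
    # shellcheck disable=SC2086
    run_or_print $rule
}

# Usage: with DRY_RUN=1 (default) this only prints the rule it would add.
apply_snat persistent
```

With `DRY_RUN=0` the script must run as root on the VPN gateway; the `-o eth0` match limits the translation to traffic actually leaving towards the internet, so tunnel-to-tunnel or tunnel-to-LAN traffic keeps its real source address.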

