Re: [Openvpn-users] How to assign random external IPs to OpenVPN users?

  • Subject: Re: [Openvpn-users] How to assign random external IPs to OpenVPN users?
  • From: Perfect Privacy <admin@xxxxxxxxxxxxxxxxxxx>
  • Date: Sun, 10 Feb 2008 19:27:32 +0100

Leonardo Rodrigues Magalhães wrote:
> Perfect Privacy wrote:
>> The problem is that we have a public OpenVPN service. Pay €9.95 and you 
>> get an OpenVPN account at currently half a dozen of servers for a 
>> month. This means there are always and will always be some people who 
>> create a certain amount of abuse or trouble. On the long run, the 
>> external IP every OpenVPN user gets assigned is prohibited from editing 
>> Wikipedia, it might be banned by e-gold and on some popular webforums, 
>> one-click-hosters, etc.  Not a pleasant experience for the 97% of our 
>> customers who use our service responsibly and legitimately to regain 
>> their privacy.
>     A simple question ...... usually people use OpenVPN to allow 
> external users to access some private network, for database access, 
> ERP/internal systems and such. It seems that you're forwarding INTERNET 
> traffic as well through the VPN tunnel.

Yes, we are actually doing this exclusively. We don't operate the 
OpenVPN to give the clients access to internal systems -- God help us, 
we want to keep them out of our server, as far as possible! -- but 
simply to encrypt and forward their Internet traffic and to anonymize 
their IP.

I don't have to tell you that the Internet access situation in countries 
like China or the Middle East is pretty bad. We give the Chinese for 
example full, uncensored access to the Internet through our Hongkong VPN, 
and this with very good speed. Some say it's faster than their direct 
access, and they can access Wikipedia and all the other banned sites 
through our Hongkong server.

In many EU countries they began to oblige the ISPs to store all your 
Internet connection data (all sites and IPs you access), even if you are 
not a crime suspect; just store the data of everyone and to save it for 
6 months to some years. The idea became famous under the German term 
"Vorratsdatenspeicherung" and either has already been implemented by 
many EU countries or they are in the process of doing so within the next 

The ISPs have to hand the connection data over to the authorities 
without further ado and without review by an independent judge. 
Allegedly that's necessary to combat terrorism better. Of course, there 
is no public control mechanism for what and how these data are used and 
that the collected data will ever be destroyed. You can count on that 
they won't, but that they will be saved forever in some National 
Security Agency cellar. Absolute power corrupts absolutely. 
Authoritarianism is creeping back slowly under the disguise of 
"democracy", "liberty" and "war against terror."

You can read under point 1. of our FAQ what the idea is and how it is done:


>     The question is .... is it really necessary, in your case, to 
> forward INTERNET traffic as well as your internal traffic ?

Absolutely. It is necessary to forward our clients' Internet traffic, 
that's the whole idea.

>     I'm supposing your users are reaching your OpenVPN service through 
> internet, so maybe the best way is to let them access internet 'by 
> themselves', simply not forwarding ALL traffic through the VPN tunnel, 
> probably the 'redirect-gateway' parameter in your server.
>     Is that an option in your situation ?

I'm not really sure what the consequence of this would be, but if it 
would mean that all our clients' Internet traffic isn't encrypted and 
forwarded through our server and their IP isn't replaced with our 
server's IP, then it's not an option.

>> Assigning all 11 available external IPs "randomly", "arbitrarily" or 
>> "sequentially" at the same time would only be a bonus.  I wonder if it's 
>> possible at all.
>     You can do this with iptables nat POSTROUTING rules. This has really 
> nothing to do with OpenVPN. OpenVPN doesn't know about what's internal 
> and what's internet traffic. OpenVPN does not do your NAT stuff. It simply 
> routes things securely. If you need some complex NAT situation, iptables 
> is the place to do it.
>     You can simply do:
> iptables -t nat -A POSTROUTING -s ip.vpn.network.0/24 -j SNAT --to-source your.external.ip.1-your.external.ip.10
>     that would make connections be distributed over those IP 
> addresses. But note you can and probably will have new problems with 
> that. Systems that use IP addresses for security reasons, for example, 
> making the external IP of the user part of the session information, 
> can break with that. Of course the translated IP won't change on the SAME 
> connection, but HTTP is made of a LOT of connections, so the IP may change 
> between different connections and that can break some sessions on 
> internet banking and stuff, for example.
>     You will have problems with systems that use IP addresses to 
> allow/deny something in different protocols, pop-before-smtp for 
> example. A user would POP3 with one address and maybe reach SMTP with 
> another external address, thus not being allowed to forward their mail 
> because that IP hasn't been 'seen' by the POP3 service.
>     Also you should note that you don't have too many IP addresses. 11 
> addresses is not a few but not that much as well. Changing the external 
> IP, randomizing it or anything else would be just a workaround that will 
> continue to give you problems when your 11 external IP addresses have 
> been 'badly used'.
>     It's possible, but it will bring different problems.

Okay, I fully understand you here. Thanks for the command.

So every new connection, like a new HTTP connection, will get a new IP 
from this range -- randomly -- and thus the external IP of the client 
will actually change all the time? You are right, this can and will 
cause problems.

I suppose there is no way to put a time limit on this POSTROUTING, 
i.e. "choose a --to IP between your.external.ip.1-your.external.ip.10 
and use this one and only this one for the client for 1 day"?

Thank you again for your help.
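An added example, not code from this thread, showing one way to get the per-client, per-day stickiness asked about above: instead of one range SNAT, a per-source SNAT rule pins each tunnel address to a single external address, and the choice rotates once a day. It assumes clients are given fixed tunnel addresses (OpenVPN client-config-dir / ifconfig-push), a 10.8.0.0/24 VPN subnet, eth0 as the outbound interface, and constructed RFC 5737 documentation addresses standing in for the real pool of 11.

```shell
#!/bin/sh
# Added example (not from the thread): pin each VPN client to ONE external
# address for a whole day instead of spreading every connection over a
# SNAT range.  Assumes clients get fixed tunnel addresses (OpenVPN
# client-config-dir / ifconfig-push), the VPN subnet is 10.8.0.0/24 and the
# outbound interface is eth0; the external addresses are constructed
# RFC 5737 documentation addresses standing in for the real pool of 11.
VPN_NET=10.8.0
OUT_IF=eth0
EXT_IPS="203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.4 203.0.113.5 203.0.113.6 203.0.113.7 203.0.113.8 203.0.113.9 203.0.113.10 203.0.113.11"

# Day of year (1-366) with leading zeros stripped so it is not read as octal.
today() { date +%j | sed 's/^0*//'; }

# ext_ip_for CLIENT_TUN_IP [DAY]: deterministic pick from the pool.
# Same client and same day -> same address; the pick rotates when DAY changes.
ext_ip_for() {
    last=${1##*.}                  # host part of the tunnel address
    day=${2:-$(today)}
    set -- $EXT_IPS                # positional params = address pool
    shift $(( (last + day) % $# ))
    echo "$1"
}

# snat_rule_for CLIENT_TUN_IP [DAY]: the per-client POSTROUTING rule as text.
snat_rule_for() {
    printf 'iptables -t nat -A POSTROUTING -s %s/32 -o %s -j SNAT --to-source %s\n' \
        "$1" "$OUT_IF" "$(ext_ip_for "$1" "$2")"
}

# render_rules [DAY]: flush plus one rule per host .2-.254 of the VPN subnet,
# so the script can be re-run from cron once a day to rotate the mapping.
render_rules() {
    echo "iptables -t nat -F POSTROUTING"
    i=2
    while [ "$i" -le 254 ]; do
        snat_rule_for "$VPN_NET.$i" "$1"
        i=$((i + 1))
    done
}

# Print the rules by default; run with APPLY=1 (as root) to install them.
if [ "${APPLY:-0}" = 1 ]; then
    render_rules | sh
else
    render_rules
fi
```

Flushing and re-adding the chain only affects new connections: a connection that conntrack already tracks keeps the source address it was given until it ends.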
