[Openvpn-users] OFFTOPIC: How to assign random external IPs to OpenVPN users?

Perfect Privacy wrote:
Hi again, Leonardo!

Yes, I'm actually currently using

iptables -t nat -A POSTROUTING -s 10.xx.xx.0/24 -o eth0 -j MASQUERADE

on our dedicated servers to make the Internet forwarding for OpenVPN work and

iptables -t nat -A POSTROUTING -s 10.yy.yy.0/24 -o venet0 -j SNAT --to-source 216.xx.xx.37

on our Virtual Private Servers.

So, all I would have to do is to replace the command with

iptables -t nat -A POSTROUTING -s 10.xx.xx.0/24 -o eth0 -j SNAT --to-source 216.xx.xx.YYY

on our dedicated servers and with

iptables -t nat -A POSTROUTING -s 10.yy.yy.0/24 -o venet0 -j SNAT --to-source 216.xx.xx.YYY

on our VPS machines, where 216.xx.xx.YYY is a different IP we own, and it should assign our clients this IP externally in future?

Just want to make sure I enter the correct commands. It's not too funny to be unable to access one's own machines. ;)

Thanks for your help.

Man ... I don't know your exact scenario so I prefer not to say what's OK or what's not OK.

I can help you with the basic idea .... the rest is up to you. Luckily even a bad POSTROUTING rule, if you keep the '-s 10.yy.yy.0/24' criterion, would probably NOT kick you off of your server.

Basically you have to:

1) stop using MASQUERADE and use SNAT. MASQUERADE works pretty well indeed, but it doesn't give you the choice of choosing the external translated address.

2) use, if desired, SNAT specifying a range of addresses instead of a single address:

-j SNAT --to-source 216.xx.xx.1-216.xx.xx.10

Note, as well, that locally generated connections (not forwarded ones), for example those served by squid, your web proxy interface, your socks service ... won't have the 10.yy.yy.0/24 source address and thus won't be affected specifically by these rules with the '-s 10.xx.xx.0/24' parameter.

Maybe you'll have to really rewrite your POSTROUTING rules so ALL network connections are affected and not only those with source 10.xx.xx.0/24.

Good luck, this thread seems completely OFFTOPIC here in OpenVPN list by the way ....
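The MASQUERADE-to-SNAT change and the address-range variant described in the reply above, as an added helper script that is not part of the thread or of OpenVPN. It builds the iptables commands, validates the --to-source value, prints them for review by default and only executes them when APPLY=1 is set; the subnets, interfaces and public addresses in it are constructed placeholders, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the thread): generate the POSTROUTING changes
# discussed above, print them for review, and only run them when APPLY=1.
# Subnets, interfaces and public addresses are constructed placeholders.

# Accept a dotted-quad IPv4 address: four numeric octets, each 0..255.
ipv4_ok() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Accept either a single address or an a.b.c.d-a.b.c.e range, the two
# forms that SNAT --to-source takes.
source_ok() {
    case $1 in
        *-*) ipv4_ok "${1%-*}" && ipv4_ok "${1#*-}" ;;
        *)   ipv4_ok "$1" ;;
    esac
}

# Build one SNAT rule. An empty SUBNET drops the -s match so the rule
# applies to every connection leaving IFACE (the "ALL network connections"
# variant). Keep the -s match while testing: then a wrong public address
# only affects VPN clients, not the server's own sessions.
snat_rule() {
    subnet=$1 iface=$2 src=$3
    source_ok "$src" || { echo "bad --to-source: $src" >&2; return 1; }
    if [ -n "$subnet" ]; then
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
            "$subnet" "$iface" "$src"
    else
        printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' \
            "$iface" "$src"
    fi
}

# Replace an existing MASQUERADE rule for SUBNET/IFACE with SNAT to SRC.
# The old rule is deleted first so the SNAT rule is the one that matches.
migrate_masq() {
    subnet=$1 iface=$2 src=$3
    printf 'iptables -t nat -D POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$subnet" "$iface"
    snat_rule "$subnet" "$iface" "$src"
}

# Execute the generated commands only when APPLY=1; otherwise show them.
run_rules() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# Dedicated server: swap MASQUERADE for SNAT to one fixed public address.
migrate_masq 10.8.0.0/24 eth0 198.51.100.37 | run_rules
# VPS: hand out public addresses from a range, one per connection.
snat_rule 10.9.0.0/24 venet0 198.51.100.1-198.51.100.10 | run_rules
```

Run it once without APPLY to read the commands, then as root with APPLY=1 to load them. The -s match is kept in both calls on purpose: as the reply notes, a rule that still carries it cannot rewrite the server's own locally generated connections, so an address typo cannot lock you out of the box.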


