Re: [Openvpn-users] How to assign random external IPs to OpenVPN users?


  • Subject: Re: [Openvpn-users] How to assign random external IPs to OpenVPN users?
  • From: Perfect Privacy <admin@xxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 11 Feb 2008 00:21:33 +0100

Dear Leonardo,

Thank you very much for your kind reply. I think you guided me into the 
right direction, indeed. I will experiment with the knowledge you 
decided to share.

I'm sorry if my question turned out to be finally a bit off topic, but 
maybe some other OpenVPN user will in future find some of the answers 
provided useful. When I installed OpenVPN first years ago, I couldn't 
figure out for days how to forward Internet traffic over OpenVPN, 
without sending my browser data over a Squid proxy with the address 
10.xx.xx.1:3128.

So sorry again for slipping into networking questions -- won't happen 
again --, but my sincere thanks once more for your useful answers.

Kind regards.


Leonardo Rodrigues Magalhães wrote:
> 
> 
> Perfect Privacy wrote:
>> Hi again, Leonardo!
>>
>> Yes, I'm actually currently using
>>
>> iptables -t nat -A POSTROUTING -s 10.xx.xx.0/24 -o eth0 -j MASQUERADE
>>
>> on our dedicated servers to make the Internet forwarding for OpenVPN 
>> work and
>>
>> iptables -t nat -A POSTROUTING -s 10.yy.yy.0/24 -o venet0 -j SNAT --to-source 216.xx.xx.37
>>
>> on our Virtual Private Servers.
>>
>> So, all I would have to do is to replace the command with
>>
>> iptables -t nat -A POSTROUTING -s 10.xx.xx.0/24 -o eth0 -j SNAT --to-source 216.xx.xx.YYY
>>
>> on our dedicated servers and with
>>
>> iptables -t nat -A POSTROUTING -s 10.yy.yy.0/24 -o venet0 -j SNAT --to-source 216.xx.xx.YYY
>>
>> on our VPS machines, where 216.xx.xx.YYY is a different IP we own, and 
>> it should assign our clients this IP externally in future?
>>
>> Just want to make sure I enter the correct commands. It's not too funny 
>> to be unable to access one's own machines. ;)
>>
>> Thanks for your help.
> 
>    Man ... I don't know your exact scenario so I prefer not to say 
> what's OK or what's not OK.
> 
>    I can help you with the basic idea .... the rest is up to you. Luckily 
> even a bad POSTROUTING rule, if you keep the '-s 10.yy.yy.0/24' 
> criteria, would probably NOT kick you off of your server.
> 
>    Basically you have to:
> 
> 1) stop using MASQUERADE and use SNAT. MASQUERADE works pretty well 
> indeed, but it doesn't give you the choice of choosing the external 
> translated address
> 2) use, if desired, SNAT specifying range addresses instead of a simple 
> address
> -j SNAT --to-source 216.xx.xx.1-216.xx.xx.10
> 
>    Note, as well, that locally generated connections (not forwarded 
> ones), for example those served by squid, your web proxy interface, your 
> socks service ... won't have the 10.yy.yy.0/24 source address and thus 
> won't be affected specifically by these rules with '-s 10.xx.xx.0/24' 
> parameter.
> 
>    Maybe you'll have to really rewrite your POSTROUTING rules so ALL 
> network connections are affected and not only those with source 
> 10.xx.xx.0/24.
> 
>    Good luck, this thread seems completely OFFTOPIC here in OpenVPN list 
> by the way ....
> 
> 

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
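
The rule change discussed in this thread, as an added example that is not part of the original messages: a dry-run shell helper that validates an address pool and prints (never applies) the commands that swap the MASQUERADE rule for SNAT over a range while keeping the `-s` match. The function names, the 10.8.0.0/24 subnet and the 203.0.113.x documentation addresses are assumptions.

```shell
#!/bin/sh
# Added example: prints the NAT rule swap discussed in the thread; it never
# runs iptables itself. Function names and all addresses are hypothetical.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# ip_to_int ADDR: print the address as one integer so ranges can be compared.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# snat_commands SUBNET OUT_IF FIRST_IP LAST_IP
# Print the commands that replace MASQUERADE with SNAT over FIRST..LAST.
snat_commands() {
    subnet=$1 out_if=$2 first=$3 last=$4
    prefix=${subnet#*/}
    case $prefix in ''|*[!0-9]*|???*) echo "bad prefix" >&2; return 1 ;; esac
    [ "$prefix" -le 32 ] && valid_ipv4 "${subnet%/*}" ||
        { echo "bad subnet: $subnet" >&2; return 1; }
    valid_ipv4 "$first" && valid_ipv4 "$last" ||
        { echo "bad pool address" >&2; return 1; }
    [ "$(ip_to_int "$first")" -le "$(ip_to_int "$last")" ] ||
        { echo "pool range is reversed" >&2; return 1; }
    target=$first
    [ "$first" = "$last" ] || target=$first-$last
    # Keep the -s match so only forwarded VPN traffic is translated. Append
    # the SNAT rule first, then delete MASQUERADE, so NAT is never absent.
    echo "iptables -t nat -A POSTROUTING -s $subnet -o $out_if -j SNAT --to-source $target"
    echo "iptables -t nat -D POSTROUTING -s $subnet -o $out_if -j MASQUERADE"
}

# Constructed sample values (RFC 5737 documentation range).
snat_commands 10.8.0.0/24 eth0 203.0.113.1 203.0.113.10
```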