TUN can assign public IPs?

[imjebran]

Hello Michael,

How are you,

details are:-

Server OS win 2008 R2 server, have one ethernet connection connected directed WAN router, I have 125 public IP pool linked with this server, "means I can add any public IP(s) from this pool on enternet connected and I will be work"

I have installed OpenVPN then I configure OpenVPN give all necessary options as per my requirement, and give a 30 IPs pool which assigned to OpenVPN client, these 30 IPs are part of 125 IP pool linked with this server.

I have dial from client to the server, openVPN server give to the client an IP from 30 IP which I configured for incoming VPN connection, after connection established no internet activity on client end, to diagnose this issue I have take several steps are were useless, but when I add the IP(which assigned to openVPN client) on server enternet and remove it within few seconds Internet will be active on client end at same time outgoing through same IP which assigned to client, it is strange behavior,

I have dial on more session of OpenVPN from different client machine OpenVPN server assigned one more IP from 30 IP pool, same as previous internet was not active, I again do same thing add this IP on server ethernet and remove it within few seconds, internet start working for this client too.

these all IPs are Public IPs.
Please advise.

Jebran.

[maikcat]

can you post the latest configs used?

to give out ips used in your lan you must setup openvpn in bridge mode,
which needs special attention not breaking your clients routing table.

using real ips and tun interface means that you must break your subnet accordingly
for routing to work...

another approach is to hand out private ips and perform 1-to-1 NAT on your openvpn server...

please repost your latest configs used to get a picture of your current setup..

Michael.

[imjebran]

I already checked bridge mode do configure my OS interfaces bridging it will be working fine each client get Public ip and internet was working but as you know bridge-mode configure on TAP .

You are right I can use one-to-one NAT, But our priority is provide public IP directly to each client with TUN.

Config file is below.

Code: Select all

tls-server
port 80
proto tcp-server
dev tun
topology subnet
client-cert-not-required
username-as-common-name

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"  # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"

server xx.xx.229.224 255.255.255.224
;server 10.13.1.224 255.255.255.224

push "redirect-gateway def1"

;server-bridge xx.xx.229.225 255.255.255.224 xx.xx.229.226 xx.xx.229.254

cipher AES-256-CBC

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.4.4"

duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
management localhost 7505
mute 20
route-method exe
script-security 3
auth-user-pass-verify "C:/xxx.exe C:/xxx/xxx.php" via-file

[maikcat]

ok then

i assume that your openvpn servers lan ip is configured correcty...

your internet router also needs to be configured for routing correctly packets
destined from openvpn subnet to your opencpn server...

did you configured your internet router too?

Michael.

[imjebran]

Hello,

Openvpn servers lan ip is configured correctly,

your internet router also needs to be configured for routing correctly packets
destined from openvpn subnet to your opencpn server...

I have not put any additional routes on internet route, because route already configure to destined whole subnet to openVPN server.

do you thing we need to add some addition configuration on router side if I break the subnet?

Regards,
Jebran.

[maikcat]

I have not put any additional routes on internet route, because route already configure to destined whole subnet to openVPN server.

in that case your router will try to use its ethernet interface for ips that are over openvpn....

you should use the same netmask as your openvpn server uses and create a static route
for the ips given to your openvpn clients...

you do configured routing correctly right?

Michael.

[imjebran]

Hello Michael,

That is good point, I have inform our data center Network Administrator about it, and force them to add such static router separately for OpenVPN.

I will confirm you once we response from Network administrator, thanks for your support


Regards,
Jebran.

[imjebran]

Hello Michael,

How are you?

You were right

It is working after putting route on router side.

Only one thing which hesitating me that openVPN server always taking first IP from the subnet however the first IP of every subnet will use as gateway at router side.

it is possible that we force OpenVPN server to take second IP?

Regards,
Jebran.

[maikcat]

hello jebran,

You were right

i am always right and i am humble too

Only one thing which hesitating me that openVPN server always taking first IP from the subnet however the first IP of every subnet will use as gateway at router side.

i dont quite understand that....
openvpn takes the first ip derived from the subnet mask given in server directive.....

can you please post the server directive used (the mask portion) and write what ip openvpn gets?

Michael.

[imjebran]

Hi,

i am humble too

hahahaha,

can you please post the server directive used (the mask portion)

server xxx.145.50.0 255.255.255.0

write what ip openvpn gets

IP: xxx.145.50.1 Netmask 255.255.255.0

As you know I am using public IP pool so xxx.145.50.1 already configured at router side as gateway.
please advise.
Jebran.

[maikcat]

IP: xxx.145.50.1 Netmask 255.255.255.0

As you know I am using public IP pool so xxx.145.50.1 already configured at router side as gateway.
please advise.

unfortunately you have to divide your subnet....

how good is your subneting skills?

the downside is that you will lose some ips on the way....
your problem is purely ip subnetting...

regards
Michael.

[imjebran]

unfortunately you have to divide your subnet....

So If i divide my subnet IP: xxx.145.50.128 Netmask 255.255.255.128
OpenVPN server will take xxx.145.50.129 rest xxx.145.50.130 to xxx.145.50.254 for incoming VPN client.
problem is again that IP xxx.145.50.129 is gateway of this subnet am i right.

how good is your subneting skills?

I don't know

the downside is that you will lose some ips on the way

no issue if I lose few IPs.

[maikcat]

So If i divide my subnet IP: xxx.145.50.128 Netmask 255.255.255.128
OpenVPN server will take xxx.145.50.129 rest xxx.145.50.130 to xxx.145.50.254 for incoming VPN client.
problem is again that IP xxx.145.50.129 is gateway of this subnet am i right.

yes you are,
yes you need ip address re-assignment also

I don't know

i guess its time you will find out

no issue if I lose few IPs.

it depends of the number of subnets you intend to create,
using .128 mask you only lose extra 2 ips....
the problem is that you are assinging 126 ips to your clients,
if you want to assign 30 (+2) you need to brake your range by 8 (32*8)
meaning that you will loose 8*2 16 ips along the way...

Michael.

[Douglas]

Have your provider give you a /30 and route the /25 to it. No IP's lost then

[imjebran]

Hi Michael, Douglas,

Thanks for advise, I have provided static route information to our provider.

I will update you once they done it.

Regards,
Jebran.

[imjebran]

Hello Michael,

I want to say thanks to you for understanding my case.

As I open this case name "TUN can assign public IPs?" answer is YES.

It is working fine I have configure OpenVPN on windows server OS it is working, after putting static routes for subnet which assigned by OpenVPN on our router side.

Regards,
Jebran.

[maikcat]

t is working fine I have configure OpenVPN on windows server OS it is working

glad to know that things worked out for you...

closing topic.

Best regards

Michael.