One OpenVPN instance, multiple IP's

How to customize and extend your OpenVPN installation.
Devator
OpenVpn Newbie
Posts: 11
Joined: Wed Sep 14, 2011 12:10 am

One OpenVPN instance, multiple IP's

Post by Devator » Wed Sep 14, 2011 12:12 am

Hi there,

Ok, I'm using the solution number 2 posted here: http://forums.openvpn.net/topic8552-15.html

I can connect to my VPS, but when I connect using a user in the CCD list, I cannot view webpages anymore. This probably has to do with some iptables issue, although I don't know what it could be.

I've already added the IP to my server.

Could anyone point me in the right direction?

Thanks!

Bebop
Forum Team
Posts: 305
Joined: Wed Dec 15, 2010 9:24 pm

Re: One OpenVPN instance, multiple IP's

Post by Bebop » Wed Sep 14, 2011 6:12 am

Actually there is an updated and more thorough how-to guide available, here: http://forums.openvpn.net/topic8559.html

It does include some iptables. First, you should double check that your setup incorporates all the steps in the updated how-to.

If after double checking, there is any problem with your setup, I'll help you solve it (and maybe update my how-to if something is missing).
The cure for boredom is curiosity

Devator

Re: One OpenVPN instance, multiple IP's

Post by Devator » Wed Sep 14, 2011 10:14 am

Hi Bebop,

Thanks for your reply, although my problem still exists. When I do (I'm using a different local IP range):
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to MAIN_IP, you cannot browse anymore while connected to the VPN server. So I'm using (on a XEN box): iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -o eth0 -j MASQUERADE (and then browsing works again).

However, this is all using the main IP. I'm using the range 172.18.0.0/24 for the second IP, but when I connect, I do get the IP (172.18.0.5) but browsing doesn't work anymore. I've done both your iptables method and -t nat -A POSTROUTING -s 172.18.0.0/24 -o eth0:1 -j MASQUERADE (see device name) but neither of them works.

I'm not sure what to do; it looks like outgoing connections to the box fail, while incoming ones work (when I go to the external IP, I see a PHP page which is the same as the main IP).


Thanks in advance.

Bebop

Re: One OpenVPN instance, multiple IP's

Post by Bebop » Wed Sep 14, 2011 11:27 am

Devator wrote: iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to MAIN_IP - you cannot browse anymore while connected to the VPN server. So I'm using (on a XEN box): iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -o eth0 -j MASQUERADE (and then browsing works again.)
So, the difference between working and not working is simply SNAT vs Masquerade?

I think this might be the core of the entire problem. I didn't specify if I was using a XEN or OpenVZ VPS -- now looking at the SNAT rules, I can only assume it must have been OpenVZ.

So, the question is, how do we get the SNAT command to function on XEN instead of Masquerade (because masquerade doesn't allow specifying an IP).

By the way, my iptables knowledge is limited only to as far as my previous needs had caused me to research. There may be more functionality to the masquerade command than I have knowledge about.

So for now, I will test my own VPS. Also, if another expert wants to step in with superior knowledge, that will also be appreciated.
The cure for boredom is curiosity

Devator

Re: One OpenVPN instance, multiple IP's

Post by Devator » Wed Sep 14, 2011 11:56 am

Hi Bebop,

Thanks for your time!

Bebop

Re: One OpenVPN instance, multiple IP's

Post by Bebop » Thu Sep 15, 2011 1:52 am

I have not tested yet, but may have solved it. In my example code (and in yours) was:

--to
When in fact the corrected syntax should be:

--to-source
I predict this will solve the problem.
The cure for boredom is curiosity

ecrist
Forum Team
Posts: 256
Joined: Wed Nov 26, 2008 10:33 pm
Location: Minneapolis, MN
Contact:

Re: One OpenVPN instance, multiple IP's

Post by ecrist » Thu Sep 15, 2011 3:16 am

You can have multiple --local statements in your configuration. Have you tried that?

Sent from my HTC Glacier using Tapatalk
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel Twitter: @ecrist
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN

Devator

Re: One OpenVPN instance, multiple IP's

Post by Devator » Thu Sep 15, 2011 7:20 am

@Bebop: the --to-source works indeed, thanks. However, I'm still not able to browse with the second IP. I have 172.18.0.5 as local IP.

@ecrist: No, what does the local parameter do? It seems that when I put it in the config file OpenVPN isn't able to start.

Bebop

Re: One OpenVPN instance, multiple IP's

Post by Bebop » Thu Sep 15, 2011 7:53 am

May need to see your iptables script.

Does it include both:

iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT
iptables -A FORWARD -s 172.18.0.0/24 -j ACCEPT
and in server.conf:

route 172.18.0.0 255.255.255.0
The cure for boredom is curiosity

Devator

Re: One OpenVPN instance, multiple IP's

Post by Devator » Thu Sep 15, 2011 7:56 am

No, only iptables -A FORWARD -s 172.18.0.0/24 -j ACCEPT.

It seems I don't need the other iptables rule (iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT), since it just works as it is.

Bebop

Re: One OpenVPN instance, multiple IP's

Post by Bebop » Thu Sep 15, 2011 8:00 am

Devator wrote: No, only iptables -A FORWARD -s 172.18.0.0/24 -j ACCEPT.

It seems I don't need the other IPtables (iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT), since it just works as it is.
If 172.18.0.0 is the only one with forward in iptables, and it's the only one that doesn't work -- that doesn't make complete sense.. you might have a 'forward all' rule somewhere. In any case, we'll ignore this for the moment.. what about the 'route' in server.conf that I mention in my last post (edited, so you might have missed it)....
The cure for boredom is curiosity

Devator

Re: One OpenVPN instance, multiple IP's

Post by Devator » Thu Sep 15, 2011 8:05 am

Yes, it doesn't make sense to me either.

My complete openvpn.conf (server.conf) - yes, it does include route 172.18.0.0 255.255.255.0:

port 443
proto tcp-server
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.17.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-config-dir /etc/openvpn/ccd
route 172.18.0.0 255.255.255.0

Bebop

Re: One OpenVPN instance, multiple IP's

Post by Bebop » Thu Sep 15, 2011 8:22 am

I can't see much difference between your server.conf, and mine.. so I doubt the problem is there. I notice you don't have:

local 111.222.333.444          #main public ip
Maybe significant..

As for iptables I am doing:

iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.8.2.0/24 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 10.8.2.0/24 -j SNAT --to-source 123.123.255.121
You are doing?:

iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT
iptables -A FORWARD -s 172.18.0.0/24 -j ACCEPT

iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 172.18.0.0/24 -j SNAT --to-source 123.123.255.121
Now I notice a problem. You are changing the 2nd octet (172.x and 172.y) and specifying /24

I don't know network addressing schemes *that* well, but I am pretty sure it's illegal syntax. /24 cannot be used to change 172.x.0.0 ..... it's only used for 172.18.x.0....


So you might want to make a switch to the 3rd octet, OR, replace /24 with something else.
The cure for boredom is curiosity

Devator

Re: One OpenVPN instance, multiple IP's

Post by Devator » Thu Sep 15, 2011 8:37 am

Alright, I added the local tag as well. I'm doing the following iptables commands:

iptables -A FORWARD -s 172.18.1.0/24 -j ACCEPT

iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 172.18.1.0/24 -j SNAT --to-source 123.123.255.121
However, it still doesn't work, while the main IP does work. Am I missing something? Did you do anything regarding your IP? How did you add it to your Linux machine?

Bebop

Re: One OpenVPN instance, multiple IP's

Post by Bebop » Thu Sep 15, 2011 8:59 am

Devator wrote:

iptables -A FORWARD -s 172.18.1.0/24 -j ACCEPT

iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 172.18.1.0/24 -j SNAT --to-source 123.123.255.121
You got:

172.17.0.0
172.18.1.0

I can't see it working.

Ideal would be:

172.17.0.0
172.17.1.0
The cure for boredom is curiosity

Devator

Re: One OpenVPN instance, multiple IP's

Post by Devator » Thu Sep 15, 2011 9:11 am

I've changed it to 172.17.1.0; however, it still doesn't work. I'll ask my VPS provider to see if he knows anything I am probably missing.

Thanks for your awesome help though!

Bebop

Re: One OpenVPN instance, multiple IP's

Post by Bebop » Thu Sep 15, 2011 9:23 am

Now with all the changes being made...

When you changed from 2nd octet to 3rd octet, the entire system needs to reflect that.

server.conf:

local 123.123.255.120   #main Ip
.
.
.
.
route 172.17.1.0
iptables:

iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT
iptables -A FORWARD -s 172.17.1.0/24 -j ACCEPT

iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 172.17.1.0/24 -j SNAT --to-source 123.123.255.121
in /etc/openvpn/ccd/username1:

ifconfig-push 172.17.1.1 172.17.1.2
The cure for boredom is curiosity
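Added example, not code from any of the posts above: a small Python check for the kind of configuration this thread converges on (one OpenVPN instance, one VPN subnet per public IP, SNAT per subnet). It parses iptables lines as they are posted here (FORWARD ACCEPT rules and nat POSTROUTING SNAT/MASQUERADE rules), takes a client's ccd `ifconfig-push` line, and reports whether that client's address is allowed through FORWARD and which public address the first matching POSTROUTING rule would rewrite it to. POSTROUTING is walked in order and the first SNAT or MASQUERADE match wins, which is how netfilter treats those terminating targets. A client that is forwarded but matches no POSTROUTING rule is exactly the "gets an IP but cannot browse" symptom discussed above. The check also flags two pitfalls raised earlier in the thread: `--to` where `--to-source` is needed, and `-o eth0:1`, which is an IP alias label on eth0 rather than a separate device, so outgoing packets (whose device is eth0) never match it. The rule text and ccd lines are constructed from the values in the thread; 123.123.255.120/121 are the placeholder public addresses the posts already use.

```python
"""Consistency check for a multi-public-IP OpenVPN NAT setup (added example)."""
import ipaddress
import re

# Constructed sample: the final ruleset from the thread (3rd-octet scheme).
RULES_FINAL = """
iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT
iptables -A FORWARD -s 172.17.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 172.17.1.0/24 -j SNAT --to-source 123.123.255.121
"""

# Constructed sample: an earlier attempt from the thread ('--to', alias interface).
RULES_EARLY = """
iptables -A FORWARD -s 172.18.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to 123.123.255.120
iptables -t nat -A POSTROUTING -s 172.18.0.0/24 -o eth0:1 -j MASQUERADE
"""

# Only the rule shapes that appear in the thread are recognised; anything else
# raises, so a typo is never silently skipped.
RULE_RE = re.compile(
    r"^iptables\s+(?:-t\s+(?P<table>\S+)\s+)?-A\s+(?P<chain>\S+)\s+-s\s+(?P<src>\S+)"
    r"(?:\s+-o\s+(?P<oif>\S+))?\s+-j\s+(?P<target>\S+)"
    r"(?:\s+(?P<toopt>--to(?:-source)?)\s+(?P<to>\S+))?\s*$"
)


def parse_rules(text):
    """Parse iptables command lines into dicts (table defaults to 'filter')."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        rule = m.groupdict()
        rule["table"] = rule["table"] or "filter"
        rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
        rules.append(rule)
    return rules


def is_alias(oif):
    """eth0:1 is an address label on eth0, not a device netfilter can match."""
    return bool(oif) and ":" in oif


def lint_rules(rules):
    """Return human-readable findings for the pitfalls seen in the thread."""
    findings = []
    for r in rules:
        if r["target"] == "SNAT" and r["toopt"] == "--to":
            findings.append(f"{r['src']}: SNAT uses '--to'; use '--to-source'")
        if is_alias(r["oif"]):
            base = r["oif"].split(":")[0]
            findings.append(f"{r['src']}: -o {r['oif']} is an alias; packets leave via "
                            f"{base}, so this rule never matches")
    return findings


def client_address(ccd_line):
    """Address from 'ifconfig-push <ip> <peer-or-netmask>' (2nd arg not needed here)."""
    parts = ccd_line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        raise ValueError(f"not an ifconfig-push line: {ccd_line}")
    return ipaddress.ip_address(parts[1])


def check_client(rules, ccd_line):
    """Describe what the ruleset does with traffic from the client in ccd_line."""
    client = client_address(ccd_line)
    forwarded = any(r["table"] == "filter" and r["chain"] == "FORWARD"
                    and r["target"] == "ACCEPT" and client in r["src"] for r in rules)
    snat_to = None
    for r in rules:  # in-order walk; first terminating match wins
        if r["table"] != "nat" or r["chain"] != "POSTROUTING" or client not in r["src"]:
            continue
        if is_alias(r["oif"]):
            continue  # never matches a real outgoing device
        if r["target"] == "SNAT":
            snat_to = r["to"]
        elif r["target"] == "MASQUERADE":
            snat_to = "MASQUERADE (primary address of the outgoing device)"
        break
    return {"client": str(client), "forwarded": forwarded, "snat_to": snat_to}


if __name__ == "__main__":
    final = parse_rules(RULES_FINAL)
    print(check_client(final, "ifconfig-push 172.17.1.1 172.17.1.2"))  # username1
    print(check_client(final, "ifconfig-push 172.18.0.5 172.18.0.6"))  # stale ccd entry
    for finding in lint_rules(parse_rules(RULES_EARLY)):
        print("lint:", finding)
```

Run it as a script to see the two outcomes side by side: the client on 172.17.1.1 is forwarded and leaves as 123.123.255.121, while a ccd entry still handing out 172.18.0.5 after the octet change is neither forwarded nor NATed by the final ruleset. Against the early ruleset, 172.18.0.5 is forwarded but hits no usable POSTROUTING rule, so its packets would leave with a private source address.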

Devator

Re: One OpenVPN instance, multiple IP's

Post by Devator » Thu Sep 15, 2011 9:39 am

I have all this, still not working.

Could you tell me how you added the IP to your machine? I've just added the device eth0:1 with the proper IP and gateway / netmask.

Bebop

Re: One OpenVPN instance, multiple IP's

Post by Bebop » Thu Sep 15, 2011 9:45 am

I don't recall having to do anything manually..

Can you ping the machine at either IP, or just the one?
The cure for boredom is curiosity

Devator

Re: One OpenVPN instance, multiple IP's

Post by Devator » Thu Sep 15, 2011 9:48 am

I can ping them at both.
