TUN can assign public IPs?

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).

Moderators: TinCanTech

imjebran
OpenVPN Power User
Posts: 75
Joined: Tue Jul 03, 2012 10:38 am

Post by imjebran » Mon Feb 04, 2013 7:19 am

Hello,

Is there any possibility that we provide public IPs to each session using TUN?

Please advise.

Regards,
Jebran.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Post by maikcat » Mon Feb 04, 2013 8:03 am

hi there,

you can assign any ip you want...

the problem though is that public ips are routed by internet routers,
you can't simply assign a public ip to your vpn and expect that the world will know
how to route traffic back to you....(unless you are an ISP :) )

there is a reason why they are called "public"... ;)

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

Post by imjebran » Mon Feb 04, 2013 9:07 am

Hi Michael,

Thanks for the reply,

The IPs which I want to assign to VPN clients are already set in the router to pass traffic. I have tested providing our IP range through the "tap bridge" method, and it was working great.
But now I want to do the same thing through "tun", please advise.

Regards,
Jebran.

Post by maikcat » Mon Feb 04, 2013 9:41 am

tun uses routing only,
if you setup your routing accordingly then it will work...

Michael.

Post by imjebran » Mon Feb 04, 2013 10:03 am

OK, if I set up routing properly, what server directive can I use?

I have 125 public IPs (xxx.47.229.129 to xxx.47.229.255) linked with the OpenVPN server. I want to assign 30 of them, so should the server directive be
server xxx.47.229.224 255.255.255.224 ?

Kindly advise.

Regards,
Jebran.

Post by maikcat » Mon Feb 04, 2013 11:01 am

yes and you will lose 2 (network & broadcast)...

i suggest you also use mode subnet instead of p2p

Michael.

Post by imjebran » Mon Feb 04, 2013 11:46 am

Yes, definitely I don't want to lose any IP from the public pool.

What is mode subnet and how can I use it?

Regards,
Jebran.

Post by maikcat » Mon Feb 04, 2013 12:56 pm

--topology mode
Configure virtual addressing topology when running in --dev tun mode. This directive has no meaning in --dev tap mode, which always uses a subnet topology.

If you set this directive on the server, the --server and --server-bridge directives will automatically push your chosen topology setting to clients as well. This directive can also be manually pushed to clients. Like the --dev directive, this directive must always be compatible between client and server.

mode can be one of:

net30 -- Use a point-to-point topology, by allocating one /30 subnet per client. This is designed to allow point-to-point semantics when some or all of the connecting clients might be Windows systems. This is the default on OpenVPN 2.0.

p2p -- Use a point-to-point topology where the remote endpoint of the client's tun interface always points to the local endpoint of the server's tun interface. This mode allocates a single IP address per connecting client. Only use when none of the connecting clients are Windows systems. This mode is functionally equivalent to the --ifconfig-pool-linear directive which is available in OpenVPN 2.0 and is now deprecated.

subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode allocates a single IP address per connecting client and works on Windows as well. Only available when server and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the --topology directive code. When used on Windows, requires version 8.2 or higher of the TAP-Win32 driver. When used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a remote endpoint IP address.

you can assign ips like in tap mode...

Michael.

Post by imjebran » Wed Feb 06, 2013 11:48 am

Hello Michael,

Thanks for the document. I have configured the server as documented, to my understanding, but I am still getting some errors. Kindly note the details given below.

{server config}

mode server
tls-server
port 80
dev tun
topology subnet
client-cert-not-required
username-as-common-name

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"  # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
ifconfig 10.2.13.1 10.2.13.10
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-CBC
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
mute 20
route-method exe
script-security 3
auth-user-pass-verify "C:/php/php.exe C:/scripts/ldap.php" via-file 

{client config}

client
dev tun
proto tcp
remote xx.xx.229.130 80
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
mute 20
route-method exe
route-delay 2
auth-user-pass login.conf
reneg-sec 0
tun-mtu 1500
mssfix 1450

Getting an error in the client-side logs, please advise.

Wed Feb 06 16:28:11 2013 SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
Wed Feb 06 16:28:11 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 8.8.4.4,ping 10,ping-restart 120'
Wed Feb 06 16:28:11 2013 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb 06 16:28:11 2013 OPTIONS IMPORT: route options modified
Wed Feb 06 16:28:11 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Feb 06 16:28:11 2013 ROUTE default_gateway=192.168.20.1
Wed Feb 06 16:28:11 2013 TAP-WIN32 device [Open connection] opened: \\.\Global\{9D9D0336-1476-4B02-A401-5C59FEFE2449}.tap
Wed Feb 06 16:28:11 2013 TAP-Win32 Driver Version 9.6
Wed Feb 06 16:28:11 2013 TAP-Win32 MTU=1500
Wed Feb 06 16:28:11 2013 ERROR: --dev tun also requires --ifconfig
Wed Feb 06 16:28:11 2013 Exiting

Post by maikcat » Wed Feb 06, 2013 1:08 pm

please edit your server config to:

tls-server
port 80
proto tcp-server
dev tun
topology subnet
client-cert-not-required
username-as-common-name
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key" # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
server 10.2.13.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
cipher AES-256-CBC
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
route-method exe
script-security 3
auth-user-pass-verify "C:/php/php.exe C:/scripts/ldap.php" via-file

Post by imjebran » Wed Feb 06, 2013 2:43 pm

Dear Michael,

As per your advice I have edited the conf file, but the service could not start, giving the errors below one by one.

Options error: --duplicate-cn requires --mode server
Options error: --client-cert-not-required requires --mode server
Options error: --username-as-common-name requires --mode server
Options error: --auth-user-pass-verify requires --mode server

Regards,
Jebran.

Post by maikcat » Wed Feb 06, 2013 2:52 pm

did you add this:

server 10.2.13.0 255.255.255.0

Michael.

Post by imjebran » Thu Feb 07, 2013 9:02 am

Yes, it is working after this, but internet traffic is not working. I am checking the network configuration from the server side.

Regards,
Jebran.

Post by imjebran » Sat Feb 09, 2013 1:47 pm

Dear Michael,

It is working now. :D

My Windows server assigned public IPs to each session over OpenVPN, and clients pass their traffic through the assigned IPs directly, but it needs some manual work on the Windows OS to put in some manual routes for the assigned IPs.

Just advise is it possible that OpenVPN server but route at server side when connection established and remove it when IP release or client disconnect session.

Regards,
Jebran.

Post by imjebran » Wed Feb 13, 2013 8:54 am

Dear Michael,

When I add once the public IP pool which I want to provide through OpenVPN on my network connection, then remove it after a few minutes.

It is working and OpenVPN clients can pass their internet traffic since I do not restart the server.

Kindly advise if you have an idea in this regard.
Jebran.

Post by maikcat » Wed Feb 13, 2013 9:06 am

> Just advise is it possible that OpenVPN server but route at server side when connection established and remove it when IP release or client disconnect session.

because my english is not very good...

can you please explain it a little bit more?

Michael.

Post by imjebran » Wed Feb 13, 2013 9:28 am

My English is not good, it was my mistake,

> Just advise is it possible that OpenVPN server but route at server side when connection established and remove it when IP release or client disconnect session.

I meant to say "is it possible that OpenVPN server put a route on server site, when a VPN connection established"

But I have tested the above thing and it is not working in our scenario :(

Regards,
Jebran.

Post by maikcat » Wed Feb 13, 2013 10:32 am

> i meant to say "is it possible that OpenVPN server put a route on server site, when a VPN connection established"

openvpn supports client-connect directive which you can use
combined with a shell script checking and modifying routing table on the fly...

Michael.

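The hook maikcat describes, together with the address arithmetic behind the earlier `server xxx.47.229.224 255.255.255.224` question, as an added Python example that is not part of the thread or of OpenVPN. It assumes a Linux server with iproute2, a tunnel device named tun0, and the documentation range 203.0.113.224/27 in place of the masked addresses; `script_type` and `ifconfig_pool_remote_ip` are environment variables OpenVPN sets for these hooks.

```python
import ipaddress
import os
import subprocess
import sys

# Assumptions, not from the thread: Linux server with iproute2, device tun0, and
# 203.0.113.224/27 (documentation range) in place of the masked xxx.47.229.224.
TUN_DEV = "tun0"
SERVER_DIRECTIVE = ("203.0.113.224", "255.255.255.224")


def client_pool(network, netmask):
    """Split a `server <network> <netmask>` block as topology subnet does.

    Network and broadcast are unusable and the first host becomes the server's
    tun address; the rest is an upper bound on what clients can be given.
    """
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    hosts = list(net.hosts())
    return hosts[0], hosts[1:]


def route_command(env, pool):
    """Build the argv for one hook call; raise ValueError on bad input."""
    actions = {"client-connect": "replace", "client-disconnect": "del"}
    action = actions.get(env.get("script_type", ""))
    if action is None:
        raise ValueError("not called as client-connect or client-disconnect")
    # Parse the address instead of trusting the string, then pin it to the pool.
    ip = ipaddress.ip_address(env.get("ifconfig_pool_remote_ip", ""))
    if ip not in pool:
        raise ValueError(f"{ip} is outside the client pool")
    # argv list, no shell. common_name is deliberately unused: with
    # username-as-common-name it is whatever the client typed.
    return ["ip", "route", action, f"{ip}/32", "dev", TUN_DEV]


if __name__ == "__main__":
    _, pool = client_pool(*SERVER_DIRECTIVE)
    try:
        cmd = route_command(os.environ, pool)
    except ValueError as exc:
        # A non-zero exit from client-connect makes OpenVPN reject the client.
        sys.exit(f"route hook refused: {exc}")
    sys.exit(subprocess.call(cmd))
```

Point both `client-connect` and `client-disconnect` at the script. `script-security 2` is sufficient for it and for `auth-user-pass-verify ... via-file`; level 3 is only needed when passwords are handed to scripts through the environment.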

Post by imjebran » Wed Feb 13, 2013 12:15 pm

Dear Michael,

Thanks for "client-connect directive"

Have you read my other reply about adding IPs on the ethernet connection once and removing them after a few seconds, then Internet starts working on the VPN client, any idea?

Regards,
Jebran.

Post by maikcat » Wed Feb 13, 2013 12:25 pm

> Have you read my other reply about adding IPs on the ethernet connection once and removing them after a few seconds, then Internet starts working on the VPN client, any idea?

can you give more technical info please..?


Michael.