dynamic IP
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVPN User
- Posts: 27
- Joined: Mon Feb 28, 2011 1:46 pm
dynamic IP
hi,
I have OpenVPN on a Debian server and it's working fine. Now I would like to assign a dynamic outbound IP to my clients. My provider gave me 5 IPs.
How do I have to configure OpenVPN, please?
P.S. Sorry for my English.
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: dynamic IP
greg wrote: i would like to assign dynamic out-bounding IP for my clients
By dynamic do you mean a new random IP each time a client connects?
Example:
I am a client and I connect to your VPN. I visit http://www.whatismyip.com and I see that my IP is 111.222.333.444.
Now I disconnect and reconnect to the VPN and visit http://www.whatismyip.com again. I see that my IP has now changed to 555.111.222.333.
So I can browse the internet etc. with a possible 5 distinct external IP addresses.
If yes, then your solution would most likely be solved with a client-connect script, which modifies IPTABLES forwarding rules.
Can you post the OpenVPN-relevant section of your IPTABLES code here in this thread? (Change any references to your real external IPs to some random IP, if you value your privacy.)
e.g.:
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 111.111.111.111
The cure for boredom is curiosity
-
- OpenVPN User
- Posts: 27
- Joined: Mon Feb 28, 2011 1:46 pm
Re: dynamic IP
Thanks a lot for your reply,
so I did this:
iptables -t nat -A POSTROUTING -s 10.6.0.0/16 -o eth0 -j SNAT --to 113.111.77.1
and that's working fine.
Can I do it like this?
iptables -t nat -A POSTROUTING -s 10.6.0.0 10.6.0.20 -o eth0 -j SNAT --to 113.111.77.1
iptables -t nat -A POSTROUTING -s 10.6.0.21 10.6.0.30 -o eth0 -j SNAT --to 113.111.77.2
iptables -t nat -A POSTROUTING -s 10.6.0.0 31.6.0.40 -o eth0 -j SNAT --to 113.111.77.3
Thanks again
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: dynamic IP
I assume you mean to map the addresses 0.0 - 0.20 to 77.1, 0.21 - 0.30 to 77.2 etc. It is possible to map different address ranges to different public IPs, it's just that the ranges you choose are not possible. What should work is this:
This will map the first 16 addresses to .1, the second 16 to .2 etc.
Code:
iptables -t nat -A POSTROUTING -s 10.6.0.0/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.1
iptables -t nat -A POSTROUTING -s 10.6.0.16/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.2
iptables -t nat -A POSTROUTING -s 10.6.0.32/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.3
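janjust's rules express each range as a block aligned to its own size, which is all a plain `-s address/mask` can say. An arbitrary range such as 10.6.0.21-10.6.0.30 is still matchable in iptables with the `iprange` extension (`-m iprange --src-range`). The script below is an added example, not from the thread or from OpenVPN: it decides which form a range needs (aligned CIDR block, or iprange otherwise), emits the rule, and carves a pool into consecutive blocks for a list of public IPs. It only prints the iptables commands, so the result can be reviewed before anything is applied. eth0 and the 113.111.77.x addresses are taken from the thread; nothing else on the page is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): generate POSTROUTING SNAT rules that
# map a range of tunnel addresses to one public IP. A range that is exactly
# one CIDR block (size a power of two, start aligned to that size) becomes an
# "-s A/P" match; anything else uses "-m iprange --src-range A-B".
# Assumed: egress interface eth0 (override with OUT_IF) as in the thread.

OUT_IF=${OUT_IF:-eth0}

ip2int() {   # dotted quad -> unsigned integer
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

int2ip() {   # unsigned integer -> dotted quad
    echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}

# Print "A/P" when [first,last] is exactly one CIDR block; otherwise print
# nothing and return 1. This is the check that a plain -s mask cannot express
# a range like 10.6.0.21-10.6.0.30.
cidr_for_range() {   # $1 first address, $2 last address
    s=$(ip2int "$1"); e=$(ip2int "$2")
    [ "$e" -ge "$s" ] || return 1
    size=$(( e - s + 1 ))
    [ $(( size & (size - 1) )) -eq 0 ] || return 1   # power of two
    [ $(( s % size )) -eq 0 ] || return 1             # aligned to its own size
    p=32; n=$size
    while [ "$n" -gt 1 ]; do n=$(( n / 2 )); p=$(( p - 1 )); done
    echo "$1/$p"
}

# Source-match arguments: CIDR when possible, iprange extension otherwise.
src_match() {
    if cidr=$(cidr_for_range "$1" "$2"); then
        echo "-s $cidr"
    else
        echo "-m iprange --src-range $1-$2"
    fi
}

# One complete rule for "this range -> this public IP" (printed, not run).
snat_rule_for_range() {   # $1 first, $2 last, $3 public ip
    echo "iptables -t nat -A POSTROUTING $(src_match "$1" "$2") -o $OUT_IF -j SNAT --to-source $3"
}

# Carve consecutive blocks of bsize addresses out of base, block i -> i-th
# public IP. Addresses past the last block get no rule, so either keep the
# pool that small or add a catch-all rule after these.
block_rules() {   # $1 base address, $2 block size, $3 "pub1 pub2 ..."
    base=$(ip2int "$1"); bsize=$2; i=0
    for pub in $3; do
        start=$(( base + i * bsize )); end=$(( start + bsize - 1 ))
        snat_rule_for_range "$(int2ip "$start")" "$(int2ip "$end")" "$pub"
        i=$(( i + 1 ))
    done
}

# The thread's cases: an aligned /28, then a range that needs iprange,
# then five consecutive /28 blocks covering 10.6.0.0-10.6.0.79.
snat_rule_for_range 10.6.0.16 10.6.0.31 113.111.77.2
snat_rule_for_range 10.6.0.21 10.6.0.30 113.111.77.2
block_rules 10.6.0.0 16 "113.111.77.1 113.111.77.2 113.111.77.3 113.111.77.4 113.111.77.5"
```

Pipe the output into `sh` only after reading it; with `-s 10.6.0.0/16` rules already present, order matters, because the first matching POSTROUTING rule wins, so the narrower per-block rules must come before a broad catch-all.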
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: dynamic IP
greg wrote: can i do like this?
Sure. Is that dynamic enough for you though?
I was thinking to add a level of automation such as:
In server.conf, add the lines for the client-connect and client-disconnect scripts:
Code:
client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh
clientconnect.sh:
Code:
#!/bin/bash
ip=$ifconfig_pool_remote_ip
last_octet = 1
random_num = $last_octet + ($RANDOM % 5)
iptables -t nat -A POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.$random_num
exit 0
clientdisconnect.sh:
Code:
#!/bin/bash
ip=$ifconfig_pool_remote_ip
iptables -t nat -D POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.1
iptables -t nat -D POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.2
iptables -t nat -D POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.3
iptables -t nat -D POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.4
iptables -t nat -D POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.5
#why delete the same local ip 5 times? because due to the randomness
#factor of the connect script, and due to the fact that we are not using
#a mysql or other storage, we don't know what external IP was assigned.
#So we make 5 guesses and know that 1 is right, and the other 4 are harmless.
exit 0
With that said, the code provided by janjust will be a great alternative.
Code:
iptables -t nat -A POSTROUTING -s 10.6.0.0/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.1
iptables -t nat -A POSTROUTING -s 10.6.0.16/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.2
iptables -t nat -A POSTROUTING -s 10.6.0.32/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.3
iptables -t nat -A POSTROUTING -s 10.6.0.48/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.4
iptables -t nat -A POSTROUTING -s 10.6.0.64/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.5
# five consecutive /28 blocks, i.e. 10.6.0.0-10.6.0.79; clients outside that range get no SNAT rule
The cure for boredom is curiosity
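Bebop's disconnect script has to guess five times because nothing recorded which public IP the connect hook picked. The following is an added example, not code from the thread or from OpenVPN: one hook file that serves both `client-connect` and `client-disconnect`, records the choice per client address in a state directory so the disconnect side deletes exactly one rule, validates the address before splicing it into a command line, and uses `iptables -C` so a hook that runs twice cannot stack duplicate rules. Assumptions not in the thread: the hook path /etc/openvpn/snat-hook.sh and the state directory /var/run/openvpn-snat. `script_type` and `ifconfig_pool_remote_ip` are the standard variables OpenVPN exports to these hooks; the public IPs 113.111.77.1-5 and eth0 come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: one script for both client-connect and
# client-disconnect. OpenVPN sets $script_type to the hook name and
# $ifconfig_pool_remote_ip to the client's tunnel address. Assumed (not in the
# thread): STATE_DIR=/var/run/openvpn-snat, writable by the user the hook
# runs as; IPTABLES can be set to "sudo -n iptables" when that user is not root.
set -u

PUBLIC_IPS="113.111.77.1 113.111.77.2 113.111.77.3 113.111.77.4 113.111.77.5"
OUT_IF=${OUT_IF:-eth0}
STATE_DIR=${STATE_DIR:-/var/run/openvpn-snat}
IPTABLES=${IPTABLES:-iptables}

# Accept only a plausible dotted quad. The value ends up on an iptables
# command line and in a file name, so check it even though OpenVPN sets it.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s\n' "$ip" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Pick one of the public IPs at random for this session.
pick_egress_ip() {
    set -- $PUBLIC_IPS
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    [ -n "$r" ] || r=$$
    shift $(( r % $# ))
    echo "$1"
}

# The match part is identical for -A, -C and -D, so build it in one place.
snat_rule() {   # $1 client address, $2 public address
    echo "POSTROUTING -s $1/32 -o $OUT_IF -j SNAT --to-source $2"
}

on_connect() {
    client=$1
    valid_ipv4 "$client" || { echo "refusing bad client address: $client" >&2; return 1; }
    egress=$(pick_egress_ip)
    rule=$(snat_rule "$client" "$egress")
    mkdir -p "$STATE_DIR" || return 1
    # -C succeeds if an identical rule exists; only then skip -A, so a
    # restarted server or reused pool address cannot pile up duplicates.
    $IPTABLES -t nat -C $rule 2>/dev/null || $IPTABLES -t nat -A $rule || return 1
    echo "$egress" > "$STATE_DIR/$client"
}

on_disconnect() {
    client=$1
    valid_ipv4 "$client" || return 1
    [ -f "$STATE_DIR/$client" ] || { echo "no recorded egress for $client" >&2; return 1; }
    egress=$(cat "$STATE_DIR/$client")
    # Delete exactly the rule that was added, no guessing.
    $IPTABLES -t nat -D $(snat_rule "$client" "$egress") || return 1
    rm -f "$STATE_DIR/$client"
}

# Dispatch on the hook OpenVPN is running; nothing happens when sourced elsewhere.
case ${script_type:-} in
    client-connect)    on_connect "${ifconfig_pool_remote_ip:-}" ;;
    client-disconnect) on_disconnect "${ifconfig_pool_remote_ip:-}" ;;
esac
```

server.conf then needs `script-security 2` plus `client-connect /etc/openvpn/snat-hook.sh` and `client-disconnect /etc/openvpn/snat-hook.sh` (path assumed). The rules match the client's own /32, so they work whatever the pool is (the posted server.conf uses 10.8.0.0/24 while the earlier rules assumed 10.6.0.0/16), but the FORWARD accept rule must still cover the pool actually in use. The hooks run as the server's user: if `user nobody` and `group nogroup` are kept, set IPTABLES to `sudo -n iptables` with a sudoers entry limited to that command (which still lets that user change any firewall rule) and create STATE_DIR at boot owned by that user; commenting user/group out instead, as suggested later in the thread, avoids the sudo setup at the cost of running the whole server as root.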
-
- OpenVPN User
- Posts: 27
- Joined: Mon Feb 28, 2011 1:46 pm
Re: dynamic IP
Thanks a lot!
With those 2 lines in openvpn.conf I can't connect to OpenVPN.
Code:
client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh
In the logs:
Code:
openvpn_execve: external program may not be called due to setting of --script-security level
client-connect command failed: external program fork failed
Here is my openvpn.conf:
Code:
dev tun
proto udp
port 1194
####### keys #######
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/vpnd.crt
key /etc/openvpn/easy-rsa/2.0/keys/vpn.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key
#################
# all clients use the same key
duplicate-cn
# allows the same address to be reassigned to each client
#ifconfig-pool-persist ipp.txt
cipher AES-256-CBC
user nobody
group nogroup
# subnet that will make up the virtual network
server 10.8.0.0 255.255.255.0
#daemon
#writepid /var/run/openvpn.pid
keepalive 20 120
# for more security, chroot
#chroot /etc/openvpn/openvpn_jail
client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh
# must not re-read the key when the connection is reset
persist-key
# must not reconfigure the interface when the connection is reset
persist-tun
plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn
client-cert-not-required
username-as-common-name
#client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# data compression
comp-lzo
max-clients 200
status status/openvpntest-status.log
log-append /var/log/openvpn/server-test.log
verb 2
#client-config-dir ccd
#route 192.168.1.0 255.255.255.0
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: dynamic IP
If you want to use such a client-connect/client-disconnect script then
* comment out the lines
Code:
user nobody
group nogroup
* add the line
Code:
script-security 2
-
- OpenVPN User
- Posts: 27
- Joined: Mon Feb 28, 2011 1:46 pm
Re: dynamic IP
OK, I put that in openvpn.conf:
Code:
--script-security 3
And now in the logs I have:
Code:
/etc/openvpn/clientconnect.sh: line 4: last_octet: command not found
/etc/openvpn/clientconnect.sh: line 5: syntax error near unexpected token `('
/etc/openvpn/clientconnect.sh: line 5: `random_num = $last_octet + ($RANDOM % 5) '
client-connect command failed: external program exited with error status: 2
Tue Mar 1 13:42:09 2011 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Tue Mar 1 13:42:11 2011 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: dynamic IP
Now I know why Bebop's script did not make sense to me.
Try changing the line
random_num = $last_octet + ($RANDOM % 5)
to
let random_num = $last_octet + $RANDOM % 5
-
- OpenVPN User
- Posts: 27
- Joined: Mon Feb 28, 2011 1:46 pm
Re: dynamic IP
Now in the logs:
Code:
/etc/openvpn/clientconnect.sh: line 4: last_octet: command not found
/etc/openvpn/clientconnect.sh: line 5: let: =: syntax error: operand expected (error token is "=")
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: dynamic IP
Ah doh, I knew I should have tested it before posting.
Try
Code:
let random_num=1+$RANDOM%5
and read up on bash scripting.
-
- OpenVPN User
- Posts: 27
- Joined: Mon Feb 28, 2011 1:46 pm
Re: dynamic IP
OK, now I can connect but I don't have access to the internet. It seems to be a problem with iptables:
Code:
Server:~# /etc/openvpn/clientconnect.sh
Bad argument `eth0'
Try `iptables -h' or 'iptables --help' for more information.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: dynamic IP
You can't call the client-connect script directly; the OpenVPN server does that for you when a client connects...
Restart the server and reconnect a client - then post the relevant part of the server log file (look for any iptables error messages).
-
- OpenVPN User
- Posts: 27
- Joined: Mon Feb 28, 2011 1:46 pm
Re: dynamic IP
Yes, in the OpenVPN logs:
Code:
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
-
- OpenVPN User
- Posts: 27
- Joined: Mon Feb 28, 2011 1:46 pm
Re: dynamic IP
Finally, after restarting OpenVPN there are no more errors in the logs, but I still don't have access to the internet.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: dynamic IP
OK, but what does 'iptables -t nat -L' produce after the first client connects?
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: dynamic IP
Whoops, I wasn't totally clear. When I said "Not the perfect coding" what I meant was "all this bash script is untested"! (I Googled the commands for $RANDOM and then pieced together something which I thought would work.)
Theoretically the concept should work though, so just some perseverance.
Alternatively the idea suggested by janjust on the 1st page would be great.
If only you can figure out a way to assign pseudo-random local IPs. Something I would be very interested in learning for myself also.
The cure for boredom is curiosity
-
- OpenVPN User
- Posts: 27
- Joined: Mon Feb 28, 2011 1:46 pm
Re: dynamic IP
I think I will keep the first solution. On my server I have 3 OpenVPN daemons running; in the client file I have the random option, so the clients will (randomly) get a different daemon and a different IP.
Thanks a lot for your help!