dynamic IP

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

dynamic IP

Post by greg » Mon Feb 28, 2011 1:53 pm

hi,

I have OpenVPN on a Debian server and it's working fine. Now I would like to assign a dynamic outbound IP to my clients. My provider gave me 5 IPs.

How do I have to configure OpenVPN, please?

P.S. Sorry for my English.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: dynamic IP

Post by Bebop » Tue Mar 01, 2011 6:21 am

greg wrote: i would like to assign dynamic out-bounding IP for my clients

By dynamic do you mean a new random IP each time a client connects?

Example:

I am a client and I connect to your VPN. I visit http://www.whatismyip.com and I see that my IP is 111.222.333.444.

Now I disconnect and reconnect to the VPN and visit http://www.whatismyip.com again. I see that my IP has now changed to 555.111.222.333.

So I can browse the internet etc. with a possible 5 distinct external IP addresses.

If yes, then your problem would most likely be solved with a client-connect script which modifies the IPTABLES forwarding rules.

Can you post the OpenVPN-relevant section of your IPTABLES code here in this thread? (Change any references to your real external IPs to some random IP if you value your privacy.)

eg:

Code:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 111.111.111.111
The cure for boredom is curiosity

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

Re: dynamic IP

Post by greg » Tue Mar 01, 2011 9:42 am

Thanks a lot for your reply.

So I did that:

iptables -t nat -A POSTROUTING -s 10.6.0.0/16 -o eth0 -j SNAT --to 113.111.77.1

and that's working fine.

Can I do it like this?

iptables -t nat -A POSTROUTING -s 10.6.0.0 10.6.0.20 -o eth0 -j SNAT --to 113.111.77.1
iptables -t nat -A POSTROUTING -s 10.6.0.21 10.6.0.30 -o eth0 -j SNAT --to 113.111.77.2
iptables -t nat -A POSTROUTING -s 10.6.0.0 31.6.0.40 -o eth0 -j SNAT --to 113.111.77.3

Thanks again

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: dynamic IP

Post by janjust » Tue Mar 01, 2011 9:50 am

I assume you mean to map the addresses 0.0 - 0.20 to 77.1, 0.21 - 0.30 to 77.2, etc. It is possible to map different address ranges to different public IPs; it's just that the ranges you chose are not possible. What should work is this:

Code:

iptables -t nat -A POSTROUTING -s 10.6.0.0/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.1
iptables -t nat -A POSTROUTING -s 10.6.0.16/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.2
iptables -t nat -A POSTROUTING -s 10.6.0.32/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.3

This will map the first 16 addresses to .1, the second 16 to .2, etc.
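A worked version of this static block-to-address mapping, added here as an example (it is not janjust's or anyone else's code from the thread): it derives which /28 block a pool address falls in, looks up the public address that block is SNATed to, and prints one rule per public address on consecutive blocks so none is skipped. It assumes the pool 10.6.0.0/24, the interface eth0 and the five addresses 113.111.77.1 to .5 used in this thread; the script name snat-blocks.sh is hypothetical. Note that with OpenVPN's default net30 topology each client occupies a /30, so a /28 block holds only 4 clients rather than 16; with "topology subnet" it holds 16.

```shell
#!/bin/sh
# Added example, not janjust's or Bebop's code: build the static /28 -> public IP
# mapping from a list of public addresses and look up which public address a
# given pool client egresses from. Assumes the pool 10.6.0.0/24 on eth0 and the
# five addresses 113.111.77.1-5 used in this thread; change the settings below
# for another setup.

POOL_PREFIX="10.6.0"
OUT_IF="eth0"
PUBLIC_IPS="113.111.77.1 113.111.77.2 113.111.77.3 113.111.77.4 113.111.77.5"
BLOCK=16   # addresses per block: mask 255.255.255.240 is a /28

# block_index POOL_IP -> 0-based index of the /28 block the address falls in
block_index() {
    last="${1##*.}"
    echo $(( last / BLOCK ))
}

# public_ip_for POOL_IP -> the public address that block is SNATed to;
# returns 1 when the address lies past the last mapped block
public_ip_for() {
    idx=$(block_index "$1")
    i=0
    for pub in $PUBLIC_IPS; do
        if [ "$i" -eq "$idx" ]; then
            echo "$pub"
            return 0
        fi
        i=$(( i + 1 ))
    done
    return 1
}

# snat_rules -> prints one SNAT rule per public address, on consecutive /28
# blocks (.0, .16, .32, .48, .64) so no block is left unmapped
snat_rules() {
    i=0
    for pub in $PUBLIC_IPS; do
        printf 'iptables -t nat -A POSTROUTING -s %s.%d/255.255.255.240 -o %s -j SNAT --to-source %s\n' \
            "$POOL_PREFIX" $(( i * BLOCK )) "$OUT_IF" "$pub"
        i=$(( i + 1 ))
    done
}

# Run as "./snat-blocks.sh --print" (hypothetical name) to list the rules;
# pipe the output into sh once it looks right.
if [ "${1:-}" = "--print" ]; then
    snat_rules
fi
```

Checking a client's address with public_ip_for before touching the firewall shows whether it lands in a mapped block at all; anything past 10.6.0.79 gets no rule and would leave the server unmasqueraded unless a catch-all SNAT rule follows.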

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: dynamic IP

Post by Bebop » Tue Mar 01, 2011 10:03 am

greg wrote: can i do like this?

Sure. Is that dynamic enough for you though?

I was thinking of adding a level of automation such as:

In server.conf, add the lines for the client-connect and client-disconnect scripts

Code:

client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh
and then in clientconnect.sh

Code:

#!/bin/bash

# OpenVPN exports the client's VPN address in this variable
ip=$ifconfig_pool_remote_ip
last_octet=1
# pick one of the five public addresses .1 to .5 at random
random_num=$(( last_octet + RANDOM % 5 ))

iptables -t nat -A POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.$random_num

exit 0
and in clientdisconnect.sh

Code:

#!/bin/bash

ip=$ifconfig_pool_remote_ip

iptables -t nat -D POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.1
iptables -t nat -D POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.2
iptables -t nat -D POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.3
iptables -t nat -D POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.4
iptables -t nat -D POSTROUTING -s $ip -o eth0 -j SNAT --to 113.111.77.5

#why delete the same local ip 5 times? because due to the randomness 
#factor of the connect script, and due to the fact that we are not using 
#a mysql or other storage, we don't know what external IP was assigned. 
#So we make 5 guesses and know that 1 is right, and the other 4 are harmless.

exit 0
Not the perfect coding but it gives you a sense of the idea. Every time a client connects, a completely pseudo-random external IP is assigned.

With that said, the code provided by janjust would be a great alternative.

Code:

iptables -t nat -A POSTROUTING -s 10.6.0.0/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.1
iptables -t nat -A POSTROUTING -s 10.6.0.16/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.2
iptables -t nat -A POSTROUTING -s 10.6.0.32/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.3
iptables -t nat -A POSTROUTING -s 10.6.0.48/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.4
iptables -t nat -A POSTROUTING -s 10.6.0.64/255.255.255.240 -o eth0 -j SNAT --to 113.111.77.5

And then find a way to assign random local IPs. If you don't assign random local IPs then your first 15 clients will always get the same external IP.
The cure for boredom is curiosity
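A tested version of the connect/disconnect idea above, added here as an example (it is not Bebop's or janjust's code from the thread). One script serves both hooks by looking at the script_type variable OpenVPN exports, and the connect path writes the chosen public address to a per-client state file so the disconnect path deletes exactly the rule that was added instead of guessing five times. It assumes the public addresses 113.111.77.1 to .5 and the interface eth0 from this thread; the state directory /var/run/openvpn-snat is a hypothetical path. As later in the thread, the server must run as root (no "user nobody") with script-security 2 for iptables to be callable from the hook.

```shell
#!/bin/sh
# Added example, not Bebop's or janjust's code: one hook script for both
# client-connect and client-disconnect. Connect picks one of the five public
# addresses and records it in a per-client state file; disconnect reads that
# file and removes exactly that rule. Assumptions: public addresses
# 113.111.77.1-5 and egress interface eth0 (from the thread); the state
# directory /var/run/openvpn-snat is a hypothetical path. OpenVPN exports
# ifconfig_pool_remote_ip and script_type to the script.

PUBLIC_BASE="113.111.77"
PUBLIC_COUNT=5
OUT_IF="${OUT_IF:-eth0}"
STATE_DIR="${STATE_DIR:-/var/run/openvpn-snat}"
# DRY_RUN=1 prints the iptables command instead of running it, so the mapping
# can be exercised without root or a live VPN.
DRY_RUN="${DRY_RUN:-0}"

# pick_external_ip [SEED] -> one public address. SEED defaults to two random
# bytes from /dev/urandom; pass a fixed seed for a reproducible choice.
pick_external_ip() {
    seed="${1:-$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')}"
    printf '%s.%d\n' "$PUBLIC_BASE" $(( 1 + seed % PUBLIC_COUNT ))
}

# snat_rule ACTION POOL_IP PUBLIC_IP -> the iptables command line (ACTION is
# A to add or D to delete). The same text builds both, so the delete always
# matches the rule that was added.
snat_rule() {
    printf 'iptables -t nat -%s POSTROUTING -s %s/32 -o %s -j SNAT --to-source %s\n' \
        "$1" "$2" "$OUT_IF" "$3"
}

# run_rule ACTION POOL_IP PUBLIC_IP -> executes (or, in dry-run, prints) the rule
run_rule() {
    cmd=$(snat_rule "$@")
    if [ "$DRY_RUN" = "1" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# on_connect POOL_IP: choose a public address, remember it, add the rule
on_connect() {
    pub=$(pick_external_ip)
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$pub" > "$STATE_DIR/$1"
    run_rule A "$1" "$pub"
}

# on_disconnect POOL_IP: delete the rule recorded at connect time, if any
on_disconnect() {
    [ -r "$STATE_DIR/$1" ] || return 0
    read -r pub < "$STATE_DIR/$1"
    run_rule D "$1" "$pub"
    rm -f "$STATE_DIR/$1"
}

# Dispatch only when OpenVPN invokes the script (script_type is set); sourcing
# the file leaves the functions defined without touching iptables.
case "${script_type:-}" in
    client-connect)    on_connect "$ifconfig_pool_remote_ip" ;;
    client-disconnect) on_disconnect "$ifconfig_pool_remote_ip" ;;
esac
```

Point both the client-connect and client-disconnect directives at this one file. Running it by hand prints nothing and changes nothing, which is the behaviour you want given the "Bad argument `eth0'" error that appears later in the thread when the hook is called without OpenVPN's environment; to see what it would do, source it and call on_connect with DRY_RUN=1.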

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

Re: dynamic IP

Post by greg » Tue Mar 01, 2011 1:14 pm

Thanks a lot!

With those 2 lines in openvpn.conf

Code:

client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh

I can't connect to OpenVPN.

In the logs:

Code:

openvpn_execve: external program may not be called due to setting of --script-security level
 client-connect command failed: external program fork failed

Here is my openvpn.conf

Code:

dev tun
proto udp
port 1194

####### keys #######
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/vpnd.crt
key /etc/openvpn/easy-rsa/2.0/keys/vpn.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key
#################

# all clients use the same key
duplicate-cn
# allows the same address to be reassigned to each client
#ifconfig-pool-persist ipp.txt
cipher AES-256-CBC

user nobody
group nogroup

# subnet that will make up the virtual network
server 10.8.0.0 255.255.255.0

#daemon
#writepid /var/run/openvpn.pid

keepalive 20 120
# for extra security, chroot
#chroot /etc/openvpn/openvpn_jail

client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh

# must not re-read the key when the connection is reset
persist-key

# must not reconfigure the interface when the connection is reset
persist-tun

plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn
client-cert-not-required
username-as-common-name

#client-to-client

push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# data compression
comp-lzo
max-clients 200

status status/openvpntest-status.log
log-append /var/log/openvpn/server-test.log
verb 2

#client-config-dir ccd
#route 192.168.1.0 255.255.255.0

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: dynamic IP

Post by janjust » Tue Mar 01, 2011 1:39 pm

If you want to use such a client-connect/client-disconnect script then:

* comment out the lines

Code:

  user nobody
  group nogroup

* add the line

Code:

  script-security 2

and restart the OpenVPN server.

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

Re: dynamic IP

Post by greg » Tue Mar 01, 2011 1:40 pm

OK, I put that in openvpn.conf:

Code:

--script-security 3

And now in the logs I have:

Code:

/etc/openvpn/clientconnect.sh: line 4: last_octet: command not found
/etc/openvpn/clientconnect.sh: line 5: syntax error near unexpected token `('
/etc/openvpn/clientconnect.sh: line 5: `random_num = $last_octet + ($RANDOM % 5) '
 client-connect command failed: external program exited with error status: 2
Tue Mar  1 13:42:09 2011 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Tue Mar  1 13:42:11 2011 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: dynamic IP

Post by janjust » Tue Mar 01, 2011 1:46 pm

now I know why Bebop's script did not make sense to me ;-)

try changing the line
random_num = $last_octet + ($RANDOM % 5)
to
let random_num = $last_octet + $RANDOM % 5

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

Re: dynamic IP

Post by greg » Tue Mar 01, 2011 1:49 pm

Now in the logs:

Code:

/etc/openvpn/clientconnect.sh: line 4: last_octet: command not found
/etc/openvpn/clientconnect.sh: line 5: let: =: syntax error: operand expected (error token is "=")

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: dynamic IP

Post by janjust » Tue Mar 01, 2011 1:56 pm

ah doh - I knew I should have tested it before posting :mrgreen:

try

Code:

  let random_num=1+$RANDOM%5
and read up on bash scripting ;-)

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

Re: dynamic IP

Post by greg » Tue Mar 01, 2011 2:05 pm

OK, now I can connect but I don't have access to the internet. It seems to be a problem with iptables:

Code:

Server:~# /etc/openvpn/clientconnect.sh 
Bad argument `eth0'
Try `iptables -h' or 'iptables --help' for more information.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: dynamic IP

Post by janjust » Tue Mar 01, 2011 2:11 pm

You can't call the client-connect script directly; the OpenVPN server does that for you when a client connects...
Restart the server and reconnect a client, then post the relevant part of the server log file (look for any iptables error messages).

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

Re: dynamic IP

Post by greg » Tue Mar 01, 2011 2:15 pm

Yes, in the OpenVPN logs:

Code:

iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

Re: dynamic IP

Post by greg » Tue Mar 01, 2011 2:21 pm

Finally, after restarting OpenVPN there are no more errors in the logs, but I still don't have access to the internet.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: dynamic IP

Post by janjust » Tue Mar 01, 2011 3:03 pm

OK, but what does 'iptables -t nat -L' produce after the first client connects?

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: dynamic IP

Post by Bebop » Tue Mar 01, 2011 8:47 pm

Whoops... I wasn't totally clear. When I said "Not the perfect coding" what I meant was, "All this bash script is untested"! (I Googled the commands for $RANDOM and then pieced together something which I thought would work.)

Theoretically the concept should work though, so just some perseverance.

Alternatively, the idea suggested by janjust on the 1st page would be great.

If only you can figure out a way to assign pseudo-random local IPs. Something I would be very interested in learning for myself also.
The cure for boredom is curiosity

greg
OpenVPN User
Posts: 27
Joined: Mon Feb 28, 2011 1:46 pm

Re: dynamic IP

Post by greg » Tue Mar 01, 2011 10:56 pm

I think I will keep the first solution. On my server I have 3 OpenVPN daemons running, and in the client file I have the random option, so the clients will (randomly) get a different daemon and a different IP.

Thanks a lot for your help!
