How-to: Tunnel WAN IP assigned to specific users

Posted: Sat Jul 30, 2011 8:19 pm
by Bebop
Goal
  • You have a single Linux server which has multiple WAN IP addresses available to use. You want to tunnel VPN clients through the server, and assign different WAN IPs to different clients. To put the example into practical terms, it would mean that you could log in to the VPN and visit http://www.whatismyip.com to see your WAN IP. Then you could log out, and in to the VPN as a new user, and visit http://www.whatismyip.com again. This time the reported WAN IP will be different, depending on the user you have logged into the VPN as.
Scope
  • This example assumes that you already know how to install OpenVPN and setup keys and/or certificates.
Overview
  • We will use 10.8.1.x and 10.8.2.x local subnets.
  • 123.123.255.120 & 123.123.255.121 will be our example WAN IPs.
  • We will use certificates for authentication, but user-names and passwords could be substituted just as easily.
The procedure

local 123.123.255.120
port 1194
proto udp
dev tun

ca ./ca.crt
cert ./server.crt
key ./server.key
dh ./dh1024.pem

server 10.8.1.0 255.255.255.0

push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.1"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status ./ovpnstatus.log
verb 3

client-config-dir /etc/openvpn/ccd
route 10.8.2.0 255.255.255.0

Create the aforementioned client-config-dir.
bash:

mkdir /etc/openvpn/ccd

What are your usernames? Let's do an example: "username1", "username2", "username5".

bash:

touch /etc/openvpn/ccd/username1
touch /etc/openvpn/ccd/username2
touch /etc/openvpn/ccd/username5

Edit /etc/openvpn/ccd/username1:

ifconfig-push 10.8.2.1 10.8.2.2

Edit /etc/openvpn/ccd/username2:

ifconfig-push 10.8.2.5 10.8.2.6

Edit /etc/openvpn/ccd/username5:

ifconfig-push 10.8.2.9 10.8.2.10

IPTABLES:

iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.8.2.0/24 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 10.8.2.0/24 -j SNAT --to-source 123.123.255.121

A basic summary of what is happening:
  • Default VPN lan is 10.8.1.x
  • Secondary VPN lan is 10.8.2.x
  • Any user with a filename in ./ccd will be given a 10.8.2.x address
  • The 10.8.2.x address is hardcoded for each user: eg username1 10.8.2.1
  • IPTABLES will assign all the users with a 10.10.2.x address to the alternate WAN IP (123.123.255.121 or whatever)
  • Any user whose name is not in the ccd will simply get the default LAN of 10.8.1.x, and therefore the default WAN IP also (123.123.255.120).
Important note: learn your IP addressing schema for Windows. IPs can only be paired as
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]... and so on
more info: http://openvpn.net/index.php/open-sourc ... howto.html
  • Visual image
[Image: diagram of the setup]

Looking at it another way....
[Image: alternative diagram of the setup]
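
As an added example (not from Bebop's post or the OpenVPN project), the following bash script generates the per-user ccd files and prints the SNAT rules from the procedure above, computing and validating the net30 pairs ([1,2] [5,6] [9,10] ...) that the Windows note describes. The subnets, usernames and WAN addresses are the post's sample values, and the ccd directory defaults to a scratch directory so nothing under /etc/openvpn is touched unless CCD_DIR is set.

```bash
#!/bin/bash
# Added example: build ccd files and SNAT rules for the net30 pairing scheme.
# Sample values (10.8.x.x, username*, 123.123.255.x) are the post's examples.

# net30_pair IDX [SUBNET]: the IDX-th (0-based) valid pair, e.g. 2 -> "10.8.2.9 10.8.2.10".
net30_pair() {
  local idx=$1 subnet=${2:-10.8.2}
  echo "$subnet.$((4 * idx + 1)) $subnet.$((4 * idx + 2))"
}

# valid_net30_pair LOCAL REMOTE: succeeds only if LOCAL is 4k+1, REMOTE is
# LOCAL+1 and both sit in the same /24 (the pairing rule the post's note gives).
valid_net30_pair() {
  local l=$1 r=$2
  local lhost=${l##*.} rhost=${r##*.}
  [ "${l%.*}" = "${r%.*}" ] || return 1
  [ $((lhost % 4)) -eq 1 ] || return 1
  [ "$rhost" -eq $((lhost + 1)) ]
}

# write_ccd DIR USER IDX: write DIR/USER with its ifconfig-push line and echo it.
write_ccd() {
  local dir=$1 user=$2 idx=$3
  set -- $(net30_pair "$idx")
  mkdir -p "$dir"
  printf 'ifconfig-push %s %s\n' "$1" "$2" > "$dir/$user"
  cat "$dir/$user"
}

# snat_rules DEFAULT_WAN ALT_WAN: print (not apply) the FORWARD and SNAT rules.
snat_rules() {
  local subnet
  for subnet in 10.8.1.0/24 10.8.2.0/24; do
    printf 'iptables -A FORWARD -s %s -j ACCEPT\n' "$subnet"
  done
  printf 'iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source %s\n' "$1"
  printf 'iptables -t nat -A POSTROUTING -s 10.8.2.0/24 -j SNAT --to-source %s\n' "$2"
}

# Sample run with the post's three users; CCD_DIR defaults to a scratch directory.
main() {
  local dir=${CCD_DIR:-$(mktemp -d)} i=0 user
  for user in username1 username2 username5; do
    write_ccd "$dir" "$user" "$i"; i=$((i + 1))
  done
  snat_rules 123.123.255.120 123.123.255.121
}
main
```

Running it with CCD_DIR=/etc/openvpn/ccd reproduces the three ccd files of the post; pipe the printed rules into a shell only after checking them.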

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Mon Aug 01, 2011 1:33 pm
by janjust
interesting HOWTO, but wouldn't it be easier to use

topology subnet

also, in my book I explain how to assign public IPs to clients, such that the client receives the real public IP, without the use of NATting :)

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Mon Aug 01, 2011 11:33 pm
by Bebop
janjust wrote:interesting HOWTO, but wouldn't it be easier to use

topology subnet

It would if there were no bugs. Bug report: here.

Natting is fine in this situation because clients will be sharing IPs.

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Mon Sep 05, 2011 5:41 pm
by JTidler
will someone help me with setting this up!!!!! my setup for openVPN is way different

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Fri Sep 09, 2011 4:40 am
by Bebop
JTidler wrote:will someone help me with setting this up!!!!! my setup for openVPN is way different
Replied to you in your other thread: topic8753.html

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Mon Sep 26, 2011 9:41 pm
by svimik
Your example is quite simple. My question is more interesting:

Is it possible to assign a real IP address to a client?
For example, my server has subnet of internet IP addresses, and I want to give one IP per user, so they have, for example, 123.123.255.120 instead of 10.8.2.1.
The point is, that user should not see we are using NAT, getting real IP address. Is it possible with OpenVPN?

Of course, I can set up SNAT and DNAT to naturally forward connections in both directions, but it's not graceful to offer dedicated IP address, and give a local address with NAT, no matter how good it works ;)

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Tue Sep 27, 2011 5:19 am
by Mimiko
Is it possible to assign a real IP address to a client?
Yes, it's possible.
For example, my server has subnet of internet IP addresses, and I want to give one IP per user, so they have, for example, 123.123.255.120 instead of 10.8.2.1. The point is, that user should not see we are using NAT, getting real IP address. Is it possible with OpenVPN?
It's possible, but it will be a waste of address space. Virtually, two IPs are allocated for each VPN connection in routed mode. So you must have double the number of consecutive IPs compared to the number of clients. Or you can bridge the tun adapter with the internet interface of the server, but it will be a security concern and a waste of bandwidth.

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Tue Sep 27, 2011 7:48 am
by janjust
Is it possible to assign a real IP address to a client?
yes this is certainly possible and I explain how to do it in my book 8-)
it is best to use 'topology subnet' in this case, so that you assign only a single IP address to each client.

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Wed Jan 04, 2012 5:49 am
by secondd
Thank you :D I definitely want to assign a unique IP address to each user. Given that the number of users is 4, I do not consider this unduly wasteful.

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Fri Jan 20, 2012 5:00 pm
by raffus
I'm unable to get this to work.

I have multiple INTERNET address in our servers and what I want to do is assign INTERNET DEDICATED IPs to each user.

I have setup for testing 2 addresses on my box:
- eth0 => 177.x.x.10
- eth0:0 => 177.x.x.11

I've also configured STATIC ips per user using INTERNAL addresses.
Ie:
John: 5.5.32.10
Mark: 5.5.32.11

After OPENVPN started, I've ran these commands:
- iptables -A FORWARD -s 5.5.32.0/24 -j ACCEPT
- iptables -t nat -A POSTROUTING -s 5.5.32.10/32 -j SNAT --to-source 177.x.x.11
- iptables -t nat -A POSTROUTING -s 5.5.32.11/32 -j SNAT --to-source 177.x.x.10

But every time I try to access sites like WHATSMYIP, it shows me the eth0 default IP, in this case 177.x.x.10 instead of 177.x.x.11.

User's profile is set to do ROUTING as addressing mode and VPN server is configured to use ROUTE/NAT.

Am I doing anything wrong?

Thanks in advance.

Rafael

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Thu Aug 30, 2012 10:32 am
by xauen
Hi,

How about if you want to randomly allow clients to any ips on the server?
what is the server configuration and iptable rules?

Hope you'll answer my questions guys :D

Thanks!

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Mon Dec 31, 2012 2:25 am
by warbux
Not to bring up a really old thread but I have a very similar setup to what the OP posted and it works great the only thing I want to do differently is allow concurrent connections from the same user. Does anyone know if its possible with a network configuration similar to the OP?

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Fri Mar 01, 2013 1:45 pm
by ralphfitings
Nice post. Thanks very much! These explanations are exactly what I need now, with pictures and good examples. :D

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Tue Mar 19, 2013 12:37 pm
by scarabeuz
Hi guys :)
Since you are absolutely professional I think to post my question here.

What I have:
My VPN is currently running on Windows (client & server).
Everything is running well I think but outgoing IP of each client is still his real one. (whatsmyip-proved)

What I want:
I want some users (up to 10) to be able to use my VPN.
I would like my users to have the outgoing IP of my VPN-Server.

My Problems:
1.) I don't understand much about iptables and
don't know how to configure it using Windows.
2.) My english is not the best :)

I hope you are able to help me..

Here my current config:

#Server machine running Windows XP with static IP
user nobody
group nogroup

dev tun
local 176.xx.xxx.xxx

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd

port 1194
proto udp
keepalive 10 120
comp-lzo
verb 3
client-to-client
persist-tun
persist-key

ca cert/ca.crt
cert cert/server.crt
key cert/server.key
dh cert/dh1024.pem

status openvpn-status.log

push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"

#Client machine running Windows 8 behind router
client

proto udp

dev tun

remote vpn.example.org 1194

resolv-retry infinite

nobind

persist-key
persist-tun

ca ../easy-rsa/keys/ca.crt
cert ../easy-rsa/keys/user.crt
key ../easy-rsa/keys/user.key

comp-lzo

verb 3

route 192.168.1.0 255.255.255.0 10.8.0.1
redirect-gateway

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Tue Mar 19, 2013 1:17 pm
by maikcat
bebop has already written a windows xp based howto....

please search.

Michael.

Re: How-to: Tunnel WAN IP assigned to specific users

Posted: Tue Mar 19, 2013 1:43 pm
by scarabeuz
maikcat wrote:bebop has already written a windows xp based howto....

please search.

Michael.
It's the third day now that I am searching and following guides..
And none of them worked like I wanted to make it work, that's why I was asking here :?

Sorry for my useless post.