One OpenVPN instance, multiple IP's
Moderators: TinCanTech
- Devator
- OpenVpn Newbie
- Posts: 11
- Joined: Wed Sep 14, 2011 12:10 am
One OpenVPN instance, multiple IP's
Hi there,
Ok, I'm using the solution number 2 posted here: http://forums.openvpn.net/topic8552-15.html
I can connect to my VPS, but when I connect using a user in the CCD list, I cannot view webpages anymore. This probably has to do with some iptables issue, although I don't know what it could be.
I've already added the IP to my server.
Could anyone point me in the right direction?
Thanks!
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: One OpenVPN instance, multiple IP's
Actually there is an updated and more thorough how-to guide available, here: http://forums.openvpn.net/topic8559.html
It does include some iptables. First, you should double check that your setup incorporates all the steps in the updated how-to.
If after double checking there is any problem with your setup, I'll help you solve it (and maybe update my how-to if something is missing).
The cure for boredom is curiosity
- Devator
- OpenVpn Newbie
- Posts: 11
- Joined: Wed Sep 14, 2011 12:10 am
Re: One OpenVPN instance, multiple IP's
Hi Bebop,
Thanks for your reply, although my problem still exists. When I do (I'm using a different local IP range):
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to MAIN_IP - you cannot browse anymore while connected to the VPN server. So I'm using (on a XEN box): iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -o eth0 -j MASQUERADE (and then browsing works again).
However, this is all using the main IP. I'm using the range 172.18.0.0/24 for the second IP, but when I connect, I do get the IP (172.18.0.5) but browsing doesn't work anymore. I've done both your iptables method and -t nat -A POSTROUTING -s 172.18.0.0/24 -o eth0:1 -j MASQUERADE (see device name) but none of them work.
I'm not sure what to do; it looks like outgoing connections to the box fail, while incoming works (when I go to the external IP, I see a PHP page which is the same as the main IP).
Thanks in advance.
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: One OpenVPN instance, multiple IP's
Devator wrote:
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to MAIN_IP - you cannot browse anymore while connected to the VPN server. So I'm using (on a XEN box): iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -o eth0 -j MASQUERADE (and then browsing works again.)
So, the difference between working and not working is simply SNAT vs MASQUERADE?
I think this might be the core of the entire problem. I didn't specify if I was using a XEN or OpenVZ VPS -- now looking at the SNAT rules, I can only assume it must have been OpenVZ.
So, the question is, how do we get the SNAT command to function on XEN instead of MASQUERADE (because MASQUERADE doesn't allow you to specify the IP).
By the way, my iptables knowledge is limited only to as far as my previous needs had caused me to research. There may be more functionality to the masquerade command than I have knowledge about.
So for now, I will test my own VPS. Also, if another expert wants to step in with superior knowledge, that will also be appreciated.
The cure for boredom is curiosity
- Devator
- OpenVpn Newbie
- Posts: 11
- Joined: Wed Sep 14, 2011 12:10 am
Re: One OpenVPN instance, multiple IP's
Hi Bebop,
Thanks for your time!
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: One OpenVPN instance, multiple IP's
I have not tested yet, but may have solved it. In my example code (and in yours) was:
--to
When in fact the corrected syntax should be:
--to-source
I predict this will solve the problem.
The cure for boredom is curiosity
- ecrist
- Forum Team
- Posts: 237
- Joined: Wed Nov 26, 2008 10:33 pm
- Location: Northern Minnesota, USA
- Contact:
Re: One OpenVPN instance, multiple IP's
You can have multiple --local statements in your configuration. Have you tried that?
Sent from my HTC Glacier using Tapatalk
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN
- Devator
- OpenVpn Newbie
- Posts: 11
- Joined: Wed Sep 14, 2011 12:10 am
Re: One OpenVPN instance, multiple IP's
@Bebop: the --to-source works indeed, thanks. However, I'm still not able to browse with the second IP. I have 172.18.0.5 as the local IP.
@ecrist: No, what does the local parameter do? It seems when I put it in the config file OpenVPN isn't able to start.
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: One OpenVPN instance, multiple IP's
May need to see your iptables script.
Does it include both:
iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT
iptables -A FORWARD -s 172.18.0.0/24 -j ACCEPT
and in server.conf:
route 172.18.0.0 255.255.255.0
The cure for boredom is curiosity
- Devator
- OpenVpn Newbie
- Posts: 11
- Joined: Wed Sep 14, 2011 12:10 am
Re: One OpenVPN instance, multiple IP's
No, only iptables -A FORWARD -s 172.18.0.0/24 -j ACCEPT.
It seems I don't need the other IPtables (iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT), since it just works as it is.
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: One OpenVPN instance, multiple IP's
Devator wrote:
No, only iptables -A FORWARD -s 172.18.0.0/24 -j ACCEPT.
It seems I don't need the other IPtables (iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT), since it just works as it is.
If 172.18.0.0 is the only one with forward in iptables, and it's the only one that doesn't work -- that doesn't make complete sense. You might have a 'forward all' rule somewhere. In any case, we'll ignore this for the moment. What about the 'route' in server.conf that I mention in my last post (edited, so you might have missed it)?
The cure for boredom is curiosity
- Devator
- OpenVpn Newbie
- Posts: 11
- Joined: Wed Sep 14, 2011 12:10 am
Re: One OpenVPN instance, multiple IP's
Yes, it doesn't make sense to me either.
My complete openvpn.conf (server.conf) - yes, it does include route 172.18.0.0 255.255.255.0:
port 443
proto tcp-server
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.17.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-config-dir /etc/openvpn/ccd
route 172.18.0.0 255.255.255.0
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: One OpenVPN instance, multiple IP's
I can't see much difference between your server.conf and mine, so I doubt the problem is there. I notice you don't have:
local 111.222.333.444 #main public ip
Maybe significant.
As for iptables I am doing:
iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.8.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 10.8.2.0/24 -j SNAT --to-source 123.123.255.121
You are doing?:
iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT
iptables -A FORWARD -s 172.18.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 172.18.0.0/24 -j SNAT --to-source 123.123.255.121
Now I notice a problem. You are changing the 2nd octet (172.x and 172.y) and specifying /24.
I don't know network addressing schemes *that* well, but I am pretty sure it's illegal syntax. /24 cannot be used to change 172.x.0.0; it's only used for 172.18.x.0.
So you might want to make a switch to the 3rd octet, OR replace /24 with something else.
The cure for boredom is curiosity
- Devator
- OpenVpn Newbie
- Posts: 11
- Joined: Wed Sep 14, 2011 12:10 am
Re: One OpenVPN instance, multiple IP's
Alright, I added the local tag as well. I'm doing the following iptables commands:
iptables -A FORWARD -s 172.18.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 172.18.1.0/24 -j SNAT --to-source 123.123.255.121
However, it still doesn't work, while the main IP does work. Am I missing something? Did you do anything regarding your IP? How did you add it to your Linux machine?
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: One OpenVPN instance, multiple IP's
Devator wrote:
iptables -A FORWARD -s 172.18.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 172.18.1.0/24 -j SNAT --to-source 123.123.255.121
You got:
172.17.0.0
172.18.1.0
I can't see it working.
Ideal would be:
172.17.0.0
172.17.1.0
The cure for boredom is curiosity
- Devator
- OpenVpn Newbie
- Posts: 11
- Joined: Wed Sep 14, 2011 12:10 am
Re: One OpenVPN instance, multiple IP's
I've changed it to 172.17.1.0 however, it still doesn't work. I'll ask my VPS provider to see if he knows anything I am probably missing.
Thanks for your awesome help though!
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: One OpenVPN instance, multiple IP's
Now with all the changes being made...
When you changed from 2nd octet to 3rd octet, the entire system needs to reflect that.
server.conf:
local 123.123.255.120 #main Ip
.
.
.
.
route 172.17.1.0 255.255.255.0
iptables:
iptables -A FORWARD -s 172.17.0.0/24 -j ACCEPT
iptables -A FORWARD -s 172.17.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.17.0.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 172.17.1.0/24 -j SNAT --to-source 123.123.255.121
in /etc/openvpn/ccd/username1:
ifconfig-push 172.17.1.1 172.17.1.2
The cure for boredom is curiosity
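The thread keeps three things that must agree by hand: the address pool a client lands in, the SNAT rule (with --to-source, the spelling that worked above) that decides which public IP its traffic leaves with, and the server.conf route plus ccd ifconfig-push for the extra pool. When any one of them drifts, the symptom is exactly the one reported here: the client gets an address, inbound still works, but nothing matches on the way out. The script below is an added example written for this page; it is not code from the forum, from Bebop's how-to, or from OpenVPN. It derives all three pieces from a single pool-to-public-IP table, validates that table first (each pool a well-formed network with no host bits set, no two pools overlapping, each public address parseable) and then prints the server.conf lines, the iptables rules and the ccd entry. The pool and public addresses are constructed samples using the placeholder values from the post above, and validate_pools, iptables_rules, server_conf_lines, public_ip_for and ccd_line are names chosen for this example. It assumes tap mode as in Devator's server.conf, where the second argument of ifconfig-push is the netmask (in tun mode it is the peer address instead).

```python
#!/usr/bin/env python3
"""Plan per-pool SNAT for one OpenVPN server that owns several public IPs.

Added example for this thread (not code from the forum or from OpenVPN).
Every piece that has to agree is derived from one table: the VPN pool,
the public IP its traffic is SNATed to, the server.conf route for it and
the ifconfig-push handed to a client in that pool.
"""
import ipaddress

# Constructed sample table: VPN pool -> public IP to SNAT that pool to.
# Mirrors the final layout in the thread (only the third octet changes).
POOLS = {
    "172.17.0.0/24": "123.123.255.120",  # main pool, the 'server' line
    "172.17.1.0/24": "123.123.255.121",  # extra pool, handed out via ccd
}
MAIN_POOL = "172.17.0.0/24"


def validate_pools(pools):
    """Return a list of problems; an empty list means the table is usable."""
    problems = []
    seen = []
    for cidr, pub in pools.items():
        try:
            # strict=True rejects pools with host bits set, e.g. 172.17.1.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:
            problems.append(f"{cidr}: not a valid network ({err})")
            continue
        try:
            ipaddress.ip_address(pub)
        except ValueError:
            problems.append(f"{cidr}: public IP {pub!r} is not a valid address")
        for other_cidr, other in seen:
            # overlapping pools: the first matching SNAT rule silently wins
            if net.version == other.version and net.overlaps(other):
                problems.append(f"{cidr} overlaps {other_cidr}")
        seen.append((cidr, net))
    return problems


def iptables_rules(pools):
    """One FORWARD accept per pool, then one SNAT per pool with --to-source."""
    rules = [f"iptables -A FORWARD -s {cidr} -j ACCEPT" for cidr in pools]
    rules += [
        f"iptables -t nat -A POSTROUTING -s {cidr} -j SNAT --to-source {pub}"
        for cidr, pub in pools.items()
    ]
    return rules


def server_conf_lines(pools, main_pool):
    """server.conf fragment: listen on the main public IP, serve the main
    pool, and add a route for every extra pool so its traffic is routed
    back over the VPN interface."""
    main = ipaddress.ip_network(main_pool, strict=True)
    lines = [
        f"local {pools[main_pool]}",
        f"server {main.network_address} {main.netmask}",
        "client-config-dir /etc/openvpn/ccd",
    ]
    for cidr in pools:
        if cidr != main_pool:
            net = ipaddress.ip_network(cidr, strict=True)
            lines.append(f"route {net.network_address} {net.netmask}")
    return lines


def public_ip_for(client_ip, pools):
    """Which public IP a client's traffic will leave with, or None if the
    address is in no pool (then no SNAT rule matches and browsing breaks)."""
    ip = ipaddress.ip_address(client_ip)
    for cidr, pub in pools.items():
        if ip in ipaddress.ip_network(cidr, strict=False):
            return pub
    return None


def ccd_line(client_ip, pool):
    """ifconfig-push for a tap-mode client: address plus the pool's netmask.
    (In tun mode the second argument would be the peer address instead.)"""
    net = ipaddress.ip_network(pool, strict=True)
    ip = ipaddress.ip_address(client_ip)
    if ip not in net or ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{client_ip} is not a usable host address in {pool}")
    return f"ifconfig-push {ip} {net.netmask}"


if __name__ == "__main__":
    problems = validate_pools(POOLS)
    if problems:
        raise SystemExit("\n".join(problems))
    print("# server.conf")
    print("\n".join(server_conf_lines(POOLS, MAIN_POOL)))
    print("\n# iptables")
    print("\n".join(iptables_rules(POOLS)))
    print("\n# /etc/openvpn/ccd/username1")
    print(ccd_line("172.17.1.1", "172.17.1.0/24"))
    print(f"# 172.17.1.1 will leave as {public_ip_for('172.17.1.1', POOLS)}")
```

The script only prints a plan; it never runs iptables itself, so the output can be compared against what `iptables -t nat -S POSTROUTING` currently shows before anything is changed. Once the rules are loaded, the per-rule packet counters from `iptables -t nat -L POSTROUTING -v -n` tell you whether the second pool's SNAT rule is matching at all, which is the quickest way to separate "wrong pool address" from "wrong public IP" in a report like the one in this thread.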
- Devator
- OpenVpn Newbie
- Posts: 11
- Joined: Wed Sep 14, 2011 12:10 am
Re: One OpenVPN instance, multiple IP's
Have this all, still not working.
Could you tell me how you added the IP to your machine? I've just added the device eth0:1 with the proper IP and gateway / netmask.
- Bebop
- Forum Team
- Posts: 301
- Joined: Wed Dec 15, 2010 9:24 pm
Re: One OpenVPN instance, multiple IP's
I don't recall having to do anything manually.
Can you ping the machine at either IP, or just the one?
The cure for boredom is curiosity
- Devator
- OpenVpn Newbie
- Posts: 11
- Joined: Wed Sep 14, 2011 12:10 am
Re: One OpenVPN instance, multiple IP's
I can ping them at both.