How-to: Tunnel WAN IP assigned to specific users

Samples of working configurations.

Moderators: TinCanTech

Locked
Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

How-to: Tunnel WAN IP assigned to specific users

Post by Bebop » Sat Jul 30, 2011 8:19 pm

Goal
  • You have a single Linux server which has multiple WAN IP addresses available to use. You want to tunnel VPN clients through the server, and assign different WAN IPs to different clients. To put the example into practical terms, it would mean that you could log in to the VPN and visit http://www.whatismyip.com to see your WAN IP. Then you could log out, and in to the VPN as a new user, and visit http://www.whatismyip.com again. This time the reported WAN IP will be different, depending on the user you have logged into the VPN as.
Scope
  • This example assumes that you already know how to install OpenVPN and setup keys and/or certificates.
Overview
  • We will use 10.8.1.x and 10.8.2.x local subnets.
  • 123.123.255.120 & 123.123.255.121 will be our example WAN ip's.
  • We will use certificates for authentication, but user-names and passwords could be substituted just as easily.
The procedure

Code: Select all

local 123.123.255.120
port 1194
proto udp
dev tun

ca ./ca.crt
cert ./server.crt
key ./server.key
dh ./dh1024.pem

server 10.8.1.0 255.255.255.0

push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.1"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status ./ovpnstatus.log
verb 3

client-config-dir /etc/openvpn/ccd
route 10.8.2.0 255.255.255.0
Create the aforementioned client-config-dir.
bash:

Code: Select all

mkdir /etc/openvpn/ccd
What are your usernames? Let's use, for example, "username1", "username2", "username5".

bash:

Code: Select all

touch /etc/openvpn/ccd/username1
touch /etc/openvpn/ccd/username2
touch /etc/openvpn/ccd/username5
Edit /etc/openvpn/ccd/username1:

Code: Select all

ifconfig-push 10.8.2.1 10.8.2.2
Edit /etc/openvpn/ccd/username2:

Code: Select all

ifconfig-push 10.8.2.5 10.8.2.6
Edit /etc/openvpn/ccd/username5:

Code: Select all

ifconfig-push 10.8.2.9 10.8.2.10

IPTABLES:

Code: Select all

 iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
 iptables -A FORWARD -s 10.8.2.0/24 -j ACCEPT

 iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 123.123.255.120
 iptables -t nat -A POSTROUTING -s 10.8.2.0/24 -j SNAT --to-source 123.123.255.121

A basic summary of what is happening:
  • Default VPN lan is 10.8.1.x
  • Secondary VPN lan is 10.8.2.x
  • Any user with a filename in ./ccd will be given a 10.8.2.x address
  • The 10.8.2.x address is hardcoded for each user: eg username1 10.8.2.1
  • IPTABLES will assign all the users with a 10.10.2.x address to the alternate WAN IP (123.123.255.121 or whatever)
  • Any user whose name is not in the ccd will simply get the default LAN of 10.8.1.x, and therefore the default WAN IP also (123.123.255.120).
Important note: learn your IP addressing schema for Windows. IP's can only be paired as
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]... and so on
more info: http://openvpn.net/index.php/open-sourc ... howto.html
  • Visual Image
Image

Looking at it another way....
Image
The cure for boredom is curiosity
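
The ccd step and the pairing note from the how-to above, as an added shell example that is not part of the original post: it hands each user name the next free [4k+1, 4k+2] pair and checks existing ccd files for pairs that are invalid, duplicated, or outside the SNATed subnet. The function names are hypothetical; `CCD_DIR` and `PREFIX` default to the how-to's sample values.

```shell
#!/bin/sh
# Added example, not from the thread. CCD_DIR and PREFIX default to the
# how-to's sample values; the function names are made up for illustration.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
PREFIX="${PREFIX:-10.8.2}"

# Print the last octets "client peer" of the Nth usable pair (N = 0..63).
net30_pair() {
    [ "$1" -ge 0 ] 2>/dev/null && [ "$1" -le 63 ] || return 1
    echo "$(( $1 * 4 + 1 )) $(( $1 * 4 + 2 ))"
}

# Create a ccd file for each name, giving it the first pair not yet in use.
assign_users() {
    for user in "$@"; do
        # The name becomes a file name: refuse empty names, paths and dotfiles.
        case "$user" in
            ''|.*|*/*) echo "rejected name: $user" >&2; return 1 ;;
        esac
        [ -e "$CCD_DIR/$user" ] && continue   # keep an existing assignment
        n=0
        while pair=$(net30_pair "$n"); do
            line="ifconfig-push $PREFIX.${pair% *} $PREFIX.${pair#* }"
            grep -qsFx "$line" "$CCD_DIR"/* || break
            n=$(( n + 1 ))
        done
        [ "$n" -le 63 ] || { echo "no free pair in $PREFIX.0/24" >&2; return 1; }
        echo "$line" > "$CCD_DIR/$user"
    done
}

# Flag ccd entries that are outside PREFIX, not a [4k+1, 4k+2] pair, or
# already assigned to another file. Returns non-zero if anything is flagged.
check_ccd() {
    awk -v p="$PREFIX." '
        $1 == "ifconfig-push" {
            a = substr($2, length(p) + 1) + 0
            b = substr($3, length(p) + 1) + 0
            if (index($2, p) != 1 || index($3, p) != 1 || a % 4 != 1 || b != a + 1) {
                print FILENAME ": bad pair " $2 " " $3; bad = 1
            } else if ($2 in owner) {
                print FILENAME ": same address as " owner[$2]; bad = 1
            } else owner[$2] = FILENAME
        }
        END { exit bad + 0 }' "$CCD_DIR"/*
}
```

Source the file and run `assign_users username1 username2 username5` followed by `check_ccd`; an address that falls outside `PREFIX` would not match the second SNAT rule and would leave through the default WAN IP.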

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How-to: Tunnel WAN IP assigned to specific users

Post by janjust » Mon Aug 01, 2011 1:33 pm

interesting HOWTO, but wouldn't it be easier to use

Code: Select all

topology subnet
also, in my book I explain how to assign public IPs to clients, such that the client receives the real public IP, without the use of NATting :)

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: How-to: Tunnel WAN IP assigned to specific users

Post by Bebop » Mon Aug 01, 2011 11:33 pm

janjust wrote:interesting HOWTO, but wouldn't it be easier to use

Code: Select all

topology subnet
It would if there were no bugs. Bug report: here.

Natting is fine in this situation because clients will be sharing IPs.

JTidler
OpenVpn Newbie
Posts: 2
Joined: Mon Sep 05, 2011 3:40 pm

Re: How-to: Tunnel WAN IP assigned to specific users

Post by JTidler » Mon Sep 05, 2011 5:41 pm

will someone help me with setting this up!!!!! my setup for openVPN is way different

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: How-to: Tunnel WAN IP assigned to specific users

Post by Bebop » Fri Sep 09, 2011 4:40 am

JTidler wrote:will someone help me with setting this up!!!!! my setup for openVPN is way different
Replied to you in your other thread: topic8753.html

svimik
OpenVpn Newbie
Posts: 1
Joined: Mon Sep 26, 2011 9:09 pm

Re: How-to: Tunnel WAN IP assigned to specific users

Post by svimik » Mon Sep 26, 2011 9:41 pm

Your example is quite simple. My question is more interesting:

Is it possible to assign a real IP address to a client?
For example, my server has subnet of internet IP addresses, and I want to give one IP per user, so they have, for example, 123.123.255.120 instead of 10.8.2.1.
The point is, that user should not see we are using NAT, getting real IP address. Is it possible with OpenVPN?

Of course, I can set up SNAT and DNAT to naturally forward connections in both directions, but it's not graceful to offer dedicated IP address, and give a local address with NAT, no matter how good it works ;)

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: How-to: Tunnel WAN IP assigned to specific users

Post by Mimiko » Tue Sep 27, 2011 5:19 am

Is it possible to assign a real IP address to a client?
Yes, it's possible.
For example, my server has subnet of internet IP addresses, and I want to give one IP per user, so they have, for example, 123.123.255.120 instead of 10.8.2.1. The point is, that user should not see we are using NAT, getting real IP address. Is it possible with OpenVPN?
It's possible, but it will be a waste of address space. Virtually, two IPs are allocated for each VPN connection in routed mode. So you must have double the number of consecutive IPs than the number of clients. Or you can bridge the tun adapter with the internet interface of the server, but it will be a security concern and a waste of bandwidth.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How-to: Tunnel WAN IP assigned to specific users

Post by janjust » Tue Sep 27, 2011 7:48 am

Is it possible to assign a real IP address to a client?
yes this is certainly possible and I explain how to do it in my book 8-)
it is best to use 'topology subnet' in this case, so that you assign only a single IP address to each client.

raffus
OpenVpn Newbie
Posts: 1
Joined: Fri Jan 20, 2012 4:53 pm

Re: How-to: Tunnel WAN IP assigned to specific users

Post by raffus » Fri Jan 20, 2012 5:00 pm

I'm unable to get this to work.

I have multiple INTERNET addresses in our servers and what I want to do is assign INTERNET DEDICATED IPs to each user.

I have setup for testing 2 addresses on my box:
- eth0 => 177.x.x.10
- eth0:0 => 177.x.x.11

I've also configured STATIC ips per user using INTERNAL addresses.
Ie:
John: 5.5.32.10
Mark: 5.5.32.11

After OPENVPN started, I ran these commands:
- iptables -A FORWARD -s 5.5.32.0/24 -j ACCEPT
- iptables -t nat -A POSTROUTING -s 5.5.32.10/32 -j SNAT --to-source 177.x.x.11
- iptables -t nat -A POSTROUTING -s 5.5.32.11/32 -j SNAT --to-source 177.x.x.10

But every time I try to access sites like WHATSMYIP, it shows me the eth0 default IP, in this case 177.x.x.10 instead of 177.x.x.11.

User's profile is set to do ROUTING as addressing mode and VPN server is configured to use ROUTE/NAT.

Am I doing anything wrong?

Thanks in advance.

Rafael

xauen
Forum Team
Posts: 80
Joined: Tue May 10, 2011 7:57 pm
Location: Manila, Philippines

Re: How-to: Tunnel WAN IP assigned to specific users

Post by xauen » Thu Aug 30, 2012 10:32 am

Hi,

How about if you want to randomly allow clients to any IPs on the server?
What is the server configuration and iptables rules?

Hope you'll answer my questions guys :D

Thanks!
"Never be bullied into silence. Never allow yourself to be made a victim. Accept no ones definition of you"
-IDK

warbux
OpenVpn Newbie
Posts: 10
Joined: Sun Dec 30, 2012 5:14 pm

Re: How-to: Tunnel WAN IP assigned to specific users

Post by warbux » Mon Dec 31, 2012 2:25 am

Not to bring up a really old thread, but I have a very similar setup to what the OP posted and it works great. The only thing I want to do differently is allow concurrent connections from the same user. Does anyone know if it's possible with a network configuration similar to the OP?

ralphfitings
OpenVpn Newbie
Posts: 1
Joined: Fri Mar 01, 2013 1:37 pm
Location: New York

Re: How-to: Tunnel WAN IP assigned to specific users

Post by ralphfitings » Fri Mar 01, 2013 1:45 pm

Nice post. Thanks very much! These explanations are exactly what I need now, with pictures and good examples. :D

scarabeuz
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 19, 2013 12:16 pm

Re: How-to: Tunnel WAN IP assigned to specific users

Post by scarabeuz » Tue Mar 19, 2013 12:37 pm

Hi guys :)
Since you are absolutely professional I think to post my question here.

What I have:
My VPN is currently running on Windows (client & server).
Everything is running well I think but outgoing IP of each client is still his real one. (whatsmyip-proved)

What I want:
I want some users (up to 10) to be able to use my VPN.
I would like my users to have the outgoing IP of my VPN-Server.

My Problems:
1.) I don't understand much about iptables and
don't know how to configure it using Windows.
2.) My English is not the best :)

I hope you are able to help me..

Here my current config:

Code: Select all

#Server machine running Windows XP with static IP
user nobody
group nogroup

dev tun
local 176.xx.xxx.xxx

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd

port 1194
proto udp
keepalive 10 120
comp-lzo
verb 3
client-to-client
persist-tun
persist-key

ca cert/ca.crt
cert cert/server.crt
key cert/server.key
dh cert/dh1024.pem

status openvpn-status.log

push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"

Code: Select all

#Client machine running Windows 8 behind router
client 

proto udp 

dev tun 

remote vpn.example.org 1194 

resolv-retry infinite 

nobind 

persist-key 
persist-tun 

ca ../easy-rsa/keys/ca.crt
cert ../easy-rsa/keys/user.crt 
key ../easy-rsa/keys/user.key 

comp-lzo 

verb 3 

route 192.168.1.0 255.255.255.0 10.8.0.1 
redirect-gateway

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: How-to: Tunnel WAN IP assigned to specific users

Post by maikcat » Tue Mar 19, 2013 1:17 pm

bebop has already written a windows xp based howto....

please search.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

scarabeuz
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 19, 2013 12:16 pm

Re: How-to: Tunnel WAN IP assigned to specific users

Post by scarabeuz » Tue Mar 19, 2013 1:43 pm

maikcat wrote:bebop has already written a windows xp based howto....

please search.

Michael.
It's the third day now that I am searching and following guides..
And none of them worked like I wanted to make it work, that's why I was asking here :?

Sorry for my unuseful post.

Locked