Use another public ip of openvpn server

wolfgangpue
OpenVpn Newbie
Posts: 2
Joined: Mon Dec 28, 2020 4:07 pm

Use another public ip of openvpn server

Post by wolfgangpue » Thu Oct 20, 2022 10:44 pm

Hi, the main IP of my Debian server is 51.*.*.12 (eno1).
There is also a subinterface (eno1:1) with the IP 94.*.*.164.

I want all clients to have the eno1:1 IP as their public IP.
I added the following iptables rule, but the clients still have the main server IP as their public IP.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 94.*.*.164

My server conf is:
server
local 94.*.*.164
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Use another public ip of openvpn server

Post by ordex » Fri Oct 21, 2022 10:33 am

Where traffic goes out depends on how your routing is configured; it's unrelated to OpenVPN.
How does your server decide which interface/IP to use right now?

I believe you could use policy routing and then instruct only VPN traffic to follow a specific route across the interface you want.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Use another public ip of openvpn server

Post by openvpn_inc » Thu Oct 27, 2022 11:21 am

Hi Wolf,

Just a few things to toss out in addition to what ordex said:
  1. An alias is NOT a "subinterface", it is merely an alias
  2. It looks like you added an alias to an interface for an entirely different ISP.
  3. --local is entirely unrelated to outbound VPN client routing
Point 1: Get rid of Linux net-tools, ifconfig(8) and route(8). Unlearn them. They are broken and buggy, and cannot be used to configure the advanced routing features ordex mentioned. Compare this to ifconfig and see your "subinterface":

ip addr

Point 2: How can this work? Does it work? I am pretty sure it cannot, unless both are routed through the same upstream router by chance (and that appears unlikely.) Have you been able to ping or otherwise connect to the 94.x address from outside? If so all the replies are going back through the 51.x ISP.

Point 3: If the 94.x IP address does not work at all, it surely will not work as --local for openvpn. You have to cover the basic functionality before you can venture out into policy routing.

Good luck, regards, rob0
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

wolfgangpue
OpenVpn Newbie
Posts: 2
Joined: Mon Dec 28, 2020 4:07 pm

Re: Use another public ip of openvpn server

Post by wolfgangpue » Wed Nov 09, 2022 7:39 am

Hi, the output from "ip addr"

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 0c:c4:7a:db:0e:4c brd ff:ff:ff:ff:ff:ff
    inet 5.135.141.XXX/24 brd 5.135.141.255 scope global dynamic eno1
       valid_lft 82205sec preferred_lft 82205sec
    inet 94.23.161.XXX/32 brd 94.23.161.164 scope global eno1:0
       valid_lft forever preferred_lft forever
    inet6 fe80::ec4:7aff:fedb:XXX/64 scope link
       valid_lft forever preferred_lft forever
3: eno2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 0c:c4:7a:db:0e:4d brd ff:ff:ff:ff:ff:ff
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::78a3:2a80:c10:XXXX/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

The second IP 94.23.161.XXX (eno1:0) is working fine. I can ping it from outside, the server is listening on that IP (--local), and the OpenVPN client also connects to this IP without problems.

I think I need to route all traffic coming from (10.8.0.X) to 94.23.161.XXX somehow.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Use another public ip of openvpn server

Post by ordex » Wed Nov 09, 2022 1:24 pm

You can do that with policy routing:
* create a new routing table
* use ip rule to send all traffic *from* 10.8.0.0/24 to that routing table
* set a default route in the new routing table using the 94.X as src

For completeness, can you also post the output of

ip route

Thanks!
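The three steps above as a runnable script. This is an added example, not code from the thread or from OpenVPN Inc.; the interface name, table id and gateway are placeholders to be replaced with the values `ip route` shows on the server, and the script only prints the commands unless it is started with `--apply`.

```shell
#!/bin/sh
# Added example (not from the thread): generates the policy-routing steps
# ordex lists (new table, ip rule for the VPN subnet, default route in that
# table with the alias address as src). Values below are assumptions.

VPN_NET="10.8.0.0/24"      # VPN subnet from the server config
ALIAS_IP="94.23.161.164"   # placeholder for the real alias address on eno1
IFACE="eno1"
GATEWAY="51.0.0.1"         # placeholder: the real default gateway from `ip route`
TABLE="100"                # any unused table id (see /etc/iproute2/rt_tables)

# Print the commands one per line so they can be reviewed before anything runs.
policy_routing_cmds() {
    net="$1"; src="$2"; dev="$3"; gw="$4"; table="$5"
    printf '%s\n' \
        "ip route add default via $gw dev $dev src $src table $table" \
        "ip rule add from $net lookup $table priority 1000" \
        "ip route flush cache"
}

# Run the generated commands (needs root); stops at the first failure.
apply_policy_routing() {
    policy_routing_cmds "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# Check `ip rule show` output (read from stdin) for a rule that sends the
# subnet to the table: exit 0 if present, 1 if not.
rule_present() {
    grep -q "from $1 lookup $2"
}

# Default: show what would be run; pass --apply to configure the kernel.
if [ "${1:-}" = "--apply" ]; then
    apply_policy_routing "$VPN_NET" "$ALIAS_IP" "$IFACE" "$GATEWAY" "$TABLE"
else
    policy_routing_cmds "$VPN_NET" "$ALIAS_IP" "$IFACE" "$GATEWAY" "$TABLE"
fi
```

Verify the result with `ip rule show | rule_present 10.8.0.0/24 100` and `ip route show table 100`. One caveat worth knowing: the `src` on a route is only the preferred source for packets the server itself originates; forwarded packets from 10.8.0.x keep their own source address, so the SNAT rule from the first post is still what presents 94.x to the outside, and the policy rule decides which gateway and interface those packets leave through.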

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Use another public ip of openvpn server

Post by ordex » Wed Nov 09, 2022 1:25 pm

Maybe SNATting with iptables may also work, actually. It seems you tried that... but more insight is needed to understand why it did not work (maybe a conflict with your NAT rules).
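One way to check for the NAT conflict ordex suspects, as an added example that is not code from the thread or from OpenVPN Inc. iptables takes the first matching rule in nat/POSTROUTING, so a MASQUERADE rule appended earlier (the kind many OpenVPN howtos add) matches the VPN subnet before the SNAT rule ever gets a look, and MASQUERADE rewrites to the address routing prefers for the outgoing interface, normally the primary 51.x address. The script parses an `iptables-save` dump; the dump embedded below is constructed for the demonstration, and the alias address is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): find the first nat/POSTROUTING rule
# that can match traffic from the VPN subnet and report whether the SNAT
# rule is shadowed. SAMPLE_NAT is a constructed iptables-save dump.

SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eno1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 94.23.161.164
COMMIT'

# Print the target (-j) of the first POSTROUTING rule that can match packets
# from the given source network; rules without -s match everything.
# Reads iptables-save text from stdin.
first_nat_target() {
    awk -v net="$1" '
        /^-A POSTROUTING/ {
            src = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (src == "" || src == net) { print target; exit }
        }'
}

# Exit 0 when SNAT is the first match for the subnet, 1 when another rule
# (e.g. MASQUERADE) shadows it, 2 when nothing in POSTROUTING matches.
snat_wins() {
    case "$(first_nat_target "$1")" in
        SNAT) return 0 ;;
        "")   return 2 ;;
        *)    return 1 ;;
    esac
}

# Verdict plus the fix: insert the SNAT rule at position 1 so it is
# evaluated before anything that was appended earlier.
nat_report() {
    net="$1"; alias_ip="$2"
    target="$(first_nat_target "$net")"
    case "$target" in
        SNAT) echo "OK: SNAT is the first POSTROUTING match for $net" ;;
        "")   echo "NO RULE: nothing in nat/POSTROUTING matches $net" ;;
        *)    echo "SHADOWED: $target matches $net before SNAT; fix with:"
              echo "  iptables -t nat -I POSTROUTING 1 -s $net -j SNAT --to-source $alias_ip" ;;
    esac
}

# Demo on the constructed dump. On the real server run:
#   iptables-save -t nat | nat_report 10.8.0.0/24 <alias address>
printf '%s\n' "$SAMPLE_NAT" | nat_report 10.8.0.0/24 94.23.161.164
```

After inserting the rule, existing connections keep the mapping they were created with, so test with a fresh connection (or flush the relevant conntrack entries) before concluding the change did nothing.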
