- You have a single Linux server which has multiple WAN IP addresses available to use. You want to tunnel VPN clients through the server and assign different WAN IPs to different clients. In practical terms, you could log in to the VPN and visit http://www.whatismyip.com to see your WAN IP, then log out, log back in to the VPN as a different user, and visit http://www.whatismyip.com again: this time the reported WAN IP will be different, depending on which user you logged in to the VPN as.
- This example assumes that you already know how to install OpenVPN and set up keys and/or certificates.
- We will use the 10.8.1.x and 10.8.2.x local subnets.
- 123.123.255.120 and 123.123.255.121 will be our example WAN IPs.
- We will use certificates for authentication, but usernames and passwords could be substituted just as easily.
OpenVPN server config:
```
local 123.123.255.120
port 1194
proto udp
dev tun
ca ./ca.crt
cert ./server.crt
key ./server.key
dh ./dh1024.pem
server 10.8.1.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.1"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status ./ovpnstatus.log
verb 3
client-config-dir /etc/openvpn/ccd
route 10.8.2.0 255.255.255.0
```
bash:
```sh
mkdir /etc/openvpn/ccd
touch /etc/openvpn/ccd/username1
touch /etc/openvpn/ccd/username2
touch /etc/openvpn/ccd/username5
```
Contents of /etc/openvpn/ccd/username1:
```
ifconfig-push 10.8.2.1 10.8.2.2
```
Contents of /etc/openvpn/ccd/username2:
```
ifconfig-push 10.8.2.5 10.8.2.6
```
Contents of /etc/openvpn/ccd/username5:
```
ifconfig-push 10.8.2.9 10.8.2.10
```
IPTABLES:
```sh
iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -s 10.8.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 10.8.2.0/24 -j SNAT --to-source 123.123.255.121
```
A basic summary of what is happening:
- The default VPN LAN is 10.8.1.x
- The secondary VPN LAN is 10.8.2.x
- Any user with a filename in ./ccd will be given a 10.8.2.x address
- The 10.8.2.x address is hardcoded for each user, e.g. username1 gets 10.8.2.1
- IPTABLES will SNAT all users with a 10.8.2.x address to the alternate WAN IP (123.123.255.121 or whatever)
- Any user whose name is not in the ccd will simply get the default LAN of 10.8.1.x, and therefore the default WAN IP also (123.123.255.120).
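As an added example (not part of the original post), the following POSIX shell helpers automate the ccd step described above: they compute the /30 address pairs the post hard-codes by hand, write a ccd file for a user while refusing a pair another user already holds, report which WAN IP a given user will exit from, and print the iptables rules for review instead of applying them. The directory, user names and addresses are the post's values, reused here as placeholders; the pair numbering (N=1 for .1/.2, N=2 for .5/.6, and so on) is this example's own convention, and the `ESTABLISHED,RELATED` rule in `print_rules` is an addition that the post's rule set lacks.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers for the per-client
# ccd files on the secondary pool (10.8.2.0/24) and the matching SNAT rules.
# CCD_DIR, the WAN addresses and the user names are the post's placeholder
# values; override CCD_DIR (e.g. with a temp dir) for a dry run.

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"   # assumed path, as in the post
SECONDARY_NET="10.8.2"                    # pool used by users with a ccd file
WAN_DEFAULT="123.123.255.120"             # users without a ccd file
WAN_ALTERNATE="123.123.255.121"           # users with a ccd file

# ccd_pair N: the N-th /30 endpoint pair in 10.8.2.0/24, i.e. the pairs the
# OpenVPN HOWTO lists as valid for ifconfig-push: N=1 -> "10.8.2.1 10.8.2.2",
# N=2 -> "10.8.2.5 10.8.2.6", N=3 -> "10.8.2.9 10.8.2.10". A /24 holds 64 pairs.
ccd_pair() {
    n=$1
    [ "$n" -ge 1 ] && [ "$n" -le 64 ] || return 1
    base=$(( (n - 1) * 4 ))
    echo "$SECONDARY_NET.$((base + 1)) $SECONDARY_NET.$((base + 2))"
}

# ccd_write USER N: create USER's ccd file with the N-th pair hard-coded.
# Fails without writing anything if N is out of range or another ccd file
# already holds that exact pair, so two clients are never pushed the same address.
ccd_write() {
    user=$1
    pair=$(ccd_pair "$2") || return 1
    if grep -qsFx "ifconfig-push $pair" "$CCD_DIR"/* 2>/dev/null; then
        echo "pair $pair already assigned" >&2
        return 1
    fi
    printf 'ifconfig-push %s\n' "$pair" > "$CCD_DIR/$user"
}

# wan_ip_for USER: the WAN address the user's traffic is SNAT'd to, following
# the post's rule: a ccd file means the secondary pool, which means the
# alternate WAN IP; everyone else lands on the default WAN IP.
wan_ip_for() {
    if [ -f "$CCD_DIR/$1" ]; then
        echo "$WAN_ALTERNATE"
    else
        echo "$WAN_DEFAULT"
    fi
}

# print_rules: echo the iptables rules rather than applying them, so they can
# be reviewed first. The ESTABLISHED,RELATED rule is not in the post's rules;
# without it (or a FORWARD policy of ACCEPT) reply traffic to the clients is
# dropped by a default-DROP FORWARD chain.
print_rules() {
    cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -s $SECONDARY_NET.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source $WAN_DEFAULT
iptables -t nat -A POSTROUTING -s $SECONDARY_NET.0/24 -j SNAT --to-source $WAN_ALTERNATE
EOF
}

# demo: dry run in a throw-away directory with the three users from the post,
# plus one user (username3) who has no ccd file and so keeps the default WAN IP.
demo() {
    CCD_DIR=$(mktemp -d)
    ccd_write username1 1
    ccd_write username2 2
    ccd_write username5 3
    for u in username1 username2 username5 username3; do
        printf '%-10s -> %s\n' "$u" "$(wan_ip_for "$u")"
    done
    print_rules
    rm -rf "$CCD_DIR"
}
```

Call `demo` to see the mapping without touching the real directory; with `CCD_DIR` left at its default, `ccd_write` needs write access to /etc/openvpn/ccd, and the printed rules still have to be applied by hand.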
More info: http://openvpn.net/index.php/open-sourc ... howto.html

Valid ifconfig-push address pairs (successive /30 subnets, as listed in the OpenVPN HOWTO):
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98] ... and so on
- Visual image: "Looking at it another way...." (the diagram itself is not reproduced in this text)