LinuxQuestions.org


dgonzalezh 07-11-2010 10:31 PM

OpenVPN assigning public & static IPs to pcs/devices behind an OpenVPN client
 
Hi there people,

First of all, this is my 1st post and I'm a bit confused about something in OpenVPN, which rules; I have it installed on my router and at my NOC, and it works like a charm.

I'd like to ask a question divided in parts.

My setup

* OpenVPN 2.0.9 on CentOS (Virtualized on VMWare on W2k3 Server) with static IP (8.12.x.xxx) netmask 255.255.255.248 Gateway 8.12.x.145
* Bridged mode setup and 3 public static, valid IPs assigned to clients (WinXP), which use the "redirect-gateway" parameter; this is working :), as described by me ;-) on this YouTube video here
* Server is also running on a public static IP.

What I want to accomplish:

Behind the winxp clients there are Quintum gateways which I'd like to get those public IPs assigned instead of to the XP machines themselves. I'm no network expert when it comes to routing, but I know some things, and it sounds to me as if I could instead try a routed setup using 10.8.x.x IPs, then bridge the OpenVPN TAP device to the LAN connection and assign the public IP to the gateway manually (which I've already done). Confused? Me too. But you're the gurus and that's why I come to the source.

I think I could do as mentioned before, but I don't know enough about routing to carry on with that part; I'm stuck there. I think I could add:

route "8.12.x.x 255.255.255.248 10.8.0.1" or
route "8.12.x.x 255.255.255.248 8.12.x.145"

But I don't know if it'd work, or whether I should push that to the clients (put this in the server.conf or client.conf file).

The VPN connects, and I'm able to ping 10.8.x.x machines, but I have attached the Quintum to the LAN card of my Internet-connected PC, which has two NICs: one for Internet and one bridged to the TUN/TAP OpenVPN device. I also assigned a public IP to the Quintum with the netmask and the gateway, but I'm not able to ping either the 10.8.x.x or the 8.12.x.x networks. I know it's a routing-related issue but I don't know how to solve it.

For now, as I said, the server is assigning public addresses to the clients, but I don't know if it'd be better for me to install OpenVPN on the Windows machine directly, bridge the OpenVPN device to the NIC that has the public IPs and assign these to the clients, or whether I should do it in routed mode.

So how could I make this work? Do I need to add routes to server and client so they know where to route each other's packets?

If you need some more info please ask.

Any advice would be greatly appreciated.

Thanks.

traderbam 07-15-2010 09:06 AM

Hi. I'd like to help but I don't really understand what you are talking about. Any chance of a diagram, even hand-written? Include all the IP addresses and subnets.

I don't know what a NOC is. I do not understand this sentence at all: "behind the winxp clients there are Quintum gateways which I'd like to get those public IPs assigned instead of to the XP machines themselves"

Brian

dgonzalezh 07-15-2010 11:15 PM

1 Attachment(s)
Quote:

Originally Posted by traderbam (Post 4033986)
Hi. I'd like to help but I don't really understand what you are talking about. Any chance of a diagram, even hand-written? Include all the IP addresses and subnets.

I don't know what a NOC is. I do not understand this sentence at all: "behind the winxp clients there are Quintum gateways which I'd like to get those public IPs assigned instead of to the XP machines themselves"

Brian

Thanks for your reply man I really appreciate it,

Ok if there's an attachment on this response.

Some definitions

NOC = Network Operations Center
Quintum = Brand which makes VoIP gateways
VoIP = Voice Over IP
VoIP Gateway = Device used to connect either analog phones or cellular gateways.

What I want to do is simple:

I have a Linux server running openvpn it has a public IP and assigns 10.8.0.0/24 IPs to connecting clients.

There are two client machines in Pakistan both winxp connected to Internet using a USB 3g modem, they also have an Ethernet NIC, which is connected directly to this VoIP gateway.

We have some public IPs available to us that we can assign to the gateways 8.xx.162.147 and 8.xx.162.148 respectively.

So what I want is to be able to route traffic from and to these gateways using the VPN, so that the gateways appear to be in another location and they're accessible directly from the internet.

I hope I make myself clear.

Thanks for your reply again

traderbam 07-17-2010 03:50 AM

Ok, things are getting clearer. Still some ambiguities. The diagram helps but there are inconsistencies. Like your diagram shows the two XP PCs connected directly to the linux server. But in your text you say the XP PCs are in Pakistan; this suggests the linux server is not in Pakistan? Then you say the XP PCs are connected to voip gateways but you don't say how the server connects to the voip gateways, which it must do in order for a VPN tunnel to exist.

Is it that you have two remote XP PCs that have no local internet access but do have telephone/cellular(?) access? How does the linux server connect to them?

"So what I want is to be able to route traffic from and to these gateways using the VPN, so that gateways appear to be on another location and they're accessible directly from the internet."
Would you be more specific? Route traffic from where? What "location" do you want the gateways to appear to be? When you say "accessible directly from the internet" then what exactly do you mean? They must already be accessible from the internet or your linux server could not talk to them. Or are you saying the linux server talks to them through its own voip gateway? I don't see one in your diagram.

Are you saying that only the linux server has a connection to the XP PCs but that you want to have WAN IP addresses that are assigned to the linux server's internet gateway and forwarded to the XP PCs? You want the linux server to be an internet to voip router?
Eg: the linux server's internet router has WAN IP=8.12.0.1. When a connection is made to 8.12.0.1 from the public internet the packets are routed to the linux server which then routes them to the remote XP PC's gateway.

Let me test my understanding. I think you have the option of having the server either forward packets directly to the voip gateway of the XP PC or forward them to the XP PC via a VPN tunnel. Is that right?

In either case I imagine you need to make iptables entries in your linux server. The server will want to forward packets that originate from the local internet router whose WAN IP=8.12.0.1 to either 10.8.0.2 or to the voip gw IP (8.x.162.147?).

Unless I am missing the point, which is quite likely, I think that your routing should be done using iptables rather than using openVPN route directives.

dgonzalezh 07-17-2010 09:28 AM

Quote:

Originally Posted by traderbam (Post 4036106)
Ok, things are getting clearer. Still some ambiguities. The diagram helps but there are inconsistencies. Like your diagram shows the two XP PCs connected directly to the linux server. But in your text you say the XP PCs are in Pakistan; this suggests the linux server is not in Pakistan? Then you say the XP PCs are connected to voip gateways but you don't say how the server connects to the voip gateways, which it must do in order for a VPN tunnel to exist.

Thanks for your reply, Linux server is in LA (USA), VOIP Gateways are attached with ethernet cable to the PC directly.

Quote:

Is it that you have two remote XP PCs that have no local internet access but do have telephone/cellular(?) access? How does the linux server connect to them?

XP PCs _do_ have Internet access using USB 3G modems (no cable or DSL), Linux server sees XP PCs using the VPN tunnel, because they connect using OpenVPN client.

Quote:

"So what I want is to be able to route traffic from and to these gateways using the VPN, so that gateways appear to be on another location and they're accessible directly from the internet."
Would you be more specific? Route traffic from where? What "location" do you want the gateways to appear to be? When you say "accessible directly from the internet" then what exactly do you mean? They must already be accessible from the internet or your linux server could not talk to them. Or are you saying the linux server talks to them through its own voip gateway? I don't see one in your diagram.

No, no. OK, here's the thing: I want to be able to reach the VOIP gateways, which are attached to the XP PC with an ethernet cable and assigned public IPs which we own, and talk to them through the tunnel without the need to use NAT.

Quote:

Are you saying that only the linux server has a connection to the XP PCs but that you want to have WAN IP addresses that are assigned to the linux server's internet gateway and forwarded to the XP PCs? You want the linux server to be an internet to voip router?
Eg: the linux server's internet router has WAN IP=8.12.0.1. When a connection is made to 8.12.0.1 from the public internet the packets are routed to the linux server which then routes them to the remote XP PC's gateway.

Well, not quite, but near, you see, I want to route traffic from the gateways in Pakistan to the Internet using the VPN tunnel, and make the gateways appear as if they were in the US using the 8.12.0.147-150 IPs.

Quote:

Let me test my understanding. I think you have the option of having the server either forward packets directly to the voip gateway of the XP PC or forward them to the XP PC via a VPN tunnel. Is that right?

In either case I imagine you need to make iptables entries in your linux server. The server will want to forward packets that originate from the local internet router whose WAN IP=8.12.0.1 to either 10.8.0.2 or to the voip gw IP (8.x.162.147?).

Yeah, that's more like it. The XP PCs already have a WAN connection; the gateways don't, so what I need is for them to have Internet access through the VPN tunnel. Some guy on the OpenVPN list, which until now hasn't been very useful, told me to use masquerading like this, but I haven't tested it yet, until I can confirm.

Quote:

Example IP Tables
iptables -t nat -I POSTROUTING -s OPENVPNCLIENTIP -o tun0 -j SNAT --to PUBLICIP
iptables -t nat -I PREROUTING -d PUBLICIP -j DNAT --to-destination OPENVPNCLIENTIP

This might work, but as he works for a company selling this he didn't help; he wanted me to give away my client to him, and that's not very likely.

Quote:

Unless I am missing the point, which is quite likely, I think that your routing should be done using iptables rather than using openVPN route directives.

Yeah, I think I have answered and made clear some points, so please, if you know what to do, please spare some of your know-how.

Thanks.
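
The 1:1 NAT approach from the rules quoted in the post above, as an added example that is not part of the thread: a dry-run script that validates a public-IP-to-VPN-client mapping and prints the DNAT/SNAT pair for each entry. The interface name `eth0`, the mapping format and the 203.0.113.x addresses are assumptions; the SNAT rule here matches on the Internet-facing interface, where a client's outbound traffic leaves the server, and the public addresses are assumed to be already configured on that interface.

```sh
#!/bin/sh
# Added example (not from the thread): dry-run generator for 1:1 NAT rule pairs.
# Assumed: interface name, mapping format, and 203.0.113.x documentation
# addresses standing in for the public IPs the posts elide.
WAN_IF="${WAN_IF:-eth0}"   # server's Internet-facing interface (assumed name)

# Constructed sample mapping: public IP, then the client's address in 10.8.0.0/24.
SAMPLE_MAP='# public-ip     vpn-client-ip
203.0.113.147  10.8.0.6
203.0.113.148  10.8.0.10'

# valid_ipv4 ADDR: succeeds only for a dotted quad with every octet 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# nat_rules PUBLIC_IP VPN_IP: prints the DNAT/SNAT pair; nothing is applied.
nat_rules() {
    pub=$1; vpn=$2
    valid_ipv4 "$pub" && valid_ipv4 "$vpn" || { echo "bad address: $pub $vpn" >&2; return 1; }
    # Refuse targets outside the pool the server hands out (10.8.0.0/24 in the thread).
    case "$vpn" in 10.8.0.*) ;; *) echo "not a VPN client: $vpn" >&2; return 1 ;; esac
    # Inbound: packets arriving for the public address go to the tunnel client.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $vpn"
    # Outbound: the client's traffic leaves the WAN side from that same address.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $vpn -j SNAT --to-source $pub"
}

# build_ruleset: reads "PUBLIC_IP VPN_IP" lines on stdin; blank lines and
# comments are skipped, and any address used twice is rejected (1:1 only).
build_ruleset() {
    seen=" "
    while read -r p v rest; do
        case "$p" in ''|'#'*) continue ;; esac
        case "$seen" in *" $p "*|*" $v "*) echo "duplicate: $p $v" >&2; return 1 ;; esac
        nat_rules "$p" "$v" || return 1
        seen="$seen$p $v "
    done
}

printf '%s\n' "$SAMPLE_MAP" | build_ruleset
```

The script only prints rules for review; packets are still forwarded only if IP forwarding and the FORWARD chain on the server allow them.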

traderbam 07-18-2010 04:20 AM

"Yeah, I think I have answered and made clear some points, so please, if you know what to do, please spare some of your know-how."
I am interested in understanding your problem but I am having trouble parsing your descriptions.

I think you are asking how to provide two VOIP internet gateways in Pakistan that appear on the internet as if they are located in the US, and you want all the connections to be encrypted.

Should I tell you how to do it or should I report you to Homeland Security? ;)

dgonzalezh 07-18-2010 09:50 AM

Quote:

Originally Posted by traderbam (Post 4036928)
"Yeah, I think I have answered and made clear some points, so please, if you know what to do, please spare some of your know-how."
I am interested in understanding your problem but I am having trouble parsing your descriptions.

I think you are asking how to provide two VOIP internet gateways in Pakistan that appear on the internet as if they are located in the US, and you want all the connections to be encrypted.

Should I tell you how to do it or should I report you to Homeland Security? ;)

Hi, you can do as you wish, there'd be no problem, I'm not even on US soil :) In the meantime, the problem is the Pakistan government, who blocks and spies on people; I'm just trying to help a troubled community.

Although I'd rather you answer my question and help me solve this issue, if you can/want, obviously.

Thanks.


All times are GMT -5.