07-11-2010, 10:31 PM
|
#1
|
LQ Newbie
Registered: Jul 2010
Location: Colombia
Distribution: Debian, CentOS, Ubuntu, Fedora
Posts: 16
Rep:
|
OpenVPN assigning public & static IPs to pcs/devices behind an OpenVPN client
Hi there people,
First of all, this is my 1st post and I'm a bit confused with something about OpenVPN, which rules, I have installed on my router, and at my NOC, works like a charm.
I'd like to ask a question divided in parts.
My setup
* OpenVPN 2.0.9 on CentOS (Virtualized on VMWare on W2k3 Server) with static IP (8.12.x.xxx) netmask 255.255.255.248 Gateway 8.12.x.145
* Bridged mode setup and 3 public static, valid IPs assigned to clients (WinXP), which use the "redirect-gateway" parameter; this is working, as described by me ;-) in this YouTube video here
* Server is also running on a public static IP.
What I want to accomplish:
behind the winxp clients there are Quintum gateways which I'd like to get those public IPs assigned instead of to the XP machines themselves. I'm no network expert when it comes to routing, but I know some things, and it sounds to me as if I could instead try a routed setup using 10.8.x.x IPs, then bridge the OpenVPN TAP device to the LAN connection and assign the public IP to the gateway manually (which I've already done). Confused? Me too, but you're the gurus and that's why I come to the source.
I think I could do as mentioned before, but I don't know that much about routing to carry on with that part; I'm stuck there. I think I could add:
route "8.12.x.x 255.255.255.248 10.8.0.1" or
route "8.12.x.x 255.255.255.248 8.12.x.145"
But I don't know if it'd work, and if I should push that to the clients (put this in the server.conf or client.conf file).
VPN connects, and I'm able to ping 10.8.x.x machines, but I have attached the Quintum to the LAN card of my Internet-connected PC, which has two NICs: one for Internet and one bridged to the TUN/TAP OpenVPN device. Also, I assigned a public IP to the Quintum with the netmask and the gateway, but I'm not able to ping either the 10.8.x.x or the 8.12.x.x networks. I know it's a routing-related issue but I don't know how to solve it.
For now as I said the server is assigning public addresses to the clients, but I don't know if it'd be better for me to install OpenVPN on the Windows machine directly and bridge OpenVPN device to the NIC that has the public IPs and assign these to the clients, or should I do it routed mode.
So how could I make this work? Do I need to add routes to server and client so they know where to route each other's packets?
If you need some more info please ask.
Any advice would be greatly appreciated.
Thanks.
|
|
|
07-15-2010, 09:06 AM
|
#2
|
LQ Newbie
Registered: Sep 2009
Posts: 8
Rep:
|
Hi. I'd like to help but I don't really understand what you are talking about. Any chance of a diagram, even hand-written? Include all the IP addresses and subnets.
I don't know what a NOC is. I do not understand this sentence at all: "behind the winxp clients there are Quintum gateways which I'd like to get those public IPs assigned instead of to the XP machines themselves"
Brian
|
|
|
07-15-2010, 11:15 PM
|
#3
|
LQ Newbie
Registered: Jul 2010
Location: Colombia
Distribution: Debian, CentOS, Ubuntu, Fedora
Posts: 16
Original Poster
Rep:
|
Quote:
Originally Posted by traderbam
Hi. I'd like to help but I don't really understand what you are talking about. Any chance of a diagram, even hand-written? Include all the IP addresses and subnets.
I don't know what a NOC is. I do not understand this sentence at all: "behind the winxp clients there are Quintum gateways which I'd like to get those public IPs assigned instead of to the XP machines themselves"
Brian
|
Thanks for your reply man I really appreciate it,
Ok if there's an attachment on this response.
Some definitions
NOC = Network Operations Center
Quintum = Brand which makes VoIP gateways
VoIP = Voice Over IP
VoIP Gateway = Device used to connect either analog phones or cellular gateways.
What I want to do is simple:
I have a Linux server running openvpn it has a public IP and assigns 10.8.0.0/24 IPs to connecting clients.
There are two client machines in Pakistan both winxp connected to Internet using a USB 3g modem, they also have an Ethernet NIC, which is connected directly to this VoIP gateway.
We have some public IPs available to us that we can assign to the gateways 8.xx.162.147 and 8.xx.162.148 respectively.
So what I want is to be able to route traffic from and to these gateways using the VPN, so that gateways appear to be on another location and they're accessible directly from the internet.
I hope I make myself clear.
Thanks for your reply again
|
|
|
07-17-2010, 03:50 AM
|
#4
|
LQ Newbie
Registered: Sep 2009
Posts: 8
Rep:
|
Ok, things are getting clearer. Still some ambiguities. The diagram helps but there are inconsistencies. Like your diagram shows the two XP PCs connected directly to the linux server. But in your text you say the XP PCs are in Pakistan; this suggests the linux server is not in Pakistan? Then you say the XP PCs are connected to voip gateways but you don't say how the server connects to the voip gateways, which it must do in order for a VPN tunnel to exist.
Is it that you have two remote XP PCs that have no local internet access but do have telephone/cellular(?) access? How does the linux server connect to them?
"So what I want is to be able to route traffic from and to these gateways using the VPN, so that gateways appear to be on another location and they're accessible directly from the internet."
Would you be more specific? Route traffic from where? What "location" do you want the gateways to appear to be? When you say "accessible directly from the internet" then what exactly do you mean? They must already be accessible from the internet or your linux server could not talk to them. Or are you saying the linux server talks to them through its own voip gateway? I don't see one in your diagram.
Are you saying that only the linux server has a connection to the XP PCs but that you want to have WAN IP addresses that are assigned to the linux server's internet gateway and forwarded to the XP PCs? You want the linux server to be an internet to voip router?
Eg: the linux server's internet router has WAN IP=8.12.0.1. When a connection is made to 8.12.0.1 from the public internet the packets are routed to the linux server which then routes them to the remote XP PC's gateway.
Let me test my understanding. I think you have the option of having the server either forward packets directly to the voip gateway of the XP PC or forward them to the XP PC via a VPN tunnel. Is that right?
In either case I imagine you need to make iptables entries in your linux server. The server will want to forward packets that originate from the local internet router whose WAN IP=8.12.0.1 to either 10.8.0.2 or to the voip gw IP (8.x.162.147?).
Unless I am missing the point, which is quite likely, I think that your routing should be done using iptables rather than using openVPN route directives.
Last edited by traderbam; 07-17-2010 at 03:55 AM.
|
|
|
07-17-2010, 09:28 AM
|
#5
|
LQ Newbie
Registered: Jul 2010
Location: Colombia
Distribution: Debian, CentOS, Ubuntu, Fedora
Posts: 16
Original Poster
Rep:
|
Quote:
Originally Posted by traderbam
Ok, things are getting clearer. Still some ambiguities. The diagram helps but there are inconsistencies. Like your diagram shows the two XP PCs connected directly to the linux server. But in your text you say the XP PCs are in Pakistan; this suggests the linux server is not in Pakistan? Then you say the XP PCs are connected to voip gateways but you don't say how the server connects to the voip gateways, which it must do in order for a VPN tunnel to exist.
|
Thanks for your reply, Linux server is in LA (USA), VOIP Gateways are attached with ethernet cable to the PC directly.
Quote:
Is it that you have two remote XP PCs that have no local internet access but do have telephone/cellular(?) access? How does the linux server connect to them?
|
XP PCs _do_ have Internet access using USB 3G modems (no cable or DSL), Linux server sees XP PCs using the VPN tunnel, because they connect using OpenVPN client.
Quote:
"So what I want is to be able to route traffic from and to these gateways using the VPN, so that gateways appear to be on another location and they're accessible directly from the internet."
Would you be more specific? Route traffic from where? What "location" do you want the gateways to appear to be? When you say "accessible directly from the internet" then what exactly do you mean? They must already be accessible from the internet or your linux server could not talk to them. Or are you saying the linux server talks to them through its own voip gateway? I don't see one in your diagram.
|
No, no, OK, here's the thing: I want to be able to reach the VOIP Gateways which are attached to the XP PC with an ethernet cable, assigned public IPs which we own, and talk to them through the tunnel without the need to use NAT.
Quote:
Are you saying that only the linux server has a connection to the XP PCs but that you want to have WAN IP addresses that are assigned to the linux server's internet gateway and forwarded to the XP PCs? You want the linux server to be an internet to voip router?
Eg: the linux server's internet router has WAN IP=8.12.0.1. When a connection is made to 8.12.0.1 from the public internet the packets are routed to the linux server which then routes them to the remote XP PC's gateway.
|
Well, not quite, but near, you see, I want to route traffic from the gateways in Pakistan to the Internet using the VPN tunnel, and make the gateways appear as if they were in the US using the 8.12.0.147-150 IPs.
Quote:
Let me test my understanding. I think you have the option of having the server either forward packets directly to the voip gateway of the XP PC or forward them to the XP PC via a VPN tunnel. Is that right?
In either case I imagine you need to make iptables entries in your linux server. The server will want to forward packets that originate from the local internet router whose WAN IP=8.12.0.1 to either 10.8.0.2 or to the voip gw IP (8.x.162.147?).
|
Yeah, that's more like it. XP PCs already have a WAN connection, gateways don't, so what I need is for them to have Internet access through the VPN tunnel. Some guy on the OpenVPN list, which until now hasn't been very useful, told me to use masquerading like this, but I haven't tested it yet until I can confirm.
Quote:
Example IP Tables
iptables -t nat -I POSTROUTING -s OPENVPNCLIENTIP -o tun0 -j SNAT --to PUBLICIP
iptables -t nat -I PREROUTING -d PUBLICIP -j DNAT --to-destination OPENVPNCLIENTIP
|
This might work, but as he works for a company selling this he didn't help, he wanted me to give him away my client, and that's not very likely.
Quote:
Unless I am missing the point, which is quite likely, I think that your routing should be done using iptables rather than using openVPN route directives.
|
Yeah, I think I have answered and made clear some points so please, if you know what to do, please spare some of your know-how.
Thanks.
|
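The 1:1 NAT idea quoted in post #5, as an added example that is not from any poster in this thread: a shell script that prints one SNAT/DNAT rule pair per public-IP-to-VPN-client mapping and rejects malformed or reused addresses. The interface name eth0 and the 203.0.113.x addresses are assumptions (constructed sample values); the SNAT rule matches on the Internet-facing interface because that is where the client's outbound packets leave the server.

```shell
#!/bin/sh
# Added example: print 1:1 NAT rules (SNAT + DNAT) for public-IP/VPN-client pairs.
# eth0 and the 203.0.113.x addresses are assumptions, not values from the thread.

# Succeed only if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1          # split on dots; safe because only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_nat_pair WAN_IF PUBLIC_IP CLIENT_IP: print the rule pair for one mapping.
gen_nat_pair() {
    is_ipv4 "$2" || { echo "bad public IP: $2" >&2; return 1; }
    is_ipv4 "$3" || { echo "bad client IP: $3" >&2; return 1; }
    # Outbound: the client's packets leave through the WAN interface as PUBLIC_IP.
    echo "iptables -t nat -A POSTROUTING -s $3 -o $1 -j SNAT --to-source $2"
    # Inbound: packets arriving on the WAN interface for PUBLIC_IP go to the client.
    echo "iptables -t nat -A PREROUTING -i $1 -d $2 -j DNAT --to-destination $3"
}

# gen_nat_rules WAN_IF: read "PUBLIC_IP CLIENT_IP" lines from stdin and print
# every rule pair; an address used twice is rejected so the mapping stays 1:1.
gen_nat_rules() {
    seen=" "
    while read -r public_ip client_ip _rest; do
        case "$public_ip" in ''|'#'*) continue ;; esac
        case "$seen" in
            *" $public_ip "*|*" $client_ip "*)
                echo "duplicate address: $public_ip $client_ip" >&2; return 1 ;;
        esac
        seen="$seen$public_ip $client_ip "
        gen_nat_pair "$1" "$public_ip" "$client_ip" || return 1
    done
}

# Constructed sample mapping: documentation-range public IPs, 10.8.0.0/24 clients.
SAMPLE_MAP='203.0.113.147 10.8.0.2
203.0.113.148 10.8.0.3'
printf '%s\n' "$SAMPLE_MAP" | gen_nat_rules eth0
```

The script only prints the rules so they can be reviewed before being run as root; the server also needs IP forwarding enabled (net.ipv4.ip_forward=1) for the translated packets to be routed.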
|
|
07-18-2010, 04:20 AM
|
#6
|
LQ Newbie
Registered: Sep 2009
Posts: 8
Rep:
|
"Yeah, I think I have answered and made clear some points so please, if you know what to do, please spare some of your know-how."
I am interested in understanding your problem but I am having trouble parsing your descriptions.
I think you are asking how to provide two VOIP internet gateways in Pakistan that appear on the internet as if they are located in the US, and you want all the connections to be encrypted.
Should I tell you how to do it or should I report you to Homeland Security?
Last edited by traderbam; 07-18-2010 at 04:21 AM.
|
|
|
07-18-2010, 09:50 AM
|
#7
|
LQ Newbie
Registered: Jul 2010
Location: Colombia
Distribution: Debian, CentOS, Ubuntu, Fedora
Posts: 16
Original Poster
Rep:
|
Quote:
Originally Posted by traderbam
"Yeah, I think I have answered and made clear some points so please, if you know what to do, please spare some of your know-how."
I am interested in understanding your problem but I am having trouble parsing your descriptions.
I think you are asking how to provide two VOIP internet gateways in Pakistan that appear on the internet as if they are located in the US, and you want all the connections to be encrypted.
Should I tell you how to do it or should I report you to Homeland Security?
|
Hi, you can do as you wish, there'd be no problem, I'm not even on US soil. In the meantime, the problem is the Pakistan government, who blocks and spies on people; I'm just trying to help a troubled community.
Although I'd rather you answer my question and help me solve this issue, if you can/want, obviously.
Thanks.
|
|
|
All times are GMT -5.