LinuxQuestions.org


remote42 06-21-2009 02:15 PM

Server with two IP addresses, how do I use the 2nd one for an openvpn tunnel?
 
Hello,

I've recently got a 2nd IP address for my server. When running ifconfig, I get the following output (let the first IP be xxx.xxx.xxx.xxx and the second IP be yyy.yyy.yyy.yyy):
Code:

eth0      Link encap:Ethernet
          inet addr:xxx.xxx.xxx.xxx  Bcast:zzz.zzz.zzz.255  Mask:255.255.248.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:803 errors:0 dropped:0 overruns:0 frame:0
          TX packets:629 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Memory:88380000-883a0000

eth0:1    Link encap:Ethernet
          inet addr:yyy.yyy.yyy.yyy  Bcast:zzz.255.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:88380000-883a0000

I would like to use the 2nd IP for openvpn, meaning all clients should connect to the internet via yyy.yyy.yyy.yyy. My openvpn-server config looks like this:
Code:

local yyy.yyy.yyy.yyy
proto udp
float
port 1149
dev tun
tun-mtu 1500
fragment 1300
mssfix
secret sec.key
ifconfig 10.0.8.1 10.0.8.2
keepalive 5 60
ping-timer-rem
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 1
mute 10

And my openvpn-client config like that:
Code:

remote yyy.yyy.yyy.yyy
port 1149
dev tun
nobind
proto udp
tun-mtu 1500
fragment 1300
mssfix
float
resolv-retry infinite
persist-key
persist-tun
route-method exe
route-delay 2
secret sec.key
ifconfig 10.0.8.2 10.0.8.1
redirect-gateway def1
cipher AES-256-CBC
inactive 604800
keepalive 5 60
ping-timer-rem
comp-lzo
verb 1

Probably most important, I've also configured natting for openvpn:
Quote:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.8.0/24 -j MASQUERADE
The odd thing is that all clients show up on the internet via the first IP address xxx.xxx.xxx.xxx (and not via yyy.yyy.yyy.yyy as I intended). I've tested the IP of the clients using e.g. this site.

It seems that the MASQUERADE-target is using the first IP of the interface, meaning xxx.xxx.xxx.xxx instead of the alias yyy.yyy.yyy.yyy.

From studying various documentations on the net, I guess marking the packets from the tun-interface and then testing for the mark could somehow solve the problem. But how do I do that? Can someone give me an example?

Thanks in advance.
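As an added example (not the poster's configuration, and not an answer from the thread): MASQUERADE always picks the primary address of the outgoing interface, so the alias on eth0:1 is never used for VPN traffic, and marking packets from the tun interface does not change that. The SNAT target with an explicit --to-source does what the post wants. The script below reuses the post's VPN subnet 10.0.8.0/24 and uplink eth0, stands in the constructed placeholder 203.0.113.20 for yyy.yyy.yyy.yyy, emits the corrected three-line NAT setup, and audits an iptables-save style dump (two constructed dumps are embedded) so an operator can verify the change is actually in force.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Assumes the
# VPN subnet 10.0.8.0/24 and uplink interface eth0 from the post; the
# alias address yyy.yyy.yyy.yyy is represented by the constructed
# placeholder 203.0.113.20.

VPN_NET="10.0.8.0/24"
OUT_IF="eth0"
ALIAS_IP="203.0.113.20"

# MASQUERADE stamps outgoing packets with the primary address of the
# outgoing interface, so an alias is ignored. SNAT --to-source names the
# address explicitly; emit the replacement for the post's NAT setup.
nat_setup_commands() {
    printf '%s\n' 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    printf '%s\n' 'iptables -t nat -F POSTROUTING'
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$OUT_IF" "$VPN_NET" "$ALIAS_IP"
}

# Audit a dump read from stdin in the format iptables-save prints: succeed
# only when the VPN subnet is SNATed to the alias and no MASQUERADE rule
# still covers it. On a live box: iptables-save -t nat | vpn_nat_check
vpn_nat_check() {
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -q -- "-s $VPN_NET .*-j MASQUERADE"; then
        return 1
    fi
    printf '%s\n' "$dump" | grep -q -- "-s $VPN_NET .*-j SNAT --to-source $ALIAS_IP"
}

# Constructed dumps standing in for iptables-save output before and after
# the change (iptables-save prints -s before -o).
BEFORE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.8.0/24 -o eth0 -j MASQUERADE
COMMIT'

AFTER_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.8.0/24 -o eth0 -j SNAT --to-source 203.0.113.20
COMMIT'

# Stand-alone demonstration: print the corrected commands, then audit both
# dumps. Expected: "before: still masquerading" and "after: ok".
demo() {
    nat_setup_commands
    if printf '%s\n' "$BEFORE_DUMP" | vpn_nat_check; then
        echo "before: ok"
    else
        echo "before: still masquerading"
    fi
    if printf '%s\n' "$AFTER_DUMP" | vpn_nat_check; then
        echo "after: ok"
    else
        echo "after: wrong"
    fi
}

demo
```

Two practical notes on applying this: connections that were already NATed under the old rule keep their MASQUERADE mapping in the connection-tracking table until they expire, so clients may keep appearing from the primary address for a while after the rule change (flushing with `conntrack -F` clears the old entries); and the audit only reads a dump, it never modifies rules, so it is safe to run from a monitoring job to confirm the VPN egress address has not drifted back to the primary IP.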
