remote42
06-21-2009 02:15 PM
Server with two IP addresses, how do I use the 2nd one for an openvpn tunnel?
Hello,
I've recently got a 2nd IP address for my server. When running ifconfig, I get the following output (let the first IP be xxx.xxx.xxx.xxx and the second IP be yyy.yyy.yyy.yyy):
Code:
eth0 Link encap:Ethernet
inet addr:xxx.xxx.xxx.xxx Bcast:zzz.zzz.zzz.255 Mask:255.255.248.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:803 errors:0 dropped:0 overruns:0 frame:0
TX packets:629 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Memory:88380000-883a0000
eth0:1 Link encap:Ethernet
inet addr:yyy.yyy.yyy.yyy Bcast:zzz.255.255.255 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Memory:88380000-883a0000
I would like to use the 2nd IP for openvpn, meaning all clients should connect to the internet via yyy.yyy.yyy.yyy. My openvpn-server config looks like this:
Code:
local yyy.yyy.yyy.yyy
proto udp
float
port 1149
dev tun
tun-mtu 1500
fragment 1300
mssfix
secret sec.key
ifconfig 10.0.8.1 10.0.8.2
keepalive 5 60
ping-timer-rem
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 1
mute 10
And my openvpn-client config looks like this:
Code:
remote yyy.yyy.yyy.yyy
port 1149
dev tun
nobind
proto udp
tun-mtu 1500
fragment 1300
mssfix
float
resolv-retry infinite
persist-key
persist-tun
route-method exe
route-delay 2
secret sec.key
ifconfig 10.0.8.2 10.0.8.1
redirect-gateway def1
cipher AES-256-CBC
inactive 604800
keepalive 5 60
ping-timer-rem
comp-lzo
verb 1
Probably most important, I've also configured natting for openvpn:
Quote:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.8.0/24 -j MASQUERADE
The odd thing is that all clients show up on the internet via the first IP address xxx.xxx.xxx.xxx (and not via yyy.yyy.yyy.yyy as I intended). I've tested the IP of the clients using e.g. this site.
It seems that the MASQUERADE target is using the first IP of the interface, meaning xxx.xxx.xxx.xxx instead of the alias yyy.yyy.yyy.yyy.
From studying various documentation on the net, I guess marking the packets from the tun interface and then testing for the mark could somehow solve the problem. But how do I do that? Can someone give me an example?
Thanks in advance.
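The behaviour described in the post is what MASQUERADE does by design: it always rewrites the source to the primary address of the outgoing interface, so an alias on eth0:1 is never chosen. The usual fix is SNAT with an explicit --to-source, and the fwmark approach the post asks about works too. The following script is an added example, not code from the post; the alias address 203.0.113.10 (TEST-NET-3) is a constructed placeholder standing in for yyy.yyy.yyy.yyy, and the functions only print the iptables commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not code from the original post. MASQUERADE always uses the
# interface's primary address, so tunnel traffic leaves as xxx.xxx.xxx.xxx.
# SNAT --to-source selects the alias address instead. Values below are the
# post's tunnel subnet and interface plus a constructed placeholder alias.
VPN_NET="10.0.8.0/24"        # tunnel subnet from the post's ifconfig line
WAN_IF="eth0"                # physical interface carrying both addresses
ALIAS_IP="203.0.113.10"      # constructed stand-in for yyy.yyy.yyy.yyy

# Return 0 if $1 is a dotted-quad IPv4 address (subshell keeps IFS local).
valid_ipv4() (
  case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  IFS=.; set -- $1
  [ $# -eq 4 ] || return 1
  for o; do [ "$o" -le 255 ] || return 1; done
)

# Print the nat-table commands that swap MASQUERADE for a fixed-source SNAT.
# Usage: snat_rules VPN_NET WAN_IF SRC_IP   (pipe into `sh` as root to apply)
snat_rules() {
  valid_ipv4 "$3" || { echo "snat_rules: bad source address '$3'" >&2; return 1; }
  cat <<EOF
iptables -t nat -D POSTROUTING -o $2 -s $1 -j MASQUERADE 2>/dev/null || true
iptables -t nat -A POSTROUTING -o $2 -s $1 -j SNAT --to-source $3
EOF
}

# The fwmark variant the post asks about: mark packets arriving on the tun
# device in mangle/PREROUTING, then SNAT on that mark in nat/POSTROUTING.
# Same result as snat_rules; handy when matching on the source subnet alone
# is not enough (several tunnels sharing one exit address, for example).
# Usage: mark_rules TUN_IF WAN_IF SRC_IP MARK
mark_rules() {
  valid_ipv4 "$3" || { echo "mark_rules: bad source address '$3'" >&2; return 1; }
  cat <<EOF
iptables -t mangle -A PREROUTING -i $1 -j MARK --set-mark $4
iptables -t nat -A POSTROUTING -o $2 -m mark --mark $4 -j SNAT --to-source $3
EOF
}

# After applying: the packet counters on the SNAT line of
# `iptables -t nat -L POSTROUTING -n -v` should climb while a client browses,
# and a what-is-my-IP site (as used in the post) should now show the alias.
if [ "${1:-}" = "--print" ]; then snat_rules "$VPN_NET" "$WAN_IF" "$ALIAS_IP"; fi
```

Keep `ip_forward` enabled as in the post; SNAT only changes which address the forwarded packets leave with, and the reply traffic is matched back by conntrack as before.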