openVPN and multiple external IP addresses
Solution 1
Try:
iptables -t nat -A POSTROUTING -s 10.19.88.0/24 -o eth0 -j SNAT --to 11.12.13.2
Or even better ;)
iptables -t nat -A POSTROUTING -s 10.19.88.0/24 -j SNAT --to 11.12.13.2
Solution 2
iptables -t nat -A POSTROUTING -i tun0 -j SNAT --to 11.12.13.2
The issue with rkthkr's response (besides the weird character in interface) is that it would only match packets coming in from the 10.19.88.0/24 subnet that are ALREADY going out eth0:0 and SNAT'ing them.
By using -i tun0, you're identifying packets only by what interface they come in (I assume that's the only traffic coming in from tun0), and then SNAT'ing it to the proper outgoing IP.
Related videos on Youtube
07 : 07
23 : 14
25 : 09
20 : 30
02 : 44
Tuinslak
Updated on September 17, 2022Comments
-
Tuinslak over 1 year
I currently have an openVPN server with multiple external IP addresses.
I'd like to have all VPN connections (tun0 interface, and/or 10.19.88.xx IP range) to take the 2nd external IP address as 'public IP', instead of the first one.
As an example, using fictive addresses:
Deault eth0 address: 11.12.13.1 (server.domain.tld) eth0:0 address: 11.12.13.2 (vpn.domain.tld)All VPN connections are currently using 11.12.13.1, instead of 11.12.13.2.
Is there any way to solve this (using iptables?)
Thanks
-
Tuinslak over 14 yearsThe server is running Debian linux (and is a virtual machine). This server is being used for testing purpose only.
-
-
Tuinslak over 14 years-o eth0:0 doesn't seem to be working. Only full interfaces are supported (eth0). Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
-
rkthkr over 14 yearsFixed my answer :)
-
rkthkr over 14 yearsI concur fully..
-
Tuinslak over 14 yearsStill not working. '-i' doesn't work with postrouting, and -o eth0 (which I already tried before ;)) still uses the 1st IP address. Thanks
-
baumgart over 14 yearsJust drop the
-i tun0then. That should fix it. -
Tuinslak over 14 yearsiptables v1.4.2: Can't use -i with POSTROUTING :)
-
Tuinslak over 14 yearsAnd leaving out -i doesn't seem to change the VPN external IP address used -- but doesn't output any errors. Not to forget, all other services still need to use 11.12.13.1 as 'main' IP.
-
baumgart over 14 yearsYeah, leaving out the -i would make everything SNAT to .2. The second iptables line in rkthkr's answer should work.
-
Tuinslak over 14 yearsI'm afraid that doesn't change anything. No errors, but my external IP is still the 11.12.13.1 instead of the 11.12.13.2. I'm guessing iptable is instant, and each change doesn't require the VPN-service to restart or something? I can paste you my sample iptables config if that would be of any help.
-
baumgart over 14 yearsYeah, lets see your
iptables -t nat -L -v -noutput. Let's see what it's actually doing. -
baumgart over 14 yearsFor iptables, order is everything. Glad you got it figured out.
-
Tuinslak over 14 yearsMake sure there is no other MASQUERADING rule in iptables.
-
Tuinslak about 9 yearsThat doesn't (or didn't) work at that time.
