Tunneling a public IP to a remote machine

vpn openvpn linux-networking static-ip tunnel
11,823

Solution 1

I ended up going with the Ethernet bridging. Lots of extremely verbose examples to wade through online, but it turns out to be pretty easy:

First, on A, /etc/network/interfaces was changed from:

auto eth0
iface eth0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121

to:

auto br0
iface br0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121
    pre-up openvpn --mktun --dev tap0
    bridge_ports eth0 tap0
    bridge_fd 3

in order to bridge eth0 (the real WAN interface) with tap0 (a new tunnel interface) at boot.

Then, on A, run the openvpn server with:

openvpn --dev tap0

On B, connect to it with:

openvpn --remote 8.8.8.122 --dev tap0 --route-gateway 8.8.8.121 \
        --redirect-gateway def1 --ifconfig 8.8.8.123 255.255.255.248

That's the super simple config I was looking for, and it works -- B is now publicly accessible at 8.8.8.123, and outgoing connections originate from the same address.

Add security (--secret, --tls-server, etc) as needed, of course.

Solution 2

You're going to have a hard time I think. Most firewalls will have difficulty routing OpenVPN traffic if both sides of the VPN are in the same subnet.

If you are trying to route for public access, I'd move both servers to different subnets from your public addresses and then use Virtual IPs (1 to 1 Nat) to connect them. To connect the two sites, OpenVPN would work or an IP-Sec tunnel.

Virtual IPs: http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

Site to site: http://doc.pfsense.org/index.php/VPN_Capability_IPsec

Edit based on comments:

I'd personally install pfSense on the A box and give it the port you wanted for its WAN. Then setup an OpenVPN server on a local subnet (which is all ready to go in the pfSense web interface) and setup the other machine with a Virtual IP pointed to its local OpenVPN ip. This would give you room for expansion later (add more machines with Virtual IPs, logically forward specific ports to different servers, really have a full blown LAN/WAN/DMZ setup with OpenVPN for virtual access. Not to mention that you'd have a full blown router so it'd likely be more secure.

Share:
11,823

Related videos on Youtube

Jim Paris
Author by

Jim Paris

Updated on September 18, 2022

Comments

  • Jim Paris
    Jim Paris over 1 year

    I have a Linux server A with a block of 5 public IP addresses, 8.8.8.122/29. Currently, 8.8.8.122 is assigned to eth0, and 8.8.8.123 is assigned to eth0:1.

    I have another Linux machine B in a remote location, behind NAT. I would like to set up an tunnel between the two so that B can use the IP address 8.8.8.123 as its primary IP address.

    OpenVPN is probably the answer, but I can't quite figure out how to set things up (topology subnet or topology p2p might be appropriate. Or should I be using Ethernet bridging?). Security and encryption is not a big concern at this point, so GRE would be fine too -- machine B will be coming from a known IP address and can be authenticated based on that.

    How can I do this? Can anyone suggest an OpenVPN config, or some other approach, that could work in this situation? Ideally, it would also be able to handle multiple clients (e.g. share all four of spare IPs with other machines), without letting those clients use IPs to which they are not entitled.

    • Robert
      Robert over 11 years
      What firewalls are at both locations?
    • Michael Hampton
      Michael Hampton over 11 years
      I hope you just made up those addresses, rather than that you actually work at Google. If you don't, you aren't going to be able to use their address space.
    • Jim Paris
      Jim Paris over 11 years
      Robert: A is a Linux server with some simple iptables rules. B is behind a NAT that is another Linux server running shorewall.
    • Jim Paris
      Jim Paris over 11 years
      Michael: Yes, I changed the first three octets to 8 to obfuscate them, but still indicate that they're public. Sorry, Google.
    • Michael Hampton
      Michael Hampton over 11 years
      For future reference, we have an RFC for that.
  • Jim Paris
    Jim Paris over 11 years
    I don't understand how intermediate firewalls are involved; they certainly won't be looking inside the OpenVPN packets between A and B. For the OpenVPN config itself, I was expecting that something like push "route 50.7.19.122 255.255.255.255 net_gateway" would ensure that the VPN data is still pushed over the normal network.
  • Jim Paris
    Jim Paris over 11 years
    To be clear, I want to create tunnel directly between A and B, not on separate firewalls at each end.
  • Robert
    Robert over 11 years
    But when computer A wants to route to computer B it won't know if it should use the WAN (with your public IPs), the LAN (with its static IP) or the OpenVPN (also with your public IPs) because they are all same subnet. B to A should work though.
  • Robert
    Robert over 11 years
    Also there is this, I've had it working but not with public IPs. I think virtual ip's will be much better either way. openvpn.net/index.php/open-source/documentation/miscellaneou‌​s/…
  • Robert
    Robert over 11 years
    "To be clear, I want to create tunnel directly between A and B, not on separate firewalls at each end." You are going to need to open a port somewhere for an OpenVPN server
  • Jim Paris
    Jim Paris over 11 years
    "it won't know if it should use the WAN, the LAN, or the OpenVPN" -- The OpenVPN server at A should be sending its packets back to their source address and port, which would be the NAT firewall at B (not in 8.8.8.0/29), so I don't think there's any confusion there. Note there's no LAN at A, just the WAN.
  • Jim Paris
    Jim Paris over 11 years
    "You are going to need to open a port somewhere for an OpenVPN server". All ports are open. A is directly on the Internet.
  • Jim Paris
    Jim Paris over 11 years
    "Also there is this..." Yeah, I mentioned Ethernet bridging in my question. It seems like this might be the only way to get things working without pulling my hair out, although I'd really prefer a point-to-point IP tunnel if possible.
  • Bastian
    Bastian over 8 years
    Nice! I'm going to try that. Did you find a way to configure that: "without letting those clients use IPs to which they are not entitled"?
  • Jim Paris
    Jim Paris over 8 years
    I didn't bother in my setup (which was temporary), but I imagine you could do it with ebtables.
  • frhack
    frhack over 8 years
    Very useful. A question: what I need to change in A configuration if I need to route two IP from A: A => B and A => C (where C is another host)? Do I need to configure another bridge ?
  • Jim Paris
    Jim Paris over 8 years
    Yeah. Add another pre-up openvpn line to create tap1 too, add tap1 to bridge_ports, and run another instance of openvpn with openvpn --dev tap1.
  • Areeb Soo Yasir
    Areeb Soo Yasir almost 7 years
    How about if you wanted to make A's gateway local via B so any system on the LAN can use B and assign the remote default gateway and use public IPs?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How can I permanently delete tun interfaces
How to use openvpn for browsing
OpenVPN Client connects, but DNS setting are not correct (cannot resolve domain names)
OpenVPN Route Client Traffic Through VPN Server Tunnel
openVPN Could not determine IPv4/IPv6 protocol. Using AF_INET
How do I know if an openVPN tunnel is established?
Allow OpenVPN client to push it's own DNS servers, regardless of OpenVPN server's pushed dns?
Is it possible to setup a VPN on Heroku?
Pre-configured EC2 VPN AMI
Forgot openvpn admin's password