Tunneling a public IP to a remote machine
Solution 1
I ended up going with the Ethernet bridging. Lots of extremely verbose examples to wade through online, but it turns out to be pretty easy:
First, on A, /etc/network/interfaces was changed from:

    auto eth0
    iface eth0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121

to:

    auto br0
    iface br0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121
    pre-up openvpn --mktun --dev tap0
    bridge_ports eth0 tap0
    bridge_fd 3

in order to bridge eth0 (the real WAN interface) with tap0 (a new tunnel interface) at boot.
Then, on A, run the openvpn server with:

    openvpn --dev tap0

On B, connect to it with:

    openvpn --remote 8.8.8.122 --dev tap0 --route-gateway 8.8.8.121 \
        --redirect-gateway def1 --ifconfig 8.8.8.123 255.255.255.248

That's the super simple config I was looking for, and it works -- B is now publicly accessible at 8.8.8.123, and outgoing connections originate from the same address.
Add security (--secret, --tls-server, etc.) as needed, of course.
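The comments below ask how to stop a client from using a public IP it is not entitled to, and how to add a second tap for a second client; the answer points at ebtables. This added shell script (an example written here, not Jim Paris's own configuration) generates per-tap ebtables rules that confine each tapN port of br0 to the single IP its client was given with --ifconfig; the guard chain names, the tap1/8.8.8.124 second client and the APPLY switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: pin each tap port of the br0
# bridge to the one public IP its client is entitled to, using ebtables.
# One openvpn instance per tapN means one remote client per tapN, so the
# tap -> IP mapping is fixed. Chain names, the tap1/8.8.8.124 pair and the
# APPLY switch are assumptions for illustration.

# Print the ebtables commands that confine interface $1 to source IP $2.
# Frames from tapN to other bridge ports (eth0, other taps) cross FORWARD;
# frames addressed to A itself (8.8.8.122) cross INPUT, so both chains hand
# traffic from that port to one guard chain.
tap_entitlement_rules() {
    tap=$1
    ip=$2
    chain="${tap}_guard"
    echo "ebtables -N $chain"
    echo "ebtables -A INPUT -i $tap -j $chain"
    echo "ebtables -A FORWARD -i $tap -j $chain"
    # IPv4 frames must carry the entitled source address
    # (ebtables places the ! after the option name, unlike iptables)
    echo "ebtables -A $chain -p IPv4 --ip-src ! $ip -j DROP"
    # ARP may only claim that address, otherwise a client could poison the
    # bridge's view of where 8.8.8.122 or the gateway lives
    echo "ebtables -A $chain -p ARP --arp-ip-src ! $ip -j DROP"
    # Frames that passed the checks continue in the calling chain
    echo "ebtables -A $chain -p IPv4 -j RETURN"
    echo "ebtables -A $chain -p ARP -j RETURN"
    # Any other ethertype (IPv6, VLAN-tagged, ...) is outside the entitlement
    echo "ebtables -A $chain -j DROP"
}

# Read "tap ip" pairs on stdin and print the rules, or run them when APPLY=1
# (running needs root and the bridge from the answer already up).
apply_rules() {
    while read -r tap ip; do
        tap_entitlement_rules "$tap" "$ip" | while read -r cmd; do
            if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
        done
    done
}

# Constructed pairs: the answer's tap0 -> 8.8.8.123 plus an assumed second
# client on tap1 (created with its own pre-up line and openvpn instance).
apply_rules <<EOF
tap0 8.8.8.123
tap1 8.8.8.124
EOF
```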
Solution 2
You're going to have a hard time I think. Most firewalls will have difficulty routing OpenVPN traffic if both sides of the VPN are in the same subnet.
If you are trying to route for public access, I'd move both servers to different subnets from your public addresses and then use Virtual IPs (1-to-1 NAT) to connect them. To connect the two sites, OpenVPN would work, or an IPsec tunnel.
Virtual IPs: http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F
Site to site: http://doc.pfsense.org/index.php/VPN_Capability_IPsec
Edit based on comments:
I'd personally install pfSense on the A box and give it the port you wanted for its WAN. Then set up an OpenVPN server on a local subnet (which is already to go in the pfSense web interface) and set up the other machine with a Virtual IP pointed to its local OpenVPN IP. This would give you room for expansion later (add more machines with Virtual IPs, logically forward specific ports to different servers, really have a full-blown LAN/WAN/DMZ setup with OpenVPN for virtual access). Not to mention that you'd have a full-blown router, so it'd likely be more secure.
Asked by Jim Paris, updated on September 18, 2022
Comments
- Jim Paris (over 1 year ago): I have a Linux server A with a block of 5 public IP addresses, 8.8.8.122/29. Currently, 8.8.8.122 is assigned to eth0, and 8.8.8.123 is assigned to eth0:1. I have another Linux machine B in a remote location, behind NAT. I would like to set up a tunnel between the two so that B can use the IP address 8.8.8.123 as its primary IP address. OpenVPN is probably the answer, but I can't quite figure out how to set things up (topology subnet or topology p2p might be appropriate. Or should I be using Ethernet bridging?). Security and encryption are not a big concern at this point, so GRE would be fine too -- machine B will be coming from a known IP address and can be authenticated based on that. How can I do this? Can anyone suggest an OpenVPN config, or some other approach, that could work in this situation? Ideally, it would also be able to handle multiple clients (e.g. share all four spare IPs with other machines), without letting those clients use IPs to which they are not entitled.
- Robert (over 11 years ago): What firewalls are at both locations?
- Michael Hampton (over 11 years ago): I hope you just made up those addresses, rather than that you actually work at Google. If you don't, you aren't going to be able to use their address space.
- Jim Paris (over 11 years ago): Robert: A is a Linux server with some simple iptables rules. B is behind a NAT that is another Linux server running shorewall.
- Jim Paris (over 11 years ago): Michael: Yes, I changed the first three octets to 8 to obfuscate them, but still indicate that they're public. Sorry, Google.
- Michael Hampton (over 11 years ago): For future reference, we have an RFC for that.
- Jim Paris (over 11 years ago): I don't understand how intermediate firewalls are involved; they certainly won't be looking inside the OpenVPN packets between A and B. For the OpenVPN config itself, I was expecting that something like push "route 50.7.19.122 255.255.255.255 net_gateway" would ensure that the VPN data is still pushed over the normal network.
- Jim Paris (over 11 years ago): To be clear, I want to create a tunnel directly between A and B, not on separate firewalls at each end.
- Robert (over 11 years ago): But when computer A wants to route to computer B it won't know if it should use the WAN (with your public IPs), the LAN (with its static IP) or the OpenVPN (also with your public IPs) because they are all in the same subnet. B to A should work though.
- Robert (over 11 years ago): Also there is this, I've had it working but not with public IPs. I think virtual IPs will be much better either way. openvpn.net/index.php/open-source/documentation/miscellaneous/…
- Robert (over 11 years ago): "To be clear, I want to create a tunnel directly between A and B, not on separate firewalls at each end." You are going to need to open a port somewhere for an OpenVPN server.
- Jim Paris (over 11 years ago): "it won't know if it should use the WAN, the LAN, or the OpenVPN" -- The OpenVPN server at A should be sending its packets back to their source address and port, which would be the NAT firewall at B (not in 8.8.8.0/29), so I don't think there's any confusion there. Note there's no LAN at A, just the WAN.
- Jim Paris (over 11 years ago): "You are going to need to open a port somewhere for an OpenVPN server". All ports are open. A is directly on the Internet.
- Jim Paris (over 11 years ago): "Also there is this..." Yeah, I mentioned Ethernet bridging in my question. It seems like this might be the only way to get things working without pulling my hair out, although I'd really prefer a point-to-point IP tunnel if possible.
- Bastian (over 8 years ago): Nice! I'm going to try that. Did you find a way to configure that: "without letting those clients use IPs to which they are not entitled"?
- Jim Paris (over 8 years ago): I didn't bother in my setup (which was temporary), but I imagine you could do it with ebtables.
- frhack (over 8 years ago): Very useful. A question: what do I need to change in A's configuration if I need to route two IPs from A: A => B and A => C (where C is another host)? Do I need to configure another bridge?
- Jim Paris (over 8 years ago): Yeah. Add another pre-up openvpn line to create tap1 too, add tap1 to bridge_ports, and run another instance of openvpn with openvpn --dev tap1.
- Areeb Soo Yasir (almost 7 years ago): How about if you wanted to make A's gateway local via B so any system on the LAN can use B and assign the remote default gateway and use public IPs?