Two IPs - One OpenVPN instance, impossible?


Solution 1

man openvpn:

--local host
    Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.

So, if you do not specify any "local" directive, openvpn server will listen on all interfaces. You can check this with netstat -nlp. You should see something like:

udp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 2005/openvpn

Change the protocol to tcp and try to connect to port 1194 on both addresses. If you have problems, the error is somewhere in the routing rules.

Solution 2

You need the --multihome option.

Don't use --local because it is incompatible with a multihome situation.

Also, you need to be 100% sure your routing table is good to go with a multihome setup. Linux users should check their distribution details, in particular:

/sbin/ip rule list

You should see at least 1 rule for each specific IP address your clients can connect to. If all the rules are "from all" and you only have local, main, default as your routing tables then that's not enough.
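The check Solution 2 describes (a `from <IP>` rule for each public address, not only the default "from all" rules), and the two extra routing tables Selivanov Pavel suggests in the comments, as an added example that is not part of either answer: a POSIX shell script that scans constructed `ip rule list` output for the question's two public addresses and prints the `ip route`/`ip rule` commands that would give a missing address its own table. The table numbers, the default-route specification and the venet0 device are assumptions; X.2.39.161/162 are the question's anonymised addresses.

```shell
#!/bin/sh
# Added example (not from the original answers): check `ip rule list` output
# for a per-source rule for every public IP an OpenVPN multihome server
# should answer from, and print the policy-routing commands for any IP that
# lacks one. IPs, table numbers and route specs below are placeholders.

# Constructed sample of `ip rule list`: only X.2.39.161 has its own table,
# so replies sourced from X.2.39.162 fall through to "main" and may leave
# via the wrong address.
SAMPLE_RULES='0:      from all lookup local
100:    from X.2.39.161 lookup 161
32766:  from all lookup main
32767:  from all lookup default'

# ips_without_rule RULES IP...  -> prints each IP that has no "from IP" rule
ips_without_rule() {
    rules=$1; shift
    for ip in "$@"; do
        # fixed-string match with trailing space so 10.0.0.1 != 10.0.0.10
        printf '%s\n' "$rules" | grep -qF -- "from $ip " || printf '%s\n' "$ip"
    done
}

# policy_route_cmds IP TABLE ROUTE_SPEC -> prints the two commands that give
# IP its own routing table, so packets sourced from IP use that table.
# ROUTE_SPEC mirrors the default route in `ip route show table main`, e.g.
# "via 192.0.2.1 dev eth0", or a gateway-less "dev venet0" on OpenVZ guests.
policy_route_cmds() {
    ip=$1 table=$2 spec=$3
    printf 'ip route add default %s table %s\n' "$spec" "$table"
    printf 'ip rule add from %s table %s\n' "$ip" "$table"
}

# Report what is missing for the two public addresses and emit the fix;
# the table number is taken from the last octet (162 -> table 162).
# Once the rules exist, put "multihome" in openvpn.conf and remove "local".
for ip in $(ips_without_rule "$SAMPLE_RULES" X.2.39.161 X.2.39.162); do
    echo "# no source rule for $ip:"
    policy_route_cmds "$ip" "${ip##*.}" "dev venet0"
done
```

Run `ip rule list` on the server and feed its output to `ips_without_rule` in place of the sample to check a real host.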

Author: user2489483

Updated on September 18, 2022

Comments

  • user2489483
    user2489483 over 1 year

    I have a debian 64bit vps, OpenVZ, with perfectly working openvpn server.

    I have ADDITIONAL IP which I want to use on that same openvpn server and I can't make it work. It only works if I specify "local ADDITIONAL-IP" directive in openvpn.conf, but then the first IP does not work. If I specify "local" directive two times, neither work.

    root@deal1:/etc/openvpn# ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1338 (1.3 KiB)  TX bytes:1338 (1.3 KiB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.186.35.1  P-t-P:10.186.35.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.186.36.1  P-t-P:10.186.36.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
              inet6 addr: 2607:ff28:0:12::c4e:18e5/128 Scope:Global
              inet6 addr: 2607:ff28:0:12::2ad7:f2b1/128 Scope:Global
              inet6 addr: 2607:ff28:0:12::86d5:56d4/128 Scope:Global
              inet6 addr: 2607:ff28:0:12::9d21:aba3/128 Scope:Global
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
              RX packets:38904 errors:0 dropped:0 overruns:0 frame:0
              TX packets:20408 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:53671396 (51.1 MiB)  TX bytes:1712747 (1.6 MiB)

    venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:X.2.39.161  P-t-P:X.2.39.161  Bcast:0.0.0.0  Mask:255.255.255.255
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

    venet0:5  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:X.2.39.162  P-t-P:X.2.39.162  Bcast:0.0.0.0  Mask:255.255.255.255
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
    

    iptables:

    -A POSTROUTING -s 10.186.35.0/24 -j SNAT --to-source X.2.39.161   
    -A POSTROUTING -s 10.186.35.0/24 -j SNAT --to-source X.2.39.162
    

    openvpn config:

    server 10.186.35.0 255.255.255.0
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    ifconfig-pool-persist ipp.txt
    #push "route 0.0.0.0 0.0.0.0"
    #push "redirect-gateway"
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 208.67.220.220"
    push "dhcp-option DNS 208.67.222.222"
    keepalive 10 120
    comp-lzo
    user nobody
    group users
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    script-security 3
    auth-user-pass-verify /etc/openvpn/auth-chap via-env
    client-cert-not-required
    duplicate-cn
    management 127.0.0.1 51194
    

    Any ideas what I am missing? I've tried quite a few things and searched a lot; there is simply no solution on the googleable internet.

  • user2489483
    user2489483 almost 11 years
    Selivanov Pavel, changing the protocol to TCP works on both IPs without a "local" statement in the config. However, when the config is set to UDP (the recommended protocol) it only works when I specify the IP with a "local" statement.
  • user2489483
    user2489483 almost 11 years
    How do I make it work via UDP on both IPs? It works for TCP, but it does not allow connections on either IP via UDP unless I specify a "local" statement in the config. But with "local" I can only make it work on 1 IP, and I need both IPs to accept connections. Thank you
  • Zoredache
    Zoredache almost 11 years
    Why not just add an iptables rule to redirect packets to the correct IP?
  • Selivanov Pavel
    Selivanov Pavel almost 11 years
    Show us netstat -nlp when the openvpn server is running in udp mode. If it's OK, you have problems with routing. Possibly the server answers not from the IP where it was asked. Try to configure two additional routing tables for both IPs and corresponding routing rules, like here
  • user1167223
    user1167223 almost 9 years
    I can't help but think multihome should be the default option in OpenVPN if the default is to listen on all interfaces?
  • Shi B.
    Shi B. almost 5 years
    @user1167223 man openvpn --multihome: "This is not supported on all platforms, and it adds more processing, so it's not enabled by default."