OpenVPN 2.0.6 and multiple IP addresses

Hi all,

I have a /29 subnet of IP addresses from my provider. I have all 5 usable public IP addresses aliased to the public bge0 interface, as I am using jails on the host.

I have OpenVPN installed on the host, explicitly configured to listen on one IP address, but when I use a client to connect to the OpenVPN server, my public address is randomly shown as one of my 5 usable addresses. NAT is being used for the VPN clients.

From /etc/rc.conf (IP addresses have been changed):
Code:
# primary address on bge0 (the one OpenVPN should use)
ifconfig_bge0="inet 10.10.1.26 netmask 255.255.255.248"
# remaining usable /29 addresses, aliased onto bge0 for the jails
ifconfig_bge0_alias0="inet 10.10.1.27 netmask 255.255.255.248"
ifconfig_bge0_alias1="inet 10.10.1.28 netmask 255.255.255.248"
ifconfig_bge0_alias2="inet 10.10.1.29 netmask 255.255.255.248"
ifconfig_bge0_alias3="inet 10.10.1.30 netmask 255.255.255.248"

Is there a way to make sure it ONLY uses the .26 address?

Thanks,
James
 
First, set your IP aliases to netmask 255.255.255.255.

Are you sure OpenVPN is actually bound to a single IP address? Check with sockstat (port is probably 1194).

And I don't get this line:
when I use a client to connect to the OpenVPN server, my public address is randomly shown as one of my 5 usable addresses
I'm assuming you connect to IP .26, so where do the 5 IPs 'show randomly'?
 
I changed the netmask for the alias interfaces to 255.255.255.255.

OpenVPN is listening on the correct IP address:
Code:
openvpn  openvpn    7830  5  udp4   10.10.1.26:1194    *:*

DutchDaemon said:
And I don't get this line:

I'm assuming you connect to IP .26, so where do the 5 IPs 'show randomly'?

I apologize for being unclear on this. If I go to a website such as whatsmyip.org, it will show a random address ranging from .26 to .30. If I refresh the page, the IP address will change. Sometimes it will start with my .28 address, then if I refresh the page it will change to .27 or .29, but eventually it will show my .26 address. I hope that clears it up a bit.
 
Are you NAT'ing to the external interface in general, or to a single IP address on the external interface? In PF, using $ext_if:0 would bind outbound traffic to the primary IP address only, not to any aliases.
 
I will give that a try. I thought PF might have been the culprit here, because I was just using bge0, not $ext_if:0.

This is what is currently there for the NAT'd clients:
Code:
ext_if="bge0"
vpn_if="tun0"
vpn_network="10.8.0.0/24"

# "($ext_if)" is the dynamic form: it expands to every address configured
# on bge0, aliases included, so VPN traffic is not tied to .26
nat on $ext_if from $vpn_network to any -> ($ext_if)

# accept OpenVPN on any address of bge0, then let the tunnel side through
pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if

I thought that it could be pf, but I wasn't sure. I will change that and see how it goes. Thanks!
 
I think you can even set the IP address there, so either

Code:
-> $ext_if:0
or even
Code:
-> 10.10.1.26

That way you can associate certain NAT traffic with certain outbound IPs.
 
I went back and changed the nat rules, so now I have:

Code:
nat on $ext_if from $vpn_network to any -> 10.10.1.26

Now everything is working as it should. Thanks for your assistance!
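
To pull the thread's fix together, here is an added worked pf.conf (not posted by anyone in this thread) that shows the original floating NAT rule beside the two pinned forms DutchDaemon suggested. The interface name, addresses and VPN subnet are assumed from the sanitised values above; the `vpn_nat_ip` macro and the tightened pass rule are additions for illustration, not something from the original posts.

```pf
# Added example (not from this thread): pf.conf for a FreeBSD host whose
# external interface carries several aliased public addresses, showing the
# NAT rule that floats across aliases beside two ways of pinning it.
# Interface, addresses and VPN subnet are assumed to match the thread's
# sanitised values (10.10.1.26-30 on bge0, tun0, 10.8.0.0/24).

ext_if="bge0"
vpn_if="tun0"
vpn_network="10.8.0.0/24"
vpn_nat_ip="10.10.1.26"     # primary address on bge0, the one OpenVPN is bound to

# Problem rule: "($ext_if)" expands to every address currently configured on
# bge0, including the /32 aliases, so the translation address can differ from
# one connection to the next.  Left commented out for comparison.
# nat on $ext_if from $vpn_network to any -> ($ext_if)

# Fix, variant 1: the ":0" modifier excludes interface aliases, so only the
# primary address is ever used for translation.
# nat on $ext_if from $vpn_network to any -> $ext_if:0

# Fix, variant 2 (what the thread settled on): name the address explicitly.
# This is also how you map different source networks to different public
# addresses, one nat rule per pairing.
nat on $ext_if from $vpn_network to any -> $vpn_nat_ip

# Only accept OpenVPN on the address the daemon is actually bound to,
# rather than on every alias of bge0.
pass in on $ext_if proto udp from any to $vpn_nat_ip port 1194 keep state
pass quick on $vpn_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, confirm the loaded translation with `pfctl -s nat`, and confirm the daemon's binding with `sockstat -4 -l` as was done earlier in the thread. The thread's original `pass in ... to port 1194` rule admits OpenVPN traffic on every alias of bge0; the pinned version here only opens the address the daemon listens on, which is the one sockstat showed.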
 