VPN multiple IP address



  • Hello ML People,
    We are currently using Securepoint Open VPN and users are authenticated on freeradius installed on Linux Ubuntu 12.04, using 1 public IP address, and it's working fine. But we want to use two (2) public IP addresses, or maybe multiple IPs in the future. We want to set up specific users to use specific Public IP addresses.
    Example:

    User1 will use internal IP address 10.8.0.x and public IP of 123.123.255.120
    User2 will use internal IP address 10.8.2.x and public IP of 123.123.255.121

    I tried to follow this link, but user2 cannot use 10.8.2.x and public IP of 123.123.255.121; instead user2 is still using the IP address 10.8.0.x and public IP of 123.123.255.120.

    https://forums.openvpn.net/topic8559.html

    Thanks in advance 😐



  • Let's back up for a moment... what is the purpose of using the different public IP addresses? What is the end goal?



  • Hi Scott,

    I am a friend of Joy, and we are planning to use two different IPs; each of our teams will use a different IP, as it is a requirement of our project. Two different teams will use different IPs.

    We add this
    client-config-dir /etc/openvpn/ccd
    route 10.8.2.0 255.255.255.0
    on /etc/openvpn/server.conf

    Then
    mkdir /etc/openvpn/ccd
    touch /etc/openvpn/ccd/user1
    touch /etc/openvpn/ccd/user2

    Edit /etc/openvpn/ccd/user1:
    ifconfig-push 10.8.0.1 10.8.0.2

    Edit /etc/openvpn/ccd/user2:
    ifconfig-push 10.8.2.1 10.8.2.2

    IP Tables:

    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -A FORWARD -s 10.8.2.0/24 -j ACCEPT

    iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 123.123.255.120
    iptables -t nat -A POSTROUTING -s 10.8.2.0/24 -j SNAT --to-source 123.123.255.121

    But when user2 logs in, they still get a 10.8.0.x IP.

    I think that the ccd config is not taking effect.

    Thanks.
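
As an added example (not part of the thread and not the posters' own code), this Python sketch cross-checks the ccd `ifconfig-push` addresses against the SNAT rules quoted in the post above and reports which public IP each client's tunnel address would be rewritten to. The `CCD` and `SNAT_RULES` values are constructed from the post and the function names are hypothetical; it checks only the address plan, not whether OpenVPN actually applies the ccd files.

```python
import ipaddress
import re

# Constructed from the values quoted in the post (not read from a live system).
CCD = {
    "user1": "ifconfig-push 10.8.0.1 10.8.0.2",
    "user2": "ifconfig-push 10.8.2.1 10.8.2.2",
}
SNAT_RULES = """\
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 123.123.255.120
iptables -t nat -A POSTROUTING -s 10.8.2.0/24 -j SNAT --to-source 123.123.255.121
"""

SNAT_RE = re.compile(r"-A POSTROUTING\b.*?-s (\S+).*?-j SNAT --to-source (\S+)")
PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)", re.M)

def parse_snat(rules):
    """Return [(source_network, public_ip)] in rule order (first match wins)."""
    out = []
    for line in rules.splitlines():
        m = SNAT_RE.search(line)
        if m:
            out.append((ipaddress.ip_network(m.group(1), strict=False),
                        ipaddress.ip_address(m.group(2))))
    return out

def egress_map(ccd, rules):
    """Map each ccd client to the public IP its tunnel address is SNATed to."""
    snat = parse_snat(rules)
    result = {}
    for user, text in ccd.items():
        m = PUSH_RE.search(text)
        if not m:
            result[user] = None  # no static address: client gets a pool address
            continue
        addr = ipaddress.ip_address(m.group(1))  # first field = client tunnel IP
        result[user] = next((str(pub) for net, pub in snat if addr in net), None)
    return result

def unused_snat(ccd, rules):
    """SNAT source networks that no ccd client address falls into."""
    addrs = [ipaddress.ip_address(PUSH_RE.search(t).group(1))
             for t in ccd.values() if PUSH_RE.search(t)]
    return [str(net) for net, _ in parse_snat(rules)
            if not any(a in net for a in addrs)]

if __name__ == "__main__":
    print(egress_map(CCD, SNAT_RULES))   # None = neither SNAT rule matches
    print(unused_snat(CCD, SNAT_RULES))
```

On the posted values, user1's 10.8.0.1 matches neither SNAT rule, because the first rule's source is 10.8.1.0/24 while the FORWARD rule and the ccd file use 10.8.0.x.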



  • @iahr said:

    I am a friend of Joy, and we are planning to use two different IPs; each of our teams will use a different IP, as it is a requirement of our project.

    Why is it a requirement? What are the two IPs doing that makes them unique? What is the actual end goal? A technical requirement doesn't make sense unless it is supporting a business need. What's the actual purpose of the two IP addresses?



  • We have 2 different sites that will use different Public IP addresses with different restrictions. And those 2 different public IP addresses should be configured in our 1 VPN server.

    Thanks for the reply Scott.



  • @iahr said:

    We have 2 different sites that will use different Public IP addresses with different restrictions. And those 2 different public IP addresses should be configured in our 1 VPN server.

    Thanks for the reply Scott.

    What kind of restrictions? Why can't you restrict just as much or more using a single IP address? I feel like you are creating complications and making this hard because of a misunderstanding of requirements. I'm not sure how two IPs could help here but having two makes things more complicated and complications make things fragile and risky. As a general rule in IT, you want to work towards simplification whenever possible and simple, elegant solutions are easier to set up, easier to maintain, easier to understand and, consequently, easier to secure. Since this is a VPN, and we are talking restrictions, security seems like it must be important.

    What is being restricted with the additional IP that couldn't be restricted on a single one?



  • To make it simple, we need to use 2 different public IP addresses, since the website we will access only allows 1 login account simultaneously for each public IP. For us to have 2 simultaneous login accounts, we need to use 2 different Public IP addresses.

    Thanks.



  • @iahr said:

    To make it simple, we need to use 2 different public IP addresses, since the website we will access only allows 1 login account simultaneously for each public IP. For us to have 2 simultaneous login accounts, we need to use 2 different Public IP addresses.

    Thanks.

    So you need two IPs for outbound, but how does that play into the VPN connection?



  • The VPN connections show the IP addresses used to connect internally. This will not show up to a website. You could connect with a hundred VPN IP addresses and still look like just one IP to a website. Or you could have just one VPN IP and look like a hundred IPs to a website. There is no correlation.



  • @scottalanmiller We need to use different Public IP addresses. If we connect to our current VPN setup, we will use 123.123.255.120 (example Public IP); all users will use that Public IP. What we need is for user1 (authenticated to Daloradius) to use the Public IP 123.123.255.120, and user2 (authenticated to Daloradius) must use 123.123.255.121. We need two different Public IPs for us to log in to our specific website simultaneously. Website user login only allows 1 public IP. If we log in to the website using the same public IP, we will not be allowed to log in.



  • If user1 checks his public IP address on www.whatismyipaddress.com, user1 will see that his Public IP is 123.123.255.120.
    If user2 checks his public IP address on www.whatismyipaddress.com, user2 will see that his Public IP is 123.123.255.121.



  • @iahr said:

    If user1 checks his public IP address on www.whatismyipaddress.com, user1 will see that his Public IP is 123.123.255.120.
    If user2 checks his public IP address on www.whatismyipaddress.com, user2 will see that his Public IP is 123.123.255.121.

    If that is coming from the VPN connection, something is wrong. The VPN should never expose its inner workings to the outside world. You have a misconfiguration somewhere that is exposing your VPN connection details. That's not good. What other data is leaking?

    The site should be seeing the IP address that you come from, not the one you connect to. Having multiple VPNs does not enable that.



  • @iahr said:

    @scottalanmiller We need to use different Public IP addresses. If we connect to our current VPN setup, we will use 123.123.255.120 (example Public IP); all users will use that Public IP. What we need is for user1 (authenticated to Daloradius) to use the Public IP 123.123.255.120, and user2 (authenticated to Daloradius) must use 123.123.255.121. We need two different Public IPs for us to log in to our specific website simultaneously. Website user login only allows 1 public IP. If we log in to the website using the same public IP, we will not be allowed to log in.

    I understand what you are saying, what I'm explaining is that you are confused as to how this works and that the VPN connections are not related to this.



  • We don't need multiple VPNs. What we want to do is use 2 different Public IP addresses. We are not confused about how our VPN works; we cannot set it up if we don't know how it works. I think, for a better explanation of what we need to do, please refer to this link.

    https://forums.openvpn.net/topic8559.html



  • @iahr said:

    We are not confused about how our VPN works; we cannot set it up if we don't know how it works.

    Maybe we are missing something in translation. My understanding is that you are looking for multiple IP addresses for the VPN to connect. Is that not the case?



  • @iahr said:

    We don't need multiple VPNs. What we want to do is use 2 different Public IP addresses.
    https://forums.openvpn.net/topic8559.html

    Good, but this thread was about getting VPN with multiple IPs for each client, not multiple IPs going out, right? This link explains the same thing that I've been saying in this whole thread.



  • Hi Scott,

    Yes, that's what I mentioned in my earlier messages. I think we had a misunderstanding. Anyway, when I tried to follow the link I provided, it seems that ccd is not taking effect; users defined in ccd are still getting a 10.8.0.x IP instead of a 10.8.2.x IP. I think the assignment of the internal IP address must take effect for the user first; then you can route which public IP he will use.

