Tunneling a public IP to a remote machine

Question

I have a Linux server A with a block of 5 public IP addresses, 8.8.8.122/29. Currently, 8.8.8.122 is assigned to eth0, and 8.8.8.123 is assigned to eth0:1.

I have another Linux machine B in a remote location, behind NAT. I would like to set up an tunnel between the two so that B can use the IP address 8.8.8.123 as its primary IP address.

OpenVPN is probably the answer, but I can't quite figure out how to set things up (topology subnet or topology p2p might be appropriate. Or should I be using Ethernet bridging?). Security and encryption is not a big concern at this point, so GRE would be fine too -- machine B will be coming from a known IP address and can be authenticated based on that.

How can I do this? Can anyone suggest an OpenVPN config, or some other approach, that could work in this situation? Ideally, it would also be able to handle multiple clients (e.g. share all four of spare IPs with other machines), without letting those clients use IPs to which they are not entitled.

I hope you just made up those addresses, rather than that you actually work at Google. If you don't, you aren't going to be able to use their address space. — Michael Hampton, Sep 24 '12 at 21:23
Robert: **A** is a Linux server with some simple `iptables` rules. **B** is behind a NAT that is another Linux server running `shorewall`. — Jim Paris, Sep 24 '12 at 21:25
Michael: Yes, I changed the first three octets to 8 to obfuscate them, but still indicate that they're public. Sorry, Google. — Jim Paris, Sep 24 '12 at 21:26
For future reference, [we have an RFC for that](http://tools.ietf.org/html/rfc5737). — Michael Hampton, Oct 11 '12 at 13:29

Jim Paris · Accepted Answer · 2014-01-22T23:51:23.667

7

I ended up going with the Ethernet bridging. Lots of extremely verbose examples to wade through online, but it turns out to be pretty easy:

First, on A, /etc/network/interfaces was changed from:

auto eth0
iface eth0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121

to:

auto br0
iface br0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121
    pre-up openvpn --mktun --dev tap0
    bridge_ports eth0 tap0
    bridge_fd 3

in order to bridge eth0 (the real WAN interface) with tap0 (a new tunnel interface) at boot.

Then, on A, run the openvpn server with:

openvpn --dev tap0

On B, connect to it with:

openvpn --remote 8.8.8.122 --dev tap0 --route-gateway 8.8.8.121 \
        --redirect-gateway def1 --ifconfig 8.8.8.123 255.255.255.248

That's the super simple config I was looking for, and it works -- B is now publicly accessible at 8.8.8.123, and outgoing connections originate from the same address.

Add security (--secret, --tls-server, etc) as needed, of course.

edited Jan 22 '14 at 23:51

answered Sep 25 '12 at 21:28

Jim Paris

276
2
3
8

Nice! I'm going to try that. Did you find a way to configure that: "without letting those clients use IPs to which they are not entitled"? – Bastian Dec 10 '15 at 00:28
I didn't bother in my setup (which was temporary), but I imagine you could do it with ebtables. – Jim Paris Dec 14 '15 at 21:53
Very useful. A question: what I need to change in A configuration if I need to route two IP from A: A => B and A => C (where C is another host)? Do I need to configure another bridge ? – frhack Jan 13 '16 at 08:01
2

Yeah. Add another `pre-up openvpn` line to create `tap1` too, add `tap1` to `bridge_ports`, and run another instance of openvpn with `openvpn --dev tap1`. – Jim Paris Jan 14 '16 at 15:08
How about if you wanted to make A's gateway local via B so any system on the LAN can use B and assign the remote default gateway and use public IPs? – Areeb Soo Yasir Aug 08 '17 at 22:27
@JimParis If you don't assign IP's at OpenVPN and do it later manually you can assign multiple IPs to the same `tap` device. I also managed to get this to work in a way you can bind only some programs to those IPs and have everything else use the local gateway: https://unix.stackexchange.com/questions/527677/debian-2-interfaces-2-gateways – TCB13 Jun 30 '19 at 15:07

Robert · Answer 2 · 2012-09-24T22:13:17.633

1

You're going to have a hard time I think. Most firewalls will have difficulty routing OpenVPN traffic if both sides of the VPN are in the same subnet.

If you are trying to route for public access, I'd move both servers to different subnets from your public addresses and then use Virtual IPs (1 to 1 Nat) to connect them. To connect the two sites, OpenVPN would work or an IP-Sec tunnel.

Virtual IPs: http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

Site to site: http://doc.pfsense.org/index.php/VPN_Capability_IPsec

Edit based on comments:

I'd personally install pfSense on the A box and give it the port you wanted for its WAN. Then setup an OpenVPN server on a local subnet (which is all ready to go in the pfSense web interface) and setup the other machine with a Virtual IP pointed to its local OpenVPN ip. This would give you room for expansion later (add more machines with Virtual IPs, logically forward specific ports to different servers, really have a full blown LAN/WAN/DMZ setup with OpenVPN for virtual access. Not to mention that you'd have a full blown router so it'd likely be more secure.

edited Sep 24 '12 at 22:13

answered Sep 24 '12 at 21:21

Robert

501
5
14

I don't understand how intermediate firewalls are involved; they certainly won't be looking inside the OpenVPN packets between **A** and **B**. For the OpenVPN config itself, I was expecting that something like `push "route 50.7.19.122 255.255.255.255 net_gateway"` would ensure that the VPN data is still pushed over the normal network. – Jim Paris Sep 24 '12 at 21:29
To be clear, I want to create tunnel directly between **A** and **B**, not on separate firewalls at each end. – Jim Paris Sep 24 '12 at 21:32
1

But when computer A wants to route to computer B it won't know if it should use the WAN (with your public IPs), the LAN (with its static IP) or the OpenVPN (also with your public IPs) because they are all same subnet. B to A should work though. – Robert Sep 24 '12 at 21:33
1

Also there is this, I've had it working but not with public IPs. I think virtual ip's will be much better either way. http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html – Robert Sep 24 '12 at 21:39
"To be clear, I want to create tunnel directly between A and B, not on separate firewalls at each end." You are going to need to open a port somewhere for an OpenVPN server – Robert Sep 24 '12 at 21:41
"it won't know if it should use the WAN, the LAN, or the OpenVPN" -- The OpenVPN server at **A** should be sending its packets back to their source address and port, which would be the NAT firewall at **B** (not in 8.8.8.0/29), so I don't think there's any confusion there. Note there's no LAN at **A**, just the WAN. – Jim Paris Sep 24 '12 at 21:45
"You are going to need to open a port somewhere for an OpenVPN server". All ports are open. **A** is directly on the Internet. – Jim Paris Sep 24 '12 at 21:45
"Also there is this..." Yeah, I mentioned Ethernet bridging in my question. It seems like this might be the only way to get things working without pulling my hair out, although I'd really prefer a point-to-point IP tunnel if possible. – Jim Paris Sep 24 '12 at 21:46
I've dealt with an older version of OpenVPN. And I agree with Robert, if your addresses are in the same subnet, you'll have trouble with anything other than bridging. The subnet mode is best for setting up routes between two different subnets, i.e. 8.8.1.0/24 and 8.8.2.0/24; when it does so, the version I'm using dynamically adds/removes the routing rules needed, and points the route for each "remote" subnet to the VPN's internal address. – Avery Payne Jan 23 '14 at 00:45

Tunneling a public IP to a remote machine

2 Answers2

Linked