
I've been trying for the last few days to accomplish the following task:

I need to create a multi-user environment for more than 5 users simultaneously, and each user needs its own different IP, but it can't be through a SOCKS proxy; it must be something like a VPN that affects all applications open in that user's session. Users will often use the same application.

In my tests, I managed to get the multi user working with multiple RDP logins at Windows and also using Ubuntu with xrdp.

WINDOWS: I tried using OpenVPN, created multiple TAP interfaces to connect to multiple different VPNs at the same time, but it doesn't work: every user session gets the IP from the first connection. I also tried using ForceBindIP to force the applications to one of the TAP interfaces, but the result was the same. I tried creating a different L2TP connection in each user; all users got the same IP too.

UBUNTU: With xrdp it wasn't different: I used openvpn to connect to multiple VPNs, and every user got the same IP all the same.

Is there any way I can properly hook each user to only one interface, so everyone has a different IP address? A virtual machine isn't an option.

Thanks!

EDIT:

Followed @Enrico Bassetti's tips. This is the output:

Output of ip route show:

default via 10.41.10.5 dev tun0  proto static  metric 50 
default via 10.15.10.5 dev tun1  proto static  metric 51 
default via 192.168.0.1 dev ens33  proto static  metric 100 
10.15.10.1 via 10.15.10.5 dev tun1  proto static  metric 50 
10.15.10.5 dev tun1  proto kernel  scope link  src 10.15.10.6  metric 50 
10.41.10.1 via 10.41.10.5 dev tun0  proto static  metric 50 
10.41.10.5 dev tun0  proto kernel  scope link  src 10.41.10.6  metric 50 
108.61.122.87 via 192.168.0.1 dev ens33  proto static  metric 100 
169.254.0.0/16 dev ens33  scope link  metric 1000 
192.40.95.8 via 192.168.0.1 dev ens33  proto static  metric 100 
192.168.0.0/24 dev ens33  proto kernel  scope link  src 192.168.0.124  metric 100 

Output of ip addr show:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:22:68:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.124/24 brd 192.168.0.255 scope global dynamic ens33
       valid_lft 79226sec preferred_lft 79226sec
    inet6 fe80::35de:fa5c:36f9:ef75/64 scope link 
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.41.10.6 peer 10.41.10.5/32 brd 10.41.10.6 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::7673:9948:3a19:4893/64 scope link flags 800 
       valid_lft forever preferred_lft forever
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.15.10.6 peer 10.15.10.5/32 brd 10.15.10.6 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::1e6e:7618:8b1e:5e9d/64 scope link flags 800 
       valid_lft forever preferred_lft forever

EDIT2:

$ sudo ip rule

0:  from all lookup local 
32764:  from all fwmark 0x3e9 lookup 1001 
32765:  from all fwmark 0x3e8 lookup 1000 
32766:  from all lookup main 
32767:  from all lookup default 

$ sudo ip route

default via 10.33.10.5 dev tun0  proto static  metric 50 
default via 10.49.10.5 dev tun1  proto static  metric 51 
default via 192.168.0.1 dev ens33  proto static  metric 100 
10.33.10.1 via 10.33.10.5 dev tun0  proto static  metric 50 
10.33.10.5 dev tun0  proto kernel  scope link  src 10.33.10.6  metric 50 
10.49.10.1 via 10.49.10.5 dev tun1  proto static  metric 50 
10.49.10.5 dev tun1  proto kernel  scope link  src 10.49.10.6  metric 50 
108.61.122.224 via 192.168.0.1 dev ens33  proto static  metric 100 
169.254.0.0/16 dev ens33  scope link  metric 1000 
192.40.95.4 via 192.168.0.1 dev ens33  proto static  metric 100 
192.168.0.0/24 dev ens33  proto kernel  scope link  src 192.168.0.124  metric 100 

$ sudo ip route show table 1000

default via 10.33.10.5 dev tun0 

$ sudo ip route show table 1001

default via 10.49.10.5 dev tun1 

$ sudo iptables -vnL OUTPUT

Chain OUTPUT (policy ACCEPT 34103 packets, 59M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3238  241K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000 MARK set 0x3e8
15180   55M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001 MARK set 0x3e9
billhall

1 Answer


If you are referring to multiple users on the same PC, you can achieve this on Linux by using the owner module of iptables, creating a routing table for each user and pointing it to the right VPN tun interface.

For example, you can create routing tables for UIDs (1000 and 1001 are examples for user IDs):

ip rule add fwmark 1000 table 1000
ip route add default via $gateway_tun0 dev tun0 table 1000

ip rule add fwmark 1001 table 1001
ip route add default via $gateway_tun1 dev tun1 table 1001

and then mark packets with iptables:

iptables -A OUTPUT -m owner --uid-owner 1000 -j MARK --set-mark 1000
iptables -A OUTPUT -m owner --uid-owner 1001 -j MARK --set-mark 1001

On Windows, there is no way to have multiple routing tables AFAIK.

  • Yes, it's multiple users on the same PC. I'm not a Linux expert; I tried following those commands, replacing the $gateway_tun0 with the tun0 gateway IP address. But even so, all the users got the same IP address. I'm connecting through the Ubuntu Network Manager; I noticed that it creates the tun interfaces on the fly as I make more connections to VPNs. Maybe it has something to do with that? When I try using the openvpn --config command, I get a halt at "Initialization Sequence Completed" and I can't open any site... – billhall Apr 30 '18 at 17:33
  • Actually, `ip route` configuration needs to be created after the `tun` interface, so it's better if you do this in a script (see the `openvpn` documentation for that). In the meantime, you need to be sure that the VPN is up before issuing these commands. Are you using the same certificate / common name to do all the VPN connections? If you open two or three VPN connections, do you see a different IP on each `tun` interface? Can you edit your question and add the output of the `ip route show` and `ip addr show` commands? –  Apr 30 '18 at 21:13
  • Thanks for getting back to me, and sorry for the delay in replying. Yes, I connect first and then I issue the commands. I edited the main post with the outputs; the Ubuntu system is running on a virtual machine. Yes, a different internal IP on each tun interface, the same certificate, a different connection name and a different server (it's the same provider though). It seems to connect just fine, but I can't isolate one tun to each user. I'm not familiar with how Ubuntu Network Manager handles the connection to multiple VPN servers; I get the external IP of the first connection across all users. – billhall May 02 '18 at 05:00
  • What do you mean by "external IP of the first connection"? Are you referring to the IP of the `tun` interface? Check the `iptables` and `ip rule`/`ip route` rules. If you have configured the user IDs and rules correctly, that should work. Use `ip route show table 1000` to check that the routing table is OK, and `iptables -vnL OUTPUT` to check that the firewall is configured correctly. –  May 02 '18 at 07:26
  • I mean the IP address I get when I visit a website like ipinfo.io. I edited the main post with the output of the commands; everything seems to be OK. But when I log in as the second user via RDP (uid 1001) and visit ipinfo, I get the same IP as when doing the same as the first user (uid 1000). – billhall May 03 '18 at 01:06
  • `ipinfo.io` will show you the public IP address, not the IP addresses within the VPN (due to the NAT made by your router). If your goal is to have more than one public IP address, you need to configure your VPN with a public subnet (instead of a 10/8 subnet) or use `iptables` with `SNAT` rules. –  May 03 '18 at 09:07
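The following is an added worked example, not part of the answer or the comments above, that scripts the per-user policy routing the answer describes (rule, per-UID table, owner-based MARK) and adds the two things a practitioner would want alongside it: a source-address rewrite per tunnel and an `ip route get ... mark` check that shows which tunnel the kernel would pick for a marked packet. The UIDs, interface names and addresses are the constructed values from the EDIT2 output; 8.8.8.8 in the verification is just an arbitrary public destination for the lookup, and `DRY_RUN` is a switch of this script only.

```shell
#!/bin/sh
# Added example (not the answer's own script): route each Linux user's traffic
# out of its own VPN tunnel with fwmark-based policy routing.
# Constructed values taken from the EDIT2 output: UID 1000 -> tun0
# (gateway 10.33.10.5, local 10.33.10.6), UID 1001 -> tun1 (gateway 10.49.10.5,
# local 10.49.10.6). Must run as root after both tunnels are up.
# DRY_RUN=1 (a switch of this script only) prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bind_user UID IFACE GATEWAY LOCAL_ADDR
# The routing table number and the fwmark both equal the UID, so mark 1000
# shows up as 0x3e8 in `ip rule`, exactly as in the question's output.
bind_user() {
    uid="$1"; dev="$2"; gw="$3"; local_ip="$4"
    # 1. Dedicated table whose only route is the tunnel's default gateway.
    run ip route replace default via "$gw" dev "$dev" table "$uid"
    # 2. Policy rule: packets carrying fwmark UID consult table UID before main.
    run ip rule add fwmark "$uid" table "$uid"
    # 3. Mark locally generated packets by owning user (mangle is the table MARK is meant for).
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" -j MARK --set-mark "$uid"
    # 4. The source address was already chosen by the pre-mark main-table lookup
    #    (the lowest-metric tunnel's address); rewrite it to this tunnel's own
    #    address so the VPN server does not drop the packet as a bad source.
    run iptables -t nat -A POSTROUTING -o "$dev" -j SNAT --to-source "$local_ip"
}

# Strict reverse-path filtering would drop replies arriving on a tunnel that the
# main table would not use for that peer; loose mode (2) only requires reachability.
relax_rp_filter() {
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

# verify_user UID: ask the kernel which route a packet carrying this mark would take.
# 8.8.8.8 is just an arbitrary public destination for the lookup.
verify_user() {
    run ip route get 8.8.8.8 mark "$1"
}

if [ "${1:-}" = "apply" ]; then
    relax_rp_filter
    bind_user 1000 tun0 10.33.10.5 10.33.10.6
    bind_user 1001 tun1 10.49.10.5 10.49.10.6
    verify_user 1000   # expect a line containing "dev tun0"
    verify_user 1001   # expect a line containing "dev tun1"
fi
```

Run it as `DRY_RUN=1 sh script.sh apply` first to review the commands, then as root with `apply`. The SNAT step is the part the answer's commands leave out: for locally generated packets the kernel picks the source address in a route lookup that happens before the OUTPUT chain marks the packet, and the re-route after marking only changes the egress interface, so without the rewrite the second user's packets leave tun1 carrying tun0's address. The `ip route get ... mark` check is the quickest way to confirm the rule and table are consulted at all, independent of any website's view of the public address.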