
I want to configure an OpenVPN server that works on an alias IP. I changed the client config to have the alias IP as remote and added "local 188.xx.xx.55" in the OpenVPN config, which is our alias IP. I also set "natd_interface=188.xx.xx.55", which is again the alias IP. When the VPN connects and I check my public IP it displays xx.xx.207.4, which is the original IP, not the alias IP we want it to work on. Can anyone please guide me on how to make it work, either with NATD or PF? If you want any more info just ask in the comments and I'll post it.

Correction: the ipfw rule "00050 divert 8668 ip4 from any to any via bge0" is configured, which might be causing the issue. Please look at my IP configuration below.

ifconfig bge0:

```
bge0: flags=8843 metric 0 mtu 1500
	options=c019b
	ether xx:xx:97:xx:e5:xx
	hwaddr xx:xx:97:xx:e5:xx
	inet xx.xx.207.4 netmask 0xffffffc0 broadcast xx.xx.xx.63
	inet 188.xx.xx.55 netmask 0xffffffff broadcast 188.xx.xx.55
	nd6 options=29
	media: Ethernet autoselect (1000baseT )
	status: active
```

openvpn.conf:

```
local 188.xx.xx.55
port 50983
push "route 188.xx.xx.55 255.255.255.255"
askpass
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
verify-client-cert none
plugin /usr/local/lib/openvpn/plugins/open$
status openvpn-status.log
verb 3
push "redirect-gateway autolocal def1"
push "redirect-gateway local def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
```

rc.conf:

```
firewall_enable="YES"
firewall_type="open"
hostname="example.com"
ifconfig_bge0="inet xx.xx.207.4 netmask 255.255.255.197"
defaultrouter="xx.xx.207.1"
ifconfig_bge0_alias0="inet 188.xx.xx.55 n$
gateway_enable="YES"
natd_enable="YES"
natd_flags="-alias_address 188.xx.xx.55"
openvpn_enable="YES"
openvpn_if="tun"
```

ipfw rules:

```
00050 divert 8668 ip4 from any to any via bge0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe$
00800 allow ipv6-icmp from fe80::/10 to ff$
00900 allow ipv6-icmp from any to any ip6 $
01000 allow ipv6-icmp from any to any ip6 $
65000 allow ip from any to any
65535 deny ip from any to any
```

Zquest
  • Please try to use proper capitalisation and the formatting options to make your posts more readable. - *"When I check my public IP it displays xx.xx.207.4 which is the original ip not the alias ip"* my first guess is that your VPN server is correctly configured to accept incoming traffic on the new IP-address but that you still need to adjust the rules in your firewall configuration to NAT/MASQUERADE with the new IP-address rather than primary IP-address for your internet network interface. – HBruijn Oct 24 '18 at 11:35
  • Okay, first of all I am new to all of this so bear with me. Currently natd is configured, and in my rc.conf I have the natd_interface="188.xx.xx.55" option, which is the alias IP. Second, I added push "route 188.xx.xx.55 255.255.255.255" in openvpn.conf and "pull" in the client ovpn file. Now how do I configure the firewall? I am using ipfw – Zquest Oct 24 '18 at 11:44

2 Answers


You're actually using natd for NAT, as this is FreeBSD and your ipfw rule uses a divert socket to forward traffic to it. Look at your /etc/rc.conf for the natd_interface option; it is currently set to your output interface name.

By default, with this configuration, natd will use the primary address of the specified interface as the masquerade address. To change this behaviour, you have to remove the natd_interface stanza altogether from rc.conf and change your natd_flags line there (or create one if it doesn't exist) to include this:

```
natd_flags="-alias_address A.B.C.D"
```

where A.B.C.D is your desired masquerade IP address.

Peter Zhabin
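As an added example (not code from the question or from this answer): a small POSIX shell checker for the rc.conf pattern this answer describes. It flags the two things that leave natd masquerading with the interface's primary address: no -alias_address in natd_flags, and a natd_interface line still present. The two rc.conf snippets and the 203.0.113.55 address are constructed for the demo.

```shell
# Constructed sample files: the question's first attempt and the fixed version.
demo=$(mktemp -d)

# "Before": alias handed to natd through natd_interface, as the asker first did.
cat > "$demo/rc.conf.before" <<'EOF'
gateway_enable="YES"
natd_enable="YES"
natd_interface="203.0.113.55"
natd_flags="-alias_address 203.0.113.55"
EOF

# "After": natd_interface removed; the alias is passed only via natd_flags.
cat > "$demo/rc.conf.after" <<'EOF'
gateway_enable="YES"
natd_enable="YES"
natd_flags="-alias_address 203.0.113.55"
EOF

# rcvar FILE VARNAME: value of an rc.conf assignment (last one wins, quotes stripped).
rcvar() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# natd_alias FILE: the address following -alias_address in natd_flags, or nothing.
natd_alias() {
    flags=$(rcvar "$1" natd_flags)
    case "$flags" in
        *"-alias_address "*) a=${flags##*-alias_address }; printf '%s\n' "${a%% *}" ;;
    esac
}

# check_natd_conf FILE: prints findings; returns 0 only when natd is enabled,
# -alias_address is present and no natd_interface line remains.
check_natd_conf() {
    f=$1 rc=0
    [ "$(rcvar "$f" natd_enable)" = "YES" ] || { echo "natd_enable is not YES"; rc=1; }
    [ -n "$(natd_alias "$f")" ] || { echo "natd_flags has no -alias_address"; rc=1; }
    iface=$(rcvar "$f" natd_interface)
    [ -z "$iface" ] || { echo "natd_interface=\"$iface\" still set; remove it"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: natd masquerades as $(natd_alias "$f")"
    return "$rc"
}
```

Run it against /etc/rc.conf after editing, then restart natd so the new flags take effect.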

Finally it worked. I restarted netif and routing too, along with natd. +1 for @Peter Zhabin. Thank you brother so much, you finally saved me. Sadly my reputation is not greater than 15 as I am new here too, so I can't upvote your answer, but your solution does work.

Zquest
  • You certainly _can_ accept it though! And that would also give you 2 reputation points. You can get 2 more (returned to you) by putting this "answer" into a comment, and then deleting this. – Colt Oct 24 '18 at 21:31