hostadmin, 2020-10-04 17:08:26
openvpn

How to set outgoing IP for OpenVPN (there are several of them on the server)?

A VPN is installed on the server (Debian 10); it gives clients IPs of the form 10.8.0.*.
The server has several IPs, but all clients exit through the "first" IP (the one that was configured when the server was installed).

There is a third IP on the server

eth0:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 4.3.2.1  netmask 255.255.255.255  broadcast 4.3.2.1

and I want to let OpenVPN clients through it.

Convoluted constructs like:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24  -j SNAT --to 4.3.2.1
have no effect.

iptables before trying to add any rules:
# iptables --table nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NAT_PREROUTING_CHAIN  all  --  anywhere             anywhere
POST_NAT_PREROUTING_CHAIN  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere
MASQUERADE  all  --  10.8.0.0/24         !10.8.0.0/24
POST_NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere
MASQUERADE  tcp  --  172.16.238.2         172.16.238.2         tcp dpt:https
MASQUERADE  tcp  --  172.16.238.2         172.16.238.2         tcp dpt:http

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain NAT_PREROUTING_CHAIN (1 references)
target     prot opt source               destination

Chain NAT_POSTROUTING_CHAIN (1 references)
target     prot opt source               destination

Chain POST_NAT_PREROUTING_CHAIN (1 references)
target     prot opt source               destination

Chain POST_NAT_POSTROUTING_CHAIN (1 references)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:172.16.238.2:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.16.238.2:80
# Warning: iptables-legacy tables present, use iptables-legacy to see them


and after trying:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NAT_PREROUTING_CHAIN  all  --  anywhere             anywhere
POST_NAT_PREROUTING_CHAIN  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere
MASQUERADE  all  --  10.8.0.0/24         !10.8.0.0/24
POST_NAT_POSTROUTING_CHAIN  all  --  anywhere             anywhere
MASQUERADE  tcp  --  172.16.238.2         172.16.238.2         tcp dpt:https
MASQUERADE  tcp  --  172.16.238.2         172.16.238.2         tcp dpt:http
SNAT       all  --  10.8.0.0/24          anywhere             to:4.3.2.1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain NAT_PREROUTING_CHAIN (1 references)
target     prot opt source               destination

Chain NAT_POSTROUTING_CHAIN (1 references)
target     prot opt source               destination

Chain POST_NAT_PREROUTING_CHAIN (1 references)
target     prot opt source               destination

Chain POST_NAT_POSTROUTING_CHAIN (1 references)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:172.16.238.2:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.16.238.2:80
# Warning: iptables-legacy tables present, use iptables-legacy to see them

2 answer(s)
hostadmin, 2020-10-04

alex1478 gave me the idea that something might be adding rules to iptables earlier. I remembered that I have arno-iptables-firewall. I went to read its man page and found the necessary plugin.
As a result, everything came down to this:
in /etc/arno-iptables-firewall/plugins/outbound-snat.conf you need to set ENABLED=1 and, at the very bottom of the file, specify the internal subnet and the external IP for it: OUTBOUND_SNAT_NET_HOST="10.8.0.1/24>4.3.2.1".
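
As an added illustration (not part of hostadmin's answer and not code from arno-iptables-firewall or OpenVPN), the script below shows why the SNAT rule appended in the question had no effect. The nat POSTROUTING chain is first-match: the pre-existing `MASQUERADE all -- 10.8.0.0/24 !10.8.0.0/24` rule sits above the appended SNAT rule, and MASQUERADE always uses the primary address of the outgoing interface, so the SNAT rule at the bottom of the chain is never consulted. The script parses rules in `iptables -t nat -S POSTROUTING` format, reports which translation rule wins for the VPN subnet, prints the `iptables -I` command that puts an SNAT rule in front of it (with the same `! -d 10.8.0.0/24` scope the existing masquerade rule uses, so client-to-client traffic is left alone), and simulates the insert on the text dump to confirm the ordering change. The embedded rule text is a constructed transcription of the chain shown in the question, not captured output; the subnet and the 4.3.2.1 address are taken from the question.

```shell
#!/bin/sh
# Added example, not code from the original thread. Shows why an SNAT rule
# appended to nat/POSTROUTING is shadowed by an earlier MASQUERADE rule for
# the same source, and how to place it in front of that rule instead.

VPN_NET="10.8.0.0/24"   # OpenVPN client subnet from the question
EXT_IP="4.3.2.1"        # address on eth0:2 that the clients should appear from

# Constructed transcription of the POSTROUTING chain in the question, in the
# format of `iptables -t nat -S POSTROUTING`; not real captured output.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -j NAT_POSTROUTING_CHAIN
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE
-A POSTROUTING -j POST_NAT_POSTROUTING_CHAIN
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 4.3.2.1'

# effective_action RULES NET: what the first SNAT/MASQUERADE rule matching
# "-s NET" does. Prints "MASQUERADE", "SNAT <addr>", or nothing if none.
# The nat table is first-match: once a rule has set up the translation for a
# connection, later rules in the chain are never consulted for it.
effective_action() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^-A POSTROUTING / && index($0, "-s " net " ") {
            if (/-j MASQUERADE/) { print "MASQUERADE"; exit }
            if (/-j SNAT/) { sub(/.*--to-source /, ""); print "SNAT " $1; exit }
        }'
}

# find_nat_rule RULES NET: 1-based position in POSTROUTING of that first
# matching translation rule, i.e. the index `iptables -I` needs to get in
# front of it. Prints nothing if no such rule exists.
find_nat_rule() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^-A POSTROUTING / { pos++ }
        /^-A POSTROUTING / && index($0, "-s " net " ") && (/-j MASQUERADE/ || /-j SNAT/) {
            print pos; exit
        }'
}

# fix_command RULES NET IP: the iptables command that makes SNAT to IP win for
# NET. MASQUERADE always picks the primary address of the outgoing interface,
# so an SNAT rule appended after it (as in the question) never takes effect;
# it has to be inserted before it. The "! -d NET" mirrors the scope of the
# existing masquerade rule so VPN-client-to-VPN-client traffic is not rewritten.
fix_command() {
    action=$(effective_action "$1" "$2")
    if [ "$action" = "SNAT $3" ]; then
        echo "# SNAT to $3 already wins for $2; nothing to do"
        return 0
    fi
    pos=$(find_nat_rule "$1" "$2")
    if [ -z "$pos" ]; then
        echo "iptables -t nat -A POSTROUTING -s $2 ! -d $2 -j SNAT --to-source $3"
    else
        echo "iptables -t nat -I POSTROUTING $pos -s $2 ! -d $2 -j SNAT --to-source $3"
    fi
}

# insert_rule RULES POS RULE: simulate `iptables -I POSTROUTING POS RULE` on
# the text dump, so the effect of the ordering can be checked before touching
# the live table.
insert_rule() {
    printf '%s\n' "$1" | awk -v pos="$2" -v rule="$3" '
        /^-A POSTROUTING / { n++; if (n == pos) print "-A POSTROUTING " rule }
        { print }'
}

echo "first translation rule for $VPN_NET: $(effective_action "$SAMPLE_RULES" "$VPN_NET")"
echo "fix: $(fix_command "$SAMPLE_RULES" "$VPN_NET" "$EXT_IP")"
FIXED=$(insert_rule "$SAMPLE_RULES" "$(find_nat_rule "$SAMPLE_RULES" "$VPN_NET")" \
    "-s $VPN_NET ! -d $VPN_NET -j SNAT --to-source $EXT_IP")
echo "after insert: $(effective_action "$FIXED" "$VPN_NET")"
```

To run the same check against the live table, replace the constructed sample with the output of `iptables -t nat -S POSTROUTING`. Because the listing in the question ends with "iptables-legacy tables present", the same check should also be run on `iptables-legacy -t nat -S POSTROUTING` output: the kernel traverses both the nf_tables and the legacy rule sets, and a masquerade rule living in the other one shadows an SNAT rule just the same. A rule inserted by hand with `iptables -I` disappears the next time the firewall reloads its rule set, which is why letting the firewall itself install the rule (the outbound-snat plugin in the accepted answer) is the durable form of this fix.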

res2001, 2020-10-04

In the OpenVPN config, set the local option; in it, specify which address OpenVPN will listen on for incoming connections.
By default it listens on all addresses.
