openvpn
Alexander, 2019-08-21 10:29:28

Why does the VPN show the real IP when connecting to a donor server?

I set up an OpenVPN server on a VDS. Everything works, everything is fine. Besides the VPN, the VDS also hosts websites and has SSH access open. For some reason, if I connect to the VDS over HTTP(S) or SSH through the VPN that runs on that same VDS, the real IP (the one from my ISP) is shown. Why is this happening?

server.conf
port 161
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem

cipher AES-256-CBC

server 10.10.15.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"

keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 5

client.ovpn
# --------------------------------------------------------
# Settings for connecting to the VPN at vpn.example.com
# -- Settings version from 14.08.2019
# --------------------------------------------------------

client
dev tun
proto udp
remote vpn.example.com 161
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
key-direction 1
block-outside-dns
cipher AES-256-CBC
comp-lzo
verb 3

<ca>
# CA certificate goes here
</ca>
<cert>
# Client certificate goes here
</cert>
<key>
# Client key goes here
</key>


2 answer(s)
landergate, 2019-08-21
@zkelo

Because in order to be able to route your traffic through the VPN, your routing table has to exclude the address of the VPN gateway itself, otherwise it will not be able to connect to the VPN gateway.
If you need to hide the address on this server as well, this can be achieved by connecting from another place, i.e. either by moving the VPN server to another node, or using third-party proxies, or using Tor.
You can also connect to the server via SSH using its internal IP in this private network, and then reach the site via local port forwarding, setting it, for example, to 1234:127.0.0.1:80, and then opening 127.0.0.1:1234 in your browser. In this case, in the logs of the site, connections will come from 127.0.0.1.
Possible nuances: 1) links on the site must be relative, not filled with a full domain name, otherwise in the browser they will not look like 127.0.0.1:1234/something/ but will keep switching to the main domain; 2) the site itself must allow connections without specifying the domain, otherwise a location/vhost mismatch will occur and the site will not open this way.
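To make the routing argument in the answer above concrete, here is an added example (not from the original thread) that models the client routing table OpenVPN installs for "redirect-gateway def1" and performs a longest-prefix-match lookup over it. All addresses are constructed: 203.0.113.10 stands in for vpn.example.com, 192.0.2.1 for the ISP gateway and 10.10.15.1 for the tunnel peer from the question's "server 10.10.15.0" line.

```python
"""Model of the client routing table after "redirect-gateway def1" and a
longest-prefix-match lookup over it. Addresses are constructed samples."""
import ipaddress

# Constructed sample addresses (not from the original thread).
ISP_GATEWAY = "192.0.2.1"         # the client's physical default gateway
VPN_SERVER_PUBLIC = "203.0.113.10"  # stands in for vpn.example.com
TUN_GATEWAY = "10.10.15.1"        # tunnel peer from "server 10.10.15.0 ..."


def def1_routing_table(vpn_server, isp_gateway, tun_gateway):
    """Return (prefix, next_hop, interface) entries as the def1 method adds them.

    def1 leaves the original default route in place and adds two /1 routes
    that together cover all of IPv4 and win over 0.0.0.0/0 because they are
    more specific, plus a /32 host route that pins the VPN server itself to
    the physical gateway so the tunnel can still reach it. That /32 is why
    the VPN server (and anything else hosted on it) sees the real IP."""
    return [
        ("0.0.0.0/0", isp_gateway, "eth0"),        # original default route
        ("0.0.0.0/1", tun_gateway, "tun0"),        # added by def1
        ("128.0.0.0/1", tun_gateway, "tun0"),      # added by def1
        (f"{vpn_server}/32", isp_gateway, "eth0"),  # host route added by def1
        ("10.10.15.0/24", tun_gateway, "tun0"),    # VPN subnet pushed by "server"
    ]


def lookup(table, destination):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best[1], best[2]


def main():
    table = def1_routing_table(VPN_SERVER_PUBLIC, ISP_GATEWAY, TUN_GATEWAY)
    # A random Internet host goes via tun0; the VPN server's public address
    # goes via eth0 (real IP exposed); the server's tunnel address via tun0.
    for dst in ("93.184.216.34", VPN_SERVER_PUBLIC, TUN_GATEWAY):
        print(dst, "->", lookup(table, dst))


if __name__ == "__main__":
    main()
```

On a real Linux client the same check is `ip route get 203.0.113.10` (with the server's actual address), which should report the physical interface rather than tun0, while `ip route get 10.10.15.1` reports tun0, which is what makes the SSH-over-internal-IP approach work.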

pcdesign, 2019-08-21
@pcdesign

If I'm not mistaken, you need to abandon MASQUERADE in favor of SNAT.
That is, remove the lines where OpenVPN traffic is sent to MASQUERADE, and instead write:
By the way, SNAT is faster than MASQUERADE
