Hi all. This is an update to the thread originally started at:
<http://lists.debian.org/debian-user/2013/08/msg00718.html> I won't give a summary here, the above URL can give the full story. To recap briefly though, I ended up using NAT to route a public address from my /29 subnet on my VPS to a private IP address assigned to my client by openvpn on the VPS. The result of this is that my client got a 10.28.49.253 address from openvpn on my VPS, but the rest of the internet saw traffic from that client as if it came from the public address I was doing NAT from/to on my VPS. This worked well. However, the proxy arp discussion in the latter part of this thread stayed with me, and I wanted my gnu/linux clients to actually get a public address directly from my /29 on their tap interface without doing NAT. Bob Proulx indicated this was possible, but nobody actually explained it in step-by-step detail. Since at the time I saw proxy arp as being incompatible with openvpn (more below) I ended up trying to figure out various ways to do this, even suggesting proxying a tun device at one point. So, I ended up doing some research on proxy arp to make sure I understood the parts that I did correctly, and to understand the other parts of it which weren't so clear. The bottom line is that I have my VPS doing proxy arp for my openvpn clients, so my clients get a public address assigned directly without the need for doing NAT. While this probably won't be a step-by-step, I wanted to provide an overview of how to do proxy arp with openvpn in case someone wanted to do the same, and was searching the web to find out how. The key is to use --server-bridge on the openvpn server, but you actually aren't setting up a bridged interface. The below from the openvpn man page initially threw me for a loop, and made me think at first that proxy arp and openvpn wouldn't work together: "--server-bridge gateway netmask pool-start-IP pool-end-IP --server-bridge ['nogw'] A helper directive similar to --server which is designed to sim- plify the configuration of OpenVPN's server mode in ethernet bridging configurations." I only wanted to use a tun/tap device, not a bridge. So, the only way I saw how to do what I wanted to do was to use the --server directive, which requires letting opvnvpn have a full /24 subnet all to itself! So, I decided at some point to just try using --server-bridge with a tap device instead of a bridge, and it works! The server-side openvpn config file I posted earlier in this thread should work fine from what I recall. I'm fairly sure all I did there is to replace the line: "server 10.28.49.0 255.255.255.0" with: "server-bridge" Now, I still wanted to have my clients get an address through dhcp. However, using --server-bridge means I don't get to use openvpn's dhcp server anymore. So, I installed the isc-dhcp-server package. I configured dhcpd for my /29 subnet, but specified mac addresses instead of an IP range. Like so: "host myhost.example.com { fixed-address client_public_address; hardware ethernet mac_address; } Yes, you can apparently configure a subnet block without giving a range. This means that only clients with a known mac address by the dhcp server will be given their own address. Also, my VPS is on its own VLAN, and my VPS provider assures me nobody could use my public interface to get assigned an IP address from my /29 by my dhcp server, even if I were to use the range directive. So, I feel that running a dhcp server under these conditions is secure enough for me. Ok, we're ready to start the dhcp server, except that it would be listening on the public interface only, not on the tap0 device which openvpn would create. Besides that, we also need to setup routing for the tap 0 interface. So, we have to edit /etc/network/interfaces file. To create the tap0 device before openvpn is started, I added the following line to the end of my iface eth0 stanza: "pre-up openvpn --mktun --dev tap0" without the quotation marks of course. Then in my interfaces file I have: "auto tap0 iface tap0 inet static address vps_public_address netmask 255.255.255.255 post-up route -A inet add -host client_public_address dev tap0 pre-down route -A inet del -host client_public_address dev tap0" Notice the /32 netmask. I could simply have assigned another IP address from my /29 subnet to the tap0 device. However, given how precious each IP address from a /29 is to me, I simply used the public address already assigned to the VPS' eth0, but with a /32 subnet. That way, I still get an address for tap0, dhcpd can listen on it for lease requests, and the tap0 device is all set. Add more post-up and pre-down lines for every new client you want to get a public address from the /29. This tells the VPS to use tap0 to communicate with those addresses, instead of trying to reach them over eth0, which wouldn't work. We're almost done, but we haven't yet enabled proxy arp. To do that, I put the following in /etc/sysctl.d/local.conf: "net.ipv4.conf.all.proxy_arp=1" without the quotes. Or, you can just do: $ echo 1 >/proc/sys/net/ipv4/conf/all/proxy_arp" Why all? I used all because just eth0 and tap0 by themselves didn't work. That's pretty much it. One more note. In the client's opvnvpn config file, you'll want to specify the same mac address you assigned it on the dhcp server. You would do that with the --lladdr directive. Also, on gnu/linux, I found the best approach is to start dhclient on the client's tap0 device by hand. I do this in a bash script which also starts the openvpn connection on the client. You can't use the --up and --down directives in the openvpn config file to call dhclient directly. To do that, you'd have to write a wrapper around dhclient which can deal with the arguments openvpn passes to each --up and --down command. I just found it easier to start openvpn/dhclient, and to bring them both down in a bash script. Ok, so this isn't a step-by-step, but I think it does give a good enough overview of things. I'll do my best to answer any questions. There are probably improvements too which others will point out as well. Enjoy! Greg -- web site: http://www.gregn..net gpg public key: http://www.gregn..net/pubkey.asc skype: gregn1 (authorization required, add me to your contacts list first) -- Free domains: http://www.eu.org/ or mail dns-mana...@eu.org -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20131025034729.ga18...@gregn.net
