Openvpn advanced setup – masquerade or snat/dnat or even proxy


So, I have the following question:
Given a server with public (routable) IPs, let's say: x.y.z.1, x.y.z.2, x.y.z.3 – x.y.z.31, I want to configure OpenVPN as a proxy or masquerade server for some clients as follows: each client has a unique public static IP address: a.b.c.d. He will connect to the allowed server address: x.y.z.1 (he shall not be able to connect to any other public IP address of the server). Using this connection, he should be able to browse the internet having the public IP address to which he connected in the first place, say x.y.z.1. This setup is trivial using only Squid (attached for the ones who need it), but I must find a way to do this whole shebang using OpenVPN.

    acl testuser1src src a.b.c.d          # this is the client's public ip address
    acl testuser1bindip myip x.y.z.1      # one of the server's public ip addresses
    tcp_outgoing_address x.y.z.1 testuser1bindip
    http_access allow testuser1src testuser1bindip   # if the two conditions are fulfilled OK

Thanks in advance

Best Answer

Where "1.1.1.1" is the client's OpenVPN-assigned address and "9.9.9.9" is the public IP address to SNAT the client's traffic to/from:

    iptables -t nat -A POSTROUTING -s 1.1.1.1 -j SNAT --to-source 9.9.9.9

That's doing what you want on a test box of mine here. Obviously, you'll need OpenVPN set up with client configuration files to dole out the same IP address to a given client when they connect, but it sounds like you've got that already.

If you don't already have an entry in your FORWARD chain to allow the traffic from the clients through, you'll want to add a rule there, too. You could do something like this if you want to blindly forward traffic received on a tunnel interface bound for the Internet:

    iptables -A FORWARD -i tun+ -o internet-interface -j ACCEPT

Finally, if you want to direct unsolicited inbound connection attempts for the clients' public IP addresses to the clients, you'll want to do that on the PREROUTING chain in the nat table with something like:

    iptables -t nat -I PREROUTING -d 9.9.9.9 -j DNAT --to-dest 1.1.1.1
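A fuller version of the SNAT/DNAT/FORWARD setup from the answer above, written as an added example rather than code from the original post: it builds the per-client rules for every entry in a tunnel-address to public-address mapping, ties forwarding to each client's own tunnel address instead of a blanket tun+ accept, and only admits unsolicited inbound connections for ports the mapping explicitly lists. Assumed names: WAN_IF stands in for the answer's "internet-interface", OpenVPN clients sit on tun+ interfaces, and the mapping at the bottom is constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original answer): per-client 1:1 NAT for
# OpenVPN clients with fixed tunnel addresses, built from a mapping of
# "tun-ip public-ip [inbound-tcp-ports]" lines.
# Assumptions: WAN_IF names the Internet-facing interface (the answer's
# "internet-interface"), OpenVPN clients arrive on tun+ interfaces,
# net.ipv4.ip_forward=1 is set and the FORWARD chain policy is DROP, so
# that the ACCEPT rules below are what actually admits traffic.

WAN_IF="${WAN_IF:-eth0}"

# Rules for one client. Outbound traffic from the client's tunnel address
# is SNATed to its public address; inbound traffic for that public address
# is DNATed back. Forwarding is tied to the individual tunnel address
# instead of a blanket "tun+ -> WAN" accept, and packets coming back from
# the WAN are only forwarded when conntrack already knows the flow, so the
# DNAT line alone does not expose every port on the client. Unsolicited
# inbound TCP is admitted only for ports listed in the optional third
# argument (e.g. "80,443").
nat_rules_for_client() {
    tun_ip="$1"
    pub_ip="$2"
    ports="$3"
    printf '%s\n' \
        "iptables -t nat -A POSTROUTING -s $tun_ip -o $WAN_IF -j SNAT --to-source $pub_ip" \
        "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub_ip -j DNAT --to-destination $tun_ip" \
        "iptables -A FORWARD -i tun+ -o $WAN_IF -s $tun_ip -j ACCEPT" \
        "iptables -A FORWARD -i $WAN_IF -o tun+ -d $tun_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ -n "$ports" ]; then
        printf '%s\n' \
            "iptables -A FORWARD -i $WAN_IF -o tun+ -d $tun_ip -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    fi
}

# Read the mapping from stdin and emit the rules for every client,
# skipping blank lines and '#' comments.
generate_rules() {
    while read -r tun_ip pub_ip ports; do
        case "$tun_ip" in ''|'#'*) continue ;; esac
        nat_rules_for_client "$tun_ip" "$pub_ip" "$ports"
    done
}

# Print the rules for review; with APPLY=1 in the environment, run them.
apply_rules() {
    generate_rules | while read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$rule"
        else
            printf '%s\n' "$rule"
        fi
    done
}

# Constructed sample mapping using documentation address ranges:
# 10.8.0.0/24 is assumed to be the OpenVPN subnet, 203.0.113.0/24 the
# server's block of public addresses (the question's x.y.z.1 - x.y.z.31).
MAPPING='# tun-ip      public-ip     inbound-tcp-ports (optional)
10.8.0.2      203.0.113.1
10.8.0.3      203.0.113.2   80,443'

printf '%s\n' "$MAPPING" | apply_rules
```

Run it once without APPLY to review the generated rules, then with `APPLY=1` to load them. The second client in the sample mapping is reachable from the Internet on TCP 80 and 443 only; the first client gets return traffic for its own connections and nothing else, which is the difference between the answer's optional DNAT line and an unrestricted exposure of the client.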