Openvpn – Configuring OpenVPN using different network interfaces for different clients


I want to set a different outgoing IP for each client of OpenVPN. I have two IPs and two different network interfaces, one for each: ens3 and ens3:1 (I have more clients, this is just for trying). They are defined in /etc/network/interfaces like below:

auto lo
iface lo inet loopback

auto ens3
iface ens3 inet static
        address `default_ip`
        netmask 255.255.254.0
        gateway `gateway`
        dns-nameservers 108.61.10.10
        post-up ip route add 169.254.0.0/16 dev ens3


auto ens3:1
iface ens3:1 inet static
        address `ip2`
        netmask 255.255.254.0

I created keys, installed OpenVPN and configured the network.

I set net.ipv4.ip_forward=1 in sysctl.conf, DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw and configured iptables with iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE.

I configured OpenVPN just like below (/etc/openvpn/server.conf) by looking here:

mode server
tls-server
proto tcp-server
port 443
dev tun
topology "subnet"
push "topology subnet"
ifconfig 10.8.0.1 255.255.254.0
push "route-gateway 10.8.0.1"
push "redirect-gateway def1"
ifconfig-pool 10.8.0.2 10.8.255.255 255.255.0.0
client-config-dir ccd
log-append openvpn.log
status openvpn-status.log
keepalive 10 60
# TLS needs:
pkcs12 keys/server.p12
dh keys/dh2048.pem

OpenVPN worked up to this point. When I logged in with this client1.ovpn file (below) and client1.psk using Tunnelblick on macOS, it worked. I could use the internet with default_ip.

client
dev tun
ns-cert-type server
proto tcp
remote `default_ip` 443
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
verb 3
pkcs12 /Users/User/client1.p12

However, when I tried to make client1 use ip2 while using OpenVPN by creating the ccd/client1 file like below and configuring iptables with iptables -t nat -A POSTROUTING -s 10.8.5.0 -o ens3:1 -j MASQUERADE, it didn't work. Tunnelblick connected to OpenVPN but there was no internet connection.

ifconfig-push 10.8.5.1 255.255.254.0

BTW, OpenVPN is installed on Ubuntu 16.04. I should say, I am new to networking and also to OpenVPN. I tried several things to make it work, but it didn't work no matter what. How can I make this work?

Best Answer

I couldn't make it work in this way. That's why I configured multiple OpenVPN instances so that each one listens on a single IP and uses the interface of that same IP.

I used this bash script for the initial installation.

I created a directory for each instance under /etc/openvpninstances. You can copy the default directory for a quick start.

For each IP, a network interface should be defined and iptables should be configured.

# $i should be different for each ip, we use 10.9.$i.0 in server.conf
iptables -t nat -A POSTROUTING -s 10.9.$i.0/24 -j SNAT --to $ip

Here is the server.conf for each IP:

port 1194
local $ip1
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca /etc/openvpninstances/ovpn-$ip1/ca.crt
cert /etc/openvpninstances/ovpn-$ip1/server.crt
key /etc/openvpninstances/ovpn-$ip1/server.key
dh /etc/openvpninstances/ovpn-$ip1/dh.pem
tls-auth /etc/openvpninstances/ovpn-$ip1/ta.key 0
topology subnet
server 10.9.$i.0 255.255.255.0
ifconfig-pool-persist /etc/openvpninstances/ovpn-$ip1/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS $DNSIP"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpninstances/ovpn-$ip1/openvpn-status.log
verb 3
crl-verify /etc/openvpninstances/ovpn-$ip1/crl.pem
daemon ovpn-$ip1

Each OpenVPN instance can be started with the following command:

/usr/sbin/openvpn /etc/openvpninstances/ovpn-$ip/server.conf

In the .ovpn files, the remote IP and port, and also the certificates, should be changed for each IP.
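As an added example (not part of the question or the answer above), a POSIX shell helper that renders one server.conf per public IP following the answer's per-instance layout, together with the matching SNAT rule and start command for that instance. The BASE directory default, the DNS address and the sample IPs are assumptions; run the printed iptables and openvpn commands as root on the VPN host.

```shell
#!/bin/sh
# Assumption: instances live under $BASE/ovpn-<public ip>/ (the answer uses
# /etc/openvpninstances); keys/certs are expected to already be in that directory.
BASE="${BASE:-/tmp/openvpninstances}"
DNSIP="${DNSIP:-108.61.10.10}"   # constructed default; the resolver pushed to clients

# render_conf <index> <public_ip>
# Writes $BASE/ovpn-<public_ip>/server.conf and echoes its path. <index> selects
# the tunnel subnet 10.9.<index>.0/24 and must be unique (0-255) per instance.
render_conf() {
    i="$1"; ip="$2"
    case "$i" in ''|*[!0-9]*) echo "index must be numeric" >&2; return 1;; esac
    [ "$i" -le 255 ] || { echo "index must be 0-255" >&2; return 1; }
    dir="$BASE/ovpn-$ip"
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<EOF
port 1194
local $ip
proto udp
dev tun
ca $dir/ca.crt
cert $dir/server.crt
key $dir/server.key
dh $dir/dh.pem
tls-auth $dir/ta.key 0
topology subnet
server 10.9.$i.0 255.255.255.0
ifconfig-pool-persist $dir/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS $DNSIP"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status $dir/openvpn-status.log
crl-verify $dir/crl.pem
verb 3
daemon ovpn-$ip
EOF
    echo "$dir/server.conf"
}

# snat_rule <index> <public_ip>: prints the NAT rule that sends this instance's
# tunnel subnet out with its own public IP (the point of the per-instance split).
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -s 10.9.$1.0/24 -j SNAT --to-source $2"
}

# start_cmd <public_ip>: prints the command that starts this instance.
start_cmd() {
    echo "/usr/sbin/openvpn $BASE/ovpn-$1/server.conf"
}
```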
