Question

Route all OpenVPN connections through Floating IP

Posted October 9, 2018 3k views
Debian VPN

I used this tutorial to setup an OpenVPN server on a Debian droplet: https://github.com/Nyr/openvpn-install
I’ve also added a floating IP to the droplet, and now I’d like all connections to the VPN to appear as if they are coming from the floating IP, and NOT the primary IP of the server

When SSHing into the server, I managed to use the floating IP with a curl call:

curl --interface [ACNHOR-IP] https://api.ipify.org/

This worked - it gave the floating IP as response

How can it be done?
I saw this tutorial, but not sure what are the correct values, since the netstat -anr doesn’t give a similar output (I have only one record: eth0 )

Thanks in advance

Add a comment
itai
By:
itai
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

3 answers
X40C October 10, 2018

I managed to get both incoming connection and outgoing to occur via the floating ip. In /etc/openvpn/server.conf i added a line local floating-local-ip(10.19.0.6) after which i restarted openvpn with service openvpn restart. After that i have removed/added some iptables rules like below:

iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source droplet-ip
iptables -t nat -D POSTROUTING -s 10.0.0.2/32 -o eth0 -j SNAT --to-source 10.19.0.6
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
iptables-save

root@ghost-s-1vcpu-1gb-fra1-01:~# netstat -anr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         165.227.144.1   0.0.0.0         UG        0 0          0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.19.0.0       0.0.0.0         255.255.0.0     U         0 0          0 eth0
165.227.144.0   0.0.0.0         255.255.240.0   U         0 0          0 eth0
root@ghost-s-1vcpu-1gb-fra1-01:~# netstat -ltnup | grep 1194
udp    12288      0 10.19.0.6:1194          0.0.0.0:*                           829/openvpn
root@ghost-s-1vcpu-1gb-fra1-01:~#

In my user.ovpn i have replaced remote droplet-ip 1194 with remote floating-ip 1194

All of the above was on a clean Ubuntu 18.04 install.

Reply Report
  • itai October 13, 2018

    Great, it did the trick.
    Thanks!

    Reply Report
  • cellu October 3, 2019

    hi @X40C and thank you for providing the details. Would you perhaps know why when I run your iptables commands I get iptables: No chain/target/match by that name.? Also by local floating-local-ip(10.19.0.6) you simply mean local 10.19.0.6? And can this be any number as long as it matches with the rule in the iptable?

    Thanks

    Reply Report
    • X40C October 3, 2019

      Heya @cellu that is because the iptables command is trying to remove something that is not there. As for the IP, this is where i got it from i believe: curl –interface [ACNHOR-IP] https://api.ipify.org/

      It’s been a while since i worked on this so memory is kind of a hit and miss. :D

      Reply Report
      • cellu October 5, 2019

        I see! Well thank you already for the reply :)

        I’ll try to explain what I did…

        1) I have enabled and assigned the floating-ip to the droplet
        2) I have installed OpenVPN using angristan’s script
        3) I have found my anchor-ip with curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address (from this)
        4) I have added local anchor-ip in /etc/openvpn/server.conf
        5) I have restarted OpenVPN with systemctl restart openvpn@server.service
        6) I have updated in my local user.ovpn the ip of the floating ip (replacing the line remote with remote floating-ip 1194)

        If I run netstat -anr and netstat -ltnup | grep 1194 everything seems fine. Also if I run curl --interface anchor-ip https://api.ipify.org/ or wget --bind-address=anchor-ip https://api.ipify.org/ I get the correct (floating) ip. I can connect to the vpn fine.

        However, if I hit https://api.ipify.org/ from my browser while connected to the VPN I still get the public ip of the droplet and not the floating one.

        Any ideas on where the issue could be?

        Reply Report
        • cellu October 13, 2019

          Hi @X40C, I managed to get it working! I have been messing around too much with the iptables so there was a mess with the rules… I simply flushed all nat rules and then re-applied iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source anchor-ip and it worked!

          Just if anybody else is interested here’s what I did:

          1. Make sure you have floating ip enabled on the droplet with curl -s http://169.254.169.254/metadata/v1/floating_ip/ipv4/active (if so, will return true)
          2. Get anchor-ip with curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address
          3. Get floating-ip with curl -s http://169.254.169.254/metadata/v1/floating_ip/ipv4/ip_address
          4. Download angristan’s openvpn-install script and run it with ./openvpn-install.sh (uninstall it first if you have it installed already); follow the process providing the anchor-ip for all instances when the ip of the vpn is asked for
          5. Comment out/replace line 1 (iptables -t nat -I POSTROUTING (...)) of both /etc/iptables/rm-openvpn-rules.sh and /etc/iptables/add-openvpn-rules.sh to use instead iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source anchor-ip
          6. (In my case I had some leftover iptables nat rules from previous experiments, so I had to flush the whole thing with iptables -t nat -F)
          7. Add local anchor-ip in /etc/openvpn/server.conf
          8. Restart the server
          9. Update in your local machine the user.ovpn config to connect to the vpn using the floating-ip (replacing the line remote (...) with remote floating-ip 1194)
          10. That’s it! Now if you connect to the vpn and hit https://api.ipify.org/ you should see the floating-ip
          Reply Report
X40C October 9, 2018

Heya,

Maybe this will help you with your task.

Reply Report
ray.moncada March 8, 2019

This is the answer you are looking for: https://blog.programster.org/openvpn-digitalocean-ip-alias

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help