9

I have a Linux server A with a block of 5 public IP addresses, 8.8.8.122/29. Currently, 8.8.8.122 is assigned to eth0, and 8.8.8.123 is assigned to eth0:1.

I have another Linux machine B in a remote location, behind NAT. I would like to set up an tunnel between the two so that B can use the IP address 8.8.8.123 as its primary IP address.

OpenVPN is probably the answer, but I can't quite figure out how to set things up (topology subnet or topology p2p might be appropriate. Or should I be using Ethernet bridging?). Security and encryption is not a big concern at this point, so GRE would be fine too -- machine B will be coming from a known IP address and can be authenticated based on that.

How can I do this? Can anyone suggest an OpenVPN config, or some other approach, that could work in this situation? Ideally, it would also be able to handle multiple clients (e.g. share all four of spare IPs with other machines), without letting those clients use IPs to which they are not entitled.

Jim Paris
  • 296

2 Answers2

8

I ended up going with the Ethernet bridging. Lots of extremely verbose examples to wade through online, but it turns out to be pretty easy:

First, on A, /etc/network/interfaces was changed from:

auto eth0
iface eth0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121

to:

auto br0
iface br0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121
    pre-up openvpn --mktun --dev tap0
    bridge_ports eth0 tap0
    bridge_fd 3

in order to bridge eth0 (the real WAN interface) with tap0 (a new tunnel interface) at boot.

Then, on A, run the openvpn server with:

openvpn --dev tap0

On B, connect to it with:

openvpn --remote 8.8.8.122 --dev tap0 --route-gateway 8.8.8.121 \
        --redirect-gateway def1 --ifconfig 8.8.8.123 255.255.255.248

That's the super simple config I was looking for, and it works -- B is now publicly accessible at 8.8.8.123, and outgoing connections originate from the same address.

Add security (--secret, --tls-server, etc) as needed, of course.

Jim Paris
  • 296
1

You're going to have a hard time I think. Most firewalls will have difficulty routing OpenVPN traffic if both sides of the VPN are in the same subnet.

If you are trying to route for public access, I'd move both servers to different subnets from your public addresses and then use Virtual IPs (1 to 1 Nat) to connect them. To connect the two sites, OpenVPN would work or an IP-Sec tunnel.

Virtual IPs: http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

Site to site: http://doc.pfsense.org/index.php/VPN_Capability_IPsec

Edit based on comments:

I'd personally install pfSense on the A box and give it the port you wanted for its WAN. Then setup an OpenVPN server on a local subnet (which is all ready to go in the pfSense web interface) and setup the other machine with a Virtual IP pointed to its local OpenVPN ip. This would give you room for expansion later (add more machines with Virtual IPs, logically forward specific ports to different servers, really have a full blown LAN/WAN/DMZ setup with OpenVPN for virtual access. Not to mention that you'd have a full blown router so it'd likely be more secure.

Robert
  • 511