OpenVPN Client IP on LAN

Hi all, probably a very basic question.

I have OpenVPN set up and functional (diagram at bottom) on an Ubuntu 16 machine. I am able to connect to the VPN and then PuTTY into the private IP of Linode 2. However, when I do a `who`, it shows my OpenVPN server IP (192.168.200.10) instead of my client IP (172.18.0.10).

I have IP forwarding turned on.

What am I missing? Would appreciate being pointed in the right direction. I glimpsed at the Linode docs and couldn't find anything.

Relevant Configs

linode01:~# sudo sysctl -p
net.ipv4.ip_forward = 1
linode01:~# head -n 20 /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to wlp11s0 (change to the interface you discovered!)
-A POSTROUTING -s 172.18.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

"Very Detailed" Network Diagram

[network diagram image not available]

3 Replies

The POSTROUTING rule you added to the NAT table causes Linode 1 to SNAT the outgoing traffic before it goes to Linode 2, i.e., change the source address to make it look like the connection is coming from Linode 1. This is expected.

That makes sense. My goal is to have the assigned IP from OpenVPN (e.g. User A gets assigned 172.18.0.10) show on Linode 2 instead of the NIC from Linode 1. I'll look some more into the POSTROUTING rules.

I am assuming that my end goal is standard behavior in networks, as you want to be able to keep track, on the different VMs, of who is doing what (instead of matching timestamps to OpenVPN logs etc.).

I believe on Azure when I set this up, the only additional item I did was a next hop for 172.18.0.0/24 to the OpenVPN box for machines in the subnet. Now, as Linode doesn't have a similar setup, I would go onto each VM (such as Linode 2) and set the next hop for 172.18.0.0/24 to the private IP of my OpenVPN server.

Thanks for your time; any additional input is always appreciated.

Since the IP of the OpenVPN subnet is not local to Linode 2, it needs to be routable on that Linode. You would have to add a route to Linode 2 saying that traffic to 172.18.x.x goes through gateway 192.168.200.10. IP forwarding must be enabled on Linode 1, and the NAT rule disabled. On the OpenVPN end, the VPN server must be configured to push to clients the route to 192.168.200.x.

Then the following would happen:

1) A packet from 172.18.0.10 to 192.168.200.20 would be routed over the VPN into Linode 1

2) The packet will exit the VPN on Linode

3) Linode 1 will look up the destination in its local routing table and forward the packet to Linode 2 as is

4) Linode 2 will accept the packet and process it, yielding a response where the addresses are inverted

5) Linode 2 will route the packet to Linode 1 because its routing table tells it to do so

6) Linode 1 will forward the packet back to the VPN because OpenVPN configured its routing table to do so
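The six steps above, as an added hop-by-hop simulation (not code from the thread or from OpenVPN): it runs the client's SSH packet and Linode 2's reply through each host's routing table, with and without the MASQUERADE rule and with and without the extra route on Linode 2. The tun0 server address 172.18.0.1 and the upstream gateway 192.168.200.1 are assumed; neither appears in the thread.

```python
import ipaddress

CLIENT, VPN_GW = "172.18.0.10", "172.18.0.1"           # tun0 ends (server address assumed)
LINODE1, LINODE2 = "192.168.200.10", "192.168.200.20"  # private LAN, eth0
ADDRS = {"client": {CLIENT}, "linode1": {VPN_GW, LINODE1}, "linode2": {LINODE2}}
OWNER = {a: h for h, addrs in ADDRS.items() for a in addrs}

def lookup(table, dst):  # longest-prefix match over (prefix, next_hop, iface) entries
    ip, best = ipaddress.ip_address(dst), None
    for prefix, nh, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else (best[1], best[2])

def build_tables(linode2_route):
    """Routing tables of the three hosts; next_hop None means on-link. 192.168.200.1 is an assumed upstream gateway."""
    tables = {
        "client": [("172.18.0.0/24", None, "tun0"), ("192.168.200.0/24", VPN_GW, "tun0")],  # pushed route
        "linode1": [("172.18.0.0/24", None, "tun0"), ("192.168.200.0/24", None, "eth0"),
                    ("0.0.0.0/0", "192.168.200.1", "eth0")],
        "linode2": [("192.168.200.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.200.1", "eth0")],
    }
    if linode2_route:  # the fix: ip route add 172.18.0.0/24 via 192.168.200.10 on Linode 2
        tables["linode2"].append(("172.18.0.0/24", LINODE1, "eth0"))
    return tables

def deliver(tables, src, dst, masquerade=False, max_hops=6):
    """Carry one packet hop by hop; return (host that received it or None, source address as received)."""
    host = OWNER[src]
    for _ in range(max_hops):
        if dst in ADDRS[host]:
            return host, src
        nh, iface = lookup(tables[host], dst) or (None, None)
        if iface is None:
            return None, src
        if masquerade and host == "linode1" and iface == "eth0":
            src = LINODE1  # -A POSTROUTING -s 172.18.0.0/24 -o eth0 -j MASQUERADE
        nxt = nh or dst
        if nxt not in OWNER:  # handed to the upstream gateway, which will not carry 172.18/24 back
            return None, src
        host = OWNER[nxt]
    return None, src

def round_trip(masquerade, linode2_route):
    """(source address Linode 2 sees, whether Linode 2's reply reaches the client)."""
    tables = build_tables(linode2_route)
    host, seen = deliver(tables, CLIENT, LINODE2, masquerade)
    # with MASQUERADE the reply is addressed to Linode 1, whose conntrack entry un-NATs it onto tun0
    back = "client" if masquerade else deliver(tables, LINODE2, CLIENT)[0]
    return seen, host == "linode2" and back == "client"
```

Removing the NAT rule alone makes Linode 2 see 172.18.0.10 but sends its replies to the default gateway, which is why the route on Linode 2 is required as well.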
