Routing public IPs to a LAN behind a dynamic IP connection with OpenVPN and ipfw policy-based routing

I’ve just had the need to route a range of public IP addresses to the LAN behind my home connection (dynamic IP). I tried GRE at first but couldn’t get my crappy 20 EUR home router to pass GRE packets. So I gave OpenVPN a try, with success:

Data center router: route packets for 217.172.172.0/26 to 217.172.1.1

Linux box (217.172.1.1) in data center acting as OpenVPN server. server.conf:

# push "redirect-gateway def1 bypass-dhcp"
server 10.10.10.0 255.255.255.0
route 217.172.172.0 255.255.255.192
client-config-dir /etc/openvpn/clients

We’ve commented out the redirect-gateway line because we do not want the OpenVPN client to send all of its traffic through the OpenVPN server. 10.10.10.0/24 can be any RFC 1918 private range, really.

/etc/openvpn/clients/DEFAULT:

iroute 217.172.172.0 255.255.255.192

This will make 217.172.172.0/26 accessible from the internet through OpenVPN.

That’s it for the server side. netstat -nr looks like this:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.10.10.2      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
217.172.172.0    10.10.10.2      255.255.255.192 UG        0 0          0 tun0
10.10.10.0      10.10.10.2      255.255.255.0   UG        0 0          0 tun0

Client (FreeBSD) at home:

em0:
192.168.1.2: For connectivity to home router
217.172.172.1/26: one public IP address

No special configuration is needed. Just start the OpenVPN client and the server will push the important stuff to the client. netstat -nr after the client is up and running:

Destination         Gateway            Flags    Refs       Use  Netif Expire
default             192.168.1.1        UGS     16570 911365865    em0
10.10.10.1/32       10.10.10.5         UGS         0         0   tun0
10.10.10.5          link#23            UH         39        41   tun0
10.10.10.6          link#23            UHS         0         0    lo0
217.172.172.0/26    link#1             U           0       331    em0
217.172.172.1       link#1             UHS         0         1    lo0

192.168.1.1 = internet gateway (home broadband router)

Now all that is left is to tell ipfw to route packets which have a source address in 217.172.172.x/26 via the OpenVPN link, namely 10.10.10.5:

ipfw add 10 fwd 10.10.10.5 ip from 217.172.172.0/26 to any

And that’s it. Finally you can configure machines in your LAN with IPs from 217.172.172.x/26 with gateway 217.172.172.1 and they’ll be fully accessible from the internet. Traffic from the machines to the internet will get routed through OpenVPN.
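As an added illustration (not part of the original post), here is a small Python model of the client's routing decision, built from the netstat -nr output and ipfw rule 10 above. It assumes the net30 layout shown (10.10.10.5 is the tun peer) and uses 198.51.100.7 as a constructed sample internet address; it shows why the fwd rule is needed and that the OpenVPN session itself, sourced from 192.168.1.2, is not affected by it.

```python
import ipaddress

# Routing table constructed from the client's "netstat -nr" output in the post:
# (destination, gateway or None when directly connected, interface)
CLIENT_ROUTES = [
    ("0.0.0.0/0",        "192.168.1.1", "em0"),   # default via home router
    ("10.10.10.1/32",    "10.10.10.5",  "tun0"),  # OpenVPN server end
    ("10.10.10.5/32",    None,          "tun0"),  # tun point-to-point peer
    ("10.10.10.6/32",    None,          "lo0"),   # our own tun address
    ("217.172.172.0/26", None,          "em0"),   # public /26 on the LAN
    ("217.172.172.1/32", None,          "lo0"),   # our own public alias
]
# ipfw rule 10 from the post: fwd 10.10.10.5 ip from 217.172.172.0/26 to any
FWD_RULES = [("217.172.172.0/26", "0.0.0.0/0", "10.10.10.5")]

def destination_route(dst):
    """Longest-prefix match, i.e. what the kernel does without any fwd rule.
    Returns (next_hop, interface); a directly connected host is its own hop."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifname in CLIENT_ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return (best[1] or str(dst)), best[2]

def next_hop(src, dst):
    """Policy routing as ipfw fwd does it: a matching rule replaces the next
    hop, and the packet leaves on whatever interface reaches that hop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, fwd_to in FWD_RULES:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return fwd_to, destination_route(fwd_to)[1]
    return destination_route(dst)

if __name__ == "__main__":
    # 198.51.100.7 is a constructed (documentation-range) internet address.
    # LAN host with a public IP reaching the internet: tunnelled, not NATed.
    print(next_hop("217.172.172.10", "198.51.100.7"))  # ('10.10.10.5', 'tun0')
    # The OpenVPN session itself is sourced from 192.168.1.2, so it still
    # leaves via the home router and the tunnel stays up.
    print(next_hop("192.168.1.2", "217.172.1.1"))      # ('192.168.1.1', 'em0')
    # Without rule 10 the LAN packet would leak out via the home router.
    print(destination_route("198.51.100.7"))           # ('192.168.1.1', 'em0')
    # In this model the rule also catches the box's own replies to LAN hosts.
    print(next_hop("217.172.172.1", "217.172.172.10")) # ('10.10.10.5', 'tun0')
```

The last call shows that, in this model, rule 10 also matches packets sent from 217.172.172.1 to hosts on the LAN itself; adding `not dst-ip 217.172.172.0/26` to the rule (my suggestion, not on the page) keeps LAN-local traffic out of the tunnel.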

6 thoughts on “Routing public IPs to a LAN behind a dynamic IP connection with OpenVPN and ipfw policy-based routing”

  1. Lauren Weinstein

    Trying to make this work in a very similar topology (Linux on the client end, so iptables and/or ipchains, depending on the box). So far, no luck getting the public /24 to appear on the clients at the far end. Wondering what we’re missing! Any ideas appreciated! Thanks.

  2. Areeb

    Trying to follow this, but once I assign the remote router IP to my NIC the VPN tunnel goes down, the tap0 disappears, and even manually bringing it back up does not fix things.

    I am using Centos on both ends with br0 (bridged NICs) and the remote side is not the router but has a public IP on the same subnet as the router.

    Any hints or more information would be greatly appreciated in achieving the same thing (being able to use remote public IPs on the LAN).

    Cheers

  3. Areeb

    Trying this on FreeBSD; do you think you could be more specific about the exact commands needed to set up the client end? Also, iroute is deprecated and does not work on newer clients.

    Thanks for any advice

  4. Areeb

    Trying this on FreeBSD: once I assign the remote gateway as an alias to em0, the problem becomes that I lose connectivity to the VPN. There must be some routing or ipfw rules that are required and are missing.

    Any detailed update would be much appreciated and willing to pay.

  5. Areeb

    Just another update: basically I have the same problem on Linux. The problem is that when you have the remote gateway assigned on your LAN NIC, it is hard to send traffic for it back over the VPN tunnel. It seems the system treats it as local and does not forward it on; I have tried via routing rules, iptables in Linux and ipfw in FreeBSD.
