Routing public IPs to a LAN behind a dynamic IP connection with OpenVPN and ipfw policy-based routing

I have just needed to route a range of public IP addresses to the LAN behind my home connection, which has a dynamic IP. I tried GRE first but could not get my crappy 20 EUR home router to pass GRE packets, so I gave OpenVPN a try, with success:

Data center router: route packets for 217.172.172.0/26 to 217.172.1.1

Linux box (217.172.1.1) in data center acting as OpenVPN server. server.conf:

# push "redirect-gateway def1 bypass-dhcp"
server 10.10.10.0 255.255.255.0
route 217.172.172.0 255.255.255.192
client-config-dir /etc/openvpn/clients

The redirect-gateway line is commented out because we do not want the OpenVPN client to send all of its traffic through the OpenVPN server. 10.10.10.0/24 can be any private (RFC 1918) range.

/etc/openvpn/clients/DEFAULT:

iroute 217.172.172.0 255.255.255.192

This will make 217.172.172.0/26 accessible from the internet through OpenVPN.

That’s it for the server side. netstat -nr looks like this:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.10.10.2      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
217.172.172.0    10.10.10.2      255.255.255.192 UG        0 0          0 tun0
10.10.10.0      10.10.10.2      255.255.255.0   UG        0 0          0 tun0

Client (FreeBSD) at home:

em0:
192.168.1.2: For connectivity to home router
217.172.172.1/26: one public IP address

No special configuration is needed. Just start the OpenVPN client and the server will push the necessary routes to the client. netstat -nr after the client is up and running:

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS     16570 911365865    em0
10.10.10.1/32      10.10.10.5         UGS         0        0   tun0
10.10.10.5         link#23            UH         39       41   tun0
10.10.10.6         link#23            UHS         0        0    lo0
217.172.172.0/26    link#1             U           0      331    em0
217.172.172.1       link#1             UHS         0        1    lo0

192.168.1.1 = internet gateway (home broadband router)

Now all that is left is to tell ipfw to route packets that have a source address in 217.172.172.0/26 via the OpenVPN link, namely to the tunnel peer 10.10.10.5:

ipfw add 10 fwd 10.10.10.5 ip from 217.172.172.0/26 to any

And that’s it. Finally you can configure machines in your LAN with IPs from 217.172.172.x/26 with gateway 217.172.172.1 and they’ll be fully accessible from the internet. Traffic from the machines to the internet will get routed through OpenVPN.
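To see why the ipfw fwd rule is needed, here is a small added example (not from the original post) that models the FreeBSD client's forwarding decision: a longest-prefix lookup over the routing table shown above, with the ipfw fwd rule applied first. The route entries and the remote address 198.51.100.7 are constructed from the post; the model ignores ipfw rule ordering and the in/out direction of packets.

```python
"""Added example: simulate policy-based routing on the FreeBSD OpenVPN client.
Routes are constructed from the netstat -nr output in the post; 'None' as the
gateway means the destination is directly attached (link#1 / link#23)."""
import ipaddress

FREEBSD_ROUTES = [
    ("0.0.0.0/0",        "192.168.1.1", "em0"),   # default via home router
    ("10.10.10.1/32",    "10.10.10.5",  "tun0"),  # pushed by the OpenVPN server
    ("10.10.10.5/32",    None,          "tun0"),  # tunnel peer, directly attached
    ("217.172.172.0/26", None,          "em0"),   # public /26 on the LAN side
]

# The ipfw rule from the post: fwd 10.10.10.5 ip from 217.172.172.0/26 to any
IPFW_FWD = [("217.172.172.0/26", "0.0.0.0/0", "10.10.10.5")]


def lookup(dst, routes=FREEBSD_ROUTES):
    """Normal FIB lookup: longest-prefix match, returns (gateway_or_None, netif)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, netif in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return (best[1], best[2]) if best else (None, None)


def next_hop(src, dst, fwd_rules=IPFW_FWD, routes=FREEBSD_ROUTES):
    """Policy routing first (ipfw fwd), then the plain route lookup.
    Returns (next_hop_ip, netif); next_hop_ip is dst itself when directly attached."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, gw in fwd_rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            # fwd overrides the FIB: the packet goes to gw on whatever netif reaches gw
            _, netif = lookup(gw, routes)
            return gw, netif
    gw, netif = lookup(dst, routes)
    return (gw or dst), netif


if __name__ == "__main__":
    # Public-sourced traffic leaves via the tunnel only because of the fwd rule;
    # without it, it would hit the home router with a public source address.
    print(next_hop("217.172.172.1", "198.51.100.7"))                 # ('10.10.10.5', 'tun0')
    print(next_hop("217.172.172.1", "198.51.100.7", fwd_rules=[]))   # ('192.168.1.1', 'em0')
    print(next_hop("192.168.1.2", "198.51.100.7"))                   # ('192.168.1.1', 'em0')
```

The model also shows that "to any" matches traffic between two hosts inside 217.172.172.0/26, which this rule would push into the tunnel as well; that case is worth checking on the real box.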