Tunneling a public IP to a remote machine

linux-networking vpn tunnel openvpn static-ip

Solution 1:

I ended up going with the Ethernet bridging. Lots of extremely verbose examples to wade through online, but it turns out to be pretty easy:

First, on A, /etc/network/interfaces was changed from:

auto eth0
iface eth0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121

to:

auto br0
iface br0 inet static
    address 8.8.8.122
    netmask 255.255.255.248
    gateway 8.8.8.121
    pre-up openvpn --mktun --dev tap0
    bridge_ports eth0 tap0
    bridge_fd 3

in order to bridge eth0 (the real WAN interface) with tap0 (a new tunnel interface) at boot.

Then, on A, run the openvpn server with:

openvpn --dev tap0

On B, connect to it with:

openvpn --remote 8.8.8.122 --dev tap0 --route-gateway 8.8.8.121 \
        --redirect-gateway def1 --ifconfig 8.8.8.123 255.255.255.248

That's the super simple config I was looking for, and it works -- B is now publicly accessible at 8.8.8.123, and outgoing connections originate from the same address.

Add security (--secret, --tls-server, etc) as needed, of course.

Solution 2:

You're going to have a hard time I think. Most firewalls will have difficulty routing OpenVPN traffic if both sides of the VPN are in the same subnet.

If you are trying to route for public access, I'd move both servers to different subnets from your public addresses and then use Virtual IPs (1 to 1 Nat) to connect them. To connect the two sites, OpenVPN would work or an IP-Sec tunnel.

Virtual IPs: http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

Site to site: http://doc.pfsense.org/index.php/VPN_Capability_IPsec

Edit based on comments:

I'd personally install pfSense on the A box and give it the port you wanted for its WAN. Then setup an OpenVPN server on a local subnet (which is all ready to go in the pfSense web interface) and setup the other machine with a Virtual IP pointed to its local OpenVPN ip. This would give you room for expansion later (add more machines with Virtual IPs, logically forward specific ports to different servers, really have a full blown LAN/WAN/DMZ setup with OpenVPN for virtual access. Not to mention that you'd have a full blown router so it'd likely be more secure.

Related

How to identify heavy write to disk?
Postfix: Custom Reject Message for Certain Email Adresses
How to corrupt a file system
How can I run Selenium tests on an Ubuntu server?
The most powerful open source web analytics tools? [closed]
What should I know before going live with an InnoDB database?
Can I use nmap to discover IPs and mac addresses?
Design Patterns: Abstract Factory vs Factory Method
Python mysqldb: Library not loaded: libmysqlclient.18.dylib
Android image caching
Database design for a survey [closed]
C# Object Pooling Pattern implementation