4

I've a server running openvpn, and I have a little issue.

All my traffic is forwarded to the VPN, and when I use a website like "whatismyip" I see the server IP, so this part is working.

But when I connect to a site hosted on the same server as the VPN, I see my real IP address instead of a local IP address such as 10.8.0.2 (in apache2 logs).

Can someone help me to fix that issue?

Clem
  • 41
  • 2
  • Are you connecting to the site on the local VPN server using the local network address or are you using your ISP ip address? – Peter May 26 '12 at 23:41
  • You really ought to be posting some OpenVPN configs if you want a definitive answer. – Magellan May 27 '12 at 01:41
  • Are you trying to route the traffic to VPN server through VPN? – Hex May 26 '12 at 23:46

1 Answer

2

In order to route all traffic through the VPN server, the VPN client sets the default route for the client machine to the tunnel device. However, the outgoing encrypted packets created by the VPN client need to be routed directly to the VPN server (and not back into the VPN client), and so there is a specific route created to the VPN server going out the local gateway. The routing table looks something like this (where 1.2.3.4 is the VPN server's public IP):

192.168.0.0/24 dev eth0     # Local network
1.2.3.4/32 via 192.168.0.1  # Route to VPN server
default via 10.8.0.2        # Everything else via VPN client

When you access another service on the VPN server it is matched by that specific route and routed directly onto the Internet.

There are a couple of ways to address this:

  1. Use the VPN server's private IP when accessing the other services on it (e.g. 10.8.0.1 instead of 1.2.3.4). Ideally this would be done with a DNS server on the VPN server providing split DNS to VPN clients.
  2. Use a dedicated IP address for the VPN server.
  3. Configure port-based policy routing on the client so only packets destined for the VPN server on the VPN port number are routed directly onto the Internet.
mgorven
  • 30,615
  • 7
  • 79
  • 122
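As an added illustration (this is not part of mgorven's answer or of OpenVPN itself), the Python below simulates the two routing decisions the answer describes: the plain longest-prefix lookup, where the /32 host route to the VPN server captures every packet to 1.2.3.4 regardless of port, and the port-based policy lookup of option 3, where only the VPN transport itself (assumed here to be UDP port 1194, OpenVPN's default) leaves via the LAN gateway and everything else, including HTTP to the server's public address, goes into the tunnel. The interface names, addresses and table layout are constructed to match the answer's example table; the web port 80 check in the test is likewise an assumption.

```python
import ipaddress

# Constructed values, mirroring the answer's example routing table.
VPN_SERVER = ipaddress.ip_address("1.2.3.4")   # VPN server's public IP
VPN_PORT = 1194                                # assumed OpenVPN port (the default)
VPN_PROTO = "udp"                              # assumed OpenVPN transport

# A routing table is a list of (prefix, outgoing device).
# Plain table, as the VPN client normally installs it: the host route to the
# VPN server sits next to the default route into the tunnel.
PLAIN_TABLE = [
    (ipaddress.ip_network("192.168.0.0/24"), "eth0"),  # local network
    (ipaddress.ip_network("1.2.3.4/32"), "eth0"),      # host route to VPN server via LAN gateway
    (ipaddress.ip_network("0.0.0.0/0"), "tun0"),       # everything else via the VPN
]

# Option 3: the host route is moved out of the main table into a separate
# table that only packets matching the policy rule are allowed to consult.
MAIN_TABLE = [
    (ipaddress.ip_network("192.168.0.0/24"), "eth0"),
    (ipaddress.ip_network("0.0.0.0/0"), "tun0"),
]
DIRECT_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),       # default via the LAN gateway
]


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def policy_lookup(dst, proto, dport):
    """Port-based policy routing (option 3 in the answer).

    Only the VPN's own encrypted packets (VPN server address, VPN protocol and
    port) are steered to the direct table; all other traffic, including a web
    request to the server's public address, follows the main table into tun0.
    """
    if ipaddress.ip_address(dst) == VPN_SERVER and proto == VPN_PROTO and dport == VPN_PORT:
        return lookup(DIRECT_TABLE, dst)
    return lookup(MAIN_TABLE, dst)


if __name__ == "__main__":
    # Plain routing: HTTP to the server's public IP bypasses the tunnel,
    # so Apache on the server logs the client's real address.
    print("plain, web to server:", lookup(PLAIN_TABLE, "1.2.3.4"))        # eth0
    # Policy routing: only the VPN transport bypasses the tunnel.
    print("policy, vpn transport:", policy_lookup("1.2.3.4", "udp", 1194))  # eth0
    print("policy, web to server:", policy_lookup("1.2.3.4", "tcp", 80))    # tun0
```

On a Linux client the policy rule corresponds to marking the OpenVPN packets with iptables in the mangle table (`-j MARK`) and adding an `ip rule add fwmark ... table ...` entry whose table holds the direct default route via the LAN gateway; the main table then keeps only the LAN route and the default route into the tunnel. Note that once option 3 is in place, the server's web service sees the client's tunnel address (10.8.0.2 in the question) rather than the real one, which is the behaviour the question asked for.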