OpenVPN not masking users public IP (to the public IP of the gateway)



  • I cannot for the life of me figure this out.
    I connect to my OpenVPN server using Viscosity and can browse the internet fine, and access the firewall / internal IPs AND their external hostnames, but when it comes to locking directories etc. down via public IP, I need to be able to have each connected client show the same public IP, not their current ISP-provided ones.

    Here's my setup:

        Server mode: Remote Access (SSL/TLS + User Auth)
        Backend for authentication:  Local Database
        Protocol: UDP
        Device mode:  tun
        Interface: WAN1
        Local port: 1194
    
        IPv4 Tunnel Network: 10.8.255.0/24
        IPv6 Tunnel Network: Blank
        IPv4 Local network(s): 10.8.1.0/24,10.8.2.0/24,10.8.3.0/24 (Management, VMs, Storage)
        IPv6 Local network(s): Blank
        Concurrent connections: 5
    
        Duplicate Connection: Yes
    
        Dynamic IP: Yes
        Address Pool Provide a virtual adapter IP...: Yes
        Topology: Subnet - One IP address per client in a common subnet
        DNS Server enable Provide a DNS server list to clients
        DNS Server 1  8.8.8.8
        DNS Server 2  8.8.4.4
    
        Verbosity level: 3
    

    Currently I'm on my Bell Canada (Canadian ISP) connection, my public IP is 1.1.1.1, if I connect to my OpenVPN I can access my private network but if I go to whatismyip.org, I still have an address of 1.1.1.1 not 1.2.3.4.

    On some of my webservers I have nginx access rules set up on a subdirectory (admin directories) restricting it via IP - (example.org can be accessed anywhere on the internet, example.org/admin can only be accessed via my public IP of my office, but I'd like to open it to any of my VPN users).

    I should clarify the pfSense box is handling both my IP assignments / NAT for all of my virtual machines, and hypervisors, as well as the OpenVPN service.

    When "Redirect Gateway" is unchecked I have the option to define IPv4 Local network(s), which I have defined as "10.8.1.0/24,10.8.2.0/24,10.8.3.0/24", this allows me access to each of my storage, vm, and management networks.

    When I enable "Redirect Gateway" that option is removed so I cannot access any network but the network pfSense is on (the IPv4 Tunnel Network of 10.8.255.0/24).

    I've tried pushing a route via the custom option box, but no luck:

    push "route 10.8.1.0 255.255.255.0";
    push "route 10.8.2.0 255.255.255.0";
    push "route 10.8.3.0 255.255.255.0";

    No DNS resolution while connected still, and I cannot access any defined subnet on the firewall that isn't the SAME subnet as the firewall (10.8.255.0).

    I will note that I've tried "DNS Server enable" and provided Google's public resolvers (8.8.8.8, 8.8.4.4) and I still cannot get outbound DNS resolution working when "Redirect Gateway" is enabled.

    To summarize what I need:

    My public IP to be that of the OpenVPN server (pfSense firewall)
    To be able to access all three subnets on my network (above)
    To be able to have outbound DNS resolution so I can still browse the internet while on VPN
    To be able to go to websites I host on the LAN side of the firewall (at some point while I was picking around with settings, if I went to example.org when connected to VPN, which is in my external DNS provider as the public IP but of course being NAT'd to an internal IP controlled by the pfSense firewall, I was redirected to the firewall's admin page.)



  • Any assistance would be appreciated.



  • I think you need TAP Mode not TUN Mode to hide your IP.

    https://community.openvpn.net/openvpn/wiki/BridgingAndRouting



  • You don't need to use TAP, TUN will work.

    When you set the VPN server as default gateway (redirect gateway) your public IP will be the WAN IP of the VPN server.

    Can you ping all the remote networks you want to be able to reach from your pfSense? Do the remote networks you want to reach use the pfSense as default gateway? Depending on your setup, you may hit your remote networks OK but they do not have a route back to your VPN client range.
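    Two things in this thread can be checked mechanically before reconnecting clients: the quoting of the pushed directives (the curly quotes a web editor substitutes are not parsed by OpenVPN), and the link the reply above draws between a pushed redirect-gateway and the client's public IP. The script below is an added example, not code from the thread, pfSense or OpenVPN; it lints the text one would paste into the pfSense Custom options box. The `lint` and `fix_quotes` names and the sample option strings are constructed for this example.

```python
"""Lint OpenVPN 'push' directives as pasted into pfSense's Custom options box.

Checks for: non-ASCII (smart) quotes that OpenVPN will not parse, a missing
redirect-gateway push (client keeps its ISP default route, so its public IP
does not change), a missing DNS push alongside redirect-gateway, and local
networks that have no pushed route when redirect-gateway is not used.
Sample inputs below are constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# Quote characters that word processors and web editors substitute for ASCII ".
SMART_QUOTES = "\u201c\u201d\u2033\u2018\u2019"
_QUOTE_FIX = str.maketrans({c: '"' for c in SMART_QUOTES})


def fix_quotes(custom_options: str) -> str:
    """Replace smart quotes with the ASCII double quote OpenVPN expects."""
    return custom_options.translate(_QUOTE_FIX)


def split_directives(custom_options: str) -> List[str]:
    """pfSense accepts ';' or newlines as separators between custom options."""
    return [p.strip() for p in re.split(r"[;\n]", custom_options) if p.strip()]


def parse_push(directive: str) -> Optional[Tuple[str, List[str]]]:
    """Return (option, args) for a well-formed push "..." directive, else None."""
    m = re.fullmatch(r'push\s+"([^"]*)"', directive)
    if not m:
        return None
    tokens = m.group(1).split()
    if not tokens:
        return None
    return tokens[0], tokens[1:]


def lint(custom_options: str, local_networks: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings (empty list means nothing to report)."""
    findings: List[str] = []
    directives = split_directives(custom_options)

    # 1. Smart quotes: the directive is silently not a valid push.
    for d in directives:
        if any(c in SMART_QUOTES for c in d):
            findings.append(f"non-ASCII quote in directive (OpenVPN will not parse it): {d}")

    # Collect the pushes that do parse.
    pushed = {}
    for d in directives:
        parsed = parse_push(d)
        if parsed:
            pushed.setdefault(parsed[0], []).append(parsed[1])

    # 2. Without redirect-gateway the client's internet traffic stays on its ISP
    #    default route, so its public IP is unchanged (as the reply above notes).
    redirect = "redirect-gateway" in pushed
    if not redirect:
        findings.append("no 'redirect-gateway' push: client keeps its ISP default route, public IP unchanged")

    # 3. With redirect-gateway, clients should be handed a resolver they can
    #    reach through the tunnel; otherwise name resolution depends on their
    #    own resolver still answering from behind the tunnel.
    dns = [a for a in pushed.get("dhcp-option", []) if a and a[0].upper() == "DNS"]
    if redirect and not dns:
        findings.append("redirect-gateway without 'dhcp-option DNS': no resolver pushed to clients")

    # 4. Without redirect-gateway, each internal network needs its own route.
    routes = {(a[0], a[1]) for a in pushed.get("route", []) if len(a) >= 2}
    if not redirect:
        for net, mask in local_networks:
            if (net, mask) not in routes:
                findings.append(f"local network {net}/{mask} has no pushed route")
    return findings


# Constructed samples: the smart-quoted lines as they appear when pasted from a
# web page, and a corrected set with redirect-gateway and DNS pushed.
SAMPLE_BAD = 'push \u201croute 10.8.1.0 255.255.255.0\u2033;\npush \u201croute 10.8.2.0 255.255.255.0\u2033;'
SAMPLE_GOOD = ('push "redirect-gateway def1"; push "dhcp-option DNS 8.8.8.8"; '
               'push "dhcp-option DNS 8.8.4.4"; push "route 10.8.1.0 255.255.255.0"')
LOCAL_NETS = [("10.8.1.0", "255.255.255.0"), ("10.8.2.0", "255.255.255.0")]

if __name__ == "__main__":
    for label, text in (("as pasted", SAMPLE_BAD), ("quotes fixed", fix_quotes(SAMPLE_BAD)), ("corrected", SAMPLE_GOOD)):
        print(f"--- {label} ---")
        for f in lint(text, LOCAL_NETS) or ["ok"]:
            print(f)
```

    Running it on the smart-quoted lines reports both quoting errors, the missing redirect-gateway and both missing routes; after `fix_quotes` only the redirect-gateway finding remains, and the corrected set reports nothing.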

