OpenVPN: Route traffic via Remote client
-
Hey, I have been searching for days in forums and pretty much everywhere with no result, so I decided to post and see if it is even possible to do this. What I want to do is route the traffic of my virtual machine(s), which are running on ESXi behind pfSense, through a remote client located in another country, where the virtual machine is a local client (located within my server).
Basically, I want to be able to make pairs of connections where I have Country_Remote_Client and Country_VM_Client, so it can be like this: let's say MX_Remote_Client and MX_VM_Client. What happens here is that traffic of MX_VM_Client, located in my server, will use MX_Remote_Client's IP/connection to exit to the internet. Let's say it is the opposite of normal commercial VPN services: instead of using the server IP, the remote client will be used to share its IP with some VM in my server. Any help will be greatly appreciated, as I am going nuts trying to solve this.
Thanks in advance. Here is an example of what I am trying to achieve:
http://d.pr/i/DZNJ
-
I may be confused.
To simplify this:
You have a machine (physical or VM, doesn't matter) and you want to use OpenVPN such that machine1 can act as a client to machine2 and then share the IP it picks up with other machines? If so, that's easy.
But why do you wish to reverse the order of things?
-
Hello kejianshi, I have ESXi using pfSense. Inside that ESXi I have many machines (VMs); all of this is a single physical server. I then want to send the remote clients (who will share their IP with the VMs) their OpenVPN configs, and then all traffic of the VMs will go through the remote VPN clients, basically using their IP.
I want to reverse the order of things as I need to be able to have access to certain IPs in specific countries, but they cannot be commercial IPs, only residential IPs. I also need to be able to make this happen with ease, so the remote client only needs to install OpenVPN and load the config file, as the remote clients will be users with no technical background who will be leasing me their IP.
Also, as seen in the diagram, they will always be in pairs: MX_Remote_Client will always and only share with MX_VM_Client. If for some reason MX_Remote_Client is not connected, then MX_VM_Client won't have a way to exit to the internet.
Thanks for your help. Any suggestions on how to do this implementation?
-
No. Impossible. I'd suggest that you install pfSense on a cheap embedded device, preload it with the settings you need, an OpenVPN server that is preconfigured and tested by you and a Dynamic DNS client, and send it to them in the mail. Basically, you would be sending them a new router to replace the one they currently use, and this would allow your machines to become a client to that router, grab their IP, and then you could NAT all of your machines behind their IP.
-
Hello, that looks like a great and feasible idea up to the point where they have to replace their router; that just won't work and I don't see that happening. I had something like that in mind before, using a UG802 or some other similar Android dongle. Also, I have seen it working, as one of our admins made a PoF using only Linux and 2 endpoints only, an OpenVPN server and a remote client, and the remote client was then able to share its IP with the OpenVPN server. But we lost the config files after he left, and besides that, it wasn't done using Windows as the remote client. According to him, he was planning on doing the same concept on Windows by enabling internet sharing on the remote client as well and then just doing some iptables routes in the OpenVPN server, but it was never done. So I think it may be tricky but possible in some way, if we already tested something in the past that was able to use some remote IP from the client.
-
That sounds like a lot of configuring and you did say that these end points wouldn't want to be configuring anything.
Here is another option which I have actually already done and might work for you now that we have established in fact that you don't mind a little configuring.
1. This will require that your distant end's computer be a multiprocessor computer with enough RAM to allow you to load VMware onto their machine.
2. Load their computer with TeamViewer. For them, it's an easy click and install. They give you the TeamViewer number and password.
3. You log into their computer with TeamViewer.
4. Load their computer with VMplayer and create a 1 core 500MB VM.
5. You load the VM with pfSense.
6. You install pfSense with OpenVPN in that VM. (1 core at 500MB RAM won't be much drag on most modern computers.)
7. You open a port to that OpenVPN through their router. Should be easy, since you will have desktop access through TeamViewer.
8. Your router on your end becomes a VPN client to the pfSense VM you made on their end and so, you now have their IP.
9. Share that IP with as many of your machines as you like.

I have a current working version of exactly this now. Very reliable, but I only use it as backup.
To them, it just looks like a little black box on their screen that they keep minimized.
-
Hello kejianshi, thanks for the advice, that's what currently is done somehow. I think using DD-WRT may be the solution: as you said, send a cheap device, and as I understand it DD-WRT would support an OpenVPN server, which I would configure previously, then they will use that instead of the router they use now. I would preconfigure it with the user and then just connect using some dyndns service. What is your opinion on that?
Thanks
-
Yep - I'm not sure how much bandwidth you need, but a cheap ($10 or so used) E1000 with a DD-WRT VPN load can act as server or client.
I've had excellent results with them so long as I'm only pulling 5 Mbps or less through it. You can max out their CPUs pretty fast after that, and be sure to put it somewhere where it can breathe. They get warm because OpenVPN is a CPU user.
I would probably use pfSense as a client on your end to the DD-WRT router you send to their end acting as server.
There would just have to be a little cutting and pasting of certs and CA between the two before you sent it.
For dynamic DNS, I have had good luck with dyndns.com but there are MANY that work.
freedns.afraid.org also works.