# OpenVPN 2.0.6 and multiple IP addresses



## jedwards (Dec 1, 2009)

Hi all,

I have a /29 subnet of IP addresses from my provider.  I have all 5 usable public IP addresses aliased to the public bge0 interface, as I am using jails on the host.

I have OpenVPN installed on the host, explicitly stating to listen on 1 IP address, but when I use a client to connect to the OpenVPN server, my public address is randomly shown as one of my 5 useable addresses.  NAT is being used for the VPN clients.

From /etc/rc.conf (IP addresses have been changed):

```
ifconfig_bge0="inet 10.10.1.26  netmask 255.255.255.248"
ifconfig_bge0_alias0="inet 10.10.1.27 netmask 255.255.255.248"
ifconfig_bge0_alias1="inet 10.10.1.28 netmask 255.255.255.248"
ifconfig_bge0_alias2="inet 10.10.1.29 netmask 255.255.255.248"
ifconfig_bge0_alias3="inet 10.10.1.30 netmask 255.255.255.248"
```

Is there a way to make sure it ONLY uses the .26 address?

Thanks,
James


----------



## DutchDaemon (Dec 1, 2009)

First, set your IP aliases to netmask 255.255.255.255.

Are you sure OpenVPN is actually bound to a single IP address? Check with sockstat (port is probably 1194).

And I don't get this line:


> when I use a client to connect to the OpenVPN server, my public address is randomly shown as one of my 5 useable addresses


I'm assuming you connect to IP .26, so where do the 5 IPs 'show randomly'?


----------



## jedwards (Dec 1, 2009)

I changed the netmask for the alias interfaces to 255.255.255.255.

OpenVPN is listening on the correct IP address:

```
openvpn  openvpn    7830  5  udp4   10.10.1.26:1194    *:*
```

DutchDaemon said:

> And I don't get this line:
> 
> I'm assuming you connect to IP .26, so where do the 5 IPs 'show randomly'?



I apologize about being unclear on this. If I go to a website, such as whatsmyip.org, it will show a random address ranging from .26 - .30.  If I refresh the page, the IP address will change.  Sometimes it will start with my .28 address, then if I refresh the page, it will change maybe to .27 or .29, but ultimately it will finally show my .26 address.  I hope that this clears that up a bit.


----------



## DutchDaemon (Dec 1, 2009)

Are you NAT'ing to the external interface in general, or to a single IP address on the external interface? In PF, using $ext_if:0 would bind outbound traffic to the primary IP address only, not to any aliases.


----------



## jedwards (Dec 1, 2009)

I will give that a try.  I thought PF may have been the culprit here, because I was just using bge0, not $ext_if:0.

This is what is currently there for the NAT'd clients:

```
ext_if="bge0"
vpn_if="tun0"
vpn_network="10.8.0.0/24"

nat on $ext_if from $vpn_network to any -> ($ext_if)

pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if
```

I thought that it could be pf, but I wasn't sure.  I will change that and see how it goes.  Thanks!


----------



## DutchDaemon (Dec 1, 2009)

I think you can even set the IP address there, so either


```
-> $ext_if:0
```
or even

```
-> 10.10.1.26
```

That way you can associate certain NAT traffic with certain outbound IPs.


----------



## jedwards (Dec 2, 2009)

I went back and changed the nat rules, so now I have:


```
nat on $ext_if from $vpn_network to any -> 10.10.1.26
```

Now everything is working as it should.  Thanks for your assistance!


----------
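Added example (not part of the original thread): a small Python check that reads pf.conf text and reports, for each `nat` rule, whether the translation target is pinned to one address (`$ext_if:0` or a literal IP, as suggested above) or is a bare interface name whose aliases can also be used. The names `audit_nat_rules` and `classify_target` are hypothetical, and the sample ruleset is constructed from the rules posted in the thread.

```python
import re

# Constructed sample: the macros from the thread plus the three NAT forms discussed.
SAMPLE_PF_CONF = '''\
ext_if="bge0"
vpn_if="tun0"
vpn_network="10.8.0.0/24"

nat on $ext_if from $vpn_network to any -> ($ext_if)
nat on $ext_if from $vpn_network to any -> $ext_if:0
nat on $ext_if from $vpn_network to any -> 10.10.1.26
'''

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
NAT_RE = re.compile(r'^\s*nat\b.*->\s*(\S+)')
IPV4_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')


def classify_target(target):
    """Classify a macro-expanded NAT translation target."""
    bare = target.strip('()')
    if IPV4_RE.match(bare) or bare.endswith(':0'):
        return 'pinned'    # literal address, or primary address only
    # Bare interface name: per the thread, aliases are eligible too.
    # Anything unrecognised also lands here so it gets a manual look.
    return 'unpinned'


def audit_nat_rules(pf_conf):
    """Return (line_no, target, verdict) for every nat rule in pf_conf."""
    macros, findings = {}, []
    for line_no, raw in enumerate(pf_conf.splitlines(), start=1):
        line = raw.split('#', 1)[0]          # drop trailing comments
        macro = MACRO_RE.match(line)
        if macro:
            macros[macro.group(1)] = macro.group(2)
            continue
        rule = NAT_RE.match(line)
        if rule:
            expand = lambda v: macros.get(v.group(1), v.group(0))
            target = re.sub(r'\$(\w+)', expand, rule.group(1))
            findings.append((line_no, target, classify_target(target)))
    return findings


if __name__ == '__main__':
    for line_no, target, verdict in audit_nat_rules(SAMPLE_PF_CONF):
        print(f'line {line_no}: -> {target}: {verdict}')
```

Address pools in braces and tables are not parsed; such rules come back as `unpinned` and should be checked by hand.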

