NaDre

faking static local VPN address using --client-nat and --ifconfig


 

 

I would like to be able to specify a fixed local IP address for the "TAP-Windows Adapter V9" interface, which would be the same for any server I log onto. This could be specified in a fashion similar to how forwarded ports are set up.

 

I believe it is possible to specify a client-specific local IP address when configuring the OpenVPN server?

 

I want this because I use the VPN only for my torrent clients. After starting the VPN I add 4 routing table entries with a 192.0.0.0 net mask to put back my default gateway. Then I configure the torrent clients to use the VPN. Unfortunately uTorrent requires me to specify the full IP address of the IP interface to use (no way to just identify the IP interface). This is only a minor nuisance, but still an irritation.

 

Thanks for the opportunity to ask for this.

 

If you add these routes with OpenVPN directives, look at the OpenVPN docs about the "route" directive: you can use "vpn_gateway" as alias of the assigned VPN IP, so it doesn't matter if they are dynamic.

Note that we recently implemented custom directives in our configuration generator.

Feel free to open a separate topic for this if you need more help.

 

Anyway, a new client 2.0 is under development. It provides the user the option to choose a range of IP (route) and choose if it must be tunneled or not. So, detection of the VPN IP interface is done automatically.

Note: the new client will be released for Windows, Linux and OSX, under GPL.

 

 

I am already aware of "vpn_gateway" and have been using it to set up custom routes for quite a while now. And before you added "prefix" and "custom directives" to the config generator (again thanks for this) I just used a bash script to rename and modify the files myself. This is not the issue.

 

The issue is that I have to change the IP address in my uTorrent instances when I change servers.

 

As I have said, I can live without this. But I want to be sure that the issue is clear.

 

===

 

I have looked at using a combination of "--client-nat snat|dnat network netmask alias" and "--ifconfig l rn", in order to fake a static IP address. If there was an alias (similar to "vpn_gateway") for "network" in "client-nat", I think this might be possible. But there is no such alias, so far as I can see. Also, I am not sure whether "client-nat" will work on Windows. Do you guys have any advice to offer here?

 

 

UPDATE:

 

The procedure below in "Original Post" NO LONGER WORKS due to changes to the configuration of the AirVPN servers made on March 27, 2015. They switched from topology "net30" to "subnet".

 

I got it to work again after some changes. I am not sure that anyone else wants to know. But I will provide a bit of an update.

 

For reference, the documentation for OpenVPN configuration directives is here:

 

https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

 

The configuration change involves dropping the "client" line in the configuration files, and replacing it with:

tls-client
dhcp-option DNS 10.44.0.1
route-gateway 10.44.0.1
ifconfig 10.44.0.2 10.44.0.1
client-nat snat 10.44.0.2 255.255.255.255 10.4.8.227
client-nat dnat 10.44.0.1 255.255.255.255 10.4.0.1
client-nat dnat 10.44.0.0 255.255.255.255 10.4.0.0

Here "10.4.8.227" is the local address and "10.4.0.1" is the remote gateway address that the server "would have" told the OpenVPN client to configure its IP interface to.

 

The "client" directive (which combines "tls-client" plus "pull") has been changed to "tls-client" in order to be allowed to use the "ifconfig" directive. There is unfortunately no "ifconfig-nopull" option comparable to the "route-nopull" option. But then the problem is that without "client"/"pull", the client does not ask the server for the local and remote addresses. But if we connect first using the "client" option, then we can make a note of what these addresses are (they will not change again for a long time once the server assigns them), and edit the configuration. We can also examine the OpenVPN log to see the response to the "pull" request that came from the server to see what sorts of directives we may need to add in place of the "pull". The response I receive from AirVPN looks like this.

PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.8.227 255.255.0.0'
 

Because there is now no "pull" directive, I also have to provide the rest of the options that "would have" been sent by the server. These are: 

redirect-gateway def1 bypass-dhcp
comp-lzo no
topology subnet
ping 10
ping-restart 60

Note that the configuration options will be the same for all servers, except for the one line containing "10.4.8.227", which will be different for each server.

 

Original Post:

 

I saw one or two other people ask about having a fixed local VPN address, so I thought I would mention that I have been able to get pretty much the same effect just by configuring the OpenVPN client on my PC.

 

I use this OpenVPN configuration together with the technique I described in my post "Guide to Setting Up VPN Just for Torrenting on Windows":

 

https://airvpn.org/topic/9491-guide-to-setting-up-vpn-just-for-torrenting-on-windows/?do=findComment&comment=10317

 

This is a bit brief. I can provide more explanation if someone asks for it.

 

For reference, the documentation for OpenVPN configuration directives is here:

 

https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

 

The configuration change involves dropping the "client" line in the configuration files, and replacing it with:

tls-client
ifconfig 10.4.88.2 10.4.88.1
client-nat snat 10.4.88.2 255.255.255.255 10.4.15.126
client-nat dnat 10.4.88.1 255.255.255.255 10.4.15.125

Here "10.4.15.126" is the local address and "10.4.15.125" is the remote address that the server "would have" told the OpenVPN client to configure its IP interface to.

 

I use the address "10.4.88.2" as the bind address in my bittorrent clients (which I never have to change now). You can use anything here that does not conflict with AirVPN. I hope that my choice does not conflict with AirVPN, but I cannot be certain. I could go to a completely different subnet like "10.88.0.0/16", but then I would have to modify my Windows firewall settings. So I will wait until I see a problem.

 

The "client" directive (which combines "tls-client" plus "pull") has been changed to "tls-client" in order to be allowed to use the "ifconfig" directive. There is unfortunately no "ifconfig-nopull" option comparable to the "route-nopull" option. But then the problem is that without "client"/"pull", the client does not ask the server for the local and remote addresses. But if we connect first using the "client" option, then we can make a note of what these addresses are (they will not change again for a long time once the server assigns them), and edit the configuration. We can also examine the OpenVPN log to see the response to the "pull" request that came from the server to see what sorts of directives we may need to add in place of the "pull". The response I receive from AirVPN looks like this.

PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.?.10 10.4.?.9'

Because there is now no "pull" directive, I also have to set up the routing table myself. These are the directives for that (contents of file "common\myroute.ovpni" in what follows):

route-nopull
redirect-gateway def1
route   0.0.0.0 192.0.0.0 net_gateway
route  64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

Note that these routing directives do not provide access to the AirVPN DNS server (the parts of the "pull" response containing 10.4.0.1 relate to using AirVPN's DNS server), because I use my own DNS server running on my PC to avoid DNS leaks. See this post:

 

https://airvpn.org/topic/9289-dns-leaks-and-how-to-fix-them/?do=findComment&comment=9978

 

To preserve routability to the AirVPN DNS server you would also need to add this line to "common\myroute.ovpni":

route 10.4.0.1

To avoid having to edit the configuration by hand, when I use the "client" directive I also use an "up" directive to run a script which edits the OpenVPN configuration. So the first time I connect to a server, my IP interface will not be set to the IP address I want. But once I disconnect and reconnect, it will be. And it will be from then on. The OpenVPN directives for this are (contents of file "common\no_nat.ifconfig" in what follows):

client
script-security 2
up 'common\\myipconfig.bat'

The file "common\\myipconfig.bat" is my "up" script. It looks like this:

@rem echo up script called ...
@rem echo arguments: %0 %*
@rem echo Í%
@rem set
@rename %config%.ifconfig %config%.ifconfig_no_nat
@echo config common/nat.ifconfig > %config%.ifconfig
@echo client-nat snat 10.4.88.2 255.255.255.255 %ifconfig_local% >> %config%.ifconfig
@echo client-nat dnat 10.4.88.1 255.255.255.255 %ifconfig_remote% >> %config%.ifconfig
@echo up script replaced file %config%.ifconfig

Here is an example of what it produces (in "1_AirVPN_SG-Wasat_UDP-443.ovpn.ifconfig"):

config common/nat.ifconfig 
client-nat snat 10.4.88.2 255.255.255.255 10.4.15.126 
client-nat dnat 10.4.88.1 255.255.255.255 10.4.15.125 

The original file "1_AirVPN_SG-Wasat_UDP-443.ovpn.ifconfig" (see below) gets renamed to "1_AirVPN_SG-Wasat_UDP-443.ovpn.ifconfig_no_nat" rather than overwritten so that I can easily restore the "pre-NAT" configuration in order to obtain the addresses from the server again if I think they may have changed.

 

The file "common\nat.ifconfig" referred to in the "up" script contains this:

tls-client
ifconfig 10.4.88.2 10.4.88.1
comp-lzo no
topology net30
ping 10
ping-restart 60

Note that these directives do not configure the VPN interface to use the AirVPN DNS server (the parts of the "pull" response containing 10.4.0.1 relate to using AirVPN's DNS server), because I use my own DNS server running on my PC to avoid DNS leaks. See this post:

 

https://airvpn.org/topic/9289-dns-leaks-and-how-to-fix-them/?do=findComment&comment=9978

 

To use the AirVPN DNS server you would also need to add this line to "common\nat.config":

dhcp-option DNS 10.4.0.1

For information on writing ".bat" scripts see:

 

http://technet.microsoft.com/en-us/library/bb490954.aspx

 

I also use a .bat script to modify the configuration files I get from AirVPN. My .bat script looks like this:

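@echo off
rem Keep the untouched AirVPN files in _backup and rebuild each .ovpn from them.
if not exist _backup mkdir _backup
for %%f in (*.ovpn) do (
  echo %%f
  move "%%f" _backup > nul
  rem The new .ovpn first includes the per-server .ifconfig file and the shared routes,
  echo config %%f.ifconfig > "%%f"
  echo config common/myroute.ovpni >> "%%f"
  rem then the original directives, minus any line that starts with "client".
  findstr /b /v /c:client "_backup\%%f" >> "%%f"
  rem Start with the pull-based include; the "up" script replaces it after the first connect.
  echo config common/no_nat.ifconfig > "%%f.ifconfig"
)
pause

Here is a sample of what it produces (in "1_AirVPN_SG-Wasat_UDP-443.ovpn"):
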
config 1_AirVPN_SG-Wasat_UDP-443.ovpn.ifconfig 
config common/myroute.ovpni 
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Sunday 2nd of June 2013 07:45:51 PM
# OpenVPN Client Configuration
# 1_AirVPN_SG-Wasat_UDP-443
# --------------------------------------------------------

dev tun
proto udp
remote 119.81.1.126 443
resolv-retry infinite
nobind
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
explicit-exit-notify 5
ca "ca.crt"
cert "1_user.crt"
key "1_user.key"

And also (in "1_AirVPN_SG-Wasat_UDP-443.ovpn.ifconfig"):

config common/no_nat.ifconfig 

Brief, as I said. I just wanted to provide enough stuff that someone with a technical orientation could use this post to get a jump start on setting up their own scheme.

 

In case anyone wants to try this, I have attached a zip file ("AirVPN_NAT_config.zip") with the files that I have shown above. This is what is in the top folder:

08/06/2013  10:23 AM    <DIR>          common
04/06/2013  10:41 PM               285 _reprocess_config_files.bat
08/06/2013  10:24 AM                 0 __1 copy config files here
08/06/2013  10:24 AM                 0 __2 run reprocess script
08/06/2013  10:26 AM                 0 __3 copy this folder to OpenVPN config folder

And this is what is in the "common" sub-folder:

04/06/2013  10:35 PM               416 myipconfig.bat
17/05/2013  08:44 PM               195 myroute.ovpni
02/06/2013  10:36 AM               144 nat.ifconfig
04/06/2013  10:26 PM                53 no_nat.ifconfig

I use Windows 7. When the "up" script gets run on Windows 7, the message from it goes into the OpenVPN log. I tested this on Windows Vista (I did not try Windows XP), and there the output from the "up" script appears to get dropped. This would make troubleshooting any changes you might want to make more difficult.

 

                                                                                                               

 

I find myself thinking at this point I could have called this post "(Stupid?) OpenVPN Configuration Tricks". So let me share one last trick that I use. I have a second AirVPN member account which I use to stream video from one country while at the same time running my torrent clients over the account I use for P2P, via some other country. In order to do this I need to configure the routing table so as not to conflict with the entries made by the first connection, while making the gateway for the second connection the default gateway. To do this I add these OpenVPN directives:

route-nopull
redirect-private def1
route   0.0.0.0 224.0.0.0
route  32.0.0.0 224.0.0.0
route  64.0.0.0 224.0.0.0
route  96.0.0.0 224.0.0.0
route 128.0.0.0 224.0.0.0
route 160.0.0.0 224.0.0.0
route 192.0.0.0 224.0.0.0
route 224.0.0.0 224.0.0.0
route 10.4.0.1

UPDATE:

 

I should also have pointed out that you need a second "TAP-Windows Adapter" interface in order to have a second connection at the same time. You can install an additional adapter by running (as "Administrator" - right mouse-click on the script to see the option to do this) this script:

 

"C:\Program Files\TAP-Windows\bin\addtap.bat"

 

 

AirVPN_NAT_config.zip
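
The conversion described in the UPDATE above (connect once with "client", read the PUSH_REPLY from the log, then write the static directives by hand), as an added Python example that is not part of the original post or its zip file. The function names are hypothetical, the alias addresses are the ones the post uses, and the script handles only "topology subnet": any other pushed topology raises an error, which is how a server-side change like the one of March 27, 2015 would show up.

```python
import ipaddress
import re

# Fixed aliases that local applications bind to (values from the post's UPDATE).
ALIAS_LOCAL = "10.44.0.2"
ALIAS_GW = "10.44.0.1"
HOST_MASK = "255.255.255.255"

# Log line quoted in the post, captured while still connecting with "client".
SAMPLE_LOG = ("PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 "
              "bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,"
              "topology subnet,ping 10,ping-restart 60,ifconfig 10.4.8.227 255.255.0.0'")

def parse_push_reply(log_line):
    """Split a PUSH_REPLY log line into [name, arg, ...] lists (hypothetical helper)."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log_line)
    if m is None:
        raise ValueError("log line carries no PUSH_REPLY")
    return [opt.split() for opt in m.group(1).split(",") if opt.strip()]

def network_of(address, netmask):
    """Network address of address/netmask, as a dotted string."""
    return str(ipaddress.IPv4Network(f"{address}/{netmask}", strict=False).network_address)

def static_directives(log_line):
    """Directives that replace "client" for a server pushing "topology subnet"."""
    opts = parse_push_reply(log_line)
    pushed = {opt[0]: opt[1:] for opt in opts}
    # The layout below only matches subnet; a server-side topology change must fail loudly.
    if pushed.get("topology") != ["subnet"]:
        raise ValueError(f"unsupported topology: {pushed.get('topology')}")
    local, netmask = pushed["ifconfig"]
    gateway = pushed["route-gateway"][0]
    out = ["tls-client",
           f"ifconfig {ALIAS_LOCAL} {ALIAS_GW}",
           f"client-nat snat {ALIAS_LOCAL} {HOST_MASK} {local}",
           f"client-nat dnat {ALIAS_GW} {HOST_MASK} {gateway}",
           f"client-nat dnat {network_of(ALIAS_LOCAL, netmask)} {HOST_MASK} "
           f"{network_of(local, netmask)}"]
    for name, *args in opts:
        if name == "ifconfig":
            continue  # replaced by the alias ifconfig above
        # Options naming the real gateway (route-gateway, DNS) point at the alias instead.
        out.append(" ".join([name] + [ALIAS_GW if a == gateway else a for a in args]))
    return out

if __name__ == "__main__":
    print("\n".join(static_directives(SAMPLE_LOG)))
```

Because the static configuration no longer pulls anything, re-running this against a fresh PUSH_REPLY (after temporarily restoring "client") is the way to notice that the server's pushed options have drifted from what was written into the file.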


For anyone that may be interested in this, note that I have expanded the first post and attached a zip file that I hope will make it easier to try this out.


Hey Man,

 

I have followed your Torrent guide perfectly but I am struggling to implement this part. Thanks for the help in constructing these.

 

I assume I add the tls-client and the text below into the config file I get from AirVPN?

 

Then I need to change the "10.4.8.227" in yours to a different IP.

 

Do I connect using the regular config file and whatever IP I get assigned, I swap that with the "10.4.8.227"?

 

Then the other piece of code for redirect-gateway, does that also go in the config file?

