On 21/9/2015 6:17 PM, Jan Just Keijser wrote:
> A client-connect script would be a much better option in this case.
> Unfortunately, there is no env var that contains the number of
> connected clients. Remember that a lost client-connection does not
> appear in the status/logs until the client session has expired.
> Personally I'd use a simple file-based counter to figure out which
> source IP address to use:
>
> count=`cat /var/log/clientcount.txt`
> let count++
> if [ $count -lt 6 ] ; then count=1 ; fi
> echo $count > /var/log/clientcount.txt

Thank you Jan, I like your suggestion. (By the way, how did you get the output of the env variables you listed?)

If we start from a value of 0 in the file (though it could be anything in the range 0-5), I understand the script then should be:

    count=`cat /var/log/clientcount.txt`
    let count++
    if [ $count -eq 6 ] ; then count=0 ; fi
    echo $count > /var/log/clientcount.txt

(Note: -eq and not -lt.) Right?

Then, the last octet of the public IP address to assign (in our case) would be: (150 + $count).

I would also like to mention that the local_ip to use in the iptables statement should not be the $trusted_ip but the $ifconfig_pool_local_ip, which, however, is not available at client-connect time, so the script should be run as a learn-address script. Please correct me if I'm wrong, or suggest otherwise.
[Ref.: https://openvpn.net/archive/openvpn-users/2004-10/msg00780.html]

Also, the iptables statement should be removed on client disconnect, so I imagine the whole setup as follows:

learn-address script:
---------------------
    #!/bin/bash
    count=`cat /var/log/clientcount.txt`
    let count++
    if [ $count -eq 6 ] ; then count=0 ; fi
    echo $count > /var/log/clientcount.txt
    ip=$((150+count))
    local_ip=$ifconfig_pool_local_ip
    remote_ip=$trusted_ip
    iptables -t nat -A POSTROUTING -s $local_ip -j SNAT --to-source 194.xxx.xxx.$ip
    # save the matching delete command for the client-disconnect script
    remove_nat_command="iptables -t nat -D POSTROUTING -s $local_ip -j SNAT --to-source 194.xxx.xxx.$ip"
    echo $remove_nat_command > /var/log/openvpn/$remote_ip.txt
    exit 0

client-disconnect script:
-------------------------
    #!/bin/bash
    remote_ip=$trusted_ip
    client_info_file=/var/log/openvpn/$remote_ip.txt
    if [ -f "$client_info_file" ]
    then
        # run the saved "iptables -D" command, then remove the file
        sh "$client_info_file"
        rm -f "$client_info_file"
    fi
    exit 0

Nick
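
Added example, not part of the original post or of OpenVPN: the file-based counter from this message with a lock, so two clients connecting at the same moment cannot read the same value, and with the SNAT rule rebuilt from a validated address and slot rather than saved as a command line that is executed later. It assumes flock(1) is installed; PUBLIC_PREFIX is a documentation-range placeholder for the elided 194.xxx.xxx prefix, and next_slot, valid_ipv4 and snat_args are hypothetical helper names.

```shell
#!/bin/sh
# Placeholder prefix (TEST-NET-3); stands in for the 194.xxx.xxx prefix in the post.
PUBLIC_PREFIX="${PUBLIC_PREFIX:-203.0.113}"
BASE_OCTET=150   # from the post: last octet = 150 + count
POOL_SIZE=6      # from the post: count wraps at 6, so it stays in 0-5

# next_slot FILE: read, advance and store the counter under an exclusive lock.
next_slot() {
    (
        flock -x 9 || exit 1                     # serialise concurrent script runs
        count=$(cat "$1" 2>/dev/null) || count=0
        case $count in                           # a pool of 6 only needs one digit
            [0-9]) [ "$count" -lt "$POOL_SIZE" ] || count=0 ;;
            *) count=0 ;;                        # missing or corrupted file: restart
        esac
        count=$(( (count + 1) % POOL_SIZE ))
        echo "$count" > "$1"
        echo "$count"
    ) 9>"$1.lock"
}

# valid_ipv4 ADDR: succeed only for a plain dotted quad with octets 0-255.
valid_ipv4() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*) return 1 ;; esac         # no leading zeros
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# snat_args LOCAL_IP SLOT: print the rule arguments shared by -A and -D.
# Store only SLOT per client; on disconnect rebuild the same arguments, e.g.
#   iptables -t nat -D $(snat_args "$local_ip" "$slot")
snat_args() {
    valid_ipv4 "$1" || return 1
    case $2 in
        [0-9]) [ "$2" -lt "$POOL_SIZE" ] || return 1 ;;
        *) return 1 ;;
    esac
    echo "POSTROUTING -s $1 -j SNAT --to-source $PUBLIC_PREFIX.$((BASE_OCTET + $2))"
}
```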