Hi,

On 21/09/15 16:15, Nikolaos Milas wrote:
> On 21/9/2015 2:22 PM, debbie...@gmail.com wrote:
>
>> You could use OpenVPN --client-connect script to assign specific
>> iptables NAT rules on a per client basis:
>>
>> Client-connect - client 1:
>> iptables -t nat -A POSTROUTING -s 10.10.112.101/32 -j SNAT --to-source
>> 194.xxx.xxx.151
> Thank you for this idea. I am thinking of using a client-connect script
> with the following logic:
>
> $n = $number_of_clients_connected (before this new one)
> $ip = $((150+n%6))
> $local_ip = $trusted_ip
>
> iptables -t nat -A POSTROUTING -s $local_ip -j SNAT --to-source
> 194.xxx.xxx.$ip
>
> This would assign a session-long public ip address to each client. In
> case there are more than 6 clients connected at the same time, new
> clients will be assigned the same public addresses for a second time, etc.
>
> But: Is there an environment variable to denote
> $number_of_clients_connected ? If there's not, I could deduce it this way:
>
> cat /var/log/openvpn-status.log | awk '/^CLIENT_LIST/{print $1}' | wc -l
>
> (assuming a directive: status /var/log/openvpn-status.log), but this is
> not accurate, because this file is only written once per minute and does
> not guarantee real info.
>
> Any ideas on it?
>

as for using iptables SNAT'ting with a range: this depends a bit on the Linux kernel you are using. If you are using a 3.x or 4.x series kernel in 'tickless' mode then SNAT'ting a range often does not work as expected. A client-connect script would be a much better option in this case.

Unfortunately, there is no env var that contains the number of connected clients. Remember that a lost client-connection does not appear in the status/logs until the client session has expired.

Personally I'd use a simple file-based counter to figure out which source IP address to use:

  # read the last value used (empty on the first run, which counts as 0)
  count=`cat /var/log/clientcount.txt`
  let count++
  # wrap around to the first address after the sixth
  if [ $count -gt 6 ] ; then count=1 ; fi
  echo $count > /var/log/clientcount.txt

HTH,

JJK
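
The file-based counter from the reply above, wired into a complete client-connect / client-disconnect hook, as an added example that is not part of the original thread. It goes beyond the post by locking the counter and deleting the rule on disconnect. The state directory, the `203.0.113` prefix (a placeholder for the elided `194.xxx.xxx`) and all function names are assumptions; `script_type` and `ifconfig_pool_remote_ip` are variables OpenVPN sets for these hooks.

```shell
#!/bin/sh
# Added example (constructed); paths and the public prefix are assumptions.
STATE_DIR="${STATE_DIR:-/var/run/openvpn-snat}"
PUBLIC_PREFIX="${PUBLIC_PREFIX:-203.0.113}"   # placeholder for 194.xxx.xxx
BASE_OCTET=150; POOL_SIZE=6                   # .150-.155; keep POOL_SIZE < 10
IPTABLES="${IPTABLES:-iptables}"
# The address lands in a root-run command and a file name: digits and dots only.
valid_ip() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;; esac
    case "$1" in *.*.*.*) return 0 ;; esac
    return 1
}

# Print the next slot (0..POOL_SIZE-1) and advance the counter. mkdir is
# atomic, so it acts as a lock between simultaneous connects.
next_slot() {
    lock="$STATE_DIR/lock"; tries=0
    mkdir -p "$STATE_DIR" || return 1
    until mkdir "$lock" 2>/dev/null; do
        tries=$((tries + 1)); [ "$tries" -lt 10 ] || return 1; sleep 1
    done
    n=$(cat "$STATE_DIR/count" 2>/dev/null) || n=0
    case "$n" in [0-9]) ;; *) n=0 ;; esac      # missing or corrupt counter
    echo $(( (n + 1) % POOL_SIZE )) > "$STATE_DIR/count"
    rmdir "$lock"
    echo $(( n % POOL_SIZE ))
}
snat() {            # $1 = -A or -D, $2 = client VPN address, $3 = slot
    "$IPTABLES" -t nat "$1" POSTROUTING -s "$2/32" \
        -j SNAT --to-source "$PUBLIC_PREFIX.$((BASE_OCTET + $3))"
}
on_disconnect() {   # delete the rule recorded for this client, if any
    valid_ip "$1" || return 1
    slot=$(cat "$STATE_DIR/client-$1" 2>/dev/null) || return 0
    rm -f "$STATE_DIR/client-$1"
    snat -D "$1" "$slot"
}
on_connect() {      # $1 = client VPN address
    valid_ip "$1" || return 1
    on_disconnect "$1"      # drop a stale rule left by a lost session
    slot=$(next_slot) || return 1
    snat -A "$1" "$slot" && echo "$slot" > "$STATE_DIR/client-$1"
}

# OpenVPN exports script_type and ifconfig_pool_remote_ip to these hooks.
case "${script_type:-}" in
    client-connect)    on_connect "$ifconfig_pool_remote_ip" ;;
    client-disconnect) on_disconnect "$ifconfig_pool_remote_ip" ;;
esac
```

Both the `client-connect` and `client-disconnect` directives would point at this one script. A non-zero exit from the connect hook makes OpenVPN refuse the client, so an unexpected address fails closed.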