I want to set up a VPN that uses the client’s IP when sending data out of the VPN server. I am able to use either OpenVPN (open-source edition), or Wireguard.

  • computergeek125@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    edit-2
    11 months ago

    Going to summarize a lot of comments here with one - VPNs are very powerful tools that can do lots of things. Traffic can be configured to go in several directions. We really have to know more about your use case to advise you as to what config you might need.

    Going to just write a ton of words on paper here - OP, let me know if any of this sounds like what you’re trying to do, and I can try to give a better explanation (or if something was confusing, let me know).

    VPN that uses the client’s IP when sending data out of the VPN server

    That’s the specific sentence I’m getting caught on myself. It could mean several things, some of which have been mentioned, some haven’t.

    • Site to site VPN: Two (generally) fixed devices operate a VPN connection between them and utilize some form of non-NAT routing so that every child device behind each site sees it’s “real” counterpart without getting NATed. However, NAT is typically still configured for IPv4 facing the internet, so each device shows an internet “exit IP” matching the site it’s on. Typically, the device with the most powerful / most stable / most central / least restrictive would be the receiver, while the other nodes would be initiators pointed to that receiver. In larger maps, you could build multiple hub/spoke systems as needed.

    • Sub-type of site to site possible: where one site tunnels all of its data over to the second site, and the second site is the one that provides NAT. This is similar in nature to how GL.Inet routers operate their VPN switch, but IMHO more powerful of you have greater control over the server compared to subscribing to a public VPN service. Notably for you example, the internet NAT exit device can be either the initiator or the receiver.

    • Normal VPN but without NAT: this is another possible expansion of what you’ve written, with one word adjusted - it operates the VPN but preserves the client IP as it’s entering the network. This is how most corporate remote access VPNs operate, since it would be overloaded and pointless to have every remote worker from a small pool of IP addresses when you don’t even need to use a NAT engine for intranet.

    My remote access VPN for my home lab is of the latter type, and I have a few of the sites to site connections floating around with various protocols.

    For mine, I have two VPN servers: one internal server that works tightly with my home firewall, and one remote server running inside a VPS. Both the firewall and VPS apply NAT rules to egress traffic, but internal bound traffic is not NATed and simply passed along the site to site connections to wherever it needs to go. My home-side remote access VPN is simply a “dumb” VPN server that has the VPN protocol port forwarded back to it and passes almost raw traffic to the firewall for processing.

    For routing, since each VPN requires its own subnet, I use FRR with a mixture of OSPF and iBGP (depending on how old the link is)

    For VPN protocols, I currently am using strongSwan for IPsec, but it’s really easy to slap OpenVPN onto that routing stack I already set up and have the routes propagate inward.

    • tester1121 (moved)@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      11 months ago

      I think that it’s similar to the “Normal VPN without NAT”, but I want it to preserve the client IP all the way through to the server that the client wants to connect to (in other words, the website that the client wants to access will receive the IP of the client, not the VPN server).

      • r00ty@kbin.life
        link
        fedilink
        arrow-up
        3
        ·
        11 months ago

        So there’s three problems you are very likely to encounter.

        1. Most providers now almost certainly filter their egress for netblocks under their control to prevent ip spoofing. So it’s likely the packets would never make it out at all.

        2: if it does work the return path would be over the normal Internet route and not via the vpn. Only the sent packets would go via the vpn host.

        3: if the client is behind nat the router will not recognise the response packets as belonging to an open connection and will drop them.

        I’m really not sure what your intention is.

      • computergeek125@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        11 months ago
        1. Where is the server located? Are you looking at an intranet location or internet?

        2. Is the client connected to the VPN concentrator via IPv4 or IPv6?

        3. Is the VPN concentrator connected to the server via IPv4 or IPv6?

        What you ask may be possible depending on those answers.