Hello,
I really need help with my VPN server.
I have a VPN server (SoftEther) currently installed on my EC2 instance (OS: Ubuntu).
I have 2 virtual hubs, each of which I have already local-bridged to a separate tap interface.
My concern is how to set a public IP for those tap interfaces (I should have 2 public IP addresses since I have 2 tap devices).
Kindly need step by step how to get it done.
Thank you.
How to set public IP for tap devices
- Posts: 125
- Joined: Sun Jul 16, 2017 6:58 pm
Re: How to set public IP for tap devices
I use dnsmasq to push public IPs to the clients connecting to the tap interface. To push a public IP to the tap interface itself I use the /etc/init.d/vpnserver script, adding the code below.
Code:
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
IPV6_ADDR=fc00:0:2ac:7af1::1
IPV6_SUBNET=fc00:0:2ac:7af1::/64
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
- Posts: 4
- Joined: Tue Nov 27, 2018 4:20 am
Re: How to set public IP for tap devices
Thanks for the response.
Do you mind sharing with me, step by step, how to push the public IP from dnsmasq?
If we are already using dnsmasq, should we still use the script that you've provided?
Thanks
- Posts: 125
- Joined: Sun Jul 16, 2017 6:58 pm
Re: How to set public IP for tap devices
1st you install dnsmasq...
Code:
yum install dnsmasq
Then you change the dnsmasq.conf to dnsmasq.backup to get it out of the way.
Code:
mv /etc/dnsmasq.conf /etc/dnsmasq.backup
Then you make a dnsmasq.conf like this.
Code:
##################################################################################
# SoftEther VPN server dnsmasq.conf
##################################################################################
# Interface Settings
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=tap_soft
# If you want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces
##################################################################################
# Options
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
# The range stops at .254 so the /24 broadcast address (.255) is never leased.
dhcp-range=192.168.30.10,192.168.30.254,12h
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
dhcp-option=3,192.168.30.1
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
no-poll
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
no-resolv
# Disable re-use of the DHCP servername and filename fields as
# extra option space. This makes extra space available in the
# DHCP packet for options but can, rarely, confuse old or broken
# clients. This flag forces "simple and safe" behavior to avoid
# problems in such a case.
dhcp-no-override
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
enable-ra
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing.
dhcp-range=::100,::1ff,constructor:tap_soft,64,12h
##################################################################################
# External DNS Servers
# Use these DNS servers for incoming DNS requests = Cloudflare
server=1.1.1.1
server=1.0.0.1
# Use these IPv6 DNS Servers for lookups = Cloudflare
server=2606:4700:4700::1111
server=2606:4700:4700::1001
#########################################
##################################################################################
# Client DNS Servers
# Let's send these DNS Servers to clients.
# The first IP is the IPv4 address that is already assigned to tap_soft
# Set IPv4 DNS server for client machines
dhcp-option=option:dns-server,192.168.30.1,1.1.1.1
# Send DHCPv6 option for nameservers as the machine running
# dnsmasq and another.
dhcp-option=option6:dns-server,[fc00:0000:2ac:7af1::1],[2606:4700:4700::1111]
#########################################
Then you make a /etc/init.d/vpnserver init script like this.
Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides: vpnserver
# Required-Start: $network $remote_fs
# Required-Stop: $network $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_ADDR=192.168.30.1
TAP_INTERFACE=tap_soft
IPV6_ADDR=fc00:0:2ac:7af1::1
IPV6_SUBNET=fc00:0:2ac:7af1::/64
test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
# Give vpnserver time to create the tap device before addressing it.
sleep 3
######################################################################################
# Tap interface addressing.
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
# End of tap interface addressing.
#######################################################################################
sleep 3
service dnsmasq start
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 3
######################################################################################
# Tap interface addressing.
######################################################################################
# Assign $TAP_ADDR to our tap interface
/sbin/ifconfig $TAP_INTERFACE $TAP_ADDR
#
# IPv6
# This is the IP we use to reply DNS requests.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_ADDR
#
# Without assigning the whole /64 subnet, Softether doesn't give connecting clients IPv6 addresses.
/sbin/ifconfig $TAP_INTERFACE inet6 add $IPV6_SUBNET
#
#######################################################################################
# End of tap interface addressing.
#######################################################################################
sleep 3
service dnsmasq restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
Then you enable forwarding for IPv4 and IPv6 in sysctl.conf
Code:
vi /etc/sysctl.conf
then add this to the config file.
Code:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1
and load the changes by
Code:
sysctl -p
Then you restart the vpnserver.
Code:
service vpnserver restart
Then you finish it off with some NAT in iptables
Code:
# NAT using Local Bridge
# 192.168.30.0/24 = Local Bridge & SoftEther VPN Clients (dnsmasq)
# 192.168.0.12 = SoftEther VPN Server's network interface (Local IP if behind NAT or Public IP of VPS)
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source 192.168.0.12
# NAT using Local Bridge
# fc00:0000:2ac:7af1::/64 = Local Bridge & SoftEther VPN Clients (dnsmasq)
# 2603:6001:3c8a:700:596a:2ebc:472:7be6 = SoftEther VPN Server's network interface Global Unicast
ip6tables -t nat -A POSTROUTING -s fc00:0000:2ac:7af1::/64 -j SNAT --to-source 2603:6001:3c8a:700:596a:2ebc:472:7be6
If you can't figure it out from this... You might want to stick with SecureNAT and the virtual DHCP server function.
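The walkthrough above covers a single tap (tap_soft). The original poster has two hubs bridged to two taps, and the pieces that must not be copy-pasted verbatim for the second hub are the dhcp-range, the router/DNS options and the SNAT rule. The script below is an added example, not code from the thread or from SoftEther: it renders those per-hub pieces for any number of taps, ties each range's options to its own range with dnsmasq's set:/tag: mechanism, restricts SNAT to the uplink so hub-to-hub traffic is not rewritten, and refuses to emit anything if two hubs share a subnet or a source address. The tap names, /24s, the uplink name `eth0` and the two source addresses are constructed placeholders. On EC2 the `--to-source` address is the (secondary) private IP that an Elastic IP is associated with; AWS maps it to the public address at the VPC edge, so the Elastic IP itself is never configured on the instance.

```shell
#!/bin/sh
# Added example (not from the forum thread): generate per-hub dnsmasq lines
# and addressing/SNAT commands for several SoftEther tap interfaces.
# All names and addresses are constructed placeholders.

UPLINK=eth0   # assumed name of the instance's uplink interface

# hub_dnsmasq TAP PREFIX
# PREFIX is the first three octets of the hub's /24 (e.g. 192.168.30).
# set:/tag: bind the router and DNS options to this range only; with one
# range (as on the page) dnsmasq picks it by interface address, but with
# two ranges an untagged dhcp-option=3 would be sent to both hubs.
hub_dnsmasq() {
    printf 'interface=%s\n' "$1"
    printf 'dhcp-range=set:%s,%s.10,%s.254,12h\n' "$1" "$2" "$2"
    printf 'dhcp-option=tag:%s,3,%s.1\n' "$1" "$2"
    printf 'dhcp-option=tag:%s,option:dns-server,%s.1\n' "$1" "$2"
}

# hub_nat TAP PREFIX SRC
# Address the tap and SNAT only traffic leaving via the uplink, so packets
# routed between the two hubs keep their real source addresses.
hub_nat() {
    printf '/sbin/ifconfig %s %s.1 netmask 255.255.255.0\n' "$1" "$2"
    printf 'iptables -t nat -A POSTROUTING -s %s.0/24 -o %s -j SNAT --to-source %s\n' \
        "$2" "$UPLINK" "$3"
}

# plan TAP:PREFIX:SRC ...
# Validates that no two hubs share a subnet or a source address (the usual
# mistake when the tap_soft block is duplicated for a second hub), then
# prints the dnsmasq fragment followed by the shell commands.
# Returns 1 on a collision without printing any configuration.
plan() {
    seen_prefix=""; seen_src=""
    for spec in "$@"; do
        rest=${spec#*:}; prefix=${rest%%:*}; src=${spec##*:}
        case " $seen_prefix " in
            *" $prefix "*) echo "duplicate subnet $prefix" >&2; return 1 ;;
        esac
        case " $seen_src " in
            *" $src "*) echo "duplicate source address $src" >&2; return 1 ;;
        esac
        seen_prefix="$seen_prefix $prefix"; seen_src="$seen_src $src"
    done
    echo "# --- dnsmasq.conf fragment (append to the global settings) ---"
    for spec in "$@"; do
        rest=${spec#*:}
        hub_dnsmasq "${spec%%:*}" "${rest%%:*}"
    done
    echo "# --- addressing and NAT (run from the init script) ---"
    for spec in "$@"; do
        rest=${spec#*:}
        hub_nat "${spec%%:*}" "${rest%%:*}" "${spec##*:}"
    done
}

# Demonstration for two hubs (constructed values).
plan tap_hub1:192.168.30:10.0.0.12 tap_hub2:192.168.31:10.0.0.13
```

The global part of dnsmasq.conf (bind-interfaces, no-resolv, the upstream server= lines) stays as in the post; only the interface, range and option lines are emitted per hub. IPv6 is left out here; extending it means one ULA /64 and one ip6tables SNAT rule per hub in the same pattern.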
- Posts: 4
- Joined: Tue Nov 27, 2018 4:20 am
Re: How to set public IP for tap devices
Thank you so much for your help.