How to achieve multi-user versus multi-IP?

[qwer]

On the server where the VPN is deployed, there are 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 Four public IP addresses and four users of a.b.c.d
How to implement a user VPN login Use 1.1.1.1 IP to access the Internet. c User user VPN login, use 2.2.2.2 IP to access the Internet.

[qwer]

Can anyone help me?

[cmd wh0ami]

Im only guessing here...Cuz I can't wrap my mind around how each user accesses their own public IP. Do they each have their own Network adapter? What are you trying to build VPN's for the IP addresses and thinking it'd be better to have one VPS with multiple public IP's? Rather than rent multiple VPS's...

But if its possible, your going to have to build a bridge to TAP_INTERFACE for each IP. So for each IP your going to need a Virtual Hub and a corresponding TAP_INTERFACE.

Then you'll have to enable forwarding for IPv4 in /etc/sysctl.conf

Code: Select all

# For binary values, 0 is disabled, 1 is enabled.
# To save changes run command  sysctl -p
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Then your going to have install and use dnsmasq to do the DHCP for clients which would take me too long to explain but it would look like this times 4....

Code: Select all

##################################################################################
# SoftEther VPN server dnsmasq.conf
################################################################################## Interface Settings

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=tap_soft

# If you want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces

################################################################################## Options

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=192.168.30.10,192.168.30.255,12h

# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
dhcp-option=3,192.168.30.1

Then you'd have to do forwarding in iptables using NAT so that the traffic goes from the correct interface for each connection.

Code: Select all

# NAT using Local Bridge
# 192.168.30.0/24 = Local Bridge & SoftEther VPN Clients (dnsmasq)
# 192.168.0.12 = SoftEther VPN Server's network interface (Local IP if behind NAT or Public IP of VPS)
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source 192.168.0.12

But when it comes down to it, you better off renting multiple VPS's to get IP's.

[qwer]

我知道你说的原理，但我想要知道如何通过SOFTETHER VPN，来实现一个用户对应一个固定不变的IP.并且IPTABLES SNAT功能还能实现。

[cmd wh0ami]

I've never attempted to try it.... But I would think you would do it by making a Virtual Hub and TAP INTERFACE for each user. Then you would give each TAP INTERFACE a local IP like:

tap_1 = 192.168.30.1 bridge to virtual hub #1
tap_2 = 192.168.31.1 bridge to virtual hub #2
tap_3 = 192.168.32.1 bridge to virtual hub #3
tap_4 = 192.168.33.1 bridge to virtual hub #4

Which I would do in the /etc/init.d/vpnserver script... Ie.

Code: Select all

#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
### END INIT INFO

DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
TAP_1_ADDR=192.168.30.1
TAP_2_ADDR=192.168.31.1
TAP_3_ADDR=192.168.32.1
TAP_4_ADDR=192.168.33.1
TAP_1_INTERFACE=tap_1
TAP_2_INTERFACE=tap_2
TAP_3_INTERFACE=tap_3
TAP_4_INTERFACE=tap_4

test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
sleep 3
######################################################################################
#       Rules for IPTables.
######################################################################################
# Assign $TAP_1_ADDR to our tap interface
/sbin/ifconfig $TAP_1_INTERFACE $TAP_1_ADDR
#
# Assign $TAP_2_ADDR to our tap interface
/sbin/ifconfig $TAP_2_INTERFACE $TAP_2_ADDR
#
# Assign $TAP_3_ADDR to our tap interface
/sbin/ifconfig $TAP_3_INTERFACE $TAP_3_ADDR
#
# Assign $TAP_4_ADDR to our tap interface
/sbin/ifconfig $TAP_4_INTERFACE $TAP_4_ADDR
#
#######################################################################################
#       End of IPTables Rules
#######################################################################################
sleep 3
service dnsmasq start
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
sleep 3
######################################################################################
#       Rules for IPTables.
######################################################################################
# Assign $TAP_1_ADDR to our tap interface
/sbin/ifconfig $TAP_1_INTERFACE $TAP_1_ADDR
#
# Assign $TAP_2_ADDR to our tap interface
/sbin/ifconfig $TAP_2_INTERFACE $TAP_2_ADDR
#
# Assign $TAP_3_ADDR to our tap interface
/sbin/ifconfig $TAP_3_INTERFACE $TAP_3_ADDR
#
# Assign $TAP_4_ADDR to our tap interface
/sbin/ifconfig $TAP_4_INTERFACE $TAP_4_ADDR
#
#######################################################################################
#       End of IPTables Rules
#######################################################################################
sleep 3
service dnsmasq restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

Then you would need to do the same in dnsmasq to give the clients a local IP from each subnet .

Code: Select all

##################################################################################
# SoftEther VPN server dnsmasq.conf
################################################################################## Interface Settings
###### Interface 1

interface=tap_1
dhcp-range=tap_1,192.168.30.10,192.168.30.20,12h
dhcp-option=tap_1,3,192.168.30.1

###### Interface 2

interface=tap_2
dhcp-range=tap_2,192.168.31.10,192.168.31.20,12h
dhcp-option=tap_2,3,192.168.31.1

###### Interface 3

interface=tap_3
dhcp-range=tap_3,192.168.32.10,192.168.32.20,12h
dhcp-option=tap_3,3,192.168.32.1

###### Interface 4

interface=tap_4
dhcp-range=tap_4,192.168.33.10,192.168.33.20,12h
dhcp-option=tap_4,3,192.168.33.1

################################################################################## End

Then you would need to enable IPv4 forwarding in sysctl.conf

Code: Select all

# For binary values, 0 is disabled, 1 is enabled.
# To save changes run command  sysctl -p
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Then you would need to use nat in iptables to forward the packets to the correct places.

Code: Select all

# NAT using Local Bridge
# 192.168.30.0/24 = Local Bridge & SoftEther VPN Clients (dnsmasq)
# 11.11.11.11 = SoftEther VPN Server's network interface (Local IP if behind NAT or Public IP of VPS)
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source 11.11.11.11

iptables -t nat -A POSTROUTING -s 192.168.31.0/24 -j SNAT --to-source 22.22.22.22

iptables -t nat -A POSTROUTING -s 192.168.32.0/24 -j SNAT --to-source 33.33.33.33

iptables -t nat -A POSTROUTING -s 192.168.33.0/24 -j SNAT --to-source 44.44.44.44

[qwer]

谢谢，我大概明白原理了，我马上去实现。

[qwer]

你好，没有实现。
我建立了4个HUB分别对应192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 192.168.40.0/24

34 iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 58.82.243.21
35 iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -j SNAT --to-source 58.82.243.38
36 iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source 58.82.243.51
37 iptables -t nat -A POSTROUTING -s 192.168.40.0/24 -j SNAT --to-source 58.82.243.183
38 echo "1">/proc/sys/net/ipv4/ip_forward
麻烦看看什么问题
---------------------------------------
58.82.243.183
子网掩码：255.255.255.128
网 关：58.82.243.129
系统类型：CentOS6
系统账号：root
系统密码：sjd3hyug-

[cmd wh0ami]

You only have 1 public IP address...
网 关：58.82.243.129 ssh times out

Code: Select all

eth0      Link encap:Ethernet  HWaddr 00:24:EC:F0:F4:EC
          inet addr:58.82.243.183  Bcast:58.82.243.255  Mask:255.255.255.128
          inet6 addr: fe80::224:ecff:fef0:f4ec/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:179425 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41762 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16569425 (15.8 MiB)  TX bytes:6850978 (6.5 MiB)

eth1      Link encap:Ethernet  HWaddr 00:24:EC:F0:F4:ED
          inet addr:192.168.1.35  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::224:ecff:fef0:f4ed/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4422 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:401848 (392.4 KiB)  TX bytes:7111 (6.9 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:367 errors:0 dropped:0 overruns:0 frame:0
          TX packets:367 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:146165 (142.7 KiB)  TX bytes:146165 (142.7 KiB)

[root@localhost ~]#

[qwer]

[root@localhost ~]# ping 58.82.243.129
PING 58.82.243.129 (58.82.243.129) 56(84) bytes of data.
64 bytes from 58.82.243.129: icmp_seq=1 ttl=254 time=0.373 ms
64 bytes from 58.82.243.129: icmp_seq=2 ttl=254 time=0.279 ms
^C
--- 58.82.243.129 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1053ms
rtt min/avg/max/mdev = 0.279/0.326/0.373/0.047 ms
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:24:ec:f0:f4:ec brd ff:ff:ff:ff:ff:ff
inet 58.82.243.183/25 brd 58.82.243.255 scope global eth0
inet 58.82.243.21/25 brd 58.82.243.127 scope global eth0
inet 58.82.243.38/25 brd 58.82.243.127 scope global secondary eth0
inet 58.82.243.51/25 brd 58.82.243.127 scope global secondary eth0


[root@localhost ~]# ls /usr/local/https/
Authors.txt packet_log
backup.vpn_server.config ReadMeFirst_Important_Notices_cn.txt
chain_certs ReadMeFirst_Important_Notices_en.txt
code ReadMeFirst_Important_Notices_ja.txt
hamcore.se2 ReadMeFirst_License.txt
https security_log
lang.config server_log
lib vpncmd
Makefile vpn_server.config
[root@localhost ~]# /usr/local/https/https status
SoftEther VPN Server service program
Copyright (c) SoftEther VPN Project. All Rights Reserved.

vpnserver command usage:
vpnserver start - Start the SoftEther VPN Server service.
vpnserver stop - Stop the SoftEther VPN Server service if the service has been already started.

58.82.243.183 443 HUB DEFAULT password 123456

[qwer]

ping 58.82.243.129
PING 58.82.243.129 (58.82.243.129) 56(84) bytes of data.
64 bytes from 58.82.243.129: icmp_seq=1 ttl=254 time=0.373 ms
64 bytes from 58.82.243.129: icmp_seq=2 ttl=254 time=0.279 ms
^C
--- 58.82.243.129 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1053ms
rtt min/avg/max/mdev = 0.279/0.326/0.373/0.047 ms
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:24:ec:f0:f4:ec brd ff:ff:ff:ff:ff:ff
inet 58.82.243.183/25 brd 58.82.243.255 scope global eth0
inet 58.82.243.21/25 brd 58.82.243.127 scope global eth0
inet 58.82.243.38/25 brd 58.82.243.127 scope global secondary eth0
inet 58.82.243.51/25 brd 58.82.243.127 scope global secondary eth0
inet6 fe80::224:ecff:fef0:f4ec/64 scope link
ls /usr/local/https/
Authors.txt packet_log
backup.vpn_server.config ReadMeFirst_Important_Notices_cn.txt
chain_certs ReadMeFirst_Important_Notices_en.txt
code ReadMeFirst_Important_Notices_ja.txt
hamcore.se2 ReadMeFirst_License.txt
https security_log
lang.config server_log
lib vpncmd
Makefile vpn_server.config
[root@localhost ~]# /usr/local/https/https status
SoftEther VPN Server service program
Copyright (c) SoftEther VPN Project. All Rights Reserved.

vpnserver command usage:
vpnserver start - Start the SoftEther VPN Server service.
vpnserver stop - Stop the SoftEther VPN Server service if the service has been already started.
----------------------------------------------

58.82.243.183 default hub password 123456

thank you very much!!!!!

[qwer]

every one can help me?

[thisjun]

Did you try creating NAT?