If you want to have a public IP address, there are two techniques:

- Reserved public IP (high cost)
- Reserved public VPS (lower cost)

This README covers the reserved public VPS technique to get a public IP for a local VM: a public IP on a public VPS is made to point at the local VM.

Requirements:

- Ubuntu 20.04 LTS public VPS
- Ubuntu 20.04 LTS local VM
- OpenVPN
- TCP ingress & egress on the standard ports (22, 80, 443)
- UDP ingress & egress on port 1194
## Execute on the public VPS (with public IP)

```bash
apt update -y && apt-get full-upgrade -y
wget https://git.io/vpn1604 -O openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh
/etc/init.d/openvpn status
/etc/init.d/openvpn start
```

Save the `client.ovpn` generated by the installer, then move it to your local VM.

- For Ubuntu 22.04 -> https://www.cyberciti.biz/faq/ubuntu-22-04-lts-set-up-openvpn-server-in-5-minutes/
## Execute on the local VM (no public IP)

Make sure you have moved the `client.ovpn` from the VPN server to the client VPN VM.

```bash
sudo apt-get install openvpn
sudo openvpn --config /path/to/config.ovpn
```

Or, if you want to keep using the default gateway on your cluster while connected to the VPN:

```bash
sudo openvpn --config /path/to/config.ovpn --route-nopull
```

Or you can define `route-nopull` in your `.ovpn` file. Here `192.168.0.0 255.255.255.0` is the network pool you want to reach through the tunnel (edit the file with `nano .ovpn`):

```
route-nopull
route 192.168.0.0 255.255.255.0
```

Or, for a single IP, where `192.168.0.1 255.255.255.255` is the IP you want to reach:

```
route-nopull
route 192.168.0.1 255.255.255.255
```

If you want to use DNS in a hairpin condition, add this line to your `.ovpn` file:

```
dhcp-option DNS xxx.xxx.xxx.xxx
```
- Check `ifconfig` and make sure `tun0` has an address from the same IP pool on both VMs (server & client). If it does, follow this forwarding tutorial:

- Execute this on the VPN server VM, where:
  - `10.74.130.80` is the `ens33` address of the VPS VPN server
  - `10.8.0.2` is the `tun0` address of the local VPN client VM

```bash
iptables -t nat -A PREROUTING -p tcp --dport 22 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:22
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:443
```

You can add or remove forwarding rules, adjust to your needs. You can read more here.

- You can now access your local VM on ports 22, 80 and 443 via the public IP of the VPS.
You can expose an instance on an OpenStack cluster with:

- Start the OpenVPN server on your OpenVPN server node
- Connect to the OpenVPN server from your OpenStack cluster node
- Make iptables rules on the OpenVPN server node, assuming:
  - `10.8.0.2` is the OpenVPN client IP
  - `10.74.130.80` is the OpenVPN server's internal node IP

```bash
iptables -t nat -A PREROUTING -p tcp --dport 22 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:22
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -d 10.74.130.80 -j DNAT --to-destination 10.8.0.2:443
```

- Make iptables rules on the OpenStack cluster node, assuming:
  - `10.8.0.2` is the `tun0` IP
  - your instance floating IP is `172.24.4.124`

  You can use this for the standard ports (22, 80, 443):

```bash
iptables -t nat -A PREROUTING -p tcp --dport 22 -d 10.8.0.2 -j DNAT --to-destination 172.24.4.124:22
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.8.0.2 -j DNAT --to-destination 172.24.4.124:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -d 10.8.0.2 -j DNAT --to-destination 172.24.4.124:443
```

- Access your OpenStack instance via the public IP of the OpenVPN node
- You can add or remove forwarding rules, adjust to your needs.
- If your instance on OpenStack can't access the Internet, do this on your OpenStack cluster node, assuming `tun0` is the name of your OpenVPN adapter:

```bash
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
```
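The forwarding rules for the VPN server VM above and the two-hop chain on the OpenStack node are the same pattern applied once per hop. The script below is an added example (not from the original README): it generates the rules for one hop together with the `ip_forward` and FORWARD-chain settings a PREROUTING DNAT needs to pass traffic, and checks `iptables -t nat -S PREROUTING` output for missing rules. The addresses and the `br-ex` interface name are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original README. Addresses are assumed:
# 10.74.130.80 = ens33 on the VPS, 10.8.0.2 = client tun0, 172.24.4.124 =
# instance floating IP; br-ex is an assumed name for the OpenStack external bridge.
set -eu

# Emit the commands that forward TCP ports arriving on LISTEN_IP to TARGET_IP.
# Besides the PREROUTING DNAT used in the README, this emits what the DNAT
# needs to actually pass traffic: ip_forward, and a FORWARD accept limited to
# the forwarded ports so nothing else gets forwarded by accident.
dnat_rules() {
  local listen_ip=$1 target_ip=$2 out_if=$3 port; shift 3
  echo "sysctl -w net.ipv4.ip_forward=1"
  for port in "$@"; do
    echo "iptables -t nat -A PREROUTING -p tcp --dport $port -d $listen_ip -j DNAT --to-destination $target_ip:$port"
    echo "iptables -A FORWARD -p tcp -d $target_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  done
  # A client started with --route-nopull does not default-route through the
  # tunnel, so replies would leave via its LAN. Masquerading towards the target
  # on OUT_IF forces replies back through the VPN (the target then logs the VPN
  # gateway address as the source instead of the real client address).
  echo "iptables -t nat -A POSTROUTING -o $out_if -p tcp -d $target_ip -j MASQUERADE"
}

# Read `iptables -t nat -S PREROUTING` output on stdin and report every port of
# the hop LISTEN_IP -> TARGET_IP that has no matching DNAT rule. Returns 1 if
# any are missing, so it can gate a deployment check.
check_dnat() {
  local listen_ip=$1 target_ip=$2 port missing=0 rules; shift 2
  rules=$(cat)
  for port in "$@"; do
    if ! printf '%s\n' "$rules" | grep -Eq -- \
        "-d ${listen_ip}/32 .*--dport ${port} -j DNAT --to-destination ${target_ip}:${port}\$"; then
      echo "missing DNAT: ${listen_ip}:${port} -> ${target_ip}:${port}"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Usage. Note that forwarding --dport 22 on the VPS address also redirects SSH
# to the VPS itself, so keep another management path (e.g. over the VPN) open
# before applying hop 1.
#   Hop 1, on the VPS:            dnat_rules 10.74.130.80 10.8.0.2 tun0 22 80 443 | sudo sh
#   Hop 2, on the OpenStack node: dnat_rules 10.8.0.2 172.24.4.124 br-ex 22 80 443 | sudo sh
#   Verify hop 1:                 sudo iptables -t nat -S PREROUTING | check_dnat 10.74.130.80 10.8.0.2 22 80 443
```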
- Sometimes iptables does not work on certain public VPS providers. You can try alternative forwarding rule commands. If the alternative iptables rules do not work either, you can use an Nginx reverse proxy. This is an example Nginx proxy block, assuming:
  - you do this on your VPN server node
  - `10.8.0.2` is the client VPN IP
  - `app.bignetlab.com` is the example domain endpoint

```bash
nano /etc/nginx/sites-enabled/default
```

```nginx
# Plain HTTP: redirect everything to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name app.bignetlab.com www.app.bignetlab.com;
    return 301 https://$host$request_uri;
}

# HTTPS: terminate TLS on the VPS and proxy to the VPN client.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.bignetlab.com www.app.bignetlab.com;

    ssl_certificate /etc/ssl/certs/app/app.bignetlab.com.crt;
    ssl_certificate_key /etc/ssl/certs/app/app.bignetlab.com.key;

    # Reject requests whose Host header is not the expected endpoint.
    if ($host != "app.bignetlab.com") {
        return 412;
    }

    location / {
        proxy_pass http://10.8.0.2;
        proxy_set_header Host app.bignetlab.com;
    }

    location /posts {
        proxy_pass http://10.8.0.2;
        proxy_set_header Host app.bignetlab.com;
    }

    # Regex location (the `~` is required for the pattern to be matched as a regex).
    location ~ ^/posts/?(.*)/comments {
        proxy_pass http://10.8.0.2;
        proxy_set_header Host app.bignetlab.com;
    }
}
```
- Add `ipp.txt` on the OpenVPN server:

```bash
nano /etc/openvpn/server.conf
```

```
ifconfig-pool-persist ipp.txt
```

- Configure `ipp.txt`:

```bash
nano /etc/openvpn/ipp.txt
```

```
username1,10.8.0.2
```

- Configure the client:

```bash
nano profile.ovpn
```

```
ifconfig 10.8.0.2 255.255.255.0
```
- Download the ovpn-admin package for your architecture:

```bash
## For i386
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-386.tar.gz
## For amd64
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-amd64.tar.gz
## For arm
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-arm.tar.gz
## For arm64
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-arm64.tar.gz
```

- Extract:

```bash
sudo tar -xvzf ovpn-admin-linux-*.tar.gz
sudo mv ovpn-admin /usr/local/bin/
```

- Enable the management interface on the OpenVPN server:

```bash
sudo nano /etc/openvpn/server/server.conf
```

```
management 127.0.0.1 8989
```

```bash
sudo systemctl restart openvpn-server@server.service
```

- Copy `ta.key` to `/etc/openvpn/easyrsa/pki/`:

```bash
sudo cp /etc/openvpn/ta.key /etc/openvpn/easyrsa/pki/
```

- Run:

```bash
/usr/local/bin/ovpn-admin --easyrsa.path="/etc/openvpn/easy-rsa" --easyrsa.index-path=/etc/openvpn/easy-rsa/pki/index.txt --listen.host=127.0.0.1 --listen.port=9898 --ovpn.server=HOST:PORT:PROTOCOL
```

- Access the web UI at `http://0.0.0.0:8080` (adjust to the `--listen.host` / `--listen.port` you passed above).
- You can use Pritunl as an alternative VPN.