this post was submitted on 19 Dec 2023
20 points (85.7% liked)

Selfhosted

I want to set up a VPN that uses the client's IP when sending data out of the VPN server. I am able to use either OpenVPN (open-source edition), or Wireguard.

[–] [email protected] 1 points 11 months ago (1 children)

That's not possible. There's only one route to an IP. Those may lead to different machines depending on where the request originates, and you more or less can't choose which one, your ISP and their upstream ISPs decide and it's usually the shortest or cheapest route. The Internet is stateless, it just moves packets around. Each step makes an independent decision as to where to send it next.

So your VPN server can try spoofing its outbound traffic to use the client's IP, but it'll most likely get discarded by the ISP because it only allows your IP to go out. But even if you can, the answer to those packets will go to the client's IP, which will go directly to the client and not the VPN. The other end doesn't know where it originated from, it just has a number, and it sends it back into the Internet and the Internet figures it out.

And if you can properly port the IP to your server, then the client can no longer use that IP because anything directed at it will end up at the server.

It's theoretically possible to pull off with some clever iptables rules but both ends need to be configured for it so it'll never leave your private network. In which case, it's just not worth the hassle to avoid making a new subnet.
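As an added illustration (not the commenter's code, and using a constructed toy topology with documentation-range addresses), the following Python model shows the two points made above: each hop forwards purely on the destination with a longest-prefix-match lookup, so a reply addressed to the client's IP lands at the client rather than at the VPN server; and an ISP that does customer-edge source filtering (BCP 38) drops the spoofed packet before it ever leaves. The router and host names are assumptions for the example.

```python
import ipaddress

# Constructed toy topology (not from the post): three stub networks behind
# three ISPs, all meeting at one core router.
HOSTS = {
    "client": "203.0.113.10",  # VPN client, inside ISP-A's prefix
    "vpn":    "198.51.100.5",  # VPN server, inside ISP-B's prefix
    "web":    "192.0.2.80",    # site the server wants to reach, inside ISP-C
}
FIRST_HOP = {"client": "isp_a", "vpn": "isp_b", "web": "isp_c"}


class Router:
    """One stateless hop: picks the next hop by longest-prefix match on the
    destination address only. If `customer_prefixes` is set, packets arriving
    directly from a customer whose source is outside those prefixes are dropped
    (BCP 38 style ingress filtering at the customer edge)."""

    def __init__(self, name, routes, customer_prefixes=None):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.customer_prefixes = [ipaddress.ip_network(p)
                                  for p in (customer_prefixes or [])]

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        # Longest prefix wins; where the packet came from is never consulted.
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def permits_customer_source(self, src):
        if not self.customer_prefixes:
            return True
        return any(ipaddress.ip_address(src) in net for net in self.customer_prefixes)


def build_network(egress_filtering):
    isp_a = Router("isp_a", [("203.0.113.0/24", "client"), ("0.0.0.0/0", "core")])
    isp_b = Router("isp_b", [("198.51.100.0/24", "vpn"), ("0.0.0.0/0", "core")],
                   customer_prefixes=["198.51.100.0/24"] if egress_filtering else None)
    isp_c = Router("isp_c", [("192.0.2.0/24", "web"), ("0.0.0.0/0", "core")])
    core = Router("core", [("203.0.113.0/24", "isp_a"),
                           ("198.51.100.0/24", "isp_b"),
                           ("192.0.2.0/24", "isp_c")])
    return {r.name: r for r in (isp_a, isp_b, isp_c, core)}


def forward(net, sender, src, dst):
    """Walk one packet hop by hop. Returns (receiving host or 'dropped', path)."""
    path, prev, hop = [sender], sender, FIRST_HOP[sender]
    while hop in net:                      # names not in `net` are end hosts
        router = net[hop]
        path.append(hop)
        # The filter only applies on the interface facing the customer host.
        if prev not in net and not router.permits_customer_source(src):
            return "dropped", path
        prev, hop = hop, router.next_hop(dst)
    path.append(hop)
    return hop, path


def request_and_reply(net, sender, src, dst):
    """Send a request from `sender` carrying source address `src`, then route
    the reply: the receiver only knows the address in the header, so it
    answers to that and lets the network sort it out."""
    receiver, req_path = forward(net, sender, src, dst)
    if receiver == "dropped":
        return {"request": req_path, "reply": None, "reply_reaches": None}
    arrived_at, rep_path = forward(net, receiver, dst, src)
    return {"request": req_path, "reply": rep_path, "reply_reaches": arrived_at}


def scenario(egress_filtering, spoofed):
    """VPN server talks to `web`, either with its own address or with the
    client's address written into the source field."""
    net = build_network(egress_filtering)
    src = HOSTS["client"] if spoofed else HOSTS["vpn"]
    return request_and_reply(net, "vpn", src, HOSTS["web"])


if __name__ == "__main__":
    for filtering in (False, True):
        for spoofed in (False, True):
            print(f"filtering={filtering} spoofed={spoofed}:",
                  scenario(filtering, spoofed))
```

Without filtering, the spoofed request does reach `web`, but the reply path ends at `client`, never touching `vpn`; with the ISP filter enabled the request is discarded at the first hop. Real networks add policy routing, stateful firewalls and asymmetric-path drops on top of this, all of which make the scheme harder, not easier.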

[–] [email protected] 3 points 11 months ago (1 children)

There’s only one route to an IP.

That's not true. There's an infinite number of ways to route IP addresses on the internet, in fact. Most of them are useless, however.

your VPN server can try spoofing its outbound traffic to use the client’s IP, but it’ll most likely get discarded by the ISP because it only allows your IP to go out. But even if you can, the answer to those packets will go to the client’s IP, which will go directly to the client and not the VPN.

Mission accomplished? This may be what OP wants? Really not sure.

[–] [email protected] 4 points 11 months ago* (last edited 11 months ago) (1 children)

That's not true. There's an infinite number of ways to route IP addresses on the internet

I think what they were trying to say is that packets are usually routed one particular way, which is true (routes normally don't suddenly change unless there's a major change like an outage or cost change). This part of their comment makes me think they do understand that there's many possible routes:

you more or less can't choose which one, your ISP and their upstream ISPs decide and it's usually the shortest or cheapest route.

[–] [email protected] 2 points 11 months ago

Yeah, I almost talked about anycast IPs but it just added unnecessary complexity.

OP's question is a bit weird but it sounds like they want to connect to a VPN server and then that server uses the client's IP instead of its own for outbound traffic, like some sort of forwarding?

For all I know OP may be asking for a bridged VPN and it really just means to forward the remote client as if it's on the local network.

But the way it's worded, the same IP would be used to both talk to the server and by the server itself going outbound. It's possible on a local network with iptables hacks but why would you even want to do this?