How to Install VPN on VPS with Two Public IP addresses - One for "inbound", one for "outbound"?

emg Veteran
edited July 2022 in Help

I have a VPS with two public IP addresses. I would like to configure a VPN where one IP address is used by the people who connect to the VPN, and the other IP address would be the side of the VPN that connects to websites, etc.

I used the terms "inbound" and "outbound" because they fit on the subject line. In reality, the two IP addresses would be dedicated to the "private connection" and "public" sides of the VPN respectively. Let's be clear that both IP addresses are visible from the internet. Anyone here can ping both addresses.

Is there a simple, straightforward way to accomplish it? Can someone point me to a step-by-step guide, or a list of tasks to perform for setup, or other documentation on how to do it?

Yes, I understand that it can be fairly easy to set up a VPN with a single IP, but that is not my goal.

Comments

  • jmgcaguicla Member
    edited July 2022
    1. Bind the VPN only on the inbound IP
    2. Change the default route to use the outbound IP: ip route change default via GATEWAY_IP src OUTBOUND_IP
    3. ?
    4. Profit

    You can also set up source policy routing/multiple routing tables if you want finer control on the outbound route (e.g. you want to use different source IPs whether the traffic is from the server itself or is being forwarded from the VPN interface).

  • sots Member

    Which VPN server do you use? V2Ray? ShadowSocks? WireGuard? IPSec/IKEv2?

  • emg Veteran

    @sots said:
    Which VPN server do you use? V2Ray? ShadowSocks? WireGuard? IPSec/IKEv2?

    Good question. I have not chosen one, but was leaning towards OpenVPN because I have used it in the past. It appears to be popular and well-supported. I am intimately familiar with IPSec/IKEv2. It is good to see that you did NOT offer PPTP.

    V2Ray, ShadowSocks, and WireGuard are newer protocols, and I am not familiar with them. You just gave me an interesting homework assignment. Thank you. :-)

    The choice may be dependent on which protocols the home client supports.

    -> Which protocol would you recommend?

    Ease of installation and management on the server side is a serious consideration as long as the protocol is secure, actively used, and well-maintained. I have deep technical knowledge in many areas and I am a good learner, but my Linux system administration experience is "just enough to get by."

    This VPN will be for personal and family use. I am not starting a business or anything like that.

    As always, I encourage everyone here to offer their thoughts, ideas, suggestions, recommendations, etc. Keep the posts coming! ... and thank you!

  • Maybe only need to set a static route of 0.0.0.0

  • Jcy Member

    I guess you want to access host A and let host B access the Internet. In this case, you can configure VPN on host B, and then forward traffic to host B on the route of host A. I suggest you go to the V2ray Wiki for this part of the description.

  • @emg said:

    @sots said:
    Which VPN server do you use? V2Ray? ShadowSocks? WireGuard? IPSec/IKEv2?

    Good question. I have not chosen one, but was leaning towards OpenVPN because I have used it in the past. It appears to be popular and well-supported. I am intimately familiar with IPSec/IKEv2. It is good to see that you did NOT offer PPTP.

    V2Ray, ShadowSocks, and WireGuard are newer protocols, and I am not familiar with them. You just gave me an interesting homework assignment. Thank you. :-)

    The choice may be dependent on which protocols the home client supports.

    -> Which protocol would you recommend?

    Ease of installation and management on the server side is a serious consideration as long as the protocol is secure, actively used, and well-maintained. I have deep technical knowledge in many areas and I am a good learner, but my Linux system administration experience is "just enough to get by."

    This VPN will be for personal and family use. I am not starting a business or anything like that.

    As always, I encourage everyone here to offer their thoughts, ideas, suggestions, recommendations, etc. Keep the posts coming! ... and thank you!

    v2ray and Shadowsocks can accomplish this easily, just configure it in their config.jsons.

  • sots Member
    edited July 2022

    @emg said: -> Which protocol would you recommend?

    For maximum speed: Shadowsocks
    For Safety (e.g. if you have to bypass strict censorship): v2ray vmess with HTTP/2 or WebSocket

  • emg Veteran

    This has been a very helpful and productive thread for me. I reviewed the protocols suggested above.

    V2Ray and Shadowsocks are not as good a fit for my needs as they would be for others. I live in the US and my VPS is also in the US. My threat model does not include a great firewall or a well-funded adversary that can monitor and correlate separated inputs and outputs.

    WireGuard shows a lot of innovation and promise, but I need more time for detailed study here. I saw no red flags, but want to reassure myself that flaws from past protocols are not in this one. I have high confidence in the capabilities of some of the people involved. This is simply "trust, but verify."

    Besides, WireGuard is currently unsupported by my firewall or the VPN client that I have now. Yeah, time to dump them and find better replacements. WireGuard support will be on the radar when I replace them.

    In the meantime, it would be nice to choose a protocol that the firewall and VPN client both support, and that leads me back to OpenVPN, for now. I know that OpenVPN is slower, more complex, and arguably less secure than WireGuard due to code size and attack surface.

    Thanks!

  • So just set up OpenVPN using one of the quick scripts, and then NAT the outbound VPN client IPs to use your secondary IP as the exit. Most commercial VPN providers already implement this, i.e. the IP you are connecting to and the IP you exit from are different. This is true for Mullvad/IVPN/AirVPN.
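
The two suggestions in this thread (bind the VPN to the inbound IP and set the route source; NAT the VPN clients out of the secondary IP), combined as an added example that is not part of any post: a dry-run planner that prints the OpenVPN `local` line, the route command and an SNAT rule, plus a check over `iptables -t nat -S` output. The addresses, the 10.8.0.0/24 tunnel subnet, `eth0` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: dry-run only, nothing here changes the system.
# Constructed placeholders: documentation-range IPs, 10.8.0.0/24, eth0.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# plan_split_ip INBOUND OUTBOUND GATEWAY VPN_NET WAN_IF: print the settings.
plan_split_ip() {
    in_ip=$1 out_ip=$2 gw=$3 vpn_net=$4 wan_if=$5
    for addr in "$in_ip" "$out_ip" "$gw"; do
        valid_ipv4 "$addr" || { echo "invalid IPv4: $addr" >&2; return 2; }
    done
    [ "$in_ip" != "$out_ip" ] || { echo "IPs must differ" >&2; return 2; }
    cat <<EOF
# OpenVPN server config: listen on the inbound address only
local $in_ip
# Traffic the server itself originates: source hint on the default route
ip route change default via $gw src $out_ip
# Forwarded client packets keep their tunnel address until SNAT rewrites it
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $vpn_net -o $wan_if -j SNAT --to-source $out_ip
EOF
}

# exit_ip_ok OUTBOUND VPN_NET: read `iptables -t nat -S` output on stdin.
# Succeeds only if VPN_NET is SNATed to OUTBOUND and no MASQUERADE rule
# covers it (MASQUERADE leaves the address choice to the kernel).
exit_ip_ok() {
    found=1
    while IFS= read -r rule; do
        case "$rule " in
            *" -s $2 "*" -j MASQUERADE "*) return 1 ;;
            *" -s $2 "*" -j SNAT --to-source $1 "*) found=0 ;;
        esac
    done
    return "$found"
}

plan_split_ip 203.0.113.10 203.0.113.20 203.0.113.1 10.8.0.0/24 eth0
```

On a live server the check would be fed with `iptables -t nat -S POSTROUTING | exit_ip_ok OUTBOUND_IP VPN_NET` after the VPN is up.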
