#1 2017-01-21 17:24:24

aknarts
Member
Registered: 2013-10-07
Posts: 8

SSH Forward through OpenVPN but no default gateway

Hi,

I have searched and searched for a couple of hours now and nowhere could I find a solution to my particular issue.

I do have a public facing server running an OpenVPN server, http server and a couple of other things. There is just one client for the OpenVPN server, which is running in my LAN.
What I want to do is to forward the Server's port 22 to the Client's port 22 so I can SSH into my box inside the LAN. The issue is that I do not use the almighty redirect-gateway def1 in the vpn server configuration and thus the client's traffic is not routed through the vpn.

OpenVPN server config:

port 1139
proto udp
dev tap
client-config-dir ccd
ca   ca.crt
cert server.crt
key  server.key
dh   dh4096.pem
ifconfig-pool-persist openvpn.ipp
server 10.147.0.0 255.255.0.0
push "route 10.147.0.0 255.255.0.0"
client-to-client
keepalive 10 60
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
tmp-dir /tmp
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20

OpenVPN Client conf:

client
remote 1.2.3.4 1139
proto udp
dev tap
;dev-node OpenVPN-TAP
cert client.crt
key  client.key
ca ca.crt
;ns-cert-type server
resolv-retry infinite
nobind
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
tmp-dir /tmp
log-append /var/log/openvpn/openvpn.log
;mute-replay-warnings
verb 3
mute 20

Client Route:

default via 192.168.0.1 dev ens3 proto static metric 100 
10.147.0.0/16 via 10.147.0.1 dev tap0 
192.168.0.0/24 dev ens3 proto kernel scope link src 192.168.0.19 metric 100

Server iptables:

# Generated by iptables-save v1.4.21 on Sat Jan 21 17:15:14 2017
*mangle
:PREROUTING ACCEPT [10797:2017141]
:INPUT ACCEPT [10023:1970793]
:FORWARD ACCEPT [774:46348]
:OUTPUT ACCEPT [9237:3465761]
:POSTROUTING ACCEPT [9641:3490607]
COMMIT
# Completed on Sat Jan 21 17:15:14 2017
# Generated by iptables-save v1.4.21 on Sat Jan 21 17:15:14 2017
*filter
:INPUT DROP [47:3088]
:FORWARD DROP [131:7796]
:OUTPUT ACCEPT [3002:1165998]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 1139 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A FORWARD -d 10.147.0.2/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat Jan 21 17:15:14 2017
# Generated by iptables-save v1.4.21 on Sat Jan 21 17:15:14 2017
*nat
:PREROUTING ACCEPT [38:2310]
:INPUT ACCEPT [16:904]
:OUTPUT ACCEPT [4:304]
:POSTROUTING ACCEPT [4:304]
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.147.0.2:22
-A POSTROUTING -d 10.147.0.2/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 10.147.0.1
COMMIT
# Completed on Sat Jan 21 17:15:14 2017

No iptables rules on the Client

So what I have done so far is add the three iptables rules for FORWARD, PREROUTING and POSTROUTING, and of course moved the server SSHD port to 2222 so I can still connect to it.
What I see is the connections correctly making it to the Client (tcpdump):

16:57:11.329519 IP 10.147.0.1.40892 > 10.147.0.2.ssh: Flags [S], seq 1096073233, win 29200, options [mss 1336,sackOK,TS val 2718080 ecr 0,nop,wscale 7], length 0
16:57:11.329605 IP 10.147.0.2.ssh > 10.147.0.1.40892: Flags [S.], seq 3795791047, ack 1096073234, win 28960, options [mss 1460,sackOK,TS val 6690436 ecr 2718080,nop,wscale 7], length 0
16:57:12.355558 IP 10.147.0.2.ssh > 10.147.0.1.40892: Flags [S.], seq 3795791047, ack 1096073234, win 28960, options [mss 1460,sackOK,TS val 6690744 ecr 2718080,nop,wscale 7], length 0
16:57:14.515742 IP 10.147.0.2.ssh > 10.147.0.1.40892: Flags [S.], seq 3795791047, ack 1096073234, win 28960, options [mss 1460,sackOK,TS val 6691392 ecr 2718080,nop,wscale 7], length 0
16:57:16.336762 ARP, Request who-has 10.147.0.2 tell 10.147.0.1, length 28
16:57:16.336796 ARP, Reply 10.147.0.2 is-at ae:33:5c:58:d9:93 (oui Unknown), length 28
16:57:16.435535 ARP, Request who-has 10.147.0.1 tell 10.147.0.2, length 28
16:57:16.459335 ARP, Reply 10.147.0.1 is-at 16:b0:13:49:12:92 (oui Unknown), length 28

But the connection does not make it out:

ssh -vvvvv 1.2.3.4
OpenSSH_7.4p1, OpenSSL 1.0.2j  26 Sep 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "1.2.3.4" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.
debug1: connect to address 1.2.3.4 port 22: Connection timed out
ssh: connect to host 1.2.3.4 port 22: Connection timed out

Connections from the Server to the Client work OK.

What am I missing? I really want to avoid having all of my traffic routed through the VPN.

In case somebody is wondering why I am doing this exercise: the LAN computer is running a GitLab instance and that is why I sort of need to be able to SSH into the box. The frontend is forwarded without issues using apache proxy.

Edit:

To make it complete:

Server Public IP: 1.2.3.4
Server VPN IP: 10.147.0.1
Client VPN IP: 10.147.0.2

Solution:

For some reason adding

iptables -A FORWARD -i tap0 -j ACCEPT

solves the issue; leaving this open for now, as I am not sure whether it is overkill or if it can be locked down a bit more.

Last edited by aknarts (2017-01-21 19:04:43)
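A tighter alternative to the blanket `-A FORWARD -i tap0 -j ACCEPT` workaround, as an added example that is not part of the original post: the DNAT'd SYN reaches the client, but its SYN-ACK comes back in over tap0 and has to cross the FORWARD chain as well (the repeated SYN-ACKs in the tcpdump are the client retransmitting a reply the server's FORWARD DROP policy never lets out), so only a RELATED,ESTABLISHED rule is needed, not an accept for everything on tap0. Interface names and addresses are the ones from the post; the `-i`/`-o` interface qualifiers on the NAT rules and the `forward_is_tight` audit helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a minimal rule set for
# forwarding public port 22 to the VPN client and an audit helper that flags
# the overly broad FORWARD rule. Names below are taken from the post
# (eth0 = public NIC, tap0 = OpenVPN, 1.2.3.4 = public IP,
# 10.147.0.1 / 10.147.0.2 = server / client VPN addresses).
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tap0}
PUBLIC_IP=${PUBLIC_IP:-1.2.3.4}
VPN_SERVER=${VPN_SERVER:-10.147.0.1}
VPN_CLIENT=${VPN_CLIENT:-10.147.0.2}

# Print the rules instead of running them so they can be reviewed first;
# apply (as root) with:  forward_rules | sh
forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP/32 -p tcp --dport 22 -j DNAT --to-destination $VPN_CLIENT:22
iptables -t nat -A POSTROUTING -o $VPN_IF -d $VPN_CLIENT/32 -p tcp --dport 22 -j SNAT --to-source $VPN_SERVER
iptables -A FORWARD -i $WAN_IF -o $VPN_IF -d $VPN_CLIENT/32 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Audit helper (hypothetical): read iptables-save output on stdin and return
# 0 when the FORWARD chain has no blanket accept for the VPN interface,
# 1 when the "-A FORWARD -i tap0 -j ACCEPT" workaround is still present.
forward_is_tight() {
    ! grep -Eq "^-A FORWARD -i $VPN_IF -j ACCEPT\$"
}
```

The first FORWARD rule admits only the new inbound SSH flow to the client; the second lets the replies (and nothing else) back out, which is what the catch-all tap0 rule was silently providing.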
