Networking – Accessing a webserver hosted behind vpn with closed ports remotely

networkingremote accessvirtualizationvpnwebserver

I currently have the following setup:

Win Server 2008

——-> Mint 16 Cinnamon VM tunneled through external VPN (using OpenVPN)

—————> Webserver inside for local network access

Is there any possible way to access that web server using my external ISP ip address when the webserver is tunneled behind a VPN… without needing to port forward on the VPN side?

As an example, Would it be possible to host a webserver on another VM or the host OS which redirects to or acts as a pointer (… like mod_rewrite or redirect?) to that local server, so it can be accessed externally without needing to have access to configuring firewall rules on the VPN server?

EG:

Host OS

—–> VM 1, VPN + Webserver, local adaptor IP is 192.168.1.2 (home network), VPN tunnel IP is 10.x.x.x, all external traffic routed though the VPN.

————–> VM 2, local adaptor IP is 192.168.1.3, Webserver running on port 80, points to page hosted on 192.168.1.2:80 and allows for external viewing via port forwarding local router.

Currently, all devices on the local network can access this webserver fine.

Failing that idea, is there anyway to force certain programs to only send traffic over specific interfaces (ie, the local ethernet interface), or forcing certain ports to route through the ISPs gateway instead of the VPNs (on an OS level).

Appreciate your feedback.

Best Answer

Yes, it can be done thanks to the fact that you are running your Web Server in a Linux VM. The first fact (that you are using Linux) is an absolute prerequisite, the second one (that it is a VM, not a physical machine) makes it easier and less expensive.

When you set up a VPN, it changes your routing table, establishing (in your case) that all traffic must go through a different server. If a connection comes in through your local router, the Mint VM will try to answer by following the routing instructions of the only table it knows, i.e through the VPN. However, the pc trying to contact your Web server will see that its query to your non-VPN address has been answered by a distinct, third party, the VPN server. For obvious security reasons, these replies are immediately discarded.

To solve this problem, Linux has the ability to handle two (or more) distinct routing tables, with rules specifying when each is to be used. So what you want to do is to create a second interface on your Mint VM (let's call it eth1), and make sure that it has an IP address on your LAN (if you are using VirtualBox, that means creating a bridged interface.

Now all you have to do is to set up two routing tables, in such a way that if a communication comes in via the OpenVPN, it is answered by the routing table set up by the OpenVPN, but if comes in through the LAN (the NIC we called eth1) it is answered by a different routing table that routes traffic where it came from, i.e your local router, not the OpenVPN server.

You do this as follows:

before starting the VPN, create two tables: we will call them main (the one destined to be used by the OpenVPN) and NONVPN:

 echo 200 main >> /etc/iproute2/rt_tables
 echo 201 NONVPN >> /etc/iproute2/rt_tables

Add a gateway to each routing table (if needed):

 ip route add 192.168.1.0/24 dev eth0 src <SRC1> table main
 ip route add 192.168.1.0/24 dev eth1 src <SRC2> table NONVPN

Then a default route:

 ip route add default via 192.168.1.1 table main
 ip route add default via 192.168.1.1 table NONVPN

where I assumed 192.168.1.1 is your local router, and 192.168.1.0/24 the LAN.

Now you may start your VPN: it will modify your main routing table.

Lastly you the rules to select the route table based on the source address:

 ip rule add from 10.0.0.0/24 table main
 ip rule add from 192.168.1.0/24 table NONVPN

where I assumed your OpenVPN tunnel has addresses in the 10.0.0.0/24 range, modify accordingly.

You are done.

Related Solutions

Networking – Enable DNS Hostname resolution with OpenVPN and DNSMasq

With great complexity, I have something approximating DNS over the VPN.

First, I had to run a script upon the addition of an address to OpenVPN. In the server configuration:

ifconfig-pool-persist ip-pool # Store mappings of CN,IP, 1 per line
script-security 2             # Allow OpenVPN to run user scripts
learn-address /path/to/learn-address.sh

I started with the learn-address.sh script from an old OpenVPN thread, but since I was running a TAP interface, I had to add script to parse the ip-pool file as well:

#!/bin/sh
# openvpn learn-address script to manage a hosts-like file
# - intended to allow dnsmasq to resolve openvpn clients
#   addn-hosts=/etc/hosts.openvpn-clients
#
# Changelog
# 2006-10-13 BDL original
# 2018-12-10 Palswim change to query OpenVPN Persistent pool for TAP interfaces

# replace with a sub-domain of your domain, use a sub-domain to
# prevent VPN clients from stealing existing names
DOMAIN=example

HOSTS=/etc/openvpn/hosts

h="hosts-openvpn-$DOMAIN"
LOCKFILE="/var/run/$h.lock"

IP="$2"
CN="$3"

if [ -z "$IP" ]; then
    echo "$0: IP not provided" >&2
    exit 1
else
    # In TAP mode, OpenVPN passes MAC instead of IP, since with TAP, clients can use protocols other than IP
    MAC="$IP"
    IP=$(grep "^$CN[[:space:]]*," ip-pool | head -n 1 | cut -d, -f 2)
    if [ -z "$IP" ]; then
        echo "$0: Failed to find IP in ipconfig-pool" >&2
        exit 0
    else
        echo "$0: Translated MAC ($MAC) to IP ($IP)"
    fi
fi

case "$1" in
    add|update)
        if [ -z "$CN" ]; then
            echo "$0: Common Name not provided" >&2
            exit 0
        fi
    ;;
    delete)
    ;;
    *)
        echo "$0: unknown operation [$1]" >&2
        exit 1
    ;;
esac

# serialise concurrent accesses
[ -x /bin/lock ] && /bin/lock "$LOCKFILE"

# clean up IP if we can
[ -x /bin/ipcalc ] && eval $(ipcalc "$IP")

FQDN="$CN"

# busybox mktemp must have exactly six X's
t=$(/bin/mktemp "/run/shm/$h.XXXXXX")
if [ $? -ne 0 ]; then
    echo "$0: mktemp failed" >&2
    exit 1
fi


case "$1" in
    add|update)
        /usr/bin/awk '
            # update/uncomment address|FQDN with new record, drop any duplicates:
            $1 == "'"$IP"'" || $1 == "#'"$IP"'" || $2 == "'"$FQDN"'" \
            { if (!m) print "'"$IP"'\t'"$FQDN"'"; m=1; next }
            { print }
            END { if (!m) print "'"$IP"'\t'"$FQDN"'" }           # add new address to end
        ' "$HOSTS" > "$t" && cat "$t" > "$HOSTS"
    ;;

    delete)
            /usr/bin/awk '
            # no FQDN, comment out all matching addresses (should only be one)
            $1 == "'"$IP"'" { print "#" $0; next }
            { print }
        ' "$HOSTS" > "$t" && cat "$t" > "$HOSTS"
    ;;

esac

# signal dnsmasq to reread hosts file
kill -HUP $(cat /var/run/dnsmasq/dnsmasq.pid)

rm "$t"

[ -x /bin/lock ] && /bin/lock -u "$LOCKFILE"
exit 0

I ended up running DNSMasq on one server for my own LAN, and a different server for the VPN. I had to update my configuration (/etc/dnsmasq.conf) on the VPN DNS server:

no-resolv                     # Didn't want to serve anything but VPN requests
interface=tap0
no-hosts                      # Don't use /etc/hosts
addn-hosts=/etc/openvpn/hosts # Target the output of the learn-address.sh script
expand-hosts
domain=example

Once I had this, I then had to push a few options via OpenVPN's DHCP server. Again, in the OpenVPN server configuration:

server 192.168.254.0 255.255.255.0 # Assuming this VPN network
push "dhcp-option DNS 192.168.254.1"
push "dhcp-option DOMAIN example"  # Push domain to clients

Unfortunately, only the Windows version of OpenVPN supports setting these options automatically. Linux clients will need to configure scripts to run on connection up/down. If you Linux system uses /etc/resolv.conf, ultimately, you need your VPN domain to appear in your search list, and your server IP to appear as a nameserver:

search example # you may have other strings here too, separated by a space
# ... other nameservers, then:
nameserver 192.168.254.1

Best Answer

Related Solutions

Networking – Enable DNS Hostname resolution with OpenVPN and DNSMasq

Related Question