VPN and local Apache port forwarding

Tags: apache-http-server, openvpn, port, port-forwarding, vpn

I have the following configuration: an Apache web host running on my local PC at port 4444.

I've registered at noip.com for DDNS, and I've done setup correctly.

I was wondering, since I am a little paranoid about exposing my IP to the public when presenting a web app to clients: is it possible for me to run a VPN locally, so that when DDNS resolves the IP it will point at my VPN connection?

I have only basic knowledge of iptables, which is not sufficient for this task.
Currently using Debian 8.

Thanks for your help!

Best Answer

In case you want to hide your web server's port using a VPN (OpenVPN) on the web server host

In that case, you could

  • configure a VPN server, e.g. OpenVPN, to listen on your host's IP, e.g. 192.168.1.1, port 1194
  • configure your web server to listen only on 192.168.1.1, port 4444
  • stop the port forwarding in your router which forwards traffic from the internet to the web server
  • configure a port forwarding in your router which forwards traffic from the internet to the VPN server on port 1194 (I personally use a different port on the outside, so that the router will forward e.g. port 11945 to port 1194 on the host)
  • connect to your VPN via the internet
  • point your browser to your web app at 192.168.1.1, port 4444

In that scenario, you probably don't even need iptables. Your router only knows to forward that one port (1194) to your host, and that one port can only be established or connected to with the correct keys and certificates. All other ports don't need to be closed, because they cannot be reached via your router.

In case you want to make your web server connectable only from the VPN IP address

I assume from your comments, however, that you use the VPN from your laptop, and that your web server is connected to the "plain" internet. In that scenario, you open up your firewall/iptables only for your VPN IP, e.g. 3.2.2.2:

iptables -A INPUT -s 3.2.2.2/32 -j ACCEPT

or, more fine-grained:

iptables -A INPUT -p tcp -s 3.2.2.2/32 --dport 4444 -j ACCEPT

Attention: this must not be the only rule. You probably want to access your host via SSH from your local network, or generally allow everything from your local network:

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

Also, you want to allow localhost traffic:

iptables -A INPUT -i lo -j ACCEPT

After that, you can close every other incoming port:

iptables -P INPUT DROP

Be sure to check this thoroughly against your own IP address range and your own VPN IP address.

Also, you have to configure your router/modem to forward a port, e.g. 4444 or 44444, to your web server's port 4444.

In case you want to run your VPN service (private internet access) and your web server on the same host

Looking up privateinternetaccess.com, I figured out that

  • there are client programs for various operating systems, among them Linux. (see here)
  • PIA recommends, however, to use OpenVPN in case you always want to have the same VPN IP address (see here)

So to

run VPN locally, so when DDNS resolves IP it will point at your VPN connection

you would

  • install OpenVPN
  • edit the ovpn file provided by PIA so that it always connects to the same VPN server
  • start the OpenVPN connection to PIA
  • configure your DDNS client so that it looks up and updates the IP address only after the VPN connection is established. The DDNS client should now find 3.2.2.2 as your IP address, update it in the DDNS server, and your clients can resolve yourhost.yourddns.com to 3.2.2.2.
  • Whilst PIA does not recommend doing so (see here), you should be able to enable port forwarding in PIA as described here for port 4444.
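As an added example (not part of the question or of the answer above), here is the second scenario's firewall written as one iptables-restore ruleset generated by a small POSIX sh script, rather than a sequence of iptables -A calls typed by hand. The addresses 3.2.2.2 and 192.168.1.0/24 are the answer's placeholders; the function names, the decision to allow only SSH from the LAN instead of all LAN traffic, and the conntrack rules are my additions.

```shell
#!/bin/sh
# Added example, not code from the answer above. Assumed placeholders:
# VPN egress IP 3.2.2.2 and LAN 192.168.1.0/24 (from the answer); the
# function names and the "ssh only from the LAN" choice are mine.

# Validate a dotted-quad IPv4 address (no CIDR suffix).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Validate an IPv4 network in CIDR notation, e.g. 192.168.1.0/24.
is_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    local net=${1%/*} bits=${1#*/}
    is_ipv4 "$net" || return 1
    case $bits in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$bits" -le 32 ]
}

# Print a complete ruleset for iptables-restore.
# $1 = VPN egress IP, $2 = LAN network, $3 = web port (default 4444).
gen_rules() {
    local vpn_ip=$1 lan_net=$2 web_port=${3:-4444}
    is_ipv4 "$vpn_ip"  || { echo "gen_rules: bad VPN IP '$vpn_ip'" >&2; return 1; }
    is_cidr "$lan_net" || { echo "gen_rules: bad LAN network '$lan_net'" >&2; return 1; }
    case $web_port in
        ''|*[!0-9]*) echo "gen_rules: bad port '$web_port'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (DNS, apt, the DDNS client, the
# VPN tunnel itself); without this a DROP policy on INPUT breaks all of them
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management from the LAN: ssh only, not "everything"
-A INPUT -s $lan_net -p tcp --dport 22 -j ACCEPT
# the web app, only from the VPN's egress address
-A INPUT -s $vpn_ip/32 -p tcp --dport $web_port -j ACCEPT
COMMIT
EOF
}

# Parse-check the ruleset first, then load it atomically, so a typo cannot
# leave the host half-configured. Run this from the console or the LAN, not
# over the connection you are about to firewall.
apply_rules() {
    local rules
    rules=$(gen_rules "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# Usage (fw.sh is a hypothetical file name):
#   sh fw.sh 3.2.2.2 192.168.1.0/24 > /etc/iptables/rules.v4
if [ $# -ge 2 ]; then
    gen_rules "$@"
fi
```

Two caveats the answer's rules leave out. First, with `iptables -P INPUT DROP` and no ESTABLISHED,RELATED rule, replies to the host's own outbound connections are dropped too; that matters most in the third scenario, where the web server host is itself the VPN client and the DDNS updater. Second, this is IPv4 only: if Apache listens on `::` and the host has a global IPv6 address, port 4444 stays reachable over IPv6 until ip6tables gets an equivalent ruleset or Apache is bound to the IPv4 address. On Debian 8 the iptables-persistent package loads /etc/iptables/rules.v4 at boot, which is why the script writes in iptables-restore format.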