https access to remote OpenVPN clients via OpenVPn server

Discussion in 'Installation/Configuration' started by chillifire, Jun 4, 2008.

  1. chillifire

    chillifire New Member

    http access to remote OpenVPN clients via OpenVPn server

    Hi,

    The situation:
    I have a number of OpenWRT (Linux distro for embedded devices) based routers out there, which I manage via Ubuntu 8.04 LINUX server they all connect to. The Ubuntu server has a public IP address, the router do not. To be able to address them the Ubuntu server is running an OpenVPN server, the routers connect to the server on start-up. I can ping and ssh into the routers from my server - no problem.

    What I want to achieve:
    The routers have a web GUI which is accessed via normal http. I would like to connect remotely to the routers' web interface through a browser. I would like to do so without having to have OpenVPN installed on the accessing PC/workstation. This would obviously have to work through the Ubuntu server, as only the Ubuntu server with the OpenVPN server has any knowledge of the OpenVPN network and clients.

    I figure this should be possible with port and/or IP forwarding, once I am connected via http or https to the Ubuntu server, but I do not understand enough about networking to make this happen.

    Can anyone provide some ideas/hints how this can be achieved?

    Any input is welcome.

    Cheers
     
    Last edited: Jun 4, 2008
  2. chillifire

    chillifire New Member

    No one?

    Hi forume members,

    151 readers and no one has any idea how this could be achieved? Come on folks, you are better, than that. Can anyone give me a hint how this could be achieved? should something like this not be possible with ip forwarding and masquerading?
     
  3. just.another.alex

    just.another.alex New Member

    Hello, I can give a solution to you, but since you gave relatively little info about the configuration of the network, I'll assume some things.
    So, assuming that your Ubuntu server is a gateway between Internet and some local network(the IPs of the VPN are also "private" IPs), this meaning that an iptables nat/masquerade script is running on the server, you can use "iptables" to make your OpenWRT routers' web interfaces available from outside.

    For illustrating the solution, I'll consider that your OpenWRT routers have IPs of the form 10.1.99.*, and that your Ubuntu server is accesible from Internet with, let's say "my-ubuntu-server.org" host name. I'm also assuming that you'd need access to web-interface of two of your routers, with IPs 10.1.99.10 and 10.1.99.20
    In the firewall script, add the following lines:

    Code:
    #access OpenWRT-1 router on the port 5678 of your Ubuntu server
    $IPTABLES -t nat -A PREROUTING  -d $IP_INET -p tcp --dport 5678 -j DNAT --to-destination 10.1.99.10:80
    $IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 5678 -j DNAT --to-destination 10.1.99.10:80
    $IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.10 --dport 80 -j SNAT  --to-source $IP_LAN
    
    #access OpenWRT-2 router on the port 7890 of your Ubuntu server
    $IPTABLES -t nat -A PREROUTING  -d $IP_INET -p tcp --dport 7890 -j DNAT --to-destination 10.1.99.20:80
    $IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 7890 -j DNAT --to-destination 10.1.99.20:80
    $IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.20 --dport 80 -j SNAT  --to-source $IP_LAN
    
    The variable IP_INET should contain the public IP of your Ubuntu server(the IP that ISP gave to you), and the variable IP_LAN should contain the private IP of your Ubuntu server(the IP of the gateway used by your internal network hosts).

    After you'll run the firewall script modified as shown above, you should be able to connect to your web-interfaces of your routers, by simply pointing a web-browser to:
    http://my-ubuntu-server.org:5678
    (your first OpenWRT router, with 10.1.99.10 vpn ip)

    or
    http://my-ubuntu-server.org:7890
    (your second OpenWRT router, with 10.1.99.20 vpn ip)

    The iptables code above simply forwarded ports 5678 and 7890 of your Ubuntu to ports 80 of your OpenWRT-1 router, respectively OpenWRT-2 router.
    Good luck! :)
     
  4. just.another.alex

    just.another.alex New Member

    :))
    And..uhmm..one last notice:
    The variable IPTABLES used in the post above can be replace with your /sbin/iptables(very possible to be exact) program on your Ubuntu server.
    Too much bash scripting from me :p
     
  5. chillifire

    chillifire New Member

    not quite the setup I thought I described :)

    Thanks for the response. This describes a scenario similar to what I am looking for. Well, I thought I was reasonably clear, but may be I was not.

    So here is a diagram of the network setup and a second diagram of the request handling I am thinking of. Don't worry about the iptables magic that has to happen on the router. There is tons of info out there on that, so that I can handle.

    But what has to be configured with IPTABLES or otherwise on the Ubuntu server (the one in the middel of the diagram with address 1.2.3.4)? Does the setup shown in the diagrams require a change in the solution proposed above? I should think so, but what does it look like?

    So let me try and understand the lines from above:
    Code:
    IPTABLES -t nat -A PREROUTING  -d $IP_INET -p tcp --dport 5678 -j DNAT --to-destination 10.1.99.10:80
    so here you are doing the forwarding and I guess to saty with my example this should be something like:
    Code:
    IPTABLES -t nat -A PREROUTING  -d 1.2.3.4 -p tcp --dport u -j DNAT --to-destination 10.8.x.b:8080
    Right?
    OK, so I guess
    Code:
    $IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 5678 -j DNAT --to-destination 10.1.99.10:80
    should become
    Code:
    $IPTABLES -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport u -j DNAT --to-destination 10.1.x.b:8080
    Right?
    I am not sure why I need this rule, so would appreciate some enlightenment. :) And why is there no FORWARD rule? The noob I am in this I would have assumed I need a FORWARD rule to , well, basically forward. Is that not so? and why not?
    and with
    Code:
    $IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.10 --dport 80 -j SNAT  --to-source $IP_LAN
    
    you totally surpas my understanding. What is that rule achieving? And since there is no local network involved there is no sensible value for $IP_LAN I can make out in my own mind. Does that mean this rule is superflous for my scenario?

    Thanks again for bothering to respond. I would be greatful, if you could stick with me and maybe I am a bit clearer on what I am trying to achieve now, so you can give some further advice.

    Cheers

    chillifire
     

    Attached Files:

    Last edited: Jun 8, 2008
  6. just.another.alex

    just.another.alex New Member

    Hello again!
    OK, now I have enough information to tell you a real solution.
    First, let me explain the last iptables line, the one that "totally surpas" your understanding:

    Code:
    $IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.10 --dport 80 -j SNAT  --to-source $IP_LAN
    The line above works when the server(Ubuntu server in your case) is a gateway between a LAN and the Internet. And the role of the line is to provide what is called "complete forwarding", meaning that a specific port forward is available from outside as well as from the LAN behind the server.
    Since you don't have a LAN behind your Ubuntu server, you can IGNORE that line completely! Don't think about it anymore...;)

    So, with the information that you provided, I can say that the solution you created, by replacing the generic port numbers I gave with your port numbers, is CORRECT!
    I'll list it once again, for the sake of completness :D

    Code:
    IPTABLES -t nat -A PREROUTING  -d 1.2.3.4 -p tcp --dport u -j DNAT --to-destination 10.8.x.b:8080
    $IPTABLES -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport u -j DNAT --to-destination 10.1.x.b:8080
    Put this in a text file, make that file executable, execute it as a bash script, and the connection to your OpenWRT router 10.8.x.b:8080 should work from a remote PC by typing "http://1.2.3.4:u" in your browser.

    Add a pair of iptabes for each router, be sure you modify the "u" port and 10.8.x.x IPs to be different for each router, and you'll be able to manage all your routers remotely!

    Waiting to hear the results from you! ;)
     
  7. chillifire

    chillifire New Member

    Dealing with next problem

    Thank you for your response just.another.alex

    I have tried to implement it, but ran into problems getting these two new rules into the Bastille firewall manager (see here). So for the moment I cannot really give feedback but I will be in touch once I can test the solution. I will be in touch ...
     
  8. chillifire

    chillifire New Member

    No cigar

    Hi,
    this did not work once installed, even with the firewall otherwise switched off and completely open - for 30 secs :D - with only those two entries.

    Now, can you recommend an analytic tool, that I could use on my Ubuntu server to see how traffic is flowing and why and where the traffic forwarding fails?
     
  9. just.another.alex

    just.another.alex New Member

    Hello again!
    I'm surprised it didn't worked. I managed to forward a port from a real IP to a VPN station, by adding those two iptables rules to the existing firewall script.
    Did you specifically check that the rules were written syntactically correct, and that they can be seen with "iptables -t nat -L" ?
    What's the default policy of iptables, on your Ubuntu system? (ACCEPT or DENY/DROP)

    For now, I think that checking the stuff i've written above could be helpful.
    If the stuff it's correct, and forward still dont work maybe you should begin traffic analysis.
    For this, I recommend the following tools: tcpdump(it's a command line tool) or wireshark(aka ethereal), which is a GUI tool.

    And, as an alternative solution for forwarding, you can use ssh, or putty. There are tutorials on the Internet about this topic.
    Good luck!
     
  10. chillifire

    chillifire New Member

    Output of the test

    After trying several solutions adding the following to my iptables did the trick:

    Code:
    # allows forwarded packages to go through the firewall, which otherwise only allows established connections to be forwarded 
    iptables -A FORWARD -o tun+ -j ACCEPT
    # this the magic that does the IP address and port translation - obviouslys you need one for every router
    iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8004 -j DNAT --to-destination 10.8.0.4:8080
    iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8005 -j DNAT --to-destination 10.8.0.5:8080
    iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8006 -j DNAT --to-destination 10.8.0.6:8080
    iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
    # you'll need one generic rule so that the pakets can find their way back properly 
    iptables -A POSTROUTING --table nat -o tun+ -j MASQUERADE
    
    I got the hint with the postrouting from the Ubuntu forums, the Forwarding filter ACCEPT was my addition. I begin to understand what is going on here. Scary :0
     
    Last edited: Jun 10, 2008
  11. chillifire

    chillifire New Member

    Even better solution ...

    I can now offer a better solution that is based on a script from the Bastille guys as well (see code below). What I added was the MASQUERADE rule and the switch that ensures that port forwarding is actually activated on your LINUX server (tested for Ubuntu/Debian, please check with your LINUX distro the same switch exists in the same location or adjust the script accordingly in the line starting with "echo 1 > ...". Other than being fully compliant with iptables and Bastille the script offers the additional advantage that only port forwarding for explicitly specificied ports is opened, as opposed to the entire tun+ interfaces as was done in my solution. Here goes:

    Code:
    mkdir /etc/Bastille/firewall.d
    mkdir /etc/Bastille/firewall.d/pre-chain-split.d
    touch portforward.sh
    chmod 755 /etc/Bastille/firewall.d/pre-chain-split.d/portforward.sh
    Now copy all the following code into the file portforward.sh
    The magic is happening in the lines under item 1. Adjust to suit your port forwarding needs. The explanation in the script should be quite sufficient. This script should be able to handle port forwarding within your network, to connected VPN networks, and to external servers (the latter may require the activation of another line in the script under section0 in some cases).

    Code:
    # portforward.sh
    #
    # designed for bastille-firewall
    # Copyright (c) 2002 Peter Watkins
    #
    #    This program is distributed in the hope that it will be useful,
    #    but WITHOUT ANY WARRANTY; without even the implied warranty of
    #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    #    GNU General Public License for more details.
    #
    #    You should have received a copy of the GNU General Public License
    #    along with this program; if not, write to the Free Software
    #    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
    #
    # place in /etc/Bastille/firewall.d/pre-chain-split.d
    # as portforward.sh (directory name and .sh suffix are critical)
    #
    ###########################################################################
    # 0) Addition to Peter Watkins script by Hanno Scihupp July 2008
    #
    # a) Switch on port forwarding for your server
    # Ensure port forwarding is actually switched on - other wise nothing works
    # Having it in this script ensures the setting survives a reboot
    # This is working on Ubutu/Debian. Check the filesystem and doku of your
    # favourite Linux distro that this switch exixts and is valid
    echo 1 > /proc/sys/net/ipv4/ip_forward
    #
    # b) Enable port forwardiing to an address outside your external network
    # (i.e. to a VPN network address or an external server)
    # The line below enables forwarding to tunnel connected severs
    # (i.e. servers connected through a VPN network)
    /sbin/iptables -A POSTROUTING --table nat -o tun+ -j MASQUERADE
    # The line below enables forwarding to external severs
    # /sbin/iptables -A POSTROUTING --table nat -o eth0 -j MASQUERADE
    #########################################################################
    #
    # Settings:
    #
    # 1) IP_FORWARDS (all OSes/kernel versions)
    #
    # List your port forwarding info here. This should be a whitespace
    # separated list. Each item in the list should be be a hyphen-separated
    # list including the following, in this order
    # - interface name, e.g. "eth0" (blank for all)
    # - destination address, e.g. "192.168.1.1" for the single
    #   address 192.168.1.1, "0.0.0.0" for any address, etc.
    #   (this address may contain a netmask, e.g. 192.168.1.1/24)
    # - the destination port number, e.g. "80" for standard HTTP
    # - the protocol type or number, e.g. "tcp"
    # - the forwarding service address, e.g. "172.19.1.2"
    # - the forwarding service port, e.g. "8000"
    #
    # Example:
    #   IP_FORWARDS="eth0-0.0.0.0-80-tcp-172.19.1.2-8000"
    #  This says we only have one forwarding rule to establish. Any TCP
    #  traffic destined for any address bound to the "eth0" interface's port
    #  80 will be forwarded to TCP port 8000 of 172.19.1.2. This is a typical
    #  rule for a site that wants to run its Web server on an internal
    #  machine, using a high port so the Web server can be started by a
    #  non-root user. Whether the forwarding or running on a high port are
    #  a *good* idea is a question we won't address here.
    #
    IP_FORWARDS="eth0-1.2.3.4-8004-tcp-10.8.0.4-8080 eth0-1.2.3.4-8005-tcp-10.8.0.5-8080"
    #
    #
    # 2) IPFWADM (Linux 2.2/ipchains only)
    #
    #
    # For 2.2-based kernels, where is ipfwadm?
    IPFWADM="/sbin/ipfwadm"
    #
    if [ -z "${IPCHAINS}" -a -z "${IPTABLES}" ]; then
      echo "Error: only good for iptables or ipchains/ipfwadm" > /dev/stderr
    elif [ -n "${IPCHAINS}" -a \( \! -x "${IPFWADM}" \) ]; then
      echo "Please install $IPFWADM for forwarding with 2.2/ipchains systems" >/dev/stderr
    else
      if [ -n "${IPCHAINS}" -a \( -x "${IPFWADM}" \) ]; then
        # flush ipfwadm rules
        ${IPFWADM} portfw -f
      fi
      for fw_rule in ${IP_FORWARDS} ; do
        # ugly awk hack
        fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'`
        fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'`
        fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'`
        fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'`
        fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'`
        fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'`
    
        if [ -n "${fw_iface}" ]; then
          # we have an interface specified
          if [ -n "${IPTABLES}" ]; then
            ${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -i $fw_iface -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
            ${IPTABLES} -A FORWARD -p $fw_inproto -i $fw_iface -d $fw_outaddr --dport $fw_outport -j ACCEPT
            ### debug ###
            #echo "${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -i $fw_iface -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport"
            #echo "${IPTABLES} -A FORWARD -p $fw_inproto -i $fw_iface -d $fw_outaddr --dport $fw_outport -j ACCEPT"
            ### debug ###
          else
            ${IPFWADM} portfw -P $fw_proto -L $fw_inaddr $fw_inport -R $fw_outaddr $fw_outport
          fi
        else
          # apply forward to all interfaces
          if [ -n "${IPTABLES}" ]; then
            ${IPTABLES} -t nat -A PREROUTING -p $fw_inproto  -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
            ${IPTABLES} -A FORWARD -p $fw_inproto  -d $fw_outaddr --dport $fw_outport -j ACCEPT
          else
            # same as ipfwadm rule above, actually
            ${IPFWADM} portfw -P $fw_proto -L $fw_inaddr $fw_inport -R $fw_outaddr $fw_outport
          fi
        fi
      done
    fi
     
  12. just.another.alex

    just.another.alex New Member

    quite nice solutions you have there!

    Hello!
    Long time no hear from you! :)
    Excuse me for too much silence regarding this post!
    All began with you asking for help in the forwarding matter, me trying to help, and in the end...you helped me!

    So, regarding your first solution:
    -you added the MASQUERADE rule for the outgoing packages, so they can find their way back! Correct! I forgot about this in my proposed solution (I guess I considered it enabled by default) :eek:

    Regarding your second solution:
    I didn't know about it! (didn't used Bastille firewall sys). But, it's beautiful! :D
    THANKS for sharing it here!
    :)
    Cheers!
     
  13. id10t

    id10t Member

    Or to just do it on the fly...

    ssh -L8080:$IP:443 username@ubuntuhost

    Then open a browser, go to https://localhost:8080 and you should get it

    Replace $IP of the ddwrt box you are connecting to.

    You can do the same with the "tunneling" dialog in putty from a windows machine.
     

Share This Page