http access to remote OpenVPN clients via OpenVPn server Hi, The situation: I have a number of OpenWRT (Linux distro for embedded devices) based routers out there, which I manage via Ubuntu 8.04 LINUX server they all connect to. The Ubuntu server has a public IP address, the router do not. To be able to address them the Ubuntu server is running an OpenVPN server, the routers connect to the server on start-up. I can ping and ssh into the routers from my server - no problem. What I want to achieve: The routers have a web GUI which is accessed via normal http. I would like to connect remotely to the routers' web interface through a browser. I would like to do so without having to have OpenVPN installed on the accessing PC/workstation. This would obviously have to work through the Ubuntu server, as only the Ubuntu server with the OpenVPN server has any knowledge of the OpenVPN network and clients. I figure this should be possible with port and/or IP forwarding, once I am connected via http or https to the Ubuntu server, but I do not understand enough about networking to make this happen. Can anyone provide some ideas/hints how this can be achieved? Any input is welcome. Cheers
No one? Hi forume members, 151 readers and no one has any idea how this could be achieved? Come on folks, you are better, than that. Can anyone give me a hint how this could be achieved? should something like this not be possible with ip forwarding and masquerading?
Hello, I can give a solution to you, but since you gave relatively little info about the configuration of the network, I'll assume some things. So, assuming that your Ubuntu server is a gateway between Internet and some local network(the IPs of the VPN are also "private" IPs), this meaning that an iptables nat/masquerade script is running on the server, you can use "iptables" to make your OpenWRT routers' web interfaces available from outside. For illustrating the solution, I'll consider that your OpenWRT routers have IPs of the form 10.1.99.*, and that your Ubuntu server is accesible from Internet with, let's say "my-ubuntu-server.org" host name. I'm also assuming that you'd need access to web-interface of two of your routers, with IPs 10.1.99.10 and 10.1.99.20 In the firewall script, add the following lines: Code: #access OpenWRT-1 router on the port 5678 of your Ubuntu server $IPTABLES -t nat -A PREROUTING -d $IP_INET -p tcp --dport 5678 -j DNAT --to-destination 10.1.99.10:80 $IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 5678 -j DNAT --to-destination 10.1.99.10:80 $IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.10 --dport 80 -j SNAT --to-source $IP_LAN #access OpenWRT-2 router on the port 7890 of your Ubuntu server $IPTABLES -t nat -A PREROUTING -d $IP_INET -p tcp --dport 7890 -j DNAT --to-destination 10.1.99.20:80 $IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 7890 -j DNAT --to-destination 10.1.99.20:80 $IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.20 --dport 80 -j SNAT --to-source $IP_LAN The variable IP_INET should contain the public IP of your Ubuntu server(the IP that ISP gave to you), and the variable IP_LAN should contain the private IP of your Ubuntu server(the IP of the gateway used by your internal network hosts). After you'll run the firewall script modified as shown above, you should be able to connect to your web-interfaces of your routers, by simply pointing a web-browser to: http://my-ubuntu-server.org:5678 (your first OpenWRT router, with 10.1.99.10 vpn ip) or http://my-ubuntu-server.org:7890 (your second OpenWRT router, with 10.1.99.20 vpn ip) The iptables code above simply forwarded ports 5678 and 7890 of your Ubuntu to ports 80 of your OpenWRT-1 router, respectively OpenWRT-2 router. Good luck!
) And..uhmm..one last notice: The variable IPTABLES used in the post above can be replace with your /sbin/iptables(very possible to be exact) program on your Ubuntu server. Too much bash scripting from me
not quite the setup I thought I described Thanks for the response. This describes a scenario similar to what I am looking for. Well, I thought I was reasonably clear, but may be I was not. So here is a diagram of the network setup and a second diagram of the request handling I am thinking of. Don't worry about the iptables magic that has to happen on the router. There is tons of info out there on that, so that I can handle. But what has to be configured with IPTABLES or otherwise on the Ubuntu server (the one in the middel of the diagram with address 1.2.3.4)? Does the setup shown in the diagrams require a change in the solution proposed above? I should think so, but what does it look like? So let me try and understand the lines from above: Code: IPTABLES -t nat -A PREROUTING -d $IP_INET -p tcp --dport 5678 -j DNAT --to-destination 10.1.99.10:80 so here you are doing the forwarding and I guess to saty with my example this should be something like: Code: IPTABLES -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport u -j DNAT --to-destination 10.8.x.b:8080 Right? OK, so I guess Code: $IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 5678 -j DNAT --to-destination 10.1.99.10:80 should become Code: $IPTABLES -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport u -j DNAT --to-destination 10.1.x.b:8080 Right? I am not sure why I need this rule, so would appreciate some enlightenment. And why is there no FORWARD rule? The noob I am in this I would have assumed I need a FORWARD rule to , well, basically forward. Is that not so? and why not? and with Code: $IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.10 --dport 80 -j SNAT --to-source $IP_LAN you totally surpas my understanding. What is that rule achieving? And since there is no local network involved there is no sensible value for $IP_LAN I can make out in my own mind. Does that mean this rule is superflous for my scenario? Thanks again for bothering to respond. I would be greatful, if you could stick with me and maybe I am a bit clearer on what I am trying to achieve now, so you can give some further advice. Cheers chillifire
Hello again! OK, now I have enough information to tell you a real solution. First, let me explain the last iptables line, the one that "totally surpas" your understanding: Code: $IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.10 --dport 80 -j SNAT --to-source $IP_LAN The line above works when the server(Ubuntu server in your case) is a gateway between a LAN and the Internet. And the role of the line is to provide what is called "complete forwarding", meaning that a specific port forward is available from outside as well as from the LAN behind the server. Since you don't have a LAN behind your Ubuntu server, you can IGNORE that line completely! Don't think about it anymore... So, with the information that you provided, I can say that the solution you created, by replacing the generic port numbers I gave with your port numbers, is CORRECT! I'll list it once again, for the sake of completness Code: IPTABLES -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport u -j DNAT --to-destination 10.8.x.b:8080 $IPTABLES -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport u -j DNAT --to-destination 10.1.x.b:8080 Put this in a text file, make that file executable, execute it as a bash script, and the connection to your OpenWRT router 10.8.x.b:8080 should work from a remote PC by typing "http://1.2.3.4:u" in your browser. Add a pair of iptabes for each router, be sure you modify the "u" port and 10.8.x.x IPs to be different for each router, and you'll be able to manage all your routers remotely! Waiting to hear the results from you!
Dealing with next problem Thank you for your response just.another.alex I have tried to implement it, but ran into problems getting these two new rules into the Bastille firewall manager (see here). So for the moment I cannot really give feedback but I will be in touch once I can test the solution. I will be in touch ...
No cigar Hi, this did not work once installed, even with the firewall otherwise switched off and completely open - for 30 secs - with only those two entries. Now, can you recommend an analytic tool, that I could use on my Ubuntu server to see how traffic is flowing and why and where the traffic forwarding fails?
Hello again! I'm surprised it didn't worked. I managed to forward a port from a real IP to a VPN station, by adding those two iptables rules to the existing firewall script. Did you specifically check that the rules were written syntactically correct, and that they can be seen with "iptables -t nat -L" ? What's the default policy of iptables, on your Ubuntu system? (ACCEPT or DENY/DROP) For now, I think that checking the stuff i've written above could be helpful. If the stuff it's correct, and forward still dont work maybe you should begin traffic analysis. For this, I recommend the following tools: tcpdump(it's a command line tool) or wireshark(aka ethereal), which is a GUI tool. And, as an alternative solution for forwarding, you can use ssh, or putty. There are tutorials on the Internet about this topic. Good luck!
Output of the test After trying several solutions adding the following to my iptables did the trick: Code: # allows forwarded packages to go through the firewall, which otherwise only allows established connections to be forwarded iptables -A FORWARD -o tun+ -j ACCEPT # this the magic that does the IP address and port translation - obviouslys you need one for every router iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8004 -j DNAT --to-destination 10.8.0.4:8080 iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8005 -j DNAT --to-destination 10.8.0.5:8080 iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8006 -j DNAT --to-destination 10.8.0.6:8080 iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080 # you'll need one generic rule so that the pakets can find their way back properly iptables -A POSTROUTING --table nat -o tun+ -j MASQUERADE I got the hint with the postrouting from the Ubuntu forums, the Forwarding filter ACCEPT was my addition. I begin to understand what is going on here. Scary :0
Even better solution ... I can now offer a better solution that is based on a script from the Bastille guys as well (see code below). What I added was the MASQUERADE rule and the switch that ensures that port forwarding is actually activated on your LINUX server (tested for Ubuntu/Debian, please check with your LINUX distro the same switch exists in the same location or adjust the script accordingly in the line starting with "echo 1 > ...". Other than being fully compliant with iptables and Bastille the script offers the additional advantage that only port forwarding for explicitly specificied ports is opened, as opposed to the entire tun+ interfaces as was done in my solution. Here goes: Code: mkdir /etc/Bastille/firewall.d mkdir /etc/Bastille/firewall.d/pre-chain-split.d touch portforward.sh chmod 755 /etc/Bastille/firewall.d/pre-chain-split.d/portforward.sh Now copy all the following code into the file portforward.sh The magic is happening in the lines under item 1. Adjust to suit your port forwarding needs. The explanation in the script should be quite sufficient. This script should be able to handle port forwarding within your network, to connected VPN networks, and to external servers (the latter may require the activation of another line in the script under section0 in some cases). Code: # portforward.sh # # designed for bastille-firewall # Copyright (c) 2002 Peter Watkins # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # place in /etc/Bastille/firewall.d/pre-chain-split.d # as portforward.sh (directory name and .sh suffix are critical) # ########################################################################### # 0) Addition to Peter Watkins script by Hanno Scihupp July 2008 # # a) Switch on port forwarding for your server # Ensure port forwarding is actually switched on - other wise nothing works # Having it in this script ensures the setting survives a reboot # This is working on Ubutu/Debian. Check the filesystem and doku of your # favourite Linux distro that this switch exixts and is valid echo 1 > /proc/sys/net/ipv4/ip_forward # # b) Enable port forwardiing to an address outside your external network # (i.e. to a VPN network address or an external server) # The line below enables forwarding to tunnel connected severs # (i.e. servers connected through a VPN network) /sbin/iptables -A POSTROUTING --table nat -o tun+ -j MASQUERADE # The line below enables forwarding to external severs # /sbin/iptables -A POSTROUTING --table nat -o eth0 -j MASQUERADE ######################################################################### # # Settings: # # 1) IP_FORWARDS (all OSes/kernel versions) # # List your port forwarding info here. This should be a whitespace # separated list. Each item in the list should be be a hyphen-separated # list including the following, in this order # - interface name, e.g. "eth0" (blank for all) # - destination address, e.g. "192.168.1.1" for the single # address 192.168.1.1, "0.0.0.0" for any address, etc. # (this address may contain a netmask, e.g. 192.168.1.1/24) # - the destination port number, e.g. "80" for standard HTTP # - the protocol type or number, e.g. "tcp" # - the forwarding service address, e.g. "172.19.1.2" # - the forwarding service port, e.g. "8000" # # Example: # IP_FORWARDS="eth0-0.0.0.0-80-tcp-172.19.1.2-8000" # This says we only have one forwarding rule to establish. Any TCP # traffic destined for any address bound to the "eth0" interface's port # 80 will be forwarded to TCP port 8000 of 172.19.1.2. This is a typical # rule for a site that wants to run its Web server on an internal # machine, using a high port so the Web server can be started by a # non-root user. Whether the forwarding or running on a high port are # a *good* idea is a question we won't address here. # IP_FORWARDS="eth0-1.2.3.4-8004-tcp-10.8.0.4-8080 eth0-1.2.3.4-8005-tcp-10.8.0.5-8080" # # # 2) IPFWADM (Linux 2.2/ipchains only) # # # For 2.2-based kernels, where is ipfwadm? IPFWADM="/sbin/ipfwadm" # if [ -z "${IPCHAINS}" -a -z "${IPTABLES}" ]; then echo "Error: only good for iptables or ipchains/ipfwadm" > /dev/stderr elif [ -n "${IPCHAINS}" -a \( \! -x "${IPFWADM}" \) ]; then echo "Please install $IPFWADM for forwarding with 2.2/ipchains systems" >/dev/stderr else if [ -n "${IPCHAINS}" -a \( -x "${IPFWADM}" \) ]; then # flush ipfwadm rules ${IPFWADM} portfw -f fi for fw_rule in ${IP_FORWARDS} ; do # ugly awk hack fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'` fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'` fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'` fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'` fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'` fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'` if [ -n "${fw_iface}" ]; then # we have an interface specified if [ -n "${IPTABLES}" ]; then ${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -i $fw_iface -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport ${IPTABLES} -A FORWARD -p $fw_inproto -i $fw_iface -d $fw_outaddr --dport $fw_outport -j ACCEPT ### debug ### #echo "${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -i $fw_iface -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport" #echo "${IPTABLES} -A FORWARD -p $fw_inproto -i $fw_iface -d $fw_outaddr --dport $fw_outport -j ACCEPT" ### debug ### else ${IPFWADM} portfw -P $fw_proto -L $fw_inaddr $fw_inport -R $fw_outaddr $fw_outport fi else # apply forward to all interfaces if [ -n "${IPTABLES}" ]; then ${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport ${IPTABLES} -A FORWARD -p $fw_inproto -d $fw_outaddr --dport $fw_outport -j ACCEPT else # same as ipfwadm rule above, actually ${IPFWADM} portfw -P $fw_proto -L $fw_inaddr $fw_inport -R $fw_outaddr $fw_outport fi fi done fi
quite nice solutions you have there! Hello! Long time no hear from you! Excuse me for too much silence regarding this post! All began with you asking for help in the forwarding matter, me trying to help, and in the end...you helped me! So, regarding your first solution: -you added the MASQUERADE rule for the outgoing packages, so they can find their way back! Correct! I forgot about this in my proposed solution (I guess I considered it enabled by default) Regarding your second solution: I didn't know about it! (didn't used Bastille firewall sys). But, it's beautiful! THANKS for sharing it here! Cheers!
Or to just do it on the fly... ssh -L8080:$IP:443 username@ubuntuhost Then open a browser, go to https://localhost:8080 and you should get it Replace $IP of the ddwrt box you are connecting to. You can do the same with the "tunneling" dialog in putty from a windows machine.