How to access a port via OpenVPN only

Posted by Andy M on Server Fault See other posts from Server Fault or by Andy M
Published on 2012-11-24T16:11:10Z Indexed on 2012/11/24 17:05 UTC


I've set up an OpenVPN server alongside an Apache website that can only be accessed on port 8100 on the same machine. My /etc/openvpn/server.conf file looks like this:

port 1194
proto tcp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key  # This file should be kept secret
dh ./easy-rsa2/keys/dh1024.pem # Diffie-Hellman parameter
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# make sure clients can still connect to the internet
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Now I tried to let only clients connected to the VPN network access the website on Apache via port 8100, so I defined a few iptables rules:

#!/bin/sh
# My system IP/set ip address of server
SERVER_IP="192.168.0.2"
# Flushing all rules
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow incoming access to port 8100 from OpenVPN 10.8.0.1
iptables -A INPUT -i tun0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# outgoing http
iptables -A OUTPUT -o tun0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Now when I connect to the server from my client computer and try to access the website on 192.168.0.2:8100, my browser can't open it. Will I have to forward traffic from tun0 to eth0? Or is there anything else I'm missing?
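The rule set a defender would write for this layout, as an added example and not the poster's script. It assumes eth0 holds 192.168.0.2, tun0 carries the 10.8.0.0/24 pool from the server.conf above, OpenVPN listens on tcp/1194 and the site on tcp/8100; by default it only prints the commands (IPT defaults to "echo iptables") so the policy can be reviewed before it is applied as root with IPT=iptables.

```shell
#!/bin/sh
# Added example: expose tcp/8100 to OpenVPN clients only. Assumed layout:
# LAN interface eth0 (192.168.0.2), VPN interface tun0 (10.8.0.0/24 pool),
# OpenVPN on tcp/1194, web application on tcp/8100.
# Dry run by default: IPT="echo iptables" prints the rules instead of loading them.
IPT="${IPT:-echo iptables}"
LAN_IF="eth0"
VPN_IF="tun0"
VPN_NET="10.8.0.0/24"
VPN_PORT="1194"
APP_PORT="8100"

apply_rules() {
    $IPT -F
    $IPT -X
    # Default deny for inbound and forwarded traffic. OUTPUT stays ACCEPT: a host
    # policy that drops OUTPUT also kills DNS, updates and the VPN's own replies.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, and replies belonging to connections the host already accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The VPN handshake arrives on the LAN interface. Without this rule the
    # INPUT DROP policy cuts clients off before any packet can reach tun0.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$VPN_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # The web application: only new connections that come through the tunnel
    # from the VPN pool. Matching both interface and source means a packet on
    # eth0 with a forged 10.8.0.x source address is still dropped.
    $IPT -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p tcp --dport "$APP_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Everything else aimed at tcp/8100 (for example from the LAN on eth0) falls
    # through to the DROP policy; log a rate-limited sample so misconfigured
    # clients show up in syslog instead of failing silently.
    $IPT -A INPUT -p tcp --dport "$APP_PORT" -m limit --limit 5/min -j LOG --log-prefix "8100-not-via-vpn: "
}

apply_rules
```

Because of "redirect-gateway def1" the client sends 192.168.0.2 through the tunnel, so it reaches INPUT on tun0; a client sitting on the same 192.168.0.0/24 LAN would instead reach eth0 directly and be dropped, which is why pointing clients at the server's tunnel address 10.8.0.1 is the more robust choice.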
