OpenVPN, SSH and Apache to local LAN

I have a firewall/OpenVPN server which has three network interfaces: one public and two private, each on a different network.

I would like to do two things:

  • Forward the HTTP stream to Apache servers that are in both networks
  • Be able to connect over SSH to each of these servers.

Here is my firewall iptables config:

# Generated by xtables-save v1.8.2 on Wed Jan 18 10:46:58 2023
*mangle
:PREROUTING ACCEPT [4193126:502857262]
:INPUT ACCEPT [4119886:457643549]
:FORWARD ACCEPT [73236:45213425]
:OUTPUT ACCEPT [3693537:3871171982]
:POSTROUTING ACCEPT [3765254:3916290323]
COMMIT
# Completed on Wed Jan 18 10:46:58 2023
# Generated by xtables-save v1.8.2 on Wed Jan 18 10:46:58 2023
*raw
:PREROUTING ACCEPT [4193126:502857262]
:OUTPUT ACCEPT [3693537:3871171982]
COMMIT
# Completed on Wed Jan 18 10:46:58 2023
# Generated by xtables-save v1.8.2 on Wed Jan 18 10:46:58 2023
*nat
:PREROUTING ACCEPT [1024383:44878945]
:INPUT ACCEPT [979336:41726815]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [113573:8314461]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.167
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.167
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.223
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.223
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Wed Jan 18 10:46:58 2023
# Generated by xtables-save v1.8.2 on Wed Jan 18 10:46:58 2023
*filter
:INPUT DROP [147979:7290253]
:FORWARD DROP [354:19913]
:OUTPUT DROP [1106:71865]
:LOGACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/sec --limit-burst 30 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22185 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m multiport --dports 67,68 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 1/hour -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.8.20.0/24 -d 192.168.10.0/24 -i tun0 -j ACCEPT
-A FORWARD -s 10.8.10.0/24 -d 192.168.0.0/24 -i tun0 -j ACCEPT
-A FORWARD -s 10.8.10.0/24 -d 192.168.10.0/24 -i tun0 -j ACCEPT
-A FORWARD -s 10.8.20.0/24 -d 192.168.0.0/24 -i tun0 -j DROP
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o eth2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.223/32 -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -d 192.168.10.167/32 -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -d 192.168.0.206/32 -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -d 192.168.0.2/32 -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -d 192.168.0.63/32 -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22185 -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 1197,1198,1199 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 1197,1198,1199 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 67,68 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -s 192.168.10.0/24 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A LOGACCEPT -m limit --limit 2/min -j LOG --log-prefix "iptables:"
-A LOGACCEPT -j ACCEPT
COMMIT

and that of my OpenVPN server:

local XXX.XXX.XXX.XXX
port 1194
proto tcp
dev tun

# Misc
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
status /var/log/openvpn/status.log
verb 5
tcp-queue-limit 256

# Openvpn certs
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
cipher AES-256-CBC
crl-verify crl.pem

# Network
topology subnet
mode server
server 10.8.0.0 255.255.255.0
keepalive 10 120
### DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.222.22"
push "dhcp-option DNS 192.168.0.94"
push "dhcp-option DNS 213.186.33.99"
#ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"

### Clients
client-config-dir /etc/openvpn/ccd
###### sysadmin
route 10.8.10.0 255.255.255.0
###### dev
route 10.8.20.0 255.255.255.0

### Private network
client-to-client
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"

But it doesn't work: although I'm properly connected to the VPN, I don't have access to my servers (and this configuration works on another firewall). I don't see what is blocking.

Thanks for any help
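When a ruleset like the one above grows by appending rules, a common source of "I don't see what is blocking" is rule order: iptables evaluates a chain top to bottom and the first terminating match decides, so a later rule whose conditions are already covered by an earlier ACCEPT, DROP or DNAT rule can never fire. The following script is an added example, not code from the original post; it reads iptables-save output and reports rules that an earlier terminating rule in the same chain already decides. The embedded dump is a constructed sample modelled on the question's rules (two DNATs for the same port on eth0, a `--state ESTABLISHED` rule after a `--state RELATED,ESTABLISHED` one, a repeated `--dport 80` ACCEPT). The analysis is deliberately conservative: it treats match values literally (no CIDR containment, no port-range logic), so it reports only cases where the earlier rule's conditions are textually implied by the later rule's.

```python
"""Report iptables rules that an earlier terminating rule in the same chain
already decides (added example; not part of the original post)."""
import shlex
from collections import defaultdict

# Targets that end evaluation of the chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE",
               "REDIRECT", "RETURN"}

# Constructed sample in iptables-save format, modelled on the question's dump.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.167
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.223
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Split one '-A CHAIN ...' line into (chain, matches, target).

    matches is a list of (option, value) pairs taken from everything before
    -j/-g; a '!' is folded into the option name so negated and plain forms
    never compare equal. target is the text after -j/-g (e.g. 'ACCEPT' or
    'DNAT --to-destination 192.168.10.167')."""
    tokens = shlex.split(line)
    chain = tokens[1]
    matches, target = [], None
    i, negate = 2, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok in ("-j", "-g"):
            target = " ".join(tokens[i + 1:])
            break
        opt, negate = ("!" if negate else "") + tok, False
        i += 1
        args = []
        while i < len(tokens) and not tokens[i].startswith("-") and tokens[i] != "!":
            args.append(tokens[i])
            i += 1
        matches.append((opt, " ".join(args)))
    return chain, matches, target


def covers(value_a, value_b):
    """True when comma-list value_a contains every element of value_b
    ('RELATED,ESTABLISHED' covers 'ESTABLISHED'); plain values must be equal."""
    return set(value_b.split(",")) <= set(value_a.split(","))


def shadows(earlier, later):
    """True when every condition of `earlier` is also required by `later`,
    so any packet that could reach `later` was already decided by `earlier`."""
    return all(any(o == opt and covers(val, v) for o, v in later)
               for opt, val in earlier)


def find_shadowed(dump):
    """Return (table, chain, kind, rule, earlier_rule) for every rule that an
    earlier terminating rule in the same chain makes unreachable. kind is
    'redundant' when both rules have the same target and 'conflicting' when
    the earlier rule decides differently (the dangerous case)."""
    table, findings = None, []
    seen = defaultdict(list)  # (table, chain) -> [(line, matches, target)]
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            chain, matches, target = parse_rule(line)
            for prev_line, prev_matches, prev_target in seen[(table, chain)]:
                if prev_target.split()[0] in TERMINATING and shadows(prev_matches, matches):
                    kind = "redundant" if prev_target == target else "conflicting"
                    findings.append((table, chain, kind, line, prev_line))
                    break
            seen[(table, chain)].append((line, matches, target))
    return findings


if __name__ == "__main__":
    for table, chain, kind, rule, earlier in find_shadowed(SAMPLE):
        print(f"[{table}/{chain}] {kind}:\n    {rule}\n  never reached because of\n    {earlier}")
```

Run it against a live box with `iptables-save | python3 check_shadow.py` after replacing `SAMPLE` with `sys.stdin.read()`. On the sample it flags the second port-80 DNAT as conflicting (every port-80 connection from eth0 goes to the first destination) and the two filter rules as redundant; the blanket `-A POSTROUTING -j MASQUERADE` is not flagged, because it is broader than the rule before it rather than covered by it, which is a separate question of whether masquerading every forwarded flow is intended.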
