
Ubuntu 16.04 router VPN and rdp


I have been running my own home-brew router for a number of years. My ISP-provided equipment runs in bridge mode, so my own router just connects to their gateway using a public static IP. I also use a VPN service. Everything works fine, but I'm trying to add something new: I have a Windows machine on the LAN behind another router. The LAN is the typical 192.168.0.0/24 network. I can easily RDP to it from any machine on this network. What I want to do, which is new, is RDP in remotely from the internet using the static IP of my router; let's say it is 24.109.2.1 for argument's sake. Even though the VPN is still up and running when I do this, it doesn't seem to be interfering, because tcpdump shows this when I attempt a connection:

10:48:47.655403 IP REMOTE_IP.56432 > 24.109.2.1.3389: Flags [S], seq 4099036643, win 8192, options [mss 1380,nop,nop,sackOK], length 0

I've spent a few days scouring the internet for solutions, but nothing I've tried works, so there seems to be no point in regurgitating all these failed attempts. Rather, I'll provide my current iptables and just ask what rule(s) need to be added to get this working. My interfaces are as follows:

tun0 is the VPN tunnel
enp1s0 is the Ethernet interface to the WAN, and its IP address is 24.109.2.1
enp2s0 is the Ethernet interface to the LAN, and its IP address is 192.168.0.1

The tcpdump command I used to show the arrival of my RDP attempt was:

tcpdump -N -i any "port 3389"

Here are the iptables contents:

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp1s0 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0 -o enp2s0 -j REJECT --reject-with icmp-port-unreachable
*mangle
*nat
-A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE

When the VPN is turned off (which I can't really do any more, since there is live equipment running 24/7 that needs to run anonymously), the tun0 rule is replaced with this rule:

-A POSTROUTING -o enp1s0 -j MASQUERADE

but this rule is absent when the VPN is running.

I am told that when this is sorted out, tcpdump will not only show the incoming RDP attempt, but will also show the modified packet rewritten for the destination machine, 192.168.0.130 ... I have not seen anything other than the incoming RDP attempt with ANYTHING that I've tried.

NOTE: I have flushed all my attempts out of iptables and shown above only the working table that I am starting with, since nothing came close to working so far. It is best not to bias the answers to my question by including attempts that did not work - I want to start fresh.

Note also that I've removed the REAL remote IP above and replaced it with REMOTE_IP, and have altered the real last two octets of the static IP to just .2.1 for security.

Can someone give me something to try and I'll do it and report back with the results? Thanks in advance.

-gt-

tsc_chazz:
What you're looking to do is create a "port forward" rule on port 3389 that accepts connections on your static IP at 3389 and forwards them to your RDP server 192.168.0.130. I will note that creating an open port forward to an RDP server is asking for your network to be inundated with password crack attempts. You haven't said whether your VPN is client or server at the Ubuntu machine; if it's a server I'd recommend establishing a VPN to it from your client machine and routing RDP through that; otherwise I'd consider adding a VPN server to your Ubuntu machine specifically for this.
George Townsend:
The router is running OpenVPN and uses a VPN provider. I plan to use a password-protected website with a CGI script to open RDP for my current IP and close it afterwards. I've tried the forward to no avail, but I will do this again and post the rule and the tcpdump for further help. Thanks.
George Townsend:
@tsc_chazz ... can you be more specific? Looking back over my notes of what I've tried, there were many variations of attempting a forward, including FORWARD and POST/PREROUTING ... can you suggest a specific rule? Thanks.
tsc_chazz:
Unfortunately I can't, because while I'm aware of the general outline, I have never directly tried this. But have you looked at https://serverfault.com/questions/268634/port-forward-openvpn-iptables ?
George Townsend:
I had a look at the link, but it is one of the approaches I already tried. I would have given up long ago, but I do see the attempt arriving in tcpdump, so at least I know I'm able to "sneak" past the VPN. Something is then tossing the packet out, and I don't know what.
George Townsend:
I think the appearance of the arrival of the RDP packet is a red herring. All that means is that it got through the ISP's router and made it into my router. If OpenVPN (running on my own router) grabs the packet and tosses it out so that it never gets a chance to be examined against the rules in iptables, then it is hopeless. The only reason I was pursuing this is that I saw that the packet arrived and (incorrectly) assumed that it made it through OpenVPN. I now don't believe it did. So I think I need to look more closely at OpenVPN and not iptables.
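The port forward the thread is circling, as an added example that is neither the asker's configuration nor the linked answer's. It assumes that tun0 carries the router's default route (so replies from the RDP host, and strict reverse-path filtering on enp1s0, would otherwise push the flow into the tunnel, which is one way to see only the inbound SYN in tcpdump), that the RDP host is 192.168.0.130, and that the ISP gateway address, routing-table number and fwmark value are placeholders; the forward is limited to a single source address, as the asker planned, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not the asker's configuration. Assumptions (not stated in the
# thread): tun0 carries the default route; the RDP host is 192.168.0.130;
# the ISP gateway and the table/mark ids below are placeholders.
WAN_IF=enp1s0
LAN_IF=enp2s0
WAN_IP=24.109.2.1
RDP_HOST=192.168.0.130
RDP_PORT=3389
TABLE=100   # hypothetical policy-routing table id
MARK=0x10   # hypothetical connection mark meaning "arrived via the WAN"

# Print the commands instead of running them so they can be reviewed,
# then piped to sh on the router.
rdp_forward_rules() {
  allowed_src=$1   # the one client allowed in, e.g. REMOTE_IP/32
  wan_gw=$2        # ISP gateway on enp1s0 (from: ip route show dev enp1s0)
  cat <<EOF
# 1. nat/PREROUTING runs before routing: send inbound RDP from the allowed client to the LAN host.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -s $allowed_src -d $WAN_IP --dport $RDP_PORT -j DNAT --to-destination $RDP_HOST:$RDP_PORT
# 2. The existing FORWARD chain rejects NEW packets from enp1s0, so insert the allow rule ahead of it.
iptables -I FORWARD 1 -i $WAN_IF -o $LAN_IF -p tcp -s $allowed_src -d $RDP_HOST --dport $RDP_PORT -m conntrack --ctstate NEW -j ACCEPT
# 3. Remember on the connection that it arrived via the WAN (connmark only: the SYN itself
#    keeps routing via the main table, so it still reaches the LAN).
iptables -t mangle -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $RDP_PORT -j CONNMARK --set-mark $MARK
# 4. Replies from the LAN host would otherwise follow the default route into tun0:
#    copy the connmark onto each reply packet and route marked packets through the WAN table.
iptables -t mangle -A PREROUTING -i $LAN_IF -m connmark --mark $MARK -j CONNMARK --restore-mark
ip route add default via $wan_gw dev $WAN_IF table $TABLE
ip rule add fwmark $MARK table $TABLE
# 5. With strict reverse-path filtering (rp_filter=1) the inbound SYN on enp1s0 is dropped,
#    because the route back to the client points at tun0; loose mode (2) accepts it.
sysctl -w net.ipv4.conf.$WAN_IF.rp_filter=2
EOF
}

# Stand-alone use: sh rdp_forward.sh REMOTE_IP/32 <isp-gateway>
rdp_forward_rules "${1:-REMOTE_IP/32}" "${2:-ISP_GATEWAY}"
```

Once the flow is routed back out enp1s0, tcpdump on enp2s0 should show the DNAT-rewritten SYN to 192.168.0.130 and the SYN-ACK coming back, which is the second packet the asker was told to expect.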