HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (
-   Installation/Configuration (
-   -   https access to remote OpenVPN clients via OpenVPn server (

chillifire 4th June 2008 03:04

http access to remote OpenVPN clients via OpenVPn server

The situation:
I have a number of OpenWRT (Linux distro for embedded devices) based routers out there, which I manage via Ubuntu 8.04 LINUX server they all connect to. The Ubuntu server has a public IP address, the router do not. To be able to address them the Ubuntu server is running an OpenVPN server, the routers connect to the server on start-up. I can ping and ssh into the routers from my server - no problem.

What I want to achieve:
The routers have a web GUI which is accessed via normal http. I would like to connect remotely to the routers' web interface through a browser. I would like to do so without having to have OpenVPN installed on the accessing PC/workstation. This would obviously have to work through the Ubuntu server, as only the Ubuntu server with the OpenVPN server has any knowledge of the OpenVPN network and clients.

I figure this should be possible with port and/or IP forwarding, once I am connected via http or https to the Ubuntu server, but I do not understand enough about networking to make this happen.

Can anyone provide some ideas/hints how this can be achieved?

Any input is welcome.


chillifire 7th June 2008 23:12

No one?
Hi forume members,

151 readers and no one has any idea how this could be achieved? Come on folks, you are better, than that. Can anyone give me a hint how this could be achieved? should something like this not be possible with ip forwarding and masquerading?

just.another.alex 8th June 2008 01:13

Hello, I can give a solution to you, but since you gave relatively little info about the configuration of the network, I'll assume some things.
So, assuming that your Ubuntu server is a gateway between Internet and some local network(the IPs of the VPN are also "private" IPs), this meaning that an iptables nat/masquerade script is running on the server, you can use "iptables" to make your OpenWRT routers' web interfaces available from outside.

For illustrating the solution, I'll consider that your OpenWRT routers have IPs of the form 10.1.99.*, and that your Ubuntu server is accesible from Internet with, let's say "" host name. I'm also assuming that you'd need access to web-interface of two of your routers, with IPs and
In the firewall script, add the following lines:


#access OpenWRT-1 router on the port 5678 of your Ubuntu server
$IPTABLES -t nat -A PREROUTING  -d $IP_INET -p tcp --dport 5678 -j DNAT --to-destination
$IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 5678 -j DNAT --to-destination
$IPTABLES -t nat -A POSTROUTING -p tcp -d --dport 80 -j SNAT  --to-source $IP_LAN

#access OpenWRT-2 router on the port 7890 of your Ubuntu server
$IPTABLES -t nat -A PREROUTING  -d $IP_INET -p tcp --dport 7890 -j DNAT --to-destination
$IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 7890 -j DNAT --to-destination
$IPTABLES -t nat -A POSTROUTING -p tcp -d --dport 80 -j SNAT  --to-source $IP_LAN

The variable IP_INET should contain the public IP of your Ubuntu server(the IP that ISP gave to you), and the variable IP_LAN should contain the private IP of your Ubuntu server(the IP of the gateway used by your internal network hosts).

After you'll run the firewall script modified as shown above, you should be able to connect to your web-interfaces of your routers, by simply pointing a web-browser to:
(your first OpenWRT router, with vpn ip)

(your second OpenWRT router, with vpn ip)

The iptables code above simply forwarded ports 5678 and 7890 of your Ubuntu to ports 80 of your OpenWRT-1 router, respectively OpenWRT-2 router.
Good luck! :)

just.another.alex 8th June 2008 01:16

:)) last notice:
The variable IPTABLES used in the post above can be replace with your /sbin/iptables(very possible to be exact) program on your Ubuntu server.
Too much bash scripting from me :P

chillifire 8th June 2008 02:30

not quite the setup I thought I described :-)
2 Attachment(s)
Thanks for the response. This describes a scenario similar to what I am looking for. Well, I thought I was reasonably clear, but may be I was not.

So here is a diagram of the network setup and a second diagram of the request handling I am thinking of. Don't worry about the iptables magic that has to happen on the router. There is tons of info out there on that, so that I can handle.

But what has to be configured with IPTABLES or otherwise on the Ubuntu server (the one in the middel of the diagram with address Does the setup shown in the diagrams require a change in the solution proposed above? I should think so, but what does it look like?

So let me try and understand the lines from above:

IPTABLES -t nat -A PREROUTING  -d $IP_INET -p tcp --dport 5678 -j DNAT --to-destination
so here you are doing the forwarding and I guess to saty with my example this should be something like:

IPTABLES -t nat -A PREROUTING  -d -p tcp --dport u -j DNAT --to-destination 10.8.x.b:8080
OK, so I guess

$IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 5678 -j DNAT --to-destination
should become

$IPTABLES -t nat -A OUTPUT -p tcp -d --dport u -j DNAT --to-destination 10.1.x.b:8080
I am not sure why I need this rule, so would appreciate some enlightenment. :) And why is there no FORWARD rule? The noob I am in this I would have assumed I need a FORWARD rule to , well, basically forward. Is that not so? and why not?
and with

$IPTABLES -t nat -A POSTROUTING -p tcp -d --dport 80 -j SNAT  --to-source $IP_LAN
you totally surpas my understanding. What is that rule achieving? And since there is no local network involved there is no sensible value for $IP_LAN I can make out in my own mind. Does that mean this rule is superflous for my scenario?

Thanks again for bothering to respond. I would be greatful, if you could stick with me and maybe I am a bit clearer on what I am trying to achieve now, so you can give some further advice.



just.another.alex 8th June 2008 14:19

Hello again!
OK, now I have enough information to tell you a real solution.
First, let me explain the last iptables line, the one that "totally surpas" your understanding:


$IPTABLES -t nat -A POSTROUTING -p tcp -d --dport 80 -j SNAT  --to-source $IP_LAN
The line above works when the server(Ubuntu server in your case) is a gateway between a LAN and the Internet. And the role of the line is to provide what is called "complete forwarding", meaning that a specific port forward is available from outside as well as from the LAN behind the server.
Since you don't have a LAN behind your Ubuntu server, you can IGNORE that line completely! Don't think about it anymore...;)

So, with the information that you provided, I can say that the solution you created, by replacing the generic port numbers I gave with your port numbers, is CORRECT!
I'll list it once again, for the sake of completness :D


IPTABLES -t nat -A PREROUTING  -d -p tcp --dport u -j DNAT --to-destination 10.8.x.b:8080
$IPTABLES -t nat -A OUTPUT -p tcp -d --dport u -j DNAT --to-destination 10.1.x.b:8080

Put this in a text file, make that file executable, execute it as a bash script, and the connection to your OpenWRT router 10.8.x.b:8080 should work from a remote PC by typing "" in your browser.

Add a pair of iptabes for each router, be sure you modify the "u" port and 10.8.x.x IPs to be different for each router, and you'll be able to manage all your routers remotely!

Waiting to hear the results from you! ;)

chillifire 9th June 2008 10:00

Dealing with next problem
Thank you for your response just.another.alex

I have tried to implement it, but ran into problems getting these two new rules into the Bastille firewall manager (see here). So for the moment I cannot really give feedback but I will be in touch once I can test the solution. I will be in touch ...

chillifire 10th June 2008 00:41

No cigar
this did not work once installed, even with the firewall otherwise switched off and completely open - for 30 secs :D - with only those two entries.

Now, can you recommend an analytic tool, that I could use on my Ubuntu server to see how traffic is flowing and why and where the traffic forwarding fails?

just.another.alex 10th June 2008 01:24

Hello again!
I'm surprised it didn't worked. I managed to forward a port from a real IP to a VPN station, by adding those two iptables rules to the existing firewall script.
Did you specifically check that the rules were written syntactically correct, and that they can be seen with "iptables -t nat -L" ?
What's the default policy of iptables, on your Ubuntu system? (ACCEPT or DENY/DROP)

For now, I think that checking the stuff i've written above could be helpful.
If the stuff it's correct, and forward still dont work maybe you should begin traffic analysis.
For this, I recommend the following tools: tcpdump(it's a command line tool) or wireshark(aka ethereal), which is a GUI tool.

And, as an alternative solution for forwarding, you can use ssh, or putty. There are tutorials on the Internet about this topic.
Good luck!

chillifire 10th June 2008 06:31

Output of the test
After trying several solutions adding the following to my iptables did the trick:


# allows forwarded packages to go through the firewall, which otherwise only allows established connections to be forwarded
iptables -A FORWARD -o tun+ -j ACCEPT
# this the magic that does the IP address and port translation - obviouslys you need one for every router
iptables -A PREROUTING --table nat -d -p tcp --dport 8004 -j DNAT --to-destination
iptables -A PREROUTING --table nat -d -p tcp --dport 8005 -j DNAT --to-destination
iptables -A PREROUTING --table nat -d -p tcp --dport 8006 -j DNAT --to-destination
iptables -A PREROUTING --table nat -d -p tcp --dport 8007 -j DNAT --to-destination
# you'll need one generic rule so that the pakets can find their way back properly
iptables -A POSTROUTING --table nat -o tun+ -j MASQUERADE

I got the hint with the postrouting from the Ubuntu forums, the Forwarding filter ACCEPT was my addition. I begin to understand what is going on here. Scary :0

All times are GMT +2. The time now is 08:38.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.