  #1  
Old 4th June 2008, 02:04
chillifire
http access to remote OpenVPN clients via OpenVPN server

Hi,

The situation:
I have a number of OpenWRT (Linux distro for embedded devices) based routers out there, which I manage via an Ubuntu 8.04 Linux server they all connect to. The Ubuntu server has a public IP address, the routers do not. To be able to address them the Ubuntu server is running an OpenVPN server, and the routers connect to the server on start-up. I can ping and ssh into the routers from my server - no problem.

What I want to achieve:
The routers have a web GUI which is accessed via normal http. I would like to connect remotely to the routers' web interface through a browser. I would like to do so without having to have OpenVPN installed on the accessing PC/workstation. This would obviously have to work through the Ubuntu server, as only the Ubuntu server with the OpenVPN server has any knowledge of the OpenVPN network and clients.

I figure this should be possible with port and/or IP forwarding, once I am connected via http or https to the Ubuntu server, but I do not understand enough about networking to make this happen.

Can anyone provide some ideas/hints on how this can be achieved?

Any input is welcome.

Cheers

Last edited by chillifire; 4th June 2008 at 03:58.
  #2  
Old 7th June 2008, 22:12
chillifire
No one?

Hi forum members,

151 readers and no one has any idea how this could be achieved? Come on folks, you are better than that. Can anyone give me a hint how this could be achieved? Should something like this not be possible with IP forwarding and masquerading?
  #3  
Old 8th June 2008, 00:13
just.another.alex

Hello, I can give a solution to you, but since you gave relatively little info about the configuration of the network, I'll assume some things.
So, assuming that your Ubuntu server is a gateway between the Internet and some local network (the IPs of the VPN are also "private" IPs), meaning that an iptables nat/masquerade script is running on the server, you can use "iptables" to make your OpenWRT routers' web interfaces available from outside.

For illustrating the solution, I'll consider that your OpenWRT routers have IPs of the form 10.1.99.*, and that your Ubuntu server is accessible from the Internet with, let's say, the "my-ubuntu-server.org" host name. I'm also assuming that you'd need access to the web interface of two of your routers, with IPs 10.1.99.10 and 10.1.99.20.
In the firewall script, add the following lines:

Code:
#access OpenWRT-1 router on the port 5678 of your Ubuntu server
$IPTABLES -t nat -A PREROUTING  -d $IP_INET -p tcp --dport 5678 -j DNAT --to-destination 10.1.99.10:80
$IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 5678 -j DNAT --to-destination 10.1.99.10:80
$IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.10 --dport 80 -j SNAT  --to-source $IP_LAN

#access OpenWRT-2 router on the port 7890 of your Ubuntu server
$IPTABLES -t nat -A PREROUTING  -d $IP_INET -p tcp --dport 7890 -j DNAT --to-destination 10.1.99.20:80
$IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 7890 -j DNAT --to-destination 10.1.99.20:80
$IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.20 --dport 80 -j SNAT  --to-source $IP_LAN
The variable IP_INET should contain the public IP of your Ubuntu server (the IP that your ISP gave to you), and the variable IP_LAN should contain the private IP of your Ubuntu server (the IP of the gateway used by your internal network hosts).

After you run the firewall script modified as shown above, you should be able to connect to the web interfaces of your routers by simply pointing a web browser to:
http://my-ubuntu-server.org:5678
(your first OpenWRT router, with 10.1.99.10 vpn ip)

or
http://my-ubuntu-server.org:7890
(your second OpenWRT router, with 10.1.99.20 vpn ip)

The iptables code above simply forwards ports 5678 and 7890 of your Ubuntu server to port 80 of your OpenWRT-1 and OpenWRT-2 routers respectively.
Good luck!
  #4  
Old 8th June 2008, 00:16
just.another.alex

And..uhmm..one last notice:
The variable IPTABLES used in the post above can be replaced with your /sbin/iptables program (very possibly the exact path) on your Ubuntu server.
Too much bash scripting from me :P
  #5  
Old 8th June 2008, 01:30
chillifire
Not quite the setup I thought I described :-)

Thanks for the response. This describes a scenario similar to what I am looking for. Well, I thought I was reasonably clear, but maybe I was not.

So here is a diagram of the network setup and a second diagram of the request handling I am thinking of. Don't worry about the iptables magic that has to happen on the router. There is tons of info out there on that, so that I can handle.

But what has to be configured with IPTABLES or otherwise on the Ubuntu server (the one in the middle of the diagram with address 1.2.3.4)? Does the setup shown in the diagrams require a change in the solution proposed above? I should think so, but what does it look like?

So let me try and understand the lines from above:
Code:
$IPTABLES -t nat -A PREROUTING  -d $IP_INET -p tcp --dport 5678 -j DNAT --to-destination 10.1.99.10:80
so here you are doing the forwarding and I guess to stay with my example this should be something like:
Code:
$IPTABLES -t nat -A PREROUTING  -d 1.2.3.4 -p tcp --dport u -j DNAT --to-destination 10.8.x.b:8080
Right?
OK, so I guess
Code:
$IPTABLES -t nat -A OUTPUT -p tcp -d $IP_INET --dport 5678 -j DNAT --to-destination 10.1.99.10:80
should become
Code:
$IPTABLES -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport u -j DNAT --to-destination 10.8.x.b:8080
Right?
I am not sure why I need this rule, so I would appreciate some enlightenment. And why is there no FORWARD rule? Noob that I am in this, I would have assumed I need a FORWARD rule to, well, basically forward. Is that not so? And why not?
and with
Code:
$IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.10 --dport 80 -j SNAT  --to-source $IP_LAN
you totally surpass my understanding. What is that rule achieving? And since there is no local network involved, there is no sensible value for $IP_LAN I can make out in my own mind. Does that mean this rule is superfluous for my scenario?

Thanks again for bothering to respond. I would be grateful if you could stick with me; maybe I am a bit clearer on what I am trying to achieve now, so you can give some further advice.

Cheers

chillifire

Last edited by chillifire; 8th June 2008 at 07:19.
  #6  
Old 8th June 2008, 13:19
just.another.alex

Hello again!
OK, now I have enough information to tell you a real solution.
First, let me explain the last iptables line, the one that "totally surpasses" your understanding:

Code:
$IPTABLES -t nat -A POSTROUTING -p tcp -d 10.1.99.10 --dport 80 -j SNAT  --to-source $IP_LAN
The line above works when the server (the Ubuntu server in your case) is a gateway between a LAN and the Internet. The role of the line is to provide what is called "complete forwarding", meaning that a specific port forward is available from outside as well as from the LAN behind the server.
Since you don't have a LAN behind your Ubuntu server, you can IGNORE that line completely! Don't think about it anymore...

So, with the information that you provided, I can say that the solution you created, by replacing the generic port numbers I gave with your port numbers, is CORRECT!
I'll list it once again, for the sake of completeness:

Code:
$IPTABLES -t nat -A PREROUTING  -d 1.2.3.4 -p tcp --dport u -j DNAT --to-destination 10.8.x.b:8080
$IPTABLES -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport u -j DNAT --to-destination 10.8.x.b:8080
Put this in a text file, make that file executable, execute it as a bash script, and the connection to your OpenWRT router 10.8.x.b:8080 should work from a remote PC by typing "http://1.2.3.4:u" in your browser.

Add a pair of iptables rules for each router, be sure you modify the "u" port and 10.8.x.x IPs to be different for each router, and you'll be able to manage all your routers remotely!

Waiting to hear the results from you!
  #7  
Old 9th June 2008, 09:00
chillifire
Dealing with next problem

Thank you for your response just.another.alex

I have tried to implement it, but ran into problems getting these two new rules into the Bastille firewall manager (see here). So for the moment I cannot really give feedback but I will be in touch once I can test the solution. I will be in touch ...
  #8  
Old 9th June 2008, 23:41
chillifire
No cigar

Hi,
This did not work once installed, even with the firewall otherwise switched off and completely open - for 30 secs - with only those two entries.

Now, can you recommend an analysis tool that I could use on my Ubuntu server to see how traffic is flowing and why and where the traffic forwarding fails?
  #9  
Old 10th June 2008, 00:24
just.another.alex

Hello again!
I'm surprised it didn't work. I managed to forward a port from a real IP to a VPN station by adding those two iptables rules to the existing firewall script.
Did you specifically check that the rules were written syntactically correctly, and that they can be seen with "iptables -t nat -L"?
What's the default policy of iptables, on your Ubuntu system? (ACCEPT or DENY/DROP)

For now, I think that checking the stuff I've written above could be helpful.
If the stuff is correct and forwarding still doesn't work, maybe you should begin traffic analysis.
For this, I recommend the following tools: tcpdump (a command line tool) or wireshark (aka ethereal), which is a GUI tool.

And, as an alternative solution for forwarding, you can use ssh, or putty. There are tutorials on the Internet about this topic.
Good luck!
  #10  
Old 10th June 2008, 05:31
chillifire
Output of the test

After trying several solutions adding the following to my iptables did the trick:

Code:
# allows forwarded packets to go through the firewall, which otherwise only allows established connections to be forwarded
iptables -A FORWARD -o tun+ -j ACCEPT
# this is the magic that does the IP address and port translation - obviously you need one for every router
iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8004 -j DNAT --to-destination 10.8.0.4:8080
iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8005 -j DNAT --to-destination 10.8.0.5:8080
iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8006 -j DNAT --to-destination 10.8.0.6:8080
iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
# you'll need one generic rule so that the packets can find their way back properly
iptables -A POSTROUTING --table nat -o tun+ -j MASQUERADE
I got the hint with the postrouting from the Ubuntu forums, the Forwarding filter ACCEPT was my addition. I begin to understand what is going on here. Scary :0

Last edited by chillifire; 10th June 2008 at 07:04.
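The working rule set from the post above, as an added example that is not from the thread: a small generator that emits the DNAT, FORWARD and MASQUERADE rules for a whole table of routers, but with the FORWARD and MASQUERADE rules narrowed to the forwarded flow itself (only TCP to that router's 8080) instead of the blanket `-o tun+` accept, and with an optional source restriction. The public IP 1.2.3.4, the 10.8.0.x VPN addresses, port 8080 and the ADMIN_NET variable are assumed values; ESTABLISHED,RELATED handling is the standard stateful rule, not something the thread shows.

```shell
#!/bin/sh
# Added example, not the thread's own script. Generates iptables commands so
# they can be reviewed (or tested) before being applied as root.
IPT=${IPT:-/sbin/iptables}
# Constructed assumption: restrict who may reach the forwarded ports;
# 0.0.0.0/0 reproduces the thread's "anyone on the Internet" behaviour.
ADMIN_NET=${ADMIN_NET:-0.0.0.0/0}

# Print the three rules for one router: $1=public IP, $2=public port, $3=router VPN IP
rules_for_router() {
  pub_ip=$1; pub_port=$2; vpn_ip=$3
  # rewrite 1.2.3.4:PORT -> 10.8.0.x:8080 before the routing decision
  printf '%s -t nat -A PREROUTING -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:8080\n' \
    "$IPT" "$ADMIN_NET" "$pub_ip" "$pub_port" "$vpn_ip"
  # let only NEW connections produced by that DNAT cross into the tunnel
  # (narrower than the thread's "-A FORWARD -o tun+ -j ACCEPT")
  printf '%s -A FORWARD -o tun+ -p tcp -d %s --dport 8080 -m state --state NEW -j ACCEPT\n' \
    "$IPT" "$vpn_ip"
  # masquerade only that flow, so the router answers via the server's tun address
  printf '%s -t nat -A POSTROUTING -o tun+ -p tcp -d %s --dport 8080 -j MASQUERADE\n' \
    "$IPT" "$vpn_ip"
}

# Build the complete list: $1=public IP, $2=space-separated "publicport:vpnip" pairs
build_rules() {
  pub_ip=$1; table=$2
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
  # replies to forwarded connections must be allowed back through FORWARD
  printf '%s -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
  for entry in $table; do
    rules_for_router "$pub_ip" "${entry%%:*}" "${entry#*:}"
  done
}

# Number of generated commands (2 global + 3 per router); useful as a sanity check
rule_count() { build_rules "$1" "$2" | wc -l | tr -d ' '; }

# Apply mode (needs root): sh fwd-rules.sh apply
if [ "${1:-}" = apply ]; then
  build_rules 1.2.3.4 "8004:10.8.0.4 8005:10.8.0.5" | while read -r cmd; do sh -c "$cmd"; done
fi
```

Run it without arguments, or call `build_rules 1.2.3.4 "8004:10.8.0.4"` from an interactive shell, to review the rules before applying them.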