
My main aim is the following: Install a VPN server on a server, and a website on that server should be accessible only to users that are using the VPN on that same server.

First, the two server case works.

That is, I have two servers, A and B. The PPTP VPN server is installed in A, and the nginx is on B.

I have set up allow rules for my nginx site as follows and they work OK:

allow ip_of_a;
deny all;

However, when I try to connect to a site on A (the VPN server has an nginx server too), my remote IP appears as my original IP, not the IP I get when I connect through the VPN, and I get a 403 Forbidden page on nginx. The error logs show a connection attempt from my original IP, not the VPN's IP.

I understand that the VPN still knows my original IP instead of the IP it gave to me, but there should be a workaround for this situation.

The VPN assigns local IPs of the form 10.80.80.*, so I put in another allow of the form

allow 10.80.80.0/24;

That did not do the trick.

I also tried directly adding the local IP the VPN gives to me, but again it did not work:

allow 10.80.80.100;

Does this need to be fixed from the PPTP server somehow, or can it be fixed from an nginx rule?

Edit: The routing tables on the client (OS X) before and after connecting to the VPN:

Before:

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           18        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH             17 12724964     lo0
169.254            link#4             UCS             0        0     en0
192.168.1          link#4             UCS             3        0     en0
192.168.1.1        0:25:9c:4a:c6:44   UHLWIir        19    28906     en0   1000
192.168.1.126      0:88:65:5c:6a:f4   UHLWIi          0       33     en0    440
192.168.1.129      127.0.0.1          UHS             1        0     lo0
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWbI          0       24     en0

After:

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.99.99.99        UGSc           16        0    ppp0
default            192.168.1.1        UGScI          11        0     en0
10                 ppp0               USc             1        0    ppp0
10.99.99.99        10.99.99.100       UHr            17        8    ppp0
SERVER_IP_HERE      192.168.1.1        UGHS            1      299     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH             17 12724968     lo0
169.254            link#4             UCS             0        0     en0
192.168.1          link#4             UCS             3        0     en0
192.168.1.1        0:25:9c:4a:c6:44   UHLWIir        13    28987     en0    988
192.168.1.126      0:88:65:5c:6a:f4   UHLWIi          0       33     en0    428
192.168.1.129      127.0.0.1          UHS             0        0     lo0
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWbI          0       38     en0
ustun
  • What does a VPN client's routing table look like once connected to the VPN? – Flup Jul 30 '13 at 11:17
  • very confusing explanation. How is connecting the server A and B? And what do you want to get? – ALex_hha Jul 30 '13 at 11:27
  • @ALex_hha I want to access a website on A through A. If I don't connect via vpn, it should not be accessible. – ustun Jul 30 '13 at 11:51
  • @Flup The VPN client is OS X. Is there a way to obtain it through the server? (Ubuntu) – ustun Jul 30 '13 at 11:51
  • @ustun `netstat -rn` in an OS X terminal will get you the routing table. – Flup Jul 30 '13 at 11:52
  • @Flup posted the routing tables before and after. – ustun Jul 30 '13 at 11:57
  • As I understand site on the server A must be not accessible from the world (only via VPN). Am I right? – ALex_hha Jul 30 '13 at 13:45
  • Yes, server A exposes only VPN. Once you connect to it with VPN, it should expose the http server too. So, in some sense, A is both the bastion host and the target site. (Using A as a bastion to connect B works fine, which is probably the most common use case, but there is a site on A (a jenkins server) that I want to secure this way too). – ustun Jul 30 '13 at 14:23
  • The alternative would be to set up another machine whose sole purpose is being the VPN server that will act as a bastion, but I wanted to see if this use case can be fixed. – ustun Jul 30 '13 at 14:24
  • I see, one more thing, is it possible to set DNS server (I mean set on the client side your own dns server) when clients connected to your VPN server? – ALex_hha Jul 30 '13 at 15:29
  • @ALex_hha It is a bit harder, I haven't any experience with managing dns servers. Maybe it could simply be a hosts entry though? How would that help in this case? – ustun Jul 30 '13 at 15:41

2 Answers


VPN servers don't redirect web traffic by default; as explained here, adding the line

push "redirect-gateway def1"

to your openvpn.conf will permit you to have the VPN server IP as your remote IP, and with that your web server should let you pass.

Kane

Actually you don't need to set up a DNS server. I have tried the following scenario:

VPN server

Create an alias:

# ifconfig eth0:1 192.168.127.10 netmask 255.255.255.255 up

Configure nginx to listen on the alias address:

server {
    listen      192.168.127.10:80;
    server_name  site1.example.net;

    location / {
        root          /var/www/html;
    }
}

Configure iptables:

# iptables -t nat -I PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to-destination 192.168.127.10:80

where xxx.xxx.xxx.xxx is the public IP address of server A and the IP address of the site.

ALex_hha
  • This seemed promising, but didn't do the trick. How does this prevent a non-VPN user from accessing the user? I issued the iptables command, and it ran fine, but I'm using ufw (though I think ufw is just a wrapper, so that shouldn't be a problem, right?). I also issued ufw reload after the iptables command. – ustun Jul 30 '13 at 17:16
  • nginx will be listening only on the local IP address and will not be accessible from the world – ALex_hha Jul 30 '13 at 17:24
  • Thanks, I think I understand, but for some reason, it didn't work. It basically fails and redirects to the last page nginx handles. Also won't this redirect all port 80 traffic on A? There are some public sites served by nginx there. – ustun Jul 30 '13 at 17:48
  • do you need to close access only to one site? – ALex_hha Jul 30 '13 at 18:09
  • yes, but even closing access to all sites doesn't seem to work for me. The nginx rule just fails and the last site is used instead, so I get the last site served on that server. It is running on port 443 instead of 80, so I changed all 80's in your example to 443. But I would assume that wouldn't change anything. – ustun Jul 30 '13 at 20:24
  • sorry, it was my fault. I forgot that the route to the VPN server can't go through the VPN tunnel itself. So without DNS split, I think, it would not be possible at all. – ALex_hha Jul 30 '13 at 22:25
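The thread ends with the key observation: the client's route to the VPN server's public address points out the LAN interface (the `SERVER_IP_HERE ... en0` host route in the "After" table), so packets for that address never enter the tunnel and nginx sees the client's public address, which the `allow 10.80.80.0/24; deny all;` rules from the question then reject. The following added example (not code from the question or from either answer) models exactly that: a longest-prefix route lookup over the rows that matter from the posted "After" table, the `$remote_addr` nginx would log for each egress interface, and an evaluation of nginx-style `allow`/`deny` rules against it. The public addresses `203.0.113.10` (standing in for `SERVER_IP_HERE`) and `198.51.100.7` (the client's NAT address) are constructed placeholders from the documentation ranges; the tunnel addresses `10.99.99.99`/`10.99.99.100` come from the posted routing table, which uses a different range than the `10.80.80.*` mentioned in the question text, so the allow rule here uses `10.99.99.0/24`. The access-decision logic is a simplified model of ngx_http_access_module (first matching rule wins, no rule matching means allow) and assumes no proxy or real_ip processing in front of the vhost.

```python
import ipaddress

# Constructed subset of the client's "After" routing table from the question
# (prefix, egress interface). The active default route is via ppp0; the en0
# default is shadowed. The /32 to the VPN server's public address is the
# host route the PPTP client installs so the tunnel's outer packets keep
# flowing over the LAN.
SERVER_PUBLIC_IP = "203.0.113.10"   # placeholder for SERVER_IP_HERE (TEST-NET-3)
SERVER_TUNNEL_IP = "10.99.99.99"    # VPN server's PPP endpoint, from the table
CLIENT_TUNNEL_IP = "10.99.99.100"   # address the VPN assigned to the client
CLIENT_PUBLIC_IP = "198.51.100.7"   # constructed: client's public (NAT) address

CLIENT_ROUTES = [
    ("0.0.0.0/0", "ppp0"),                  # default            10.99.99.99   ppp0
    ("10.0.0.0/8", "ppp0"),                 # 10                 ppp0          ppp0
    (SERVER_TUNNEL_IP + "/32", "ppp0"),     # 10.99.99.99        10.99.99.100  ppp0
    (SERVER_PUBLIC_IP + "/32", "en0"),      # SERVER_IP_HERE     192.168.1.1   en0
    ("192.168.1.0/24", "en0"),              # 192.168.1          link#4        en0
    ("127.0.0.0/8", "lo0"),                 # 127                127.0.0.1     lo0
]


def egress_interface(dest, routes=CLIENT_ROUTES):
    """Longest-prefix match, as the client's kernel does when picking a route."""
    d = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def source_seen_by_server(dest):
    """The $remote_addr nginx on the VPN server logs for a client request to dest.

    Only packets that leave through ppp0 carry the tunnel-assigned source
    address; anything leaving through en0 arrives with the client's public
    address after NAT at the home router.
    """
    iface = egress_interface(dest)
    if iface == "ppp0":
        return CLIENT_TUNNEL_IP
    if iface == "en0":
        return CLIENT_PUBLIC_IP
    raise ValueError(f"no usable route to {dest} (interface {iface})")


def parse_rules(conf):
    """Parse 'allow X;' / 'deny X;' lines into (action, target) pairs."""
    rules = []
    for raw in conf.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith("#"):
            continue
        action, target = line.split(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        rules.append((action, target.strip()))
    return rules


def nginx_access_decision(rules, remote_addr):
    """Simplified ngx_http_access_module: first matching rule decides;
    with no matching rule the request is allowed. Returns an HTTP status."""
    addr = ipaddress.ip_address(remote_addr)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return 200 if action == "allow" else 403
    return 200


# The rules from the question, using the tunnel range the routing table shows.
RULES = parse_rules("""
allow 10.99.99.0/24;
deny all;
""")


if __name__ == "__main__":
    for dest in (SERVER_PUBLIC_IP, SERVER_TUNNEL_IP):
        src = source_seen_by_server(dest)
        print(f"request to {dest:>14}: leaves via {egress_interface(dest)}, "
              f"nginx sees {src:>14}, decision {nginx_access_decision(RULES, src)}")
```

Run stand-alone, the script shows the two outcomes the thread describes: a request to the server's public address leaves via `en0`, arrives from the client's public address and is denied, while a request to the tunnel-side address `10.99.99.99` leaves via `ppp0`, arrives from `10.99.99.100` and is allowed. That is the effect behind the split-DNS or hosts-file suggestion in the comments: the protected site has to be reached by a name that resolves to an address the client routes into the tunnel, otherwise no nginx `allow` rule can ever see the tunnel address.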