1

One of our corporate websites runs on a Linux server, built with Apache2 and PHP5.

Several web pages can only be accessed from the OpenVPN subnet (addresses 10.8.0.1/24). To check each request, a PHP script compares the $_SERVER["REMOTE_ADDR"] value supplied by Apache and decides whether to grant or deny further execution.

The purpose is to deny access to these pages from devices not configured to work through the server's VPN.

The OpenVPN server is running on the same machine, which is why PHP receives addresses like 10.8.0.25 from clients inside the VPN and real addresses for other requests.

  • Is it a correct method to "protect" a page from public access?

Testing this system I have found an odd thing: if I request one of these "protected" pages using a Windows machine connected to our OpenVPN network, the server is able to see the real IP address (not 10.8.0.xx), while doing the same on an Android device works as expected (the server cannot see the real IP address and gets 10.8.0.xx in PHP).

I use the OpenVPN Connect app on Android and OpenVPN GUI on Windows. In both cases the client routes its traffic through the VPN server, and "What is my IP?" services show the VPN address and not the real address of my ISP.

But somehow the Windows client gets identified by its real (provider) address on the webserver, and cannot access the secured pages, regardless of whether the VPN is on or off.

  • What are possible reasons for that?

I suspect that OpenVPN does not work properly on that Windows PC. Otherwise, why does the server recognize the Android and Windows VPN clients differently?

Thank you.

UPD: iptables -L on the VPN/websrv machine

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.8.0.0/24          anywhere             tcp dpts:63000:64000
REJECT     tcp  --  anywhere             anywhere             tcp dpts:63000:64000 reject-with icmp-port-unreachable
ACCEPT     udp  --  10.8.0.0/24          anywhere             udp dpts:64000:65000
REJECT     tcp  --  anywhere             anywhere             tcp dpts:64000:65000 reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere             match-set banned_ips src

UPD: cmd /k route print on the Windows machine

Interface List
  5...54 04 a6 3d 36 ff ......Realtek PCIe GBE Family Controller
  7...fc 75 16 86 ad 84 ......Microsoft Wi-Fi Direct Virtual Adapter
 17...00 ff b7 66 85 11 ......TAP-Windows Adapter V9
 12...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 13...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
  6...fc 75 16 86 ad 82 ......D-Link DWA-125 Wireless N 150 USB Adapter(rev.A3)
  1...........................Software Loopback Interface 1
  2...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  3...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
  8...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.137.1   192.168.137.97     25
          0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     20
         10.8.0.0    255.255.255.0         10.8.0.5         10.8.0.6     20
         10.8.0.4  255.255.255.252         On-link          10.8.0.6    276
         10.8.0.6  255.255.255.255         On-link          10.8.0.6    276
         10.8.0.7  255.255.255.255         On-link          10.8.0.6    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     20
    xxx.53.xxx.yy  255.255.255.255    192.168.137.1   192.168.137.97     25
     192.168.10.0    255.255.255.0         10.8.0.5         10.8.0.6     20
     192.168.20.0    255.255.255.0         10.8.0.5         10.8.0.6     20
    192.168.137.0    255.255.255.0         On-link    192.168.137.97    281
   192.168.137.97  255.255.255.255         On-link    192.168.137.97    281
  192.168.137.255  255.255.255.255         On-link    192.168.137.97    281
    192.168.171.0    255.255.255.0         On-link     192.168.171.1    276
    192.168.171.1  255.255.255.255         On-link     192.168.171.1    276
  192.168.171.255  255.255.255.255         On-link     192.168.171.1    276
    192.168.229.0    255.255.255.0         On-link     192.168.229.1    276
    192.168.229.1  255.255.255.255         On-link     192.168.229.1    276
  192.168.229.255  255.255.255.255         On-link     192.168.229.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.171.1    276
        224.0.0.0        240.0.0.0         On-link     192.168.229.1    276
        224.0.0.0        240.0.0.0         On-link          10.8.0.6    276
        224.0.0.0        240.0.0.0         On-link    192.168.137.97    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.171.1    276
  255.255.255.255  255.255.255.255         On-link     192.168.229.1    276
  255.255.255.255  255.255.255.255         On-link          10.8.0.6    276
  255.255.255.255  255.255.255.255         On-link    192.168.137.97    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table

xxx.53.xxx.yy is the VPN/websrv machine's IP.

UPD: Two more facts: the webserver and protected pages use an SSL cert (https); DNS on the Windows/Android devices is set to Google DNS only.

Croll
  • 93
  • 17
  • How do you connect to your protected page on the webserver? (using the internal or external IP?) Can you share your OpenVPN client config? – eKKiM Nov 01 '15 at 22:09
  • @eKKiM Clients route all their traffic through the VPN server. Simply visiting the webserver page in a browser. Client config: http://pastebin.com/Xq21z30z – Croll Nov 01 '15 at 22:28
  • Yes, all traffic is routed through the VPN, but how do you connect to your webserver? http://10.8.0.1 or http://xxx.53.xxx.yy – eKKiM Nov 01 '15 at 22:44
  • I connect to the webserver using the domain name, resolved to the external server IP (public). – Croll Nov 03 '15 at 12:02

4 Answers

1

What I see is just a DNS problem. When you try to connect to the website, you resolve the Internet IP, not the VPN IP. Try the following: edit C:\Windows\System32\drivers\etc\hosts and add an entry like

10.8.0.X   www.yourdomain.com

That should make the Windows machine resolve to the right IP and route accordingly. If that works, then you must configure the VPN server to tell the clients to use a DNS server inside 10.8.0.0/24 (I think dhcp-option is the name of the directive, but you should do some research). The DNS server should be configured to resolve www.yourdomain.com to your internal server IP address.

Mauricio López
  • 944
  • 4
  • 9
1

Your VPN is using the 10.8.0.0/24 subnet but the route to the xxx.53.xxx.yy address uses the gateway 192.168.137.1 instead of 10.8.0.5 which means that the web requests to the server from the Windows client are going over the Internet, not the VPN. To fix that you either need to disable split-tunneling in your Windows OpenVPN client to send all your traffic through the VPN or change the gateway on the static route for xxx.53.xxx.yy to be 10.8.0.5.

David King
  • 476
  • 2
  • 6
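The route selection described in this answer, worked through on the question's own table (an added example, not code from the page, from OpenVPN or from its author; 203.0.113.10 stands in for the masked xxx.53.xxx.yy, and only the rows that matter are reproduced):

```python
import ipaddress

# Constructed excerpt of the Windows "route print" table quoted in the
# question. The page masks the server's public address as xxx.53.xxx.yy;
# the documentation address 203.0.113.10 stands in for it (assumption).
SERVER_IP = "203.0.113.10"
VPN_GATEWAY = "10.8.0.5"

ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0    192.168.137.1   192.168.137.97     25
          0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     20
         10.8.0.0    255.255.255.0         10.8.0.5         10.8.0.6     20
         10.8.0.4  255.255.255.252         On-link          10.8.0.6    276
        128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     20
     203.0.113.10  255.255.255.255    192.168.137.1   192.168.137.97     25
    192.168.137.0    255.255.255.0         On-link    192.168.137.97    281
"""

def parse_routes(text):
    """Turn 'destination netmask gateway interface metric' rows into dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators and blank lines
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gateway,
                       "iface": iface, "metric": int(metric)})
    return routes

def lookup(routes, dst):
    """Route selection as Windows does it: the longest prefix wins and a
    lower metric breaks ties. Returns the chosen route or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def bypasses_vpn(routes, dst, vpn_gateway=VPN_GATEWAY):
    """True when packets to dst leave via the physical gateway, not the tunnel."""
    route = lookup(routes, dst)
    return route is not None and route["gateway"] != vpn_gateway

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    for dst in (SERVER_IP, "8.8.8.8", "10.8.0.1"):
        r = lookup(routes, dst)
        print(dst, "->", r["net"], "via", r["gateway"], "bypasses VPN:", bypasses_vpn(routes, dst))
```

The /32 host route to the server's public address via the physical gateway is the one OpenVPN installs together with redirect-gateway so that the tunnel endpoint itself stays reachable; because the site is reached by that same public address, HTTPS to it takes the same path and arrives with the ISP address, while traffic to any other destination (the "what is my IP" check) still goes through the tunnel. Reaching the site by a 10.8.0.0/24 address, as the DNS-based answers suggest, is what keeps those requests inside the tunnel.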
1

Install bind on the OpenVPN/web server. Add a zone for www.example.com pointing to the internal IP of the web server and set forwarders for 8.8.8.8 and 8.8.4.4; also make sure it is listening and set as a resolver for the internal/VPN subnets.

A basic zone for the specific subdomain; be sure to replicate any duplicate details as needed.

named.conf.options

forwarders { 8.8.8.8; 8.8.4.4; };
allow-recursion { 10.8.0.0/24; };
allow-query { 10.8.0.0/24; };
listen-on { any; };

Zone File

$TTL 300
@       IN      SOA     www.example.com. dnsadmin.example.com. (
                        2015000000       ; serial, YYYYMMDDRR
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
@ IN NS ns1
ns1 IN A 10.8.0.5
@ IN A 10.8.0.5

Make sure you test, and configure OpenVPN to push this DNS server.

Jacob Evans
  • 7,636
  • 3
  • 25
  • 55
0

On the Windows machine, did you check the metric and see if the VPN route has a lower metric, and so a higher priority? Maybe it is an issue with the metric.

One more thing you could try is setting the OpenVPN config on the server so the clients route ALL traffic through the VPN connection.

lbanz
  • 1,579
  • 4
  • 18
  • 30
  • It's already done (reroute). I am not sure what "metric" is, but "what is my ip" services show the VPN's IP and not the ISP address on both devices. – Croll Oct 31 '15 at 22:20
  • @DmitrijA Is it showing the VPN external IP? Or is it showing the internal one on 10.8.0.0/24? – lbanz Nov 01 '15 at 13:55
  • The external VPN server IP (both Android and Windows). I use different certificates for client connection but all settings are the same. – Croll Nov 01 '15 at 19:24
  • Can you post a screenshot of your routing table for your Windows PC? – lbanz Nov 01 '15 at 20:00