How to keep some port out of the scope of a VPN connection ?

sylver.bruneau@gmail.com · 10-31-2010, 03:16 PM

Hello,
I have a server (192.168.1.9) in my network that is running a http server on port 5000.
This server port have been opened (on my router 192.168.1.1) to be available from my public IP (on port 80).

I have recently installed openvpn to connect to a vpn, but I'd like to keep my http server available from my public IP (no need to have it available to the VPN network).

I'm completely lost and I don't know where to start ... Could someone point me a direction to dig into ?

Here are some details about the route configuration :

Code:

Server1> iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Server1> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
178.71.215.230  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
178.71.208.0    *               255.255.255.0   U     0      0        0 tap0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
default         v4-link.vpntunn 128.0.0.0       UG    0      0        0 tap0
128.0.0.0       v4-link.vpntunn 128.0.0.0       UG    0      0        0 tap0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

Thanks,
Sylver

feinbein · 10-31-2010, 04:30 PM

Maybe I am getting this wrong but you dont seem to have problem here.
Even if you use a vpn over your wan-connection, portforwarding on the wan-address will still work as before. So the http-server will still be available via the Wan IP and to the lan(or vpn)-network via the local address.
Could you describe a little what actually is not working for you at the moment?

sylver.bruneau@gmail.com · 10-31-2010, 04:47 PM

Quote:

Originally Posted by feinbein

Maybe I am getting this wrong but you dont seem to have problem here.
Even if you use a vpn over your wan-connection, portforwarding on the wan-address will still work as before. So the http-server will still be available via the Wan IP and to the lan(or vpn)-network via the local address.
Could you describe a little what actually is not working for you at the moment?

Hello,
If I use an online port scanner, my port 80 is shown as closed, and if I try to connect to this port from an external network, I have no answer from the server.

If I try to connect to my public ip and port 80 from my LAN, the server responds ...

This is a strange behavior, but if I shut down openvpn, the server become responsive again on my public IP (from external network) immediatly ...

feinbein · 11-01-2010, 12:40 AM

Now I see, you start the tunnel from your server not your router.
Lets see, this could possible solved with another nic dedicated to the http-server or a nic-alias. Can you post ifconfig?

sylver.bruneau@gmail.com · 11-02-2010, 12:39 AM

Yes openvpn is installed on the server not on the router
Here is my ifconfig :

Code:

Server1> ifconfig
eth0      Link encap:Ethernet  HWaddr 00:11:32:XX:XX:XX  
          inet addr:192.168.1.9  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:70075005 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58280041 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:2548806328 (2.3 GiB)  TX bytes:3988761380 (3.7 GiB)
          Interrupt:18 Memory:bfff8000-0 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:1500  Metric:1
          RX packets:40293 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40293 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4928151 (4.6 MiB)  TX bytes:4928151 (4.6 MiB)

tap0      Link encap:Ethernet  HWaddr 00:FF:F2:XX:XX:XX  
          inet addr:178.71.208.50  Bcast:178.71.208.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60014339 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43504750 errors:0 dropped:485110 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:1005763215 (959.1 MiB)  TX bytes:4071794605 (3.7 GiB)

Thanks,
Sylver

feinbein · 11-03-2010, 11:12 AM

Quote:

Originally Posted by sylver.bruneau@gmail.com

Hello,
If I use an online port scanner, my port 80 is shown as closed

I think we are getting there...
If you use an online scanner, it will scan the ip of your gateway to the internet. I suppose, while you are connected to the vpn , your gateway changes to the one of your vpn-server.
You can easily verify this by comparing http://canyouseeme.org before and after the vpn-connection. It should give two different ips.
Can you confirm that?

sylver.bruneau@gmail.com · 11-04-2010, 01:54 AM

Quote:

Originally Posted by feinbein

I think we are getting there...
If you use an online scanner, it will scan the ip of your gateway to the internet. I suppose, while you are connected to the vpn , your gateway changes to the one of your vpn-server.
You can easily verify this by comparing http://canyouseeme.org before and after the vpn-connection. It should give two different ips.
Can you confirm that?

I confirm that when connected to the VPN, my public ip is the one of the VPN Internet gateway ! The problem is that I'm not allowed to configure anything on this VPN (no port forwarding) so I have to find a way to keep port 80 available from my ISP public ip !

feinbein · 11-04-2010, 04:23 PM

So you ran the online-portscan while you where connected to the vpn in your browser?
That means you are scanning your vpn gateway, not the public IP of your ISP.
Ring a friend to check your http-service next time you use the vpn. I'm pretty sure he'll find it working.
If I'm wrong (which could well be possible) I am definately out of ideas here

.