OpenVPN & port forwarding options

Carlton23 · 01-14-2013, 04:36 PM

Hello,

I've been struggling with an idea, but I cant work out if it is possible or not! I've done lots of research, but just scrambled my brain instead.

I want to run openVPN on a server to act as a hub/switch, it will link together 5 or 6 machines creating a 192.* network. I think I've managed this bit.

Next, four of those 4 of those 5 machines are listening on a TCP/IP port which transmit CCTV images when the 5th machine connects (I've written the software, that bit works!).

I want to use iptables to create a route between the 5th machine and ONE of the CCTV machines. I will then change the routing table to select a different CCTV machine, and so on. If I add a 6th machine it will behave the same as the 5th (it will be a CCTV 'viewer').

My requirements are that nobody else on the network has access to the CCTV (hence VPN) and that the CCTV machines cant 'see' each other. I may add more machines at a later date.

Also, I want get experience with VPN & iptables, which is the main reason I want to do it like this.

So, my question: is this possible!?!?!? Do iptables work ok within a VPN (some answers on here suggest not, for reasons I dont yet understand).

My current thinking:
VPN server, normal config (I think I have)

port forwarding with iptables - IP address based, not eth interface:

Code:

iptables -A INPUT -p tcp -s 192.168.1.123 -d 192.168.1.321 --sport 513:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 192.168.1.321 -d 192.168.1.123 --sport 123 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

#Allow TCP connection to port 123 on host 192.168.1.321 (CCTV machine) when the source (5th or 6th PC) has IP 192.168.1.123

After that I want to route everything else to nowhere;

Code:

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

I'll probably need some routes for DHCP too...

So - again, does that seem possible? Or am I wasting my time?

I'd really appreciate any info.
Thank you.

scheidel21 · 01-16-2013, 08:13 AM

Why are you messing with the routing, as long as you turn on the OpenVPN option to allow connected client communication you should be able to use the viewer software to just connect to the connected CCTV client you want. The OpenVPN server will route the traffic for you it actually doesn't even need to route the traffic if they are all on the same logical subnet (IP scheme).

Carlton23 · 01-16-2013, 08:53 AM

Thank you for your reply.

The only option I could find that matches your description is '--client-to-client'

Quote:

--client-to-client
Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface.
When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.

The reason I dont want to use this, is that I DO want per-client rules, and I do NOT want each client to "see" the other clients.

For example, what if my viewer software allowed me to look at my house while I'm out, but a different viewer I give access to my neighbour so they can record the cars on the driveway. I dont want them to be able to view my front room

Pushing routes to clients isnt ideal either, because they could guess IPs for themselves if they wanted (unlikely yeah, but you get the idea).

This is how I ended up with the iptables idea. As mentioned before, this is much to do with learning as anything.

Do you think it'll work as I've described, or should I just try and see what happens?

Thanks again.

scheidel21 · 01-16-2013, 08:55 AM

Then use static IP assigning to the viewer clients and use IPtable to handle access, it will be way easier than trying to use routes, which I don't even think wuld be possible.

Carlton23 · 01-16-2013, 09:03 AM

Quote:

Originally Posted by scheidel21

which I don't even think wuld be possible.

That's what I'm getting at. Is VPN data not routable? even if I have the source and destination IPs?

darkxer0x · 01-16-2013, 11:16 AM

Read this

Anyway, if I have understood what you want to do, I´d do the following:
- Each CCTV machine has a tunnel to the server.
- When a viewer wants to see a CCTV, it connects to the server, and the server forwards the traffic from the viewer to the CCTV machine.

Carlton23 · 01-16-2013, 11:47 AM

Thanks, I'll have a read.

It looks as though you are correct in your understanding, and I like the suggestion of the viewers connecting directly to the server. However I'm unsure as to how I'd configure the server/NAT for each session; At least if they are all on the VPN, I can trust that they are who they say they are (I could also look them up in DNS or something). Without the VPN, I'd have to authenticate the viewer some other way.

To put it another way, if I use VPN, I can garuntee two viewers have different IPs. If there are two on the same IP, I would be unable to set the new routes on demand.

*Note: When I say 'I can', I mean I'd write a script to do it

Thanks for your input.

darkxer0x · 01-17-2013, 04:49 AM

Here there is a big problem, and it´s that you are trying to use VPN in a scenario where VPN is not required (and not recommended).

You need each CCTV to send the video to the server. And the server, to send the video to the viewers. Why you need here a VPN? The purpose of a VPN is to communicate two LANs remotely, or a computer to a LAN remotely.
But connect a server and a client? You don´t need VPN.

So, what should you do? Easy:
- CCTV machines send video only to the server.
- The server send the video only to the authorized machines.
- You can tunnelize (with stunnel, for exampel), all the communications.

The idea here is that the server manages all the authentication and forwarding logic, the complex part. The CCTV machines should be very simple.

Carlton23 · 01-17-2013, 05:02 AM

I have no control over the CCTV/viewer software, I didnt write it. Also I would expect creating some man in the middle software would take longer than configuring a VPN router. It is peer-to-peer, ie each CCTV is its own encapsulated server. If it was on the open internet, you could use the viewer software, type in an IP, and the CCTV data would start streaming. Additionally, the comms are unsecure.

Is the conclusion essentially that routing would work, but it's a horrible solution? Or that the whole idea is a waste of time?

Thanks.

scheidel21 · 01-17-2013, 07:16 AM

Routing is not the solution, there is no security in routing. Assigning IP addresses statically via OpenVPN configuration and utilizing firewall rules is the way to go. The only other, more secure way I can think of doing this would be to run multiple instances of OpenVPN, and have the CCTV machines connect to multiple VPNs on the server, and have the client viewer machines connect to the appropriate VPN.

So if you have 6 CCTV machines they all connect to VPN 1, the VPN you also connect to
3 of those machines connect to VPN 2 as well, and your neighbor connects to that VPN, they can only access those machines.

The only way routing would work is again using multipe VPNs, CCTV servers connect to one, and viewers connect to others. You can then push out routes per individual VPN, and again specify that the specific IP addresses that the connecting viewer is allowed to view are reachable by routing through the VPN connection.

Carlton23 · 01-17-2013, 08:05 AM

Ok, I think I understand you.

Quote:

Is the conclusion essentially that routing would work, but it's a horrible solution?

'routing' should have been 'iptables'. If iptables == firewall then it ties in with what you say;

Quote:

Assigning IP addresses statically via OpenVPN configuration and utilizing firewall rules is the way to go.

Same thing?

scheidel21 · 01-17-2013, 08:22 AM

Yes IPtables is the firewall

darkxer0x · 01-17-2013, 08:59 AM

Now I think I understand the situation more or less.
I.E:
CCTV Viewer IP: 5.5.5.5
Server Public IP Address: 1.1.1.1
Server Internal IP Address (through vpn or whaever): 192.168.1.1
CCTV Machine: 192.168.1.2
CCTV Mache port: 100

- CCTV Viewer enter the server ip address (1.1.1.1)
- Server forwards traffic from the CCTV Viewer to the CCTV machine for that client, doing dnat:
iptables -A FORWARD -p tcp -s 5.5.5.5 -d 192.168.1.2 -dport 100 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j DROP (better if you have a POLICY DROP)
iptables -A PREROUTING -p tcp -s 5.5.5.5 --dport 100 -j DNAT --to-destination 192.168.1.2

I think this should do what you´re looking for.