Hi LinuxQuestions
I have a few Atlassian apps running on a VPS and I want to place them behind a VPN. I have successfully set up OpenVPN and my clients can connect as well as browse the Internet over it. But when accessing web applications running on the VPN box, the requests are blocked by ufw because they come directly from my ISP-assigned IP instead of being routed through the VPN.
A traceroute on the client shows what is happening. When hitting bbc.co.uk (or any other remote URL) my connection goes via the VPN:
Code:
> traceroute bbc.co.uk
traceroute to bbc.co.uk (212.58.246.78), 64 hops max, 52 byte packets
1 10.8.0.1 (10.8.0.1) 213.252 ms 214.909 ms 222.016 ms
...
But when trying to hit an app on my VPS it goes straight out via my ISP instead:
Code:
> traceroute -p8080 myvpsdomain.com
traceroute to myvpsdomain.com (172.XXX.XXX.XXX), 64 hops max, 52 byte packets
1 182.55.XXX.X (182.55.XXX.X) 5.096 ms 15.385 ms 3.156 ms
...
I can do the following to validate that the web app is accessible on port 8080, but of course this opens it up to anyone, not just VPN users.
Code:
ufw allow in 8080/tcp
Here is my current ufw setup:
Code:
Status: active
Logging: on (full)
Default: deny (incoming), deny (outgoing), allow (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
Anywhere on tun0           ALLOW IN    Anywhere
1194/udp                   ALLOW IN    Anywhere
Anywhere                   ALLOW OUT   Anywhere on tun0
1194/udp                   ALLOW OUT   Anywhere
53                         ALLOW OUT   Anywhere
10.0.0.0/8                 ALLOW OUT   Anywhere
And here is the ufw log showing the request being blocked:
Code:
[1978012.574217] [UFW BLOCK] IN=venet0 OUT= MAC= SRC=XXX.XXX.XXX.XXX DST=YYY.YYY.YYY.YYY LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=16546 DF PROTO=TCP SPT=57929 DPT=8090 WINDOW=65535 RES=0x00 SYN URGP=0
XXX.XXX.XXX.XXX = my client's ISP-assigned public IP
YYY.YYY.YYY.YYY = the IP of the VPS running OpenVPN and the webapp running on port 8090
Is there any way to force all traffic through the VPN connection, including traffic to the VPN box itself?
Any pointers would be greatly appreciated!
I found the same question asked almost a year ago on askubuntu but it has never been answered. Linking it here to help other lost souls:
https://askubuntu.com/questions/8032.../914818#914818
UPDATE: So I realised I could access the application with no extra ufw rules via
http://10.8.0.1:8080 (d'oh), so my setup works. I would still like my users to be able to access it via the friendlier URL if possible.
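Added example (not part of the original post, and not the poster's or OpenVPN's code): a small POSIX sh script that does the two things a practitioner would want on the VPS side of this setup. It emits ufw rules that admit the app ports only from VPN clients arriving on tun0 (narrower than the existing "Anywhere on tun0 ALLOW IN Anywhere" rule), and it classifies ufw log lines so you can see which clients are still hitting the public IP directly instead of going through the tunnel. The app ports (8080 and 8090), the VPN subnet (10.8.0.0/24) and the sample log lines are assumptions; the log lines are constructed with RFC 5737 documentation addresses, not the poster's real log.

```sh
#!/bin/sh
# Added example, not from the original post.
# Assumptions (hypothetical, edit to taste): app ports 8080 and 8090, OpenVPN
# subnet 10.8.0.0/24 on tun0. SAMPLE_LOGS is constructed test data using
# RFC 5737 documentation addresses.

APP_PORTS="8080 8090"
VPN_IF="tun0"
VPN_NET="10.8.0.0/24"

SAMPLE_LOGS='[1978012.574217] [UFW BLOCK] IN=venet0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.10 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=16546 DF PROTO=TCP SPT=57929 DPT=8090 WINDOW=65535 RES=0x00 SYN URGP=0
[1978013.100000] [UFW BLOCK] IN=venet0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.10 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=16547 DF PROTO=TCP SPT=57930 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
[1978014.200000] [UFW BLOCK] IN=venet0 OUT= MAC= SRC=198.51.100.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=41000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
[1978015.300000] [UFW AUDIT] IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=10.8.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0'

# ufw_field LINE KEY: print the value of KEY=... from a ufw log line (empty if absent)
ufw_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# classify_block LINE: prints
#   vpn-bypass   an app port was hit on an interface other than the tunnel,
#                i.e. a client that went out via its ISP address
#   other-block  any other [UFW BLOCK] line
#   not-a-block  anything else (audit lines, unrelated kernel messages)
classify_block() {
    cb_line=$1
    case $cb_line in
        *"[UFW BLOCK]"*) ;;
        *) echo not-a-block; return 0 ;;
    esac
    cb_if=$(ufw_field "$cb_line" IN)
    cb_dpt=$(ufw_field "$cb_line" DPT)
    for cb_p in $APP_PORTS; do
        if [ "$cb_dpt" = "$cb_p" ] && [ "$cb_if" != "$VPN_IF" ]; then
            echo vpn-bypass
            return 0
        fi
    done
    echo other-block
}

# bypass_sources: read log lines on stdin, print "count src" for each source
# address that reached an app port outside the tunnel, most frequent first
bypass_sources() {
    while IFS= read -r bs_line; do
        if [ "$(classify_block "$bs_line")" = vpn-bypass ]; then
            ufw_field "$bs_line" SRC
        fi
    done | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# emit_app_rules: the ufw commands that admit the app ports only from the VPN
# subnet and only on the tunnel interface. These can replace the broad
# "Anywhere on tun0 ALLOW IN Anywhere" rule, which admits every port a VPN
# client cares to try, not just the apps.
emit_app_rules() {
    for ar_p in $APP_PORTS; do
        echo "ufw allow in on $VPN_IF from $VPN_NET to any port $ar_p proto tcp"
    done
}

echo "Clients bypassing the tunnel (count src):"
printf '%s\n' "$SAMPLE_LOGS" | bypass_sources
echo "Rules to apply on the VPS:"
emit_app_rules
```

Run it against the real log with `grep 'UFW BLOCK' /var/log/ufw.log | bypass_sources` (after sourcing the functions) to see which client addresses are still arriving on venet0. As for the friendlier URL: with redirect-gateway, OpenVPN deliberately keeps a host route for the server's public IP via the client's ISP gateway so the tunnel does not try to carry itself, which is exactly the path the second traceroute in the post shows. The usual way around it is to make the name resolve to 10.8.0.1 for VPN clients only, for example with a hosts entry on the client or a DNS server pushed to clients that answers with the tunnel address, rather than trying to route the public IP through the tunnel.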