LinuxQuestions.org
Old 04-16-2011, 04:40 AM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Rep: Reputation: 30
OpenVPN on 2 networks


I have a webserver running on my laptop.
I also want to connect via VPN for my email and internet (port 80 and 1935). However, as soon as I connect via VPN, users lose access to my webserver.
Is there a way to be connected to 2 networks at once or use a setting in the openvpn client to only route traffic on email ports and 80/1935?
 
Old 04-16-2011, 07:58 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Would you please clarify:
Quote:
However, as soon as I connect via VPN, users lose access to my webserver.
Do you mean when you connect (remotely) via OpenVPN, that others can't connect to your server via port 80?
 
Old 04-17-2011, 04:29 AM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Noway2 View Post
Would you please clarify:
Do you mean when you connect (remotely) via OpenVPN, that others can't connect to your server via port 80?
Yes, because when I connect via VPN all traffic is routed through the VPN.
 
Old 04-18-2011, 04:04 AM   #4
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
i.e., is there a way to route specific ports from the OpenVPN client only?
 
Old 04-18-2011, 05:40 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I have been thinking about your setup. It is admittedly a little confusing. To summarize my understanding (and please correct me if I am wrong), you are using your laptop for a server, with inbound connections to port 80. You then use openVPN client on this laptop to connect to another openVPN server. When you establish this connection, inbound traffic to port 80 (your web server) on the laptop fails, presumably because of routing conflicts caused by the VPN connection.

The first place I would look is to issue the "route" command and see if you can confirm that this is what is happening.

The second thing I would look into is the configuration, on the server side, of the OpenVPN configuration. I was under the impression that openVPN, by default ONLY routes traffic destined to the VPN via the virtual interfaces. This is what is confusing me as I would think that the return path to the established connections would be via the normal interface, not the virtual VPN interface. This is where the route command may shed some light. Two directives I would look for are:
Code:
 
push "redirect-gateway def1"
and
push "route-gateway 192.168.0.1" (or whatever your VPN gateway is)
I think that these may cause you problems. The first causes ALL traffic to route via the VPN gateway, not just VPN traffic. The second changes the routing gateway, and this may impact your ability to route via your normal interface. These get pushed via the server and would be in the server.conf.

I don't know of any way to route via port on openVPN. I am near absolute in certainty that OpenVPN works by manipulating the routing table to redirect traffic. Consequently, you should be able to tweak it somehow to correct the situation, either manually or via the openVPN configuration using the PUSH directives.
 
Old 04-29-2011, 10:48 AM   #6
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Can the OpenVPN server do it or must something be configured on a client firewall?
I want the client to route *.*.*.*:80 through the VPN but all other ports should go to the normal ISP.
I don't understand how making server configuration changes will do anything. The server can only drop ports other than 80 or bounce them back to the client. If the ports are bounced back to the client, the client will not know what to do with them and cannot therefore route them to the ISP.
 
Old 04-29-2011, 11:17 AM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
I don't understand how making server configuration changes will do anything.
OpenVPN has a special syntax used in the server configuration file for these types of commands. What happens is that these commands are pushed to the client machines during the connection setup. This means that the route commands get executed on the client side, but in a manner that is dictated by the server configuration. One thing that I just remembered is that you can specify scripts that get run at the startup and shutdown of the connection. This may be a key factor here because one problem that I think you are facing is that you can't use the route command to route per port. However, you can do this with iptables. In order to get this to happen on the client end, you would need to write the script and have it execute on the client side to change the per-port routing. If I recall correctly, these scripts are typically called up.sh and down.sh.

See this link for some more information on how to do the per-port routing: http://www.linuxquestions.org/questi...not-ip-486823/
also take a look at this document: http://openvpn.net/index.php/open-so...8-1xhowto.html
Specifically, look at the part titled Configure Firewall and NAT, which caught my attention because it seems related to your objective where you perform iptables modifications for the server and clients.
 
Old 04-29-2011, 12:54 PM   #8
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Noway2 View Post
OpenVPN has a special syntax used in the server configuration file for these types of commands. What happens is that these commands are pushed to the client machines during the connection setup. This means that the route commands get executed on the client side, but in a manner that is dictated by the server configuration. One thing that I just remembered is that you can specify scripts that get run at the startup and shutdown of the connection. This may be a key factor here because one problem that I think you are facing is that you can't use the route command to route per port. However, you can do this with iptables. In order to get this to happen on the client end, you would need to write the script and have it execute on the client side to change the per-port routing. If I recall correctly, these scripts are typically called up.sh and down.sh.

See this link for some more information on how to do the per-port routing: http://www.linuxquestions.org/questi...not-ip-486823/
also take a look at this document: http://openvpn.net/index.php/open-so...8-1xhowto.html
Specifically, look at the part titled Configure Firewall and NAT, which caught my attention because it seems related to your objective where you perform iptables modifications for the server and clients.
I don't see how an iptables script can be executed on the client, surely all virus software and firewall software would prevent that? Especially a Linux server executing a script on a Windows client?
 
Old 04-29-2011, 12:57 PM   #9
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
I don't see how an iptables script can be executed on the client
The script has to be installed during the setup, likely at the same time that you install the client configuration file. These don't get pushed via the server, only routing commands do and would be a different approach entirely.
 
Old 04-29-2011, 01:20 PM   #10
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Noway2 View Post
The script has to be installed during the setup, likely at the same time that you install the client configuration file. These don't get pushed via the server, only routing commands do and would be a different approach entirely.
So, I would need to compile an OpenVPN installation script, which also runs a Windows routing script on installation?
 
Old 04-29-2011, 03:15 PM   #11
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
You may already have one for both start up and shut down. Here is some Ubuntu wiki documentation, but it shouldn't matter if you are using Ubuntu or not. Look for up.sh, which will appear in two places. In one place, it is the server configuration and it shows that there is a command called up (down) that runs a script that you create located in /etc/openVPN/up.sh (down.sh). This will show you an example of creating a script that will run at these times. I believe it works on the client too, but you would need a different script for Linux and XP clients to handle your port routing.
 
Old 04-29-2011, 03:40 PM   #12
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by Noway2 View Post
You may already have one for both start up and shut down. Here is some Ubuntu wiki documentation, but it shouldn't matter if you are using Ubuntu or not. Look for up.sh, which will appear in two places. In one place, it is the server configuration and it shows that there is a command called up (down) that runs a script that you create located in /etc/openVPN/up.sh (down.sh). This will show you an example of creating a script that will run at these times. I believe it works on the client too, but you would need a different script for Linux and XP clients to handle your port routing.
And when they disconnect from the VPN, another script needs to be run to reset the routing? This all sounds a bit complicated, not to mention I'm not sure the routing on clients should be able to be changed without the client computer's permission plus firewall, etc.
It seems to me that OpenVPN should have the option to route only specific client ports.
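
The up/down hook approach discussed in this thread, sketched for a Linux client as an added example (it is not part of the thread or any poster's code): one script marks traffic to ports 80 and 1935, sends marked traffic through the tunnel, and undoes it on disconnect. The script path, mark value, table number and the client config lines in the comments are assumptions; a Windows client would need a different mechanism.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed client config lines:
#   route-nopull        (ignore a pushed redirect-gateway)
#   script-security 2   (allow user scripts)
#   up /etc/openvpn/port-route.sh
#   down /etc/openvpn/port-route.sh
# OpenVPN exports $script_type, $dev and $route_vpn_gateway to the script.
PORTS="80,1935"   # destination ports that should leave via the VPN
MARK=1            # firewall mark (arbitrary value)
TABLE=100         # policy routing table number (arbitrary value)

# Print the commands for "up" (add) or "down" (delete); executes nothing.
port_route_cmds() {
    action=$1 tun=$2 gw=$3
    case $action in
        up)   ipt=-A; ipop=add
              # Loose reverse-path filter so replies arriving on the tunnel are kept.
              echo "sysctl -w net.ipv4.conf.$tun.rp_filter=2" ;;
        down) ipt=-D; ipop=del ;;
        *)    echo "usage: port_route_cmds up|down DEV [GATEWAY]" >&2; return 2 ;;
    esac
    # Mark locally generated TCP packets bound for the chosen ports.
    echo "iptables -t mangle $ipt OUTPUT -p tcp -m multiport --dports $PORTS -j MARK --set-mark $MARK"
    # The source address was picked before the mark rerouted the packet, so rewrite it.
    echo "iptables -t nat $ipt POSTROUTING -o $tun -m mark --mark $MARK -j MASQUERADE"
    # Marked packets use a separate table whose only route is the tunnel.
    echo "ip rule $ipop fwmark $MARK table $TABLE"
    echo "ip route $ipop default ${gw:+via $gw }dev $tun table $TABLE"
}

# Run the generated commands (needs root).
apply_port_routes() {
    port_route_cmds "$@" | while read -r cmd; do
        # On "down" the kernel may already have removed the tunnel route.
        $cmd || [ "$1" = down ] || exit 1
    done
}

# Act only when OpenVPN invoked the script as its up or down hook.
case ${script_type:-} in
    up|down) apply_port_routes "$script_type" "$dev" "${route_vpn_gateway:-}" ;;
esac
```

Inbound connections to the local web server are unaffected because unmarked traffic, including the server's replies, keeps using the main routing table and the normal interface.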
 
  

