LinuxQuestions.org, Linux - Server forum
OpenVPN on 2 networks

04-16-2011, 04:40 AM, #1
Senior Member (Original Poster), Registered: Jul 2009, Location: UK, Distribution: CentOS 5 with Plesk, Posts: 1,013
I have a webserver running on my laptop.
I also want to connect via VPN for my email and internet (port 80 and 1935). However, as soon as I connect via VPN, users lose access to my webserver.
Is there a way to be connected to 2 networks at once or use a setting in the openvpn client to only route traffic on email ports and 80/1935?
04-16-2011, 07:58 PM, #2
Noway2, Senior Member, Registered: Jul 2007, Distribution: Gentoo, Posts: 2,125
Would you please clarify:
Quote:
However, as soon as I connect via VPN, users lose access to my webserver.
Do you mean when you connect (remotely) via OpenVPN, that others can't connect to your server via port 80?
04-17-2011, 04:29 AM, #3
Original Poster
Quote:
Originally Posted by Noway2
Would you please clarify:
Do you mean when you connect (remotely) via OpenVPN, that others can't connect to your server via port 80?
Yes, because when I connect via VPN all traffic is routed through the VPN.
04-18-2011, 04:04 AM, #4
Original Poster
ie is there a way to route specific ports from the OpenVPN client only?
04-18-2011, 05:40 AM, #5
Noway2
I have been thinking about your setup. It is admittedly a little confusing. To summarize my understanding (and please correct me if I am wrong), you are using your laptop as a server, with inbound connections to port 80. You then use the OpenVPN client on this laptop to connect to another OpenVPN server. When you establish this connection, inbound traffic to port 80 (your web server) on the laptop fails, presumably because of routing conflicts caused by the VPN connection.
The first place I would look is to issue the "route" command and see if you can confirm that this is what is happening.
The second thing I would look into is the OpenVPN configuration on the server side. I was under the impression that OpenVPN, by default, ONLY routes traffic destined for the VPN via the virtual interfaces. This is what is confusing me, as I would think that the return path to the established connections would be via the normal interface, not the virtual VPN interface. This is where the route command may shed some light. Two directives I would look for are:
Code:
push "redirect-gateway def1"
and
push "route-gateway 192.168.0.1" (or whatever your VPN gateway is)
I think that these may cause you problems. The first causes ALL traffic to route via the VPN gateway, not just VPN traffic. The second changes the routing gateway, and this may impact your ability to route via your normal interface. These get pushed via the server and would be in the server.conf.
I don't know of any way to route via port on openVPN. I am near absolute in certainty that OpenVPN works by manipulating the routing table to redirect traffic. Consequently, you should be able to tweak it somehow to correct the situation, either manually or via the openVPN configuration using the PUSH directives.
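Added example, not taken from the thread or from the OpenVPN project: the two directives Noway2 names, shown as the server would push them and as a client can refuse them so that the laptop's own default route (and with it the return path for inbound port 80 connections) stays on the ISP interface. The host name, addresses and VPN subnet are placeholders.

```conf
# server.conf (as pushed by the VPN operator; assumed content)
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"      # client installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel;
                                  # both are more specific than the laptop's existing default
push "route-gateway 10.8.0.1"     # next hop the pushed routes point at

# client.conf, weak: accepts everything that is pushed
client
dev tun
remote vpn.example.com 1194       # placeholder
# Result: replies from the local web server follow the new /1 routes out of
# tun0 instead of back over the ISP link, so remote users time out.

# client.conf, fixed: take no pushed routes, add only the VPN subnet yourself
client
dev tun
remote vpn.example.com 1194       # placeholder
route-nopull                      # ignore every pushed route and gateway option
route 10.8.0.0 255.255.255.0      # reach only the VPN side's own subnet through tun0
# OpenVPN 2.4 or later can instead drop just the redirect and keep the other
# pushed options (DNS etc.):
#   pull-filter ignore "redirect-gateway"
```

To confirm which case you are in, run `ip route` (or `route -n`) while connected: a full-tunnel client shows the two /1 routes through the tun device ahead of the original default, whereas with `route-nopull` the default still points at the ISP interface and only the 10.8.0.0/24 entry mentions tun0. This alone does not give per-port splitting; it only stops the tunnel from capturing everything.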
04-29-2011, 10:48 AM, #6
Original Poster
Can the OpenVPN server do it or must something be configured on a client firewall?
I want the client to route *.*.*.*:80 through the VPN but all other ports should go to the normal ISP.
I don't understand how making server configuration changes will do anything. The server can only drop ports other than 80 or bounce them back to the client. If the ports are bounced back to the client, the client will not know what to do with and cannot therefore route them to the ISP.
04-29-2011, 11:17 AM, #7
Noway2
Quote:
I don't understand how making server configuration changes will do anything.
OpenVPN has a special syntax used in the server configuration file for these types of commands. What happens is that these commands are pushed to the client machines during the connection setup. This means that the route commands get executed on the client side, but in a manner that is dictated by the server configuration. One thing that I just remembered is that you can specify scripts that get run at the startup and shutdown of the connection. This may be a key factor here because one problem that I think you are facing is that you can't use the route command to route per port. However, you can do this with iptables. In order to get this to happen on the client end, you would need to write the script and have it execute on the client side to change the per-port routing. If I recall correctly, these scripts are typically called up.sh and down.sh.
See this link for some more information on how to do the per-port routing: http://www.linuxquestions.org/questi...not-ip-486823/
also take a look at this document: http://openvpn.net/index.php/open-so...8-1xhowto.html
Specifically, look at the part titled Configure Firewall and NAT, which caught my attention because it seems related to your objective where you perform iptables modifications for the server and clients.
04-29-2011, 12:54 PM, #8
Original Poster
Quote:
Originally Posted by Noway2
OpenVPN has a special syntax used in the server configuration file for these types of commands. What happens is that these commands are pushed to the client machines during the connection setup. This means that the route commands get executed on the client side, but in a manner that is dictated by the server configuration. One thing that I just remembered is that you can specify scripts that get run at the startup and shutdown of the connection. This may be a key factor here because one problem that I think you are facing is that you can't use the route command to route per port. However, you can do this with iptables. In order to get this to happen on the client end, you would need to write the script and have it execute on the client side to change the per-port routing. If I recall correctly, these scripts are typically called up.sh and down.sh.
See this link for some more information on how to do the per-port routing: http://www.linuxquestions.org/questi...not-ip-486823/
also take a look at this document: http://openvpn.net/index.php/open-so...8-1xhowto.html
Specifically, look at the part titled Configure Firewall and NAT, which caught my attention because it seems related to your objective where you perform iptables modifications for the server and clients.
I don't see how an iptables script can be executed on the client, surely all virus software and firewall software would prevent that? Especially a Linux server executing a script on a Windows client?
04-29-2011, 12:57 PM, #9
Noway2
Quote:
I don't see how an iptables script can be executed on the client
The script has to be installed during the setup, likely at the same time that you install the client configuration file. These don't get pushed via the server, only routing commands do and would be a different approach entirely.
04-29-2011, 01:20 PM, #10
Original Poster
Quote:
Originally Posted by Noway2
The script has to be installed during the setup, likely at the same time that you install the client configuration file. These don't get pushed via the server, only routing commands do and would be a different approach entirely.
So, I would need to compile an OpenVPN installation script, which also runs a Windows routing script on installation?
04-29-2011, 03:15 PM, #11
Noway2
You may already have one for both start up and shut down. Here is some Ubuntu wiki documentation, but it shouldn't matter if you are using Ubuntu or not. Look for up.sh, which will appear in two places. In one place, it is the server configuration and it shows that there is a command called up (down) that runs a script that you create located in /etc/openVPN/up.sh (down.sh). This will show you an example of creating a script that will run at these times. I believe it works on the client too, but you would need a different script for Linux and XP clients to handle your port routing.
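Added example serving posts #7 and #11 above; it is not code from the thread or from the OpenVPN project. It is a Linux client-side up/down hook (the file name split-ports.sh and its path are assumptions) that does the per-port routing Noway2 describes with iptables: outbound TCP to ports 80 and 1935 is marked and sent through the tunnel via a separate policy-routing table, while everything else, including the replies the laptop's own web server sends, keeps the ISP default route. It relies on OpenVPN exporting the tunnel device as `dev` and the event as `script_type` to hook scripts, and on the client config not accepting a pushed redirect-gateway. With `DRY_RUN=1` set it only prints the commands it would run, which is how it can be checked without root or a live tunnel.

```shell
#!/bin/sh
# split-ports.sh: OpenVPN --up/--down hook (name and path are assumptions)
# that tunnels only outbound TCP to the listed destination ports.
#
# Client config it assumes (a pushed redirect-gateway must NOT be accepted,
# otherwise the laptop's default route moves into the tunnel anyway):
#   script-security 2
#   route-nopull
#   up   /etc/openvpn/split-ports.sh
#   down /etc/openvpn/split-ports.sh
#
# OpenVPN exports the tunnel device as $dev and "up"/"down" as $script_type.
set -eu

VPN_PORTS="${VPN_PORTS:-80,1935}"   # destination ports that go through the VPN
MARK=0x1                            # fwmark stamped on those flows
TABLE=100                           # policy-routing table consulted for marked flows
RULE_PRIO=1000                      # ip rule priority (lower number = checked first)

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vpn_up() {
    tun="$1"
    # 1. Mark locally generated packets to the chosen ports.  Replies sent by
    #    the local web server have SOURCE port 80, not destination port 80,
    #    so they stay unmarked and keep following the main table to the ISP.
    run iptables -t mangle -A OUTPUT -p tcp -m multiport --dports "$VPN_PORTS" -j MARK --set-mark "$MARK"
    # 2. The kernel chose the ISP-facing source address before the mark was
    #    applied; rewrite it to the tunnel address so the VPN server accepts it.
    run iptables -t nat -A POSTROUTING -o "$tun" -j MASQUERADE
    # 3. Marked packets are rerouted via table 100, whose only route is the tunnel.
    run ip route replace default dev "$tun" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE" priority "$RULE_PRIO"
    # 4. Return traffic arrives on the tunnel from addresses the main table
    #    would route via the ISP; strict reverse-path filtering would drop it,
    #    so use loose mode on the tunnel device.
    run sysctl -q -w "net.ipv4.conf.$tun.rp_filter=2"
}

vpn_down() {
    tun="$1"
    # Undo in reverse order; the tunnel device itself is removed by OpenVPN.
    run ip rule del fwmark "$MARK" table "$TABLE" priority "$RULE_PRIO"
    run ip route flush table "$TABLE"
    run iptables -t nat -D POSTROUTING -o "$tun" -j MASQUERADE
    run iptables -t mangle -D OUTPUT -p tcp -m multiport --dports "$VPN_PORTS" -j MARK --set-mark "$MARK"
}

# OpenVPN calls the same file for both events; do nothing when sourced by hand.
case "${script_type:-}" in
    up)   vpn_up   "$dev" ;;
    down) vpn_down "$dev" ;;
esac
```

The MASQUERADE in step 2 is the part people usually miss: without it the tunnelled packets leave tun0 carrying the ISP address as source, and the VPN server either drops them or fails to NAT them. Inbound connections to the laptop's web server are unaffected because only packets whose destination port is 80 or 1935 are marked. This hook is Linux-only; a Windows client would need a different mechanism.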
04-29-2011, 03:40 PM, #12
Original Poster
Quote:
Originally Posted by Noway2
You may already have one for both start up and shut down. Here is some Ubuntu wiki documentation, but it shouldn't matter if you are using Ubuntu or not. Look for up.sh, which will appear in two places. In one place, it is the server configuration and it shows that there is a command called up (down) that runs a script that you create located in /etc/openVPN/up.sh (down.sh). This will show you an example of creating a script that will run at these times. I believe it works on the client too, but you would need a different script for Linux and XP clients to handle your port routing.
And when they disconnect from the VPN, another script needs to be run to reset the routing? This all sounds a bit complicated, not to mention I'm not sure the routing on clients should be able to be changed without the client computer's permission, plus firewall, etc.
It seems to me that OpenVPN should have the option to route only specific client ports.