Installation and Upgrades / Can't reach zentyal webadmin via vpn network on virtual nic client net [SOLVED]
« on: January 15, 2014, 07:53:38 pm »
Hi,
I try to harden my zentyal webserver installation against attacks from outside.
What I like to do is: accessing the webadmin interface on a single nic internet server via the vpn network from my vpn-client-pc.
So I decided to install the vpn server.
I also added a virtual network card to the system which is part of the tun0 device, so it is only accessible via vpn.
The vpn server is working, the virtual interface is working.
If I connect to vpn and open the browser I should be able to browse
```
https://192.168.55.1:ADMINPORT
```
and access the admin interface.
But I can't.
```
vpn-client (192.168.50.3) (can NOT connect to webadmin interface on eth0:vpn:ADMINPORT)
        |
vpn server (via single nic server)
        |
eth0:vpn (virtual nic on eth0)
        |
zentyal webadmin interface on port ADMINPORT
        |
eth0 (localhost on server via ssh) (can connect to webadmin interface on eth0:vpn:ADMINPORT)
```
```
eth0 (== server ip)   XXX.XXX.35.201   (WAN address for internet services)
eth0:vpn              192.168.55.1     (virtual nic, webadmin interface should listen only here)
vpn net               192.168.50.0
tap0                  192.168.50.1
advertised net        192.168.55.0
local-vpn-client      192.168.50.3
```
What works: I can reach the admin interface from within the server (e.g. in an ssh session) with:
```
root@vserver:> lynx https://192.168.55.1:ADMINPORT
```
Any ideas? I think, this is a nat or firewall issue reaching the ip / port from outside of the local network, because the vpn network is not known by the firewall.
I already tried this with the following rules, which helped me reaching ports from outside when using bridged networking on another server. But this DOES NOT WORK for the vpn network.
```
# redirect traffic for the admin port to the virtual nic address
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 4444 -j DNAT --to-destination 192.168.55.1:4444
iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 4444 -j DNAT --to-destination 192.168.55.1:4444
iptables -t nat -A PREROUTING -j premodules
# FORWARD is a chain of the filter table, not of nat (the original had "-t nat-A")
iptables -A FORWARD -d 192.168.55.1/32 -p tcp -m state --state NEW -m tcp --dport 4444 -j ACCEPT
iptables -A FORWARD -j preforward
```
I also tried this:
```
route add -net 192.168.50.0/24 dev tun0
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -A FORWARD -p tcp -d 192.168.55.1 --dport 4444 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 4444 -j DNAT --to 192.168.55.1
```
and this:
```
iptables -A ffwdrules -s 192.168.55.0/24 -j ACCEPT
```
```
iptables -A FORWARD -i tap0 -j ACCEPT
```
Greets
Axel
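An added diagnostic, not from the post or from Zentyal: since 192.168.55.1 is an address the server itself owns, a packet from the VPN client to it is delivered through the INPUT chain, so DNAT and FORWARD rules like the ones tried above never see it. The script classifies the netfilter path for a destination and checks an INPUT ruleset (in `iptables -S` syntax) for a rule that admits the VPN net to the admin port; all addresses and rulesets are constructed to mirror the layout in the post, and port 4444 stands in for ADMINPORT.

```shell
#!/bin/sh
# Added example, not part of the original post. Constructed data throughout.

# Constructed: addresses local to the server (eth0, the eth0:vpn alias, tap0, lo),
# as `ip -4 -o addr` would list them.
LOCAL_ADDRS="XXX.XXX.35.201 192.168.55.1 192.168.50.1 127.0.0.1"

# chain_for_dest DEST: prints INPUT when DEST is owned by this host (local
# delivery), otherwise FORWARD (routed traffic, where DNAT/FORWARD rules apply).
chain_for_dest() {
    for a in $LOCAL_ADDRS; do
        if [ "$a" = "$1" ]; then echo INPUT; return 0; fi
    done
    echo FORWARD
}

# input_allows RULES IFACE SRC_NET DPORT: succeeds when RULES holds an ACCEPT
# for DPORT scoped to ingress interface IFACE or to SRC_NET.
# Simplified matcher: it ignores rule order, negations and the chain policy.
input_allows() {
    printf '%s\n' "$1" | grep -- '-j ACCEPT' | grep -- "--dport $4 " \
        | grep -Eq -- "-i $2 |-s $3 "
}

# Constructed: an INPUT chain that only admits lo, established flows and ssh,
# which is the situation the post describes from the VPN client's point of view.
RULES_BEFORE='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed: the same chain plus an INPUT rule scoped to the VPN interface and
# net, admitting only the admin port on the alias address.
RULES_AFTER="$RULES_BEFORE
-A INPUT -i tap0 -s 192.168.50.0/24 -d 192.168.55.1/32 -p tcp -m tcp --dport 4444 -j ACCEPT"

demo() {
    dest=192.168.55.1
    printf 'traffic to %s is handled in chain %s\n' "$dest" "$(chain_for_dest "$dest")"
    for set in BEFORE AFTER; do
        eval "rules=\$RULES_$set"
        if input_allows "$rules" tap0 192.168.50.0/24 4444; then
            echo "$set: VPN net admitted to 4444"
        else
            echo "$set: VPN net blocked from 4444"
        fi
    done
}
demo
```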