Accessing a webserver hosted behind vpn with closed ports remotely?

Yes, it can be done thanks to the fact that you are running your Web Server in a Linux VM. The first fact (that you are using Linux) is an absolute prerequisite, the second one (that it is a VM, not a physical machine) makes it easier and less expensive.

When you set up a VPN, it changes your routing table, establishing (in your case) that all traffic must go through a different server. If a connection comes in through your local router, the Mint VM will try to answer by following the routing instructions of the only table it knows, i.e. through the VPN. However, the PC trying to contact your Web server will see that its query to your non-VPN address has been answered by a distinct third party, the VPN server. For obvious security reasons, these replies are immediately discarded.

To solve this problem, Linux has the ability to handle two (or more) distinct routing tables, with rules specifying when each is to be used. So what you want to do is to create a second interface on your Mint VM (let's call it eth1), and make sure that it has an IP address on your LAN (if you are using VirtualBox, that means creating a bridged interface).

Now all you have to do is to set up two routing tables, in such a way that if a communication comes in via the OpenVPN, it is answered by the routing table set up by the OpenVPN, but if it comes in through the LAN (the NIC we called eth1) it is answered by a different routing table that routes traffic back where it came from, i.e. your local router, not the OpenVPN server.

You do this as follows:

before starting the VPN, set up two tables: we will call them main (the one destined to be used by the OpenVPN, which already exists on every Linux system as table 254 in rt_tables, so it must not be added again) and NONVPN, which you create:

 # "main" is already defined as 254 in /etc/iproute2/rt_tables; only NONVPN is new
 echo 201 NONVPN >> /etc/iproute2/rt_tables

Add a gateway to each routing table (if needed):

 ip route add 192.168.1.0/24 dev eth0 src <SRC1> table main
 ip route add 192.168.1.0/24 dev eth1 src <SRC2> table NONVPN

Then a default route:

 ip route add default via 192.168.1.1 table main
 ip route add default via 192.168.1.1 table NONVPN

where I assumed 192.168.1.1 is your local router, and 192.168.1.0/24 the LAN.

Now you may start your VPN: it will modify your main routing table.

Lastly, you add the rules to select the route table based on the source address:

 ip rule add from 10.0.0.0/24 table main
 ip rule add from 192.168.1.0/24 table NONVPN

where I assumed your OpenVPN tunnel has addresses in the 10.0.0.0/24 range; modify accordingly.

You are done.
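The policy-routing steps above, as an added example that is not part of the original answer: a small POSIX sh helper that looks a table name up in rt_tables (so "main", which already exists as id 254, is never appended a second time), and prints the ip(8) commands as a dry run so they can be reviewed without root before being run. The interface, addresses and the rt_tables path are assumptions passed in as arguments; 203.0.113.5 is a documentation address used only for the final route check.

```shell
#!/bin/sh
# Added example (not the answer's own script). All names are assumptions.

# rt_table_id FILE NAME: print the numeric id of table NAME in an
# rt_tables file (format: "id<tab>name", '#' comments), or nothing.
rt_table_id() {
    awk -v name="$2" '$1 !~ /^#/ && $2 == name { print $1; exit }' "$1"
}

# emit_policy_routing RT_TABLES LAN_IF LAN_IP LAN_NET LAN_GW VPN_NET
# Prints the commands for the second routing table and the source-based
# rules. Nothing is applied here; pipe the output into sh as root to apply.
emit_policy_routing() {
    rt="$1"; lan_if="$2"; lan_ip="$3"; lan_net="$4"; lan_gw="$5"; vpn_net="$6"

    # "main" is table 254 on every Linux system, so it is never added.
    # Only create NONVPN when it is not already present (idempotent).
    if [ -z "$(rt_table_id "$rt" NONVPN)" ]; then
        echo "echo 201 NONVPN >> $rt"
    fi

    # Routes in NONVPN: the LAN itself and a default via the local router,
    # both over the LAN NIC, so replies leave the way the request came in.
    echo "ip route add $lan_net dev $lan_if src $lan_ip table NONVPN"
    echo "ip route add default via $lan_gw dev $lan_if table NONVPN"

    # Rules are consulted in priority order (local=0, main=32766 by default).
    # Explicit priorities make the order deterministic on re-runs.
    echo "ip rule add from $vpn_net table main priority 100"
    echo "ip rule add from $lan_net table NONVPN priority 101"

    # Verification: ask the kernel which route a reply sourced from the LAN
    # address would take; it should show the NONVPN table via the LAN router.
    echo "ip route get 203.0.113.5 from $lan_ip"
}

# Usage: ./policy-routing.sh /etc/iproute2/rt_tables eth1 192.168.1.2 \
#            192.168.1.0/24 192.168.1.1 10.0.0.0/24
if [ "$#" -eq 6 ]; then
    emit_policy_routing "$@"
fi
```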

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    I currently have the following setup:

    Win Server 2008

    -------> Mint 16 Cinnamon VM tunneled through external VPN (using OpenVPN)

    ---------------> Webserver inside for local network access

    Is there any possible way to access that web server using my external ISP ip address when the webserver is tunneled behind a VPN... without needing to port forward on the VPN side?

    As an example, would it be possible to host a webserver on another VM or the host OS which redirects to or acts as a pointer (... like mod_rewrite or redirect?) to that local server, so it can be accessed externally without needing to have access to configuring firewall rules on the VPN server?

    EG:

    Host OS

    -----> VM 1, VPN + Webserver, local adaptor IP is 192.168.1.2 (home network), VPN tunnel IP is 10.x.x.x, all external traffic routed through the VPN.

    --------------> VM 2, local adaptor IP is 192.168.1.3, Webserver running on port 80, points to page hosted on 192.168.1.2:80 and allows for external viewing via port forwarding local router.

    Currently, all devices on the local network can access this webserver fine.

    Failing that idea, is there any way to force certain programs to only send traffic over specific interfaces (i.e., the local ethernet interface), or to force certain ports to route through the ISP's gateway instead of the VPN's (on an OS level)?

    Appreciate your feedback.

    • Nippey
      Nippey almost 10 years
      You can use the actual webserver on VM2 as 'proxy' by requesting data from this host.
    • Thalys
      Thalys almost 10 years
      You're an unregistered user in both cases - Register, and use the contact us link at the bottom to get your accounts merged.
    • 100rabh
      100rabh almost 10 years
      You have 2 accounts 1. superuser.com/users/319950/anditpainsme 2. superuser.com/users/323002/anditpaintsme, please use the contact form and select "I need to merge" to merge your accounts. That way you can gain control over your question & post comments.