OpenVPN port-share with apache 443/10443 not working
I finally found the answer to this problem.
Despite the firewall rules seeming correct, the fact that openvpn was listening on a different host (public IP) than apache was the problem. Using the same host (and public IP) for openvpn and apache solved it.
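An added example (not from the question or answer above) of what "same host for both" looks like in the two configurations; 203.0.113.10 is a placeholder for the server's public IP (x.x.x.x in the question), and the vhost lines are assumed:

```conf
# --- /etc/openvpn/server.conf: the failing shape from the question ---
# OpenVPN bound to every address (0.0.0.0:443) while Apache was bound to the
# public address only; port-share proxying then failed with
# "PORT SHARE PROXY: connect to port-share server failed".
#   proto tcp
#   port 443
#   port-share 203.0.113.10 10443

# --- /etc/openvpn/server.conf: corrected, OpenVPN bound to the same address ---
proto tcp                       # port-share only works in TCP server mode
local 203.0.113.10              # same address Apache listens on (placeholder IP)
port 443
port-share 203.0.113.10 10443   # non-OpenVPN (TLS/HTTPS) clients are proxied to Apache

# --- Apache ports.conf / SSL vhost: listen on that same address, not on 443 ---
Listen 203.0.113.10:10443
<VirtualHost 203.0.113.10:10443>
    SSLEngine on
    ServerName vpn.example.com  # placeholder
</VirtualHost>
```

To check the result from outside, `openssl s_client -connect 203.0.113.10:443` should present Apache's certificate, and the OpenVPN log should show "Non-OpenVPN client protocol detected" without the following "connect to port-share server failed" line.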
Comments
-
snowflake over 1 year
I configured openvpn (OpenVPN 2.1.0) and apache 2 to listen respectively on 443 and 10443 (with modssl). The two applications are listening well:
tcp 0 0 x.x.x.x:10443 0.0.0.0:* LISTEN 1130/apache2
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 7860/openvpn
But, for a reason I'm trying to determine, the port-share option configured as follows (with public IP) is not working:
port 443
port-share x.x.x.x 10443
The error in the openvpn log is:
TCP connection established with [AF_INET]y.y.y.y:3123
Socket Buffers: R=[131072->131072] S=[131072->131072]
TCPv4_SERVER link local: [undef]
TCPv4_SERVER link remote: [AF_INET]y.y.y.y:3123
y.y.y.y:3123 Non-OpenVPN client protocol detected
PORT SHARE PROXY: connect to port-share server failed
y.y.y.y:3123 SIGTERM[soft,port-share-redirect] received, client-instance exiting
TCP/UDP: Closing socket
I suppose that openvpn does not have the right to connect, but it is launched as root:
root 7862 0.0 0.0 99552 924 ? S Sep22 0:00 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf --script-security 2
The 443 and 10443 ports are open on the firewall.
Thank you for any comments and suggestions!
I already consulted:
Edit for iptables rules:
Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere             udp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:mysql
ACCEPT     udp  --  10.0.0.0/8           anywhere             udp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10443
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10443
Edit for a better explanation of the error log: The openvpn remote connection is working (I connect successfully to the VPN on port 443). The port forward is not working. The HTTPS connection on 10443 is working, but the HTTPS connection on port 443 is not working with the port-share option.
-
Greg Petersen over 12 years: Could you please show us the iptables rules?
-
snowflake over 12 years: Sure, I added the input rules; feel free to ask for another specific relevant section of iptables.
-
snowflake over 12 years: My chain ufw-user-forward is empty. apparmor is not running.
-
polynomial over 12 years: Are you able to telnet x.x.x.x 10443? Can you include pcap/tcpdump output of the interface that x.x.x.x is on when openvpn attempts to connect? Does it just never get a SYN/ACK back? If you ufw disable does it work?
-
Giovanni Bajo over 12 years: Your public IP is directly assigned to a network interface on the server, right? You're not behind some sort of 1:1 NAT?
-
snowflake over 12 years: @polynomial telnet x.x.x.x 10443 is ok.
-
snowflake over 12 years: @polynomial disabling ufw doesn't change anything.
-
snowflake over 12 years: @polynomial the tcpdump output of x.x.x.x 10443 clearly indicates that openvpn does not attempt to connect. However, I get log entries when I connect myself through x.x.x.x:10443.
-
snowflake over 12 years: @Giovanni Bajo: checked.
-