
I am trying to open specific ports for users so that they can use programs such as RDP. I have searched all over the internet, and have yet to find an answer to this question. I have tried every iptables rule in the books, and it still seems to fail. Do I need to use a specific interface to open ports for VPN users?

I am running OpenVPN as well as PPTPD. I am not using FreeRadius, as I have coded my own setup system. Any help would be greatly appreciated on getting ports opened. Thank you.

user185094

1 Answer


I'm not sure whether I understand your question correctly. VPN clients need a certain TCP port to be opened (1194 on OpenVPN by default). You probably need to set up a redirection of this port to your OpenVPN server on your border router/firewall. Somewhere in the port forwarding settings you'll need to redirect incoming traffic on this specific port to your OpenVPN server.

Other traffic (such as RDP) should then be tunneled via the VPN. That means no extra opened ports for other services are required for connected VPN clients (this depends on the configuration).

If you're not sure which port you should open, examine the configuration files for the server and the clients. The netstat tool on the client side can help you determine which ports are needed to establish the connection and are probably closed:

netstat --tcp -n | grep SYN_SENT

Any connection in state SYN_SENT listed by the above command can point you to a blocked port.

  • Thank you for this information. To clear it up a bit, I am attempting to allow certain programs to use certain ports through the VPN. I guess an example would be someone trying to run a Minecraft server through the VPN. Binding it to, say 10.8.0.22 would succeed, but they wouldn't be able to access the server without the port 25565 being opened. Would what you're telling me to do help with that situation? – user185094 Aug 09 '13 at 22:46
  • This sounds like a LAN firewalling issue then. Once the user has successfully connected to the VPN, their source IP (probably that of the VPN's LAN IP) will need to be allowed to access 10.8.0.22 on port 25565. Are there firewall rules that apply to the LAN interface? – inetplumber Aug 10 '13 at 01:21
  • Do you mean on, like, ppp0 and tun0? If so, what do you suggest I do? – user185094 Aug 10 '13 at 05:12
  • VPN clients should be assigned IP addresses from a separate subnet within your LAN. E.g. let's say your LAN occupies the 192.168.0,1,2,3,4.0/24 subnets; your VPN subnet could be 192.168.20.0/24. Using this sort of separation, you could do a local firewall within your LAN and allow only certain traffic from that subnet. The best thing would be to set up a firewall on the OpenVPN server. This you could do by employing IPTABLES or any other firewall software. –  Aug 12 '13 at 10:43
  • Another important thing: you need to add IP routes for the traffic to go between VPN and LAN subnets. –  Aug 12 '13 at 10:51
  • @niervol For instance, I have this rule: -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE. Is this what you are referring to? – user185094 Aug 13 '13 at 03:42
  • The masquerade rule is just so any client on the VPN can communicate with the internet through the VPN server. You will still need port forwarding if anybody on the internet needs to connect to a service hidden behind the VPN server. – Lasse Michael Mølgaard Feb 22 '20 at 07:35
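The firewall the comments converge on, written out as an added example (not code from the question, the answer or the commenters): rules on the OpenVPN server that let other VPN clients reach exactly one service a client exposes (the 10.8.0.22:25565 case from the thread) over the tunnel interface, keep the rest of the tunnel subnet closed and log what gets dropped. It assumes tun0 is the OpenVPN interface and 10.8.0.0/24 the VPN subnet, reuses the eth0 MASQUERADE rule quoted in the comments, and that `client-to-client` is not set in the OpenVPN config (with it set, peer traffic never reaches the kernel and these FORWARD rules never see it). By default the script only prints the commands; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example; not the original poster's configuration.
# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# vpn_service_rules <vpn_if> <vpn_subnet> <service_ip> <tcp_port> <wan_if>
vpn_service_rules() {
    vpn_if="$1"; vpn_net="$2"; svc_ip="$3"; svc_port="$4"; wan_if="$5"

    # Traffic between two VPN peers enters and leaves on the same tun
    # interface, so the kernel must forward at all (the "IP routes" point
    # raised in the comments).
    run sysctl -w net.ipv4.ip_forward=1

    # Replies to connections already accepted below.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the one service, only from the VPN subnet, only over the tunnel.
    run iptables -A FORWARD -i "$vpn_if" -o "$vpn_if" -s "$vpn_net" -d "$svc_ip" \
        -p tcp --dport "$svc_port" -m conntrack --ctstate NEW -j ACCEPT

    # VPN clients may still reach the internet; this is what the quoted
    # MASQUERADE rule is for, and it exposes nothing inbound.
    run iptables -A FORWARD -i "$vpn_if" -o "$wan_if" -s "$vpn_net" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE

    # Any other peer-to-peer attempt inside the tunnel is rate-limited into
    # the kernel log (useful for spotting scans between clients) and dropped.
    run iptables -A FORWARD -i "$vpn_if" -o "$vpn_if" -m limit --limit 5/min \
        -j LOG --log-prefix "VPN-PEER-DROP: "
    run iptables -A FORWARD -i "$vpn_if" -o "$vpn_if" -j DROP
}

# Values from the thread: tun0, 10.8.0.0/24, the client at 10.8.0.22:25565, eth0.
vpn_service_rules tun0 10.8.0.0/24 10.8.0.22 25565 eth0
```

For PPTPD clients the same function applies with the ppp interface and its pool as the first two arguments; a service that must also be reachable from the internet additionally needs a DNAT rule on eth0, as the last comment notes.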