
I've been trying really hard to allow a distant PC to access my web server hosted on a VPN client (OpenVPN Access Server).

I'd like to make this setup possible:

[image: network setup]

The VPS's OS is Debian 8, btw.

I have IP forwarding enabled: `echo 1 > /proc/sys/net/ipv4/ip_forward`

I know I will have to use iptables, but I've tried adding PREROUTING, POSTROUTING, DNAT and SNAT entries and it was unsuccessful.

```
# nat table: rewrite inbound packets for the public IP/port to the VPN client
iptables -t nat -A PREROUTING -d 98.76.54.32/32 -p tcp --dport 25565 -j DNAT --to-destination 172.27.240.2
# nat table: rewrite packets from the VPN client so they leave with the public IP
iptables -t nat -A POSTROUTING -s 172.27.240.2/32 -p tcp --dport 25565 -j SNAT --to-source 98.76.54.32
```

I must be doing something wrong or lacking something...

chicks
Furest
  • Have you done a tcpdump on the VPS when a 'web client' connects to your 'web server'? Do you see the incoming packets? Do you see it being forwarded out the VPN link with the correct addresses? Do you see the packet counters increase in the netfilter table `iptables -nvL -t nat`? – Zoredache Apr 26 '17 at 21:48
  • I've used Wireshark on my VPS and I've seen multiple TCP incoming packets on the port but nothing going back nor forwarded, unfortunately... It makes me think the port is not open, but isn't it already open? – Furest Apr 26 '17 at 21:52
  • Oh, one other thing, are you testing this setup from a client outside of the network where the 'web server' is hosted? Testing it from a client on the same network as the 'web server' would possibly have some weird results. Also, **cough**, Bungeecord. – Zoredache Apr 26 '17 at 21:52
  • Yep. Web server hosted on the 'school network', test client on 4G (Android) – Furest Apr 26 '17 at 21:53
  • (also, I don't see my port at all with the `netstat -an` command :/) – Furest Apr 26 '17 at 21:55
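For reference, here is the manual iptables form of what the question's PREROUTING/POSTROUTING lines were attempting, written as an added example (not code from the original post or from OpenVPN). It prints the rules rather than applying them, so it can be reviewed before being piped into `sh` as root on the VPS. The public IP, VPN client address and port come from the question; the interface names and the VPS's own VPN-side address (`VPS_VPN_IP`) are assumptions, since the post does not give them. The two points it adds beyond the question: the POSTROUTING rule must match the post-DNAT destination (not `-s client`), and the filter table's FORWARD chain must accept the flow, or the nat rules rewrite packets that are then dropped.

```shell
#!/bin/sh
# Added example: port-forward a public TCP port on a VPS to an OpenVPN client.
# Values marked "assumed" are not from the original question.

PUBLIC_IP="98.76.54.32"     # VPS public address (from the question)
PUBLIC_IF="eth0"            # assumed name of the VPS public interface
VPN_IF="tun0"               # assumed name of the OpenVPN tunnel interface
VPS_VPN_IP="172.27.240.1"   # assumed VPS address inside the VPN subnet
CLIENT_IP="172.27.240.2"    # VPN client hosting the web server (from the question)
PORT="25565"                # forwarded TCP port (from the question)

# Rule 1 (nat/PREROUTING): inbound connections to the public IP:port get their
# destination rewritten to the VPN client.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s/32 -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$PUBLIC_IF" "$PUBLIC_IP" "$PORT" "$CLIENT_IP" "$PORT"
}

# Rule 2 (nat/POSTROUTING): the same, already-DNATed packets get their source
# rewritten to the VPS's VPN address, so the client's replies return through the
# tunnel even when its default route does not point at the VPS. This matches on
# the post-DNAT destination: a rule on "-s CLIENT_IP --dport PORT" never matches,
# because the server's reply packets carry PORT as their *source* port.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -d %s/32 -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$VPN_IF" "$CLIENT_IP" "$PORT" "$VPS_VPN_IP"
}

# Rules 3/4 (filter/FORWARD): nat rules alone forward nothing if FORWARD's policy
# is DROP. Only the one forwarded port is opened inbound; the tunnel-to-public
# direction is limited to replies of existing flows.
forward_rules() {
    printf 'iptables -A FORWARD -i %s -o %s -d %s/32 -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$PUBLIC_IF" "$VPN_IF" "$CLIENT_IP" "$PORT"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$VPN_IF" "$PUBLIC_IF"
}

# Checks suggested by the comment thread: forwarding must be on, and the packet
# counters on these rules should increase when an outside client connects.
check_commands() {
    printf 'sysctl net.ipv4.ip_forward\n'
    printf 'iptables -t nat -nvL PREROUTING\n'
    printf 'iptables -t nat -nvL POSTROUTING\n'
    printf 'iptables -nvL FORWARD\n'
}

# All four rules, in order. Run as-is it only prints; "sh script.sh | sh" applies.
all_rules() {
    dnat_rule
    snat_rule
    forward_rules
}

all_rules
echo "# verify with:"
check_commands
```

Running the script prints four iptables commands followed by the verification commands; the `--ctstate` matches need the conntrack module, which is present on Debian 8's kernel. This is the raw netfilter equivalent of what the accepted answer achieves through the Access Server's DMZ setting, and is useful mainly for understanding what that setting does, or for a plain OpenVPN server without the admin UI.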

1 Answer


Okay, I got it! I just had to enable a DMZ for the user in OpenVPN-AS. You just need the public interface's IP (for me it's because it's the public interface) along with the port and protocol. `12.23.34.45:TCP/25565` did the trick.

(For anyone who asks for details: you can find it at https://yourserver:943/admin, then User Management -> User Permissions -> username -> show. Just click "yes, enable DMZ" and enter the parameters.)

Furest