
I run a pretty basic OpenVPN server that is set up along the lines of the guide from DigitalOcean. It uses UFW to only allow incoming connections for OpenVPN (default port) and SSH.

Now, I also want to run a VNC service on the same system (port 5901). That's working fine with a firewall rule that allows access to the VNC port from anywhere, however I want the VNC server to be accessible only when I'm connected to the VPN. I'm slightly dumbfounded about how such a firewall rule would have to look. I can see in the syslog that even when I'm connected to the VPN, connection attempts from the VNC client are received from my public IP and not the internal IP given to me by OpenVPN.

Does anyone have an idea how to do this? My best guess is that I'll have to set up a source NAT, but I hope there's a simpler solution.

  • *connection attempts from the VNC client are received from my public IP* - You haven't configured routing properly in the VPN. If VNC sees your public address and not the VPN address, then your packets are not using the VPN. Oh, and you're to connect to the VPN IP with your client software. – Zoredache Nov 03 '17 at 22:03
  • The VNC server doesn't see the connection attempts at all, they get dropped by UFW because the rules don't match. I doubt anything doesn't go through the tunnel because of all the testing I did, it always worked perfectly. How would I check if the routing is correct? – morph Nov 03 '17 at 22:35

1 Answer


Okay, I solved it by simply connecting the VNC client to OpenVPN's internal IP (10.8.0.1) and adding a UFW rule that allows connections from tun0 on that specific port. Sometimes it's really easier than you think...

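The accepted fix and the symptom from the question, as an added shell example (not code from the answer or the DigitalOcean guide): it prints the UFW rules that restrict VNC to the tunnel and counts blocked VNC attempts that arrived on the public interface rather than tun0. The interface name, VPN subnet and the form of the original "from anywhere" rule are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes the DigitalOcean
# guide defaults: tunnel interface tun0, VPN subnet 10.8.0.0/24, VNC on TCP 5901,
# and that the permissive rule was added as "ufw allow 5901/tcp".
VNC_PORT=5901
VPN_IF=tun0
VPN_NET=10.8.0.0/24

# Print the ufw commands that implement the accepted answer: remove the
# "from anywhere" rule, then allow VNC only when it arrives on the tunnel
# interface from a VPN client address. Printed rather than run so they can be
# reviewed first; apply with: vnc_ufw_commands | sudo sh
vnc_ufw_commands() {
    echo "ufw delete allow ${VNC_PORT}/tcp"
    echo "ufw allow in on ${VPN_IF} from ${VPN_NET} to any port ${VNC_PORT} proto tcp"
}

# Read UFW log lines on stdin and count blocked VNC attempts that did NOT
# arrive on the tunnel interface. A non-zero count is the symptom from the
# question: the client is still targeting the server's public IP, so its
# packets take the normal route instead of tun0 and never match the rule.
count_vnc_outside_vpn() {
    awk -v port="DPT=${VNC_PORT}" -v vpnif="IN=${VPN_IF}" '
        /UFW BLOCK/ {
            hit = 0; onvpn = 0
            for (i = 1; i <= NF; i++) {
                if ($i == port)  hit = 1
                if ($i == vpnif) onvpn = 1
            }
            if (hit && !onvpn) n++
        }
        END { print n + 0 }'
}

# Constructed sample syslog lines shaped like real UFW entries (RFC 5737
# documentation addresses). Lines 1-2 hit the public interface on the VNC
# port, line 3 came in on tun0, line 4 is unrelated SSH noise.
SAMPLE_LOG='Nov  3 22:01:10 vpn kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=5901 SYN
Nov  3 22:01:13 vpn kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=5901 SYN
Nov  3 22:02:40 vpn kernel: [UFW BLOCK] IN=tun0 OUT= SRC=10.8.0.6 DST=10.8.0.1 PROTO=TCP SPT=40000 DPT=5901 SYN
Nov  3 22:03:00 vpn kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=4444 DPT=22 SYN'

vnc_ufw_commands
printf '%s\n' "$SAMPLE_LOG" | count_vnc_outside_vpn   # prints 2
```

Run the counter against the real syslog (`grep 'UFW BLOCK' /var/log/syslog | count_vnc_outside_vpn`) after the fix: a count that keeps growing means some client is still pointed at the public IP rather than 10.8.0.1.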