Here is my setup:
I have a server MYSRV in my 192.168.1.x LAN, its IP is 192.168.1.110. It also runs an openvpn client to connect to an openvpn server REMOTESRV. 10.0.0.x is the openvpn private LAN.
On MYSRV I have dovecot and mysql running and I need to have access to them from outside.
MYSRV connects correctly to the openvpn server, and I get a tun interface and the following route table:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         188.8.131.52    184.108.40.206  UG    0      0        0 tun0
    default         gateway         0.0.0.0         UG    0      0        0 eth0
    220.127.116.11  18.104.22.168   22.214.171.124  UG    0      0        0 tun0
    link-local      *               255.255.0.0     U     1000   0        0 lo
    126.96.36.199   gateway         255.255.255.255 UGH   0      0        0 eth0
    188.8.131.52    *               255.255.255.192 U     0      0        0 tun0
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
When the openvpn client on MYSRV is stopped I can access ports 143/993/3306 from outside thanks to the port forwarding on the ADSL router and the FQDN of the router (for example myserver.from-outside.com). Of course I can also access these ports from inside the LAN. However, when the openvpn client on MYSRV is started, if I do

    nmap -sS myserver.from-outside.com

all ports are filtered except some:
    Not shown: 989 filtered ports
    PORT    STATE  SERVICE
    25/tcp  open   smtp
    53/tcp  closed domain
    80/tcp  open   http
    113/tcp closed ident
    135/tcp closed msrpc
    139/tcp closed netbios-ssn
    443/tcp open   https
    445/tcp closed microsoft-ds
    465/tcp open   smtps
    587/tcp open   submission
    631/tcp open   ipp
While doing the same from inside the LAN shows that ports 143/993/3306 are indeed available:
    Not shown: 983 closed ports
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    24/tcp    open  priv-mail
    53/tcp    open  domain
    81/tcp    open  hosts2-ns
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    143/tcp   open  imap
    444/tcp   open  snpp
    445/tcp   open  microsoft-ds
    993/tcp   open  imaps
    2049/tcp  open  nfs
    3306/tcp  open  mysql
    5050/tcp  open  mmcc
    9091/tcp  open  xmltec-xmlmail
    10000/tcp open  snet-sensor-mgmt
    12345/tcp open  netbus
It looks like there is a problem with openvpn filtering ports.
I tried several ways using iptables like:

    iptables -t nat -A PREROUTING -p tcp --dport 143 -j DNAT --to 10.0.0.1

but nothing worked.
The client config is below (keys are embedded and not shown here).
    client
    ;explicit-exit-notify
    proto tcp
    remote at2-ovpn-tcp.pointtoserver.com 80
    dev tun
    ;up /etc/openvpn/scripts/up.sh.bak
    ;down /etc/openvpn/scripts/down.sh.bak
    auth-user-pass pass
    persist-key
    persist-tun
    nobind
    ;block-outside-dns
    key-direction 1
    remote-cert-tls server
    cipher AES-256-CBC
    route-method exe
    route-delay 0
    route 0.0.0.0 0.0.0.0
    script-security 2
Could you help me with this? Is it possible to restrict openvpn to apply to specific applications, so that some traffic would not be considered in both directions (inside/outside), or not? If not, I guess it is necessary to add port forwarding iptables rules related to the openvpn setup? What kind of rules?
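The following is an added worked example, not part of the post above and not an answer from the thread. The route table in the post shows a default route via tun0 (installed by `route 0.0.0.0 0.0.0.0`), so the most likely cause of the "filtered" result is a return-path problem rather than openvpn filtering ports: a connection forwarded by the ADSL router arrives on eth0, but MYSRV's reply follows the default route out through tun0 and the outside client never sees the SYN-ACK. A strict reverse-path filter (rp_filter=1) on eth0 can additionally drop the inbound packet, because the public source address is only reachable via tun0. The DNAT rule tried in the post cannot fix that, since the packets already reach MYSRV; what is missing is a route for the replies. OpenVPN itself cannot be scoped to applications; on Linux the mechanism for "this traffic bypasses the VPN" is policy routing keyed on a firewall mark, which is what the script below sets up. It assumes, because the post does not say, that the LAN gateway is 192.168.1.1, the LAN interface is eth0, and routing table 100 and fwmark 0x1 are unused.

```shell
#!/bin/sh
# Added example (not from the post): answer connections that arrive on the
# LAN interface through the LAN gateway, even while the VPN owns the default
# route on tun0. Traffic that MYSRV originates itself keeps using the VPN,
# because only connections first seen inbound on eth0 get the mark.
#
# Assumed values, none stated in the post: LAN gateway 192.168.1.1,
# LAN interface eth0, unused routing table 100 and unused fwmark 0x1.
LAN_IF="${LAN_IF:-eth0}"
LAN_GW="${LAN_GW:-192.168.1.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TABLE="${TABLE:-100}"
MARK="${MARK:-0x1}"

# Print the rules one per line so they can be reviewed first (dry run) or
# executed with --apply. Order matters: the table and the policy rule exist
# before any packet is marked.
gen_rules() {
    cat <<EOF
ip route replace default via $LAN_GW dev $LAN_IF table $TABLE
ip route replace $LAN_NET dev $LAN_IF table $TABLE
ip rule add fwmark $MARK lookup $TABLE priority 100
iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A OUTPUT -m connmark --mark $MARK -j CONNMARK --restore-mark
sysctl -w net.ipv4.conf.$LAN_IF.rp_filter=2
EOF
}

# Reverse of gen_rules, for cleanup.
gen_undo() {
    cat <<EOF
iptables -t mangle -D OUTPUT -m connmark --mark $MARK -j CONNMARK --restore-mark
iptables -t mangle -D PREROUTING -i $LAN_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
ip rule del fwmark $MARK lookup $TABLE priority 100
ip route flush table $TABLE
EOF
}

# Number of commands in the plan, for a sanity check before applying.
rule_count() { gen_rules | wc -l | tr -d ' '; }

case "${1:-}" in
    --apply) gen_rules | sh -e ;;
    --undo)  gen_undo  | sh -e ;;
    *)       echo "# dry run; re-run with --apply or --undo"; gen_rules ;;
esac
```

How it works: the PREROUTING rule stamps the conntrack entry of every new connection that enters on eth0 (from the router or from the LAN); the OUTPUT rule copies that mark onto each reply packet, and a marked packet is re-routed through table 100, which sends it to the LAN gateway instead of tun0. rp_filter=2 (loose) on eth0 keeps the kernel from discarding inbound packets whose source is only reachable via the VPN. If only dovecot and mysql should bypass the VPN, narrow the PREROUTING match with `-p tcp -m multiport --dports 143,993,3306`. After `--apply`, check with `ip rule show`, `ip route show table 100` and `iptables -t mangle -S`, then repeat the `nmap -sS myserver.from-outside.com` scan from outside; `ip rule add` is not idempotent, so run `--undo` before applying a second time.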