How to limit admin panel to private ip?

Posted: Thu May 19, 2016 11:14 pm
by cinnaroll
I've installed an OpenVPN Access Server on an Amazon EC2 instance. Everything seems to work fine but if possible I want to restrict the access to admin panel to the private ip that is connected to assigned elastic IP. A tutorial I've watched suggests doing this by unchecking Service Forwarding options under Server Network Settings. However that doesn't seem to do anything, the panel is still accessible via public IP. Is there a way to fix this?

Re: How to limit admin panel to private ip?

Posted: Fri May 20, 2016 7:16 am
by novaflash
On Amazon EC2, your instance only has a private IP. Amazon's systems redirect all incoming traffic on the public IP address to that private IP address.

So, restricting access to that private IP address is just not going to work when you have an Elastic IP tied to it. Unless you are able to add a second private IP address to your instance that isn't tied to an Elastic IP.

Re: How to limit admin panel to private ip?

Posted: Fri May 20, 2016 11:10 am
by cinnaroll
I see. I'm a total beginner when it comes to OpenVPN. Would you consider leaving the admin panel on the public IP a security risk?

Re: How to limit admin panel to private ip?

Posted: Fri May 20, 2016 11:55 am
by novaflash
Only if you use very bad passwords. It has an automatic lockout system in place to prevent bruteforcing.

If you like, though, you can set the Admin UI to a different TCP port. That leaves the Client UI still working and the Connect Client will work properly then, but separates the Admin section onto another port. If you set it for example to port 1234 then you have to access it like so: https://yourserver.address.com:1234/ (drop the admin part of the URL - that only happens when both Client UI and Admin UI are running on the same port). Be sure to disable service forwarding for the Admin UI.

Then, using security groups in Amazon's management panel, you can allow only certain IP addresses and ranges access to the Admin UI on port TCP 1234.
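An added example (not from the thread or from OpenVPN) of the security-group check novaflash describes: given ingress rules in the shape `aws ec2 describe-security-groups` returns, it lists which source ranges can reach the Admin UI port and rewrites that port's rule to a single allowed range. The sample group, the placeholder id `sg-EXAMPLE` and the allowed range `203.0.113.0/24` are constructed for the example.

```python
import ipaddress

# Constructed sample group: Client UI shared on 443 and 943 to the world,
# Admin UI moved to TCP 1234 (as suggested above) but still open to 0.0.0.0/0.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",  # placeholder, not a real group id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 943, "ToPort": 943,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 1234, "ToPort": 1234,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

def _rule_covers(rule, port, proto):
    """True if this ingress rule grants access to proto/port."""
    if rule["IpProtocol"] == "-1":          # "all traffic" rule
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]

def sources_for_port(group, port, proto="tcp"):
    """Set of IPv4/IPv6 CIDRs allowed to reach proto/port."""
    cidrs = set()
    for rule in group["IpPermissions"]:
        if not _rule_covers(rule, port, proto):
            continue
        cidrs.update(r["CidrIp"] for r in rule.get("IpRanges", []))
        cidrs.update(r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))
    return cidrs

def is_world_reachable(group, port, proto="tcp"):
    """A port is world-reachable if any allowed source is the whole
    address space (0.0.0.0/0 or ::/0, i.e. prefix length 0)."""
    return any(ipaddress.ip_network(c).prefixlen == 0
               for c in sources_for_port(group, port, proto))

def restrict_port(group, port, allowed_cidr, proto="tcp"):
    """Copy of the group where proto/port is reachable only from allowed_cidr.
    Assumes the port has its own rule; rules spanning other ports need splitting."""
    kept = [r for r in group["IpPermissions"] if not _rule_covers(r, port, proto)]
    kept.append({"IpProtocol": proto, "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": allowed_cidr}], "Ipv6Ranges": []})
    return {**group, "IpPermissions": kept}
```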

Re: How to limit admin panel to private ip?

Posted: Sat May 21, 2016 9:58 am
by cinnaroll
Good idea! Thanks for the advice.

Re: How to limit admin panel to private ip?

Posted: Sat May 21, 2016 11:11 am
by novaflash
It's only one of a multitude of possibilities. You can also add a dummy adapter to your system and assign a unique private IP to it and have the Admin UI listen there, and give access to certain VPN users to that IP. Then it won't be accessible from anywhere but through a VPN connection.

Re: How to limit admin panel to private ip?

Posted: Tue Nov 01, 2016 5:35 pm
by saliency
novaflash wrote:
If you like, though, you can set the Admin UI to a different TCP port. That leaves the Client UI still working and the Connect Client will work properly then, but separates the Admin section onto another port. If you set it for example to port 1234 then you have to access it like so: https://yourserver.address.com:1234/ (drop the admin part of the URL - that only happens when both Client UI and Admin UI are running on the same port). Be sure to disable service forwarding for the Admin UI.
What are the exact steps to do this?

Re: How to limit admin panel to private ip?

Posted: Tue Apr 04, 2017 8:03 pm
by tcaetano
What I did to solve this was blocking port 943 (used for admin) from outside traffic, so only the LAN could access it. Just use the security group to do that and you should be fine.

Re: How to limit admin panel to private ip?

Posted: Sat Jun 15, 2019 2:07 pm
by nullsteph
Perhaps I missed something but changing the port still leaves the Admin to respond on 443 which has to remain open to all IPs in order to function.

Re: How to limit admin panel to private ip?

Posted: Sat Jun 15, 2019 2:12 pm
by novaflash
The client web interface and the admin web interface are 2 different things and by default run on the same port (943) and are shared through the TCP OpenVPN daemon at port TCP 443 as well. If you disable admin UI port sharing in the server network settings page, that last part gets disabled for the admin UI so the admin UI can only be reached through port TCP 943. If you also put the admin UI on a different port from the client UI, you can further separate them and define firewall rules to block access to one or the other.

It is recommended to leave at least the client web UI reachable through the TCP openvpn daemon. The settings are all in the server network settings page. If you mess with it, and you make a mistake, you can lock yourself out of the web interface. So have a backup ready or read documentation on how to change these settings via the command line to recover from mistakes.

Re: How to limit admin panel to private ip?

Posted: Fri Oct 23, 2020 8:11 am
by marie-dk
novaflash wrote:
Sat Jun 15, 2019 2:12 pm
The client web interface and the admin web interface are 2 different things and by default run on the same port (943) and are shared through the TCP OpenVPN daemon at port TCP 443 as well. If you disable admin UI port sharing in the server network settings page, that last part gets disabled for the admin UI so the admin UI can only be reached through port TCP 943. If you also put the admin UI on a different port from the client UI, you can further separate them and define firewall rules to block access to one or the other.

It is recommended to leave at least the client web UI reachable through the TCP openvpn daemon. The settings are all in the server network settings page. If you mess with it, and you make a mistake, you can lock yourself out of the web interface. So have a backup ready or read documentation on how to change these settings via the command line to recover from mistakes.
I added rules to UFW to prevent access to the admin panel from the outside world. Then I discovered that iptables is overruling my UFW config.

I then changed the ports for both admin and client GUI, and edited the UFW rules to reflect that change... Just to discover that OpenVPN AS also added the new ports to iptables leaving these new ports open to the outside world as well.

So it seems that the only way to prevent public access - if you (like me) are not comfortable mangling with iptables - is to have the GUIs listening on the local network only.

I strongly recommend that this inappropriateness is fixed in OpenVPN AS. People who value security may not appreciate revealing certain services to the public.

Re: How to limit admin panel to private ip?

Posted: Tue Dec 29, 2020 3:52 am
by peterlecki
novaflash wrote:
Sat Jun 15, 2019 2:12 pm
I strongly recommend that this inappropriateness is fixed in OpenVPN AS. People who value security may not appreciate revealing certain services to the public.
I second that recommendation. Now I have to lose a feature to close this hole. I have to block the admin port from outside. Although downloading client software is also done on that port. But I have to block this for security. It's a side-effect of patching that hole.