
Secure LAN www server with VPN

Posted: Mon Mar 20, 2017 3:26 pm
by doman
Hello everybody!
I have set up a small www server machine based on Debian for testing purposes. It has a main interface eth0 with IP 192.168.0.210, on which our project is set up (Apache is set on this IP). My coworker and I have access to it from 192.168.0.x addresses. I've also set up a second interface, eth0:0, with 192.168.0.200 on this server, without any services on it yet.
Recently we got a public static IP. On our router (192.168.0.1, which is also the default gateway and DHCP server) I forwarded port 80 from outside to 192.168.0.210, so now outside users can access the WWW server.

Now I want to secure this outside connection with a VPN so all outside traffic from the router to the server would be forwarded through the VPN server. The plan is:

1. Set up OpenVPN on 192.168.0.200
2. Set forwarding on router -> outside IP A.B.C.D:80 to 192.168.0.200:1194
3. Set OpenVPN redirections to 192.168.0.210 where actual server is.

This way LAN users (me and my coworker) would connect to 210 without any hassle (directly), but all incoming traffic from 192.168.0.1 (router) to 192.168.0.210:80 would have to go through OpenVPN (192.168.0.200).

Questions
A. Is it a good approach?
B. Steps 1 and 2 are easy, and building certificates seems easy as well, but I'm confused about how to make the redirections. I have some basic knowledge of iptables and I've read, and watched on YouTube, some tutorials about setting up OVPN, for example...

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8

which seems quite straightforward, but all of them show how to just pass ALL traffic to ALL of the internet through OVPN, or make redirections for gateways, not from a SPECIFIC IP to another SPECIFIC IP. How do I do this?

Re: Secure LAN www server with VPN

Posted: Mon Mar 20, 2017 10:23 pm
by TinCanTech
doman wrote: Questions
A. Is it a good approach?
No.

Comments welcome:

Re: Secure LAN www server with VPN

Posted: Tue Mar 21, 2017 3:05 pm
by doman
OK, thanks. I've just followed the tutorial and set it up the classic way.