New CentOS v7x64 Server configuring static IP/Port Forwarding

This is the forum to post your config. Include diagrams, usage graphs, and all the other goodies to show off your network.
MrLimo
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2019 3:25 am

New CentOS v7x64 Server configuring static IP/Port Forwarding

Post by MrLimo » Mon Mar 18, 2019 5:37 am

I have what amounts to a Raspberry Pi running as a canned OpenVPN Client and a commercial VPN account with a Static IP.
The reason for the static IP is that I can forward public ports back to the VPN Client.

I can run the device behind my home NAT successfully with the following config. The device basically needs a port trigger (or a router that can be configured for port triggering): it sets up a session on a specific port, but the audio returns on a range of ports. Thus a VPN with a public static IP that forwards all ports back to the client works as expected.
Public TCP Port 80
Public UDP Ports 2074-2093
Public TCP Ports 15425-15427
Public UDP Ports 5198-5200
Public TCP Ports 5198-5200

If I start the VPN client on the device I can reach the device from its public IP HTTP://{static-ip}

I have set up a new CentOS v7 64 server {Not married to CentOS} via the AS 2.6.1 For CentOS 7. 64 bits RPM. And it works with Tunnelblick/OpenVPN Client as expected!

This is a redacted version of a working client config file for my Raspberry Pi OpenVPN client from my Commercial VPN Account.
client

remote {SERVER-IP} 443 tcp
remote {SERVER-IP} 3690 tcp
remote {SERVER-IP} 2401 tcp
remote {SERVER-IP} 8443 tcp
key-direction 1
cipher AES-256-CBC
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry
;http-proxy {SERVER-IP} 80
verb 3
reneg-sec 86400
echo vpn-ServerID account777
tun-mtu 1500
route-method exe
route-delay 2
redirect-gateway def1
comp-lzo adaptive
hand-window 30
<ca>
-----BEGIN CERTIFICATE-----
Common Name: account777
Organization: host.com
Locality: City
State: CA
Country: US
Valid From: February 28, 2018
Valid To: February 26, 2028
Issuer: account777, host.com
Serial Number: 11298481264535981185 (0x9ccc44d92212cc81)
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAM1lC+HmxsmpDO1y
ZCwyTttSSUfZtKLWADH4IeEEDVe0IAJlEwnhPL0ikdbfrZUJoeq0m66irRFf/B3k
....
05qVSRHTh83mL5ohHFK0QbC7WHe1yckWP8TPVRc7pvjNd8XZE61MJ70EmnkeZ69Y
JQBt2jTYi6geaVE=
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
Common Name: account777
Organization: host.com
Locality: City
State: CA
Country: US
Valid From: February 28, 2018
Valid To: February 26, 2028
Issuer: account777, host.com
Serial Number: 2 (0x2)
-----END CERTIFICATE-----
</cert>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
f70989f0b61dd64c39fd5b26333d7afe
90848ffd025ddb65d58f7b02bc026942
....
5eb675ffa98336bab1dbd6fc68954491
fb6fa4daa70eb3ff85ae7f5fcfe612f2
-----END OpenVPN Static key V1-----
</tls-auth>
-----------------------------------------------------------------------

This is a redacted version of a non-working config file generated by my OpenVPN Server.
server
# Automatically generated OpenVPN client config file
# Generated on Sat Mar 16 20:51:45 2019 by vpnhost.com

# Default Cipher
cipher AES-256-CBC
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=Account44
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE={email}/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=vpnhost.com:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
# iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
#
# Common Name: Sectigo RSA Domain Validation Secure Server CA
# Organization: Sectigo Limited
# Locality: Salford
# State: Greater Manchester
# Country: GB
# Valid From: November 1, 2018
# Valid To: December 31, 2030
# Issuer: USERTrust RSA Certification Authority, The USERTRUST Network
# Serial Number: 7d5b5126b476ba11db74160bbc530da7
#
# yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
# 00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
# MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
#
# Common Name: USERTrust RSA Certification Authority
# Organization: The USERTRUST Network
# Locality: Jersey City
# State: New Jersey
# Country: US
# Valid From: May 30, 2000
# Valid To: May 30, 2020
# Issuer: AddTrust External CA Root, AddTrust AB
# Serial Number: 13ea28705bf4eced0c36630980614336
#
# Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
# 0fKtirOMxyHNwu8=
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=0
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN, Inc.
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote vpnhost.com 1194 udp
remote vpnhost.com 1194 udp
remote vpnhost.com 443 tcp
remote vpnhost.com 1194 udp
remote vpnhost.com 1194 udp
remote vpnhost.com 1194 udp
remote vpnhost.com 1194 udp
remote vpnhost.com 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

<ca>
-----BEGIN CERTIFICATE-----
MIICuDCCAaCgAwIBAgIEXI3E5jANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApP
cGVuVlBOIENBMB4XDTE5MDMxMDAzNTQxNFoXDTI5MDMxNDAzNTQxNFowFTETMBEG
Common Name: OpenVPN CA
Valid From: March 9, 2019
Valid To: March 13, 2029
Serial Number: 1552794854 (0x5c8dc4e6)
g69YpY+C79OWxl96DLxzjBz3o6Atl7sPixccAH1nOypIjRX2Is3aia3xvvQnN5J8
WikzzcgJt1yJZ2czcAw90UL93+QXj/E8TORQ3A==
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIICyzCCAbOgAwIBAgIBBDANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApPcGVu
VlBOIENBMB4XDTE5MDMxMDA0NTEzMVoXDTI5MDMxNDA0NTEzMVowGzEZMBcGA1UE
Common Name: Account44_AUTOLOGIN
Valid From: March 9, 2019
Valid To: March 13, 2029
Serial Number: 4 (0x4)
tcMdNdzO5zkUy77bCMlHdAfKcwYikwbegLTE6g4beUWeJi0Vr9NGxAnM4u9A4q6C
UbyJMJIQhcUaPucufvw8ngcc6ZXZR89E/fCeWynZzqy2Lu5YU3E78it01ztEhMc=
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCc8Cnb64NElY1h
nQ+Ul3LJpmlKnOufl0LVXDcXy5Uuil0WqRIlytO+uH+R3CBki8cMC6GZEyjM33yG
.....
.....
.....
SdkJxegO/2sG6VZ/GpuTWzA0lNJVbx8LDOkz2BT/SDGu53Xmk1xn6f/I+0bO5Nec
VaeEbAEUNuWWrmRITEQai70=
-----END PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
6a9387e399c8009599aa9eccc219cfb1
1b6048ad7467d729407d6a2a207af5ca
.....
.....
.....
68662f52aeb49bcd3ed1e561b996e2ff
cb96dd88ef2baa15553b6e6f9e30e64e
-----END OpenVPN Static key V1-----
</tls-auth>

## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## BFh7/UbfKB7xp9/7Qz82y8mAWQJteUGIK8HiAvB4maiEab+Hqv
## KyL6i8B2PPGdetWDbvgdoqiTSMt2Ev8hNU6CnEDMb9RoF5mm6o
## ln992qhbauHyBj0xd+8f3qdRytFjNWQRjlTG2fKKtGIfjvfc5w
## uNvn5wI7h0R5PkYiCqc2N0fSfpIgP1zJlqR6ZmqSk3cE0eymsx
## 8Kan3CD86lQdSusNPxtb5giKqqaWSpUWUnofkUmezeDxPlI3PE
## +FLukn2xjnGbh6FlHmK3XidTCs1TAD48GadXYBXNnJ4WbCmNaW
## c1aIZgBJNbonxMZt0VxyNTNudjeERKPDtdnRGdqK3A==
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## MIIF9DCCBNygAwIBAgIQY7ftFB/F3TbCmmrleTpa4TANBgkqhkiG9w0BAQsFADCB
## jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
##
## Common Name: vpnhost.com
## Subject Alternative Names: vpnhost.com, www.vpnhost.com
## Organization Unit: Domain Control Validated
## Valid From: March 16, 2019
## Valid To: March 16, 2020
## Issuer: Sectigo RSA Domain Validation Secure Server CA, Sectigo Limited
## Serial Number: 63b7ed141fc5dd36c29a6ae5793a5ae1
##
## ij5r4oP8kmHKBRdGLOIc7R4yu6mUU4ehZa3fVt9mY0q/3Z3lWYhsudDxWIkmpy44
## J35JpAmAaeKZdzUvGl3io1l2GbPhBL5o23WOWp6xhx1qLFyDw+6WKw==
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
## iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
##
## Common Name: Sectigo RSA Domain Validation Secure Server CA
## Organization: Sectigo Limited
## Locality: Salford
## State: Greater Manchester
## Country: GB
## Valid From: November 1, 2018
## Valid To: December 31, 2030
## Issuer: USERTrust RSA Certification Authority, The USERTRUST Network
## Serial Number: 7d5b5126b476ba11db74160bbc530da7
##
## yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
## 00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
## MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
##
## Common Name: USERTrust RSA Certification Authority
## Organization: The USERTRUST Network
## Locality: Jersey City
## State: New Jersey
## Country: US
## Valid From: May 30, 2000
## Valid To: May 30, 2020
## Issuer: AddTrust External CA Root, AddTrust AB
## Serial Number: 13ea28705bf4eced0c36630980614336
##
## Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
## Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
## 0fKtirOMxyHNwu8=
## -----END CERTIFICATE-----


Being that this is basically my private VPN server, is there a way to configure the server/client setup that will mimic a static IP, i.e., forward all or the subset of ports necessary when a specific client signs on? I will also have another client that does not need the inward port forwarding.

And what do I need to tweak in my config/server setting/web interface setting etc. etc. to get this working on my Raspberry Pi?

Greg
Last edited by ecrist on Mon Mar 18, 2019 12:54 pm, edited 1 time in total.

MrLimo
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2019 3:25 am

Re: New CentOS v7x64 Server configuring static IP/Port Forwarding

Post by MrLimo » Tue Mar 19, 2019 5:05 am

Both redacted files are actually client files. Greg.

TinCanTech
OpenVPN Protagonist
Posts: 9024
Joined: Fri Jun 03, 2016 1:17 pm

Re: New CentOS v7x64 Server configuring static IP/Port Forwarding

Post by TinCanTech » Tue Mar 19, 2019 2:23 pm

MrLimo wrote:
Mon Mar 18, 2019 5:37 am
Being that this is basically my private VPN server is there a way to configure the server/client setup that will mimic a static IP Ie. forward all or the subset of ports necessary when a specific client signs on
Openvpn does not do port forwarding, use your firewall -- iptables.
MrLimo wrote:
Mon Mar 18, 2019 5:37 am
what do I need to tweek in my config/server setting/web interface setting etc. etc. to get this working on my Raspberry Pi?
There are no settings in openvpn for this but you will probably need to call a script when the client connects, use your firewall -- iptables.

MrLimo
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2019 3:25 am

Re: New CentOS v7x64 Server configuring static IP/Port Forwarding

Post by MrLimo » Thu Mar 21, 2019 6:04 pm

Ok, I can work on the iptables as suggested; any guidance about how to call a script and where I might find a base script to play around with? But the profile created by the AS 2.6.1 For CentOS 7. 64 bits RPM version is much more complex and the Pi Client will not even connect. I need a point in the right direction in order to create a lightweight .ovpn configuration that will even connect.

TinCanTech
OpenVPN Protagonist
Posts: 9024
Joined: Fri Jun 03, 2016 1:17 pm

Re: New CentOS v7x64 Server configuring static IP/Port Forwarding

Post by TinCanTech » Thu Mar 21, 2019 6:18 pm

MrLimo wrote:
Thu Mar 21, 2019 6:04 pm
the profile created by AS 2.6.1 For CentOS 7. 64 bits RPM version is much more complex and the Pi Client will not even connect
So this is an Access Server problem?

MrLimo
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2019 3:25 am

Re: New CentOS v7x64 Server configuring static IP/Port Forwarding

Post by MrLimo » Sat Mar 30, 2019 6:58 pm

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet xxx.yyy.zzz.187/24 brd xxx.yyy.zz.255 scope global eth0
valid_lft forever preferred_lft forever

DHCP Low/21 1/2 of the /20
13: as0t0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 200
inet 172.27.224.1/21 brd 172.27.231.255 scope global as0t0
valid_lft forever preferred_lft forever

DHCP High/21 1/2 of the /20
14: as0t1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 200
inet 172.27.232.1/21 brd 172.27.239.255 scope global as0t1
valid_lft forever preferred_lft forever
Static IP Range: 172.28.0.0/19
DHCP Range: 172.27.224.0/19
Advanced VPN:
Private Routed Subnet 172.28.0.0/19

OSI Layer: 3 (routing/NAT)
Clients access private subnets using: Routing
Static IP Address Network (Optional) 172.28.0.0/19

Advanced VPN:
Private Routed Subnets (Optional) 172.28.0.0/19

[root@vpn ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway 0.0.0.0 UG 0 0 0 eth0
link-local 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
172.27.224.0 0.0.0.0 255.255.248.0 U 0 0 0 as0t0
172.27.232.0 0.0.0.0 255.255.248.0 U 0 0 0 as0t1
xxx.yyy.zzz.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
[root@vpn ~]#

So I have a working client configuration that has a static IP assigned from openvpnas. I can't seem to figure out how to route a couple of ports from the PUBLIC Server's IP to the private static IP. The static IPs seem not to show up in the routing table. The static IP client has internet access outbound.

I'm using CentOS 7 at the moment but not married to continuing if another distribution is preferable. Found some information about iptables and/or firewalld configurations. I think I'm fighting something to do with processes tied to the NAT engine and its binding to the public IP, but I can't find the path from my static IP to the public IP.

TinCanTech
OpenVPN Protagonist
Posts: 9024
Joined: Fri Jun 03, 2016 1:17 pm

Re: New CentOS v7x64 Server configuring static IP/Port Forwarding

Post by TinCanTech » Sat Mar 30, 2019 7:10 pm

TinCanTech wrote:
Thu Mar 21, 2019 6:18 pm
MrLimo wrote:
Thu Mar 21, 2019 6:04 pm
the profile created by AS 2.6.1 For CentOS 7. 64 bits RPM version is much more complex and the Pi Client will not even connect
So this is an Access Server problem?
viewtopic.php?f=30&t=22603

MrLimo
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 18, 2019 3:25 am

Re: New CentOS v7x64 Server configuring static IP/Port Forwarding

Post by MrLimo » Sun Mar 31, 2019 6:12 am

I have a working Pi Client and I believe it is fully connecting to the OpenVPN Server. I can ping and transfer data to/from the Pi Client. I did reduce the complexity of the system generated file into a simplified version. I have another VPN that has a static IP and based on that config I was able to create a working client.conf/client.ovpn.

I'm now working on trying to pass traffic directed to a small list of Ports on the public IP thru OpenVPN for delivery to the static IP of the Pi Client.

I can reach the Pi Client from OpenVPNAS & the Client can reach the server and public resources.

Server's Public IP -> Route/NAT/Forward -> Pi Client Static
Server's Public IP -> TCP Port 80 -> Pi Client Static
Server's Public IP -> UDP Ports 2074-2093 -> Pi Client Static
Server's Public IP -> TCP Ports 15425-15427 -> Pi Client Static
Server's Public IP -> UDP Ports 5198-5200 -> Pi Client Static
Server's Public IP -> TCP Ports 5198-5200 -> Pi Client Static

My connection results are as follows:
Pi Client pings its assigned static IP
root@localhost:~# ping 172.28.28.28
PING 172.28.28.28 (172.28.28.28) 56(84) bytes of data.
64 bytes from 172.28.28.28: icmp_req=1 ttl=64 time=0.217 ms

Pi Client to my IP address reflector
root@localhost:~# curl http://ip.limo.net
<html><title>IP.Limo.Net</title><font size="18">209.182.218.187</font> "OpenVPNas Server's IP"
root@localhost:~#
-----------------------
VPN Server towards Pi Client
[root@vpn ~]# ping 172.28.28.28
PING 172.28.28.28 (172.28.28.28) 56(84) bytes of data.
64 bytes from 172.28.28.28: icmp_seq=1 ttl=64 time=270 ms
64 bytes from 172.28.28.28: icmp_seq=2 ttl=64 time=193 ms

VPN Server back to Pi Client's Static IP
root@localhost:~# curl 172.28.28.28
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
.............. Port 80 Webpage as expected ..............

I believe I have the client fully functional. But I need some guidance about routing the Public ports back towards the Pi Client.

Greg
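TinCanTech's answer above (OpenVPN does not forward ports; use iptables, called from a script when the client connects) and the port list in this last post can be put together in one script. The following is an added example, not code from the thread or from OpenVPN. It assumes the server's public interface is eth0 (the `ip addr` output above shows eth0, but the name is an assumption), that the kernel is doing the forwarding (ip_forward already appears to be on, since the client reaches the internet), and that the script is run by OpenVPN as a client-connect hook, where community OpenVPN 2.x exports the client's tunnel address as `ifconfig_pool_remote_ip`; how Access Server 2.6 invokes such a hook is not covered by the thread and is an assumption. Only the designated client (172.28.28.28, from the post) gets the DNAT rules, so the second client that needs no inbound forwarding is left alone.

```sh
#!/bin/sh
# Forward a fixed list of public ports on the OpenVPN server to a client's
# static tunnel address. Added example, not from the thread or from OpenVPN.
# Assumptions (not stated in the thread): public interface eth0, the
# iptables conntrack match is available, and OpenVPN runs this script as a
# client-connect hook with $ifconfig_pool_remote_ip set to the client's IP.

PUBLIC_IF="${PUBLIC_IF:-eth0}"
FORWARD_CLIENT="${FORWARD_CLIENT:-172.28.28.28}"   # the Pi client's static VPN IP
CHAIN="VPNFWD"                                      # dedicated chains, easy to flush

# Port list taken from the post: "proto port-or-range" (iptables range syntax)
PORTS='
tcp 80
udp 2074:2093
tcp 15425:15427
udp 5198:5200
tcp 5198:5200
'

# Print (do not run) the iptables commands that forward the listed ports to
# the client address given as $1. Kept as pure output so the rule set can be
# reviewed, or checked in a test, without root.
build_rules() {
    client="$1"
    [ -n "$client" ] || { echo "usage: build_rules <client-vpn-ip>" >&2; return 1; }
    echo "sysctl -q -w net.ipv4.ip_forward=1"
    # Create the chains on first use, flush them on later runs.
    echo "iptables -t nat -N ${CHAIN} 2>/dev/null || iptables -t nat -F ${CHAIN}"
    echo "iptables -N ${CHAIN} 2>/dev/null || iptables -F ${CHAIN}"
    # Hook the chains in once (-C checks for an existing jump rule).
    echo "iptables -t nat -C PREROUTING -i ${PUBLIC_IF} -j ${CHAIN} 2>/dev/null || iptables -t nat -I PREROUTING -i ${PUBLIC_IF} -j ${CHAIN}"
    echo "iptables -C FORWARD -i ${PUBLIC_IF} -j ${CHAIN} 2>/dev/null || iptables -I FORWARD -i ${PUBLIC_IF} -j ${CHAIN}"
    echo "$PORTS" | while read -r proto port; do
        [ -n "$proto" ] || continue
        # DNAT rewrites the destination before routing, so the FORWARD rule
        # below already sees the client's address as the destination.
        echo "iptables -t nat -A ${CHAIN} -p ${proto} --dport ${port} -j DNAT --to-destination ${client}"
        echo "iptables -A ${CHAIN} -p ${proto} -d ${client} --dport ${port} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
}

# Commands that undo build_rules (for a client-disconnect hook).
remove_rules() {
    echo "iptables -t nat -F ${CHAIN}"
    echo "iptables -F ${CHAIN}"
}

# Execute the generated commands; requires root.
apply_rules() {
    build_rules "$1" | sh -e
}

# When run by OpenVPN as a client-connect script, forward only for the
# designated client; any other client (the one that needs no inbound
# forwarding) connects without touching the firewall.
if [ -n "${ifconfig_pool_remote_ip:-}" ]; then
    if [ "$ifconfig_pool_remote_ip" = "$FORWARD_CLIENT" ]; then
        apply_rules "$ifconfig_pool_remote_ip"
    fi
fi
```

Two checks worth doing after the rules are in: `iptables -t nat -L VPNFWD -n -v` and `iptables -L VPNFWD -n -v` should show packet counters climbing on the DNAT and ACCEPT entries when you hit the public IP on port 80 from outside, and `ip route get 172.28.28.28` on the server must resolve to a tunnel interface, otherwise the DNATed packets have nowhere to go (the post notes the static range did not show up in `route`). The replies only make it back to the outside caller because the Pi's default route is through the tunnel, which the curl to the IP reflector confirms; a client that does not redirect its gateway would additionally need SNAT on the tunnel side. Because the client's address is static, the same rules could simply be installed at boot instead of on connect; the hook form is what lets them apply to one specific client only. Access Server maintains its own iptables rules, so re-check the chains after an Access Server restart or configuration change.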
