Port Forwarding by SQL

How to customize and extend your OpenVPN installation.
neoaurel
OpenVpn Newbie
Posts: 7
Joined: Sat Jan 07, 2012 11:35 am

Port Forwarding by SQL

Post by neoaurel » Sat Jan 07, 2012 11:46 am

Hi all,

(I'm French, sorry for my bad English)

I am trying to open ports with OpenVPN, I'll explain (port forwarding to the client).

We have an intranet with username and password to connect to the VPN.

We want to open some ports chosen by the user:

Example:

Client 1 wants to open port 10000
Client 2 wants to open port 20000

How can we do that?
The values 10000 and 20000 are accessible in a MySQL database, but how can I transfer this parameter to the VPN server when the client connects, and forward the correct port per client?

I saw a topic here but not exactly what we want: topic7823.html

How can I proceed?

Something like this:

iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 10.66.66.6
iptables -A FORWARD -s 10.66.66.6 -p tcp --dport 1234 -j ACCEPT

But how can I know if client 1 is 10.66.66.6 or something else?

Mimiko
Forum Team
Posts: 1568
Joined: Wed Sep 22, 2010 3:18 am

Re: Port Forwarding by SQL

Post by Mimiko » Sat Jan 07, 2012 5:50 pm

Using the certificate common name and ccd files you can assign static IPs from the VPN pool to any client.

neoaurel
OpenVpn Newbie
Posts: 7
Joined: Sat Jan 07, 2012 11:35 am

Re: Port Forwarding by SQL

Post by neoaurel » Sat Jan 07, 2012 7:32 pm

Hi Mimiko,

Thanks for the response.

My config file is this one:


local 82.x.x.x
proto tcp
port 443
dev tun
mode server
tls-server

ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh2048.pem
mssfix 1500
cipher AES-256-CBC

server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key

plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
script-security 2
chroot /empty

What do I have to add? To redirect one port, for example, I want to have the same IP for both clients but two different ports open.
(I need a script because it is for thousands of people)

Client 1 and Client 2 have IP address 10.20.30.40

But Client 1 has port 10000 open for him
and Client 2 has port 20000 open for him

Is it possible, and if yes, how?

Thanks a lot

Mimiko
Forum Team
Posts: 1568
Joined: Wed Sep 22, 2010 3:18 am

Re: Port Forwarding by SQL

Post by Mimiko » Sat Jan 07, 2012 7:38 pm

In the server's config you have
client-cert-not-required
How are you differentiating which is client 1 and which is client 2?

neoaurel
OpenVpn Newbie
Posts: 7
Joined: Sat Jan 07, 2012 11:35 am

Re: Port Forwarding by SQL

Post by neoaurel » Sat Jan 07, 2012 7:40 pm

With this line:


username-as-common-name

Client1 has:

username : client1
password : pass1

and Client2 has:

username : client2
password : pass2

Mimiko
Forum Team
Posts: 1568
Joined: Wed Sep 22, 2010 3:18 am

Re: Port Forwarding by SQL

Post by Mimiko » Sat Jan 07, 2012 8:42 pm

Then read this: http://openvpn.net/index.php/open-sourc ... tml#policy
and assign via ccd to every client its IP, and with iptables route the desired port to the needed IP.

neoaurel
OpenVpn Newbie
Posts: 7
Joined: Sat Jan 07, 2012 11:35 am

Re: Port Forwarding by SQL

Post by neoaurel » Sat Jan 07, 2012 9:56 pm

Thanks,

But I would like to know how I can find out the IP address of the client who is connecting.

And make a script like this:

iptables -t nat -A PREROUTING -p tcp --dport 10000 -j DNAT --to-destination IP_CLIENT
iptables -A FORWARD -s IP_CLIENT -p tcp --dport 10000 -j ACCEPT

But I have to know how to retrieve:
IP_CLIENT

Mimiko
Forum Team
Posts: 1568
Joined: Wed Sep 22, 2010 3:18 am

Re: Port Forwarding by SQL

Post by Mimiko » Sun Jan 08, 2012 8:13 am

Read the manual for this:
ifconfig_pool_remote_ip
The remote virtual IP address for the TUN/TAP tunnel taken from an --ifconfig-push directive if specified, or otherwise from the ifconfig pool (controlled by the --ifconfig-pool config file directive). This option is set on the server prior to execution of the --client-connect and --client-disconnect scripts.

neoaurel
OpenVpn Newbie
Posts: 7
Joined: Sat Jan 07, 2012 11:35 am

Re: Port Forwarding by SQL

Post by neoaurel » Sun Jan 08, 2012 12:28 pm

So, to confirm I understand English well^^

IP_CLIENT = ifconfig_pool_remote_ip ?

So I have to add into server.conf:


client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh

And I put this in clientconnect.sh:

#!/bin/bash
PORT=10000   # ?? how do I set this per client?
iptables -A FORWARD -p tcp -i eth0 -d $ifconfig_pool_remote_ip --dport $PORT -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $ifconfig_local --dport $PORT -j DNAT --to-destination $ifconfig_pool_remote_ip:$PORT

But the question is: how do I know Client 1 is port 10000 and Client 2 is port 20000?

neoaurel
OpenVpn Newbie
Posts: 7
Joined: Sat Jan 07, 2012 11:35 am

Re: Port Forwarding by SQL

Post by neoaurel » Wed Jan 25, 2012 7:55 pm

No response? :(

Mimiko
Forum Team
Posts: 1568
Joined: Wed Sep 22, 2010 3:18 am

Re: Port Forwarding by SQL

Post by Mimiko » Wed Jan 25, 2012 8:18 pm

You have to create a simple CSV file where you put the client-port concordance, for example:
client1,10000
client2,20000
where the first column is the cname of the client and the second is the port. Then in the script files you read this file until the respective client cname and use the port number in the iptables command. The common_name variable in the connect and disconnect scripts holds the cname of the client.
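Putting the thread together: a single script usable for both client-connect and client-disconnect that looks up common_name in the CSV Mimiko describes, validates the port before it reaches iptables, and adds the rules on connect and deletes them on disconnect. This is an added example, not code from the thread or from OpenVPN; the CSV path /etc/openvpn/client-ports.csv, the interface eth0 and the IPTABLES override are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): shared client-connect / client-disconnect
# script. Maps the connecting user's common_name to a TCP port via a CSV file
# in the format described above (client1,10000) and adds or removes the
# matching iptables rules. Paths and interface names are assumptions.
set -eu

PORT_MAP="${PORT_MAP:-/etc/openvpn/client-ports.csv}"   # assumed CSV location
IPTABLES="${IPTABLES:-iptables}"                        # set to "echo" for a dry run
PUBLIC_IF="${PUBLIC_IF:-eth0}"                          # assumed internet-facing interface

# lookup_port NAME FILE: print the port mapped to NAME, or fail.
# Exact string comparison on column 1 (no regex, no shell expansion of NAME),
# so one user's name cannot match another user's row.
lookup_port() {
    local name="$1" file="$2" port
    port=$(NAME="$name" awk -F, '$1 == ENVIRON["NAME"] { print $2; exit }' "$file")
    # Only a plain decimal in the unprivileged range reaches iptables; empty,
    # non-numeric or privileged values (e.g. 22) are rejected.
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# build_rules ACTION PORT CLIENT_IP: -A on connect, -D on disconnect, so the
# rule set does not grow every time a client reconnects.
build_rules() {
    local action="$1" port="$2" client_ip="$3"
    "$IPTABLES" -t nat "$action" PREROUTING -i "$PUBLIC_IF" -p tcp \
        --dport "$port" -j DNAT --to-destination "$client_ip:$port"
    "$IPTABLES" "$action" FORWARD -i "$PUBLIC_IF" -p tcp \
        -d "$client_ip" --dport "$port" -j ACCEPT
}

# OpenVPN exports common_name, ifconfig_pool_remote_ip and script_type to the
# script environment; when they are absent nothing is applied.
if [ -n "${common_name:-}" ] && [ -n "${ifconfig_pool_remote_ip:-}" ]; then
    if port=$(lookup_port "$common_name" "$PORT_MAP"); then
        case "${script_type:-client-connect}" in
            client-connect)    build_rules -A "$port" "$ifconfig_pool_remote_ip" ;;
            client-disconnect) build_rules -D "$port" "$ifconfig_pool_remote_ip" ;;
        esac
    else
        # No valid mapping: the client still connects, just without a forwarded port.
        logger -t openvpn-portfwd "no valid port mapping for $common_name" || true
    fi
fi
```

If the mapping lives in MySQL as in the original question, only the awk line in lookup_port changes to a parameterised query; keep the numeric check so that nothing but a validated port is ever interpolated into an iptables command.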
