Serve resources only to VPN clients.

Scripts which set up, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

Nick_
OpenVpn Newbie
Posts: 1
Joined: Tue Dec 22, 2015 8:01 pm

Serve resources only to VPN clients.

Post by Nick_ » Tue Dec 22, 2015 8:03 pm

I have a Debian Server set up with OpenVPN and Apache running great. Currently the Apache services are accessible to everyone. I want to restrict them to only be accessible to clients connected via the VPN.

Here are my incorrect UFW settings:

Code:

Status: active
Logging: off
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
53                         ALLOW IN    Anywhere
60000:61000/udp            ALLOW IN    Anywhere
1194/udp                   ALLOW IN    Anywhere
2812/tcp                   ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
80/tcp on tun0             ALLOW IN    Anywhere
443/tcp on tun0            ALLOW IN    Anywhere
80/tcp                     ALLOW IN    10.8.0.0/24
443/tcp                    ALLOW IN    10.8.0.0/24
80/tcp                     ALLOW IN    10.1.0.0/16
443/tcp                    ALLOW IN    10.1.0.0/16
53                         ALLOW IN    Anywhere (v6)
60000:61000/udp            ALLOW IN    Anywhere (v6)
1194/udp                   ALLOW IN    Anywhere (v6)
2812/tcp                   ALLOW IN    Anywhere (v6)
22/tcp                     ALLOW IN    Anywhere (v6)
80/tcp on tun0             ALLOW IN    Anywhere (v6)
443/tcp on tun0            ALLOW IN    Anywhere (v6)
  
80/tcp                     ALLOW OUT   10.1.0.0/16
443/tcp                    ALLOW OUT   10.1.0.0/16
80/tcp                     ALLOW OUT   Anywhere on tun0
443/tcp                    ALLOW OUT   Anywhere on tun0
80/tcp                     ALLOW OUT   Anywhere (v6) on tun0
443/tcp                    ALLOW OUT   Anywhere (v6) on tun0
Anyone have any idea how to accomplish what I'm trying to do? I feel like it should be pretty easy, but I have wasted a lot of time on this so far.
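
As an added example (not part of the original post, and not UFW's own tooling), this Python code parses status output laid out like the listing above and reports, for each inbound ALLOW rule covering port 80 or 443, whether the rule is limited to the tunnel or is wider. It assumes `tun0` is the OpenVPN interface and `10.8.0.0/24` the VPN client subnet, as the rules above suggest; the function names are hypothetical.

```python
import ipaddress
import re
VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # assumption: VPN client subnet
VPN_IF = "tun0"                                # assumption: OpenVPN interface
WEB_PORTS = {80, 443}
# Constructed sample laid out like the status output above.
SAMPLE = """\
80/tcp on tun0             ALLOW IN    Anywhere
80/tcp                     ALLOW IN    10.8.0.0/24
80/tcp                     ALLOW IN    10.1.0.0/16
443/tcp                    ALLOW IN    Anywhere (v6)
80/tcp                     ALLOW OUT   Anywhere on tun0
"""

def covers_web_port(spec):
    """True if a spec like '80/tcp', '80,443/tcp' or '1:1024/tcp' reaches a web port."""
    ports, _, proto = spec.replace(" (v6)", "").partition("/")
    if proto.startswith("udp"):
        return False
    for part in ports.split(","):
        lo, _, hi = part.partition(":")
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and any(int(lo) <= p <= int(hi) for p in WEB_PORTS):
            return True
    return False  # also reached for application profile names, which are not handled

def classify(iface, src):
    if iface == VPN_IF:
        return "vpn-only (interface)"
    if src == "Anywhere":
        return "PUBLIC"
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return "unparsed source"
    inside = net.version == VPN_NET.version and net.subnet_of(VPN_NET)
    return "vpn-only (source)" if inside else "non-vpn source"

def audit(status_text):
    """Return (rule, verdict) for each inbound ALLOW rule that covers a web port."""
    findings = []
    for line in status_text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        to, _, iface = cols[0].partition(" on ")
        if (len(cols) != 3 or not cols[1].startswith("ALLOW")
                or cols[1].endswith("OUT") or not covers_web_port(to)):
            continue
        src = cols[2].split(" ")[0]  # "Anywhere (v6)" -> "Anywhere"
        findings.append((line.strip(), classify(iface, src)))
    return findings
```

Call `audit()` on the text printed by `ufw status verbose`. It looks only at ALLOW rules in that table, so DENY rules, rule ordering and anything in `before.rules` are outside what it checks.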

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Serve resources only to VPN clients.

Post by Traffic » Wed Jan 06, 2016 3:48 pm

Nick_ wrote: Here are my incorrect UFW settings

Personally, I would use iptables and set rules to block packets to your services except for the VPN packets.

It is relatively easy to do ..

marceloramone
OpenVpn Newbie
Posts: 14
Joined: Thu Feb 25, 2016 1:49 pm

Re: Serve resources only to VPN clients.

Post by marceloramone » Wed Mar 02, 2016 5:15 pm

Hello,

I'm trying to do the same config!

Here is my incorrect setup to close apache access:

Code:

22                         ALLOW       Anywhere 
1194/udp                   ALLOW       Anywhere
80/tcp                     ALLOW       10.8.0.0/24 »» this rule should be fine in order to allow Apache access for OpenVPN clients, but ufw blocks the traffic.

Also, I did these steps:

in /etc/default/ufw conf:

Code:

DEFAULT_FORWARD_POLICY="ACCEPT"
in /etc/ufw/before.rules conf:

Code:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0] 
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Syslog:



Any idea please?
I just need to close Apache access to the public; only ovpn-connected clients should be able to access it.

sierracircle
OpenVpn Newbie
Posts: 2
Joined: Thu Mar 03, 2016 3:18 pm

Re: Serve resources only to VPN clients.

Post by sierracircle » Thu Mar 03, 2016 9:49 pm

..Just a thought, but I believe you can achieve this with a few lines in your .htaccess file:


Order Deny,Allow
Deny from all
# or whatever your subnet is
Allow from 192.168.1.1/24
