[Solved] WWW, Mail Server via OpenVPN to VPS

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.
Locked
User avatar
UTAVATU
OpenVpn Newbie
Posts: 4
Joined: Tue Mar 19, 2019 2:49 pm

[Solved] WWW, Mail Server via OpenVPN to VPS

Post by UTAVATU » Tue Mar 19, 2019 3:17 pm

Dear Friends

First of all hello to everybody, I am new User here! :) Nice to meet you all!

I own WWW (Apache), Mail (Postfix, Dovecot) server on CentOS. This server is behind Router connected to ISP with service of Dynamic IP. This is a problem for Mail server, because there is no possibility to set revDNS. I also own very cheap VPS with Static IP and revDNS. This VPS is very weak, so I would like to connect my WWW, Mail server via OpenVPN. On VPS there is OpenVPN server and on the WWW, Mail server side there is OpenVPN client. I have configured and connected it without problems. I can ping outside world from WWW, Mail server, but when I try to open via browser any of my site on Apache, I have an information, that Connection was refused by server and any of my site isn't opening. Below I will present my OpenVPN server.conf and client.conf, and also Iptables rules from VPS and WWW, Mail server, maybe someone will see something is wrong or missing. I would be glad for any help and support.

I. VPS with Static IP, revDNS:

- Static IP: XXX.XXX.XXX.XXX
- Interface: eth0 with inet XXX.XXX.XXX.XXX/32
- Interface: tun0 with inet 10.8.0.1/24

- OpenVPN - server.conf:

Code: Select all

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dhparam.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
- iptables:

Code: Select all

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
II. Server WWW, Mail with Dynamic IP:

- Dynamic IP form ISP on router: YYY.YYY.YYY.YYY

- Local IP of WWW, Mail server (behind router): 192.168.50.10
- Interface: enp2s0 with inet 192.168.50.10/24
- Interface: tun0 with inet 10.8.0.2/24 (when connection is made from OpenVPN client)

- Apache listens on 80, 443.

- OpenVPN - client.conf:

Code: Select all

client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/client.crt
key /etc/openvpn/client/client.key
remote-cert-tls server
tls-auth /etc/openvpn/client/ta.key 1
cipher AES-256-CBC
verb 3
- iptables:

Code: Select all

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j DROP
COMMIT
Sincerely
Last edited by UTAVATU on Wed Mar 20, 2019 8:41 am, edited 1 time in total.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: WWW, Mail Server via OpenVPN to VPS

Post by TinCanTech » Tue Mar 19, 2019 3:27 pm

UTAVATU wrote:
Tue Mar 19, 2019 3:17 pm
I have configured and connected it without problems. I can ping outside world from WWW, Mail server, but when I try to open via browser any of my site on Apache, I have an information, that Connection was refused by server and any of my site isn't opening.
You do not show what you have tried, IP/Port etc ..

User avatar
UTAVATU
OpenVpn Newbie
Posts: 4
Joined: Tue Mar 19, 2019 2:49 pm

Re: WWW, Mail Server via OpenVPN to VPS

Post by UTAVATU » Tue Mar 19, 2019 3:45 pm

Dear TinCanTech

When connection is established between WWW, Mail server and VPS, I can send e-mail via mail command to let say gmail.com account and that e-mail is send successfuly and I receive it via my gmail.com account. But when I try to send from gmail.com account to my WWW, Mail server, that e-mail never reaches.

Here is log from terminal after connection is made:

Code: Select all

Tue Mar 19 16:33:12 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 19 16:33:12 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Tue Mar 19 16:33:12 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Mar 19 16:33:12 2019 UDP link local: (not bound)
Tue Mar 19 16:33:12 2019 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Tue Mar 19 16:33:12 2019 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Mar 19 16:33:12 2019 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=b1704d4c d3fb3726
Tue Mar 19 16:33:12 2019 VERIFY OK: depth=1, CN=Unicorn
Tue Mar 19 16:33:12 2019 VERIFY KU OK
Tue Mar 19 16:33:12 2019 Validating certificate extended key usage
Tue Mar 19 16:33:12 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Mar 19 16:33:12 2019 VERIFY EKU OK
Tue Mar 19 16:33:12 2019 VERIFY OK: depth=0, CN=server
Tue Mar 19 16:33:12 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Mar 19 16:33:12 2019 [server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Tue Mar 19 16:33:14 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Mar 19 16:33:14 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Tue Mar 19 16:33:14 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 19 16:33:14 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 19 16:33:14 2019 OPTIONS IMPORT: route options modified
Tue Mar 19 16:33:14 2019 OPTIONS IMPORT: route-related options modified
Tue Mar 19 16:33:14 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar 19 16:33:14 2019 OPTIONS IMPORT: peer-id set
Tue Mar 19 16:33:14 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Mar 19 16:33:14 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Mar 19 16:33:14 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Mar 19 16:33:14 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Mar 19 16:33:14 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Mar 19 16:33:14 2019 ROUTE_GATEWAY 192.168.50.1/255.255.255.0 IFACE=enp2s0
Tue Mar 19 16:33:14 2019 TUN/TAP device tun0 opened
Tue Mar 19 16:33:14 2019 TUN/TAP TX queue length set to 100
Tue Mar 19 16:33:14 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Mar 19 16:33:14 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Mar 19 16:33:14 2019 /sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.50.1
Tue Mar 19 16:33:14 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Tue Mar 19 16:33:14 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Tue Mar 19 16:33:14 2019 GID set to nobody
Tue Mar 19 16:33:14 2019 UID set to nobody
Tue Mar 19 16:33:14 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Mar 19 16:33:14 2019 Initialization Sequence Completed
XXX.XXX.XXX.XXX - is a Static IP public from VPS
192.168.50.1 is a router LAN IP
192.168.50.10 is WWW, Mail server IP

I can ping any IP from WWW, Mail server after connection is made.

Code: Select all

[root@mail ~]# ping openvpn.com
PING openvpn.com (104.24.96.89) 56(84) bytes of data.
64 bytes from 104.24.96.89: icmp_seq=1 ttl=55 time=35.4 ms
64 bytes from 104.24.96.89: icmp_seq=2 ttl=55 time=36.0 ms
64 bytes from 104.24.96.89: icmp_seq=3 ttl=55 time=37.5 ms
64 bytes from 104.24.96.89: icmp_seq=4 ttl=55 time=43.9 ms
64 bytes from 104.24.96.89: icmp_seq=5 ttl=55 time=34.7 ms
64 bytes from 104.24.96.89: icmp_seq=6 ttl=55 time=36.2 ms
64 bytes from 104.24.96.89: icmp_seq=7 ttl=55 time=35.4 ms
64 bytes from 104.24.96.89: icmp_seq=8 ttl=55 time=36.0 ms
64 bytes from 104.24.96.89: icmp_seq=9 ttl=55 time=36.0 ms

Code: Select all

[root@mail ~]# dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
"XXX.XXX.XXX.XXX"
I have Roundcube as Webmail on WWW, Mail server and when I try to open it from browser, it refuses to open and every other site, which I host on my WWW, Mail server.

Sincerely

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: WWW, Mail Server via OpenVPN to VPS

Post by TinCanTech » Tue Mar 19, 2019 3:54 pm

Once again, it is not clear what IPs you are trying to connect to ..

I'll just say this, you are redirecting your client default gateway .. so you probably cannot connect to it via anything other than it's VPN address 10.8.0.2

User avatar
UTAVATU
OpenVpn Newbie
Posts: 4
Joined: Tue Mar 19, 2019 2:49 pm

Re: WWW, Mail Server via OpenVPN to VPS

Post by UTAVATU » Tue Mar 19, 2019 4:10 pm

Dear TinCanTech

You mean, what is the IP of VPS, where I am trying to connect from my WWW, Mail server?

Sincerely

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8966
Joined: Fri Jun 03, 2016 1:17 pm

Re: WWW, Mail Server via OpenVPN to VPS

Post by TinCanTech » Tue Mar 19, 2019 4:49 pm

I am not interested in your VPS public IP, I am simply stating that, once you redirect your clients default gateway (See the items pushed from your server) you will not be able to connect to any service on your client's public IP address.

EG:
UTAVATU wrote:
Tue Mar 19, 2019 3:45 pm
XXX.XXX.XXX.XXX - is a Static IP public from VPS
192.168.50.1 is a router LAN IP
192.168.50.10 is WWW, Mail server IP
Only ping will work to XXX.XXX.XXX.XXX
-- I presume this is the public IP of your VPN client but could be wrong, but the rule still applies.
Nothing will work to 192.168.50.1 or 192.168.50.10

Try connecting to 10.8.0.2 instead.

Note: I am presuming that you initiate WWW connections from your VPN server to your VPN client public IP.

User avatar
UTAVATU
OpenVpn Newbie
Posts: 4
Joined: Tue Mar 19, 2019 2:49 pm

Re: WWW, Mail Server via OpenVPN to VPS

Post by UTAVATU » Tue Mar 19, 2019 7:11 pm

Dear Friends

OK. Those simple filters below do the job:

Code: Select all

-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.8.0.2:80
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.8.0.2:443
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
XXX.XXX.XXX.XXX - Static IP of VPS
10.8.0.2 - IP of WWW, Mail server over tun0 interface

Thank you for your help and support.

Sincerely

Locked