How to limit admin panel to private ip?

cinnaroll
OpenVpn Newbie
Posts: 3
Joined: Thu May 19, 2016 11:14 pm

How to limit admin panel to private ip?

Post by cinnaroll » Thu May 19, 2016 11:14 pm

I've installed an OpenVPN Access Server on an Amazon EC2 instance. Everything seems to work fine, but if possible I want to restrict access to the admin panel to the private IP that is connected to the assigned Elastic IP. A tutorial I've watched suggests doing this by unchecking the Service Forwarding options under Server Network Settings. However, that doesn't seem to do anything; the panel is still accessible via the public IP. Is there a way to fix this?

novaflash
OpenVPN Expert
Posts: 436
Joined: Fri Apr 13, 2012 8:43 pm

Re: How to limit admin panel to private ip?

Post by novaflash » Fri May 20, 2016 7:16 am

On Amazon EC2, your instance only has a private IP. Amazon's systems redirect all incoming traffic on the public IP address to that private IP address.

So, restricting access to that private IP address is just not going to work when you have an Elastic IP tied to it. Unless you are able to add a second private IP address to your instance that isn't tied to an Elastic IP.

cinnaroll
OpenVpn Newbie
Posts: 3
Joined: Thu May 19, 2016 11:14 pm

Re: How to limit admin panel to private ip?

Post by cinnaroll » Fri May 20, 2016 11:10 am

I see. I'm a total beginner when it comes to OpenVPN. Would you consider leaving the admin panel on the public IP a security risk?

novaflash
OpenVPN Expert
Posts: 436
Joined: Fri Apr 13, 2012 8:43 pm

Re: How to limit admin panel to private ip?

Post by novaflash » Fri May 20, 2016 11:55 am

Only if you use very bad passwords. It has an automatic lockout system in place to prevent bruteforcing.

If you like, though, you can set the Admin UI to a different TCP port. That leaves the Client UI still working and the Connect Client will work properly then, but separate the Admin section to another port. If you set it for example to port 1234 then you have to access it like so: https://yourserver.address.com:1234/ (drop the admin part of the URL - that only happens when both Client UI and Admin UI are running on the same port). Be sure to disable service forwarding for the Admin UI.

Then, using security groups in Amazon's management panel, you can allow only certain IP addresses and ranges access to the Admin UI on port TCP 1234.

cinnaroll
OpenVpn Newbie
Posts: 3
Joined: Thu May 19, 2016 11:14 pm

Re: How to limit admin panel to private ip?

Post by cinnaroll » Sat May 21, 2016 9:58 am

Good idea! Thanks for the advice.

novaflash
OpenVPN Expert
Posts: 436
Joined: Fri Apr 13, 2012 8:43 pm

Re: How to limit admin panel to private ip?

Post by novaflash » Sat May 21, 2016 11:11 am

It's only one of a multitude of possibilities. You can also add a dummy adapter to your system and assign a unique private IP to it and have the Admin UI listen there, and give access to certain VPN users to that IP. Then it won't be accessible from anywhere but through a VPN connection.

saliency
OpenVpn Newbie
Posts: 1
Joined: Tue Nov 01, 2016 5:35 pm

Re: How to limit admin panel to private ip?

Post by saliency » Tue Nov 01, 2016 5:35 pm

novaflash wrote: If you like, though, you can set the Admin UI to a different TCP port. That leaves the Client UI still working and the Connect Client will work properly then, but separate the Admin section to another port. If you set it for example to port 1234 then you have to access it like so: https://yourserver.address.com:1234/ (drop the admin part of the URL - that only happens when both Client UI and Admin UI are running on the same port). Be sure to disable service forwarding for the Admin UI.

What are the exact steps to do this?

tcaetano
OpenVpn Newbie
Posts: 5
Joined: Tue Mar 28, 2017 1:32 pm

Re: How to limit admin panel to private ip?

Post by tcaetano » Tue Apr 04, 2017 8:03 pm

What I did to solve this was to block port 943 (used for admin) from outside traffic, so that just the LAN could access it. Just use the security group to do that and you should be fine.
