Hello,
I configured an OpenVPN server and connect with a client. In my server.conf I redirect my traffic through the VPN gateway, but I still need to open firewall ports on my client, like 80/443 for HTTP/S. How is that?
As I understand it, I only need the OpenVPN port open to get my traffic through?!
I hope you can help me with that.
Best regards
Configuration Open VPN Server
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 3
- Joined: Mon Jul 11, 2022 3:16 pm
Configuration Open VPN Server
Last edited by walther_the_nerd on Mon Jul 11, 2022 4:44 pm, edited 1 time in total.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Re: Configuration Access Server
Hi Walther,
First off, your Subject mentions "Access Server", and if you mean the commercial product OpenVPN Access Server, you're asking in the wrong forum. We have subforums for the commercial products. This one is for the open source project.
Since you mention "server.conf" I will assume we are in the right place, because Access Server does not have that file.
I am not sure why you are asking about opening firewall ports on your client? That's not an openvpn question; that would be one for a place which supports your client OS.
The server needs to have the openvpn port (usually udp/1194, but can be whatever you set it to) open in the external firewall, possibly being forwarded to the server host from an external-facing router. The client connects to your.ip.add.ress:port and is given a VPN address, plus routes to be able to use it with.
Perhaps these two wiki pages will help:
https://community.openvpn.net/openvpn/w ... edwithOVPN
https://community.openvpn.net/openvpn/wiki/HOWTO
Good luck, regards, rob0

Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVpn Newbie
- Posts: 3
- Joined: Mon Jul 11, 2022 3:16 pm
Re: Configuration Open VPN Server
Yes, the problem is the routing I think, because I opened 1194 already but can't access the internet from the client when I don't open ports 80 and 443 for surfing. So for me the server.config is not doing what it should do: redirect all traffic through my OpenVPN server. I don't see a reason to open ports 80 and 443 for my client when I am tunneling through my VPN. In my opinion I need to open the ports on the server to get through?! Where is the failure?
- openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Re: Configuration Open VPN Server
Hi Walther,
walther_the_nerd wrote (Mon Jul 11, 2022 4:46 pm): Yes, the problem is the routing I think, because I opened 1194 already but can't access the internet from the client when I don't open ports 80 and 443 for surfing. So for me the server.config is not doing what it should do: redirect all traffic through my OpenVPN server. I don't see a reason to open ports 80 and 443 for my client when I am tunneling through my VPN. In my opinion I need to open the ports on the server to get through?! Where is the failure?
The server OS must be configured to do IP forwarding, and its firewall would have to be configured to do source NAT for VPN clients. This is covered in the HOWTO linked above.
The server would get a new interface typically called "tun0". You should not have firewall restrictions on that interface. Packets (inside the tunnel) from clients would come in on tun0, and if destined for the Internet, they would go out on the interface of the server's default route.
regards, rob0
-
- OpenVpn Newbie
- Posts: 3
- Joined: Mon Jul 11, 2022 3:16 pm
Re: Configuration Open VPN Server
That's alright, and works.
But there is one point for me:
As I understand it, the OpenVPN server should handle all traffic, both incoming and outgoing, so when there is an HTTPS request it should go through port 1194 and end up on the other side at the OpenVPN; after that the OpenVPN server should send the request as itself. So how can it be that I need to open the HTTPS port on the client when the traffic goes through port 1194? Shouldn't I open the port for HTTPS on the OpenVPN server for the HTTPS request? That's my understanding of how this technique works?!
- openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Re: Configuration Open VPN Server
Walther, don't confuse the tunnel's traffic with the traffic inside the tunnel. Think of the udp/1194 as a transport layer. The server has to receive the client's openvpn packet on udp/1194, but then openvpn creates a virtual interface with the tunneled packets.
These tunneled packets have a different source and destination IP address, and can be any port or protocol. To your server or client OS the virtual interface just looks like another NIC.
I looked for a good diagram of the process, but I didn't find one. But maybe it will help you to think of openvpn as a transport layer for the tun interface driver.
regards, rob0
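
The distinction rob0 draws in the replies above (the tunnel's own udp/1194 traffic versus the packets carried inside it, then forwarding and source NAT on the server) can be modelled as follows. This is an added example, not part of the thread and not OpenVPN code. All addresses and the source ports are constructed, and the tunnel is simplified to plain IP-in-UDP with no encryption or OpenVPN framing.

```python
import socket
import struct

# Constructed sample addresses (documentation ranges); 10.8.0.6 is an assumed VPN address.
CLIENT_WAN, SERVER_WAN = "198.51.100.7", "203.0.113.10"
CLIENT_VPN, WEB_SERVER = "10.8.0.6", "192.0.2.80"

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by the payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp_syn(sport, dport):
    """Bare 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def udp(sport, dport, payload):
    """8-byte UDP header (checksum left at 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def seen_by_filter(packet):
    """The fields a packet filter on an interface matches on."""
    ihl = (packet[0] & 0x0F) * 4
    _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return ({6: "tcp", 17: "udp"}[packet[9]], socket.inet_ntoa(packet[12:16]),
            socket.inet_ntoa(packet[16:20]), dport)

def decapsulate(outer):
    """Strip outer IPv4 + UDP headers. Simplification: real OpenVPN also
    decrypts and removes its own framing before writing to tun0."""
    return outer[(outer[0] & 0x0F) * 4 + 8:]

def source_nat(packet, new_src):
    """Rewrite the source address, as the server's firewall does for VPN clients."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]

def trace_https_request():
    inner = ipv4(CLIENT_VPN, WEB_SERVER, 6, tcp_syn(50000, 443))       # written to client tun0
    outer = ipv4(CLIENT_WAN, SERVER_WAN, 17, udp(40000, 1194, inner))  # leaves client NIC
    on_server_tun = decapsulate(outer)                                 # arrives on server tun0
    forwarded = source_nat(on_server_tun, SERVER_WAN)                  # leaves server NIC
    return {"client tun0": seen_by_filter(inner),
            "client NIC": seen_by_filter(outer),
            "server tun0": seen_by_filter(on_server_tun),
            "server NIC": seen_by_filter(forwarded)}

if __name__ == "__main__":
    for interface, fields in trace_https_request().items():
        print(f"{interface:12} {fields}")
```

A filter rule scoped to the physical NIC only ever matches the udp/1194 packet, while a rule that also applies to the tun interface matches the tcp/443 packet.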