Hi All,
I have 2 Ubuntu servers:
A) ubuntu 14.04 with openvpn 2.3.2
B) ubuntu 16.04 with openvpn 2.3.10
Both use port 443 for OpenVPN and share that port with apache at port 10443.
So both servers use the OpenVPN config "port-share 10443" parameter.
It works perfectly on both servers.
But Server A logs any https access in the apache access log with the correct IP of the accessing client.
Server B always logs 127.0.0.1.
Server B logs an HTTP access correctly with the client IP if I access Server B directly on port 10443 (https:domain.com:10443).
Server B also does it WITH 127.0.0.1 if I use the openvpn conf file from Server A.
In my opinion, OpenVPN 2.3.10 does something differently from 2.3.2.
Is there a way that openvpn version 2.3.10 does it like version 2.3.2 ??
Or is there another way to get the correct client IP ?
I need this to ban clients with fail2ban .. to secure owncloud and other logins.
Regards and thanks for help.
Koni
port sharing -> apache log source IP
- OpenVpn Newbie
- Posts: 9
- Joined: Tue Oct 11, 2016 9:25 am

- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: port sharing -> apache log source IP
Dated: 31-May-2013
Koni wrote:
> i have 2 Ubuntu Servers:
> A) ubuntu 14.04 with openvpn 2.3.2
Please keep OpenVPN up to date.
See --port-share in The Manual v23x .. Read it carefully.
Koni wrote:
> Is there a way, that openvpn Version 2.3.10 does it like Version 2.3.2 ??
Likewise 2.3.10 ..
- OpenVpn Newbie
- Posts: 9
- Joined: Tue Oct 11, 2016 9:25 am
Re: port sharing -> apache log source IP
Yes, I read that; I think it does not help me ..
I see no way to combine these temporary files, read them out, and share the information with the correct line (with connection info) in the apache logfile.
Does anyone see a way to implement OpenVPN sharing a port in a way that fail2ban stays usable to secure the server ??
--port-share host port [dir]
When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh.
dir specifies an optional directory where a temporary file with name N containing content C will be dynamically generated for each proxy connection, where N is the source IP:port of the client connection and C is the source IP:port of the connection to the proxy receiver. This directory can be used as a dictionary by the proxy receiver to determine the origin of the connection. Each generated file will be automatically deleted when the proxied connection is torn down.
Not implemented on Windows.
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: port sharing -> apache log source IP
Koni wrote:
> dir specifies an optional directory where a temporary file with name N containing content C will be dynamically generated for each proxy connection, where N is the source IP:port of the client connection and C is the source IP:port of the connection to the proxy receiver. This directory can be used as a dictionary by the proxy receiver to determine the origin of the connection
Which is what you want to know .. the source IP of the client
- OpenVpn Newbie
- Posts: 9
- Joined: Tue Oct 11, 2016 9:25 am
Re: port sharing -> apache log source IP
hm ..
I need the IP of the client in combination with the error the attacked service delivers.
You know fail2ban ? It reads log files with regular expressions; you can configure the levels and numbers of attacks for an IP in a time period.
If that level is reached, it bans the IP in the server's firewall.
So no chance to do a brute force attack or anything that needs more tries.
For example: if an IP enters a wrong password 3 times in owncloud, the IP is banned for 24h.
FAIL2BAN reads lines of files.
I need the source IP of the intruder in the same line as the error from the attacked program.
The owncloud log, for example:
{"remoteAddr":"127.0.0.1","app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1')","level":2,"time":"2016-10-10T11:46:57+00:00","method":"POST","url":"\/oc9\/index.
I can check the lines of the log files with regular expressions to find the error and the IP.
Then fail2ban bans that IP.
But OPENVPN in newer versions always writes the IP of localhost 127.0.0.1.
Older versions write the IP of the intruder client.
So no chance to secure any service of the server with fail2ban if port sharing is used.
regards
K.
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: port sharing -> apache log source IP
This is all I can offer:
Can you share your fail2ban log or some evidence showing the difference ?
I would be curious to see the difference you claim between openvpn versions.
>>> according to this forum post:
>>> viewtopic.php?f=4&t=22599#p64917
>>>
>>> OpenVPN --port-share cannot be used by fail2ban because
>>> the source port seen by fail2ban is always 127.0.0.1
>>>
>>> I do use fail2ban so I know it is highly customisable but
>>> I do not know if or how it could use the --port-share [dir]
>>> option from openvpn to apply the real source IP from the
>>> file created by openvpn.
>>>
>>> I am not expecting to be provided an actual config that
>>> does this but simply to know if it is possible ?
>>>
>>> If anybody can shed a little light it would be appreciated.
>>>
>> what I suspect that you/the user wants to do is to use fail2ban to
>> filter out unwanted HTTPS connections on a connection/port shared with
>> OpenVPN.
>> The way port-sharing works is that openvpn listens on port 443,
>> determines whether it's an OpenVPN packet or not, and if it is not, then
>> forwards the packet/connection to some-ip:some-port. However, OpenVPN
>> does not set any proxy headers when forwarding the connection, as it
>> cannot 'interfere' with the SSL connection. The result is that the
>> server will always see as the source address the IP address of the
>> OpenVPN server, and not of the actual client. This makes it impossible
>> to use fail2ban to filter out unwanted HTTPS/SSL connections.
>> I cannot think of a way around this, nor of a way to patch OpenVPN to
>> allow this to work - other port-sharing software such as sslh suffers
>> from the same limitation.
>>
>
> Thanks for your reply JJK and what you say makes obvious sense.
>
> I do wonder however, the OPs original comment that Quote:
>
> ---
> A) ubuntu 14.04 with openvpn 2.3.2
> B) ubuntu 16.04 with openvpn 2.3.10
>
> Both use port 443 for OpenVPN and share that port with apache at port 10443.
> So both servers use the OpenVPN config "port-share 10443" parameter.
> It works perfectly on both servers.
>
> But Server A logs any https access in the apache access log with the correct IP of the accessing client.
> Server B always logs 127.0.0.1.
> ---
>
> That reads to me as:
> ovpn-2.3.2 forwards the packet with the source IP of the client !
>
> That is why I was more than usually curious ..
> Is it likely that ovpn-2.3.2 did port-sharing incorrectly ?
>
> (I understand 2.3.2 is a long time ago but possibly a Dev remembers
> something useful here)
>
I've just downloaded and built 2.3.2 and see no difference between 2.3.2 and 2.3.10 - the remote address logged by the HTTPS server is the address of the OpenVPN server (acting as proxy), not that of the actual client. Also, AFAIK the port-sharing code has not been touched in a long time (I've used it in v2.1+) so my bet is that this behaviour has not changed.
It could be that Debian/Ubuntu added a patch to OpenVPN 2.3.2 but I doubt it.
HTH,
JJK
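The manual excerpt quoted earlier in the thread says the --port-share [dir] directory holds one file per proxied connection, named after the client's source IP:port and containing the proxy-side source IP:port that the HTTPS server sees. The quoted mail asks whether fail2ban could use that to recover the real source address. Below is an added example of how such a lookup can be done; it is not code from the thread, from fail2ban or from the OpenVPN project. Assumptions, all labelled in the code: the file name is literally "ip:port" and the content literally "ip:port"; the access log begins with the peer's "ip:port" (Apache can emit that with a LogFormat starting "%a:%{remote}p"); a 401 on a login URL is what a failregex would count; all sample data is constructed.

```python
"""Map an OpenVPN --port-share proxied connection back to the real client.

Added example for this thread; not code from the forum posts, fail2ban or
the OpenVPN project. Assumptions: files in the --port-share [dir] directory
are named "<client-ip>:<client-port>" and contain "<proxy-src-ip>:<proxy-src-port>",
as the manual text quoted above describes; the access log starts with the
peer "ip:port" (e.g. Apache LogFormat "%a:%{remote}p ..."); a 401 on the
login endpoint counts as a failed login, the way a fail2ban failregex would.
"""
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List, Optional


def resolve_client(share_dir: str, proxy_src: str) -> Optional[str]:
    """Return 'ip:port' of the real client whose proxied connection reached
    the receiver from proxy_src (e.g. '127.0.0.1:51234'), or None.

    OpenVPN names the file after the client and stores the proxy-side
    source inside it, so the lookup is a scan over file contents. The file
    is removed when the connection is torn down, so a late lookup can miss.
    """
    try:
        names = os.listdir(share_dir)
    except FileNotFoundError:
        return None
    for name in names:
        try:
            with open(os.path.join(share_dir, name)) as fh:
                content = fh.read().strip()
        except OSError:
            continue  # connection torn down between listdir() and open()
        if content == proxy_src:
            return name
    return None


# peer "ip:port" at the start of the line; IPv4 only in this example
_PEER_RE = re.compile(r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\b")
# fail2ban-style failregex (assumed pattern): a 401 on a login URL
_FAIL_RE = re.compile(r'^(?P<host>\S+?):\d+ .* "POST /\S*login\S* HTTP/1\.[01]" 401 ')


def rewrite_log_line(line: str, share_dir: str) -> str:
    """Swap a loopback peer at the start of an access-log line for the real
    client's ip:port when the port-share directory still knows it.
    Direct (non-proxied) connections are returned unchanged."""
    m = _PEER_RE.match(line)
    if not m or m.group("addr") != "127.0.0.1":
        return line
    real = resolve_client(share_dir, f"{m.group('addr')}:{m.group('port')}")
    return line if real is None else real + line[m.end():]


def count_login_failures(lines: List[str]) -> Dict[str, int]:
    """Count failed logins per source address, as a fail2ban filter does
    before comparing the count against maxretry."""
    hits: Counter = Counter()
    for line in lines:
        m = _FAIL_RE.match(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def make_demo_dir() -> str:
    """Constructed port-share directory with one live proxied connection:
    client 203.0.113.7:50412 reached the HTTPS server from 127.0.0.1:51234."""
    d = tempfile.mkdtemp(prefix="portshare-")
    with open(os.path.join(d, "203.0.113.7:50412"), "w") as fh:
        fh.write("127.0.0.1:51234\n")
    return d


# constructed access-log lines in the assumed "%a:%{remote}p ..." format;
# the third line's connection has already been torn down (no mapping file)
DEMO_LINES = [
    '127.0.0.1:51234 - - [10/Oct/2016:11:46:57 +0000] "POST /oc9/index.php/login HTTP/1.1" 401 0',
    '127.0.0.1:51234 - - [10/Oct/2016:11:46:59 +0000] "POST /oc9/index.php/login HTTP/1.1" 401 0',
    '127.0.0.1:60000 - - [10/Oct/2016:11:47:02 +0000] "POST /oc9/index.php/login HTTP/1.1" 401 0',
    '198.51.100.9:44000 - - [10/Oct/2016:11:47:05 +0000] "GET /oc9/ HTTP/1.1" 200 12',
]


def demo() -> Dict[str, int]:
    """Resolve the constructed lines and count failures per real client."""
    share_dir = make_demo_dir()
    resolved = [rewrite_log_line(l, share_dir) for l in DEMO_LINES]
    return count_login_failures(resolved)


if __name__ == "__main__":
    print(demo())  # {'203.0.113.7': 2, '127.0.0.1': 1}
```

The third constructed line shows the caveat JJK's mail and the manual both imply: once the proxied connection is gone, its mapping file is gone too, so the failure is still attributed to 127.0.0.1. A rewrite of this kind therefore has to run while the connection is alive (for example from the receiver itself at request time), not later over a finished log file, and anything it cannot resolve must not be turned into a ban on the loopback address.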