New CentOS v7x64 Server configuring static IP/Port Forwarding

[MrLimo]

I have what amounts to a Raspberry Pi running as a canned OpenVPN Client and a commercial VPN account with a Static IP.
The reason for the static IP is that I can forward public ports back to the VPN Client.

I can run the device behind my home NAT successfully with the following config. The device basically needs a port trigger it sets up a session on a specific port but the audio returns on a range of ports (Or a router that can be configured for port triggering). Thus a VPN with a public static IP that forwards all ports back to the client works as expected.
Public TCP Port 80
Public UDP Ports 2074-2093
Public TCP Ports 15425-15427
Public UDP Ports 5198-5200
Public TCP Ports 5198-5200

If I start the VPN client on the device I can reach the device from its public IP HTTP://{staic-ip}

I have set up a new CentOS v7 64 server {Not married to CentOS} via the AS 2.6.1 For CentOS 7. 64 bits RPM. And it works with Tunnelblink/OpenVPN Client as expected!

This is a redacted version of a working client config file for my Raspberry Pi OpenVPN client from my Commerical VPN Account.

View Originalclient

1

2

3

remote {SERVER-IP} 443 tcp

4

5

remote {SERVER-IP} 3690 tcp

6

7

remote {SERVER-IP} 2401 tcp

8

9

remote {SERVER-IP} 8443 tcp

10

11

key-direction 1

12

13

cipher AES-256-CBC

14

15

client

16

17

dev tun

18

19

resolv-retry infinite

20

21

nobind

22

23

persist-key

24

25

persist-tun

26

27

;http-proxy-retry

28

29

;http-proxy {SERVER-IP} 80

30

31

verb 3

32

33

reneg-sec 86400

34

35

echo vpn-ServerID account777

36

37

tun-mtu 1500

38

39

route-method exe

40

41

route-delay 2

42

43

redirect-gateway def1

44

45

comp-lzo adaptive

46

47

hand-window 30

48

49

<ca>

50

--STRIPPED INLINE CA CERT--

51

</ca>

52

53

<key>

54

--STRIPPED INLINE KEY--

55

</key>

56

57

<cert>

58

--STRIPPED INLINE CERT--

59

</cert>

60

61

<tls-auth>

62

--STRIPPED INLINE TLS-AUTH KEY--

63

</tls-auth>

64

1

remote {SERVER-IP} 443 tcp

2

remote {SERVER-IP} 3690 tcp

3

remote {SERVER-IP} 2401 tcp

4

remote {SERVER-IP} 8443 tcp

5

key-direction 1

6

cipher AES-256-CBC

7

client

8

dev tun

9

resolv-retry infinite

10

nobind

11

persist-key

12

persist-tun

13

verb 3

14

reneg-sec 86400

15

echo vpn-ServerID account777

16

tun-mtu 1500

17

route-method exe

18

route-delay 2

19

redirect-gateway def1

20

comp-lzo adaptive

21

hand-window 30

22

<ca>

23

--STRIPPED INLINE CA CERT--

24

</ca>

25

<key>

26

--STRIPPED INLINE KEY--

27

</key>

28

<cert>

29

--STRIPPED INLINE CERT--

30

</cert>

31

<tls-auth>

32

--STRIPPED INLINE TLS-AUTH KEY--

33

</tls-auth>

This is a redacted version of a non-working config file generated by my OpenVPN Server.

View Originalserver

1

# Automatically generated OpenVPN client config file

2

3

# Generated on Sat Mar 16 20:51:45 2019 by vpnhost.com

4

5

6

7

# Default Cipher

8

9

cipher AES-256-CBC

10

11

# Note: this config file contains inline private keys

12

13

# and therefore should be kept confidential!

14

15

# Note: this configuration is user-locked to the username below

16

17

# OVPN_ACCESS_SERVER_USERNAME=Account44

18

19

# Define the profile name of this particular configuration file

20

21

# OVPN_ACCESS_SERVER_PROFILE={email}/AUTOLOGIN

22

23

# OVPN_ACCESS_SERVER_AUTOLOGIN=1

24

25

# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True

26

27

# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False

28

29

# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True

30

31

# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True

32

33

# OVPN_ACCESS_SERVER_WSHOST=vpnhost.com:443

34

35

# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START

36

37

# -----BEGIN CERTIFICATE-----

38

39

# MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB

40

41

# iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl

42

43

#

44

45

# Common Name: Sectigo RSA Domain Validation Secure Server CA

46

47

# Organization: Sectigo Limited

48

49

# Locality: Salford

50

51

# State: Greater Manchester

52

53

# Country: GB

54

55

# Valid From: November 1, 2018

56

57

# Valid To: December 31, 2030

58

59

# Issuer: USERTrust RSA Certification Authority, The USERTRUST Network Write review of Sectigo

60

61

# Serial Number: 7d5b5126b476ba11db74160bbc530da7

62

63

#

64

65

# yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K

66

67

# 00u/I5sUKUErmgQfky3xxzlIPK1aEn8=

68

69

# -----END CERTIFICATE-----

70

71

# -----BEGIN CERTIFICATE-----

72

73

# MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv

74

75

# MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk

76

77

#

78

79

# Common Name: USERTrust RSA Certification Authority

80

81

# Organization: The USERTRUST Network

82

83

# Locality: Jersey City

84

85

# State: New Jersey

86

87

# Country: US

88

89

# Valid From: May 30, 2000

90

91

# Valid To: May 30, 2020

92

93

# Issuer: AddTrust External CA Root, AddTrust AB Write review of Sectigo

94

95

# Serial Number: 13ea28705bf4eced0c36630980614336

96

97

#

98

99

# Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p

100

101

# 0fKtirOMxyHNwu8=

102

103

# -----END CERTIFICATE-----

104

105

# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP

106

107

# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=0

108

109

# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN, Inc.

110

111

setenv FORWARD_COMPATIBLE 1

112

113

client

114

115

server-poll-timeout 4

116

117

nobind

118

119

remote vpnhost.com 1194 udp

120

121

remote vpnhost.com 1194 udp

122

123

remote vpnhost.com 443 tcp

124

125

remote vpnhost.com 1194 udp

126

127

remote vpnhost.com 1194 udp

128

129

remote vpnhost.com 1194 udp

130

131

remote vpnhost.com 1194 udp

132

133

remote vpnhost.com 1194 udp

134

135

dev tun

136

137

dev-type tun

138

139

ns-cert-type server

140

141

setenv opt tls-version-min 1.0 or-highest

142

143

reneg-sec 604800

144

145

sndbuf 0

146

147

rcvbuf 0

148

149

# NOTE: LZO commands are pushed by the Access Server at connect time.

150

151

# NOTE: The below line doesn't disable LZO.

152

153

comp-lzo no

154

155

verb 3

156

157

setenv PUSH_PEER_INFO

158

159

160

161

<ca>

162

--STRIPPED INLINE CA CERT--

163

</ca>

164

165

166

167

<cert>

168

--STRIPPED INLINE CERT--

169

</cert>

170

171

172

173

<key>

174

--STRIPPED INLINE KEY--

175

</key>

176

177

178

179

key-direction 1

180

181

<tls-auth>

182

--STRIPPED INLINE TLS-AUTH KEY--

183

</tls-auth>

184

185

186

187

## -----BEGIN RSA SIGNATURE-----

188

189

## DIGEST:sha256

190

191

## BFh7/UbfKB7xp9/7Qz82y8mAWQJteUGIK8HiAvB4maiEab+Hqv

192

193

## KyL6i8B2PPGdetWDbvgdoqiTSMt2Ev8hNU6CnEDMb9RoF5mm6o

194

195

## ln992qhbauHyBj0xd+8f3qdRytFjNWQRjlTG2fKKtGIfjvfc5w

196

197

## uNvn5wI7h0R5PkYiCqc2N0fSfpIgP1zJlqR6ZmqSk3cE0eymsx

198

199

## 8Kan3CD86lQdSusNPxtb5giKqqaWSpUWUnofkUmezeDxPlI3PE

200

201

## +FLukn2xjnGbh6FlHmK3XidTCs1TAD48GadXYBXNnJ4WbCmNaW

202

203

## c1aIZgBJNbonxMZt0VxyNTNudjeERKPDtdnRGdqK3A==

204

205

## -----END RSA SIGNATURE-----

206

207

## -----BEGIN CERTIFICATE-----

208

209

## MIIF9DCCBNygAwIBAgIQY7ftFB/F3TbCmmrleTpa4TANBgkqhkiG9w0BAQsFADCB

210

211

## jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G

212

213

##

214

215

## Common Name: vpnhost.com

216

217

## Subject Alternative Names: vpnhost.com, www.vpnhost.com

218

219

## Organization Unit: Domain Control Validated

220

221

## Valid From: March 16, 2019

222

223

## Valid To: March 16, 2020

224

225

## Issuer: Sectigo RSA Domain Validation Secure Server CA, Sectigo Limited Write review of Sectigo

226

227

## Serial Number: 63b7ed141fc5dd36c29a6ae5793a5ae1

228

229

##

230

231

## ij5r4oP8kmHKBRdGLOIc7R4yu6mUU4ehZa3fVt9mY0q/3Z3lWYhsudDxWIkmpy44

232

233

## J35JpAmAaeKZdzUvGl3io1l2GbPhBL5o23WOWp6xhx1qLFyDw+6WKw==

234

235

## -----END CERTIFICATE-----

236

237

## -----BEGIN CERTIFICATE-----

238

239

## MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB

240

241

## iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl

242

243

##

244

245

## Common Name: Sectigo RSA Domain Validation Secure Server CA

246

247

## Organization: Sectigo Limited

248

249

## Locality: Salford

250

251

## State: Greater Manchester

252

253

## Country: GB

254

255

## Valid From: November 1, 2018

256

257

## Valid To: December 31, 2030

258

259

## Issuer: USERTrust RSA Certification Authority, The USERTRUST Network Write review of Sectigo

260

261

## Serial Number: 7d5b5126b476ba11db74160bbc530da7

262

263

##

264

265

## yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K

266

267

## 00u/I5sUKUErmgQfky3xxzlIPK1aEn8=

268

269

## -----END CERTIFICATE-----

270

271

## -----BEGIN CERTIFICATE-----

272

273

## MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv

274

275

## MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk

276

277

##

278

279

## Common Name: USERTrust RSA Certification Authority

280

281

## Organization: The USERTRUST Network

282

283

## Locality: Jersey City

284

285

## State: New Jersey

286

287

## Country: US

288

289

## Valid From: May 30, 2000

290

291

## Valid To: May 30, 2020

292

293

## Issuer: AddTrust External CA Root, AddTrust AB Write review of Sectigo

294

295

## Serial Number: 13ea28705bf4eced0c36630980614336

296

297

##

298

299

## Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf

300

301

## Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p

302

303

## 0fKtirOMxyHNwu8=

304

305

## -----END CERTIFICATE-----

306

1

cipher AES-256-CBC

2

setenv FORWARD_COMPATIBLE 1

3

client

4

server-poll-timeout 4

5

nobind

6

remote vpnhost.com 1194 udp

7

remote vpnhost.com 1194 udp

8

remote vpnhost.com 443 tcp

9

remote vpnhost.com 1194 udp

10

remote vpnhost.com 1194 udp

11

remote vpnhost.com 1194 udp

12

remote vpnhost.com 1194 udp

13

remote vpnhost.com 1194 udp

14

dev tun

15

dev-type tun

16

ns-cert-type server

17

setenv opt tls-version-min 1.0 or-highest

18

reneg-sec 604800

19

sndbuf 0

20

rcvbuf 0

21

comp-lzo no

22

verb 3

23

setenv PUSH_PEER_INFO

24

<ca>

25

--STRIPPED INLINE CA CERT--

26

</ca>

27

<cert>

28

--STRIPPED INLINE CERT--

29

</cert>

30

<key>

31

--STRIPPED INLINE KEY--

32

</key>

33

key-direction 1

34

<tls-auth>

35

--STRIPPED INLINE TLS-AUTH KEY--

36

</tls-auth>

Being that this is basically my private VPN server is there a way to configure the server/client setup that will mimic a static IP Ie. forward all or the subset of ports necessary when a specific client signs on. I will also have another client that does not need the inward port forwarding.

And what do I need to tweek in my config/server setting/web interface setting etc. etc. to get this working on my Raspberry Pi?

Greg

[MrLimo]

Both redacted files are actually client files. Greg.

[TinCanTech]

Being that this is basically my private VPN server is there a way to configure the server/client setup that will mimic a static IP Ie. forward all or the subset of ports necessary when a specific client signs on

Openvpn does not do port forwarding, use your firewall -- iptables.

what do I need to tweek in my config/server setting/web interface setting etc. etc. to get this working on my Raspberry Pi?

There are no settings in openvpn for this but you will probably need to call a script when the client connects, use your firewall -- iptables.

[MrLimo]

Ok I can work on the IPtables as suggested, any guidance about how to call a script and where I might find a base script to play around with. But the profile created by AS 2.6.1 For CentOS 7. 64 bits RPM version is much more complex and the Pi Client will not even connect. I need a point in the right direction in order to create a lightweight .ovpn configuration that will even connect.

[TinCanTech]

the profile created by AS 2.6.1 For CentOS 7. 64 bits RPM version is much more complex and the Pi Client will not even connect

So this is an Access Server problem?

[MrLimo]

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet xxx.yyy.zzz.187/24 brd xxx.yyy.zz.255 scope global eth0
valid_lft forever preferred_lft forever

DHCP Low/21 1/2 of the /20
13: as0t0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 200
inet 172.27.224.1/21 brd 172.27.231.255 scope global as0t0
valid_lft forever preferred_lft forever

DHCP High/21 1/2 or the /20
14: as0t1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 200
inet 172.27.232.1/21 brd 172.27.239.255 scope global as0t1
valid_lft forever preferred_lft forever
Static IP Range: 172.28.0.0/19
DHCP Range: 172.27.224.0/19
Advanced VPN:
Private Routed Subnet 172.28.0.0/19

OSI Layer: 3 (routing/NAT)
Clients access private subnets using: Routing
Static IP Address Network (Optional) 172.28.0.0/19

Advanced VPN:
Private Routed Subnets (Optional) 172.28.0.0/19

[root@vpn ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway 0.0.0.0 UG 0 0 0 eth0
link-local 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
172.27.224.0 0.0.0.0 255.255.248.0 U 0 0 0 as0t0
172.27.232.0 0.0.0.0 255.255.248.0 U 0 0 0 as0t1
xxx.yyy.zzz.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
[root@vpn ~]#

So I have a working client configuration that has a static IP assigned from openvpnas. I can't seem to figure out how to route a couple of ports from the PUBLIC Server's IP to the private static IP. The static IP's seem not to show up in the routing table. The static IP client has internet access outbound.

I'm using CentOS 7 at the moment but not married to continuing if another distribution is preferable. Found some information about IPTables and/or Firewalld configurations. I think I'm fighitng something to do with processes tied to the NAT engine and it's binding to the public IP but I can't find the path from my StaticIP to publicIP.

[TinCanTech]

the profile created by AS 2.6.1 For CentOS 7. 64 bits RPM version is much more complex and the Pi Client will not even connect

So this is an Access Server problem?

viewtopic.php?f=30&t=22603

[MrLimo]

I have a working Pi Client and I believe it is fully connecting to the OpenVPN Server. I can ping and transfer data to/from the Pi Client. I did reduce the complexity of the system generated file into a simplified version. I have another VPN that has a static IP and based on that config I was able to create a working client.conf/client.ovpn.

I'm now working on trying to pass traffic directed to a small list of Ports on the public IP thru OpenVPN for delivery to the static IP of the Pi Client.

I can reach the Pi Client from OpenVPNAS & the Client can reach the server and public resources.

Server's Public IP -> Route/NAT/Forward -> Pi Client Static
Server's Public IP -> TCP Port 80 -> Pi Client Static
Server's Public IP -> UDP Ports 2074-2093 -> Pi Client Static
Server's Public IP -> TCP Ports 15425-15427 -> Pi Client Static
Server's Public IP -> UDP Ports 5198-5200 -> Pi Client Static
Server's Public IP -> TCP Ports 5198-5200 -> Pi Client Static

My connection results are as follows:
Pi Client ping it's assigned static IP
root@localhost:~# ping 172.28.28.28
PING 172.28.28.28 (172.28.28.28) 56(84) bytes of data.
64 bytes from 172.28.28.28: icmp_req=1 ttl=64 time=0.217 ms

Pi Client to my IP address reflector
root@localhost:~# curl http://ip.limo.net
<html><title>IP.Limo.Net</title><font size="18">209.182.218.187</font> "OpenVPNas Server's IP"
root@localhost:~#
-----------------------
VPN Server towards Pi Client
[root@vpn ~]# ping 172.28.28.28
PING 172.28.28.28 (172.28.28.28) 56(84) bytes of data.
64 bytes from 172.28.28.28: icmp_seq=1 ttl=64 time=270 ms
64 bytes from 172.28.28.28: icmp_seq=2 ttl=64 time=193 ms

VPN Server back to Pi Client's Static IP
root@localhost:~# curl 172.28.28.28
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
.............. Port 80 Webpage as expected ..............

I believe I have the client fully functional. But I need some guidance about routing the Public ports back towards the Pi Client.

Greg