Port Forwarding by SQL
Posted: Sat Jan 07, 2012 11:46 am
by neoaurel
Hi all,
(I'm French, sorry for my bad English)
I'm trying to open a port with OpenVPN, let me explain (client port forwarding).
We have an intranet with a username and password to connect to the VPN.
We want to open some ports chosen by the user:
Example:
Client 1 wants to open port 10000
Client 2 wants to open port 20000
How can we do that?
The values 10000 and 20000 are accessible in a MySQL database, but how can I pass this parameter to the VPN server when the client connects, and forward the correct port per client?
I saw a topic here but it is not exactly what we want:
topic7823.html
How can I proceed?
Something like this:
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 10.66.66.6
iptables -A FORWARD -s 10.66.66.6 -p tcp --dport 1234 -j ACCEPT
But how can I know whether client 1 is 10.66.66.6 or something else?
Re: Port Forwarding by SQL
Posted: Sat Jan 07, 2012 5:50 pm
by Mimiko
Using the common certificate name and ccd files you can assign static IPs from the VPN pool to any client.
Re: Port Forwarding by SQL
Posted: Sat Jan 07, 2012 7:32 pm
by neoaurel
Hi Mimiko,
Thanks for the response.
My config file is this one:
local 82.x.x.x
proto tcp
port 443
dev tun
mode server
tls-server
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh2048.pem
mssfix 1500
cipher AES-256-CBC
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
script-security 2
chroot /empty
What do I have to add to redirect one port? For example, I want both clients to have the same IP but two different ports open.
(I need a script because this is for thousands of people)
Client 1 and Client 2 have IP address 10.20.30.40
But Client 1 has port 10000 open for him
and Client 2 has port 20000 open for him
Is it possible, and if yes, how?
Thanks a lot
Re: Port Forwarding by SQL
Posted: Sat Jan 07, 2012 7:38 pm
by Mimiko
In the server's config you have
client-cert-not-required
How are you differentiating which is client 1 and which is client 2?
Re: Port Forwarding by SQL
Posted: Sat Jan 07, 2012 7:40 pm
by neoaurel
With this line:
Client 1 has:
username: client1
password: pass1
and Client 2 has:
username: client2
password: pass2
Re: Port Forwarding by SQL
Posted: Sat Jan 07, 2012 8:42 pm
by Mimiko
Then read this:
http://openvpn.net/index.php/open-sourc ... tml#policy
and assign each client its IP via ccd, then route the desired port to the needed IP with iptables.
Re: Port Forwarding by SQL
Posted: Sat Jan 07, 2012 9:56 pm
by neoaurel
Thanks,
But I would like to know how I can find out the IP address of the client who is connecting,
and do a script like this:
iptables -t nat -A PREROUTING -p tcp --dport 10000 -j DNAT --to-destination IP_CLIENT
iptables -A FORWARD -s IP_CLIENT -p tcp --dport 10000 -j ACCEPT
But I have to know how to retrieve:
IP_CLIENT
Re: Port Forwarding by SQL
Posted: Sun Jan 08, 2012 8:13 am
by Mimiko
Read the manual for this:
ifconfig_pool_remote_ip
The remote virtual IP address for the TUN/TAP tunnel taken from an --ifconfig-push directive if specified, or otherwise from the ifconfig pool (controlled by the --ifconfig-pool config file directive). This option is set on the server prior to execution of the --client-connect and --client-disconnect scripts.
Re: Port Forwarding by SQL
Posted: Sun Jan 08, 2012 12:28 pm
by neoaurel
So, to confirm I understand English well ^^
IP_CLIENT = ifconfig_pool_remote_ip?
So I have to add into server.conf:
client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh
And I put this in clientconnect.sh:
#!/bin/bash
PORT=10000   # ??
iptables -A FORWARD -p tcp -i eth0 -d $ifconfig_pool_remote_ip --dport $PORT -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $ifconfig_local --dport $PORT -j DNAT --to-destination $ifconfig_pool_remote_ip:$PORT
But the question is: how do I know that Client 1 is port 10000 and Client 2 is port 20000?
Re: Port Forwarding by SQL
Posted: Wed Jan 25, 2012 7:55 pm
by neoaurel
No response?
Re: Port Forwarding by SQL
Posted: Wed Jan 25, 2012 8:18 pm
by Mimiko
You have to create a simple csv file where you put the client-port correspondence, for example:
client1,10000
client2,20000
where the first column is the cname of the client and the second is the port. Then in the script files you read this file until you reach the respective client cname and use that port number in the iptables command. The common_name variable in the connect and disconnect scripts holds the cname of the client.
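Putting Mimiko's csv answer together with the client-connect/client-disconnect hooks discussed earlier in the thread, here is an added example script (not code from the thread or from OpenVPN) that looks up the port for $common_name, validates it, and adds the DNAT pair on connect and removes it on disconnect. It assumes the mapping file is /etc/openvpn/ports.csv, the public interface is eth0, and that this one script is registered for both hooks (OpenVPN's $script_type tells them apart); the awk lookup is the line to replace with a MySQL query if the ports stay in the database.

```shell
#!/bin/bash
# Added example, not code from the thread. Assumptions: the cname,port mapping
# Mimiko describes lives in /etc/openvpn/ports.csv, the public interface is
# eth0, and the same script is registered as both client-connect and
# client-disconnect (OpenVPN's $script_type tells the two apart).
set -u
PORTS_CSV="${PORTS_CSV:-/etc/openvpn/ports.csv}"
WAN_IF="${WAN_IF:-eth0}"
IPTABLES="${IPTABLES:-iptables}"   # set to "echo" for a dry run

# lookup_port CSV CNAME: prints the port for CNAME, returns 1 if none/invalid.
# With username-as-common-name the cname is user-supplied, so it is checked
# against a strict charset and matched by awk as an exact string, never used
# as a pattern; the port must be numeric and >= 1024 so a row can never
# redirect the server's own 443 (assumed policy, not the thread's).
lookup_port() {
    local csv="$1" cname="$2" port
    case "$cname" in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    port=$(awk -F, -v c="$cname" '$1 == c { sub(/\r$/, "", $2); print $2; exit }' "$csv")
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# rules -A|-D PORT VPN_IP: add or delete the DNAT and FORWARD pair for one client.
rules() {
    local action="$1" port="$2" ip="$3"
    "$IPTABLES" -t nat "$action" PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$ip:$port"
    "$IPTABLES" "$action" FORWARD -i "$WAN_IF" -p tcp -d "$ip" --dport "$port" -j ACCEPT
}

# main: OpenVPN exports common_name, ifconfig_pool_remote_ip and script_type.
# A client with no row still connects (exit 0), it just gets no forward;
# a non-zero exit from client-connect would reject the connection instead.
main() {
    local port
    port=$(lookup_port "$PORTS_CSV" "$common_name") || {
        echo "no forwarded port for $common_name" >&2; return 0; }
    case "$script_type" in
        client-connect)    rules -A "$port" "$ifconfig_pool_remote_ip" ;;
        client-disconnect) rules -D "$port" "$ifconfig_pool_remote_ip" ;;
    esac
}

if [ -n "${common_name:-}" ]; then main; fi
```

Note that with the user nobody, group nogroup and chroot /empty lines in the server.conf above, OpenVPN runs the client-connect and client-disconnect hooks unprivileged inside the chroot, so in that setup the script would have to hand the rule change to a privileged helper (a root-owned daemon or a narrowly scoped sudo rule) instead of calling iptables itself.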