| Linode Forum https://forum.linode.com/ |
|
| VPN and really private network https://forum.linode.com/viewtopic.php?f=19&t=8626 |
| Author: | StrikeTwo [ Wed Mar 28, 2012 8:41 am ] |
| Post subject: | VPN and really private network |
Hello, I installed and configured OpenVPN. The question is: how can I allow ONLY people in the VPN to access "delicated" services like ssh?

# ifconfig
Code: ...

But if I bind ssh to "10.8.0.1" it doesn't work. Also, is there a way for VPN users to access the applications bound on the private LAN IP given by Linode?

Thanks for the reply. |
|
| Author: | Tech10 [ Wed Mar 28, 2012 5:31 pm ] |
| Post subject: | |
Hi,

In my opinion, the best way to do this would be to use iptables rules. Add something like the following:

    iptables -I INPUT -i tun0 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j DROP

That will accept all connections from your VPN network, and will drop any connection to port 22 from the public network.

You could then put the iptables commands in a shell script and execute it using the /etc/rc.local file. That should work across most Linux distributions. Alternatively, you could save the iptables rules like so:

    iptables-save >/etc/iptables.rules

Now, run this command to restore them.

    iptables-restore </etc/iptables.rules

Also, you may want to check out the following article: http://library.linode.com/security/firewalls/iptables

There may be alternative methods, and probably more secure ones too. You could, for instance, only accept incoming connections from certain VPN IP addresses with iptables and allow those connections to access certain ports, but I assume you'd trust anyone on your VPN network.

Good luck, and feel free to respond with any questions you might have. The excellent community here is happy to help. |
|
| Author: | StrikeTwo [ Thu Mar 29, 2012 11:49 am ] |
| Post subject: | |
It doesn't work for me. I followed the guide on the Linode library, though. |
|
| Author: | Tech10 [ Thu Mar 29, 2012 12:11 pm ] |
| Post subject: | |
Could you output the contents of your iptables rules? The command is iptables -L |
|
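Added example, not part of the thread: iptables acts on the first matching rule, so the appended (-A) DROP for port 22 only takes effect if no earlier INPUT rule already accepts that port. The script below walks `iptables -S INPUT` output in order for a new TCP connection; both rulesets are constructed, and `eth0` as the public interface and the `verdict`/`check` helper names are assumptions.

```shell
#!/bin/sh
# First-match evaluation of `iptables -S INPUT` output for a NEW TCP connection.
# Simplified: understands -i, -p, --dport, --state/--ctstate and -j only;
# a rule that uses any other option is skipped rather than guessed at.
verdict() {  # usage: verdict IFACE PORT < rules
  awk -v iface="$1" -v port="$2" '
    $1 == "-P" { policy = $3; next }       # chain default policy
    $1 != "-A" || hit { next }             # stop evaluating after first match
    {
      ok = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if      ($i == "-i")      { if ($(i+1) != iface) ok = 0; i++ }
        else if ($i == "-p")      { if ($(i+1) != "tcp") ok = 0; i++ }
        else if ($i == "--dport") { if ($(i+1) != port)  ok = 0; i++ }
        else if ($i == "--state" || $i == "--ctstate") {
          if ($(i+1) !~ /NEW/) ok = 0; i++
        }
        else if ($i == "-m")      { i++ }  # module name carries no match itself
        else if ($i == "-j")      { target = $(i+1); i++ }
        else                      { ok = 0 }  # unsupported option: skip rule
      }
      if (ok && target ~ /^(ACCEPT|DROP|REJECT)$/) { result = target; hit = 1 }
    }
    END { print (hit ? result : policy) }'
}

# Constructed ruleset: an ACCEPT for port 22 already existed when the two
# commands from the post were run, so the appended DROP lands after it.
appended='-P INPUT ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

# Constructed ruleset: same chain with the earlier port-22 ACCEPT removed.
fixed='-P INPUT ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

check() { printf '%s\n' "$1" | verdict "$2" "$3"; }

echo "appended ruleset, eth0 -> 22: $(check "$appended" eth0 22)"
echo "fixed ruleset,    eth0 -> 22: $(check "$fixed" eth0 22)"
echo "fixed ruleset,    tun0 -> 22: $(check "$fixed" tun0 22)"
```

On a live system the input would come from `iptables -S INPUT`, which prints rules in evaluation order.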
| All times are UTC-04:00 |
|