openvpn client preventing http server from serving web pages to WAN


At first I thought this was misconfigured iptables, but it is not. Note that this is not an issue with LAN web requests, only WAN.

I temporarily deactivated all iptables chains except logging of all inbound and outbound traffic. iptables logs that incoming requests are coming in, but no responses go out. I’ve tried my desired port 80 but also a handful of higher ports as well.

Once I shut down the OpenVPN client, the web server listening on port 80 (nginx) is able to serve web pages to all IPs external to my LAN.

I can’t find any logs on the machine that give a clear answer. The nginx logs, or rather the lack of them, indicate that no communication reaches it.

The impression that I am left with is that OpenVPN prevents all WAN IPs from getting to any given port. Is there a way to prevent this behavior? At least on port 80?

Routing table prior to openvpn running:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Routing table while openvpn running:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.57     0.0.0.0         UG    0      0        0 tun0
10.10.10.1      10.10.10.57     255.255.255.255 UGH   0      0        0 tun0
10.10.10.57     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
63.142.161.7    192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Update 2: After adding route-nopull to the OpenVPN client config file, I was able to serve web pages; however, the VPN has become useless. Almost there, but I do not know enough about routes to fix this issue.

Solution:

Your OpenVPN configuration allows the remote system to push a default gateway.

I assume that at the point in the network where NAT is done (on the ADSL modem or somewhere on the ISP's equipment) you have a mapping of a public address to your internal server.

And there is the problem. Imagine this:

Someone on the internet with public IP address A.A.A.A wants to see pages from your server, which appears to be on the public address B.B.B.B. The NAT point rewrites address B.B.B.B to the real, but not public, address of your server, say 192.168.0.2, but the source address is still the same – A.A.A.A. Your server serves this request and will send an answer – but the answer will be sent to address A.A.A.A from address 192.168.0.2 – through your default gateway!

If this scenario continues without OpenVPN, the packet goes through the default gateway 192.168.0.1 and somewhere will be rewritten to have source address B.B.B.B instead of 192.168.0.2. Everything goes well.

But if your scenario continues with OpenVPN, your server has to send the packet to A.A.A.A via the default gateway – but this is not 192.168.0.1, it is 10.10.10.57. And in this case I cannot say what will be done with this packet. Will it be rewritten to another source address, say C.C.C.C? Or will it be discarded?

Why do you want to have the default gateway on the opposite side? You only need a route which covers the addresses of the opposite side, say 10.10.10.0/24 (maybe another one; this is only an example)…

In the configuration of the OpenVPN server you have to remove the line like:

push "redirect-gateway def1 bypass-dhcp"
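To make the asymmetric-routing argument in the answer concrete, here is an added Python example (not code from the question or the answer) that runs the kernel's longest-prefix-match route lookup over the two routing tables quoted in the question. It uses the answer's 192.168.0.2 as the server's LAN address and a constructed WAN client 203.0.113.10 (the A.A.A.A of the answer). The third case, a source-based policy rule, is this editor's addition rather than something the answer proposes; it stands in for a Linux `ip rule` / `ip route ... table` setup and shows how the reply can leave via eth0 while the VPN keeps the default route.

```python
import ipaddress

# Routing tables constructed from the two `route -n` outputs quoted in the question.
# Each row: (destination/genmask, gateway or None for a directly connected route, iface).
ROUTES_WITHOUT_VPN = [
    ("0.0.0.0/0.0.0.0", "192.168.0.1", "eth0"),
    ("192.168.0.0/255.255.255.0", None, "eth0"),
]

ROUTES_WITH_VPN = [
    ("0.0.0.0/0.0.0.0", "10.10.10.57", "tun0"),           # pushed by redirect-gateway
    ("10.10.10.1/255.255.255.255", "10.10.10.57", "tun0"),
    ("10.10.10.57/255.255.255.255", None, "tun0"),
    ("63.142.161.7/255.255.255.255", "192.168.0.1", "eth0"),  # host route to the VPN server
    ("192.168.0.0/255.255.255.0", None, "eth0"),
]


def parse_table(rows):
    """Turn the textual rows into (network, gateway, iface) tuples."""
    return [(ipaddress.ip_network(dst, strict=False), gw, iface) for dst, gw, iface in rows]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does it: the most specific
    matching route wins and the /0 default route is only the fallback.
    Returns (iface, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]


def reply_path(tables, rules, src, dst):
    """Policy routing: the first rule whose source selector matches the packet's
    source address chooses the table; with no matching rule the 'main' table is used.
    (Simplified model of `ip rule add from <src> table <name>`, an assumption here.)"""
    for selector, table_name in rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(selector):
            return lookup(tables[table_name], dst)
    return lookup(tables["main"], dst)


def demo():
    """Reply path for a WAN client's request in the three situations discussed."""
    client = "203.0.113.10"      # constructed WAN client address (A.A.A.A in the answer)
    server_lan = "192.168.0.2"   # the server's private address used in the answer

    no_vpn = {"main": parse_table(ROUTES_WITHOUT_VPN)}
    with_vpn = {
        "main": parse_table(ROUTES_WITH_VPN),
        # Hypothetical extra table that keeps the LAN gateway as default.
        "lan": parse_table(ROUTES_WITHOUT_VPN),
    }
    # Hypothetical rule: replies sourced from the server's LAN address use the 'lan' table.
    policy = [("192.168.0.2/32", "lan")]

    return {
        # Request came in via eth0, reply leaves via eth0: symmetric, NAT can translate it.
        "no_vpn": reply_path(no_vpn, [], server_lan, client),
        # Request came in via eth0, reply leaves via tun0 with a private source address.
        "vpn_default_route": reply_path(with_vpn, [], server_lan, client),
        # Source-based rule sends the reply back out eth0 while the VPN keeps the default.
        "vpn_with_policy_rule": reply_path(with_vpn, policy, server_lan, client),
    }


if __name__ == "__main__":
    for case, (iface, gw) in demo().items():
        print(f"{case:22s} -> via {gw or 'direct'} dev {iface}")
```

The second case is the failure the question describes: the reply to the WAN client is routed into tun0 with source 192.168.0.2, so it never passes the NAT device that rewrote the request, and the client sees no response (iptables sees packets in but nothing out on eth0). On a real host the third case corresponds to something like `ip route add default via 192.168.0.1 dev eth0 table 100` plus `ip rule add from 192.168.0.2 table 100` (this editor's suggestion, not from the answer); that keeps the VPN default route for everything else instead of the all-or-nothing effect of route-nopull, alongside the answer's own option of dropping the pushed redirect-gateway and routing only the remote subnet.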
