Advanced Search
Hosting, Domains»,Server Administration
6-03-2024, 06:01

Hide a VDS web server behind a VPN

Hide a VDS web server behind a VPN

Hide a VDS web server behind a VPN


There is a VDS server with CentOS 7, iptables, apache, ssh. There is a purchased VPN account with a dedicated ip. It is necessary that the VDS is automatically connected to the VPN. Apache should only work via VPN. SSH should only work over a real IP.

I installed OpenVPN on VDS; I filled in the config, certificates and the key from the VPN provider in /etc/openvpn. After connecting the VDS to the VPN, the server stops pinging, the web page does not open either on the real IP or on the dedicated VPN. I turned off Iptables, it didn't help.

Can you tell me what to do? I didn't find any articles on the Internet, maybe I didn't search correctly, but all the articles on the topic "how to raise your VPN server".


You send ssh communication to the interface with the "real" IP and wrap all the rest of the traffic into your VPN (you register the default route on the openvpn interface). At the second end, you write a rule for the 80th port and forward it to the vds connected to the VPN.

Still, the problem was with port forwarding on the VPN server side. Now the VDS connects to the VPN, the site opens. It remains to make ssh work directly.

The hoster recommended deleting the default route in the ovpn config, but then it is not clear how to forward the route for the WEB server via ovpn?

OpenVPN Config

client
remote 77.77.77.202 443
proto tcp
dhcp-option DNS 8.8.8.8
redirect-gateway def1
ca in_ca.crt
cert in_123.crt
key in_123.key
ns-cert-type server
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 4
mute 20

iptables configuration script

#!/bin/bash
#
# Declaring variables
export IPT="iptables"

# The interface that looks at the Internet
export WAN=eth0
export WAN_IP=40.30.20.198

# VPN connection interface
export VPN=tap0
export VPN_IP=10.10.10.200

# Clearing all iptables chains
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Set default policies for traffic that does not comply with any of the rules
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# allowing local traffic for loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# We allow outgoing connections from the server itself
$IPT -A OUTPUT -o $WAN -j ACCEPT
$IPT -A OUTPUT -o $VPN -j ACCEPT

# The ESTABLISHED status indicates that this is not the first packet in the connection.
# Skip all already initiated connections, as well as their children
$IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
# Skip new, as well as already initiated and their child connections
$IPT -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding for already initiated and their child connections
$IPT -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enabling packet fragmentation. It is necessary because of the different MTU values
$IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Discard all packets that cannot be identified
# and therefore cannot have a certain status.
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP

# Leads to the linking of system resources, so that the real
# data exchange becomes impossible, we cut it off
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# Opening the SSH port
$IPT -A INPUT -i $WAN -p tcp --dport 2082 -j ACCEPT
$IPT -A INPUT -i $VPN -p tcp --dport 2082 -j ACCEPT

# Opening the port for DNS
$IPT -A INPUT -i $WAN -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i $VPN -p udp --dport 53 -j ACCEPT


# Opening the port for NTP
$IPT -A INPUT -i $WAN -p udp --dport 123 -j ACCEPT
$IPT -A INPUT -i $VPN -p udp --dport 123 -j ACCEPT


# We allow you to respond to PING
$IPT -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 8/0 -j ACCEPT
# VPN pings do not pass in any case

# Opening a port for the WEB
$IPT -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $VPN -p tcp --dport 80 -j ACCEPT

# Opening the FTP port
# $IPT -A INPUT -i $WAN -p tcp --dport 21 -j ACCEPT
# $IPT -A INPUT -i $VPN -p tcp --dport 21 -j ACCEPT

# Logging
# Everything that is not allowed, but breaks, will be sent to the undef chain

# $IPT -N undef_in
# $IPT -N undef_out
# $IPT -N undef_fw
# $IPT -A INPUT -j undef_in
# $IPT -A OUTPUT -j undef_out
# $IPT -A FORWARD -j undef_fw

# Log everything from undef

# $IPT -A undef_in -j LOG --log-level info --log-prefix "-- IN -- DROP "
# $IPT -A undef_in -j DROP
# $IPT -A undef_out -j LOG --log-level info --log-prefix "-- OUT -- DROP "
# $IPT -A undef_out -j DROP
# $IPT -A undef_fw -j LOG --log-level info --log-prefix "-- FW -- DROP "
# $IPT -A undef_fw -j DROP

# Writing down the rules
/sbin/iptables-save > /etc/sysconfig/iptables

Routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.1      128.0.0.0       UG    0      0        0 tap0
0.0.0.0         40.30.20.193    0.0.0.0         UG    0      0        0 eth0
10.96.0.0       0.0.0.0         255.224.0.0     U     0      0        0 tap0
40.30.20.193    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
77.77.77.202    40.30.20.193    255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.10.10.1      128.0.0.0       UG    0      0        0 tap0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0

ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 40.30.20.198  netmask 255.255.255.255  broadcast 40.30.20.255
        inet6 fe80::5054:ff:fe0c:3f41  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:0c:3f:41  txqueuelen 1000  (Ethernet)
        RX packets 4046  bytes 893834 (872.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1974  bytes 175476 (171.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.200  netmask 255.224.0.0  broadcast 10.127.255.255
        inet6 fe80::40a7:62ff:fe2c:81be  prefixlen 64  scopeid 0x20<link>
        ether 42:a7:62:2c:81:be  txqueuelen 100  (Ethernet)
        RX packets 2972  bytes 489800 (478.3 KiB)
        RX errors 0  dropped 18  overruns 0  frame 0
        TX packets 103  bytes 25054 (24.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

⚠ Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.
+1
1
Previous Next

1 comments
  1. WebDill
    WebDill
    22 March 2024 07:27
    0