VPN
sarvatas, 2015-06-21 15:30:48

How to make services on a VPS accessible only to VPN (SoftEther) users?

Good afternoon. Please help me solve my VPN problem. I set up a VPN (SoftEther via local bridge) on a VPS. Everything works: the external IP changes to the VPS IP. But the task is to make sure that only users who connected via the VPN have access to services on this VPS (SSH, etc.). I set up ufw for this, but I can't make it so that users who logged in via the VPN appear on the server with the VPN IP addresses that were issued to them (right now, according to the ufw logs, VPN users have the external IP address of the provider). Server: Ubuntu 14.
ifconfig:
eth0 Link encap:Ethernet HWaddr 02:00:00:0b:56:25
inet addr:149.202.136.25 Bcast:149.202.136.25 Mask:255.255.255.255
inet6 addr: fe80::ff:fe0b:7615/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:225165 errors:0 dropped:0 overruns:0 frame:0
TX packets:215388 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52659957 (52.6 MB) TX bytes:55214766 (55.2 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:906840 errors:0 dropped:0 overruns:0 frame:0
TX packets:906840 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:80771058 (80.7 MB) TX bytes:80771058 (80.7 MB)

tap_soft Link encap:Ethernet HWaddr 00:ac:fd:35:42:5b
inet addr:192.168.7.1 Bcast:192.168.7.255 Mask:255.255.255.0
inet6 addr: fe80::2ac:fdff:fe35:427b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:234186 errors:0 dropped:0 overruns:0 frame:0
TX packets:107663 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:26655604 (26.6 MB) TX bytes:21447057 (21.4 MB)
ufw status:
Status: active
To Action From
-- ------ ----
67 ALLOW Anywhere
53 ALLOW Anywhere
500 ALLOW Anywhere
4500 ALLOW Anywhere
1541/tcp ALLOW 149.202.136.25
1541/tcp ALLOW 192.168.7.0/24
67 (v6) ALLOW Anywhere (v6)
53 (v6) ALLOW Anywhere (v6)
500 (v6) ALLOW Anywhere (v6)
4500 (v6) ALLOW Anywhere (v6)
iptables -t nat -L POSTROUTING --line-numbers:
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 192.168.7.0/24 anywhere
2 MASQUERADE all -- anywhere anywhere
3 MASQUERADE all -- 192.168.7.0/24 anywhere
4 MASQUERADE all -- 192.168.7.0/24 anywhere
5 MASQUERADE all -- 192.168.7.0/24 anywhere
6 MASQUERADE all -- 192.168.7.0/24 anywhere
7 MASQUERADE all -- 192.168.7.0/24 anywhere
8 SNAT all -- 192.168.7.0/24 anywhere to:149.202.136.25
In /etc/ufw/before.rules I tried the following, but it failed:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.7.0/24 -o tap_soft -j MASQUERADE
COMMIT
Thank you in advance.
PS: the IP addresses have been changed.


1 answer(s)
Dmitry Luponos, 2015-06-21
@Bessome

Of course, I may be wrong, but MASQUERADE is designed precisely to change the source IP address. That is why you see the provider's address.
It is not entirely clear which services need to be reachable over the VPN. You can make them accessible through 127.0.0.1, or create a virtual address on which the necessary services (Apache, for example) will listen. Those who are not connected via the VPN simply cannot reach that address from the outside.
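Added example (not from either poster): a small check of the questioner's symptom against ufw log lines. It sorts attempts on the SSH port by whether they came in on tap_soft with a 192.168.7.0/24 source (through the tunnel) or on eth0 with the client's provider address (outside the tunnel, which is what the logs in the question show). The log lines and the client addresses 203.0.113.45, 198.51.100.7 and 192.168.7.55 are constructed.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the question: tunnel subnet, interfaces and the sshd port
VPN_NET = ipaddress.ip_network("192.168.7.0/24")
VPN_IF, PUBLIC_IF, SSH_PORT = "tap_soft", "eth0", 1541

# Constructed sample lines in the kernel-log format ufw uses; addresses are not real traffic
SAMPLE_LOG = """\
Jun 21 15:30:48 vps kernel: [UFW ALLOW] IN=tap_soft OUT= SRC=192.168.7.10 DST=192.168.7.1 PROTO=TCP SPT=51234 DPT=1541 SYN
Jun 21 15:31:02 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=149.202.136.25 PROTO=TCP SPT=40001 DPT=1541 SYN
Jun 21 15:31:30 vps kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.45 DST=149.202.136.25 PROTO=TCP SPT=40002 DPT=1541 SYN
Jun 21 15:32:00 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=149.202.136.25 PROTO=UDP SPT=5000 DPT=500
Jun 21 15:32:10 vps kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.7.55 DST=149.202.136.25 PROTO=TCP SPT=40003 DPT=1541 SYN
"""

ACTION_RE = re.compile(r"\[UFW (ALLOW|BLOCK|AUDIT)\]")
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")

def parse_line(line):
    """Pull action, ingress interface, addresses and port out of one ufw log line (None if not ufw)."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(line))
    return {"action": m.group(1), "in": f.get("IN", ""), "src": f.get("SRC", ""),
            "dst": f.get("DST", ""), "proto": f.get("PROTO", ""),
            "dpt": int(f["DPT"]) if f.get("DPT", "").isdigit() else None}

def classify(rec):
    """Say how an attempt on the SSH port reached the VPS; None if the record is not an SSH attempt."""
    if rec is None or rec["dpt"] != SSH_PORT:
        return None
    try:
        src = ipaddress.ip_address(rec["src"])
    except ValueError:
        return "malformed"
    if rec["in"] == VPN_IF and src in VPN_NET:
        return "via-vpn"          # tunnel interface and tunnel address: the only case to allow
    if rec["in"] == PUBLIC_IF and src in VPN_NET:
        return "spoofed-vpn-src"  # tunnel address arriving from the internet: a from-subnet rule alone cannot tell
    return "public"               # reached the public address outside the tunnel: the symptom in the question

def summarize(log_text):
    """Count SSH attempts per path; the 'public' bucket is the one the questioner wants at zero."""
    return Counter(c for c in (classify(parse_line(l)) for l in log_text.splitlines()) if c)
```

Binding sshd to 192.168.7.1 (ListenAddress in sshd_config) and allowing the port only with `ufw allow in on tap_soft from 192.168.7.0/24 to 192.168.7.1 port 1541 proto tcp` empties the 'public' bucket, which is the virtual-address approach the answer above proposes.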
