Vitaly, 2020-04-20 21:27:38
linux

Why server sees real ip instead of VPN ip?

There is server-1 with openvpn-server; server-2 with apache, mongod, etc.

The VPN client is running on my computer. I check my IP via whatismyipaddress.com or any other online service: the IP address of server-1 is shown, everything is OK.

I go to the site running on server-2 and look at the apache log. Instead of the IP address of server-1 (with openvpn), my real IP address from the provider is shown.

I repeat the test with mongodb. I connect under the VPN and look at the log: there, too, the IP address from the provider appears instead of the IP address of the openvpn server.

Why is that? And what is it even called? IP leakage? But why does only my server see the leak, while whatismyipaddress.com, for example, does not?
Actually, what I need is to set up rules in iptables so that access to mongo and postgresql is allowed only through the VPN.

server.conf

port 1194

proto udp
dev tun
ca ca.crt
cert rdv-strasbourg.crt
key rdv-strasbourg.key  # This file should be kept secret

dh dh.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

client-to-client

keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log

verb 3
explicit-exit-notify 1


iptables rules regarding openvpn:
*nat
# :PREROUTING ACCEPT [0:0]
# :INPUT ACCEPT [0:0]
# :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A OUTPUT -o tun+ -j ACCEPT
COMMIT


*filter
# Built-in chain policies in iptables-restore syntax ("--policy ..." lines are
# not valid inside a rules file and make iptables-restore fail)
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A OUTPUT -j ACCEPT

# Openvpn
-A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT


2 answer(s)
nApoBo3, 2020-04-20
@nApoBo3

By itself, a VPN hides nothing. What hides your address is either NAT or a proxy. Besides, your external address cannot be reached through the VPN at all, because for traffic inside the tunnel the source address is the address of the tunnel interface, not the address of your Internet connection.
Most likely, the traffic to the services you need does not go through the tunnel. Look at the trace (traceroute).

Karpion, 2020-04-20
@Karpion

As I understand it, there are two computers with a VPN connection between them. I.e., they have IP addresses from their providers, and IP addresses from the VPN connection.
And one of them sends a request to the second.
In the simplest case:

  1. If the first computer accesses the VPN IP address of the second, the request goes through the VPN; source = VPN IP address of the first computer.
  2. If the first computer accesses the provider's IP address of the second, the request goes through the Internet; source = ISP IP address of the first computer. This is so because otherwise the IP packets generated by the VPN itself would not reach the second computer as expected.
Explain the phrase "I go to the site running on server-2" and I will think further.
For some services to be reachable only over the VPN, the easiest way is to block their ports (you decide which ones) on the physical interface. If something is unclear, ask.
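The two answers above both come down to route selection: the destination address picks the route, the route picks the outgoing interface and source address, and only tunnel traffic gets rewritten by server-1's MASQUERADE rule. The following added example (not code from the poster or the answerers) models the client's route table in the two states that matter here, with longest-prefix matching as the kernel does it. The addresses are constructed from the RFC 5737 documentation ranges; the "redirect-gateway def1" behaviour it models (two /1 routes via the tunnel plus a host route to the VPN server via the ISP gateway) is standard OpenVPN behaviour, and the MASQUERADE step mirrors the nat rule in the question.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample addresses (RFC 5737 documentation ranges), not the poster's real ones.
CLIENT_ISP_IP = "198.51.100.23"  # address the provider assigned to the client machine
VPN_SERVER_IP = "203.0.113.10"   # server-1's public (eth0) address
SERVER2_IP = "192.0.2.80"        # server-2 (apache, mongod) public address
CLIENT_TUN_IP = "10.8.0.6"       # client's address from the "server 10.8.0.0 255.255.255.0" pool


class Route(NamedTuple):
    prefix: str  # destination network in CIDR form
    dev: str     # outgoing interface
    src: str     # source address the kernel picks when sending via this route


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    dst_ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def observed_source(routes: List[Route], dst: str) -> str:
    """Source address the host at dst will write to its access log."""
    route = lookup(routes, dst)
    if route is None:
        raise ValueError(f"no route to {dst}")
    if route.dev == "tun0":
        # Inside the tunnel the packet carries src 10.8.0.6; server-1's
        # "-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" rewrites that
        # to server-1's eth0 address before the packet reaches the destination.
        return VPN_SERVER_IP
    return route.src


# Client route table without the VPN: only the provider's default route.
ROUTES_NO_VPN = [
    Route("0.0.0.0/0", "eth0", CLIENT_ISP_IP),
]

# Client route table after "push redirect-gateway def1" took effect: OpenVPN adds
# 0.0.0.0/1 and 128.0.0.0/1 via tun0 (both more specific than the ISP default,
# so they win) plus a /32 host route to the VPN server itself via the ISP gateway,
# which is what keeps the encrypted tunnel packets out of the tunnel.
ROUTES_VPN = [
    Route("0.0.0.0/0", "eth0", CLIENT_ISP_IP),
    Route("0.0.0.0/1", "tun0", CLIENT_TUN_IP),
    Route("128.0.0.0/1", "tun0", CLIENT_TUN_IP),
    Route(VPN_SERVER_IP + "/32", "eth0", CLIENT_ISP_IP),
]


if __name__ == "__main__":
    for label, routes in (("without VPN", ROUTES_NO_VPN), ("with VPN", ROUTES_VPN)):
        for dst in (SERVER2_IP, VPN_SERVER_IP):
            route = lookup(routes, dst)
            print(f"{label:12} dst={dst:14} via {route.dev:5} "
                  f"logged source={observed_source(routes, dst)}")
```

Run as is, the script shows the two cases the question is about: with the /1 routes in place, server-2 logs server-1's address (the same thing whatismyipaddress.com reports), while a request to the VPN server's own public address always leaves via eth0 with the provider's address. Without those routes, server-2 sees the provider's address, which is exactly the symptom in the apache and mongod logs; on a real client, `ip route get <address of server-2>` tells you which of the two tables you are actually in.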
