Max Payne, 2017-12-05 23:59:43
linux

Why won't OpenVPN start?

I set up a server (on a KVM VPS) and an OpenVPN client according to this manual. Then I connected the client to the server, and in the server log I saw the following line:

primary virtual IP for client/server_ip:18766: 10.8.0.6

I need all requests coming to
http://server_ip # port 80
https://server_ip # port 443

to be forwarded to the client machine. I configured iptables (which for some reason was not installed on the VPS) as follows:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.8.0.6:80
iptables -t nat -A PREROUTING -p udp --dport 80 -j DNAT --to-destination 10.8.0.6:80
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.8.0.6:443
iptables -t nat -A PREROUTING -p udp --dport 443 -j DNAT --to-destination 10.8.0.6:443
iptables -t nat -A POSTROUTING -j MASQUERADE

But for some reason it doesn't work.
netstat -tuwpan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      544/sshd
tcp        0    276 server_ip:22            37.45.244.85:48312      ESTABLISHED 771/1
tcp        0      0 server_ip:22            37.45.211.79:31138      ESTABLISHED 572/0
tcp6       0      0 :::22                   :::*                    LISTEN      544/sshd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           333/openvpn


2 answer(s)
Max Payne, 2017-12-29
@YardalGedal

I found a solution for myself by not using iptables at all. All manipulations were performed on VPS 1.
First I cleared iptables so that outdated rules would not affect future work in any way. Redirecting to a local server without a static IP:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
        worker_connections 768;
        multi_accept on;
}
http {
        sendfile on;
        keepalive_timeout 15;
        proxy_buffers 8 64k;
        proxy_intercept_errors on;
        proxy_connect_timeout 1s;
        proxy_read_timeout 3s;
        proxy_send_timeout 3s;
        server {
            listen 80;
            server_name a.ru b.ru;
            access_log /var/log/nginx/1.access_log;
            error_log /var/log/nginx/1.error_log warn;
            charset utf-8;
            ssi on;
            ssi_value_length 1024;
            location / {
                proxy_pass http://10.8.0.6:9000;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_intercept_errors off;
                proxy_read_timeout 5s;
                proxy_send_timeout 3s;
                gzip on;
                gzip_min_length 1024;
                gzip_proxied expired no-cache no-store private auth;
                gzip_types text/plain application/xml;
            }
        }
}

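The same reverse-proxy approach as in the answer above, written out as an added example (this is not the answerer's config): the VPS terminates TLS for the 443 side, redirects plain HTTP to HTTPS, and passes the forwarding headers a backend behind the tunnel usually needs. The certificate paths, the hostnames a.ru/b.ru, the backend port 9000 and the VPS tunnel address 10.8.0.1 are assumptions.

```nginx
# Added example; assumes the VPS holds a certificate for a.ru/b.ru (placeholder paths)
# and the OpenVPN client behind the tunnel listens on 10.8.0.6:9000.
upstream tunnel_backend {
    server 10.8.0.6:9000;
}

server {
    listen 80;
    server_name a.ru b.ru;
    # Everything that arrives on port 80 is sent to the HTTPS site.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name a.ru b.ru;

    ssl_certificate     /etc/letsencrypt/live/a.ru/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/a.ru/privkey.pem;    # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    access_log /var/log/nginx/a.access_log;
    error_log  /var/log/nginx/a.error_log warn;

    location / {
        proxy_pass http://tunnel_backend;
        proxy_http_version 1.1;

        # Without Host the backend would see the upstream name "tunnel_backend".
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Use the VPS's own tunnel address towards the backend (assumed 10.8.0.1),
        # so the client can firewall port 9000 down to that single peer.
        proxy_bind 10.8.0.1;

        # The tunnel can be down: fail fast rather than tying up a worker.
        proxy_connect_timeout 1s;
        proxy_read_timeout 5s;
        proxy_send_timeout 3s;
    }
}
```

Compared with the DNAT approach in the question, the backend here sees 10.8.0.1 as the TCP peer and gets the real visitor address only through X-Real-IP / X-Forwarded-For, so the application on 10.8.0.6 must be configured to trust those headers from that one address and nothing else. Reload with `nginx -t && nginx -s reload` after placing the file under /etc/nginx/conf.d/ (or the sites-enabled directory, depending on the distribution).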
Maxim Grishin, 2017-12-06
@vesper-bot

Packets going into the VPN are not getting through. Add, at the beginning of POSTROUTING, a rule to ACCEPT the packets that should go into the VPN.
Besides, where is the filtering by destination IP in the SNAT rules? Otherwise all HTTP/S traffic, along with transit traffic (possibly excluding OpenVPN, but not really), will be sent to 10.8.0.6.
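For the iptables route the question asked about, and the missing destination filtering this answer points out, here is an added example (not the poster's rules and not the answerer's) that generates a complete ruleset in iptables-restore format. It assumes the public interface is eth0, the tunnel interface is tun0, the OpenVPN client is 10.8.0.6, and the VPS public IP is passed as an argument (203.0.113.10 in the usage below is a documentation address standing in for the real one).

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a DNAT port-forwarding
# ruleset for the VPS and prints it in iptables-restore format.
# Assumed names: public interface eth0, tunnel interface tun0, client 10.8.0.6.
#
# Things the rules in the question leave out, all of which break forwarding:
#  * net.ipv4.ip_forward is never enabled, so the kernel does not route at all;
#  * nothing in the FORWARD chain accepts the DNATed flows;
#  * the DNAT has no -i/-d match and the MASQUERADE no -o/-d match, so every
#    port-80/443 flow crossing the box, and every forwarded packet, is rewritten.

gen_vpn_forward_rules() {
    wan_if=$1 wan_ip=$2 tun_if=$3 client_ip=$4
    shift 4
    ports=${*:-"80 443"}   # TCP ports to forward; default 80 and 443

    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # DNAT only TCP that arrived on the public interface for the public address;
    # transit traffic and the VPS's own services are untouched.
    for p in $ports; do
        printf '%s\n' "-A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport $p -j DNAT --to-destination $client_ip:$p"
    done
    # SNAT only what leaves through the tunnel towards the client, so the client
    # replies via the tunnel even though its default route is not the VPN.
    printf '%s\n' "-A POSTROUTING -o $tun_if -d $client_ip -j MASQUERADE"
    echo 'COMMIT'

    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # DNAT alone is not enough: the FORWARD chain must admit the flows.
    # New connections only towards the forwarded ports; replies by conntrack state.
    for p in $ports; do
        printf '%s\n' "-A FORWARD -i $wan_if -o $tun_if -d $client_ip -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo 'COMMIT'
}

# Enable routing and load the ruleset. iptables-restore replaces the nat and
# filter tables wholesale, so add any other forwarding you rely on (for example
# VPN clients reaching the internet via the VPS) before calling this.
apply_vpn_forward_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_vpn_forward_rules "$@" | iptables-restore
}

# Usage (as root, with the real public IP in place of 203.0.113.10):
#   gen_vpn_forward_rules eth0 203.0.113.10 tun0 10.8.0.6        # inspect
#   apply_vpn_forward_rules eth0 203.0.113.10 tun0 10.8.0.6      # load
```

Two caveats a practitioner should keep in mind. First, the MASQUERADE on tun0 means the client's web server sees every visitor as 10.8.0.1; if the application needs real client addresses, either push the VPS as the client's default gateway so the SNAT can be dropped, or use the nginx proxy from the other answer, which carries the address in X-Real-IP. Second, the UDP rules from the question are omitted on purpose: nothing on 10.8.0.6 answers UDP 80/443 unless it serves HTTP/3, and unconditional UDP DNAT just gives strangers a path to probe the client.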
