
I am currently running a VPN Gateway by Strongswan on a CentOS 6.5 VPS.

The CentOS server has one eth port.

The VPN is using IKEv2 and the connections between clients and server are established. The clients are assigned virtual IPs drawn from a 10.0.0.0/24 pool. The clients can also access each other without a problem. However, I notice that the server itself, which acts as the VPN Gateway, does not have a virtual IP address.

I am running some services on the VPS server which I would like to secure via the VPN tunnel. If possible, I would not expose them directly to the internet.

So I am wondering if there is a way for the connected VPN clients to access services on the server which acts as the VPN gateway through the tunnel? Thank you in advance.

  • What does your config look like? In particular the leftsubnet setting on the server and the rightsubnet setting on the client. If you use 0.0.0.0/0 then the clients can access your server as usual because all traffic is tunneled.
    – ecdsa
    Commented Nov 24, 2014 at 9:42
  • Thank you for your reply. I use 0.0.0.0/0 for leftsubnet on the server. And I use the Windows 7 VPN client in IKEv2 mode to connect. I also set up the internet requests from the clients to be forwarded on the eth0 port on the server, so I can access the services listening on the server's eth0 port as normal. To be more specific, what I would like to achieve is running some services behind the firewall, listening on some ports on the local network, say localhost. And only the connected VPN users could access them. Could you please give me some suggestions for that?
    – Aries
    Commented Nov 25, 2014 at 15:40

1 Answer


If the clients route all the traffic to the server (i.e. with leftsubnet=0.0.0.0/0) you only have to make sure the private services are only accessible via VPN. This is quite simple to achieve with strongSwan. Just accept IKE and IPsec traffic (and possibly SSH and other protocols you want to allow) on the INPUT chain and then set the default policy to DROP:

# allow ESP
iptables -A INPUT -p 50 -j ACCEPT
# allow IKE
iptables -A INPUT -p udp --dport 500 -j ACCEPT
# allow NAT-T (IKE and ESP-in-UDP)
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# allow SSH and other protocols
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
...
# drop packets by default
iptables -P INPUT DROP

Then configure leftfirewall=yes and lefthostaccess=yes in ipsec.conf so that strongSwan will automatically insert rules that allow your VPN clients to access the server. These rules use the IPsec policy matching module for iptables/Netfilter (-m policy) so they only apply to traffic coming from established IPsec tunnels.

  • Thank you for your answer. Probably I didn't clarify my question clearly. This is exactly the same iptables setup as mine. The problem I met was how the virtual subnet for the clients can securely connect to the service on the server, since the server itself is not present in that subnet. For example, I try to run an Apache facing the virtual subnet. I am wondering which IP address the httpd process should listen on? Thank you.
    – Aries
    Commented Nov 29, 2014 at 7:05
  • You won't need any special IP address for apache, just use the public IP (same as the VPN server) to access it from clients. Since you block traffic from all but the VPN clients no one else can access the service. Of course, you could use a different IP, but since the clients route everything to the VPN server it really doesn't matter which IP that is.
    – ecdsa
    Commented Dec 1, 2014 at 8:49
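The full rule set the answer sketches, written out as a script that can be previewed before it is applied. This is an added example, not code from the original answer or from the strongSwan project. It assumes the client pool is 10.0.0.0/24 (as in the question), that the private service is httpd on TCP port 80, and that the command used for each rule is passed as an argument so the rules can be printed instead of loaded into the kernel; the explicit "-m policy" rule for the service and the "ikev2-clients" conn name are this example's own additions, equivalent to what leftfirewall=yes/lefthostaccess=yes would insert, not something the answer requires.

```shell
#!/bin/sh
# Added example: VPN-only access to a service on the strongSwan gateway.
# Assumptions (not from the original answer): pool 10.0.0.0/24, service on TCP/80.

VPN_POOL="${VPN_POOL:-10.0.0.0/24}"   # virtual IP pool handed out by strongSwan
SERVICE_PORT="${SERVICE_PORT:-80}"    # the service that must stay reachable only over the VPN

# Print one rule per line; used to preview the rule set without touching the kernel.
show() { printf '%s\n' "$*"; }

# Build the INPUT chain. $1 is the command run for each rule: "iptables" on the
# gateway, or "show" to preview. Accept rules are appended first and the DROP
# default policy is set LAST, so a live run never locks out the SSH session
# that is applying it.
apply_vpn_only_policy() {
    ipt="${1:-iptables}"
    # loopback: services bound to 127.0.0.1 and local tools keep working
    $ipt -A INPUT -i lo -j ACCEPT
    # replies to connections the server itself opened (updates, DNS, ...)
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # IKEv2 and IPsec: ESP, IKE (500/udp) and NAT-T (4500/udp)
    $ipt -A INPUT -p esp -j ACCEPT
    $ipt -A INPUT -p udp --dport 500 -j ACCEPT
    $ipt -A INPUT -p udp --dport 4500 -j ACCEPT
    # management access from anywhere (the answer keeps SSH reachable)
    $ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    # the private service: only packets that arrived inside an IPsec SA from a
    # pool address. strongSwan's updown script adds a rule of this kind per
    # client with leftfirewall=yes/lefthostaccess=yes; this explicit copy is an
    # assumption of the example (defence in depth), not a requirement.
    $ipt -A INPUT -s "$VPN_POOL" -m policy --dir in --pol ipsec --proto esp \
         -p tcp --dport "$SERVICE_PORT" -j ACCEPT
    # everything else, including the service port from the Internet, is dropped
    $ipt -P INPUT DROP
}

# The ipsec.conf conn fragment that goes with the rules above. Only the
# routing/firewall keys the answer discusses are shown; the conn name is
# hypothetical and authentication settings are left out.
vpn_only_ipsec_conf() {
    cat <<EOF
conn ikev2-clients
    leftsubnet=0.0.0.0/0
    rightsourceip=$VPN_POOL
    leftfirewall=yes
    lefthostaccess=yes
EOF
}

# Preview: prints the rules instead of applying them. On the gateway itself,
# replace "show" with "iptables".
apply_vpn_only_policy show
vpn_only_ipsec_conf
```

The service itself can listen on the public address or on 0.0.0.0, as the second comment says: with the default policy at DROP, only packets that came out of an IPsec SA (matched by -m policy, or by the rules strongSwan inserts) reach the port, so the address the daemon binds to does not need to be in the 10.0.0.0/24 pool.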
