WEBGUI Access from VPN

Hi

I’ve set up OpenVPN successfully, but now I’d like to create an IPFIRE rule in order to access the WEB UI from devices running OpenVPN and block all other attempts.
How can I do?
Thanks for your support
Vincenzo

Making a rule that allows connection from OpenVPN to 444 port?

Hi Pike

In fact… I tried (source OpenVPN and dest. RED) but only the SSH connection via PuTTY worked, because I forgot to also put the port 444.

Now I will create another rule, for port 444… and it worked.

In the end I have 2 rules: one for accessing SSH and one for WebUI.

Thanks

Vincenzo

Hi Pike

I was wrong… it seems not working.
My chain:

  1. Mobile Android with OpenVPN client and certificate installed from the IPFire OpenVPN server.
  2. OpenVPN client successfully connected to the IPF OpenVPN server.
  3. Rules in place.
  4. If I do hotspot with the mobile (VPN on) to my PC, the IP address is always the public one and not the one of my router, and therefore I can’t connect to either SSH or the WebUI.

Do you know how can I fix this?

thanks
vincenzo

OpenVPN client on the PC? Maybe without having the OpenVPN connection open on the smartphone.

Hi Vincenzo

Not sure I understand what you are trying to accomplish, however from what I read….

You should not use a road warrior certificate on a device and then share it with another one.
This is defeating the security that comes with having VPN certificates on a per user/device basis, not to mention bringing along all kinds of NAT/masq etc. issues.
If that is however what you need, then rather create a Net to Net certificate. That is what they are meant for.

If you want to use a mobile device as your “hotspot”, then add an OpenVPN client and certificate to each of your laptops/PCs/Macs/what have you that are supposed to get to the VPN network.

You won’t need to add any additional firewall rules, apart from defining what network the VPN users should have access to, if you have more than one network configuration, VLAN, etc. on the firewall.

For example, you want to give the VPN user only access to the XYZ server internal and not the rest of the network or servers.
Source VPN group (or defined user group within the VPN range)
Destination XYZ server IP.

Alternatively you can have
Source VPN
Destination GREEN
for everything within the LAN.

Seeing I tend to be lazy on some things, or try to keep things simple, I create my road warrior certificates with “redirect all traffic via the VPN” whilst in use. That way everything work-related is handled via the company gateway and not the user's home network.
Advantage: you have better monitoring and company policy enforcement options available, a wee bit more control.
Disadvantage: the user might get upset because the company gateway may block his/her pr0n surfing or torrent downloads.
Needs a few more rules to work correctly, as you want to also force the DNS requests to go via the VPN. You may need to edit the hosts files on any Windows workstations you have, as they have problems translating hostnames to IPs or don’t ask the firewall correctly. Who knows… M$ has issues.

I hope this helps you along. If no, let me know where I lost you :slight_smile:

Cheers
Andreas
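As an added illustration of the rule logic discussed in this thread (not code from IPFire or from any poster), here is a small first-match evaluator that models the two rules Vincenzo ended up with (SSH and port 444 from the OpenVPN source) with a default drop, and shows why the tethered PC is refused: its connection arrives from the phone's public IP, not from the VPN range. The OpenVPN subnet 10.10.10.0/24, GREEN 192.168.1.0/24, the firewall address 192.168.1.1 and the public address 203.0.113.7 are assumed sample values.

```python
import ipaddress

# Constructed, simplified model of the rule set from this thread.
# Assumed values: OpenVPN road-warrior subnet, GREEN LAN and firewall address.
VPN_NET = ipaddress.ip_network("10.10.10.0/24")
GREEN_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_IP = "192.168.1.1"

# Each rule: (source network, destination host, TCP port, action); first match wins.
RULES = [
    (VPN_NET, FIREWALL_IP, 22, "ACCEPT"),     # SSH from VPN clients
    (VPN_NET, FIREWALL_IP, 444, "ACCEPT"),    # WebUI from VPN clients (the rule first forgotten)
    (GREEN_NET, FIREWALL_IP, 444, "ACCEPT"),  # LAN admins keep WebUI access
]
DEFAULT_ACTION = "DROP"  # anything unmatched (e.g. a public-IP source) is blocked


def evaluate(src, dst, port):
    """Return the action for a TCP connection attempt src -> dst:port."""
    src_ip = ipaddress.ip_address(src)
    for net, host, rule_port, action in RULES:
        if src_ip in net and dst == host and port == rule_port:
            return action
    return DEFAULT_ACTION


def reachable_ports(src, dst=FIREWALL_IP, ports=(22, 80, 443, 444)):
    """Audit helper: list which of the given ports on dst a source may reach."""
    return [p for p in ports if evaluate(src, dst, p) == "ACCEPT"]


if __name__ == "__main__":
    # A real VPN client reaches both admin services; the PC behind the phone's
    # hotspot shows up with the carrier/public address and matches nothing.
    print("VPN client :", reachable_ports("10.10.10.5"))   # [22, 444]
    print("hotspot PC :", reachable_ports("203.0.113.7"))  # []
```

Running `reachable_ports` for each source you expect is a quick way to confirm that only the VPN and GREEN ranges can open port 444 before relying on the rule set.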

thanks Andreas… I will try with net to net…