Redirect my FTP server to VPN server
I have an FTP server with IP 192.168.122.219, and my VPN server has 2 IPs: a public IP (103.19.207.x) and a private IP 192.168.122.172. When my client connects to the VPN server, my local IP on the VPN server is 192.168.1.1 and my client gets IP 192.168.1.2 from the VPN server.
How do I make my client connect to FTP over my VPN tunnel? I use openswan for the VPN server.
Last edited by nesa1212 on 2017/07/15 03:57:57, edited 3 times in total.
Re: Redirect my FTP server to VPN server
The VPN should not be an issue.
How does the client (192.168.1.2) connect to anything?
The 192.168.1.1 is clearly on the local subnet of the client, isn't it?
How does the client send to, say 8.8.8.8?
The answer lies in routing, in the client.
The "VPN server" probably acts as a router.
Does it allow forwarding traffic from 192.168.1.0/x into 192.168.2.0/y?
Re: Redirect my FTP server to VPN server
jlehtone wrote:
The VPN should not be an issue.
How does the client (192.168.1.2) connect to anything?
The 192.168.1.1 is clearly on the local subnet of the client, isn't it?
How does the client send to, say 8.8.8.8?
The answer lies in routing, in the client.
The "VPN server" probably acts as a router.
Does it allow forwarding traffic from 192.168.1.0/x into 192.168.2.0/y?
I want to connect 192.168.1.2 -> 192.168.1.1 (VPN server local IP) -> 192.168.122.172 (VPN private IP) -> 192.168.122.219 (FTP private IP).
Yes. 192.168.1.1 is the local IP from the VPN.
I don't know how to allow it. When I tried that, the error "no chains ...." appeared.
Last edited by nesa1212 on 2017/07/15 03:58:41, edited 1 time in total.
Re: Redirect my FTP server to VPN server
1. What routes does the client (192.168.1.2) have?
Assuming it is CentOS,
Code:
ip ro
2. What firewall rules does the VPN server have?
Assuming it is CentOS,
Code:
iptables -S
iptables -t nat -S
PS. I have no idea whether openswan does something fishy.
Re: Redirect my FTP server to VPN server
jlehtone wrote:
1. What routes does the client (192.168.1.2) have?
Assuming it is CentOS,
Code:
ip ro
2. What firewall rules does the VPN server have?
Assuming it is CentOS,
Code:
iptables -S
iptables -t nat -S
PS. I have no idea whether openswan does something fishy.
I use the rule iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.2.
That connects, but when I sniff on another client, it doesn't encrypt.
Re: Redirect my FTP server to VPN server
You should not have to do anything. OpenSWAN should set up the appropriate routes to access 192.168.2.2 via the VPN tunnel. But it's been a long time since I looked at any of the *SWAN implementations. OpenVPN is much simpler to set up.
I don't think that you can achieve this with IPTABLES. Instead, you need to manipulate the routing table so that the packets go via the appropriate VPN tunnel network adapter (probably tun0).
That's why you should answer the questions posed by jlehtone.
Re: Redirect my FTP server to VPN server
nesa1212 wrote:
jlehtone wrote:
1. What routes does the client (192.168.1.2) have?
Assuming it is CentOS,
Code:
ip ro
2. What firewall rules does the VPN server have?
Assuming it is CentOS,
Code:
iptables -S
iptables -t nat -S
PS. I have no idea whether openswan does something fishy.
I use the rule iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.2.
That connects, but when I sniff on another client, it doesn't encrypt.
My VPN server rules:
Code:
[root@localhost ~]# iptables -S
ip_tables: (C) 2000-2006 Netfilter Core Team
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
[root@localhost ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
Re: Redirect my FTP server to VPN server
nesa1212 wrote:
And ip route on the client is empty. The client is using Windows 7.
The equivalent Windows command is:
Code:
route print
Re: Redirect my FTP server to VPN server
Whoever wrote:
nesa1212 wrote:
And ip route on the client is empty. The client is using Windows 7.
The equivalent Windows command is:
Code:
route print
Note that your VPN server needs to push a route to the FTP server to the VPN clients. What's in your OpenSWAN configuration files?
My client:
https://ibb.co/je1pVF
https://ibb.co/e5Vmcv
My configuration:
- ipsec.conf
Code:
version 2
#
# Manual: ipsec.conf.5
# basic configuration
config setup
protostack=netkey
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
conn L2TP-PSK
authby=secret
pfs=no
auto=add
keyingtries=3
ikelifetime=8h
keylife=1h
ike=aes256-sha1;modp1024!
phase2alg=aes256-sha1;modp1024
rekey=no
type=transport
left=103.19.208.247 (my ip vpn server)
right=%any
rightprotoport=17/1701
dpddelay=10
dpdtimeout=90
dpdaction=clear
- ipsec.secrets
Code:
include /etc/ipsec.d/*.secrets
103.19.208.247 %any: PSK "vpnku"
- xl2tpd.conf
Code:
[global]
listen-addr=103.19.208.247
ipsec saref = yes
force userspace = yes
[lns default]
ip range = 192.168.1.2-192.168.1.254
local ip = 192.168.1.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
- chap-secrets
Code:
# Secrets for authentication using CHAP
# client server secret IP addresses
lili l2tpd R1R11234567891234 *
Output of ipsec verify:
Code:
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-642.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
Re: Redirect my FTP server to VPN server
You don't have a route to 192.168.122.X on the client, so it will use the default route (not the secure tunnel).
Take a look at this page:
http://blog.jameskyle.org/2012/07/confi ... ec-server/
Also, take a look at this page:
https://serverfault.com/questions/57412 ... during-con
and, finally, the last comment on this page:
http://users.openswan.narkive.com/IFwVp ... 2tpd-setup
"You shouldn't need any route, because you "live" in the remote network via the IP given via L2TP. For all practical purposes, you are a machine at the office end."
I am not sure if I understand the web pages properly, but I think that you should configure the VPN so that the client gets an IP address in the 192.168.122.0/24 network. Obviously you will have to take care that the client doesn't get an IP address that is already assigned.
As I said before, and at the risk of sounding like a troll, use OpenVPN. It's much simpler to set up and configure and it just works. It doesn't require storage of the client secrets in clear text on the VPN endpoint. Instead, the clients have a private key, which may be optionally encrypted. There are clients for Linux, Windows and Mac.
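As an added illustration (not from the thread or either poster): a small simulation of the client's route lookup for the FTP server address, using longest-prefix match over constructed `ip ro`-style tables, to show why 192.168.122.219 falls through to the default route until a route via the L2TP peer 192.168.1.1 exists. The interface names eth0/ppp0, the client's 192.168.0.0/24 LAN and the gateway 192.168.0.1 are assumptions; the same lookup rule applies to the Windows `route print` table.

```python
# Added example: simulate a host's routing decision with longest-prefix match.
# Route tables below are constructed to mirror the thread's addresses; they are
# not captured output from the poster's machines.
import ipaddress

# Constructed table for a VPN client whose L2TP peer is 192.168.1.1 (ppp0) but
# which has NO route to the office LAN 192.168.122.0/24. eth0/ppp0 and the
# 192.168.0.0/24 LAN with gateway 192.168.0.1 are assumed values.
CLIENT_ROUTES_NO_OFFICE_ROUTE = """\
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 scope link
192.168.1.1 dev ppp0 scope link
"""

# Same table after a route for the office LAN through the tunnel peer is added.
CLIENT_ROUTES_WITH_OFFICE_ROUTE = (
    CLIENT_ROUTES_NO_OFFICE_ROUTE + "192.168.122.0/24 via 192.168.1.1 dev ppp0\n"
)


def parse_routes(text):
    """Parse 'ip ro'-style lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, via, dev))
    return routes


def lookup(text, destination):
    """Return (prefixlen, via, dev) of the most specific matching route."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, via, dev in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via, dev)
    return best


if __name__ == "__main__":
    ftp = "192.168.122.219"
    # Without the office route the FTP server is reached via the default
    # gateway on eth0, i.e. outside the tunnel; with it, via ppp0.
    print("without office route:", lookup(CLIENT_ROUTES_NO_OFFICE_ROUTE, ftp))
    print("with office route:   ", lookup(CLIENT_ROUTES_WITH_OFFICE_ROUTE, ftp))
```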