This site has been archived and will no longer be updated.
You can find my new profile at neilpahl.com. My new blog is at 808.ninja.
Sun, 01 Jan 2012:
When you are using an internal server to manage your intranet and LAN resources, some of the services running on your internal server will run web-based GUIs.
Sure, you can access those if you open up your intranet to the world wide web, but that would defeat the whole purpose of your intranet. I host company resources over our intraweb, so it would be a bad thing to open them up to the world.
Right now I have set up FOG to ghost and manage PC images in a small LAN. It works great when I access the web interface while connected to our local network, but I wouldn't be able to access this remotely.
So, I'm setting up a VPN so that I can remotely connect to the intranet resources and web GUIs. I am planning on using OpenVPN.
My internal server runs Ubuntu 10.04 Server LTS and sits behind a firewalled router. So before setting up the VPN, I have to choose between a Routed or Bridged network.
My understanding of those two concepts is as follows:
>> Adding the bridging configuration to my Ubuntu Server would make my server act as an Ethernet switch. When the client connects, it will receive an IP on the main subnet.
>> A routing configuration would create a new subnet between the Ubuntu Server and the remote client. Then the client and server could share resources with each other, but not with the rest of the network.
I'm not too sure yet how this would affect internet traffic. I think the traffic in a bridged configuration would go through the intranet's router. The routed configuration may not; please comment if you know.
Having said that, in general the bridged network is a little more powerful but harder to set up, and for my purposes I might be able to get away with just a routed configuration, since all my services and resources run on the Ubuntu Server.
I may just end up going for the bridged setup anyway, since it's 'better'.
Thu, 03 May 2012:
If you are behind someone else's firewall, chances are you have a dynamic IP as well.
Usually, to keep track of the external IP of a host with a dynamic IP, I use a DDNS service that is supported by my router. If my router doesn't support DDNS, I use a simple script that emails me the external IP address of the host.
Behind a firewall, however, I have set up a reverse SSH tunnel that holds a persistent connection to an agent server. Then I can access the server behind the firewall by SSHing into the agent server at a specific port, which redirects me to the host behind the firewall. I will write a post on this when I get some time~
Similarly, there is a way to maintain an OpenVPN connection between two hosts. I will write about this in the coming future too.
Sorry for the short log, but I just wanted to add a quick update to this topic.
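The reverse tunnel described above, written out as an added example (this is not the post's own script; the agent host name, relay user and port numbers are placeholders I made up). The first function builds the command the firewalled host runs to hold the tunnel open, the second builds the command a remote client uses to get in through the agent, and the loop keeps the tunnel alive when the connection drops. The forward is bound to the agent's loopback address on purpose, so the tunnel endpoint is reachable only by someone who already has a login on the agent:

```shell
#!/bin/sh
# Hypothetical settings (placeholders, not from the post): the relaying agent
# that both sides can reach, the loopback port on the agent that leads back to
# this host, and the sshd port on this host.
AGENT_HOST="agent.example.com"
AGENT_USER="relay"
AGENT_PORT=2222
LOCAL_SSH_PORT=22

# Command run on the host behind the firewall.
#  -N                    : no remote shell, only the forward
#  -R 127.0.0.1:A:localhost:L : the agent listens on its loopback port A and
#                          hands connections to this host's sshd on port L;
#                          binding to 127.0.0.1 keeps it off the agent's
#                          public interface even if GatewayPorts is enabled
#  ExitOnForwardFailure  : exit (so the loop below retries) instead of keeping
#                          a session with no tunnel when the port is taken
#  ServerAliveInterval/CountMax : notice a dead link within about 90 seconds
reverse_tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:localhost:%s %s@%s' \
        "$AGENT_PORT" "$LOCAL_SSH_PORT" "$AGENT_USER" "$AGENT_HOST"
}

# Command typed on the remote client: jump through the agent (-J, ProxyJump)
# and connect to the loopback port the tunnel is bound to. $1 is the login
# name on the firewalled host.
access_cmd() {
    printf 'ssh -J %s@%s -p %s %s@127.0.0.1' \
        "$AGENT_USER" "$AGENT_HOST" "$AGENT_PORT" "$1"
}

# Keep the tunnel up: ssh blocks until the connection dies, then we back off
# briefly and reconnect. Run this from cron @reboot or a systemd unit.
keep_tunnel_up() {
    while :; do
        # word-split the generated command into argv on purpose
        $(reverse_tunnel_cmd)
        sleep 10
    done
}

# Usage: ./reverse-tunnel.sh up        (on the firewalled host)
#        ./reverse-tunnel.sh access neil (on the remote client, prints the command)
case "${1:-}" in
    up)     keep_tunnel_up ;;
    access) access_cmd "$2"; echo ;;
esac
```

The agent only ever sees an outbound connection from the firewalled host, which is why this works through a router you do not control; authenticate that outbound connection with a dedicated key rather than a password so the loop can reconnect unattended.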
Tue, 24 Jul 2012:
A lot of the time I need to join via VPN just so that I can reach the web resources which are only offered on the remote LAN. In this case, setting up a complete VPN infrastructure can be overkill and more effort than I would like.
So instead, I create an SSH tunnel and route my web traffic to the remote LAN. With just a simple SSH tunnel and a little configuration in Firefox, I no longer have to add to the complexity of my server on that network. I believe that a simpler setup can reduce vulnerabilities down the line, as there is less software you need to keep applying security patches to.
First I need to bind a port to the SSH tunnel. I'm going to use port 1080, since it's the one used for the SOCKS proxy in Firefox that allows us to use the remote DNS. Other uses may require a different port to be bound.
In Linux, just add the -D option to your regular ssh command:
ssh -D 1080 username@remoteiporaddress.com -p 22
The -D is to bind port 1080. The -p is not needed, as port 22 is the default (my server is behind a firewall, so I had to previously set up a reverse tunnel through a relaying agent, and therefore I usually use a port other than 22).
In Windows,
I use PuTTY. Enter the usual (domain name, username, port) to access the remote server via SSH. To create the tunnel for port 1080, add the configuration under:
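The same dynamic forward as a small wrapper script, added here as an example (not the post's own; the host and login are the placeholders from the command above, the rest I assumed). It adds two things to the plain command: the SOCKS listener is bound to 127.0.0.1 explicitly, so nobody else on the local network can ride the tunnel into the remote LAN, and ExitOnForwardFailure makes ssh refuse to start if 1080 is already taken rather than silently giving a session with no proxy. It also shows the curl equivalent of Firefox's remote-DNS setting, which is handy for checking the tunnel before touching browser settings:

```shell
#!/bin/sh
# Placeholder values taken from the post's command; replace with your own.
REMOTE_HOST="remoteiporaddress.com"
REMOTE_USER="username"
REMOTE_PORT=22
SOCKS_PORT=1080

# The post's command with three additions:
#  -N                 : no remote shell, the tunnel is all we want
#  -D 127.0.0.1:PORT  : bind the SOCKS listener to loopback explicitly
#  ExitOnForwardFailure : fail loudly if the port is already in use
socks_tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s -p %s %s@%s' \
        "$SOCKS_PORT" "$REMOTE_PORT" "$REMOTE_USER" "$REMOTE_HOST"
}

# curl equivalent of Firefox's socks_remote_dns = true: the socks5h:// scheme
# hands the hostname to the proxy, so LAN-only names resolve on the remote
# side and the lookup never goes to the local resolver. Prints the HTTP status.
proxy_fetch_cmd() {
    printf 'curl --proxy socks5h://127.0.0.1:%s -sS -o /dev/null -w "%%{http_code}" %s' \
        "$SOCKS_PORT" "$1"
}

# Check that the listener is actually up on loopback before pointing Firefox
# at it (needs iproute2's ss; returns non-zero when nothing is listening).
socks_port_open() {
    ss -ltn 2>/dev/null | grep -q "127.0.0.1:$1 "
}

# Usage: ./socks.sh up                       (opens the tunnel, stays in foreground)
#        ./socks.sh check                    (is 1080 listening on loopback?)
#        ./socks.sh fetch http://192.168.1.1/ (status code of a LAN-only URL)
case "${1:-}" in
    up)    $(socks_tunnel_cmd) ;;   # word-split into argv on purpose
    check) socks_port_open "$SOCKS_PORT" && echo "SOCKS listener up on 127.0.0.1:$SOCKS_PORT" ;;
    fetch) sh -c "$(proxy_fetch_cmd "$2")"; echo ;;
esac
```

If `fetch` returns a 200 for a private address like the router's but a plain curl from the same machine cannot reach it, the tunnel and remote DNS are working and Firefox can be configured to match.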
Connection > SSH > Tunnels
Under "Add new forwarded port:" put:
source port: 1080
and select the "Dynamic" radio button.
Click "Add".
Once the SSH connection is made, the tunnel will be there too. Now, the only trick to this is setting up Firefox to use the SOCKS proxy with remote DNS...
I'm using Firefox 14. In the URL bar enter about:config, and click the button saying you'll be careful (because you will). Now, search for something along the lines of socks_remote_dns and double-click the result to make it true.
Now, go to Edit > Preferences
Advanced > Network > Connection > Settings
Select the "Manual proxy configuration" radio button and fill in:
SOCKS Host: localhost Port: 1080
And then you should be able to reach web GUIs that are on the remote network. I find it particularly useful for changing the settings of a router that uses a web interface, for example by going to its address, like "192.168.1.1".
Also, in order to not always mess with my Firefox settings, I use a portable version of Firefox which I can stick on a thumb drive. That, combined with a portable version of PuTTY, gives me the ability to access that network from anywhere.