VPN and really private network
I installed and configured OpenVPN. The question is: how can I allow ONLY people in the VPN to access "delicate" services like ssh?
ifconfig
...
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:336 (336.0 B)
...
But if I bind ssh to "10.8.0.1" it doesn't work.
Also, is there a way for VPN users to access the applications bound to the private LAN IP given by Linode?
Thanks for the reply.
3 Replies
In my opinion, the best way to do this would be to use iptables rules. Add some like the following:
iptables -I INPUT -i tun0 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
That will accept all connections from your VPN network, and will drop any connection to port 22 from the public network. You could then put the iptables commands in a shell script and execute it using the /etc/rc.local file. That should work across most Linux distributions. Alternatively, you could save the iptables rules like so:
iptables-save >/etc/iptables.rules
Now, run this command to restore them.
iptables-restore < /etc/iptables.rules
Also, you may want to check out the following article:
There may be alternative methods, and probably more secure ones too. You could, for instance, only accept incoming connections from certain VPN ip addresses with iptables and allow those connections to access certain ports, but I assume you'd trust anyone on your VPN network.
Good luck, and feel free to respond with any questions you might have. The excellent community here is happy to help.
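The following is an added example, not part of the reply above, that carries the reply's approach through as one script: it builds the ruleset in iptables-save format (the same format iptables-save writes and iptables-restore reads) so the file can be persisted and reloaded at boot. The tun0 interface name and the 10.8.0.1 address come from the ifconfig output in the question; the 10.8.0.0/24 subnet, the /etc/iptables.rules path reused from the reply, the APPLY environment variable and the function names are assumptions of this example. The VPN ACCEPT rule is placed before the DROP because iptables evaluates INPUT top to bottom and stops at the first match, which is also why the reply uses -I for the ACCEPT and -A for the DROP.

```shell
#!/bin/sh
# Added example (not from the original thread): generate an iptables ruleset
# that admits SSH only over the OpenVPN tunnel, and persist it with
# iptables-save / iptables-restore as the reply suggests.
# Assumptions: tunnel interface tun0 (from the ifconfig output), VPN subnet
# 10.8.0.0/24 (assumed from the 10.8.0.1 address), rules file path reused
# from the reply. Nothing is applied unless APPLY=1 is set and we are root.

VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# Print the ruleset in iptables-save format.  Lines starting with '#' are
# comments to iptables-restore.  Order matters: first match wins, so the
# VPN ACCEPT for port 22 must appear before the catch-all DROP.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host initiated.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH is reachable only when it arrives over the tunnel from the VPN subnet
# (the per-source restriction the reply mentions as the stricter option).
-A INPUT -i $VPN_IF -s $VPN_NET -p tcp --dport 22 -j ACCEPT
# Any other SSH attempt (public interface, or a wrong source address) is dropped.
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
EOF
}

# Number of rules in the generated set that touch port 22 (expected: 2).
count_ssh_rules() {
    gen_rules | grep -c -- '--dport 22'
}

# Line number of the first rule whose action is $1 (ACCEPT or DROP) on port 22;
# used to confirm the ACCEPT precedes the DROP.
ssh_rule_line() {
    gen_rules | grep -n -- "--dport 22 -j $1" | head -n 1 | cut -d: -f1
}

# Validate with iptables-restore -t (parse only, no commit), then write the
# file and load it.  Put "iptables-restore < $RULES_FILE" in /etc/rc.local
# or an equivalent boot hook to reload it after a restart.
apply_rules() {
    gen_rules | iptables-restore -t || return 1
    gen_rules > "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE"
}

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" -eq 0 ] \
   && command -v iptables-restore >/dev/null 2>&1; then
    apply_rules
else
    # Dry run: show what would be loaded.
    gen_rules
fi
```

Run it without arguments to review the ruleset; run it as root with APPLY=1 to validate and load it. Test connectivity from a VPN client before closing your existing shell, since a rule that drops port 22 on the public address locks you out if the tunnel rule is wrong.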