1st April 2015
Oko
Rc.conf Instructor
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Secure Remote Access to an Internal Web Server

I just spent 12 hours trying unsuccessfully to implement my solution for securing remote access to one of our internal web servers. I am soliciting ideas on how to do it; as I missed the deadline anyway, at least I want to get things right.

My starting point was the assumption (possibly wrong) that the only way to give secure remote access to our internal server was using a VPN. Namely, my idea was to have a Windows client connect to one of my firewalls using L2TP and thereby gain access to my internal web server on a different subnet, as the picture shows.

               -------- > VPN ------->
               |                    |
Windows Client ----> Internet ----> OpenBSD firewall/L2TP ------> Web Server

I got the L2TP server working on OpenBSD using npppd and ipsec in no time. Windows 7 has no problem connecting to it in a secure fashion.

Relevant ipsec.conf file:

ike passive esp transport \
        proto udp from $external_ip to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp2048 \
        quick auth "hmac-sha1" enc "3des" \
        psk "secret_key"
I have two new interfaces, tun0 and enc0. I appended the pf.conf file with the following:
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)

pass quick on $vpn_if
where vpn_if="tun0"

Without the last rule, which I have not seen in any of the L2TP howtos on the Internet, I could not get the VPN client to see the Internet or use the Unbound resolver on my firewall.

It looks like the problem is that the L2TP VPN is not able to push route configuration to the client while connected to my private network, as I can't ping my web server from the Windows machine. I played with rdr'ing traffic from $vpn_if to the private address, but it doesn't work.

This setup is trivial with OpenVPN, and I am running something similar internally, but installing a certificate on Windows is a customer service nightmare for a guy like me, so I thought I would bypass the nonsense using a Windows-friendly VPN solution.

Any thoughts, comments, rude remarks? I am open to any suggestion short of compromising the security of the setup. This post seems to be onto something, but I am too tired to make anything out of it.

BTW, I will post the complete configuration files for L2TP on misc once I am done with this nonsense. The answers I received to the question I posted a few days ago were very good.

Last edited by Oko; 1st April 2015 at 02:53 AM.
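A tightened pf.conf fragment for the setup described in the post, as an added example that is not part of the original post or of the OpenBSD documentation: it replaces the blanket `pass quick on $vpn_if` with rules that let L2TP clients reach only the web server's HTTPS port and the firewall's resolver, and it source-translates that traffic to the firewall's internal address so the web server's replies come back through the firewall even when the server has no route to the L2TP client pool. Interface names, the client pool and the web server address are constructed placeholders.

```pf
# Added example, not from the original post: a tightened pf.conf fragment
# for the L2TP/IPsec setup described above. Interface names, the client
# pool and the web server address are constructed placeholders.
ext_if      = "em0"              # constructed; member of the egress group
int_if      = "em1"              # constructed; faces the web server subnet
vpn_if      = "tun0"             # npppd's interface for L2TP sessions
vpn_net     = "10.254.0.0/24"    # constructed: pool npppd assigns to clients
web_server  = "192.168.10.20"    # constructed: the internal web server

set skip on lo
block log all                    # default deny; everything below is an exception

# IKE, NAT-T and L2TP control traffic from the Internet, as in the post
pass in quick on egress proto udp from any to ($ext_if) port { 500, 4500, 1701 } keep state
pass quick proto { esp, ah } from any to any
# decrypted traffic appears on enc0; keep its state bound to that interface
pass on enc0 from any to any keep state (if-bound)

# Instead of "pass quick on $vpn_if": VPN clients may reach HTTPS on the web
# server and the resolver on the firewall's own tunnel address, nothing else
pass in quick on $vpn_if inet proto tcp from $vpn_net to $web_server port 443 keep state
pass in quick on $vpn_if inet proto { tcp, udp } from $vpn_net to ($vpn_if) port 53 keep state
block in log quick on $vpn_if    # logs any other client traffic for review

# The web server has no route back to $vpn_net. Source-translate client
# traffic to the firewall's internal address so replies return via the
# firewall instead of the server's default gateway.
match out on $int_if from $vpn_net to $web_server nat-to ($int_if)
pass out quick on $int_if proto tcp to $web_server port 443 keep state

# Firewall-originated traffic (Unbound's upstream queries, IKE) may leave
pass out quick on egress from ($ext_if) keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for hits on the `block in log quick on $vpn_if` rule to see what else clients try to reach.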