Secure Remote Access to an Internal Web Server
I just spent 12 hours trying unsuccessfully to implement my solution for securing remote access to one of our internal web servers. I am soliciting ideas on how to do it, as I missed the deadline anyway, so at least I want to get things right.

My starting point was the assumption (possibly wrong) that the only way to give secure remote access to our internal server was using a VPN. Namely, my idea was to have a Windows client connect to one of my firewalls using L2TP and thereby gain access to my internal web server on a different subnet, as the picture shows.

Code:
Windows Client ----> Internet 76.53.145.15 ----> OpenBSD firewall/L2TP ------> 192.168.1.0/24 Web Server
        --------> VPN 10.9.0.0/24 ------->

I got the L2TP server working on OpenBSD using npppd and ipsec in no time. Windows 7 has no problem connecting to it in a secure fashion. Relevant ipsec.conf file:

Code:
ike passive esp transport \
    proto udp from $external_ip to any port 1701 \
    main auth "hmac-sha1" enc "aes" group modp2048 \
    quick auth "hmac-sha1" enc "3des" \
    psk "secret_key"

Code:
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port { 500, 4500, 1701 } keep state
pass on enc0 from any to any keep state (if-bound)
pass quick on $vpn_if

Without the last rule, which I have not seen in any of the L2TP howtos on the Internet, I could not get the VPN client to see the Internet or use the Unbound resolver on my firewall. It looks like the problem is that the L2TP VPN is not able to push the route configuration to the client while connected to my private network 192.168.1.0/24, as I can't ping my web server from the Windows machine. I played with rdr of traffic from $vpn_if to the private address but it doesn't work. This setup is trivial with OpenVPN and I am running something similar internally, but installing a certificate on Windows is a customer-service nightmare for a guy like me, so I thought I'd bypass the nonsense using a Windows-friendly VPN solution. Any thoughts, comments, rude remarks? I am open to any suggestion short of compromising the security of the setup. This post seems to be onto something but I am too tired to make something out of it. http://serverfault.com/questions/574...ent-during-con

Cheers,
Oko

BTW I will post complete configuration files for L2TP on misc once I am done with this nonsense. The answers I received on the question I posted a few days ago were very good.

Last edited by Oko; 1st April 2015 at 02:53 AM.
Quote:
I specifically want people to have to log into our network before they can access the content of the web server through an encrypted tunnel.
I run two private websites with public facing addresses. Client certificates are required to obtain any communication at all. One of the two applications also requires userid/pw for additional authentication.
Last edited by jggimi; 1st April 2015 at 03:56 AM. Reason: auto correct typo
Yeah, as jggimi pointed out, you would use client-side certificates (as a hard requirement, not a soft requirement) in nginx such that traffic couldn't hit the actual backend webserver until the client presented a valid signed certificate (which you could sign if you ran your own internal CA).
But like you said, distribution of the client-side certs would be a headache.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
My clients are Firefox and Chrome browsers, and these both install pkcs#12 client certificates. The certs are encrypted with a pre-shared key, allowing the .p12 files to be transmitted insecurely. However, as always, the management of pre-shared keys is left to the administrator and user to deal with.
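The client-certificate setup described in the two previous replies (a private CA, a client certificate nginx treats as a hard requirement, and a password-protected .p12 bundle the browser imports) as an added, runnable example. This script is not from anyone in the thread; it needs only the openssl command-line tool. The CA name, the user name "alice", the pre-shared password, the server-certificate paths and the server_name in the generated nginx block are all made-up placeholders; the nginx directives themselves (ssl_client_certificate, ssl_verify_client, ssl_verify_depth) are real ones.

```shell
#!/bin/sh
# Added example, not code from the thread: private CA -> signed client cert ->
# password-protected PKCS#12 -> nginx block that refuses clients without a cert.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# make_ca DIR: self-signed CA key and certificate (the "own internal CA").
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_client DIR NAME: client key + CSR, signed by the CA into NAME.pem.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.pem" 2>/dev/null
}

# bundle_p12 DIR NAME PASSWORD: .p12 for Firefox/Chrome import. The password is
# the pre-shared key that must reach the user out of band; the file itself may
# travel over an untrusted channel.
bundle_p12() {
    openssl pkcs12 -export -name "$2" -in "$1/$2.pem" -inkey "$1/$2.key" \
        -certfile "$1/ca.pem" -out "$1/$2.p12" -passout "pass:$3" 2>/dev/null
}

# verify_cert CA_PEM CERT_PEM: 0 if CERT chains to CA, non-zero otherwise.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# p12_protected DIR NAME PASSWORD: 0 only if the bundle opens with PASSWORD
# and refuses a wrong one (i.e. the pre-shared key actually protects it).
p12_protected() {
    openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -nokeys -out /dev/null 2>/dev/null &&
    ! openssl pkcs12 -in "$1/$2.p12" -passin "pass:wrong-$3" -nokeys -out /dev/null 2>/dev/null
}

# write_nginx_conf DIR: server block where the client cert is a hard requirement.
# "ssl_verify_client on" fails the TLS handshake without a cert from our CA, so
# no request reaches proxy_pass unauthenticated; "optional" would be the soft
# variant that lets the request through and only exposes $ssl_client_verify.
write_nginx_conf() {
    cat > "$1/site.conf" <<EOF
server {
    listen 443 ssl;
    server_name intranet.example.internal;            # placeholder
    ssl_certificate     /etc/ssl/server.pem;           # placeholder, not made here
    ssl_certificate_key /etc/ssl/private/server.key;   # placeholder, not made here
    ssl_client_certificate $1/ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;
    location / { proxy_pass http://192.168.1.2; }
}
EOF
}

demo() {
    d=$(mktemp -d)
    make_ca "$d"
    issue_client "$d" alice
    bundle_p12 "$d" alice "s3cret-preshared"     # constructed password
    write_nginx_conf "$d"
    verify_cert "$d/ca.pem" "$d/alice.pem" && echo "alice.pem chains to ca.pem"
    p12_protected "$d" alice "s3cret-preshared" && echo "alice.p12 opens only with the pre-shared key"
    echo "artifacts in $d"
}
demo
```

Run it as-is to get a throwaway directory with ca.pem, alice.p12 and site.conf; copy ca.pem into the real nginx configuration and hand alice.p12 plus its password to the user by two separate channels. Whether a certificate from a different CA is rejected is exactly what verify_cert checks, and it is the check nginx performs at handshake time.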
I made more progress. I nailed it down to a static routing problem on the web server now. I can ping the internal private interface 192.168.1.1 from the Windows VPN address 10.0.0.2 but not further into the internal network (I can't ping the 192.168.1.2 web server). It took adding static routes to the Windows laptop even for that.
I got things to work as originally designed. Thanks to everyone who helped. I will post a howto here and on misc over the weekend. I still have a few deadlines to beat.
BTW the OpenBSD IPsec stack and npppd are true gems compared with other "user friendly" OS implementations.