DaemonForums  

Posted 1st April 2015

Oko (Rc.conf Instructor)
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

Secure Remote Access to an Internal Web Server

I just spent 12 hours trying, unsuccessfully, to implement my solution for securing remote access to one of our internal web servers. I am soliciting ideas on how to do it; as I missed the deadline anyway, at least I want to get things right.

My starting point was the assumption (possibly wrong) that the only way to give secure remote access to our internal server was a VPN. Namely, my idea was to have the Windows client connect to one of my firewalls using L2TP and thereby gain access to my internal web server on a different subnet, as the picture shows.

Code:
                       -------- > VPN 10.9.0.0/24 ------->
                       |                                 |
Windows Client ----> Internet 76.53.145.15 ----> OpenBSD firewall/L2TP ------> 192.168.1.0/24 Web Server

I got the L2TP server working on OpenBSD using npppd and ipsec in no time. Windows 7 has no problem connecting to it in a secure fashion.

Relevant ipsec.conf file (external_ip is a macro defined earlier in the file):

Code:
# Phase 1: respond (passive) to the Windows client; transport mode protects
# only the L2TP traffic (udp/1701) between the two hosts, not a whole subnet
ike passive esp transport \
        proto udp from $external_ip to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp2048 \
        quick auth "hmac-sha1" enc "3des" \
        psk "secret_key"
# "main" is the phase 1 (IKE) proposal, "quick" the phase 2 (ESP) proposal;
# 3des is dated, so try "aes" in the quick line if the client accepts it.
I have two new interfaces, tun0 and enc0. I appended the following to pf.conf (where vpn_if="tun0"):
Code:
vpn_if="tun0"   # the L2TP/PPP tunnel interface created by npppd

# the IPsec transport itself
pass quick proto { esp, ah } from any to any
# IKE (500), NAT-T (4500) and L2TP (1701) arriving at the firewall
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
# decrypted traffic reappears on enc0; if-bound keeps that state on enc0 only
pass on enc0 from any to any keep state (if-bound)

# everything arriving from or leaving towards the VPN clients
pass quick on $vpn_if

Without the last rule, which I have not seen in any of the L2TP howtos on the Internet, I could not get the VPN client to see the Internet or use the Unbound resolver on my firewall.

It looks like the problem is that the L2TP VPN is not able to push the route configuration for the client to my private network 192.168.1.0/24 while connected, as I can't ping my web server from the Windows machine. I played with rdr-ing traffic from $vpn_if to the private address, but it doesn't work.


This setup is trivial with OpenVPN, and I am running something similar internally, but installing a certificate on Windows is a customer-service nightmare for a guy like me, so I thought I would bypass the nonsense using a Windows-friendly VPN solution.


Any thoughts, comments, rude remarks? I am open to any suggestion short of compromising the security of the setup. This post seems to be onto something, but I am too tired to make something out of it.

http://serverfault.com/questions/574...ent-during-con


Cheers,
Oko


BTW, I will post the complete configuration files for L2TP on misc once I am done with this nonsense. The answers I received to the question I posted a few days ago were very good.

Last edited by Oko; 1st April 2015 at 02:53 AM.
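One way to carry the VPN subnet through to the internal server in pf, as an added example that is not part of Oko's post or his configuration. The VPN pool 10.9.0.0/24, tun0 and the IKE/L2TP rules follow the post; the interface name em1, the web server address 192.168.1.10 and the decision to expose only ports 80 and 443 to VPN users are assumptions. Two things the posted rule set does not show are a rule letting tun0 traffic leave on the internal interface, and a nat-to for the case where the web server's default route does not point at this firewall (it then has no route back to 10.9.0.0/24, so its replies never reach the client). Note that the Windows L2TP client sends everything, including 192.168.1.0/24, through the tunnel by default ("Use default gateway on remote network"), so the routing to solve is on the OpenBSD side.

```pf
# Added example, not Oko's pf.conf. Merge into a ruleset that already starts
# with "block log all"; assumed names are marked.
int_if  = "em1"             # assumption: interface on 192.168.1.0/24
vpn_if  = "tun0"            # npppd's L2TP/PPP interface, as in the post
vpn_net = "10.9.0.0/24"     # VPN client pool from the post's diagram
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"    # assumption: the internal web server
web_ports = "{ 80, 443 }"

# --- tunnel transport: the post's rules, with the destination pinned to us ---
pass in quick on egress inet proto udp from any to (egress) port { 500, 4500, 1701 } keep state
pass quick inet proto { esp, ah } from any to any
# decrypted packets reappear on enc0; if-bound keeps that state off egress
pass on enc0 from any to any keep state (if-bound)

# --- what VPN clients may reach, instead of a blanket "pass quick on tun0" ---
# Unbound on the firewall (self = every address the firewall owns)
pass in quick on $vpn_if inet proto { tcp, udp } from $vpn_net to self port 53 keep state
# the web server, and nothing else on the LAN
pass in quick on $vpn_if inet proto tcp from $vpn_net to $web_srv port $web_ports keep state
# full-tunnel Internet for clients; drop this rule for a split tunnel
pass in quick on $vpn_if inet from $vpn_net to ! $int_net keep state

# --- forwarding toward the LAN ---
# hide the clients behind the firewall's LAN address so the web server's
# replies come back here even if its default gateway is another router
match out on $int_if inet from $vpn_net to $int_net nat-to ($int_if)
pass out on $int_if inet proto tcp from any to $web_srv port $web_ports keep state

# --- Internet-bound client traffic leaves masqueraded like the LAN does ---
match out on egress inet from $vpn_net to any nat-to (egress)
pass out on egress inet from any to any keep state
```

Checks worth doing before blaming npppd: `pfctl -nf /etc/pf.conf` for syntax, `sysctl net.inet.ip.forwarding` must be 1, and `tcpdump -ni em1 host 192.168.1.10` while pinging from the Windows client. If the echo requests leave on em1 but no replies return, the problem is the web server's return route (the nat-to above sidesteps it); if nothing leaves on em1, `pfctl -ss | grep 10.9.0` shows whether pf created a state for the tunnel traffic at all. Separately, try removing 1701 from the egress rule: if the tunnel still comes up, the L2TP packets are only ever seen on enc0 and cleartext L2TP to the firewall can stay blocked.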