DaemonForums  

Go Back   DaemonForums > Miscellaneous > General software and network

General software and network General OS-independent software and network questions, X11, MTA, routing, etc.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 1st April 2015
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,098
Default Secure Remote Access to an Internal Web Server

I just spent 12 hours trying unsuccessfully implement my solution for securing remote access to one of our internal web servers. I am soliciting ideas how to do it as I missed the deadline anyway so at least I want to get things right.

My starting point was assumption (possibly wrong) that the only way to give secure remote access to our internal server was using VPN. Namely my idea was to have Windows client connect to one of my firewalls using L2PT and there buy gain the access to my internal Web Server on the different subnet. As picture shows.



-------- > VPN 10.9.0.0/24 ------->
| |
Windows Client ----> Internet 76.53.145.15 ----> OpenBSD firewall/L2PT ------> 192.168.1.0/24 Web Server


I got L2PT server working on OpenBSD using npppd and ipsec in no time. Windows 7 has no problem to connect to it in secure fashion.

Relevant ipsec.conf file

Code:
ike passive esp transport \
        proto udp from $external_ip to any port 1701 \
        main auth "hmac-sha1" enc "aes" group modp2048 \
        quick auth "hmac-sha1" enc "3des" \
        psk "secret_key"
I have two new interfaces tun0 and enc0. I appended pf.conf file with the following
Code:
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)

pass quick on $vpn_if
where vpn_if="tun0"

without the last rule which I have not seen in any of L2PT howtos on the Internet I could not get VPN client to be able to see Internet or use Unbound resolver on my firewall.

It looks like the problem is that L2TP VPN is not able push route configuration for client during connected to my private network 192.168.1.0/24 as I can't ping my web server from Windows machine. I played with rdr traffic from $vpn_if to the private address but it doesn't work.


This setup is trivial with OpenVPN and I am running something similar internally but installing certificate on Window is a customer service nightmare for a guy like me so I thought I bypass the nonsense using Windows friendly VPN solution.


Any thought, comments, rude remarks? I am open for any suggestion short of compromising the security of the setup. This post seems to be on something but I am too tired to make something out of it.

http://serverfault.com/questions/574...ent-during-con


Cheers,
Oko


BTW I will post complete configuration files for L2PT on misc once I am done with this nonsense. The answers I received on the question I posted few days ago were very good.

Last edited by Oko; 1st April 2015 at 02:53 AM.
Reply With Quote
  #2   (View Single Post)  
Old 1st April 2015
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

If you hadn't mentioned client certificates specifically, I'd suggest perhaps a rdr-to an internal nginx reverse proxy that does client SSL certificate verification.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
  #3   (View Single Post)  
Old 1st April 2015
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,098
Default

Quote:
Originally Posted by rocket357 View Post
If you hadn't mentioned client certificates specifically, I'd suggest perhaps a rdr-to an internal nginx reverse proxy that does client SSL certificate verification.
If I understand you correctly you would just set up Nginx reverse proxy with SSL certificates and have client connect through https tunnel to the website. Correct? How would you prevent other people who know the ip address of your Ngingx proxy to see the web site. Have them use some kind login interface for nginx?


I specifically want people to have to log into our network before they can access the content of the web server through an encrypted tunnel.
Reply With Quote
  #4   (View Single Post)  
Old 1st April 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,884
Default

I run two private websites with public facing addresses. Client certificates are required to obtain any communication at all. One of the two applications also requires userid/pw for additional authentication.

Last edited by jggimi; 1st April 2015 at 03:56 AM. Reason: auto correct typo
Reply With Quote
  #5   (View Single Post)  
Old 1st April 2015
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Yeah, as jggimi pointed out, you would use client-side certificates (as a hard requirement, not a soft requirement) in nginx such that traffic couldn't hit the actual backend webserver until the client presented a valid signed certificate (which you could sign if you ran your own internal CA).

But like you said, distribution of the client-side certs would be a headache.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
  #6   (View Single Post)  
Old 1st April 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,884
Default

My clients are Firefox and Chrome browsers, and these both install pkcs#12 client certificates. The certs are encrypted with a pre-shared key, allowing the .p12 files to be transmitted insecurely. However, as always, the management of pre-shared keys is left to the administrator and user to deal with.
Reply With Quote
  #7   (View Single Post)  
Old 1st April 2015
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,098
Default

I made more progress. I nailed down to the static routing problem on web server now. I can ping internal private interface 192.168.1.1 from Windows vpn 10.0.0.2 but not further into internal network (I can't ping
192.168.1.2 web server). It took adding static routes to Window laptop even for that.
Reply With Quote
  #8   (View Single Post)  
Old 1st April 2015
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,098
Default

I got things to work as originally designed. Thanks to everyone who helped. I will post howto here and on misc over the weekend. I am still have few deadlines to beat.


BTW OpenBSD IPsec stack and npppd are true gems comparing with other "user friendly" OS implementations.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache hole allows attackers to access internal servers J65nko News 0 6th October 2011 05:50 PM
PF cannot access Internet from internal network gpatrick OpenBSD Security 3 29th August 2010 10:59 PM
500 Internal Server Error. Mr-Biscuit Off-Topic 12 12th May 2010 10:23 PM
Setup Remote Access VPN plexter OpenBSD Security 54 4th September 2009 06:33 PM
Remote Access to File Server Oko OpenBSD Security 7 23rd June 2008 05:17 PM


All times are GMT. The time now is 09:33 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick