Hi,

On 11/10/16 15:04, Jan Just Keijser wrote:
> Hi,
>
> On 11/10/16 15:48, debbie10t wrote:
>> Hi
>>
>> according to this forum post:
>> https://forums.openvpn.net/viewtopic.php?f=4&t=22599#p64917
>>
>> OpenVPN --port-share cannot be used by fail2ban because
>> the source port seen by fail2ban is always 127.0.0.1
>>
>> I do use fail2ban so I know it is highly customisable but
>> I do not know if or how it could use the --port-share [dir]
>> option from openvpn to apply the real source IP from the
>> file created by openvpn.
>>
>> I am not expecting to be provided an actual config that
>> does this but simply to know if it is possible ?
>>
>> If anybody can shed a little light it would be appreciated.
>>
> what I suspect that you/the user wants to do is to use fail2ban to
> filter out unwanted HTTPS connections on a connection/port shared with
> OpenVPN.
> The way port-sharing works is that openvpn listens on port 443,
> determines whether it's an OpenVPN packet or not, and if it is not, then
> forwards the packet/connection to some-ip:some-port. However, OpenVPN
> does not set any proxy headers when forwarding the connection, as it
> cannot 'interfere' with the SSL connection. The result is that the
> server will always see as the source address the IP address of the
> OpenVPN server, and not of the actual client. This makes it impossible
> to use fail2ban to filter out unwanted HTTPS/SSL connections.
> I cannot think of a way around this, nor of a way to patch OpenVPN to
> allow this to work - other port-sharing software such as sslh suffers
> from the same limitation.
>
Thanks for your reply JJK and what you say makes obvious sense.

I do wonder, however, about the OP's original comment:

Quote:
---
A) ubuntu 14.04 with openvpn 2.3.2
B) ubuntu 16.04 with openvpn 2.3.10

Both use Port 443 for OpenVPN and share that port with apache at port 10443.
So Both Servers use the OPENVPN-Config "port-share 10443" parameter

It works perfectly on both servers. But Server A logs any https access in the
apache access log with the correct IP from the access client.
Server B always logs 127.0.0.1
---

That reads to me as: ovpn-2.3.2 forwards the packet with the source IP of the client !

That is why I was more than usually curious ..

Is it likely that ovpn-2.3.2 did port-sharing incorrectly ?
(I understand 2.3.2 is a long time ago but possibly a Dev remembers something useful here)

Thanks

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
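The question in the thread is whether the file written by the optional `dir` argument of `--port-share` could give fail2ban the real client address. The script below is an added example written for this archive; it is not code from the thread, from OpenVPN or from fail2ban. It assumes the journal layout described in the OpenVPN manual for that argument (one file per proxied connection, named after the IP:port the proxy receiver sees on its side, containing the real client's IP:port, deleted when the connection ends), and it assumes Apache has been told to log the remote port alongside the address (a LogFormat beginning `%h:%{remote}p`), because without the port there is nothing to look up. All addresses, the journal directory and the log line are constructed.

```python
"""
Resolve the real client address behind an OpenVPN --port-share proxy.

ASSUMPTION (check against the OpenVPN manual for --port-share host port [dir]):
OpenVPN writes one file per proxied connection into <dir>, named after the
IP:port that the proxy receiver sees (e.g. "127.0.0.1:45678") and containing
the real client's IP:port. The file is removed when the proxied connection is
torn down, so the lookup only succeeds while the connection is still open.
"""
import os
import re
import tempfile

# Access-log line whose first field is the address the receiver saw, with the
# remote port appended, e.g. LogFormat "%h:%{remote}p %l %u %t \"%r\" %>s %b".
# IPv4 only: the journal file for IPv6 peers would be named "[addr]:port".
_ADDR_RE = re.compile(r'[0-9.]+:\d+')
_LOG_RE = re.compile(r'^(?P<ip>[0-9.]+):(?P<port>\d+)\s(?P<rest>.*)$')


def resolve_real_client(journal_dir, seen_addr):
    """Map the address the receiver saw (e.g. '127.0.0.1:45678') to the real
    client address recorded by OpenVPN, or None if no journal entry exists."""
    # Only accept IP:port, so a crafted log field cannot steer the open()
    # to a path outside journal_dir.
    if not _ADDR_RE.fullmatch(seen_addr):
        return None
    path = os.path.join(journal_dir, seen_addr)
    try:
        with open(path) as f:
            real = f.read().strip()
    except OSError:
        return None                      # connection already torn down
    return real if _ADDR_RE.fullmatch(real) else None


def rewrite_log_line(journal_dir, line):
    """Replace the proxy-side address at the start of an access-log line with
    the real client IP, so a fail2ban filter sees the address worth banning.
    Lines that do not parse or have no journal entry are returned unchanged."""
    m = _LOG_RE.match(line)
    if not m:
        return line
    real = resolve_real_client(journal_dir, f"{m['ip']}:{m['port']}")
    if real is None:
        return line
    real_ip = real.rsplit(':', 1)[0]
    return f"{real_ip} {m['rest']}"


def make_constructed_journal():
    """Create a temporary journal directory holding one constructed entry, as
    OpenVPN would while a proxied connection is open."""
    d = tempfile.mkdtemp(prefix='ovpn-ps-')
    with open(os.path.join(d, '127.0.0.1:45678'), 'w') as f:
        f.write('203.0.113.7:51234')     # constructed real client address
    return d


if __name__ == '__main__':
    journal = make_constructed_journal()
    # constructed Apache log line: proxy-side address first, then usual fields
    sample = ('127.0.0.1:45678 - - [11/Oct/2016:15:48:00 +0200] '
              '"GET /admin HTTP/1.1" 403 512')
    print(rewrite_log_line(journal, sample))
```

The practical caveat is the lifetime of the journal file: it disappears when the proxied TCP connection closes, and fail2ban normally reads the access log some time after the request, so a lookup done from a log tail will often find nothing. The mapping has to be captured while the connection is alive, which means doing it in the web server itself at request time (or in a small daemon watching the journal directory) and logging the resolved address, rather than asking fail2ban to resolve it afterwards.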