Hi,

On 31/05/21 11:29, Bo Berglund wrote:
> Say that I have a tunnel-only OVPN configuration to enable clients to "reach"
> each other using client-to-client directive on the OVPN server.
>
> If I connect two Linux clients to the tunnel and one has a webserver running,
> will the website be available to the other client (provided he uses the tunnel
> IP address)? Apache is started *before* the VPN connection has been made.
>
> Or is there something one has to do in order for the webservice (apache) to also
> work over the tunnel interface once it connects?
>
> Note that neither of the clients will reach the LAN on the VPN server side,
> IPTABLES are set up to DROP such packets coming from the tunnel.

That can be made to work - but it depends on routing and on your Apache config; if your webserver is listening on 0.0.0.0:80 then it will "just work" if you go to http://<tunnel-ip>. If you are using https and the server is listening on 0.0.0.0:443 (or ::443) then you will need to ensure that <tunnel-ip> resolves to the web server certificate name.

If your web server is listening on <lan-ip>:{80,443} then you can still make it work, but it will get tricky:

The OpenVPN client has a *direct* route to the OpenVPN server, bypassing the tunnel. This means that even with the tunnel up, the client will still attempt a *direct* connection to the web server IP. Most likely this will fail. With a Linux client you can use port based routing to make sure that traffic for ports 80 & 443 *is* sent over the tunnel, regardless of any direct routes. Read up e.g. at

https://unix.stackexchange.com/questions/239172/route-on-specific-interface-based-on-port

HTH,

JJK
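The two cases in the reply above, as an added example that is not code from the thread or from OpenVPN: a check of how the web server is bound (parsed from `ss -ltn` output) and, for the "<lan-ip>:80/443" case, the fwmark policy-routing commands that send only TCP 80/443 towards that address over the tunnel. It assumes a Linux client with iproute2 and iptables; the interface name tun0, the mark and table numbers, the sample `ss` output and the 192.168.1.10 address are constructed, and the MASQUERADE line is my addition so that replies come back through the tunnel rather than to the LAN source address the kernel picked before the re-route.

```shell
#!/bin/sh
# Added example (not from the list thread). Detect the web server's bind mode
# and emit policy-routing rules for the "bound to <lan-ip>" case.
# TUN_IF, MARK and TABLE are assumed names/values, not from the thread.
TUN_IF="${TUN_IF:-tun0}"
MARK="${MARK:-1}"
TABLE="${TABLE:-100}"
# bind_mode PORT SS_OUTPUT: prints "wildcard", "specific <addr>" or "none"
# for the listening socket on PORT, reading `ss -ltn` style output.
bind_mode() {
  printf '%s\n' "$2" | awk -v p="$1" '
    NR > 1 {
      addr = $4                              # column 4: Local Address:Port
      n = split(addr, f, ":"); lport = f[n]
      if (lport != p) next
      host = substr(addr, 1, length(addr) - length(lport) - 1)
      if (host == "0.0.0.0" || host == "[::]" || host == "*") print "wildcard"
      else print "specific " host
      found = 1; exit
    }
    END { if (!found) print "none" }'
}
# route_cmds WEB_IP: emits the commands one per line so they can be reviewed
# and then run as root. Matching on -d WEB_IP keeps all other web traffic on
# the client's normal route; MASQUERADE rewrites the source to the tunnel IP
# because the kernel chose the LAN source before the mangle re-route.
route_cmds() {
  printf '%s\n' \
    "iptables -t mangle -A OUTPUT -d $1 -p tcp -m multiport --dports 80,443 -j MARK --set-mark $MARK" \
    "ip rule add fwmark $MARK lookup $TABLE" \
    "ip route add default dev $TUN_IF table $TABLE" \
    "iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE"
}
# Constructed sample of `ss -ltn` as it might look on the web server host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511    192.168.1.10:80     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    [::]:443            [::]:*'
main() {
  mode=$(bind_mode 80 "$SAMPLE_SS")
  echo "port 80 bound: $mode"
  case "$mode" in
    specific*) route_cmds "${mode#specific }" ;;
    wildcard)  echo "http://<tunnel-ip> should just work" ;;
    *)         echo "no listener on port 80" ;;
  esac
}
main
```

Run the emitted commands only after checking that the OpenVPN control channel itself (UDP/TCP to the server's port) is not matched by the mangle rule, otherwise the tunnel would try to route its own transport through itself.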



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users