Redirect my FTP server to VPN server

Issues related to configuring your network
nesa1212
Posts: 10
Joined: 2017/02/17 03:36:15

Redirect my FTP server to VPN server

Post by nesa1212 » 2017/07/11 11:09:12

I have an FTP server with IP 192.168.122.219, and my VPN server has 2 IPs, a public IP (103.19.207.x) and a private IP 192.168.122.172. When my client connects to the VPN server, my local IP on the VPN server is 192.168.1.1 and my client gets the IP 192.168.1.2 from the VPN server.


How do I make my client connect to FTP over my VPN tunnel? I use openswan for the VPN server.
Last edited by nesa1212 on 2017/07/15 03:57:57, edited 3 times in total.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Redirect my FTP server to VPN server

Post by jlehtone » 2017/07/11 12:22:30

The VPN should not be an issue.

How does the client (192.168.1.2) connect to anything?
The 192.168.1.1 is clearly on the local subnet of the client, isn't it?
How does the client send to, say 8.8.8.8?
The answer lies in routing, in the client.


The "VPN server" probably acts as a router.
Does it allow forwarding traffic from 192.168.1.0/x into 192.168.2.0/y?

nesa1212
Posts: 10
Joined: 2017/02/17 03:36:15

Re: Redirect my FTP server to VPN server

Post by nesa1212 » 2017/07/11 12:42:59

jlehtone wrote: The VPN should not be an issue.

How does the client (192.168.1.2) connect to anything?
The 192.168.1.1 is clearly on the local subnet of the client, isn't it?
How does the client send to, say 8.8.8.8?
The answer lies in routing, in the client.


The "VPN server" probably acts as a router.
Does it allow forwarding traffic from 192.168.1.0/x into 192.168.2.0/y?
I want to connect 192.168.1.2 -> 192.168.1.1 (VPN server local IP) -> 192.168.122.172 (VPN private IP) -> 192.168.122.219 (FTP private IP).

Yes. 192.168.1.1 is the local IP from the VPN.

I don't know how to allow it. When I tried that, the error "no chains ...." appeared.
Last edited by nesa1212 on 2017/07/15 03:58:41, edited 1 time in total.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Redirect my FTP server to VPN server

Post by jlehtone » 2017/07/11 19:55:30

1. What routes does the client (192.168.1.2) have?
Assuming it is CentOS,

ip ro

2. What firewall rules does the VPN server have?
Assuming it is CentOS,

iptables -S
iptables -t nat -S

PS. I have no idea whether openswan does something fishy.

nesa1212
Posts: 10
Joined: 2017/02/17 03:36:15

Re: Redirect my FTP server to VPN server

Post by nesa1212 » 2017/07/13 01:47:22

jlehtone wrote: 1. What routes does the client (192.168.1.2) have?
Assuming it is CentOS,

ip ro

2. What firewall rules does the VPN server have?
Assuming it is CentOS,

iptables -S
iptables -t nat -S

PS. I have no idea whether openswan does something fishy.
I added the rule iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.2.

That connects, but when I sniff from another client, it isn't encrypted.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Redirect my FTP server to VPN server

Post by Whoever » 2017/07/13 02:31:57

You should not have to do anything. OpenSWAN should set up the appropriate routes to access 192.168.2.2 via the VPN tunnel. But it's been a long time since I looked at any of the *SWAN implementations. OpenVPN is much simpler to set up.

I don't think that you can achieve this with IPTABLES. Instead, you need to manipulate the routing table so that the packets go via the appropriate VPN tunnel network adapter (probably tun0).

That's why you should answer the questions posed by jlehtone.

nesa1212
Posts: 10
Joined: 2017/02/17 03:36:15

Re: Redirect my FTP server to VPN server

Post by nesa1212 » 2017/07/15 01:58:09

nesa1212 wrote:
jlehtone wrote: 1. What routes does the client (192.168.1.2) have?
Assuming it is CentOS,

ip ro

2. What firewall rules does the VPN server have?
Assuming it is CentOS,

iptables -S
iptables -t nat -S

PS. I have no idea whether openswan does something fishy.
I added the rule iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.2.

That connects, but when I sniff from another client, it isn't encrypted.

My VPN server rules:

[root@localhost ~]# iptables -S
ip_tables: (C) 2000-2006 Netfilter Core Team
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
[root@localhost ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT

And the ip route on the client is empty. The client is using Windows 7.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Redirect my FTP server to VPN server

Post by Whoever » 2017/07/15 03:27:09

nesa1212 wrote:
nesa1212 wrote:
And the ip route on the client is empty. The client is using Windows 7.
The equivalent Windows command is:

route print

Note that your VPN server needs to push a route to the FTP server to the VPN clients. What's in your OpenSWAN configuration files?

nesa1212
Posts: 10
Joined: 2017/02/17 03:36:15

Re: Redirect my FTP server to VPN server

Post by nesa1212 » 2017/07/15 03:48:09

Whoever wrote:
nesa1212 wrote:
nesa1212 wrote:
And the ip route on the client is empty. The client is using Windows 7.
The equivalent Windows command is:

route print

Note that your VPN server needs to push a route to the FTP server to the VPN clients. What's in your OpenSWAN configuration files?

My client:
https://ibb.co/je1pVF

https://ibb.co/e5Vmcv

My configuration:

- ipsec.conf

version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
	
	protostack=netkey
	dumpdir=/var/run/pluto/
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
conn L2TP-PSK
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	ikelifetime=8h
	keylife=1h
	ike=aes256-sha1;modp1024!
	phase2alg=aes256-sha1;modp1024
	rekey=no
	type=transport
	left=103.19.208.247 (my ip vpn server)
	right=%any
	rightprotoport=17/1701
	dpddelay=10
	dpdtimeout=90
	dpdaction=clear

- ipsec.secrets

include /etc/ipsec.d/*.secrets
103.19.208.247	%any:	PSK	"vpnku"

- /etc/xl2tpd/xl2tpd.conf

[global]
listen-addr=103.19.208.247
ipsec saref = yes
force userspace = yes
[lns default]
ip range = 192.168.1.2-192.168.1.254
local ip = 192.168.1.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

- /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client	server	secret			IP addresses
lili		l2tpd	R1R11234567891234	     *

- ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.15 (netkey) on 2.6.32-642.el6.x86_64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Hardware random device                            	[N/A]
Two or more interfaces found, checking IP forwarding	[OK]
Checking rp_filter                                	[OK]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret syntax                        	[OK]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options          	[OK]
Opportunistic Encryption                          	[DISABLED]

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Redirect my FTP server to VPN server

Post by Whoever » 2017/07/15 05:38:21

You don't have a route to 192.168.122.X on the client, so it will use the default route (not the secure tunnel).

Take a look at this page:
http://blog.jameskyle.org/2012/07/confi ... ec-server/

Also, take a look at this page:
https://serverfault.com/questions/57412 ... during-con
and, finally the last comment on this page:
http://users.openswan.narkive.com/IFwVp ... 2tpd-setup
You shouldn't need any route, because you "live" in the remote network via the
IP given via L2TP. For all practical purposes, you are a machine at the office end.
I am not sure if I understand the web pages properly, but I think that you should configure the VPN so that the client gets an IP address in the 192.168.122.0/24 network. Obviously you will have to take care that the client doesn't get an IP address that is already assigned.

As I said before, and at the risk of sounding like a troll, use OpenVPN. It's much simpler to set up and configure and it just works. It doesn't require storage of the client secrets in clear text on the VPN endpoint. Instead, the clients have a private key, which may be optionally encrypted. There are clients for Linux, Windows and Mac.
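To make the routing point in the reply above concrete, here is an added Python example (my own, not code from the thread or from openswan/xl2tpd): it performs the same longest-prefix match the client's kernel does over a constructed routing table, showing that without a route for 192.168.122.0/24 the FTP server is reached via the default route rather than the tunnel. The interface names eth0 and ppp0 and the home gateway 10.0.0.1 are assumptions; the 192.168.x addresses are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None   # None means the prefix is directly on-link

def parse_routes(text: str):
    """Parse constructed 'ip ro'-style lines: '<prefix|default> [via GW] dev IFACE ...'."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        iface = parts[parts.index("dev") + 1]
        routes.append(Route(ipaddress.ip_network(prefix, strict=False), iface, gw))
    return routes

def select_route(routes, dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does; the default route only wins when nothing else matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

def uses_tunnel(routes, dst: str, tunnel_iface: str) -> bool:
    """True if traffic to dst leaves through the VPN interface, i.e. is protected by the tunnel."""
    r = select_route(routes, dst)
    return r is not None and r.iface == tunnel_iface

# Constructed client table mirroring the thread: the VPN assigned 192.168.1.2 with peer
# 192.168.1.1 on ppp0, the default route goes via the (assumed) home gateway on eth0,
# and there is no route at all for the 192.168.122.0/24 network behind the VPN server.
CLIENT_ROUTES_BEFORE = """
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 scope link
192.168.1.1 dev ppp0 scope link src 192.168.1.2
"""

# The same table after the VPN server pushes (or the admin adds) the FTP subnet via the tunnel.
CLIENT_ROUTES_AFTER = CLIENT_ROUTES_BEFORE + "192.168.122.0/24 via 192.168.1.1 dev ppp0\n"

FTP_SERVER = "192.168.122.219"

if __name__ == "__main__":
    for label, text in (("before", CLIENT_ROUTES_BEFORE), ("after", CLIENT_ROUTES_AFTER)):
        r = select_route(parse_routes(text), FTP_SERVER)
        print(f"{label}: {FTP_SERVER} -> {r.prefix} dev {r.iface} (tunnel: {r.iface == 'ppp0'})")
```

Running it prints the "before" lookup leaving via eth0 and the "after" lookup via ppp0; a packet capture on the client's physical interface would show the FTP session in clear in the first case and only ESP/UDP 4500 traffic in the second.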
