Hide a VDS web server behind a VPN
I have a VDS server with CentOS 7, iptables, Apache and SSH, and a purchased VPN account with a dedicated IP. The VDS needs to connect to the VPN automatically. Apache should only work via the VPN. SSH should only work over the real IP.
I installed OpenVPN on the VDS and put the config, certificates and key from the VPN provider in /etc/openvpn. After connecting the VDS to the VPN, the server stops responding to ping, and the web page does not open on either the real IP or the dedicated VPN IP. I turned off iptables; it didn't help.
Can you tell me what to do? I didn't find any articles on the Internet; maybe I didn't search correctly, but all the articles on the topic are about "how to set up your own VPN server".
You send SSH traffic through the interface with the "real" IP and wrap all the rest of the traffic into your VPN (you set the default route on the OpenVPN interface). At the other end, you write a rule for port 80 and forward it to the VDS connected to the VPN.
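The split described in this answer can be done with source-based policy routing: the VPN keeps the default route, while anything that leaves with the real IP as its source (SSH replies) is routed out through eth0's gateway. This is an added example, not code from the post or from the VPN provider; the addresses come from the routing table and ifconfig output in the question, and the table id and rule priority are arbitrary choices.

```shell
#!/bin/bash
# Added example (not from the original post): keep the VPN as default route but make
# connections that reach the real IP on eth0 answer over eth0 again, using
# source-based policy routing. Addresses are taken from the question's routing table
# and ifconfig; WAN_TABLE and RULE_PRIO are assumed values.
set -eu

WAN=eth0
WAN_IP=40.30.20.198      # real IP on eth0 (netmask /32, so the gateway needs a host route)
WAN_GW=40.30.20.193      # eth0 gateway from the question's routing table
WAN_TABLE=100            # assumed: any unused table id (1-252)
RULE_PRIO=100            # assumed: anything below 32766 (the "main" table rule) wins first

# Emit the commands instead of running them, so they can be reviewed and tested.
policy_routing_cmds() {
    # Table 100 mirrors the eth0 part of the main table: a host route to the gateway,
    # then a default via it. The VPN's two /1 routes (redirect-gateway def1) stay in main.
    echo "ip route replace $WAN_GW dev $WAN scope link table $WAN_TABLE"
    echo "ip route replace default via $WAN_GW dev $WAN table $WAN_TABLE"
    # Every packet whose source is the real IP (SSH replies, for one) is routed by
    # table 100. This also keeps strict rp_filter happy for inbound packets on eth0,
    # because the reverse lookup uses the real IP as source and hits the same rule.
    echo "ip rule add from $WAN_IP lookup $WAN_TABLE priority $RULE_PRIO"
}

# Apply idempotently: remove any earlier rule with our priority before re-adding it.
apply_policy_routing() {
    ip rule del priority "$RULE_PRIO" 2>/dev/null || true
    policy_routing_cmds | while read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
    ip route flush cache 2>/dev/null || true
}

case "${1:-show}" in
    apply) apply_policy_routing ;;
    show)  policy_routing_cmds ;;   # default: only print what would be run
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with `apply` once at boot (on CentOS 7, for example from /etc/rc.d/rc.local after making that file executable); the rules do not depend on tap0, so they survive VPN reconnects. With this in place, the `-i $VPN --dport 2082` and `-i $WAN --dport 80` lines in the iptables script can be dropped so that SSH really is reachable only on the real IP and the web server only via the VPN.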
After all, the problem was with port forwarding on the VPN server side. Now the VDS connects to the VPN and the site opens. It remains to make SSH work directly.
The hoster recommended deleting the default route in the ovpn config, but then it is not clear how to route the traffic for the web server via ovpn?
OpenVPN Config
client
remote 77.77.77.202 443
proto tcp
dhcp-option DNS 8.8.8.8
redirect-gateway def1
ca in_ca.crt
cert in_123.crt
key in_123.key
ns-cert-type server
dev tap
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 4
mute 20
iptables configuration script
#!/bin/bash
#
# Declaring variables
export IPT="iptables"
# The interface that looks at the Internet
export WAN=eth0
export WAN_IP=40.30.20.198
# VPN connection interface
export VPN=tap0
export VPN_IP=10.10.10.200
# Clearing all iptables chains
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Set default policies for traffic that does not comply with any of the rules
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# allowing local traffic for loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# We allow outgoing connections from the server itself
$IPT -A OUTPUT -o $WAN -j ACCEPT
$IPT -A OUTPUT -o $VPN -j ACCEPT
# The ESTABLISHED status indicates that this is not the first packet in the connection.
# Skip all already initiated connections, as well as their children
$IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing packets of already initiated connections and their children
$IPT -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding for already initiated and their child connections
$IPT -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
# Clamp the TCP MSS to the path MTU; needed because of the differing MTU values
$IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Discard all packets that cannot be identified
# and therefore cannot have a certain status.
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
# Non-SYN packets in the NEW state only tie up system resources until real
# data exchange becomes impossible, so we drop them
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# Opening the SSH port
$IPT -A INPUT -i $WAN -p tcp --dport 2082 -j ACCEPT
$IPT -A INPUT -i $VPN -p tcp --dport 2082 -j ACCEPT
# Opening the port for DNS
$IPT -A INPUT -i $WAN -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i $VPN -p udp --dport 53 -j ACCEPT
# Opening the port for NTP
$IPT -A INPUT -i $WAN -p udp --dport 123 -j ACCEPT
$IPT -A INPUT -i $VPN -p udp --dport 123 -j ACCEPT
# Allow responding to PING
$IPT -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 8/0 -j ACCEPT
# VPN pings do not pass in any case
# Opening a port for the WEB
$IPT -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $VPN -p tcp --dport 80 -j ACCEPT
# Opening the FTP port
# $IPT -A INPUT -i $WAN -p tcp --dport 21 -j ACCEPT
# $IPT -A INPUT -i $VPN -p tcp --dport 21 -j ACCEPT
# Logging
# Everything that is not allowed but tries to get through is sent to the undef chains
# $IPT -N undef_in
# $IPT -N undef_out
# $IPT -N undef_fw
# $IPT -A INPUT -j undef_in
# $IPT -A OUTPUT -j undef_out
# $IPT -A FORWARD -j undef_fw
# Log everything from undef
# $IPT -A undef_in -j LOG --log-level info --log-prefix "-- IN -- DROP "
# $IPT -A undef_in -j DROP
# $IPT -A undef_out -j LOG --log-level info --log-prefix "-- OUT -- DROP "
# $IPT -A undef_out -j DROP
# $IPT -A undef_fw -j LOG --log-level info --log-prefix "-- FW -- DROP "
# $IPT -A undef_fw -j DROP
# Save the rules
/sbin/iptables-save > /etc/sysconfig/iptables
Routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.10.10.1 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 40.30.20.193 0.0.0.0 UG 0 0 0 eth0
10.96.0.0 0.0.0.0 255.224.0.0 U 0 0 0 tap0
40.30.20.193 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
77.77.77.202 40.30.20.193 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.10.10.1 128.0.0.0 UG 0 0 0 tap0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 40.30.20.198 netmask 255.255.255.255 broadcast 40.30.20.255
inet6 fe80::5054:ff:fe0c:3f41 prefixlen 64 scopeid 0x20<link>
ether 52:54:00:0c:3f:41 txqueuelen 1000 (Ethernet)
RX packets 4046 bytes 893834 (872.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1974 bytes 175476 (171.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.200 netmask 255.224.0.0 broadcast 10.127.255.255
inet6 fe80::40a7:62ff:fe2c:81be prefixlen 64 scopeid 0x20<link>
ether 42:a7:62:2c:81:be txqueuelen 100 (Ethernet)
RX packets 2972 bytes 489800 (478.3 KiB)
RX errors 0 dropped 18 overruns 0 frame 0
TX packets 103 bytes 25054 (24.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0