[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] port-share with

  • Subject: Re: [Openvpn-users] port-share with
  • From: christian <openvpn-users@xxxxxxxxxxx>
  • Date: Sat, 27 Oct 2007 20:10:35 +0200

On Sat, Oct 27, 2007 at 01:27:31PM -0400, Colin Ryan wrote:
> To me your description of what you are using it for is in all practical 
> cases not different than mine.


> This sounds all right "remembering connections", and "reponses to right 
> outbound connection", but in what I'm seeing it simply redirects the web 
> client to the port-share targets, which ultimately must be directly 
> accessible for public IP's and port forwardings/NAT etc.

no, unless the client can reach the target machine *directly*, in 
which case not openvpn would do such a thing, but the tcp/ip stack 
itself (tcpdump/wireshark would show you how).

good - let's see what i'm doing:

- my frontend - one external address - accepts incoming port 443.
- on my frontend, an openvpn server 2.1_rc4 is running with 'port-share'.
- the openvpn server accepts connection requests meant for him.
- the openvpn server proxies/passes on/ reroutes/whatever requests 
  meant for my apache server to the *internal* address of my web server.


       V        (external ip, 443)
| frontend with |
| nat/routing   |
| &firewall     |
       ^        (internal ip, second interface)
       V        (internal ip, 443)
| backend with  |
| web server    |

the firewall rules on the frontend do not reflect an external 
accessability other than '(tcp) external_ip:443'.

> Again, I don't have to have both applications running on 443 but I do 
> wish to have to only have 1 external port available on 1 external IP 
> address and have access to both the web and ovpn service.

that's exactly what i'm doing, i think... ;-)

btw: how do you test it?
not from the 'inside', i hope?
OpenVPN mailing lists