Skip to main content

Tutorial: Create a DMZ in Access Server

Abstract

Use DMZ with NAT to route one or more public IP addresses at the server through the VPN tunnel to a specific client. Here's how.

Overview

An Access Server demilitarized zone (DMZ) uses network address translation (NAT) to send requests coming in on a private or public IP address on the Access Server to a connected VPN client. The idea is to provide an external static IP for a service running on a VPN client in an internal network. Requests made on an IP address that Access Server manages can be forwarded to a service running on the VPN client.

This tutorial describes the two ways to configure a DMZ in the Access Server: via the web interface or via the command line.

Caution

On Amazon AWS, you must adjust the security groups to let traffic pass through. Also, you will have to use the EC2 instance's local private IP address instead of its public IP address.

Note

In our documentation, we use example IPv4 addresses and subnets reserved for documentation, such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.

Ensure you replace them with valid IPv4 addresses and subnets for your network(s).

Prerequisites

  • An installed Access Server

  • Admin Web UI access or console access with root privileges.

  • Configured user accounts.

Option 1: Create a DMZ with the Admin Web UI

In this example, we forward traffic on TCP port 80 on public IP 192.0.2.10 on the Access Server to a particular VPN user.

  1. Sign in to the Admin Web UI.

  2. Click User Management > User Permissions.

  3. Locate the user you want to configure DMZ for and click the icon, More Settings.

  4. Under DMZ Settings, click Yes for Configure DMZ IP address.

  5. Enter the IP address and TCP or UDP port. For example, 192.0.2.10:tcp/80.

For more information about the User Permissions page, refer to User Permissions.User Permissions

Option 2: Create a DMZ with the command-line interface (CLI)

Like the example above, we will forward TCP traffic on port 80 on public IP 192.0.2.10 to a particular VPN user.

The config key dmz_ip.n in the user properties database defines which IP on the VPN server side must forward connections to this particular VPN user. The n indicates it is iterable, meaning you can specify multiple such records for a user. It starts with 0 and counts up from there. The key value is expected in the format of ip:protocol/port. In the examples below, this will become clear.

Caution

Specifying only an IP address to reroute all incoming requests is possible, but you should use this with caution, as it can block access to your Access Server.

  1. Connect to your console with root privileges.

  3. Forward incoming port TCP 80 on 192.0.2.10 to the user:

    ./sacli --user <USER> --key "dmz_ip.0" --value "123.45.67.89:tcp/80" UserPropPut
./sacli start

    • The DMZ rule is now operational for TCP port 80. If an HTTP server runs on that VPN client, you should now be able to access http://192.0.2.10 in your web browser, even outside the VPN system.

    • To remove the rule, delete its relevant key:

      ./sacli --user <USER> --key "dmz_ip.0" ConfigDel
./sacli start

Implementation Notes

  • Both the source and destination IP addresses are routed with NAT. The destination address of incoming packets is translated to the VPN IP address of the client. The source address is translated to the VPN gateway IP address of the first OpenVPN daemon of the Access Server. This means assuming a default configuration of 172.27.224.0/20 for the VPN subnet, the packets will have source IP 172.27.224.1.

  • The DMZ IP address can be any IP address that is on a network interface on the Access Server. When you specify a DMZ IP address with a specific protocol/port defined, only the traffic directed to that protocol/port is routed through. This means that if the DMZ IP address is also bound to an interface on the server, that interface can still handle other traffic.

  • Specifying an IP address only for the DMZ value will redirect all ports to the VPN client. Be aware that if you do this on the IP used by the Access Server itself for its web and VPN tunnel daemons, you would effectively be cutting yourself off from access to your Access Server. You should only do this on secondary IP addresses, not the primary IP address.

  • Clients connected to the VPN with reroute_gw defined can access a DMZ IP address through the tunnel.

  • A DMZ IP address works with a VPN client that uses either a static or dynamic VPN IP address.

  • Access Server ensures that clients don’t declare conflicting DMZ IP addresses.

  • A DMZ on Access Server heavily uses the iptables SNAT, DNAT, and MARK modules.

  • A DMZ on Access Server is subject to NAT limitations, and won’t work with protocols that have problems with NAT like SIP.

In this section: