# web server behind openvpn tunnel



## norbi771 (Jan 25, 2014)

Hello,

I need to create the following setup.
I have a master server which acts as the OpenVPN server.
I have a slave server establishing a VPN tunnel to the master.

I'd like to open web pages located on the slave servers, but access the slaves via the VPN tunnel established to the master.

So with one master and only one slave it would look like this:
Internet ===== [WAN_IP] MASTER [OVPN_IP] ==== OVPN Slave1

At the moment my OpenVPN setup is like the default one and the tunnel is working fine. Master and slave can ping each other. From the master I can telnet to port 80 on the slave and see the response.


Now, assuming that the tunnel is established, I would like to telnet to WAN_IP port 80 and reach the slave's web server that way (telnet 10.1.0.26 80).
It doesn't work.
How can I achieve that?

I thought it would be a simple rdr rule, but it does not work, or I don't understand something.
I was thinking that it might be related to the tun0 device, so I disabled OpenVPN and tried to redirect to another machine in the same network, and it did not work either.
I am running FreeBSD 9.2; forwarding and redirect are set properly:

```
net.inet.ip.forwarding: 1
net.inet.ip.redirect: 1
```

What is wrong?
Could it be that the problem occurs because I am testing my rules from the LAN?
From the LAN the setup looks like this:

my workstation: 10.1.0.66 (from that workstation I am trying to open a browser with the address http://10.1.0.26, which should open the web page served by the slave)
master: 10.1.0.26
slave: 192.168.11.129 (10.8.0.6 is its address from the VPN tunnel)


My pf.conf:


```
ext_if  = "re0"          # interface of the master facing the LAN/WAN
ext_ip  = "10.1.0.26"    # master's address on re0
vpn_if  = "tun0"         # OpenVPN tunnel interface (not used below)
vpn_ip  = "10.8.0.6"     # slave's address inside the tunnel (rdr target)
vpn_net = "10.8.0.0/24"  # tunnel subnet (not used below)
vpn_out = "{ http, https, ssh }"   # not used below
udp_services = "{ domain, ntp }"   # not used below

# redirect every TCP connection arriving on re0 for port 80 to the slave
rdr pass on $ext_if proto tcp from any to any port 80 -> $vpn_ip

# no filtering beyond the redirect
pass in all
pass out all
```


Please advise.

Best regards
Norbert


----------



## free-and-bsd (Jan 25, 2014)

Found this thread here, and this one explaining the matter of redirection and the issues involved, such as trying your external interface from localhost or the local LAN. It says specifically:


> The reason is that redirection rules apply only to packets that pass through the specified interface ($ext_if, the external interface, in the example). Connecting to the external address of the firewall from a host on the LAN, however, does not mean the packets will actually pass through its external interface. The TCP/IP stack on the firewall compares the destination address of incoming packets with its own addresses and aliases and detects connections to itself as soon as they have passed the internal interface. *Such packets do not physically pass through the external interface, and the stack does not simulate such a passage in any way*. Thus, PF never sees these packets on the external interface, and the redirection rule, specifying the external interface, does not apply.


The above seems to apply if you're trying your server's outbound interface from the server itself.
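
Following up on both posts above, here is an added pf.conf for the master as a worked example; it is not from either poster. It keeps the addresses from the thread (re0 = 10.1.0.26, slave = 10.8.0.6 on tun0) and assumes the master's own tun0 address is 10.8.0.1 (OpenVPN's default for a 10.8.0.0/24 server subnet), that OpenVPN listens on the default UDP port 1194, and that the slave's default route does not point into the tunnel. Two points the thread touches on are worked in. First, the rdr only matches packets that actually arrive on re0, so a test run on the master itself never hits it, while a test from 10.1.0.66 on the same segment does. Second, once the redirect fires the slave sees the workstation's address 10.1.0.66 as the client; if it has no route for 10.1.0.0/24 back through the tunnel it answers via its own default gateway and the TCP handshake never completes. A `nat on tun0` rule makes the slave answer to the master instead, which is the missing piece when the rdr alone "does not work".

```pf
# Added example for the master's /etc/pf.conf (FreeBSD 9.x pf syntax).
# Not the poster's configuration. Addresses are taken from the thread;
# 10.8.0.1 and UDP port 1194 are ASSUMPTIONS about the OpenVPN server.
ext_if        = "re0"
ext_ip        = "10.1.0.26"
vpn_if        = "tun0"
master_vpn_ip = "10.8.0.1"     # assumed: master's end of the tunnel
slave_vpn_ip  = "10.8.0.6"     # slave's tunnel address (from the post)
lan_net       = "10.1.0.0/24"

set skip on lo0

# pf evaluates translation rules (rdr, nat) before the filter rules.

# 1) Redirect. Only packets that ENTER the master on re0, addressed to the
#    master's own re0 address, are matched. A test run on the master itself
#    never traverses re0 and is never redirected; test from the workstation.
#    "pass" on the rdr lets the redirected packets skip the filter rules
#    below and creates state for the connection.
rdr pass on $ext_if proto tcp from any to $ext_ip port 80 \
    -> $slave_vpn_ip port 80

# 2) Return path. After the rdr the slave sees the real client address
#    (10.1.0.66). Unless the slave routes 10.1.0.0/24 back into the tunnel,
#    its SYN/ACK leaves via its own default gateway and the connection hangs.
#    Source-NAT the redirected flow to the master's tunnel address so the
#    slave always replies to the master over tun0.
nat on $vpn_if proto tcp from any to $slave_vpn_ip port 80 \
    -> $master_vpn_ip

# Filter: default deny inbound on re0, allow only what is needed.
block in log on $ext_if
pass in on $ext_if proto udp from any to $ext_ip port 1194   # OpenVPN (assumed port)
pass in on $ext_if proto tcp from $lan_net to $ext_ip port ssh   # management from LAN
pass in on $vpn_if                                               # traffic from tunnel peers
pass out all
```

Check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, confirm the two translation rules with `pfctl -sn`, and run `tcpdump -nni tun0 port 80` on the master while the workstation connects: the SYN should leave with source 10.8.0.1 and the SYN/ACK should come back on the same interface. Seeing only the SYN means the slave's reply is still going elsewhere. Since the rdr exposes the slave's web server to every host that can reach re0 on port 80, narrow `from any` to the networks that actually need access once it works.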


----------

