Sunday, August 25, 2019

Unable to connect to VPN externally - Connects fine internally. Firewall seems to be configured properly?

Hello all, I'm having some issues with OpenVPN that I hope you can help me solve. I have a bit of a complicated setup, so please let me try and explain.

On the outermost layer is an NGINX Reverse Proxy that sits on GCE. This proxy runs inside a Docker container on a small VM. My domain name, tjzimmerman.com, points at this proxy. This proxy then redirects all traffic to another domain name, tjzimmerman.dev, which points at the external IP of my house. Here are the firewall rules for this virtual machine. And here is the NGINX configuration.

There are two relevant sections; I'll comment on them here:

    stream {
        server {
            proxy_connect_timeout 300s;
            proxy_timeout 300s;
            listen 9443;
            proxy_pass tjzimmerman.dev:9443;
        }
        server {
            proxy_connect_timeout 300s;
            proxy_timeout 300s;
            listen 1194 udp;
            proxy_pass tjzimmerman.dev:1194;
        }
    }

This section takes incoming TCP packets directed to 9443 and UDP packets directed to 1194 and forwards them to tjzimmerman.dev:9443 and tjzimmerman.dev:1194 respectively.

    server {
        listen 443 ssl;
        server_name vpn.tjzimmerman.com;
        location / {
            proxy_pass https://tjzimmerman.dev:943;
            sub_filter </head> '<script language="javascript" src="/analytics.js"></script></head>';
            sub_filter_once on;
        }
    }

This section takes incoming requests to a subdomain, https://vpn.tjzimmerman.com, and redirects them to https://tjzimmerman.dev:943. As you can see, https://vpn.tjzimmerman.com is working without issue. The official NGINX Docker container is also compiled with the required modules to do proxy streaming, as you can see here:

    $> 2>&1 nginx -V | tr -- - '\n' | grep -i stream
    stream
    stream_realip_module
    stream_ssl_module
    stream_ssl_preread_module

Once the traffic hits my external IP, it goes through my router, where I have port-forwarded the required ports, as you can see here.

My router sends the traffic to 192.168.10.10, which is the IP address associated with the OpenVPN server. I am able to connect to the OpenVPN server via this IP address, or its associated hostname, without any issues. Here is an example of a successful connection.

However, if I attempt to connect to my VPN through my Reverse Proxy, or even my external IP Address, it fails and says that the connection was refused.

The only difference between these three OpenVPN profiles is the hostname/IP address, swapped via a search & replace. However, I have attached redacted versions of them here for you to see if you wish:

To make matters even more confusing, nmap always reports that the ports are closed or the host is down, even though I can connect to the VPN via the internal hostname without any issues, and the ports are forwarded on my router.

    $> nmap -p 943 192.168.10.10
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-25 12:01 PDT
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 3.02 seconds

    $> nmap -p 943 24.18.133.202
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-25 12:04 PDT
    Nmap scan report for 24.18.133.202
    Host is up (0.00044s latency).
    PORT    STATE  SERVICE
    943/tcp closed unknown
    Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

However, I'm able to connect to the internal IP via nc just fine, but I'm still not able to connect using my external IP, despite the port being forwarded.

    $> nc -v 192.168.10.10 943
    192.168.10.10 943 open

    $> nc -v 24.18.133.202 9443
    24.18.133.202 9443 (tungsten-https): Connection refused

Anyone know what's going on here? As far as I can tell, all of the firewall stuff is configured just fine, and I have confirmed with my ISP that they are not blocking ingress on 943/TCP or 1194/UDP.
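As an added example (not code from this post), here is a small Python probe that walks the hops described above outermost-first and stops at the first one that does not accept a TCP connection, telling apart a refused connection (an RST came back, so a host answered but nothing was listening or forwarded on that port) from a silent drop (firewall or routing). It assumes the hop labels I chose and only the hosts and TCP ports quoted in the post; UDP 1194 is deliberately not probed, since a UDP connect reports nothing useful, and a probe from inside the LAN against the external address only works if the router does NAT loopback, so it should be run from outside.

```python
"""Hop-by-hop TCP reachability trace for a proxy -> router -> VPN chain.

Added example, not from the original post. Hosts and ports are the ones
quoted in the post; the labels are my own.
"""
import socket
from typing import Callable, List, Tuple

# Each hop is (label, host, port), probed in order, outermost first.
CHAIN: List[Tuple[str, str, int]] = [
    ("gce-proxy (stream 9443)", "tjzimmerman.com", 9443),
    ("home external IP", "24.18.133.202", 9443),
    ("openvpn server (LAN)", "192.168.10.10", 943),
]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect: 'open', 'refused' (RST received: a host
    answered but no listener/forward rule matched the port), 'unresolved'
    (DNS failed) or 'filtered' (no answer at all: dropped or unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"
    except OSError:  # socket.timeout and routing errors land here
        return "filtered"


def trace_chain(chain, probe: Callable[[str, int], str] = tcp_probe):
    """Probe hops in order; stop at the first that is not open.
    Returns [(label, status), ...] so the caller sees where the path breaks."""
    results = []
    for label, host, port in chain:
        status = probe(host, port)
        results.append((label, status))
        if status != "open":
            break
    return results


def explain(results) -> str:
    """One-line reading of a trace_chain() result."""
    if not results:
        return "nothing probed"
    label, status = results[-1]
    if status == "open":
        return "all hops answered on their TCP port"
    if status == "refused":
        return f"{label}: RST received, a host answered but nothing accepts that port there (check its listen/forward rule)"
    return f"{label}: {status}, packets never reached a listener (DNS, firewall or routing)"


if __name__ == "__main__":
    trace = trace_chain(CHAIN)
    for label, status in trace:
        print(f"{label:28} {status}")
    print(explain(trace))
```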
