Hi,

On 11/10/16 15:48, debbie10t wrote:
> Hi
>
> according to this forum post:
> https://forums.openvpn.net/viewtopic.php?f=4&t=22599#p64917
>
> OpenVPN --port-share cannot be used by fail2ban because
> the source port seen by fail2ban is always 127.0.0.1
>
> I do use fail2ban so I know it is highly customisable but
> I do not know if or how it could use the --port-share [dir]
> option from openvpn to apply the real source IP from the
> file created by openvpn.
>
> I am not expecting to be provided an actual config that
> does this but simply to know if it is possible ?
>
> If anybody can shed a little light it would be appreciated.
>

What I suspect that you/the user wants to do is to use fail2ban to filter out unwanted HTTPS connections on a connection/port shared with OpenVPN.

The way port-sharing works is that openvpn listens on port 443, determines whether it's an OpenVPN packet or not, and if it is not, then forwards the packet/connection to some-ip:some-port. However, OpenVPN does not set any proxy headers when forwarding the connection, as it cannot 'interfere' with the SSL connection. The result is that the server will always see as the source address the IP address of the OpenVPN server, and not of the actual client.

This makes it impossible to use fail2ban to filter out unwanted HTTPS/SSL connections. I cannot think of a way around this, nor of a way to patch OpenVPN to allow this to work - other port-sharing software such as sslh suffers from the same limitation.
HTH,
JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
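Added example (not from the thread, not OpenVPN or fail2ban code) illustrating the point JJK makes and the [dir] option debbie10t asks about. It assumes the documented behaviour of `--port-share host port [dir]`: for each proxied connection OpenVPN creates a file in dir whose name is the real client ip:port and whose content is the ip:port of the local connection the backend sees, and removes the file when that connection ends. The share directory, the log line and the addresses below are constructed for the demonstration.

```python
import os
import re
import tempfile

# Assumed layout of the --port-share [dir] directory (see lead-in):
#   file NAME    = real client address, e.g. "203.0.113.7:55120"
#   file CONTENT = proxy-side address the backend sees, e.g. "127.0.0.1:41022"
# The file exists only while the proxied connection is open.
HOSTPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def resolve_origin(share_dir, local_addr):
    """Return the real client 'ip:port' behind a proxy-side address, or None.

    None means no live mapping exists: either the address never came through
    --port-share or the connection has already closed and OpenVPN removed the file.
    """
    for name in os.listdir(share_dir):
        if not HOSTPORT_RE.match(name):
            continue  # ignore anything that is not a client ip:port file
        try:
            with open(os.path.join(share_dir, name)) as f:
                content = f.read().strip()
        except OSError:
            continue  # file vanished between listdir() and open(): connection ended
        if content == local_addr:
            return name
    return None


# Constructed backend log line: the backend logs the *local* source, which is
# all a log scanner such as fail2ban ever gets to see.
SAMPLE_LOG = 'src=127.0.0.1:41022 status=401 req="GET /admin HTTP/1.1"'
LOG_RE = re.compile(r'^src=(?P<local>\S+) status=(?P<status>\d{3})')


def attribute_log_line(share_dir, line):
    """Map one backend log line to the real client via the share directory (or None)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return resolve_origin(share_dir, m.group("local"))


def demo():
    """Show the mapping while the connection is live, and its absence afterwards."""
    with tempfile.TemporaryDirectory() as share_dir:
        # Simulate OpenVPN creating the mapping file for one live proxied connection.
        mapping = os.path.join(share_dir, "203.0.113.7:55120")
        with open(mapping, "w") as f:
            f.write("127.0.0.1:41022")
        while_live = attribute_log_line(share_dir, SAMPLE_LOG)

        # Connection closes: OpenVPN removes the file, the mapping is gone.
        os.unlink(mapping)
        after_close = attribute_log_line(share_dir, SAMPLE_LOG)
    return while_live, after_close


if __name__ == "__main__":
    print(demo())
```

The lookup only works while the proxied connection is still open, which is why it helps an in-process receiver far more than a log scanner: by the time fail2ban reads the log line the file is normally gone, and the backend log itself still only records 127.0.0.1.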