Hi,

On 11/10/16 17:42, debbie10t wrote:
> On 11/10/16 15:04, Jan Just Keijser wrote:
>> On 11/10/16 15:48, debbie10t wrote:
>>> according to this forum post:
>>> https://forums.openvpn.net/viewtopic.php?f=4&t=22599#p64917
>>>
>>> OpenVPN --port-share cannot be used by fail2ban because
>>> the source port seen by fail2ban is always 127.0.0.1
>>>
>>> I do use fail2ban so I know it is highly customisable but
>>> I do not know if or how it could use the --port-share [dir]
>>> option from openvpn to apply the real source IP from the
>>> file created by openvpn.
>>>
>>> I am not expecting to be provided an actual config that
>>> does this but simply to know if it is possible?
>>>
>>> If anybody can shed a little light it would be appreciated.
>>>
>> what I suspect that you/the user wants to do is to use fail2ban to
>> filter out unwanted HTTPS connections on a connection/port shared with
>> OpenVPN.
>> The way port-sharing works is that openvpn listens on port 443,
>> determines whether it's an OpenVPN packet or not, and if it is not, then
>> forwards the packet/connection to some-ip:some-port. However, OpenVPN
>> does not set any proxy headers when forwarding the connection, as it
>> cannot 'interfere' with the SSL connection. The result is that the
>> server will always see as the source address the IP address of the
>> OpenVPN server, and not of the actual client. This makes it impossible
>> to use fail2ban to filter out unwanted HTTPS/SSL connections.
>> I cannot think of a way around this, nor of a way to patch OpenVPN to
>> allow this to work - other port-sharing software such as sslh suffers
>> from the same limitation.
>>
>
> Thanks for your reply JJK and what you say makes obvious sense.
>
> I do wonder however, the OP's original comment that Quote:
>
> ---
> A) ubuntu 14.04 with openvpn 2.3.2
> B) ubuntu 16.04 with openvpn 2.3.10
>
> Both use Port 443 for OpenVPN and share that port with apache at port
> 10443.
> So Both Servers use the OPENVPN-Config "port-share 10443" parameter
> It works perfect both servers.
>
> But Server A logs any https access in the apache-access-log log with
> the correct IP from the access-client
> Server B logs always 127.0.0.1
> ---
>
> That reads to me as:
> ovpn-2.3.2 forwards the packet with the source IP of the client!
>
> That is why I was more than usually curious ..
> Is it likely that ovpn-2.3.2 did port-sharing incorrectly?
>
> (I understand 2.3.2 is a long time ago but possibly a Dev remembers
> something useful here)
>

I've just downloaded and built 2.3.2 and see no difference between 2.3.2 and 2.3.10 - the remote address logged by the HTTPS server is the address of the OpenVPN server (acting as proxy), not that of the actual client.
Also, AFAIK the port-sharing code has not been touched in a long time (I've used it in v2.1+) so my bet is that this behaviour has not changed. It could be that Debian/Ubuntu added a patch to OpenVPN 2.3.2 but I doubt it.
HTH,
JJK
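debbie10t asks whether a filter could use the per-connection file that the optional `--port-share host port dir` argument makes OpenVPN write. The following is an added example, not code from this thread or from OpenVPN or fail2ban: it maps the proxy-side source port that the backend sees back to the real client address using those files. It assumes that each journal file is named after the proxy-side source port (as `PORT` or `IP:PORT`) and contains the client's `IP:PORT`, and that Apache has been told to log the peer port next to the peer address (for example `LogFormat "%h:%{remote}p %l %u %t \"%r\" %>s %b"`); both are assumptions, and the journal files and log lines below are constructed sample data.

```python
import os
import re
import tempfile

# Matches a log line whose first field is "peer-ip:peer-port" (assumed LogFormat).
LOG_RE = re.compile(r'^(?P<ip>\S+):(?P<port>\d+) (?P<rest>.*)$')

def load_journal(journal_dir):
    """Read the per-connection files in the --port-share dir into a table of
    backend-side source port -> real client 'IP:PORT'.  Assumption: the file
    name is 'PORT' or 'IP:PORT' and the content is the client address."""
    table = {}
    for name in os.listdir(journal_dir):
        port = name.rsplit(':', 1)[-1]
        if not port.isdigit():
            continue                      # not a journal file, skip it
        with open(os.path.join(journal_dir, name)) as fh:
            table[int(port)] = fh.read().strip()
    return table

def resolve_line(line, table):
    """Replace the proxy's 127.0.0.1:PORT with the real client IP so a
    fail2ban-style regex can ban the origin host.  Lines with no journal
    entry (direct connections, unparsable lines) are returned unchanged."""
    m = LOG_RE.match(line)
    if not m:
        return line
    real = table.get(int(m.group('port')))
    if real is None:
        return line
    real_ip = real.rsplit(':', 1)[0].strip('[]')   # also handles "[v6]:port"
    return f"{real_ip} {m.group('rest')}"

def demo():
    """Constructed sample: two journal files plus three access-log lines."""
    with tempfile.TemporaryDirectory() as journal_dir:
        for name, origin in (('127.0.0.1:40001', '203.0.113.7:51234'),
                             ('40002', '[2001:db8::1]:4433')):
            with open(os.path.join(journal_dir, name), 'w') as fh:
                fh.write(origin)
        table = load_journal(journal_dir)
        lines = [
            '127.0.0.1:40001 - - [11/Oct/2016:17:42:00 +0200] "GET /login HTTP/1.1" 401 0',
            '127.0.0.1:40002 - - [11/Oct/2016:17:42:01 +0200] "GET / HTTP/1.1" 200 512',
            '198.51.100.9:55555 - - [11/Oct/2016:17:42:02 +0200] "GET / HTTP/1.1" 200 512',
        ]
        return [resolve_line(l, table) for l in lines]

if __name__ == '__main__':
    print('\n'.join(demo()))
```

OpenVPN keeps each journal file only while that proxied connection is open, so the lookup has to run at the moment the line is logged rather than over an old log file.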