Access services from Internet behind router

Hi all, I would like to access only Nextcloud and SOGo from the Internet, behind my router. My Nethserver 7.9 works on my local network with a fixed IPv4 address.

I can access all services of Nethserver on my local network via https by adding the service's name to the URL (https://myip/nextcloud). The https uses TCP port 443 for all services; there is no separate vhost per service.

When I redirect TCP port 443 to Nethserver's IP address on my router, everybody can see all services from the Internet. I don't like it if someone can see my Nethserver's services that I don't want them to.

How can I make it so that someone can only see the specified services (Nextcloud, SOGo) and not see the other services (Cockpit, phpmyadmin, freepbx, etc.) from the Internet?

Is there a how-to somewhere?

Thank you for help.

OpenVPN road warrior is the key: no NAT translation to your Nethserver, and you use a bridged VPN to connect from outside your local network.

However, if you install fail2ban you have a sustainable security point even if some services are opened to the public side.

Some of the web applications provided by NS have an access property that you can set to private or public. At least my module does.

But would they know public vs. private in a port-forwarding scenario?

Dear stephdl,

I am looking for a solution to a problem which, e.g. on Ubuntu or SUSE, I can solve with a virtual Apache host.

I solve this in the Ubuntu or SUSE Apache config by creating a separate virtual host for each service, using different ports. Then I only route to the server the port that I want to make available from the Internet.

Unfortunately, a single Apache port is used under Nethserver and all services can be accessed through it.
Unfortunately, the same is true when using OpenVPN, because the connected user can access the login page of services that are not allowed for them. I think this is a security risk, because the user can try to connect even though it is disabled in fail2ban.

Can I change access to services by specifying different ports? In this case, it is enough if I redirect only the defined and enabled ports in the router to the server.

Thanks and Regards

Apache cannot run on ports other than 80 and 443 in NS, but in the vhost panel you can restrict it to the local network only.

Hmm, after x attempts it will be banned from all services of Nethserver.

I apologize for my English language deficiencies, but I will try to clearly describe the solutions I have found. So far I have found three solutions to my problem.

  1. Basic solution
    Use Nethserver's built-in solution to separate Internet and local traffic. This implements each feature according to the Red and Green network interface settings.

Pro
With this solution, the built-in features of Nethserver work well; you can set in a graphical interface which network interface they are available on. In this situation, Nethserver works as a router. If you use your own router, this is not the best solution …

Contra
Unfortunately, with this solution, the services that I have installed myself (Nagios, Zoneminder, etc.) are available from all network interfaces, even from the Internet, due to the general settings. I think another problem is that some services are also available through the VPN. I would not allow some services to be accessed via VPN either; I think it's a security risk. I am looking for a solution to this problem!

  2. Apache virtual hosts
    Create an Apache virtual host for each service. To do this, modify the httpd.conf file by adding a new virtual host port to Listen. The lines <VirtualHost *:portnumber> and </VirtualHost> must be added to the Apache configuration of the self-installed network service. Be sure to add the SSLEngine On line.

Pro
This is a standard solution for customizing services, and Apache provides the right tools for the configuration. Unfortunately, due to the Nethserver configuration, the above special procedure must be followed.

Contra
Unfortunately, the Apache configuration has been significantly modified from the original CentOS configuration, therefore you must modify the Apache config files to do this. These settings may change the behavior of Nethserver and may be overwritten when the Nethserver configuration changes. This is not the best solution …

  3. Control access to services
    Apache directives allow you to restrict access to network services. Modify the configuration of your network services so that they are only available from the allowed network address ranges. To do this, you only need to modify the Apache config file of each service; you do not need to modify the Nethserver Apache config. You must change the Require or Follow directive in the Apache file of the network service you have installed, entering the network address range from which you allow or deny access.

Pro
This is a simple, easy task and does not affect the Nethserver configuration.

Contra
If you want to change the availability of Nethserver's built-in network services, you can do so, but the changes may be overwritten when you change the configuration of Nethserver's built-in network services.

Conclusion
I think the best solution is to use solutions 1. and 3. together if you are not using your own router and the Nethserver is connected directly to your ISP’s modem.
If you are using your own router and Nethserver is not performing a traffic management task then I think Solution 3. is the right one.

What do you think about that?

Thanks and Regards
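The following is an added example of solution 3, not configuration from the original post or from the NethServer project: per-path access control with Apache 2.4 `Require` directives (CentOS 7, which NethServer 7 is built on, ships Apache 2.4). It assumes the LAN is 192.168.1.0/24, the OpenVPN client range is 10.8.0.0/24, the self-installed services live under /zm and /nagios, and that the snippet is placed in a drop-in file in /etc/httpd/conf.d/ that no NethServer template regenerates; the file name, networks and paths are all assumptions.

```apache
# Added example (not NethServer's own configuration): restrict individual
# URL paths by client address, so that the login page of a service is never
# even shown to an address range that is not allowed to use it.
# Assumed file: /etc/httpd/conf.d/zz-local-only.conf (loaded after the
# service's own config, so its Require section takes precedence).

# Zoneminder: reachable from the LAN and from VPN clients, nothing else.
<Location "/zm">
    <RequireAny>
        Require ip 192.168.1.0/24
        Require ip 10.8.0.0/24
    </RequireAny>
</Location>

# Nagios: LAN only. A VPN user gets 403 Forbidden instead of a login form.
<Location "/nagios">
    Require ip 192.168.1.0/24
</Location>

# phpmyadmin: only from the server itself (e.g. through an SSH tunnel).
# Caveat from the thread: this path is shipped by a NethServer module whose
# own config may be regenerated; test after every module update.
<Location "/phpmyadmin">
    Require local
</Location>
```

Check it with `apachectl configtest` before `systemctl reload httpd`, then verify from outside the allowed ranges that `curl -k -I https://myip/zm` returns 403 while the same request from the LAN returns 200 or a redirect to the login page. Two caveats: `Require ip` trusts the TCP peer address, so it is only meaningful when clients connect to Apache directly (as here, where the router merely forwards port 443 and no reverse proxy sits in front); and it covers only what Apache serves, so services on their own ports such as Cockpit on 9090 stay unreachable from the Internet only because the router forwards nothing but 443.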

Solution 3 could work too; a vhost can be restricted to the local network, and I think if you set a network in the known networks you will find it too.

I don't like the port way because you must know which port to use, and it is a nightmare in the router: think of forwarding that port and not this one.

If you want security: solution 1, and solution 3 also.

If you want complexity, solution 2 can be done with a simple Apache configuration; then open the port in the firewall.


Unfortunately, Solution 1 is not appropriate for me because I use a separate router on the network and do not want to use Nethserver as a router.

I don’t want to modify the original Nethserver config files so I don’t want to use Solution 2 either.

Solution 3 remains for me, and I see it will work properly and I hope it will be safe. In addition, I will assign the network services I have created to the Nethserver Green network interface. Although it doesn't matter, because I didn't configure the Red network interface … Nethserver doesn't work as a router for me. Of course, it must be thoroughly tested …

Do you think Option 3 will be safe enough on its own? If so, I would recommend this solution to others who have / will have a similar problem …

Best Regards

Open the port UDP 1194 in your router to the Nethserver and create the certificates for your users; install the OpenVPN client for Windows, or simply use Network Manager in Linux.

I suggest you read about OpenVPN road warrior with a bridged configuration. Your clients will have the same IPs as on your LAN.

This configuration is workable with a NS and one green NIC behind your router

How can you state which remote network you will use? The day you are on holiday… in a client's house.

You have only OpenVPN to make a bridge between the local network and the remote networks if you want to protect one from the other.

Maybe it worries you, but it is a single Apache configuration dropped in, like you can do for Apache in other distros, and that is it. Obviously you need to open each TCP port in the firewall of the router and of NS.

The con of this method is that I can scan the ports of your router and finally find which port you use, so it is not really secure.

OpenVPN works great. I redirected the OpenVPN port to Nethserver. I have a Nethserver and only one Green network interface is configured.
Connected users only have access to Nethserver's resources and services.

I only allow openvpn connections so I don’t have to open the ports on the router’s firewall.

Regards

@steve

Hi Steve

As a guy who’s been spending the last 30+ years creating and managing secure networks for clients, I have a major problem with the following statement:

If you’re “handing out” VPN access to users you don’t trust (we are talking about your home network, aren’t we?) that is a security issue, not the fact you’re using VPN or port forwarding…

Why are you allowing “untrusted” users on your Home Network?

As I read it, you're not even using e.g. Let's Encrypt (won't work with only VPN access!), so your Nextcloud data or whatever is more or less "in the clear", or using an insecure CA for SSL access, if you're even using SSL access…

Maybe even using SSL on IPs, not FQDN names… (Shudder!)

My 2 cents
Andy

Dear Andy,

I apologize but my English is not perfect.

I am glad that we both have similar professional experience, including professional time. But I think we have different views on security. I have found that people are curious. If they find a page where you can log in, they will try … I would also like to limit this possibility.

We are not talking about a home network but about the network of our small business. Employees must have access to server services. They currently achieve this remotely, working in a home office. Only the most necessary ports on the router are open and redirected. Therefore, employees can only connect to the server through a VPN. Employees should be trusted but their access should be restricted. Because everyone is curious, employee’s access should be denied which is not necessary for work. If I don’t, the employee can even exclude themselves from the system and can’t work until I fix the problem.

I'm sorry, but I was looking for a solution; although it may have been an exaggeration on my part, for my safety I expected …

Regards

@steve

Hi

If my Hungarian was as good as your English is, I'd be very happy! :)

It’s true that you can’t trust all employees, the larger the company, the worse it gets…
The “human” factor…

A simple custom error page, displaying the FQDN and IP of the computer from which the user is attempting access (and maybe even the VPN login name), and maybe a scary message stating something about "misuse" of company infrastructure / servers / etc., along with the note that a mail may be sent to HR (Human Resources / employee dept) about this "transgression", often works wonders!

NethServer does allow you to assign an individual IP for the VPN (if running in routed mode), that way you have IP-wise track of any users attempting to be a “wise guy”… Not only the internal IP, but also the externally used IP…

As a case in point, take my home server. Accessing it via
https://intranet.r7.anwi.ch/
will display the right page, using an IP or “other” name, eg gw.r7.anwi.ch will display a different page - a catch all, as such accesses are mostly botnets or wannabe hackers…
You’re welcome to copy the contents and adapt as needed…

My 2 cents
Andy

Hi Andy,

thank you, though I know my abilities :)) I am currently using Zentyal, but I have been testing Nethserver for a long time. Unfortunately, none of them is perfect for my purposes, but maybe Nethserver is closer to me. Unfortunately, Zentyal has switched to MySQL 8 and is not supported by some of the programs that we use.

You’re absolutely right. Employees work from home so I can’t control who has access to their laptop. Windows password protection doesn’t provide enough security … I also like Nethserver because I can assign two-step authentication to the VPN connection.

I think that what the user does not see then he will not try. We use a similar solution for a mail server if mail arrives at an address that does not exist. In this case, we do not send a notification to the sender, we just throw the letter in the trash. I think this solution is safer.

Thank you for your suggestion but I don’t want to make the server directly available on the Internet. However, I would be interested in how you solved the Let’s Encrypt certificate for the https://intranet.r7.anwi.ch/ subdomain. My domain is registered but I can’t install a Let’s Encrypt certificate on a local subdomain. Therefore, I use a self-signed certificate on the local network.

Regards

That’s what DNS validation is for. I’ve written up a couple of ways to handle that in Nethserver:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

The built-in Let’s Encrypt support also now has some DNS support, though I haven’t looked into the details.

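To make concrete why DNS validation works for a host that is reachable only via VPN, here is an added example (not from the post, the linked wiki pages, or any NethServer code) that computes offline what a DNS-01 challenge publishes, per RFC 8555 section 8.4: the CA only ever looks up a TXT record in the public zone, so the internal host never needs to accept an inbound connection. The FQDN, token and account-key thumbprint below are constructed placeholders; `openssl` and `base64` are assumed to be installed.

```sh
#!/bin/sh
# Added example: DNS-01 record name and value, computed offline.
#   keyAuthorization = token "." base64url(JWK thumbprint of the ACME account key)
#   TXT value        = base64url(SHA-256(keyAuthorization)), no padding
# Neither the ACME client nor the CA ever contacts the host named by the FQDN.

# base64url(SHA-256(string)) without '=' padding
b64url_sha256() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# Name of the TXT record the CA queries for a given FQDN
dns01_record_name() {
    printf '_acme-challenge.%s' "$1"
}

# Value of that TXT record for a challenge token and an account-key thumbprint
dns01_txt_value() {
    b64url_sha256 "$1.$2"
}

# Constructed sample input (placeholders, not real ACME values)
fqdn="intranet.example.org"
token="evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
thumbprint="nPrXVsz2ODvNqYfLXOcLtJeOMhHJSH9TwpDkbqnxGuA"

# The record to publish in the public example.org zone
echo "$(dns01_record_name "$fqdn") IN TXT \"$(dns01_txt_value "$token" "$thumbprint")\""
```

In practice the client computes this for you: `certbot certonly --manual --preferred-challenges dns -d intranet.example.org` prints the record and waits while you add it, and a client with a DNS provider API automates the step. Before telling the CA to validate, confirm that the record is visible from outside your network, for example with `dig +short TXT _acme-challenge.intranet.example.org @1.1.1.1`. If your DNS host offers no API (the situation the thread ends on), the acme-dns approach in the second wiki link delegates just the `_acme-challenge` name by CNAME to a small DNS server you control, so the one-time CNAME is the only change ever made at the registrar.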

Hi Dan,

thank you for your advice and links.

The local network is separated from the public domain by another subdomain, e.g. the public domain is *.example.org and the local domain is *.intranet.example.org.
Hosts on the local network cannot be accessed from the Internet, only via VPN. The local network is controlled by a router, not by the Nethserver. Nethserver has a single Green network interface. I don't know whether a DNS API is available; my DNS is not hosted on Cloudflare.
If I want to configure the Let's Encrypt certificate on the Nethserver now, then I get a "not valid FQDN" error message after entering the FQDN.

Regards