VPS static IP port forwarding through IPsec tunnel

ipsec
firewall

(Mark Albrecht) #1

Site A is a VPS (NethServer) and has a static IP, Site B (NethServer) does not have a public IP. Site A and B are joined by a NethServer IPsec tunnel. I have set up port forward rules but that did not seem to work (the remote servers are pointed to NethServer as gateway). Does anyone know if we can forward ports from Site A to Site B with NethServer?


(Markus Neuberger) #2

You may need port forwarding from NethServer A to the site B public IP and from the router on site B to your NethServer B.

Some thoughts:
On a VPS you only have one interface, which puts NS in server mode instead of gateway mode, so port forwarding may not work that way.
And it should work through VPN, so maybe you need some firewall rules to allow traffic between the local network and the VPN, or a dummy interface on the VPS.

I’ll test it if I find time…


(Michael Kicks) #3

Are you dependent on IPsec? Or could you also try OpenVPN as an alternative?
Without NAT-T support (and a port forward of UDP 4500) sometimes IPsec does not spin the wheel properly…


(Mark Albrecht) #4

Thank you for the reply Markus, the VPS used is Vultr and I have the Vultr private IP option, so two NICs, and the NethServers are both running in gateway mode.

I will elaborate some more. I can ping from NethServer A to internal Site B machines without issue. I just have not been able to find a config that allows external port forwarding from Site A to Site B. The NethServer on site A accepts Site B IP addresses (via firewall objects) in the port forward configuration but does not seem to act as I would have hoped.

With iptables entries we can do this type of routing, but I would not think it would be a good idea to overwrite NethServer.


(Mark Albrecht) #5

Thank you for the reply Michael,

My first choice was OpenVPN but was unable to establish a connection.

I will elaborate some more. With the IPsec tunnel I can ping from NethServer A to internal Site B machines without issue. I just have not been able to find a config that allows external port forwarding from Site A to Site B. So I believe the underlying VPN link is OK, but yes, maybe not, as IPsec can be a bit of a pain…

The NethServer on site A accepts Site B IP addresses (via firewall objects) in the port forward configuration but does not seem to act as I would have hoped.

With iptables entries we can do this type of routing, but I would not think it would be a good idea to overwrite NethServer.
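As an added example (not from this thread and not NethServer's own configuration), here are the raw iptables rules the "forward from Site A to Site B" case needs on the VPS, with constructed placeholder interface names and addresses. The point it shows is why a plain port forward tends to fail across a policy-based IPsec tunnel: a DNAT alone leaves the Internet client's source address on the packet, which does not match the tunnel's traffic selectors (Site A LAN to Site B LAN), so the packet is never encapsulated, or the Site B host answers via its default route rather than back through the tunnel. SNATing the forwarded traffic to Site A's tunnel-side address keeps both directions inside the selectors. The script prints the rules for review and only applies them with APPLY=1, since hand-added rules are overwritten when the distribution regenerates its firewall, which is the concern raised in the post.

```shell
#!/bin/sh
# Added example, not from the thread or from NethServer: generate (and
# optionally apply) the iptables rules that publish a port on the VPS and
# hand the traffic to a host behind the IPsec tunnel at Site B.
# All interface names and addresses below are constructed placeholders.

WAN_IF="${WAN_IF:-eth0}"                  # VPS public interface (assumption)
LAN_A_IP="${LAN_A_IP:-10.0.1.1}"          # Site A address inside the tunnel selectors
SITE_B_NET="${SITE_B_NET:-10.0.2.0/24}"   # Site B LAN reached through the tunnel

# is_port VALUE -> succeeds if VALUE is a decimal port number 1..65535
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
  return 1
}

# build_forward_rules PROTO PUBLIC_PORT TARGET_IP TARGET_PORT
# Prints one iptables command per line; returns 1 on bad input.
build_forward_rules() {
  proto=$1; pub_port=$2; target=$3; tport=$4
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  if ! is_port "$pub_port" || ! is_port "$tport"; then return 1; fi

  # 1. DNAT: rewrite the destination of inbound traffic on the public interface.
  printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$proto" "$pub_port" "$target" "$tport"

  # 2. SNAT: make the forwarded packet originate from Site A's tunnel-side
  #    address so it matches the IPsec selectors (Site A LAN <-> Site B LAN)
  #    and the Site B host's reply comes back through the tunnel instead of
  #    its default route.
  printf 'iptables -t nat -A POSTROUTING -d %s -p %s --dport %s -j SNAT --to-source %s\n' \
    "$target" "$proto" "$tport" "$LAN_A_IP"

  # 3. FORWARD: allow the new connection inbound and its replies outbound.
  printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
    "$WAN_IF" "$target" "$proto" "$tport"
  printf 'iptables -A FORWARD -s %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
    "$SITE_B_NET"
}

# Usage: sh forward.sh tcp 8443 10.0.2.10 443      (prints the rules)
#        APPLY=1 sh forward.sh tcp 8443 10.0.2.10 443   (applies them)
if [ "$#" -eq 4 ]; then
  if [ "${APPLY:-0}" = "1" ]; then
    build_forward_rules "$@" | sh -e
  else
    build_forward_rules "$@"
  fi
fi
```

Note that rule 2 costs you the real client address in Site B's logs; the alternative is to add the VPS public address (or the whole Internet) to the IPsec traffic selectors on both ends so the DNATed packet matches without SNAT, which is a tunnel-configuration change rather than a firewall one.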


(Michael Kicks) #6

@markareait, why should you forward ports between sites if you have a tunnel?
Anyway, could it be… just a matter of firewall rules to achieve the connections that you need inside the tunnel? (IPsec or OpenVPN do not change the need to set up a correct firewall policy.)