By:
raycool

How to use Ubuntu Droplet and OpenVPN to give your home NAS -> Public IP

May 11, 2017
VPN Firewall Ubuntu 16.04

Hi guys. I'm new here and this is my first post so please don't get too rough on my idea. Basically the idea is to do as follows:

NAS --->ROUTER(NAT/No Public IP)---->INTERNET----->Droplet(OpenVPN server)-PublicIP
|---------------------------------------OpenVPN-----------------------------------|

Having my NAS on a very good connection but without a public IP, I want to configure it to act as an OpenVPN client and connect to my droplet's OpenVPN server, which would act as both a firewall and provider of a public IP address. Configuring the NAS and creating an OpenVPN server on the droplet is well documented. The hard part for me is when it comes to configuring iptables. I don't really get it and apart from using ufw I don't have any real experience using it. Could you guys be so kind to point me in the right direction with that iptables issue?
Step 1 - how to configure iptables to pass bidirectional traffic between two interfaces
Step 2 - how to configure iptables to pass bidirectional traffic between two interfaces but just on selected ports

Please help ;)

PS. This is an old NAS which is used only for testing some ideas (for those of you who would like to point out that opening one's NAS to the Internet is a bad idea)

1 Answer

@raycool

The idea behind ufw is to remove the more complex, complicated iptables commands that you'd be using under normal circumstances.

Generally, you'll make sure ufw is disabled, that way you don't accidentally lock yourself out.

ufw disable

Check the status to confirm (even though the command above will tell you essentially the same).

ufw status

Now, I like to also make sure that I'm working with a clean slate, so I'll go ahead and do a reset.

ufw reset

Now, setting up the default policies is where we start. The goal is to deny all incoming and allow all outgoing.

ufw default deny incoming
ufw default allow outgoing

If you turned the firewall on at this point, you'd lock yourself out, so let's start by first allowing at least SSH through.

ufw allow 22/tcp

The above command allows access to Port 22 over TCP to anyone. This means incoming/outgoing.

So the default method of allowing a port through is ufw allow followed by a port number, a /, and then the protocol. In most cases, TCP will always be the protocol unless you're dealing with DNS or something else that requires UDP.

So if we wanted to allow 80 (HTTP) and 443 (HTTPS), we could proceed to run:

ufw allow 80/tcp

and

ufw allow 443/tcp

You can swap those ports to match those that you need open.

Once you're done adding rules, you can enable ufw using:

ufw enable

Outgoing connections will always be allowed, so no rules need to be set up there. The purpose of the above is to define ports that we want to allow connections through on.

As long as the ports you're connecting from and to on both servers are open, you'll be okay with the above. Blocked connections would mean that somewhere, you used the above and didn't open up a port.

  • Jtittle thank you very much for that input! This clarifies using ufw pretty nicely! What I'm unable to achieve now is that bidirectional packet transfer between my droplet's eth (public IP etc.) interface and tun interface. The idea is that if I connect to my droplet's public IP I get passed through the OpenVPN (eth to tun) to my NAS. In other words, what I am trying to achieve here is to be able to "knock" directly on the OpenVPN client by connecting to the droplet's public IP (where my OpenVPN server is). Is it possible? Please help ;)
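The eth-to-tun forwarding asked for in the question (steps 1 and 2) and again in this comment, as an added example that is not from the original post or answer: a POSIX shell script that builds the iptables NAT and FORWARD rules for selected ports and prints them for review before anything is applied. It assumes eth0 is the droplet's public interface, tun0 the OpenVPN server interface, and 10.8.0.2 the VPN address the server handed to the NAS; all three are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the thread): forward selected public ports on the droplet
# to the NAS through the OpenVPN tunnel with iptables. Interface names and the NAS's
# VPN address are assumptions; override them via the environment if yours differ.
PUB_IF="${PUB_IF:-eth0}"             # droplet's public interface
VPN_IF="${VPN_IF:-tun0}"             # OpenVPN server interface on the droplet
NAS_VPN_IP="${NAS_VPN_IP:-10.8.0.2}" # address the OpenVPN server assigned to the NAS

# Accept only "tcp:<port>" or "udp:<port>" with a port in 1..65535.
valid_spec() {
  printf '%s\n' "$1" | grep -Eq '^(tcp|udp):[0-9]{1,5}$' || return 1
  port=${1##*:}
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the iptables argument lines (one rule per line) for the given proto:port specs.
# Printing first lets you review the whole rule set before it touches the kernel.
rules_for() {
  # Step 1: drop forwarded traffic by default, but let packets belonging to an
  # already accepted connection flow in both directions between eth0 and tun0.
  echo "-P FORWARD DROP"
  echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Rewrite the source of forwarded packets to the droplet's tunnel address so the NAS
  # replies through the tunnel even if it does not route all its traffic via the VPN.
  # Cost: the NAS sees the droplet's VPN address instead of the original client IP.
  echo "-t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE"
  # Step 2: per selected port, DNAT public-IP traffic to the NAS and allow only that flow.
  for spec in "$@"; do
    valid_spec "$spec" || { echo "bad spec: $spec (want tcp:<port> or udp:<port>)" >&2; return 1; }
    proto=${spec%%:*}; port=${spec##*:}
    echo "-t nat -A PREROUTING -i $PUB_IF -p $proto --dport $port -j DNAT --to-destination $NAS_VPN_IP:$port"
    echo "-A FORWARD -i $PUB_IF -o $VPN_IF -p $proto -d $NAS_VPN_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# Apply the rules (root required). They are not persisted across reboots; use
# iptables-persistent or an OpenVPN "up" script for that.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  rules_for "$@" | xargs -L 1 iptables
}

# Usage:  sh forward.sh tcp:5000 udp:5001          (print rules for review)
#         sh forward.sh --apply tcp:5000 udp:5001  (install them, as root)
if [ "${1:-}" = "--apply" ]; then
  shift
  apply_rules "$@"
elif [ "$#" -gt 0 ]; then
  rules_for "$@"
fi
```

If ufw stays enabled on the droplet it installs its own FORWARD chains (default policy from DEFAULT_FORWARD_POLICY in /etc/default/ufw), so either disable it as the answer does or express the FORWARD lines with `ufw route allow` (ufw 0.34 and later) and keep the nat lines in /etc/ufw/before.rules.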
