Vpn Issue

rrhill

My goal is to close all ports on my OS Server system except HTTP and VPN. Then, for remote server administration, allow access via VPN to ssh, Server Admin, Timbuktu, MySQL and a few other services. This would allow my secure remote access to the administration functions from anywhere in the world and lock down all but public ports. Currently, I come close by only allowing HTTP to public and allowing admin access for specified IP addresses through the firewall. However, when travelling, I have no idea what IP address I may be on, so this is less than ideal.

I have set up VPN on OS X Server 10.3.9. I can connect to the server using VPN from the built-in VPN client in 10.4.2. I am assigned the VPN IP address (can check with ifconfig -a). However, I cannot access functions on the server as I expect.

If I assign the VPN address to an existing, real, unused IP address in my LAN range, then I can access all external network features (web, Timbuktu). If I connect to an external web site that reflects my IP, it gives me the VPN assigned IP. However, if I try and ssh to the server (or Timbuktu, or any other "direct access to the server") the connection will fail unless I have either opened the ports in the firewall to all traffic or I leave the firewall rules for the local IP intact. So, if I have a firewall rule allowing my normal, non-VPN address to access SSH (call it L.L.L.L), all will be fine. If I deny SSH access to L.L.L.L and open access for SSH for the VPN assigned address (call it V.V.V.V) I am unable to SSH to the server once I am connected via VPN. The firewall logs the attempt as denying access from L.L.L.L. So, internally, the server still is seeing the remote system as L.L.L.L not V.V.V.V.

I have also tried assigning the VPN address to an IP in a private, unused range (192.168.3.2 for instance). Then, I have access to nothing, basically. This would be my ideal solution. Come in via VPN, be assigned an IP in a private range, administer the server, not necessarily see any other parts of the LAN (although that's OK).

Any ideas why this doesn't work?
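The post's diagnostic is the firewall log line: the deny is recorded against L.L.L.L, so the server is classifying the VPN client by its LAN address rather than the pool address the VPN handed out. The script below is an added example, not part of the post, that does that check systematically over ipfw-style deny lines and also emits the ruleset the post is aiming for (HTTP public, admin services only from the VPN pool, everything else denied). The LAN range (10.0.1.0/24), the VPN pool (192.168.3.0/24, taken from the private range the post mentions), the log lines and the rule numbers are constructed; only ssh (22) and MySQL (3306) are listed as admin ports, and the VPN transport ports are the standard L2TP/IPsec and PPTP ones.

```python
"""Check which address range an ipfw firewall attributes denied admin
connections to, and print the intended VPN-only admin ruleset.

Added example; addresses, log lines and rule numbers are constructed."""
import ipaddress
import re

# Assumed address plan (placeholders, not taken from the post):
LAN_NET = ipaddress.ip_network("10.0.1.0/24")      # where L.L.L.L lives
VPN_POOL = ipaddress.ip_network("192.168.3.0/24")  # where V.V.V.V is handed out
ADMIN_PORTS = {22: "ssh", 3306: "mysql"}           # admin services to protect

# ipfw log lines look like:
#   ipfw: 65000 Deny TCP 10.0.1.50:50123 10.0.1.2:22 in via en0
LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>Accept|Deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
)

# Constructed sample log (syslog prefix + ipfw message).
SAMPLE_LOG = [
    "Aug  1 10:00:01 server ipfw: 100 Accept TCP 203.0.113.7:40000 10.0.1.2:80 in via en0",
    "Aug  1 10:00:05 server ipfw: 65000 Deny TCP 10.0.1.50:50123 10.0.1.2:22 in via en0",
    "Aug  1 10:00:09 server ipfw: 65000 Deny TCP 192.168.3.2:50124 10.0.1.2:3306 in via ppp0",
    "Aug  1 10:00:12 server ipfw: 65000 Deny TCP 203.0.113.7:40001 10.0.1.2:22 in via en0",
]


def parse_line(line):
    """Parse one ipfw log line into a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec


def classify(addr):
    """Say which range the firewall saw the source address in."""
    if addr in VPN_POOL:
        return "vpn"
    if addr in LAN_NET:
        return "lan"
    return "other"


def audit(lines):
    """One finding per denied connection to an admin port: which rule fired,
    which service was targeted, and which range the source fell into.  A
    'lan' finding for a client that is connected over the VPN is the
    symptom the post describes: rules keyed on the VPN pool never match."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny" or rec["dport"] not in ADMIN_PORTS:
            continue
        findings.append({
            "rule": rec["rule"],
            "service": ADMIN_PORTS[rec["dport"]],
            "src": str(rec["src"]),
            "seen_as": classify(rec["src"]),
        })
    return findings


def intended_rules():
    """ipfw rules for the policy in the post: loopback and established
    traffic pass, HTTP and the VPN transport are public, admin ports are
    reachable only from the VPN pool, and everything else inbound is denied."""
    rules = [
        "add 50 allow ip from any to any via lo0",
        "add 60 allow tcp from any to any established",
        "add 100 allow tcp from any to any 80 in",
        # L2TP/IPsec transport
        "add 110 allow udp from any to any 1701,500,4500 in",
        "add 111 allow esp from any to any in",
        # PPTP transport
        "add 120 allow tcp from any to any 1723 in",
        "add 121 allow gre from any to any in",
    ]
    number = 200
    for port in sorted(ADMIN_PORTS):
        rules.append(f"add {number} allow tcp from {VPN_POOL} to any {port} in")
        number += 10
    rules.append("add 65000 deny ip from any to any in")
    return rules


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    print("\n".join(intended_rules()))
```

Run it against the real log (`grep ipfw /var/log/system.log`, or wherever ipfw logs on your build) instead of SAMPLE_LOG: a VPN session whose denied ssh attempt comes back as `seen_as: lan` confirms that the packet reached the firewall with the LAN source address, so a rule written for the VPN pool cannot be the one that admits it.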