Jim
  • 13
  • 4

Bypass server VPN to access its HTTP port externally

I'm running a home server with FreeBSD 12.1 and OpenVPN. OpenVPN runs strictly on the server; the rest of my home network is non-VPN.

I'm a noob with web servers, and am fooling around with using the server in that capacity via lighttpd. I set up the web server for port 8080 (my ISP keeps 80 closed), and set my DD-WRT router to forward incoming port 8080 to server port 8080.

What I want is to have my server do double duty as a VPN server and non-VPN webserver.

But the web server only works through my router's external IP (with ":8080" added) if I stop OpenVPN. It also works if I use my VPN IP (with ":8080" added), but that IP always changes when the server or OpenVPN restarts, so that's not practical.

In my rc.conf I have:

firewall_enable=yes
firewall_nat_enable=yes
gateway_enable=yes

(I'm unsure if the last two are even needed)

My ipfw rules are very basic. I set them up essentially as "kill-switches" for my torrent and NZB traffic if openvpn stops:

00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun0
00101 allow ip from me to 192.168.1.0/24 uid transmission
00102 allow ip from 192.168.1.0/24 to me uid transmission
00103 deny ip from any to any uid transmission
00104 allow ip from me to 192.168.1.0/24 uid sabnzbd
00105 allow ip from 192.168.1.0/24 to me uid sabnzbd
00106 deny ip from any to any uid sabnzbd

Here's my ifconfig:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81049b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,VLAN_HWFILTER>
        ether xx:xx:xx:xx:xx:xx
        inet 192.168.1.250 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::xxxx:xxxx:xxxx:xxxx%tun0 prefixlen 64 scopeid 0x3
        inet xx.xxx.xx.xx --> xx.xxx.xx.xx netmask 0xffffffe0
        groups: tun
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 4074

Is there any way this can work? Or would I be forced to have a separate webserver?

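The symptom described in the question is asymmetric routing: the router forwards the request to 192.168.1.250:8080 on em0, but lighttpd's reply follows the server's default route, which OpenVPN has moved onto tun0, so it never goes back through the router. Policy routing fixes this without a second machine. The following ipfw rule set is an added example, not part of Jim's post: it keeps the kill-switch rules from the question and adds an `fwd` rule that sends only the web server's replies to outside clients to the LAN gateway. It assumes the DD-WRT router is 192.168.1.1 and that OpenVPN installs a default route via tun0 (redirect-gateway); neither is stated in the post.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw rule set for FreeBSD 12
# that keeps the kill-switch rules from the question and policy-routes
# lighttpd's replies out em0 (the router) instead of into tun0.
#
# Assumptions not stated in the post: the DD-WRT router is 192.168.1.1 and
# OpenVPN has replaced the default route with one via tun0.
#
# Dry run by default (prints the ipfw commands it would run). To apply:
#   FWCMD="ipfw -q" sh /etc/ipfw.rules
# or set firewall_script="/etc/ipfw.rules" in rc.conf so it replaces
# rc.firewall at boot.

lan_gw="192.168.1.1"        # assumption: router's LAN address
server_ip="192.168.1.250"   # em0 address from the ifconfig in the post
lan_net="192.168.1.0/24"
web_port="8080"
fwcmd="${FWCMD:-echo ipfw}"

# Prints one ipfw rule per line. Rule numbers, not print order, decide the
# order in which ipfw evaluates them.
ruleset() {
    echo "add 00001 allow ip from any to any via lo0"
    # Replies from the web server to anything outside the LAN: change the
    # next hop to the router so they leave via em0 with their original
    # source address, which the router's NAT translates back. Numbered
    # below 00010 because "allow ... via tun0" would otherwise accept the
    # reply on its way into the tunnel before this rule is consulted.
    # fwd needs no kernel option on FreeBSD 9 and later.
    echo "add 00005 fwd ${lan_gw} tcp from ${server_ip} ${web_port} to not ${lan_net} out"
    # Requests forwarded by the router arrive on em0; allow them explicitly
    # so the rule set does not depend on the default policy being accept.
    echo "add 00006 allow tcp from any to ${server_ip} ${web_port} in recv em0"
    # Original rules from the question, unchanged.
    echo "add 00010 allow ip from any to any via tun0"
    echo "add 00101 allow ip from me to ${lan_net} uid transmission"
    echo "add 00102 allow ip from ${lan_net} to me uid transmission"
    echo "add 00103 deny ip from any to any uid transmission"
    echo "add 00104 allow ip from me to ${lan_net} uid sabnzbd"
    echo "add 00105 allow ip from ${lan_net} to me uid sabnzbd"
    echo "add 00106 deny ip from any to any uid sabnzbd"
}

# Flushes the current rules and loads the set above, one ipfw call per rule.
apply_rules() {
    ${fwcmd} -f flush
    ruleset | while IFS= read -r rule; do
        # Unquoted on purpose: each word of the rule is a separate ipfw argument.
        ${fwcmd} ${rule}
    done
}

apply_rules
```

After applying, confirm the path with `ipfw show`: the packet counter on rule 00005 should climb while a remote client connects, and `tcpdump -ni tun0 tcp port 8080` should stay silent while `tcpdump -ni em0 tcp port 8080` shows both directions. The same result can be had with a second routing table (`net.fibs=2` in loader.conf and starting lighttpd under `setfib 1`), but a single `fwd` rule is the smaller change to a rule set that already exists.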