Cannot access Apache2 intranet site via VPN (can access other local resources)

apache-2.2pptpvpn

I'm having some problems accessing my Apache2 intranet site when connected to my network's VPN server.

My setup/environment:

ASUS RT-66U router with PPTP VPN server.
Debian server with apache 2.2 as "intranet server".
LAN addresses are in the 10.0.0.0 network.

The intranet site on the Apache2 server is configured so that only the LAN addresses have access (as below):

Order deny,allow
Deny from all

Allow from localhost

# IPv4
Allow from 127.0.0.0/8       # IPv4 Loopback Addresses
Allow from 169.254.0.0/16    # IPv4 Link-local Addresses
Allow from 10.0.0.0/8        # IPv4 Normal LAN Address Space

My ASUS RT-660U router is setup with a built-in PPTP VPN server, and I'm connecting to it with the Windows 7 built-in VPN client.

The VPN connection works fine with regards to the LAN; I can access network shares, SSH to the Linux/Apache2 server, and access the router's web interface at 10.0.0.1. So far, so good.

However, I cannot access the intranet virtual site on the Apache2 server. I can access this when connected to the LAN, and from the outside I get the 403 Forbidden message. So basically it works as it should.

But when I connect to the VPN and try to open the intranet site, I still get the 403 Forbidden message. This is, as mentioned, while having no problems accessing other LAN resources.

When I'm connected to the VPN, from my mobile network, this is Windows ipconfig info:

PPP adapter AEV25 VPN:

Connection-specific DNS Suffix  . : 
IPv4 Address. . . . . . . . . . . : 10.0.0.200
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix  . : 
Link-local IPv6 Address . . . . . : fe80::ccb5:407b:3314:5a66%12
IPv4 Address. . . . . . . . . . . : 192.168.1.206
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

The Windows 7 PC is connected to my Android phone's network (hotspot), then connected to the VPN.

From my basic understanding of networking, it seems that Apache2 uses the address of the Wireless LAN, which is connected to the "outside" through my mobile phone, and not the PPTP adapter address, which is the LAN address.

So, how can I get Apache2 to recognize the "correct" adapter/address, so that I can access the internal site via the VPN connection?

Best Answer

What is the output of your /var/log/apache2/error.log and /var/log/apache2/access.log? That should provide some clues as to why it's being denied, and specifically, the client IP.

If you're using the wrong route to the server, make sure that you're giving the clients the right route. You should be sending them through the VPN gateway when they try to access the Intranet network.

Related Solutions

PPTP VPN – users cannot access internet via the server

A proxy server is typically an applicaiton-layer function. I believe that when you say "act like a proxy" you're really saying "route their traffic across the VPN to that server which will, in turn, route the traffic to its default gateway and ultimately to the Internet".

I'd start with a "tracert" (or OS equivalent command) from a client while connected to the VPN to an Internet address and see where the traffic is going.

It's fairly commonplace in the Microsoft VPN client for users to untick the "Use default gateway on remote network" (set in the "Advanced" settings of TCP/IP on the VPN connection) which will cause only traffic bound for the remote VPN subnet to cross the VPN. Have you checked to see that no one has unticked that box on the clients?

Typically the Microsoft VPN client will "push down" the DNS and WINS settings from the VPN server to the client computers. If the clients are having an inability to access web sites with a browser, for example, it may be that they are routing traffic down the VPN tunnel but that the DNS server being "pushed down" can't resolve Internet names.

Viewing the routing table on a client while connected with the "route print" command will also help figure out what's going on. There should be two default-gateway (0.0.0.0 with a subnet mask of 0.0.0.0) entries on a client that's configured to route all traffic down the VPN-- one for the client's on-subnet default gateway, and one "pointing" to the VPN tunnel.

Edit:

If you want all the traffic from the VPN clients to cross the VPN and egress to the Internet from the VPN "hub" then leave the "Use default gateway on remote network" checkbox ticked on the client computers.

I would suspect that you're having a name resolution problem. I'd connect a client to the VPN and do the following:

tracert -d (your favorite Internet IP address here)

You can use any IP address you want in that command, so long as it's something that's really reachable. Heck, use the IP address of "star.slashdot.org"-- I've already used it in some examples on here... >smile&lt 216.34.181.48

That will show you the route that packets are taking. It's important to use an IP address in that command so that you aren't relying on DNS.

If that looks okay (i.e. you see the packets cross the VPN and leave through the VPN "hub" Internet connection) then give DNS a shot:

nslookup star.slashdot.org

You should get back something like:

C:\>nslookup star.slashdot.org
Server:  the-name-of-the-VPN-server's-DNS-server
Address:  the-ip-address-of-the-VPN-server's-DNS-server

Non-authoritative answer:
Name:    star.slashdot.org
Address:  216.34.181.48

If you get back something nasty like this then the remote DNS server isn't configured to resolve Internet names.

*** the-name-of-the-VPN-server's-DNS-server can't find star.slashdot.org: Non-existent domain

If you get back something like this then the VPN server doesn't have a valid DNS server specified:

C:\>nslookup star.slashdot.org
Server:  [the-ip-address-of-the-VPN-server's-DNS-server]
Address:  the-ip-address-of-the-VPN-server's-DNS-server

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [the-ip-address-of-the-VPN-server's-DNS-server] timed-out

Windows Server 2003 VPN and Local network

Please read through this and this.

Best Answer

Related Solutions

PPTP VPN – users cannot access internet via the server

Windows Server 2003 VPN and Local network

Related Topic