One of our corporate websites run on Linux server, built with Apache2 and PHP5.
Several web pages can only be accessed from OpenVPN subnet (addresses 10.8.0.1/24). To check each request, php script compares $_SERVER["REMOTE_ADDR"] value supplied by apache and decide to grant or deny further execution.
Purpose is to deny access to these pages from devices not configured to work through server's VPN.
OpenVPN server is running on same machine, that's why PHP receive addresses like 10.8.0.25 from clients inside VPN and real addresses for other requests.
Is it correct method to "protect" page from public access?
Testing this system i have found an odd thing that if i request one of these "protected" pages using Windows machine, connected to our OpenVPN network, server is able to see real IP address (not 10.8.0.xx), while doing same on Android device works as expected (server cannot see real IP address and get 10.8.0.xx in php).
I use OpenVPN Connect app on Android and OpenVPN GUI on windows. In both cases client routes its traffic through the VPN server, and "What is my IP?" services show VPN address and not the real address of my ISP.
But somehow Windows client gets identified by its real (provider) address on webserver, and cannot access secured pages, regardless VPN is on or off.
- What are possible reasons for that?
I have suspicions that OpenVPN does not work properly on that Windows PC. Otherwise, why server recognizes Android and Windows vpn clients differently?
Thank you.
UPD: iptables -L on VPN/websrv machine
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.8.0.0/24 anywhere tcp dpts:63000:64000
REJECT tcp -- anywhere anywhere tcp dpts:63000:64000 reject-with icmp-port-unreachable
ACCEPT udp -- 10.8.0.0/24 anywhere udp dpts:64000:65000
REJECT tcp -- anywhere anywhere tcp dpts:64000:65000 reject-with icmp-port-unreachable
DROP all -- anywhere anywhere match-set banned_ips src
UPD:: cmd /k route print on Windows machine
Interface List
5...54 04 a6 3d 36 ff ......Realtek PCIe GBE Family Controller
7...fc 75 16 86 ad 84 ......Microsoft Wi-Fi Direct Virtual Adapter
17...00 ff b7 66 85 11 ......TAP-Windows Adapter V9
12...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
13...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
6...fc 75 16 86 ad 82 ......D-Link DWA-125 Wireless N 150 USB Adapter(rev.A3)
1...........................Software Loopback Interface 1
2...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
3...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
8...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.137.1 192.168.137.97 25
0.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 20
10.8.0.0 255.255.255.0 10.8.0.5 10.8.0.6 20
10.8.0.4 255.255.255.252 On-link 10.8.0.6 276
10.8.0.6 255.255.255.255 On-link 10.8.0.6 276
10.8.0.7 255.255.255.255 On-link 10.8.0.6 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 20
xxx.53.xxx.yy 255.255.255.255 192.168.137.1 192.168.137.97 25
192.168.10.0 255.255.255.0 10.8.0.5 10.8.0.6 20
192.168.20.0 255.255.255.0 10.8.0.5 10.8.0.6 20
192.168.137.0 255.255.255.0 On-link 192.168.137.97 281
192.168.137.97 255.255.255.255 On-link 192.168.137.97 281
192.168.137.255 255.255.255.255 On-link 192.168.137.97 281
192.168.171.0 255.255.255.0 On-link 192.168.171.1 276
192.168.171.1 255.255.255.255 On-link 192.168.171.1 276
192.168.171.255 255.255.255.255 On-link 192.168.171.1 276
192.168.229.0 255.255.255.0 On-link 192.168.229.1 276
192.168.229.1 255.255.255.255 On-link 192.168.229.1 276
192.168.229.255 255.255.255.255 On-link 192.168.229.1 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.171.1 276
224.0.0.0 240.0.0.0 On-link 192.168.229.1 276
224.0.0.0 240.0.0.0 On-link 10.8.0.6 276
224.0.0.0 240.0.0.0 On-link 192.168.137.97 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.171.1 276
255.255.255.255 255.255.255.255 On-link 192.168.229.1 276
255.255.255.255 255.255.255.255 On-link 10.8.0.6 276
255.255.255.255 255.255.255.255 On-link 192.168.137.97 281
===========================================================================
Persistent Routes:
None
IPv6 Route Table
xxx.53.xxx.yy is VPN/websrv machine IP.
UPD: Two more facts
– Webserver and protected pages use SSL cert (https)
– DNS on Windows/Android devices is set to Google DNS only.
Best Answer
Install bind on the Openvpn/web server. Add a zone for www.example.com to point to the internal IP of the web server and set forwarders for 8.8.8.8 and 8.8.4.4, also make sure it is listening and set as a resolver for internal/VPN subnets.
A basic zone for the Specific subdomain, be sure to replicate any duplicate details as needed.
named.conf.options
Zone File
make sure you test and configure openvpn to push this dns server.