
SOLVED: Making httpd listen on the VPN (tun) interface

Discussion in 'Tomato Firmware' started by blaman, Dec 28, 2013.

  1. blaman

    blaman Reformed Router Member

    I have a Linksys E4200 running Tomato Shibby v1.28 (build 115 VPN). It's acting as a client to a VPN. Is it possible to have httpd listening on other interfaces besides WAN and LAN? I would like to access the GUI from the VPN but netstat -ln tells me httpd only listens on WAN and LAN specifically.

    Alternatively, can the GUI be made to run with another webserver, such as lighttpd, that listens on all interfaces? I've also thought of running a VPN server on the router and connecting to it. It's a tad overkill, but it should work.

    Cheers.
     
  2. gfunkdave

    gfunkdave LI Guru Member

    It works fine like this without any special configurations.
     
  3. blaman

    blaman Reformed Router Member

    Nope, it does not. For it to work it'd have to listen either on 172.16.0.x (the VPN IP) or 0.0.0.0, which it doesn't, as per netstat (httpd is on port 2000, 10.0.0.1 is the LAN IP, 192.168.1.100 is the WAN IP):

    Code:
    root@test:/tmp/home/root# netstat -ln
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 127.0.0.1:1026          0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 192.168.1.100:2000      0.0.0.0:*               LISTEN
    tcp        0      0 10.0.0.1:2000           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
    tcp        0      0 :::53                   :::*                    LISTEN
    tcp        0      0 :::22                   :::*                    LISTEN
    udp        0      0 127.0.0.1:38032         0.0.0.0:*
    udp        0      0 0.0.0.0:27046           0.0.0.0:*
    udp        0      0 0.0.0.0:53              0.0.0.0:*
    udp        0      0 0.0.0.0:67              0.0.0.0:*
    udp        0      0 0.0.0.0:38000           0.0.0.0:*
    udp        0      0 :::53                   :::*
    raw        0      0 0.0.0.0:255             0.0.0.0:*               255
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node Path
    root@test:/tmp/home/root#
    
     
    Last edited: Dec 28, 2013
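    The point blaman is making from the netstat output is about bind addresses: a listener on 0.0.0.0 answers on every interface, while one bound to a single address answers only for that address. The following shell snippet is an added example, not part of the thread or of Tomato; it decides from `netstat -ln` output whether a TCP service would answer at a given IP:port. The sample netstat lines are constructed to mirror the post above, and the VPN address 172.16.0.50 is taken from later in the thread.

```shell
# Added example, not from the thread: given `netstat -ln` output, decide whether
# a TCP listener would answer a connection addressed to IP:PORT. A socket bound
# to 0.0.0.0 (or :: on a dual-stack Linux with the default bindv6only=0) answers
# on every interface; a socket bound to one address answers only for that
# address. That is why httpd on 10.0.0.1:2000 is unreachable via the VPN
# address while sshd on 0.0.0.0:22 is reachable.

# Constructed sample in the shape of the thread's netstat output (not the real capture).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:1026          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.100:2000      0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:2000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# tcp_reachable_on IP PORT [NETSTAT_OUTPUT]
# Prints the matching listener's bound address:port and returns 0; returns 1 with
# no output when nothing would answer at IP:PORT. Defaults to the sample above;
# pass "$(netstat -ln)" as the third argument to check a live box.
tcp_reachable_on() {
    ip=$1; port=$2; out=${3:-$SAMPLE_NETSTAT}
    match=$(printf '%s\n' "$out" | while read -r proto _rq _sq laddrport _foreign state; do
        # only TCP sockets in LISTEN state matter; headers and UDP lines are skipped
        [ "$proto" = tcp ] && [ "$state" = LISTEN ] || continue
        laddr=${laddrport%:*}; lport=${laddrport##*:}
        [ "$lport" = "$port" ] || continue
        # wildcard binds answer everywhere; a specific bind only for its own address
        if [ "$laddr" = 0.0.0.0 ] || [ "$laddr" = :: ] || [ "$laddr" = "$ip" ]; then
            printf '%s\n' "$laddrport"
            break
        fi
    done)
    [ -n "$match" ] && printf '%s\n' "$match"
}

# Worked checks mirroring the thread: the LAN IP works, the VPN IP does not for
# httpd (bound to LAN and WAN only) but does for sshd (bound to 0.0.0.0).
tcp_reachable_on 10.0.0.1 2000                                            # 10.0.0.1:2000
tcp_reachable_on 172.16.0.50 2000 || echo "nothing answers at 172.16.0.50:2000"
tcp_reachable_on 172.16.0.50 22                                           # 0.0.0.0:22
```

    On the router itself, `tcp_reachable_on 172.16.0.50 2000 "$(netstat -ln)"` performs the same check against the live socket table, which is the question gfunkdave asks next: whether the address was actually tried or only read off netstat.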
  4. gfunkdave

    gfunkdave LI Guru Member

    Hmm... I'm not sure what to tell you. It doesn't appear that my home router's httpd is listening on anything besides the LAN interface (192.168.4.1:80). And yet, from here at my mother-in-law's house I can just open a browser and go to 192.168.4.1 or http://router.elbonia/ (my LAN domain name) and it shows right up.

    Have you actually tried it, or are you just going by what netstat says?

    Code:
    root@router:/tmp/home/root# netstat -ln
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 192.168.4.1:139         0.0.0.0:*               LISTEN
    tcp        0      0 192.168.4.1:80          0.0.0.0:*               LISTEN
    tcp        0      0 192.168.4.1:4434        0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:4022            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
    tcp        0      0 192.168.4.1:445         0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:60926           0.0.0.0:*               LISTEN
    tcp        0      0 :::53                   :::*                    LISTEN
    tcp        0      0 :::22                   :::*                    LISTEN
    tcp        0      0 :::23                   :::*                    LISTEN
    tcp        0      0 :::443                  :::*                    LISTEN
    udp        0      0 192.168.4.1:137         0.0.0.0:*
    udp        0      0 0.0.0.0:137             0.0.0.0:*
    udp        0      0 192.168.4.1:138         0.0.0.0:*
    udp        0      0 0.0.0.0:138             0.0.0.0:*
    udp        0      0 127.0.0.1:38032         0.0.0.0:*
    udp        0      0 0.0.0.0:63506           0.0.0.0:*
    udp        0      0 0.0.0.0:1194            0.0.0.0:*
    udp        0      0 192.168.4.1:51377       0.0.0.0:*
    udp        0      0 0.0.0.0:53              0.0.0.0:*
    udp        0      0 0.0.0.0:67              0.0.0.0:*
    udp        0      0 0.0.0.0:1900            0.0.0.0:*
    udp        0      0 0.0.0.0:38000           0.0.0.0:*
    udp        0      0 :::53                   :::*
    raw   112464      0 0.0.0.0:2               0.0.0.0:*               2
    raw        0      0 0.0.0.0:2               0.0.0.0:*               2
    raw        0      0 0.0.0.0:255             0.0.0.0:*               255
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node Path
    
     
  5. blaman

    blaman Reformed Router Member

    What's your setup like? Mine is, the router is a VPN client on 172.16.0.50, and I'd like httpd to come up when I access 172.16.0.50:2000 from another computer on the VPN, which does not work.
     
  6. gfunkdave

    gfunkdave LI Guru Member

    I have an RT-N66 running Toastman set up as a server. I have two clients connected to it, also running Tomato - one Toastman and one Shibby. The VPN is the standard OpenVPN using TLS auth (though it also works fine when connected via static key auth).

    I just let the router assign VPN IPs...I think it's configured to use the 10.9.0.0/24 subnet. But you don't use that for anything. You should just access the httpd on the standard LAN IP, which in your case looks like 192.168.1.100:2000.

    I don't run a separate instance of httpd - just the stock one that comes with Tomato to access the web based configuration.
     
  7. blaman

    blaman Reformed Router Member

    In case somebody needs this for later, I got it to work! Just do:
    Code:
    service httpd stop
    # apparently httpd uses the current directory as its docroot
    cd /www
    httpd -p 0.0.0.0:`nvram get http_lanport`
    
    in your init script.

    Relevant sources are httpd.c for the -p option to specify address and port, and services.c for the "cd /www" bit.
     
    Last edited: Dec 28, 2013
  8. jerrm

    jerrm Network Guru Member

    But why bother with all that? Why not just access httpd using the router's internal IP as gfunkdave suggests? What is so unusual about your setup?

    The whole point of the VPN is to allow access to your internal net and that includes the internal IP of the router.

    Tomato's "automatic" rules should allow this by default. If you're using custom rules, then a single INPUT rule accepting port 80 from the VPN is a better solution than mucking around with httpd in an init script with a change that will be lost if the service is restarted.
     
    Last edited: Dec 28, 2013
  9. blaman

    blaman Reformed Router Member

    But the router is a *client*, not a server. My setup is, I have several Tomato routers deployed and they all connect to a Debian box acting as a VPN server. So that wouldn't be applicable.

    I mean, if I am another client on the VPN, I can only access each router through its IP in the VPN (172.16.0.x in my case), I couldn't use the LAN IP (10.0.0.1 in my case).
     
    Last edited: Dec 29, 2013
  10. jerrm

    jerrm Network Guru Member

    Client or server shouldn't matter. Sounds like a pretty basic star topology. The internal IP should be accessible from the server net, or from any VPN connected net as long as the firewall(s)/routing allow it.

    If you really need or just want to use the VPN IP, a NAT redirect rule would be better than messing with httpd.
     
  11. blaman

    blaman Reformed Router Member

    Thanks so much for the help, I got it now. I went with the NAT redirect rule. Weird that I didn't think about it, since I'm already using a NAT redirect so people in the router's LAN can access a web server on the VPN server through a specific port.

    This worked:
    Code:
    iptables -t nat -A PREROUTING -p tcp --dport `nvram get http_lanport` -j DNAT --to-destination `nvram get lan_ipaddr`:`nvram get http_lanport`
    
    I don't understand this, though. Assuming that by "internal IP" you mean the IP of the router on its LAN (10.0.0.1), how is this possible? All routers have the same LAN IP, so if I were to access them using their LAN address from the VPN server, how would I tell them apart?
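    A scoped version of the redirect above, together with the single INPUT accept that jerrm mentions for custom rule sets, as an added example that is not part of the thread or of Tomato. The posted rule matches any ingress interface and any destination, so it also rewrites forwarded traffic that merely crosses the router on that port; limiting it to the tun interface and the VPN address avoids that. Assumptions not stated in the thread: the OpenVPN client interface is tun11 (Tomato's first client instance) and the rules are placed in the firewall script; the VPN address 172.16.0.50, the port and the LAN address are the thread's own values.

```shell
# Added example, not from the thread: the NAT redirect, scoped so it only
# rewrites traffic that arrives over the VPN for the router's VPN address, plus
# the INPUT accept that a custom (non-"automatic") rule set needs.
# Assumptions: the OpenVPN client interface is tun11 (Tomato's first client
# instance) and the VPN address is 172.16.0.50, as in the thread; port and LAN
# address come from nvram exactly as the posted rule does.

IPT=${IPT:-iptables}   # set IPT=echo to dry-run and just print the commands

# gui_redirect_rules VPN_IF VPN_IP LAN_IP PORT
# Emits one iptables argument list per line.
gui_redirect_rules() {
    vpn_if=$1; vpn_ip=$2; lan_ip=$3; port=$4
    # nat: only packets entering on the tun interface and addressed to the VPN IP
    # are rewritten to the LAN address httpd is bound to. Without -i and -d the
    # rule would also rewrite any forwarded traffic to this port.
    printf '%s\n' "-t nat -A PREROUTING -i $vpn_if -d $vpn_ip -p tcp --dport $port -j DNAT --to-destination $lan_ip:$port"
    # filter: let the redirected connection into the router itself. -I rather
    # than -A so it lands ahead of any final DROP in the INPUT chain.
    printf '%s\n' "-I INPUT -i $vpn_if -d $lan_ip -p tcp --dport $port -j ACCEPT"
}

# apply_gui_redirect VPN_IF VPN_IP LAN_IP PORT: run each rule through $IPT.
apply_gui_redirect() {
    gui_redirect_rules "$@" | while read -r rule; do
        # unquoted on purpose: the rule string is a list of separate arguments
        $IPT $rule
    done
}

# On the router the values come from nvram; elsewhere this dry-runs with the
# thread's example values so the generated commands can be inspected.
if command -v nvram >/dev/null 2>&1; then
    apply_gui_redirect tun11 172.16.0.50 "$(nvram get lan_ipaddr)" "$(nvram get http_lanport)"
else
    IPT=echo
    apply_gui_redirect tun11 172.16.0.50 10.0.0.1 2000
fi
```

    Tomato re-runs the firewall script whenever it rebuilds its rule set (for example on WAN up), which is why the firewall script rather than the init script is the right place for these rules: the httpd restart from the earlier post is lost whenever the service restarts, while these rules are re-applied with the rest of the firewall.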
     
  12. gfunkdave

    gfunkdave LI Guru Member

    If you use the same LAN subnet on each router, how do you expect to do anything meaningful over the VPN? You won't be able to reliably connect from one LAN to another - and isn't that the point of a VPN?
     
