Dear Lazyweb,

Is it possible to run OpenVPN Connect on macOS for my outbound connections, and also run a web server on my static IP for inbound connections? Launching OpenVPN seems to prevent any incoming connections.

I'd like to be using Sonic's VPN on my home desktop machine, but I also run a web server on it that I occasionally need to access from the outside world.

Previously, previously.


5 Responses:

  1. George Dorn says:

    You probably want Method 3 from here. The first option may also work but it is new and I haven't used it.

    route-nopull worked for me as well, but ended up leaking traffic.

  2. When OpenVPN is active and all traffic goes through the VPN, your web server would need to be accessed through the VPN as well, so Sonic would need to provide the static IP through the VPN.

    While packets reaching your static IP will come in on your regular connection, the return packets will be sent out the VPN (see Wireshark). On the VPN provider's side, NAT is likely in effect, meaning that the return packet will be rewritten to have a source address of the VPN provider, not your static ISP address. So there's no way for the TCP client to recognise the reply.

    In order for this to work, you would need some source-routing firewall magic, and I don't think that's easily possible on macOS.
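The source-based routing the comment above describes, shown on Linux as an added example (not code from the post or any of its commenters): a policy rule sends packets whose source is the static ISP address out through the ISP gateway while the VPN keeps the default route for everything else. The addresses, interface name and table number are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post or its commenters): Linux policy routing so that
# replies to inbound connections on the static ISP address leave via the ISP
# interface instead of the VPN tunnel. Constructed placeholder values below;
# override them from the environment for a real host.
STATIC_IP="${STATIC_IP:-203.0.113.10}"   # the host's static address from the ISP
ISP_GW="${ISP_GW:-203.0.113.1}"          # the ISP's gateway, reachable on ISP_IF
ISP_IF="${ISP_IF:-eth0}"                 # interface the static address lives on
TABLE="${TABLE:-100}"                    # spare routing table number

# Commands that implement the policy route. A rule at priority 100 is consulted
# before the main table (priority 32766), so any packet whose source address is
# the static IP (i.e. a reply from the web server) uses table $TABLE, whose only
# route is the ISP default gateway. Everything else still follows the main
# table, where OpenVPN's redirect-gateway has installed the tunnel default.
policy_route_cmds() {
    printf 'ip route add default via %s dev %s table %s\n' "$ISP_GW" "$ISP_IF" "$TABLE"
    printf 'ip rule add from %s/32 lookup %s priority 100\n' "$STATIC_IP" "$TABLE"
}

# The same two changes in reverse, for tearing the policy route down.
policy_route_undo_cmds() {
    printf 'ip rule del from %s/32 lookup %s priority 100\n' "$STATIC_IP" "$TABLE"
    printf 'ip route del default via %s dev %s table %s\n' "$ISP_GW" "$ISP_IF" "$TABLE"
}

# Run each command (needs root). With DRY_RUN=1 they are only printed, so the
# exact changes can be reviewed before anything touches the routing tables.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            sh -c "$cmd" || return 1
        fi
    done
}
apply_policy_route() { policy_route_cmds | run_cmds; }
undo_policy_route()  { policy_route_undo_cmds | run_cmds; }

# After applying, `ip rule show` should list the rule; returns 0 when it does.
verify_policy_route() {
    ip rule show 2>/dev/null | grep -q "from $STATIC_IP lookup $TABLE"
}

case "${1:-show}" in
    show)  policy_route_cmds ;;
    apply) apply_policy_route ;;
    undo)  undo_policy_route ;;
esac
```

`sh policy_route.sh show` prints the two commands, `DRY_RUN=1 sh policy_route.sh apply` rehearses them, and `sudo sh policy_route.sh apply` installs them. The web server's replies carry the static IP as source because it was the destination of the inbound connection, which is what the rule matches on.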

  3. Who wants to know says:

    Take a look at WireGuard. You can choose which IP ranges are routed via the VPN and which are not. It does take a while to set up and the latest Mac store app does have some problems but the Go version has no problems.

  4. Peter M says:

    Apologies as this is one of those posts that suggest doing something entirely different from what you actually want and we all know what you think about that.

    Don't connect to the VPN with your Mac, instead use a VM running a SOCKS or HTTP proxy, alternatively pfSense or similar if you need direct connections without a proxy. Even though you don't want the hassle of an extra gateway in between, the VPN is probably currently not doing what you want it to do. At best it is doing what you want it to while also increasing the attack surface (the Sonic VPN is more unique in that it automatically forwards all ports to your workstation).

    This will at least resolve your issue with the unreachable webserver.

  5. dave says:

    I have done this on Linux (not macOS) but in theory it should work the same. I had to create a virtual interface and tell OpenVPN to use that (although it was a while back; I may have given OpenVPN the "real" eth0 and told the www server to use the virtual eth0:0). IIRC I did not have to do any other weird shit (since they both routed out my upstream via a 1:1 NAT).
