allow ssh via on non vpn address while vpn is open
bent
Post subject: allow ssh via on non vpn address while vpn is open
Posted: Thu Oct 07, 2010 2:11 am
Joined: Thu Oct 07, 2010 2:03 am, Posts: 7

I want to allow the ssh port to connect to the non-VPN IP address of my client that is connected to a VPN server.
My setup has eth0 and tun0 interfaces; eth0 is connected to my home network while tun0 is connected to a VPN server. I'm sure I'm explaining this a bit funny, but it's just my lack of know-how on this subject.
The client is running Ubuntu 10.04, if that is relevant.
Currently I can ssh to my client computer from the internal network, which ranges from 10.0.0.2-10.0.0.10. I have a NAT router that forwards port 22 to my client computer from the outside world. I can ssh to the client with the VPN IP and from the local network, but not with the router's WAN IP. If I disable the OpenVPN connection I can access the client with the router's public IP on port 22, so the forwarding is correct.
I'm fairly sure this problem has something to do with the route changes the OpenVPN client makes when connecting, but my lack of understanding on this subject is preventing me from making the exception necessary for this to work. I will gladly supply more information if needed and would need a nudge in the right direction to resolve this problem.
krzee
I should be on the dev team.
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Thu Oct 07, 2010 3:51 pm
Joined: Fri Aug 29, 2008 5:42 pm, Posts: 652

The requests to sshd come in over the ethernet interface and leave over the tunnel. You would need to set a more specific route to the IP/subnet from which you want to reach your sshd, but then no traffic to that IP/subnet will go over the VPN... viewtopic.php?f=15&t=7161
bent
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Thu Oct 07, 2010 8:10 pm
Joined: Thu Oct 07, 2010 2:03 am, Posts: 7

krzee wrote:
    the requests to sshd come over ethernet interface, and leave over the tunnel. you would need to set a more specific route to the IP/subnet that you want to reach your sshd, but no traffic to that IP/subnet will go over the vpn... viewtopic.php?f=15&t=7161

I see, is there no other way? No way to just affect the route of a specific port regardless of IP/subnet? Doing this for just specific IPs or subnets is not ideal for me and makes the VPN less effective in masking traffic. I realise route does not care about ports, just about addresses. Is there nothing I could do to change the route of a specific type of traffic at the last minute so it is routed differently?
bent
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Thu Oct 07, 2010 8:32 pm
Joined: Thu Oct 07, 2010 2:03 am, Posts: 7

Basically what I'm thinking now is to create 2 routes, one for the VPN via the tun interface and one for the non-VPN connection. Then could I use, for example, iptables to direct everything except ssh via the VPN and ssh via the non-VPN connection?
I'm afraid I'm just guessing, but that sounds doable to me; I just don't know enough to know if that is possible or not.
bent
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Fri Oct 08, 2010 12:25 am
Joined: Thu Oct 07, 2010 2:03 am, Posts: 7

Got mine to work using this article: http://www.linuxhorizon.ro/iproute2.html
My situation is basically identical to example 2 in the article. I'll do more tweaks still, but this got me further anyway.
krzee
I should be on the dev team.
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Fri Oct 08, 2010 11:35 pm
Joined: Fri Aug 29, 2008 5:42 pm, Posts: 652

very cool, thanx for letting us know how you did it.
bent
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Mon Oct 11, 2010 9:09 pm
Joined: Thu Oct 07, 2010 2:03 am, Posts: 7

I spoke a bit too soon. It seems I had some part of example 1 there and that overruled basically everything. My gateway address is 10.0.0.1; the VPN client computer's local LAN address is 10.0.0.5.

ifconfig:
Quote:
eth0      Link encap:Ethernet  HWaddr 00:18:f3:74:ae:53
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::218:f3ff:fe74:ae53/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2671049 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2476494 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2033808500 (2.0 GB)  TX bytes:1899189601 (1.8 GB)
          Interrupt:28 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:258924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:258924 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1171605779 (1.1 GB)  TX bytes:1171605779 (1.1 GB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.71.0.26  P-t-P:10.71.0.25  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2235403 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1858319 errors:0 dropped:665 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1826588443 (1.8 GB)  TX bytes:856502953 (856.5 MB)

My ip route show:
Quote:
vpnpublic ip via 10.0.0.1 dev eth0
10.71.0.25 dev tun0  proto kernel  scope link  src 10.71.0.26
10.71.0.1 via 10.71.0.25 dev tun0
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.5  metric 1
169.254.0.0/16 dev eth0  scope link  metric 1000
0.0.0.0/1 via 10.71.0.25 dev tun0
128.0.0.0/1 via 10.71.0.25 dev tun0
default via 10.0.0.1 dev eth0  proto static

ip route show table 100:
Quote:
default via 10.0.0.1 dev eth0

I'm marking incoming ssh traffic like this:
Code:
iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j MARK --set-mark 1

ip rule show:
Code:
0:      from all lookup local
32764:  from all fwmark 0x1 lookup sshtable
32766:  from all lookup main
32767:  from all lookup default

Somehow the VPN client must be pushing everything through tun0, but I'm failing to understand how to make this exception work. I can see with tcpdump port 22 that when I try to connect to my router's public IP with ssh (not in the VPN) it gets forwarded correctly to my LAN IP 10.0.0.5, but the ACK is not visible, and my VPN client computer is receiving but either not sending or sending to the wrong place; I just dunno how to see where it's trying to send it. So somehow I need to create a route that does not end up on the tun0 interface.
krzee
I should be on the dev team.
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Mon Oct 11, 2010 10:21 pm
Joined: Fri Aug 29, 2008 5:42 pm, Posts: 652

bent wrote:
    Somehow the vpn client must be pushing everything through tun0 but I'm failing to understand how to make this exception work.

0.0.0.0/1 via 10.71.0.25 dev tun0
128.0.0.0/1 via 10.71.0.25 dev tun0

That is the 'somehow' you spoke of. Unless you find some way to route based on port in iptables (it seemed that example 2 in your link was for that, but I don't even use linux so I won't be testing), routing works based on subnet, not port.
bent
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Mon Oct 11, 2010 11:39 pm
Joined: Thu Oct 07, 2010 2:03 am, Posts: 7

krzee wrote:
    bent wrote:
        Somehow the vpn client must be pushing everything through tun0 but I'm failing to understand how to make this exception work.
    0.0.0.0/1 via 10.71.0.25 dev tun0
    128.0.0.0/1 via 10.71.0.25 dev tun0
    that is the 'somehow' you spoke of Unless you find some way to route based on port in iptables (seemed that example 2 in your link was for that, but i dont even use linux so i wont be testing), routing works based on subnet, not port.

I did a bit of reading again, so if I understood correctly:
Quote:
0.0.0.0/1 via 10.71.0.25 dev tun0
128.0.0.0/1 via 10.71.0.25 dev tun0

Combined, those 2 are pretty much the whole internet, and OpenVPN uses them because it doesn't want to overwrite the default route. What if I add the same 2 lines for dev eth0 and the router gateway; which is chosen and why? Does the order make a difference? If my understanding is correct, with iptables I should be able to mark the incoming ssh traffic and choose whatever route I want for it with ip rule.
bent
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Wed Oct 13, 2010 1:22 am
Joined: Thu Oct 07, 2010 2:03 am, Posts: 7

Didn't get the whole marking thing to work, but I did get done what I wanted by:
Code:
ip route add 10.0.0.0/24 dev eth0 table 101
ip route add default via eth0gw table 101
ip rule add from eth0ip table 101

So now packets with the source address of my eth0ip will be going out via the eth0gw instead of the VPN tunnel. Everything else goes out by the VPN tunnel, which is fine. Maybe one day I will try again with the mangling of tables, but for now I'm satisfied with this.
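The following is an added example, not code posted in this thread: a small Python model of Linux policy routing (ip rule priority order, then longest-prefix match inside the selected table) run over the routing table and rules bent posted above. It shows two things from the thread in one place: why, with the 0.0.0.0/1 and 128.0.0.0/1 routes in the main table, an SSH reply sourced from 10.0.0.5 is sent into tun0 even though the fwmark rule exists, and why the final "ip rule add from eth0ip table 101" setup steers those replies back out eth0 while leaving tunnel-sourced traffic alone. Assumptions not on the page: the remote SSH client address 203.0.113.10 and the stand-in 198.51.100.1 for the redacted "vpnpublic ip" host route are constructed; "sshtable" is taken to be table 100; the local table, metrics and the proto/scope fields are ignored.

```python
"""Model of Linux policy routing applied to the route table posted in the
thread. Constructed example, not code from the forum or from OpenVPN."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # None for directly connected (on-link) routes


def parse_routes(text: str) -> List[Route]:
    """Parse lines in 'ip route show' format into Route objects."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(ipaddress.ip_network(dest, strict=False), dev, via))
    return routes


def fib_lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match within a single table, as the kernel FIB does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


# Main table as posted. The first line replaces the redacted 'vpnpublic ip'
# with a constructed TEST-NET-2 address so the line parses.
MAIN = parse_routes("""
198.51.100.1 via 10.0.0.1 dev eth0
10.71.0.25 dev tun0 proto kernel scope link src 10.71.0.26
10.71.0.1 via 10.71.0.25 dev tun0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5 metric 1
169.254.0.0/16 dev eth0 scope link metric 1000
0.0.0.0/1 via 10.71.0.25 dev tun0
128.0.0.0/1 via 10.71.0.25 dev tun0
default via 10.0.0.1 dev eth0 proto static
""")
# Table 100 ('sshtable') from the fwmark attempt, and table 101 from the
# final working setup, with eth0gw = 10.0.0.1 and eth0ip = 10.0.0.5.
TABLES = {
    "main": MAIN,
    "sshtable": parse_routes("default via 10.0.0.1 dev eth0"),
    "101": parse_routes("10.0.0.0/24 dev eth0\ndefault via 10.0.0.1 dev eth0"),
}

# A rule is (source selector or None, required fwmark or None, table name),
# listed in priority order. Rule 0 (table local) is left out of the model.
RULES_FWMARK_ATTEMPT = [(None, 1, "sshtable"), (None, None, "main")]
RULES_SOURCE_BASED = [("10.0.0.5", None, "101"), (None, None, "main")]


def egress(rules, src: str, dst: str, fwmark: int = 0) -> Tuple[str, Optional[str]]:
    """Walk the rules in priority order; the first selected table that holds
    a matching route decides the outgoing device and next hop."""
    for src_sel, mark_sel, table in rules:
        if src_sel and ipaddress.ip_address(src) not in ipaddress.ip_network(src_sel):
            continue
        if mark_sel is not None and fwmark != mark_sel:
            continue
        route = fib_lookup(TABLES[table], dst)
        if route:
            return route.dev, route.via
    raise LookupError("no route to host")


if __name__ == "__main__":
    client = "203.0.113.10"  # constructed remote SSH client on the Internet
    # Reply to a session that arrived on eth0 through the router's port forward.
    # The MARK set in PREROUTING sat on the inbound packet only; the locally
    # generated reply carries fwmark 0, so the fwmark rule never matches it.
    print("fwmark attempt:", egress(RULES_FWMARK_ATTEMPT, "10.0.0.5", client))
    print("source rule   :", egress(RULES_SOURCE_BASED, "10.0.0.5", client))
    # Traffic sourced from the tunnel address is unaffected by the new rule.
    print("vpn traffic   :", egress(RULES_SOURCE_BASED, "10.71.0.26", client))
    # LAN peers stay on-link because table 101 also carries 10.0.0.0/24.
    print("lan peer      :", egress(RULES_SOURCE_BASED, "10.0.0.5", "10.0.0.7"))
```

Running the script prints tun0 for the fwmark attempt and eth0 via 10.0.0.1 for the source-based rule, which is the behaviour bent observed with tcpdump and then fixed. The model also makes the reason for the failed marking attempt visible: a per-packet MARK applied in the mangle PREROUTING chain does not carry over to the reply packets the host itself generates, so a rule keyed on fwmark only helps if the mark is made connection-scoped (the standard way is iptables CONNMARK, saving the mark in PREROUTING and restoring it in OUTPUT); the thread itself does not go that far. Keeping the 10.0.0.0/24 route in table 101 matters as well: without it, a source-based rule would send LAN-bound replies to the gateway instead of directly onto eth0.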
kadu
OpenVpn Newbie
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Wed May 25, 2011 11:01 am
Joined: Wed May 25, 2011 10:54 am, Posts: 6

I know this is a very old thread, but I thought I would share my knowledge on the matter so anyone that comes to this post with a similar problem can use it. If I understand right, what you are trying to do is send all packets to that destination over the VPN, but not if the destination port is 22 (SSH). At least this is what I do with my home network, so I can access my servers via SSH if there's a problem with the tunnel. I simply add a NAT rule with a negate option for SSH. This solution uses DNAT; not sure if this is acceptable on your configuration.
Code:
iptables -A PREROUTING -t nat -d <server_public_IP> -p tcp -m tcp ! --dport 22 -j DNAT --to-destination <server_VPN_IP>

So we are telling iptables to NAT anything going to my server's public IP, except on port 22, to the server's VPN IP; the normal routes will take care of sending those packets over the VPN tunnel. Hope this helps anyone in the future.
Kadu
skrewt
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Mon Sep 26, 2011 2:29 pm
Joined: Sun Sep 25, 2011 2:43 pm, Posts: 11

kadu wrote:
    I know this is a very old thread but thought I would share my knowledge on the matter so anyone that come to this post with similar problem can use it. If I understand right what you are trying to do is send all packets to that destination over the VPN but not if the destination port is 22 (SSH), at least this is what I do with my home network, so I can access my servers via SSH if there's a problem with the tunnel. I simply add a NAT rule with a negate option for SSH, this solution uses DNAT, not sure if this is acceptable on your configuration.
    Code:
    iptables -A PREROUTING -t nat -d <server_public_IP> -p tcp -m tcp ! --dport 22 -j DNAT --to-destination <server_VPN_IP>
    So we are telling iptables to NAT anything going to my server public IP except on port 22 to the servers VPN IP, the normal routes will take care of sending those packets over the VPN tunnel

I'm having the same problem and was hoping your iptables command would help me as well. In my case, my server doesn't have a static public IP. What would I use in this case? Could I use interfaces instead? Like anything coming in on eth0 goes out through tun0? I'm very new to OpenVPN and even newer to iptables and routing.
janjust
I should be on the dev team.
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Mon Sep 26, 2011 2:38 pm
Joined: Fri Aug 20, 2010 2:57 pm, Posts: 2083, Location: Amsterdam

Just use
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp ! --dport 22 -j DNAT --to-destination <server_VPN_IP>

instead, if 'eth0' is the interface to which your public IP is bound.

|
skrewt
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Mon Sep 26, 2011 2:53 pm
Joined: Sun Sep 25, 2011 2:43 pm, Posts: 11

janjust wrote:
    Just use
    Code:
    iptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp ! --dport 22 -j DNAT --to-destination <server_VPN_IP>
    instead, if 'eth0' is the interface to which your public IP is bound.

Ok. Last question. server_VPN_IP again is not static. My openvpn.conf file has 4 servers in it to choose from and it picks a random one. Or would that server_VPN_IP be my internal IP on the tun0 interface? ifconfig spits out a very odd inet addr for my tun0 interface as well.
janjust
I should be on the dev team.
Post subject: Re: allow ssh via on non vpn address while vpn is open
Posted: Mon Sep 26, 2011 3:09 pm
Joined: Fri Aug 20, 2010 2:57 pm, Posts: 2083, Location: Amsterdam
