allow ssh via on non vpn address while vpn is open

How to customize and extend your OpenVPN installation.
bent
OpenVpn Newbie
Posts: 7
Joined: Thu Oct 07, 2010 2:03 am

allow ssh via on non vpn address while vpn is open

Post by bent » Thu Oct 07, 2010 2:11 am

I want to allow ssh port to connect to the non vpn ip address of my client that is connected to a vpn server.

My setup has eth0 and tun0 interfaces and eth0 is connected to my home network while tun0 is connected to a vpn server. I'm sure I'm explaining this a bit funny but it's just my lack of knowhow on this subject.

The client is running ubuntu 10.04 if that is relevant.

Currently I can ssh my client computer from the internal network that ranges from 10.0.0.2-10.0.0.10. I have a nat router that forwards the port 22 to my client computer from the outside world. I can ssh the client with the vpn ip and from the local network but not with the routers wan ip. If I disable the openvpn connection I can access the client with the router public ip from port 22 so forwarding is correct.

I'm fairly sure this problem has something to do with the route changes the openvpn client does when connecting but my lack of understanding on this subject is preventing me from making the exception necessary for this to work. I will gladly supply more information if needed and would need a nudge in the right direction to resolve this problem.

User avatar
krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: allow ssh via on non vpn address while vpn is open

Post by krzee » Thu Oct 07, 2010 3:51 pm

the requests to sshd come over ethernet interface, and leave over the tunnel.
you would need to set a more specific route to the IP/subnet that you want to reach your sshd, but no traffic to that IP/subnet will go over the vpn...
viewtopic.php?f=15&t=7161

bent
OpenVpn Newbie
Posts: 7
Joined: Thu Oct 07, 2010 2:03 am

Re: allow ssh via on non vpn address while vpn is open

Post by bent » Thu Oct 07, 2010 8:10 pm

krzee wrote:the requests to sshd come over ethernet interface, and leave over the tunnel.
you would need to set a more specific route to the IP/subnet that you want to reach your sshd, but no traffic to that IP/subnet will go over the vpn...
viewtopic.php?f=15&t=7161
I see, there is no other way ? No way to just affect the route of a spefic port regardless of ip/subnet ? Doing this for just spefic IPs or subnets is not ideal for me and makes the vpn less effective in masking traffic. I realise route does not care about ports just about addresses. Nothing I could do to change the route if specific type of traffic last minute to be routed differently ?

bent
OpenVpn Newbie
Posts: 7
Joined: Thu Oct 07, 2010 2:03 am

Re: allow ssh via on non vpn address while vpn is open

Post by bent » Thu Oct 07, 2010 8:32 pm

Basically what I'm thinking now is to create 2 routes one for the VPN via the tun interface and one for the non vpn connection. Then could I use for example iptables to direct the everything except ssh via vpn and ssh via the non vpn connection ?

I'm afraid my i'm just guessing but that sounds doable to me but I just don't know enough to know if that is possible or not.

bent
OpenVpn Newbie
Posts: 7
Joined: Thu Oct 07, 2010 2:03 am

Re: allow ssh via on non vpn address while vpn is open

Post by bent » Fri Oct 08, 2010 12:25 am

Got mine to work using this article: http://www.linuxhorizon.ro/iproute2.html

My situation is basicaly identical to the example 2 in the article. I'll do more tweaks still but this got me further anyway.

User avatar
krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: allow ssh via on non vpn address while vpn is open

Post by krzee » Fri Oct 08, 2010 11:35 pm

very cool, thanx for letting us know how you did it.

bent
OpenVpn Newbie
Posts: 7
Joined: Thu Oct 07, 2010 2:03 am

Re: allow ssh via on non vpn address while vpn is open

Post by bent » Mon Oct 11, 2010 9:09 pm

I spoke a bit too soon It seems I had some part of example 1 there and that overruled basically everything.
my gateway address is 10.0.0.1, vpn client computers local lan address is 10.0.0.5.

ifconfig:
eth0 Link encap:Ethernet HWaddr 00:18:f3:74:ae:53
inet addr:10.0.0.5 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::218:f3ff:fe74:ae53/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2671049 errors:0 dropped:0 overruns:0 frame:0
TX packets:2476494 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2033808500 (2.0 GB) TX bytes:1899189601 (1.8 GB)
Interrupt:28 Base address:0xc000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:258924 errors:0 dropped:0 overruns:0 frame:0
TX packets:258924 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1171605779 (1.1 GB) TX bytes:1171605779 (1.1 GB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.71.0.26 P-t-P:10.71.0.25 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2235403 errors:0 dropped:0 overruns:0 frame:0
TX packets:1858319 errors:0 dropped:665 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1826588443 (1.8 GB) TX bytes:856502953 (856.5 MB)

My ip route show
vpnpublic ip via 10.0.0.1 dev eth0
10.71.0.25 dev tun0 proto kernel scope link src 10.71.0.26
10.71.0.1 via 10.71.0.25 dev tun0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5 metric 1
169.254.0.0/16 dev eth0 scope link metric 1000
0.0.0.0/1 via 10.71.0.25 dev tun0
128.0.0.0/1 via 10.71.0.25 dev tun0
default via 10.0.0.1 dev eth0 proto static
ip route show table 100:
default via 10.0.0.1 dev eth0

I'm marking incoming ssh traffic like this:

Code: Select all

iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 22 -j MARK --set-mark 1
ip rule show:

Code: Select all

0:      from all lookup local
32764:  from all fwmark 0x1 lookup sshtable
32766:  from all lookup main
32767:  from all lookup default
Somehow the vpn client must be pushing everything through tun0 but I'm failing to understand how to make this exception work. I can see with tcpdump port 22 that when I try to connect to my routers public ip with ssh (not in vpn) it gets forwarded correctly to my lan ip 10.0.0.5 but the ack is not visible and my vpn client computer is receiving but either not sending or sending in the wrong place just dunno how to see where it's trying to send it.

So somehow I need to create a route that does not end up in tun0 interface

User avatar
krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: allow ssh via on non vpn address while vpn is open

Post by krzee » Mon Oct 11, 2010 10:21 pm

bent wrote: Somehow the vpn client must be pushing everything through tun0 but I'm failing to understand how to make this exception work.
0.0.0.0/1 via 10.71.0.25 dev tun0
128.0.0.0/1 via 10.71.0.25 dev tun0
that is the 'somehow' you spoke of

Unless you find some way to route based on port in iptables (seemed that example 2 in your link was for that, but i dont even use linux so i wont be testing), routing works based on subnet, not port.

bent
OpenVpn Newbie
Posts: 7
Joined: Thu Oct 07, 2010 2:03 am

Re: allow ssh via on non vpn address while vpn is open

Post by bent » Mon Oct 11, 2010 11:39 pm

krzee wrote:
bent wrote: Somehow the vpn client must be pushing everything through tun0 but I'm failing to understand how to make this exception work.
0.0.0.0/1 via 10.71.0.25 dev tun0
128.0.0.0/1 via 10.71.0.25 dev tun0
that is the 'somehow' you spoke of

Unless you find some way to route based on port in iptables (seemed that example 2 in your link was for that, but i dont even use linux so i wont be testing), routing works based on subnet, not port.

I'm did a bit of reading again so if I understood correctly:
0.0.0.0/1 via 10.71.0.25 dev tun0
128.0.0.0/1 via 10.71.0.25 dev tun0
Combined those 2 are pretty much the whole internet and openvpn uses them because it doesn't want to overwrite the default route.

What if I add the same 2 lines for dev eth0 and the router gateway which is chosen and why ? Does the order make a difference ?

If my understanding is correct with iptables I should be able to mark the incoming ssh traffic and choose whatever route I want for it with ip rule

bent
OpenVpn Newbie
Posts: 7
Joined: Thu Oct 07, 2010 2:03 am

Re: allow ssh via on non vpn address while vpn is open

Post by bent » Wed Oct 13, 2010 1:22 am

Didn't get the whole marking thing to work but I did get done what I wanted by:

Code: Select all

ip route add 10.0.0.0/24 dev eth0 table 101
ip route add default via eth0gw table 101
ip rule add from eth0ip table 101 
So now packets with the source address of my eth0ip will be going out from the eth0gw instead of the vpn tunnel. Everything else goes out by the vpn tunnel which is fine. Maybe one day I will try again with the mangling of tables but for now I'm satisfied with this.

User avatar
kadu
OpenVpn Newbie
Posts: 6
Joined: Wed May 25, 2011 10:54 am

Re: allow ssh via on non vpn address while vpn is open

Post by kadu » Wed May 25, 2011 11:01 am

I know this is a very old thread but thought I would share my knowledge on the matter so anyone that come to this post with similar problem can use it.

If I understand right what you are trying to do is send all packets to that destination over the VPN but not if the destination port is 22 (SSH), at least this is what I do with my home network, so I can access my servers via SSH if there's a problem with the tunnel.

I simply add a NAT rule with a negate option for SSH, this solution uses DNAT, not sure if this is acceptable on your configuration.

Code: Select all

iptables -A PREROUTING -t nat -d <server_public_IP> -p tcp -m tcp ! --dport 22 -j DNAT --to-destination <server_VPN_IP>
So we are telling iptables to NAT anything going to my server public IP except on port 22 to the servers VPN IP, the normal routes will take care of sending those packets over the VPN tunnel

Hope this helps anyone in the future.

Kadu

skrewt
OpenVPN User
Posts: 11
Joined: Sun Sep 25, 2011 2:43 pm

Re: allow ssh via on non vpn address while vpn is open

Post by skrewt » Mon Sep 26, 2011 2:29 pm

kadu wrote:I know this is a very old thread but thought I would share my knowledge on the matter so anyone that come to this post with similar problem can use it.

If I understand right what you are trying to do is send all packets to that destination over the VPN but not if the destination port is 22 (SSH), at least this is what I do with my home network, so I can access my servers via SSH if there's a problem with the tunnel.

I simply add a NAT rule with a negate option for SSH, this solution uses DNAT, not sure if this is acceptable on your configuration.

Code: Select all

iptables -A PREROUTING -t nat -d <server_public_IP> -p tcp -m tcp ! --dport 22 -j DNAT --to-destination <server_VPN_IP>
So we are telling iptables to NAT anything going to my server public IP except on port 22 to the servers VPN IP, the normal routes will take care of sending those packets over the VPN tunnel
I'm having the same problem and was hoping your iptables command would help me as well. In my case, my server doesn't have a static public IP. What would I use in this case? Could I use interfaces instead? Like anything coming in eth0 goes out through tun0? I'm very new to OpenVPN and even newer to iptables and routing.

User avatar
janjust
Forum Team
Posts: 2702
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: allow ssh via on non vpn address while vpn is open

Post by janjust » Mon Sep 26, 2011 2:38 pm

Just use

Code: Select all

ptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp ! --dport 22 -j DNAT --to-destination <server_VPN_IP>
instead, if 'eth0' is the interface to which your public IP is bound.

skrewt
OpenVPN User
Posts: 11
Joined: Sun Sep 25, 2011 2:43 pm

Re: allow ssh via on non vpn address while vpn is open

Post by skrewt » Mon Sep 26, 2011 2:53 pm

janjust wrote:Just use

Code: Select all

ptables -A PREROUTING -t nat -i eth0 -p tcp -m tcp ! --dport 22 -j DNAT --to-destination <server_VPN_IP>
instead, if 'eth0' is the interface to which your public IP is bound.
Ok. Last question. server_VPN_IP again is not static. My openvpn.conf file has 4 servers in it to choose from and it picks a random one. Or would that server_VPN_IP be my internal IP to the tun0 interface? ifconfig spits out a very odd inet addr for my tun0 interface, as well.

User avatar
janjust
Forum Team
Posts: 2702
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: allow ssh via on non vpn address while vpn is open

Post by janjust » Mon Sep 26, 2011 3:09 pm

yes it would be the internal VPN IP that the tun0 is configured with ; this IP is normally derived from the 'server' directive.

skrewt
OpenVPN User
Posts: 11
Joined: Sun Sep 25, 2011 2:43 pm

Re: allow ssh via on non vpn address while vpn is open

Post by skrewt » Mon Sep 26, 2011 5:54 pm

After some testing, the internal VPN IP changes everytime I reconnect. I assume I would need a static IP on my tun0 iface for this to work? If so, is that my control or the servers control?

User avatar
kadu
OpenVpn Newbie
Posts: 6
Joined: Wed May 25, 2011 10:54 am

Re: allow ssh via on non vpn address while vpn is open

Post by kadu » Mon Sep 26, 2011 6:05 pm

skrewt wrote:After some testing, the internal VPN IP changes everytime I reconnect. I assume I would need a static IP on my tun0 iface for this to work? If so, is that my control or the servers control?
Do you manage the VPN server?

If so, each client can have a static IP configured on the server.

Kadu

skrewt
OpenVPN User
Posts: 11
Joined: Sun Sep 25, 2011 2:43 pm

Re: allow ssh via on non vpn address while vpn is open

Post by skrewt » Mon Sep 26, 2011 6:13 pm

I do not manage the VPN server, just the SSH server that is serving as the VPN client.

User avatar
kadu
OpenVpn Newbie
Posts: 6
Joined: Wed May 25, 2011 10:54 am

Re: allow ssh via on non vpn address while vpn is open

Post by kadu » Mon Sep 26, 2011 7:46 pm

skrewt wrote:I do not manage the VPN server, just the SSH server that is serving as the VPN client.
You can use the openvpn up/down options together with some variables provided by openvpn to setup the correct uptables rules.

Check the man pages for --up and --route-up, you should be able to get it from there.

Kadu

User avatar
krzee
Forum Team
Posts: 729
Joined: Fri Aug 29, 2008 5:42 pm

Re: allow ssh via on non vpn address while vpn is open

Post by krzee » Mon Sep 26, 2011 7:54 pm


Post Reply