ssh to user on vpn fails whereas direct ssh works

BlackForester
OpenVpn Newbie
Posts: 3
Joined: Sun Jul 25, 2021 1:32 pm

Post by BlackForester » Sun Jul 25, 2021 1:55 pm

I have successfully (?) configured my OpenVPN server on Ubuntu 20.04 LTS according to this tutorial (in German only, however) https://ctaas.de/OpenVPN_Server_Ubuntu_ ... witchDANKE,

Basic routing configurations are set as given in the tutorial.

The connection between my client and the server is established.

My main problem is that I can access the server on its public LAN interface without a VPN connection via ssh, but using ssh via the VPN interface fails with repeated password requests (the password was given correctly, I tried over and over again).

The basic difference to a standard setup is that ssh uses a different port on the public interface, say eth0 and port 25000 (just to keep it simple, actual names/port numbers differ of course)

This works without established VPN connection: ssh -p 25000 foo@fooserver.org

This does not work when VPN is active (using the first address provided by the TUN interface): ssh foo@10.2.0.2
(adding -p 25000 will fail immediately)

Do I have to map the VPN ssh port (22) to 25000 via iptables?


Here is my pretty standard server configuration file (replaced some names for security reasons)
Server conf

remote-cert-tls client

tls-version-min 1.2


auth SHA512
port xxxx

# TCP or UDP server?
proto tcp
dev tun

ca ca.crt
cert fooserver.crt
key fooserver.key # This file should be kept secret

dh dh.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet

server 10.2.0.0 255.255.255.0

ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "route 10.2.1.0 255.255.255.0"

push "dhcp-option DNS A.B.C.D"

keepalive 10 120

tls-crypt ta.key # This file is secret

cipher AES-256-GCM

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log

log-append /var/log/openvpn/openvpn.log

verb 4

explicit-exit-notify 0



The client is running on openSUSE Leap 15.2 -- I think that the missing update-resolv-conf could be the real problem...
Last edited by BlackForester on Sun Jul 25, 2021 2:53 pm, edited 1 time in total.

Pippin
Forum Team
Posts: 1002
Joined: Wed Jul 01, 2015 8:03 am

Post by Pippin » Sun Jul 25, 2021 2:31 pm

foo@10.2.0.2
Server address is here:
foo@10.2.0.1
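
The address mix-up pointed out in the reply above can be checked against the posted `topology` and `server` lines. This is an added example, not code from the thread or from OpenVPN; `SAMPLE_CONF`, `vpn_layout` and `classify_target` are hypothetical names, and the sample config is constructed from the directives quoted in the first post.

```python
import ipaddress

# Constructed sample: the addressing directives from the server config in this thread.
SAMPLE_CONF = """\
# Network topology
topology subnet
server 10.2.0.0 255.255.255.0
push "route 10.2.1.0 255.255.255.0"
"""

def vpn_layout(conf_text):
    """Return (network, server_ip, first_client_ip) implied by the config."""
    topology = "net30"  # default named in the posted config's own comments
    network = None
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "topology":
            topology = parts[1]
        elif len(parts) >= 3 and parts[0] == "server":
            # strict=True rejects a base address with host bits set
            network = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True)
    if network is None:
        raise ValueError("no 'server' directive found")
    if topology not in ("subnet", "net30"):
        raise ValueError(f"topology {topology!r} not handled in this example")
    # The server takes the first host address of the network. With
    # 'subnet' clients are handed single addresses from .2 upward; with
    # 'net30' each client gets a /30 and the first client's address is .6.
    server_ip = network.network_address + 1
    first_client = network.network_address + (2 if topology == "subnet" else 6)
    return network, server_ip, first_client

def classify_target(target, conf_text=SAMPLE_CONF):
    """Say what an ssh target address is from the VPN's point of view."""
    network, server_ip, _ = vpn_layout(conf_text)
    addr = ipaddress.ip_address(target)
    if addr == server_ip:
        return "server"
    if addr in network:
        return "client-pool"
    return "outside-vpn"

if __name__ == "__main__":
    for ip in ("10.2.0.2", "10.2.0.1"):
        print(ip, "->", classify_target(ip))
```

A target classified as `client-pool` is a VPN client's own tunnel address, so an ssh to it reaches whatever sshd runs on that client rather than the server.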

Post by BlackForester » Sun Jul 25, 2021 2:47 pm

Pippin wrote:
Sun Jul 25, 2021 2:31 pm
foo@10.2.0.2
Server address is here:
foo@10.2.0.1
Yes, this is an error by me -- I should use 10.2.0.1 of course, not the TUN interface of the local connection.

But it does not work with the server VPN address as well.

TinCanTech
Forum Team
Posts: 9659
Joined: Fri Jun 03, 2016 1:17 pm

Post by TinCanTech » Sun Jul 25, 2021 4:22 pm

BlackForester wrote:
Sun Jul 25, 2021 2:47 pm
I should use 10.2.0.1 of course, not the TUN interface of the local connection
What does that mean?

Can you ping the server at 10.8.0.1 from wherever it is that you are trying to ssh into it?

Post by BlackForester » Sun Jul 25, 2021 5:46 pm

Strangely enough, after a reboot of my client computer all works out of the box -- I can use ssh to the VPN server TUN interface.

Sorry about the question, it is of no use any longer...
