SSH over OpenVPN tunnel

OpenVPN tutorials ranging from configuration to hacks to compilation will be posted here.
KBerger
OpenVPN User
Posts: 20
Joined: Wed Mar 16, 2011 1:27 pm

SSH over OpenVPN tunnel

Post by KBerger » Fri Mar 18, 2011 8:00 pm

Hello everyone, how're you doing :)?

OK, I just thought you might give me a hint as to the nature of my problem.
I'm establishing a connection to my office network (192.168.0.0 255.255.255.224) through the OpenVPN server, which is also the Internet gateway (192.168.0.1) for the above-mentioned LAN, as can be logically understood.

So, here it is in a nutshell:
1) OpenVPN server is 192.168.0.1 on the office network 192.168.0.0/27

2) In the server.conf I have, as regards routing, this:

    server 10.0.0.0 255.255.255.0
    push "route 192.168.0.0 255.255.255.224"

3) For the VPN I'm using static client address assignment, so in the ccd/client1 file (which is also declared in server.conf, as required) I have this line:

    ifconfig 10.0.0.5 10.0.0.6

So I successfully connect to my server through the Internet and have:

    Fri Mar 18 21:44:16 2011 /sbin/ifconfig tun0 10.0.0.6 pointopoint 10.0.0.5 mtu 1500
    Fri Mar 18 21:44:16 2011 /sbin/route add -net 192.168.0.0 netmask 255.255.255.224 gw 10.0.0.5
    Fri Mar 18 21:44:16 2011 /sbin/route add -net 10.0.0.1 netmask 255.255.255.255 gw 10.0.0.5

among other things in the output, as for now I'm connecting manually, till I fix it all.
So now I can "see" all the machines on 192.168.0.0/27, ping them, nmap them and can, for example, connect to my router web-interface on 192.168.0.17:88.

PROBLEM: I cannot start an SSH session to 192.168.0.1 (which is the VPN server itself as seen from the local LAN interface, and to which I usually connect via SSH from the LAN)!
The session just hangs (until I Ctrl-C to stop it). However, I can ping that machine OK.

What could possibly cause this? Any ideas? Could it be related to any routing problems?
BTW, is it OK that I can ping 10.0.0.6 but cannot ping 10.0.0.5?

thanks in advance,
Kostya

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: SSH over OpenVPN tunnel

Post by maikcat » Sat Mar 19, 2011 2:35 pm

hi there,

can you post the output of iptables -L command?
also do you use tcp wrappers? (check /etc/hosts.allow /etc/hosts.deny).

which Linux are you using?

cheers,

michael.
Amiga 500, ZX +2 owner
Long live Dino Dini (Kick Off 2 creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: SSH over OpenVPN tunnel

Post by janjust » Sat Mar 19, 2011 10:02 pm

your ccd file should read

    ifconfig-push 10.0.0.6 10.0.0.5

note the order of the IP addresses; it is normal that you cannot reach 10.0.0.5; try pinging and SSH'ing to 10.0.0.1 instead.

KBerger
OpenVPN User
Posts: 20
Joined: Wed Mar 16, 2011 1:27 pm

Re: SSH over OpenVPN tunnel

Post by KBerger » Sat Mar 19, 2011 11:25 pm

maikcat wrote:
> hi there,
>
> can you post the output of iptables -L command?
> also do you use tcp wrappers? (check /etc/hosts.allow /etc/hosts.deny).
>
> which Linux are you using?
>
> cheers,
>
> michael.

1. On the server I'm using Fedora 13.
2. The output of iptables -L I will get as soon as I get to my server.
3. Yea I thought about tcp wrappers being a possible cause of it... anyway I'll be certain when I get to my server.

So I'll post it as soon as I get there.
Many thanks :).

KBerger
OpenVPN User
Posts: 20
Joined: Wed Mar 16, 2011 1:27 pm

Re: SSH over OpenVPN tunnel

Post by KBerger » Sat Mar 19, 2011 11:35 pm

janjust wrote:
> your ccd file should read
>
>     ifconfig-push 10.0.0.6 10.0.0.5
>
> note the order of the IP addresses; it is normal that you cannot reach 10.0.0.5; try pinging and SSH'ing to 10.0.0.1 instead.

I've tried pinging and SSH'ing (and telneting) to 10.0.0.1, but with the same result.
So it looks as though ping packets do get back, but neither SSH nor telnet replies come back.

Here is what I actually get from my SSH session:

    OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010
    debug1: Reading configuration data /home/kostya/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.0.1 [192.168.0.1] port 22.
    debug1: Connection established.
    debug1: identity file /home/kostya/.ssh/id_dsa type 2
    debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
    debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
    debug1: identity file /home/kostya/.ssh/id_dsa-cert type -1
    debug1: identity file /home/kostya/.ssh/id_dsa type 2
    debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
    debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
    debug1: identity file /home/kostya/.ssh/id_dsa-cert type -1
    ==== here the debug output stops...===

Notice that when I try to SSH directly to the outbound server interface, which is firewall-protected, the session never gets this far, but stops at the words "Connecting to 192.168.0.1 [192.168.0.1] port 22.".

And thanks for the correction about the order of the IP addresses; I took mine from the HOWTO.

KBerger
OpenVPN User
Posts: 20
Joined: Wed Mar 16, 2011 1:27 pm

Re: SSH over OpenVPN tunnel

Post by KBerger » Tue Mar 22, 2011 8:44 am

OK, it's way easier when I ask questions and you dear friends say YES or NO :).

So...
The thing now works, although, being in the office, I could only test it by connecting from inside the 192.168.0.0/27 network itself to the address 10.0.0.1. Prior to that I had, for testing purposes, to disable the 'push "route 192.168.0.0 ..."' directive in the server config.
So I VPNed to the server and then SSH'ed to 10.0.0.1 without any problems.

And here is what I did, and you please tell me which of these are necessary and which are not.

1. I added the following to my iptables script:

    ............
    iptables -A INPUT -i tun0 -j ACCEPT
    iptables -A OUTPUT -o tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -s 192.168.0.0/27 -d 10.0.0.0/24 -j ACCEPT
    iptables -A FORWARD -i tun0 -s 10.0.0.0/24 -d 192.168.0.0/27 -j ACCEPT

Guess this won't hurt in any case.

2. But then I also added the following string to the server conf:

    route 10.0.0.0 255.255.255.0

right below

    server 10.0.0.0 255.255.255.0

Guess this is unnecessary, right? Isn't the "server 10.0.0...." directive enough for the server to learn about the existence of that network?
I just added it because I know such things won't hurt anyway.


OK. I'll go back home and try it from there. If it can SSH to 10.0.0.1, then it MUST also be able to connect to 192.168.0.1.
Then I'll try to configure SAMBA connectivity to the office, but that's another story.

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: SSH over OpenVPN tunnel

Post by maikcat » Tue Mar 22, 2011 10:33 am

hi there,

> iptables -A INPUT -i tun0 -j ACCEPT

this is definitely needed if you try to connect from your clients to the VPN server address

> route 10.0.0.0 255.255.255.0

remove it....

> Guess this is unnecessary, right? Isn't the "server 10.0.0...." directive enough for the server to learn about the existence of that network?

yeap..

michael.
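
An added example, not code from the thread or from OpenVPN, that checks a saved iptables ruleset for the symptom discussed above (ICMP accepted, nothing letting new TCP/22 connections in on tun0) and for the shape of the fix maikcat confirms. Both rulesets and the interface name eth0 are constructed, and the matching is grep-based on rule shape (it does not evaluate rule order), which is an assumption that fits the thread's rules but not arbitrary ones.

```shell
# Added example, not from the thread: classify a saved iptables ruleset as
# "ok", "ssh-blocked" (ping works, SSH hangs) or "all-blocked". Rules are
# matched by shape; an earlier DROP shadowing a later ACCEPT is not modelled.

# Constructed iptables-save excerpt approximating the server before the fix.
BEFORE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
COMMIT'

# Same ruleset with a narrower fix than the thread's blanket
# "-A INPUT -i tun0 -j ACCEPT": only SSH, and only from the VPN pool.
AFTER='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -s 10.0.0.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT'

# Returns 0 when the INPUT chain accepts ICMP, so ping from the client succeeds.
icmp_in_allowed() {
  printf '%s\n' "$1" | grep -Eq '^:INPUT ACCEPT|^-A INPUT .*-p icmp .*-j ACCEPT$'
}

# Returns 0 when a new TCP/22 connection arriving on tun0 reaches sshd:
# chain policy ACCEPT, the thread's interface-wide rule, or a port-specific rule.
ssh_in_via_tun0_allowed() {
  printf '%s\n' "$1" | grep -Eq \
    '^:INPUT ACCEPT|^-A INPUT -i tun0 -j ACCEPT$|^-A INPUT -i tun0 .*-p tcp .*--dport 22 .*-j ACCEPT$'
}

# Prints the diagnosis for one ruleset.
diagnose() {
  if ssh_in_via_tun0_allowed "$1"; then echo ok
  elif icmp_in_allowed "$1"; then echo ssh-blocked
  else echo all-blocked
  fi
}

diagnose "$BEFORE"   # ssh-blocked
diagnose "$AFTER"    # ok
```

Rule order is also why the thread's two subnet-specific FORWARD rules never match: the blanket "iptables -A FORWARD -i tun0 -j ACCEPT" placed before them already accepts every packet they would.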

KBerger
OpenVPN User
Posts: 20
Joined: Wed Mar 16, 2011 1:27 pm

Re: SSH over OpenVPN tunnel

Post by KBerger » Tue Mar 22, 2011 12:02 pm

Thanks!

And the files /etc/hosts.allow and /etc/hosts.deny are empty. For now I'll leave them as they are, until after I finish configuring everything the way I want it.

KBerger
OpenVPN User
Posts: 20
Joined: Wed Mar 16, 2011 1:27 pm

Re: SSH over OpenVPN tunnel

Post by KBerger » Tue Mar 22, 2011 5:55 pm

Yea, now I can confirm that it works OK from home over the Internet to both 192.168.0.1 and 10.0.0.1.

So I consider the problem to be resolved.

Thanks to everyone for help and support :D.

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: SSH over OpenVPN tunnel

Post by maikcat » Wed Mar 23, 2011 10:48 am

ok then

marked as SOLVED

closed.

michael
