Can't SSH into an open-vpned client anymore

hyper_ch
OpenVpn Newbie
Posts: 5
Joined: Sun Aug 16, 2009 7:09 pm

Can't SSH into an open-vpned client anymore

Post by hyper_ch » Fri Jan 01, 2010 12:12 am

Hi there

I currently have set up a VPN server and two VPN clients. One VPN client is on the same LAN as I am. My problem is that I can't SSH into the other client.

Below is a schematic of what the whole setup looks like and what works, but I'll also explain it after the image:

[image: schematic of the VPN setup]

First of all the basic configuration

OpenVPN server:

server.conf


grep -vE '^#|^;|^$' server.conf
port 1194
proto udp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key    # Keep this file secret.
dh ./easy-rsa2/keys/dh1024.pem     # Diffie-Hellman parameters (1024-bit DH is below today's minimum; 2048-bit or larger is recommended)
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1" # redirects the client's Internet traffic to the server
push "dhcp-option DNS 208.67.222.222" # DNS server 1
push "dhcp-option DNS 208.67.220.220" # DNS server 2 (if available)
ping-timer-rem
keepalive 20 180
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 50

server routes:


route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
91.121.147.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         91.121.147.254  0.0.0.0         UG    0      0        0 eth0

------


OpenVPN Client:

client.conf


grep -vE '^#|^;|^$' client.conf
client
dev tun
proto udp
remote 91.121.147.34
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert gb1500.crt
key gb1500.key
ns-cert-type server
comp-lzo
verb 6
mute 50
log     openvpn.log
routes:


route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        10.8.0.13       255.255.255.255 UGH   0      0        0 tun0
91.121.147.34   188.40.139.1    255.255.255.255 UGH   0      0        0 eth0
10.8.0.13       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
188.40.139.0    0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         10.8.0.13       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.13       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         188.40.139.1    0.0.0.0         UG    0      0        0 eth0

------


OpenVPN Client on LAN:

client.conf


grep -vE '^#|^;|^$' client.conf
client
dev tun
proto udp
remote ks357331.kimsufi.com
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert rubi.crt
key rubi.key
ns-cert-type server
comp-lzo
verb 6
mute 50
log     openvpn.log
routes:


route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
91.121.147.34   10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0

------


What works

- I can directly SSH into the VPN server and the VPN client on the LAN
- I have VPN connections between the VPN server, the VPN client and the VPN client on the LAN
- I can SSH into the VPN client on the LAN (or the VPN server) and then SSH (inside the VPN tunnel) into the VPN client

What does not work

- I cannot directly SSH into the VPN client anymore


-------


Question

How can I enable again that I can directly connect through SSH to the VPN client on its own public, dedicated IP? Using SSH over VPN does not make much sense to me.

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Can't SSH into an open-vpned client anymore

Post by krzee » Wed Jan 27, 2010 9:54 am

The problem here is that you are using redirect-gateway.
This results in ALL outbound traffic that does not have a more specific route than the default flowing over the VPN, including any attempts at responding to connections initiated from the Internet.
But you can make a route for specific subnets or hosts to bypass the VPN; then they can access it without the VPN.

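The route lookup krzee describes, worked through as an added example (not code from the thread or from OpenVPN). It parses the client's posted `route -n` table, shows that a reply to an outside host is sent over tun0 because the two /1 routes from `redirect-gateway def1` beat the /0 default, and then shows that a /32 host route for the admin workstation wins the lookup and restores the eth0 path. The admin address 203.0.113.10 and the client public address 188.40.139.20 are placeholders, not addresses from the thread; the gateway 188.40.139.1 is taken from the posted table. The `policy_routing_cmds` function goes beyond krzee's host-route suggestion: source policy routing makes replies from the public address leave via the real gateway whoever connected, so every inbound service on that address keeps working.

```python
import ipaddress

# Constructed sample input: the client's `route -n` output as posted in the thread.
CLIENT_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        10.8.0.13       255.255.255.255 UGH   0      0        0 tun0
91.121.147.34   188.40.139.1    255.255.255.255 UGH   0      0        0 eth0
10.8.0.13       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
188.40.139.0    0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         10.8.0.13       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.13       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         188.40.139.1    0.0.0.0         UG    0      0        0 eth0
"""

# Placeholder for the admin workstation (TEST-NET-3); not an address from the thread.
ADMIN_HOST = "203.0.113.10"
# The client's pre-VPN default gateway, taken from the posted table.
NET_GATEWAY = "188.40.139.1"
# Placeholder for the client's own public address inside the posted 188.40.139.0/26.
CLIENT_PUBLIC_IP = "188.40.139.20"


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: how the kernel chooses when all metrics are equal,
    as they are in the posted table."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)


def bypass_route(host, gateway, iface="eth0"):
    """krzee's fix: a /32 for one host. It is more specific than the two /1
    routes that `redirect-gateway def1` installs, so it wins the lookup."""
    return (ipaddress.ip_network(f"{host}/32"), gateway, iface)


def ip_route_cmd(route):
    """The iproute2 command that installs the route by hand on the client."""
    net, gw, iface = route
    return f"ip route add {net} via {gw} dev {iface}"


def openvpn_route_line(host):
    """The same route as an OpenVPN client.conf directive. `net_gateway` is
    OpenVPN's keyword for the default gateway that existed before the tunnel
    came up, so the gateway address need not be hard-coded."""
    return f"route {host} 255.255.255.255 net_gateway"


def policy_routing_cmds(public_ip, gateway, iface="eth0", table=100):
    """General alternative (not the fix krzee names): source policy routing.
    Packets sourced from the client's public address are looked up in a table
    whose only default route is the real gateway."""
    return [
        f"ip route add default via {gateway} dev {iface} table {table}",
        f"ip rule add from {public_ip}/32 table {table} priority 1000",
    ]


def reply_interface(host, with_bypass=False):
    """Interface the client would use to answer a connection from `host`."""
    routes = parse_route_n(CLIENT_ROUTE_N)
    if with_bypass:
        routes.append(bypass_route(host, NET_GATEWAY))
    return lookup(routes, host)[2]


if __name__ == "__main__":
    print("reply to admin without bypass:", reply_interface(ADMIN_HOST))
    print("reply to admin with bypass:   ", reply_interface(ADMIN_HOST, True))
    print(ip_route_cmd(bypass_route(ADMIN_HOST, NET_GATEWAY)))
    print(openvpn_route_line(ADMIN_HOST))
    for cmd in policy_routing_cmds(CLIENT_PUBLIC_IP, NET_GATEWAY):
        print(cmd)
```

The `route ... net_gateway` line can also be pushed from the server (`push "route 203.0.113.10 255.255.255.255 net_gateway"`) so it is applied every time the tunnel comes up. The /32 only helps for admin addresses you know in advance; the policy-routing variant covers any inbound connection to the public address. After applying either, `ip route get 203.0.113.10` on the client should report `dev eth0` rather than `dev tun0`.
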
zina83
OpenVpn Newbie
Posts: 4
Joined: Thu Sep 30, 2010 9:43 pm

Re: Can't SSH into an open-vpned client anymore

Post by zina83 » Fri Oct 01, 2010 12:02 am

I have built a network that looks nearly like yours, as shown:

Internet<<<<ubuntu server>>>lab4 lan

I have installed and configured OpenSSH on the Ubuntu server, and I can access it from any client PC on the lab4 LAN; I can also access it from any client PC outside the lab4 LAN.
My question: can I combine my setup with OpenVPN to enhance its security? If your answer is yes,
would you please give me a step-by-step configuration for SSH and VPN together? How can any client PC, either inside the LAN or outside it, access the VPN/SSH server?
Thanks

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Can't SSH into an open-vpned client anymore

Post by krzee » Tue Oct 05, 2010 9:12 am

zina, start your own thread; you can link to this one if you want.
Do not hijack other people's threads.

hyper_ch,
this person also had that problem, as did the person linked to in that post:
viewtopic.php?f=15&t=7161
