
Can't SSH into a open-vpned client anymore

Posted: Fri Jan 01, 2010 12:12 am
by hyper_ch
Hi there

I currently have set up a vpn server and two vpn clients. One vpn client is on the same lan as I am. My problem is that I can't ssh into the other client.

Below I have a schematic of what the whole setup looks like and what works, but I'll also explain it after the image:

[Image: schematic of the setup]

First of all the basic configuration

Open-VPN server:

server.conf

Code:

 grep -vE '^#|^;|^$' server.conf
port 1194
proto udp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key    # Keep this file secret.
dh ./easy-rsa2/keys/dh1024.pem     # Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1" # redirects the client's Internet traffic to the server
push "dhcp-option DNS 208.67.222.222" # DNS server 1
push "dhcp-option DNS 208.67.220.220" # DNS server 2 (if available)
ping-timer-rem
keepalive 20 180
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 50
server routes

Code:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
91.121.147.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         91.121.147.254  0.0.0.0         UG    0      0        0 eth0

------


OpenVPN Client:

client.conf

Code:

grep -vE '^#|^;|^$' client.conf
client
dev tun
proto udp
remote 91.121.147.34
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert gb1500.crt
key gb1500.key
ns-cert-type server
comp-lzo
verb 6
mute 50
log     openvpn.log
routes:

Code:

 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        10.8.0.13       255.255.255.255 UGH   0      0        0 tun0
91.121.147.34   188.40.139.1    255.255.255.255 UGH   0      0        0 eth0
10.8.0.13       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
188.40.139.0    0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         10.8.0.13       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.13       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         188.40.139.1    0.0.0.0         UG    0      0        0 eth0

------


OpenVPN Client on LAN:

client.conf

Code:

 grep -vE '^#|^;|^$' client.conf
client
dev tun
proto udp
remote ks357331.kimsufi.com
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert rubi.crt
key rubi.key
ns-cert-type server
comp-lzo
verb 6
mute 50
log     openvpn.log
routes

Code:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
91.121.147.34   10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0

------


What works

- I can directly ssh into the vpn server and the vpn client on lan
- I have vpn connections between the vpn server, the vpn client and the vpn client on lan
- I can ssh into the vpn client on lan (or vpn server) and then ssh (inside the vpn tunnel) into vpn client

What does not work

- I cannot directly ssh into the vpn client anymore


-------


Question

How can I again enable direct ssh connections to the vpn client via its own public, dedicated IP? Using SSH over VPN does not make much sense to me.

Re: Can't SSH into a open-vpned client anymore

Posted: Wed Jan 27, 2010 9:54 am
by krzee
The problem here is that you are using redirect-gateway.
This results in ALL outbound traffic that does not have a more specific route than the default flowing over the vpn, including any attempts at responding to connections initiated from the internet.
But you can make a route for specific subnets or hosts to bypass the vpn; then they can access it without the vpn.
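The routing behaviour krzee describes can be checked against the table hyper_ch posted for the remote client. The block below is an added example, not code from the thread: it replays the kernel's longest-prefix-match lookup over that `route -n` output, shows that a reply to an SSH connection arriving on eth0 is sent into tun0 once the two def1 /1 routes exist, and shows how a /32 host route via the client's real gateway (188.40.139.1, taken from the posted table) lets one known peer bypass the VPN. The admin host 203.0.113.5 is a constructed placeholder (TEST-NET-3), not a host from the thread.

```python
"""Added example (not from the thread): simulate the kernel's longest-prefix
route lookup over the `route -n` table posted for the remote OpenVPN client.

It shows why, after `push "redirect-gateway def1"` installs the two /1
routes via tun0, a reply to an SSH connection arriving from the Internet
on eth0 is sent back through the tunnel, and how a /32 host route via the
client's real gateway (188.40.139.1 in the posted table) lets that one
peer bypass the VPN."""
import ipaddress

# Rows copied from the remote client's `route -n` output in the thread:
# (Destination, Genmask, Gateway, Iface). A gateway of 0.0.0.0 means
# the destination is directly connected on that interface.
CLIENT_ROUTES = [
    ("10.8.0.1",      "255.255.255.255", "10.8.0.13",    "tun0"),
    ("91.121.147.34", "255.255.255.255", "188.40.139.1", "eth0"),  # VPN server, pinned to eth0
    ("10.8.0.13",     "255.255.255.255", "0.0.0.0",      "tun0"),
    ("188.40.139.0",  "255.255.255.192", "0.0.0.0",      "eth0"),  # client's own /26
    ("0.0.0.0",       "128.0.0.0",       "10.8.0.13",    "tun0"),  # def1: lower half of IPv4
    ("128.0.0.0",     "128.0.0.0",       "10.8.0.13",    "tun0"),  # def1: upper half of IPv4
    ("0.0.0.0",       "0.0.0.0",         "188.40.139.1", "eth0"),  # original default, now shadowed
]

# Constructed value: a hypothetical admin workstation on the Internet
# (TEST-NET-3 address, not any real host from the thread).
ADMIN_HOST = "203.0.113.5"
REAL_GATEWAY = "188.40.139.1"   # from the posted table
REAL_IFACE = "eth0"


def parse_routes(rows):
    """Turn (dst, mask, gw, dev) strings into (network, gw, dev) tuples."""
    return [
        (ipaddress.ip_network(f"{dst}/{mask}", strict=False), gw, dev)
        for dst, mask, gw, dev in rows
    ]


def lookup(routes, destination):
    """Longest-prefix match: of all routes containing the destination,
    the one with the longest prefix wins, as the kernel selects.
    Returns (network, gateway, iface) or None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def egress_iface(routes, destination):
    """Interface a packet to `destination` (e.g. an SSH reply) leaves on."""
    match = lookup(routes, destination)
    return match[2] if match else None


def with_bypass_route(routes, host, gateway, dev):
    """Return a copy of the table with a /32 host route for `host` via the
    real gateway. A /32 beats the /1 def1 routes in longest-prefix match."""
    return routes + [(ipaddress.ip_network(f"{host}/32"), gateway, dev)]


def bypass_command(host, gateway, dev):
    """The iproute2 command that installs the same host route on the client."""
    return f"ip route add {host}/32 via {gateway} dev {dev}"


if __name__ == "__main__":
    table = parse_routes(CLIENT_ROUTES)
    print("reply to admin host leaves via:", egress_iface(table, ADMIN_HOST))        # tun0
    print("packet to VPN server leaves via:", egress_iface(table, "91.121.147.34"))  # eth0
    fixed = with_bypass_route(table, ADMIN_HOST, REAL_GATEWAY, REAL_IFACE)
    print("after bypass route, reply leaves via:", egress_iface(fixed, ADMIN_HOST))  # eth0
    print("install with:", bypass_command(ADMIN_HOST, REAL_GATEWAY, REAL_IFACE))
```

The SYN from the admin host arrives on eth0, but the SYN-ACK is routed by destination and hits 128.0.0.0/1 via tun0, so the reply leaves through the VPN server with the client's public source address and the handshake never completes. The per-host route works when the set of SSH sources is known; for arbitrary sources the general alternative (an aside, not from the thread) is source-based policy routing, i.e. an `ip rule` that sends traffic sourced from the client's public address to a table whose default route is eth0.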

Re: Can't SSH into a open-vpned client anymore

Posted: Fri Oct 01, 2010 12:02 am
by zina83
I have built a network that looks nearly like yours, as shown:

Internet<<<<ubuntu server>>>lab4 lan
I have installed and configured openssh on the ubuntu server and I could access it from any client PC at the lab4 lan; I also access it from any client PC outside the lab4 lan.
My question: can I involve my work with openvpn to enhance my work security? If your answer is yes,
would you please give me a step-by-step configuration of ssh and vpn together? How can any client PC that is either inside the lan or outside it access the vpn-ssh server?
Thanks

Re: Can't SSH into a open-vpned client anymore

Posted: Tue Oct 05, 2010 9:12 am
by krzee
zina, start your own thread; you can link to this one if you want.
Do not hijack other people's threads.

hyper_ch,
this person also had that problem, as did the person linked to in that post:
viewtopic.php?f=15&t=7161