Is it possible to tunnel an OpenVPN server through SSH out from behind CGNAT?
Posted: Thu Mar 04, 2021 4:42 pm
ngrok can be a solution, but I am concerned regarding privacy and security; without a deep understanding, I guess ngrok is providing an external machine that is accessed by the VPN server as well as by the client that wants to connect to that VPN. So, all traffic goes through the ngrok machine, and I do not like that (one of the purposes of a VPN is keeping communications safe, isn't it?)
I have tried an equivalent solution that has two requirements: I need an external machine ('bridge' machine) and I have to create an SSH tunnel on the client. Assuming we can do that, I only have to do:
On the VPN server (in a CGNAT network or behind a firewall):
```
ssh -N -g -R 1200:localhost:1194 <my_bridge_machine_ip>
```
On the VPN client:
```
ssh -N -L 1200:localhost:1200 <my_bridge_machine_ip>
```
VPN configuration: the server has been configured so that it listens on TCP 1194. The client VPN configuration changes its remote VPN server to localhost, port TCP 1200.
This design seems to work; according to the logs, they connect to each other, and the client even receives an IP address from the VPN server (10.3.0.6).
But it cannot connect anywhere; I cannot even ping the VPN server (using its VPN address: 10.3.0.1)...
To check whether there are errors in the VPN configuration, I have tried the direct connection:
My network has a dedicated IP, so I do not need this design; I can connect the VPN client and server directly.
So, preserving all the same configuration files but changing the VPN server and port on the client machine (it connects to the internet using a mobile connection, independent of my LAN, where the VPN server is connected), I have repeated the test.
In that case, the connection works perfectly.
So, something is wrong, or something is missing that I have not considered.
If relevant or interesting for somebody, I can send logs.
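As an added diagnostic, not part of the original post: a small Python script that probes each hop of the SSH chain described above (the client's -L listener on localhost:1200 and the -R listener on the bridge) and pulls the pushed tunnel address and the "Initialization Sequence Completed" marker out of an OpenVPN client log, so a practitioner can tell a hop that is not listening from a session that came up but routes nothing. The bridge hostname and the log sample are constructed placeholders.

```python
import re
import socket

# Constructed sample of OpenVPN client log lines (not the poster's real log).
SAMPLE_LOG = """\
TCP connection established with [AF_INET]127.0.0.1:1200
PUSH: Received control message: 'PUSH_REPLY,ifconfig 10.3.0.6 10.3.0.5'
Initialization Sequence Completed
"""

# Hops of the chain as seen from the client; the bridge host is a placeholder.
CHAIN_HOPS = [
    ("client -L listener", "127.0.0.1", 1200),
    ("bridge -R listener", "bridge.example.invalid", 1200),
]


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds, i.e. that hop is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_chain(hops=CHAIN_HOPS):
    """Probe every hop; the first False shows where the tunnel chain is broken."""
    return {label: tcp_probe(host, port) for label, host, port in hops}


def parse_openvpn_log(text):
    """Extract the pushed tunnel addresses and whether the session fully came up."""
    m = re.search(r"ifconfig (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", text)
    return {
        "local_ip": m.group(1) if m else None,
        "peer_ip": m.group(2) if m else None,
        "completed": "Initialization Sequence Completed" in text,
    }


def selftest():
    """Offline check of tcp_probe against a throwaway local listener."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    up = tcp_probe("127.0.0.1", port)     # handshake completes via the backlog
    srv.close()                            # listener gone: connect is refused
    down = tcp_probe("127.0.0.1", port)
    return up and not down
```

Run check_chain() on the client while both ssh processes are up; a session that shows completed=True with an address but still cannot reach 10.3.0.1 points past the tunnel hops to the VPN-side routing.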