OpenVPN through reverse SSH tunnel

This is the forum to post your config. Include diagrams, usage graphs, and all the other goodies to show off your network.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
pkkrusty
OpenVpn Newbie
Posts: 4
Joined: Thu Oct 27, 2022 7:59 pm

OpenVPN through reverse SSH tunnel

Post by pkkrusty » Fri Oct 28, 2022 4:56 am

For posterity, here's my working setup on Raspbian 10 Buster:
Image

I needed a way to remotely and securely access the internal network of a few different installations in places where I couldn't control port forwarding, thus preventing me from directly establishing a VPN connection to the two Raspberry Pis. I can connect via RealVNC, which works, but is a clunky solution for accessing internal network resources, especially on mobile.

I used the following guide as a starting point:
https://www.it-react.com/index.php/2020 ... -on-linux/
and then added a bit from Bostrot's answer in this StackExchange thread:
https://superuser.com/questions/1356330 ... ssh-tunnel

Installed OpenVPN via PiVPN script

Code: Select all

curl -L https://install.pivpn.io | bash
on both the RASPI SERVER (not technically necessary, but I also want to VPN into the RASPI SERVER network, so port 1194 is used for that, and the downstream hosts get variations of 1194) and the RASPI HOST.

Edit /etc/openvpn/server.conf on RASPI HOST
Change "proto udp" to "proto tcp" and restart service

Add a user profile via "pivpn add" then adjust .ovpn profile to "proto tcp-client" instead of "proto udp", and replace "remote 192.168.x.x 1194" with ddns address and a different port so the RASPI SERVER can forward the VPN TCP traffic to the SSH tunnel (like "remote domain.myvnc.com 11194") then install that ovpn profile onto a phone or laptop or whatever

Edit /etc/ssh/sshd_config to the following on RASPI SERVER and RASPI HOST. Uncomment and enable:

Code: Select all

AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 2
PermitTunnel yes
Use ssh-keygen on RASPI HOST to generate the required self-signed certificates and certificate authority that can then be transferred to the RASPI SERVER so SSH session can be generated without user input. See https://www.it-react.com/index.php/2020 ... d-windows/

Install autossh on RASPI HOST and adjust the init.d script to the following:

Code: Select all

#! /bin/sh
# author: Clément Désiles
# date: 01/08/2016
# source: https://gist.github.com/suma/8134207
# source: http://stackoverflow.com/questions/34094792/autossh-pid-is-not-equal-to-the-one-in-pidfile-when-using-start-stop-daemon

### BEGIN INIT INFO
# Provides:          autossh
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: autossh initscript
# Description:       establish a tunnelled connexion for remote access
### END INIT INFO

. /etc/environment
. /lib/init/vars.sh
. /lib/lsb/init-functions

TUNNEL_HOST=yourddns.domain.com
TUNNEL_USER=pi
TUNNEL_PORT_SSH=10022
TUNNEL_PORT_NODERED=11880
TUNNEL_PORT_GRAFANA=13000
TUNNEL_PORT_TASMOADMIN=15555
TUNNEL_PORT_VPN=11194
MONITOR_PORT=10000
# All the services you want to tunnel, in this guide, vpn is the important one
KEY_PATH=/home/pi/.ssh/id_rsa
# If you saved the RSA key in a different spot, you need to adjust

NAME=autossh
DAEMON=/usr/lib/autossh/autossh
AUTOSSH_ARGS="-M $MONITOR_PORT -f"
SSH_ARGS="-nNTv -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o
IdentitiesOnly=yes -o StrictHostKeyChecking=no \
         -i $KEY_PATH -R $TUNNEL_PORT_SSH:localhost:22 -R
$TUNNEL_PORT_VPN:localhost:1194 -R
# Forward traffic from VPN 11194 port to RASPI HOST tunnel which is listening on 1194 like normal
$TUNNEL_PORT_TASMOADMIN:localhost:5555 -R
# Add or remove these other port forwards as necessary for other services, note that these are not secure https unless you set that up separately
$TUNNEL_PORT_NODERED:localhost:1880 -R
$TUNNEL_PORT_GRAFANA:localhost:3000  $TUNNEL_USER@$TUNNEL_HOST"

DESC="autossh for reverse ssh"
SCRIPTNAME=/etc/init.d/$NAME
DAEMON_ARGS=" $AUTOSSH_ARGS $SSH_ARGS"

# Export PID for autossh
AUTOSSH_PIDFILE=/var/run/$NAME.pid
export AUTOSSH_PIDFILE

do_start() {
        start-stop-daemon --start --background --name $NAME --exec $DAEMON
--test > /dev/null || return 1
        start-stop-daemon --start --background --name $NAME --exec $DAEMON --
$DAEMON_ARGS    || return 2
}

do_stop() {
        start-stop-daemon --stop --name $NAME --retry=TERM/5/KILL/9 --pidfile
$AUTOSSH_PIDFILE --remove-pidfile
        RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2
        start-stop-daemon --stop --oknodo --retry=0/5/KILL/9 --exec $DAEMON
        [ "$?" = 2 ] && return 2
        return "$RETVAL"
}

case "$1" in
  start)
        log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        case "$?" in
                0|1) log_end_msg 0 ;;
                2) log_end_msg 1 ;;
        esac
        ;;
  stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
                0|1) log_end_msg 0 ;;
                2) log_end_msg 1 ;;
        esac
        ;;
  status)
        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
        exit 3
        ;;
esac
Get all the daemons going, and probably do a restart, and things should be working.

Post Reply